Posts Tagged ‘anonymity’
How to handle Tor
I am a frequent user of the anonymization tool Tor. Regrettably, some websites are in the bad habit of blocking requests from Tor without a valid reason—and those that do have a valid reason (e.g. related to spam or malicious attacks) rarely handle the situation appropriately.
Bearing in mind that most Tor users are perfectly legitimate, these are the main errors:
-
Never telling the user that or why the request was blocked.
-
Blocking only parts of a page, creating the impression that something unrelated to Tor is not working, that something unrelated to the website is not working (e.g. a proxy), or that things are working (while they are not).
-
Excluding the user from functionality that is unrelated to the problem. For instance, many forums block Tor with the claim that they are afraid of spam. Well, if so, they may have a legitimate reason to block postings—but not reading! Further, if spam is the problem, then this is probably the wrong solution to begin with: Some combination of registration and verification (CAPTCHA, manual reply to an email, e.g.) would be more effective.
As a natural pendant, the following advice:
-
Do not block Tor (and similar services) unless you absolutely have too—or without bothering to find out what Tor is.
-
Explicitly tell the users that they were blocked and why. Use a message that takes into account that this is a blanket ban of a user group—not an individual misbehaving user.
-
Exclude pages in their entirety or not all. (Some special cases may exist, but none occurs to me at the moment.)
-
Never block users from functionality that does not enhance the effects of the ban (e.g. reading posts, when the purpose of the ban is to prevent writing posts).
I2P and Internet anonymity
A few weeks ago, I wrote an entry about Tor and anonymity. Since then I have continued my experiments with a related service, I2Pw.
Conceptually, I2P works differently from Tor: It is not a tool to surf the Internet anonymously (although this is possible through a gateway), but a private and anonymous sub-net within the Internet. Effectively, this is an Internet in miniature with its own search-engines, email systems, blogs, file-sharing and torrent services, and similar. Unfortunately, the amount of content is still far too small for it to be a complete anonymous replacement for the Internet. Then again, the growth appears to be decent and the future may be different. (Certainly, and unsurprisingly, the file-sharing community appears to be flowering.)
Notably, the high degree of anonymity provided can be very valuable for those who live in fear of prison for criticizing their respective governments, wish to communicate anonymously within a smaller group, or similar.
As with Tor, just running a local node can be a great help to the community—and, unlike with Tor, there is no risk of landing in the eyes of the police for having relayed someone elses surfing.
Internet anonymity, Tor, and the German justice system
The last few days, I have been looking into various anonymization solutions for the Internet, in particular Torw, with the adage “better safe than sorry” in mind. Apart from the traditional arguments (that may or may not actually apply/be paranoia in the individual case) about being spied upon by the government, the advertising industry, or similar, I would get some satisfaction from helping in thwarting the current Nineteen Eighty-Four developments. Further, I occasionally engage in some activities that are perfectly ethical, but could, in at least some circumstances, technically be illegal—or be misinterpreted as illegal. (Exactly what those are, I will obviously not mention here. Let us just say that anyone who occasionally jaywalks should think twice about throwing the first stone.) Notably, much of the policing of the Internet (possibly policing in general) is more focused on making the numbers look good or catering to special interest groups than on proper policing (i.e. preventing crimes and finding the guilty with a minimal disturbance to the innocent)—catching a metaphorical jaywalker is often prioritized over attacking actual criminals.
Tor is a collaborative network that re-directs the request for e.g. an HTML page over several network nodes in order to ensure that the end-user cannot be identified without snooping between the requester and the first node (assuming that the end-user is careful, that the nodes are not manipulated, and similar) Obviously, this only works when sufficiently many users provide nodes; in particular, “exit nodes” that interact directly with the servers, and whose IPs are the ones that eventually end up in various external log files. With too few nodes, as is currently the case, Tor is slow—and, naturally, the “fair” user tries to give something back by providing a node of his own.
However, looking at the issues involved with providing a node in Germany, I was appalled: Apparently, there have been a number of instances where the computers providing exit nodes have been confiscated by the police, where accusations of surfing for child pornography or violating copyrights have been raised against the users providing the nodes (based on something a third-party user has done), and other cases of harassment. This despite Tor it self being perfectly legal—and despite there being no way to extract the identity of the original requester from the exit node. (With some reservations for “Vorratsdatenspeicherung”e; which, in my understanding, did not apply to Tor, as it is non-profit, and which has recently been ruled unconstitutional.) See an English language accounte for one of the more harmless examples; most other accounts are, understandably, written in German.
Even a small risk of this kind of harassment is too much for me at this particular time, and I will therefore not be setting up an exit node. (I may still decide to set up a non-exit node, however; and if I someday have a server at an ISP, the situation will be different.) This in particular considering that a police investigation would (potentially) not merely involve the police accessing my private files, nor even just taking my hard-drives, but actually taking the physical computers as a whole—with no telling when and if they will be returned. The more absurd, because just physically removing the hard-drives would be less effort for the authorities themselves in the long run—not to mention how much time and money the owner would save.
For those in Germany who can take the risk—please do. If the authorities find that their behaviour (be it caused by sheer ignorance or by a deliberate scare tactic) is just a waste of time and energy, then there is a hope that they will eventually back down.
Of course, we have to consider the issue of anonymization being abused by various criminals. Could counter-measures against e.g. Tor be justified? In my current understanding: No. Firstly, the value of the legal uses, say to avoid being spied upon, is potentially considerable (notably, Tor is even used by some companies who want to increase the security of their professional communications). Secondly, the tendency for greater government “Big Brotherness” is a great mid- to long-term threat, which necessitates resistance of various forms. Thirdly, criminals benefit comparatively little compared to the average citizen, because they have other means available to them. (Cf. e.g. Tor’s abuse FAQe.) In many ways, attacks against Tor are similar to saying that “A criminal could use or has used your private road to commit a crime; ergo, you, yourself, are a criminal and your road must be closed.” (while the same claim concerning a public road would resemble closing the Internet as a whole).
We should further remember that those types of Internet criminality that actually are under heavy attack from the authorities (mostly child-porn and movie/music piracy) are far lesser problems than propaganda tells us—there simply are no 14 million child-porn sites. (A claim I discuss in my discussion of pedophile hysteria).
Michael Eriksson's Blog 