Another police raid in Germany

I ran a few exits for about about ~5 years. In those 5 years, my hosting provider (DigitalOcean) received 3 subpoenas for my account information.

The first two were random. The 1st one was someone sent a bomb threat email to a university. The 2nd one was someone sending a phishing email.

The last and final subpoena was the most serious one. Some nation-state hackers from Qatar had ended up using my exit IP to break into some email accounts belonging to people they were interested in and spied upon them and stole some info.

Thankfully both the Tor Project and the EFF were able to help me pro-bono. The EFF lawyer that was assigned to me helped me fight this subpoena but ultimately we had to turn over my account information to the DOJ + I had to give an affidavit stating that I was simply just an operator and nothing on the server in question would be useful to their investigation (by design).

The stress of having to deal with law enforcement, lawyers, and having to entertain the possibility of having my home raided over something so silly ultimately led to me finally shutting down my exits.

Even though I had all of my exits using a reduced exit policy and I would blacklist known malicious IPs and c2/malware infra from being able to use it, I was still a target.

I feel law enforcement realizes this is a big weakness they can target since a lot of Tor exit operators are individuals with not a lot of resources to fight them. They can use the legal system to scare operators into shutting down.

I one day hope to resume running exits as I find it rewarding to be able to help people from around the world in a small way.

As much as I can respect the idealism about privacy and liberty etc…, I could not ignore the fact that any “really!!!” bad actor could use the same infrastructure to avoid investigation/prosecution, therefore I did not want to provide indirectly any help.

> I feel law enforcement realizes this is a big weakness they can target since a lot of Tor exit operators are individuals with not a lot of resources to fight them. They can use the legal system to scare operators into shutting down.

On one hand I admit that that might be the case, on the other hand even government organizations/departments/agencies can be “local” and scattered (e.g. similar IT departments for each “canton” in Switzerland) and not have huge amounts of resources/knowledge to track/identify perpetrators of all ongoing (sophisticated?) IT crimes => somebody somewhere might see the same IP involved in a lot of “bad” stuff not realizing it’s just a TOR node.

I hate the current general trend pushing a position of an either absolute “yes/no” for any theme, including this one (of encryption for privacy/etc vs. crime).

In my opinion it’s obvious that the current situation of solutions is in general bad: too much pressure on services that provide privacy because it’s too easy for crime to misuse them :o(

Well, what would be considered a “really!!!” bad actor for some might be a hero for others. Just as an example, depending on which side of the Israel/Palestine conflict you are on, either side using your node for military intelligence might be an use worth fighting for or terrible abuse.

In the end, this really comes down to whether you value freedom or state protection more; either of which can be abused by rogue actors or a malicious state, respectively. There is no win-win-solution, unfortunately.

Here’s the thing: I am not on either side of that conflict, or likely any other conflict you could use as an example. There are atrocities committed by both sides. There are victims on both sides. You could argue over who committed the worse atrocities or over who is the biggest victim until your face turns blue, it isn’t going to end the cycle of violence as long as there are people facilitating that violence.

And no, I am not naive. I know there are people out there who care nothing about causes beyond their own self interest and who care nothing about their victims. I realize that these people are impossible to combat without the innocent coming in harms way. Yet the moment we fail to be ashamed of the harm we cause in the name of the cause, the moment we fail to acknowledge who is being harmed in the name of the cause, is the moment we become no better than them.

Stepping back though neither side in that conflict needs Tor. They both have numerous supporters in other countries where that support is legal. They can send and receive information through trusted outside supporters including some outside governments. They just need secure communication channels to a few representatives among those supporters rather than something is general as Tor.

There is a fundamental trade off we have always had to make between safety and freedom. If you believe that privacy online is a freedom worth having, or if you believe one should be able to say whatever they want, you have to accept the bad with the good.

As soon as you start gating access by judging a person by what they’re trying to do privately online, or what they’re trying to say, you’ve thrown out that freedom and made it a privledge.

There’s not even anything wrong with that if that’s the world you would prefer to live in. Its important to know that’s the tradeoff you’re making though, and be prepared to accept the consequences if you one day find yourself running into new leadership that believes what you want to do online, or what you say, isn’t worthy of the privilege.

Exactly. This is all I’m saying.

I don’t have enough knowledge of Tor to make an argument that it does more harm than good or vice versa. But I do know that a lot of people on here are just as ignorant as I am but are quick to assume that Tor must be inherently good because it protects privacy.

As I said, if you look frankly at the risks and decide that the benefits are still worth it, that’s a decision I’m comfortable with you making. But that requires looking very frankly at the risks, which most seem reluctant to do in favor of high-minded abstract discussions of the merits of freedom and privacy.

This subthread spawned from someone who helped facilitate a bomb threat through an exit node they were running, and that kind of concrete harm needs to be mentioned in any discussion of the merits of Tor.

One of those “better look your meat in the eyes, before you murder and eat it” idealism-meets-realism moments.

On the whole, though, I think even with perfect encryption the remaining physical traces of illegality are sufficient for law enforcement purposes (granted: if more difficult).

The exit node operator is also shuttling other content, so it’s not wholly evil and on the balance someone might decide it’s still worth it, but it’s still a much less obvious ethical call than simply designing a piece of tech.

The problem with a “no shades of grey” stance is that in any large organised group there are going to be some good points and reasonable ideologies for why they have banded together to do what they do. They may be mistaken on important points, and it certainly may be necessary to put all empathy aside and try to ruthlessly crush them regardless of any good points they have – but in practice that approach almost always leads to terrible results compared to negotiating to emphasise the good and suppress the bad. Take ISIS – the reason we have groups like ISIS running around is generally because of a no-shades-of-grey approach taken to deal with their precursors. The US policy in the Middle East typically destabilises things (although they are hardly alone in doing that).

(0) https://en.wikipedia.org/wiki/Foreign_relations_of_North_Kor… – “Results of the 2017 BBC World Service poll. Views of North Korean Influence by country”

The “really bad” people have no conscience. No qualms about compromising the device of some innocent victim and then using that as their “exit node” if Tor wasn’t available. So if Tor doesn’t exist, that’s what they do, and that’s worse. Because not only do the bad guys still get to be anonymous, now the owner of the compromised system takes the blame. Which is more likely to be someone less able than you to articulate what happened, and who has to claim they were hacked with perhaps scant evidence rather than being able to point to their IP address on the public list of Tor exit nodes. They also might not be in a country with due process. So what you’re doing there isn’t helping the bad guys, it’s saving some of their innocent victims from being unjustly punished.

Meanwhile the “good guys” who use Tor do have a conscience, so they wouldn’t do that to an innocent third party, and then without Tor they have nothing. So you’d be helping them too.

I want to argue for freedom, on the grounds that most people know whats best for themselves better than others, so on balance there should be more people using that freedom for good, but then most people are busy, and not as motivated or knowledgable of how to use that freedom as the malicious actors are.. so is that even freedom in the end?

If we’re talking about the decision to actually run an exit node, I disagree with this breakdown of the ethics. I can value freedom more than state protection in the abstract while at the same time not feeling that helping support freedom in Russia and China and Iran is worth the cost of simultaneously helping to shield perpetrators of violence closer to home.

In most people’s ethical frameworks choosing not to run a Tor node does not make me culpable for the actions of a state suppressing its people, but choosing to run one does make me at least somewhat complicit in shielding the perp of a bomb threat.

This is again a forced binary “and/or”-decision, without anything inbetween.

It doesn’t have to be like that – both can coexist, if both terms are not extreme.

(disclosure: my post is not related in any way to Israel nor Palestine and I’m personally not linked in/directly to anything related to Israel nor Palestine and this post is not related to the current conflict)

The problem is when you choose to involve yourself in nation-state conflicts they’re just not going to care about your protestations of neutrality and freedom. They’re just going to see you aiding their enemy.

Decentralization is not an excuse for negligence. Anyone working in cybercrimes should be aware that Tor exists and of what it is. The list of exit nodes is public. Harassing the operators can only be one of malice or incompetence and neither alternative is excusable.

Would being gay count? In some countries it’s a death sentence, so using TOR is how they avoid being thrown off a roof or stoned. Talking about anything LGB is a crime.

What about someone who wants to read 1984.. Would you be okay with them committing that crime?

https://docs.digitalocean.com/products/droplets/details/poli…:

> We do not specifically disallow Tor exit nodes, but as the account holder, you are responsible for all the traffic going through your Droplet (including traffic that an exit node may generate), and we do prohibit some of the traffic types that may go through a typical Tor exit node.

> If you are unable to stop prohibited traffic like torrents, spam, SSH probes, botnets, and DDoS attacks, running a Tor exit node may lead to us suspending or terminating your account. We send you an email in the event of a violation of our Terms of Service, and you must address these issues as soon as possible.

Running Tor exit node without abuse? How is that possible? Since they didn’t shut you down after three abuses serious enough to get law enforcement involved, I guess they don’t really give a shit about abuse after all.

Nearly every major site ends up either totally blocking anything that comes from a Tor relay, or applying massive numbers of weird CAPTCHAs and restrictions, so it’s getting to be basically unusable anyway.

(1) TOR exit node operators are buffers to protect people from being hacked. A hacker would more easily use TOR than need the effort to runa scan for vulnerable routers, root one, and hop between various routers.

Which implies

(2) if TOR had no exit nodes and/or clearnet service blocked TOR ranges, hackers will just resort to hacking routers / other systems / botnets to make their own proxy. Now the block doesn’t work, someone(s) got hacked, TOR is gone.

Basically TOR as a “containment” system. Seems to me that would be preferable for law enforcement, particularly because some state actors (https://www.infosecinstitute.com/resources/general-security/…) are putting great effort into unmasking TOR, making it a great honeypot. Ironic that Germany prosecuted a German exit node when they were the same ones investing heavily in unmasking it!

That’s why they requested my personal account information, billing info, IPs that I logged into DO with, all of that.

If not interrupted by me getting the help of the amazing EFF lawyers, the next step after getting my personal information, could have been to raid my home and seize all my electronics. I work from home and would have been greatly disrupted and not been able to work without my computers and etc. Then I’d have to wait months/years to be found innocent and then get all of my electronics back + spend thousands on lawyers.

During all of this, the EFF lawyers straight up told me to prepare my home as if it were to be raided and encrypt all my devices.

Thankfully it did not come to that.

It seemed likely that it would be the horrible use cases it would benefit the most.

Balancing an increase in the efficiency of doing good things that could already by done other ways against greatly benefiting horrible use cases made it so that I could not morally justify it.

If you had visited any of my exit nodes via port 80 or 443, I had a lander on them stating that it was a Tor exit node and to please contact me if you wanted your IP to be blacklisted from it. I also stated that there was no useful information contained on this server (by design) that would be helpful for any evidence gathering or investigations. Seriously, all they had to do was plug my IP into a browser or do a simple scan of it but I suppose that’s asking too much from LE lol.

Additionally, Tor exit nodes are public and all they had to do was look into my IP more than 5 seconds after finding it in logs somewhere and firing off a warrant or subpoena for it. The first two were straight up vague templated fishing expeditions. The 3rd subpoena actually came straight from the DOJ and was a lot more detailed and serious.

They should know what Tor is and know that any Tor server contains ZERO info that would be able to assist them in whatever they are attempting to investigate.

Sure, I do think such situations require follow-up but as soon as they are informed it’s a Tor ip, they should know to drop any pursuit of getting evidence from it. They do not, they continue to go after you via legal means. Even though I had the EFFs help, this entire process still took months.

It’s pretty stressful to be in a situation where its lil ole me VS the entire United States government who has unlimited resources, time, and money to go after you.

I am extremely blessed to have had the EFF lawyers at my defense and will forever be a life long supporter and donor to them. They really do fight for our digital rights and can help defend you in a digital equivalent of a David versus Goliath situation.

To have some sort of automated process in place to deflect blame allows an exit node operator to ignore the real damage their work can do. They may still decide that the good that they’re doing outweighs the bad, but forcing them to see the negative consequences of shielding anyone who wants a shield has value.

I’m not suggesting people shouldn’t be able to run a Tor exit node. I’m suggesting that people who run Tor exit nodes should occasionally have to a deal with a subpoena that says “your exit node was used by a criminal to hurt people in ${these ways} and we require any information you have to help apprehend the attacker.”

I don’t want to deprive anyone of the right to make a moral decision, but I do want them to feel the weight of the full import of that decision.

Can you name a product or service for which this is not the case? Militaries use general purpose software to design weapons. Murderers use vehicles and transit systems. We don’t expect the government to harass the makers of cutlery because they provided a product used in a mugging.

The distinction some people try to draw is when a higher proportion of a product’s users are nefarious, but that doesn’t really work either because who uses something can change over time.

If you have a society where nobody has window blinds or locks on their doors because it’s a rural area and there is no one around to invade your privacy then locks will be disproportionately used by neerdowells “with something to hide”, and then busybodies will claim that anyone with nothing to hide shouldn’t be concealing their private spaces and anyone selling or using any privacy technology should be pressured to stop. Which sustains the status quo through external pressure even if someone does start invading everyone’s privacy.

And that’s what’s been happening on the internet. Surveillance is the default, Cloudflare et al block Tor users as a matter of course and that drives normal people from Tor and similar technologies even though they would otherwise benefit from its use. People are told that it’s the dark web where there are criminals and they shouldn’t use it — it being Tor Browser, the thing that keeps ad networks from tracking them across the internet.

Then after dispersing the normal users who would otherwise benefit from using it, people say that it has a lot of nefarious users to justify the continued harassment of anyone who does. But that’s just path dependence, and there are parties interested in leading us down the garden path to mass surveillance.

Not trying to single out the person you’re responding to, but I’ve seen this play out many times and engaged in it previously to no effect.

Camera feeds, ticket records… All of that is accessible via warrant. That’s probably the most salient example in this context.

Of course there is. If I am deciding whether to dedicate resources, money and time to running a service which –

a) Helps dissidents in authoritarian regimes communicate freely

and

b) Enables bad actors to send threats and/or move CSAM around

Then that is absolutely a moral choice I need to make. It’s not outside your control, you get to decide whether or not to provide the service.

There could be logging bugs in Tor that you were unaware of, or the owner could be using Tor as a cover. It would be negligent _not_ to at least check the device logs for anything useful.

The truth is that police investigations normally are restrained based on the disruption that they cause the public. Police deviate from standard operating procedure when it comes to TOR exit node operators because they want to punish and intimidate them.

They want to punish operators because the authorities are frustrated by the effectiveness of these technologies in countering the pervasive surveillance environment which the authorities take for granted.

Citation needed. ISPs have entire departments dedicated to cooperating with law enforcement. Comcast has a whole portal with its own subdomain specifically for handling requests from law enforcement (0). Cox has a page detailing exactly how to send them a subpoena (1). These guys are clearly dealing with subpoenas just like the ones OP is describing all the time.

It only seems out of the ordinary this time because it’s a random person who decided to play middle-man instead of an enormous corporation with a massive legal department.

(0) https://lrc.comcast.com/lea

(1) https://www.cox.com/aboutus/policies/law-enforcement-and-sub…

Implying that they don’t have the capability to do this already and/or alternative means to accomplish the same thing.

https://en.wikipedia.org/wiki/Room_641A

> Room 641A is a telecommunication interception facility operated by AT&T for the U.S. National Security Agency, as part of its warrantless surveillance program as authorized by the Patriot Act. The facility commenced operations in 2003 and its purpose was publicly revealed by AT&T technician Mark Klein in 2006.

That’s my experience too from actually having my house raided. I had two kids in bed at the time, and the police didn’t even know to expect kids in the house (both kids were over 11 years old, had birth certificates, had lived in that house all their lives and attend local schools and are darn fine students).

They didn’t know. It’s mind boggling to me that they could get a raid warrant without having done even the most basic (below even basic) investigation.

My opinion of police investigative competence took a 99% hit as a result.

It’s a lesson my kids won’t forget either.

If all you’d need to deter law enforcement is to put a website up on your server and say that you don’t have anything to do with anything happening on that server and that they shouldn’t bother because there’s nothing to see anyhow, a lot more criminals would do that. I’m sure they’d even put an actual exit node on their machines if that protected them from law enforcement.

It’s like raiding the home of the mail carrier because someone got drugs in the mail. Sure, it could technically be that the mail carrier is also a drug dealer. But when it comes to the USPS, the identity of who delivered the contraband package is not a useful data point for investigating the crime, and acting otherwise is willful ignorance.

It doesn’t have to be the actual origin for it to be useful—unless the software is specifically designed to avoid traces (i.e., Tor), there are often logs that will lead you to another IP address, which might lead you to another, which might eventually lead you to the source. It would be foolhardy for police investigating a bomb threat to not at least ask, given how many people they do in fact catch this way.

> It’s like raiding the home of the mail carrier because someone got drugs in the mail.

No, in the case of OP it’s like subpoenaing the local post office and asking for everything they know about where that package came from. Which is, incidentally, quite common, except that in the US the post office is a government entity that doesn’t need to be subpoenaed because it has its own law enforcement agency that should have jurisdiction over the case.

I mean, yes, I’m pretty sure “just take my word for it” is asking too much of LE.

We can always say “Come back with a warrant” but then sometimes they’ll come back with a warrant.

> They should know what Tor is and know that any Tor server contains ZERO info

Unless, of course, one has misconfigured it… Which could be the case. Definitely the kind of thing LEO can figure out on the other side of a seize-and-strip of the hardware. Unfortunately, I think the only way to not be a part of the story here is to not be a part of the story here… Don’t proxy anonymous traffic if you don’t want law enforcement asking after the anonymous traffic you proxied. Otherwise, expect the responsibility imposed upon a service provider (since you’re providing a service).

Other ISPs avoid this scrutiny by going out of their way to be helpful to law enforcement.

It would in fact be negligent if the police did not properly investigate the server/computer/house of the device.

One day I will resume but in the future 🙂

That’s very nice but until tor exit nodes are illegal, such police action is purely a harassment effort, right?

One thing that struck me, years ago, is that the people running these actions (recipient of a death threat or police) are far more concerned with the fact that “someone enabled this”, rather than the fact that someone was angry enough at them to issue a death threat. They had no visible concern about that wannabe murderer, apparently spending no effort trying to identify THEM. They just wanted retribution against the exit node operator. It was totally doing something for the sake of doing something, zero concern about solving any root problem. They had seemingly zero concern that their safety was a risk (I mean, from eventual action stronger than a death threat.)

They also had zero awareness that anonymous email had allowed this ennemy to be revealed before any physical violence.

The exit nodes have been known to be the weakest part of the tor design. It has been a logical theory for a while that all exit nodes are visible to the U.S. Govt.

This is just one way they can leave a system like Tor up for their uses and also make sure anything domestically is fully visible to them.

Surely that’s worse than the exit nodes?

The way I see it, the right approach is some kind of continuous communication where messages end up in fixed slots, where if no message would have gone, there’d have been a randomly generated message.

Is the burden undue?

A Tor exit node operator has made the ethical judgment call that they’re doing more good than harm. That might be a reasonable position to take, but I don’t think it’s unreasonable for us to expect an operator to face up to exactly what it is that they are doing. I’m fully on board with any bomb threats (as just one example) leading to a subpoena on the exit node operator who shielded the threat actor, even if the answer is the same every time.

Making the decision that you’re doing more good than harm requires you to fully understand the harm that you’re justifying, and law enforcement subpoenaing you every single time is one way to make it very clear what it is that you’re choosing.

Yes.

> A Tor exit node operator has made the ethical judgment call that they’re doing more good than harm.

They are. Absolutely. It’s not really a question.

> Making the decision that you’re doing more good than harm requires you to fully understand the harm that you’re justifying, and law enforcement subpoenaing you every single time is one way to make it very clear what it is that you’re choosing.

No, that’s just harassment.

It is fair that running an exit node might be inconvenient, maybe even to the point where consulting a lawyer is advisable, but I think we should draw a hard line at direct threats to an innocent person’s liberty, livelihood, and physical safety. That kind of fear is definitely an “undue burden”.

> it’s clear all you’re doing is running software. (Side note: I’m surprised how often attitudes on this site are at odds with the “hacker” part of “Hacker News”.)

I do not view software as amoral. It’s a tool, and like any tool it is an extension of myself. Software that I run is acting on my behalf, and what my software is designed to do is something that I should be held morally accountable for.

I’m not sure when the hacker ethos came to mean that “just running software” absolved you from having to account for the damage your software causes, but if that’s what the hacker ethos is about then yes, you can count me out.

Where is the presumption of guilt? A threat of violence was traced to their IP and they were served a subpoena to provide information that might lead to finding the threat actor before they actually hurt anyone. No one even accused OP of a crime, much less presumed their guilt.

Their lawyers warned them to prepare as though a raid would occur, but that’s the lawyers’ job: to prepare their clients for the worst just in case.

That’s not what subpoenas are for, and it would be a really stupid waste of time and resources. If you really want to do that, just send them an email.

They would know the full extent of the inconveniences regarding home raids and device seizures for long periods of time. This would disrupt their lives, work, and probably affect their ability to serve their clients’ legal troubles.

At the very least, I’m thankful for the efforts of the EFF and others that do know the law and help. But I’d imagine there’s a good case for separations of concerns here. Stay out of the legal troubles yourself so you can help others that do get caught up in it. One degree away.

> post office help people communicate coded messages about nefarious thing

The US postal service scans and stores the outside of every envelope and package they handle. Law enforcement agencies can query this metadata.

https://en.m.wikipedia.org/wiki/Mail_Isolation_Control_and_T…

> Doesn’t running a telephone network help people do the same?

They do, but they are not only share the metadata with law enforcement, but also let them wiretap. (Often they require a warrant for this, but that is not a hard burden for a LEO.) And this capability is not some aftertought, but deeply integrated into their tech stack.

Tor’s feature isn’t “communication” in the abstract, it’s anonymity. And yes, that can be used for good or for evil. But the upthread comment was saying how nice it was to run an exit node because it was “helping people”. And to the extent that’s true, I think correct thinking demands you also account for the harm.

And let’s be clear: Tor is definitely harmful. Almost all Tor traffic is some degree of nefarious. The tiny handful of dissidents are drowned in a sea of phishing and contraband.

I’m not going to make a value judgment on the use of tor, but I do think it’s important to be honest about how it may be used.

This is not why.

> As a consequence, I am personally no longer willing to provide my personal address&office-space as registered address for our non-profit/NGO as long as we risk more raids by running exit nodes.

This is why. It’s basically a textbook example of a chilling effect.

It only takes one person in LE to request to investigate this IP, and a single judge that isn’t entirely convinced that it will be worthless to try to sign it off.

If parts of the state wanted to harass operators systematically or organize to discourage TOR, they could do much worse.

“Why you need balls of steel to operate a tor exit node”

http://web.archive.org/web/20100414224255/http://calumog.wor…

The above is within the context of a western legal system, and certainly since it was written domestic law enforcement has become even more militarized and aggressive. I would be absolutely unsurprised if the same thing happened today and it resulted in a battering ram on the door at 0400 in the morning, flashbang grenades and the house being rampaged through by a SWAT team.

My assumption is that Germany has some sort of common-carrier privileges for Tor node operators. In America, telecoms can’t be sued for facilitating illegal activity. But they do have to assist law enforcement with finding criminals when requested.

Would be happy to hear from someone who is more knowledgeable in this area.

How do ISPs operate legally? Every single thing that’s ever been done over a Tor relay has crossed multiple ISPs.

They could keep logs, but they choose not to. They are intentionally unhelpful.

The reason they aren’t keeping logs is not for the privacy of others.

If I run an exit node, I know I am not reading the logs to garner personal information of others. And unless someone hacks my server and goes through the logs, which is extremely unlikely, noone else will read the logs either.

The only one reading the logs would be law enforcement.

By not keeping logs, you are intentionally hindering law enforcement.

This is why I keep a diary indicating every single person I’ve ever interacted with, along with the date, time and place. It’s a pain to do so and it takes up a lot of storage space and it makes people wary about interacting with me but I’d certainly never want to hinder law enforcement.

It is not a “pain” to set up logging. Most non-tor proxies implement logging. It would be a completely reasonable task for the tor project to implement logging by default.

No one would be any more “wary” to interact with your tor node. Trusting your node not to log would be foolish anyway. So whether you make known that you are logging, or whether you claim not to log (but might secretly do anyway) doesn’t make much of a difference.

The storage space a log takes up is negligible (unless you keep logs for unreasonably long times) on anything but the smallest systems. And since running a tor node takes quite a bit of processing power, you won’t be running your node on a system that can’t handle a few megabytes of logs.

The perspective is that in order for these actions to be ethical, you must log the traffic, or you should not bother setting up the node. It’s irresponsible to setup the node (which takes some amount of effort) but not do the precautionary part which makes it ethical.

You can believe otherwise if you’d like, but this is an ethical framework applied to many other parts of our society and it’s the thing that sets you apart from the ISPs, and generally it’s the thing accepted by the public at large.

I was not making any moral judgement on people operating tor nodes.

I was simply stating that you are, in fact, hindering law enforcement if you set up a non-logging proxy for the purposes of hindering law enforcement.

Whether that’s a good or a bad thing is up to you to decide. Clearly many people think it’s a good thing; good enough to go through the efforts of setting up a proxy.

Some tech companies have extremely sophisticated observability which dumps huge volumes data about the internal state of a program. Some companies have very limited observability beyond maybe logging “we just served a request”. Your argument suggests that companies who don’t have the extensive logs of the former are being intentionally unhelpful?

There are lots of reasons to not keep logs – lack of storage space, additional economic cost of doing so, slower response times due to overhead of observability, etc.

I mean, exit node operators are being intentionally unhelpful? They’re intentionally helping people who don’t want to be tracked. “I don’t want to give you the papers” and “I can’t give you the papers because I burned them so that I couldn’t give them to anybody” are equivalent morally; the only difference is that the latter is irreversible.

There are good reasons to not want to be tracked, but there are also bad reasons to not want to be tracked. Exit node operators have chosen to help both. Police on the whole tend not to be the kinds of people who understand the “good reasons not to want to be tracked” thing.

There are other differences. One is after the fact, the other is a decision made before the fact; one is specific (rejecting that request in particular), the other is general (all requests of that type are guaranteed to be affected equally).

It’s the same with, for instance, email retention policies. We accept that old messages are irrevocably deleted after X days, even when we require them to be produced once requested if they still exist.

Indeed it is. The intention and moral purpose of email deletion policies is to reduce the risk of embarrassing or incriminating emails being turned up as part of a lawsuit or investigation — in other words, to be unhelpful.

The legal justification for being unhelpful in both cases is that “this is just policy, we’re treating everyone the same”. That doesn’t change the fact that in both cases the intent was to be unhelpful to investigators.

I have long retention policies for things and life cycles for others. Information shouldn’t be permanently available to me if it’s not relevant or it’s a waste of resources.

It’s best to assume the government is a hostile, rabid actor who will seize any reachable assets and your freedom at any point they wish and proceed accordingly.

… or at least there never was in the past. The new wave of stupid and extremely broad “duty of care” laws that try to apply to the design of any and every communication service may change that. But it hasn’t been litigated anywhere.

It sounds like Germany extends some sort of carrier protection to Tor exit node operators. E.g. if someone organizes a drug deal over the phone, Verizon is not liable. But Verizon does have to meet some minimum standards of records keeping and law enforcement assistance (wire tapping).

Perhaps the most famous example is DMCA: (Google) is exempt from liabilities for hosting pirated movies on (YouTube) by US laws, on condition that it’s not actively involved with it and fully robotic with takedowns.

This largely conforms with how the first telecoms received immunity for abuse of their services. They retain logs and assist the government with investigations, and in exchange they are shielded from liability. WhatsApp and iMessage would probably cooperate to the same extent, minus wire-tapping messages in transit (because they can’t). That’s vastly greater cooperation than a tor exit node operator that retains no logs.s

I imagine for tor, the reason is that there are also good uses for tor. However i dont think “i intentionally know nothing” works as a defence in general.

Ianal

“Facilitation” as an offense in itself is one of those things that tends to be a real thing, but varies a lot depending on the jurisdiction. In most places, most of the time, you’re only going to get in trouble for facilitating crime if your service is especially set up to be unusually useful for crime. You’re especially vulnerable if you specifically designed it for crime. If those things apply, then knowing it’s being used for crime (but not necessarily on which specific occasions) can make it worse for you. Give or take, depending on where you live.

In the past, Tor nodes, even exit nodes, have mostly gotten a pass, at least in countries where most of them are located. They get raided all the time, but largely as cases of mistaken identity. That’s probably because most Tor traffic has historically probably been people trying to hide from ad tracking or people worried about their perfectly legal activities being spied on. So it’s hard to say the service is really aimed at illegal activity.

Things are tightening up worldwide, in statute and probably in case law, mostly because of Tor and other services possibly being swept in by standards primarily aimed at social media. We may start seeing Tor nodes targeted because Tor is now considered “too adapted to legal activity”, or even because node operators are “not doing enough to prevent” illegal activity (including redesigning the system if necessary).

But until fairly recently that’s been more what you’d expect to see in North Korea than what you’d expect to see in Germany (or the US).

With Tor Hidden Service there’s no exit node as such since traffic terminates inside the Tor network. The networking route is doubly anonymized so both the server and the client can’t track each other down.

1. Bob is running a Tor exit node.

2. Charlie is a government official investigating illegal content (use your imagination)

3. Charlie downloads illegal content via Tor

4. This content is sent to Charlie from Bob’s exit node.

5. Charlie observes that Bob’s exit node sent him illegal content.

I understand that even if Bob is raided and his computer searched, they cannot find the website hosting the illegal content. But Charlie would know that Bob helped deliver the illegal content. Tor Hidden Service does not anonymize the exit node from the client.

Charlie could only see the machine in the final step of requesting the illegal content it Charlie was hosting the hidden service themselves. These requests can come from many different Tor operators not just exit nodes.

Host -> Node 1 -> Node 2 -> … Bob -> Charlie

this obfuscates the Host from Charlie. But Charlie knows that Bob sent him illegal content. Yes, Bob didn’t host the content. The host is obfuscated. But Bob is still delivering illegal content and Charlie knows it.

Guard Relays usually don’t have these issues, since you have to be somewhat technical to actively probe relays by requesting content through tor. And technical people know there isn’t any point to rading an operator’s home.

Does BOB know they are delivering illegal content?

No… is it even possible to send unencrypted traffic by Tor? If it’s even possible, Charlie must be the only person in the world doing it.

He does when Charlie knocks on his door and informs him that he delivered CSE to him. Ignorance of the fact that one is breaking the law is rarely accepted as a defense. Carriers usually get this protection when when meet some standards of safeguards and cooperation with law enforcement.

Taking the wrong jacket by mistake is not theft, and operating the exit node through which someone downloads CSAM is not criminal possession of CSAM or knowing facilitation thereof.

That rarely happens in practice because prosecutors are usually pretty good at their jobs, and tend not to bring cases they can’t prove.

Is there some mechanism that prevents Charlie from knowing who sent the content to him? Fundamentally, you can’t stop the government from sniffing at the endpoint. Because they’re not really “sniffing” they’re just requesting content like any normal Tor user.

That is, in fact, the whole point of Tor. In the hidden service case, neither end can identify the other.

Host -> Node 1 -> Node 2 -> …. -> Bob -> Charlie.

Charlie doesn’t know where the Host is. But Charlie does know that Bob sent him illegal content. Or is that final link, from Bob to Charlie, also obfuscated somehow? If so, how did OP get raided by police if he’s supposed to be hidden?

1. Charlie is running a client and downloads something. In which case Bob is an entrance node, not an exit node, but it’s essentially the same thing. Charlie does know that the next hop is Bob. Depending on whether the ultimate destination is a hidden service or on the clearnet, Charlie may or may not know who’s running that service.

2. Charlie is running a hidden service, and somebody uploads something. Charlie knows that it came via Bob, but doesn’t know where it came from.

3. Charlie is running a regular clearnet Web server, and somebody uploads something to Charlie via Bob’s exit node. Again Charlie sees that the traffic comes from Bob.

In the first two cases, Charlie has to be actually running the Tor software, and knowingly using Tor. So Charlie also knows that (a) Bob is just a relay, (b) Bob doesn’t actually host the content, (c) Bob doesn’t handle more than a packet or two of the content at a time, and deletes those as soon as they’ve been relayed, (d) Bob doesn’t know, and can’t find out, what the content actually is, (e) Bob doesn’t know, and can’t find out, where the content originally came from, and (f) Bob is really unlikely to keep any record of the whole connection after the session is over, which means probably no more than 10 minutes or so.

If that’s enough to go after Bob, then it’s enough to go after Bob… but historically it hasn’t been. Bob can reasonably claim not only that he doesn’t know what that particular traffic was, but that, although he knows there’s probably some illegal traffic, most of the traffic he relays is probably legal.

In the third case, it looks to Charlie like Bob is the ultimate user. Unless Charlie does some investigation, Charlie may go raid Bob. But Charlie should then find out all that other stuff.

I think the most common actual case is that Charlie is running a honey pot, either as a hidden service or on the clearnet, and somebody gets the content from Charlie via Bob. But the same basic ideas apply.

The main issue isn’t that Charlie doesn’t know what the content is, but that Bob doesn’t.

(Oh, and on edit, just to be clear: In the first two cases, that “packet or two” that Bob may ephemerally buffer is encrypted so that Bob can’t read it, nor can any other relay. In the third case, where Charlie is a clearnet service, the end user is usually still using TLS, so Bob still can’t read it. And none of the non-exit relays can read it no matter what.)

But at the end of the day Charlie, the government agent, is catching Bob in the act of delivering illegal content.

Imagine a government agent buys drugs on the dark web and arrests the courier. The courier protests, “I didn’t know it was drugs, I didn’t ask what was in the package”. Do you think that defense is going to keep the courier out of prison?

It sounds like Germany is treating Tor operators as common carriers, and not holding them liable for content they delivery. They’re being quite generous in that regard, in most countries the node operators are probably not met with such leniency.

Yes. That happens every day.

> It sounds like Germany is treating Tor operators as common carriers,

That’s probably because they basically are common carriers. And the service isn’t particularly designed for illegal activity, even it can be useful for that. It’s especially not designed for activities that tend to be illegal in the “free world”.

> in most countries the node operators are probably not met with such leniency.

The Tor network has been running for about 20 years. There are on the order of thousands of relays. Unlike users, relay operators aren’t anonymous; there’s a public list of their IP addresses. The relays are all over most of Europe, especially Western Europe, and the Americas, especially the US and Canada, with a not-insignificant number of them in other countries.

So far as I know, nobody’s ever been arrested, let alone convicted, for running a Tor relay. If they have, it’s been in the sort of country where you also get arrested for running a newspaper. That may change soon, but it’s still the case so far. Oh, and a good chunk of the funding for development (but not relay operation) comes from the US government.

You say “leniency”, I say “not being an authoritarian hellhole”.

Well, yes, otherwise FedEx and UPS would quickly go out of business.

Juries aren’t stupid, they’re not going to buy it when the courier says, “I just saw this online ad for deliveries on the dark web. Sure, it paid way more than normal delivery jobs but that’s not cause for suspicion, right?”

And that’s exactly what a tor node is doing: delivering content from the dark web. As far as I’m concerned, Germany is being very generous in its decision to let these operators continue to operate despite knowing full well that they are enabling criminal activity.

I, recently, bought a computer mouse from an online shop. The courier who brought me the package had no idea it contained a computer mouse. It might have been listed on the manifest outside the package, but even then, the courier had no way of knowing whether that was true without opening the package.

So, yes, I do think that defense can keep the courier out of prison.

What part are you surprised isn’t forbidden? The part where it accepts connections anonymously? The part where data is encrypted in transit?

Exit node operators, like telecoms can be required to tell law enforcement everything they know about a user. The difference is they don’t know anything of value.

If someone leveraged your employment services to commit crime, would you consider yourself having facilitated illegal activity?

Measure of purposes, ‘legit or otherwise’, is not a law for anything ever.

But regardless, in both systems i am very certain your purpose (“intent”) matters a lot. (Details depend on the specific crime in question)

USC has extraterritorial power about everywhere but NK, Russia, and Iran either formally or through influence.

No. Their objective is to intimidate individuals, exhaust them, which leads to…

> As a consequence, I am personally no longer willing to provide my personal address&office-space as registered address for our non-profit/NGO as long as we risk more raids by running exit nodes. That is a risk I am just no longer willing to take anymore.

Which is totally understandable.

So I was specifically told by a detective.

*Australia has laws that requires ISPs to keep metadata for at least two years.

Yes, my intention was to say that it’ll get their attention, but as a single data point won’t justify a raid.

The detective said it to me as part of the conversation in which I was told I could collect my seized equipment, and it was said in a way that implied they thought I was still “guilty” despite the fact they found nothing incriminating in the multiple terabytes of data they seized.

The other (laughable) ‘red flag data points’ the detective mentioned were:

– The usage of virtual machines

– Having downloaded items from MEGA

Incredibly low bars for suspicion if you ask me, but then I know a bare minimum about technology…

if you use Tor you already know what’s going on. onion routing didn’t save anyone from anything in 20 years. the evils Tor enabled often seem to trace back to the very states and establishments who manage and tolerate them. drug cartels run several of the governments Tor ostensibly protects users from, and human trafficking is within a degree of most western establishments in every direction, from “NGOs” to intelligence operations to the sex trade.

if you want privacy, tech is an inferior solution. make nations that protect it.

Hard to imagine even a single would-be organizer who got side-quested into zealously advocating for Tor.

On the other hand– easy to imagine many digital utopianists who on principle don’t organize in the sense you mean, and some of them zealously advocating for Tor.

there’s quite a list and tbh, I can probably afford the humility.

  - This IP had malicious activity or is otherwise relevant to a (maybe complicated) case
  - It says "tor" on a landing page, or in WHOIS, or the IP is on the public list of nodes

… does “it will be 100% worthless to investigate” really follow from only this?

Some things to consider:

  - All kinds of other servers, services or proxies could also be running on or behind this IP
  - The node could be misconfigured in a variety of ways to keep forensic traces, even being a VM that is being snapshotted regularly
  - Some lunatic could be running an exit on his personal machine, but just coincidentally to the observed criminal activity
  - A high percentage of nodes is malicious, keeps logs, mines data, poisons traffic and tries opportunistic TLS stripping (those poor, naive souls clicking the warning away...)

It does NOT follow that there are no useful forensic traces to be found, not even that the traffic actually originates from the TOR network.

Not to encourage raids on node operators, but it is worthwhile to keep in mind that there could be actual reasoning behind these actions.

If you are smart about this, you can even get the relevant and obtainable info with little LE resources and without unduly harassing the operator.

It wouldn’t fix the “someone used my exit node to send a bomb treat” case though.

The tech is probably impossible, but I’m not seeing a moral case against it.

They’re going to assume until proven otherwise (by first confiscating all your electronics and sending them to a digital forensics lab to analyze them for 6-12 months) that some person who is physically present at that exact location is engaged in CSAM/CP or malicious/illegal activity.

Presumably still worth checking out in case a criminal is running a tor node as cover, but at the same time it seems unlikely someone is both technical enough to run a tor node but also doesn’t bother covering their tracks.

But that requires the (likely non-trivial) expense of a business premises for likely the sole purpose of running exit nodes.

On the other hand Germany does use flimsy excuses to crack down on services like Tor and that’s bad.

I am sorry for what your governments are about to do you, bc you will likely go through a very difficult time in the near future. Now, its Tor and Telegram – soon, every opinion you have shared will likely be scrutinized and used against you.

Good luck, European people. I am hoping the best for you.