An internal review by University of Colorado officials has found that a controversial research project conducted by a team of computer scientists did not constitute research misconduct. University lawyers have also stated their belief that the team probably did not violate US wiretapping laws.
As I reported in a blog post yesterday, a team of researchers from both the University of Colorado and University of Washington recently presented a controversial study in which they recorded a limited portion of the communications of users of Tor -- a popular anonymizing proxy network.
According to a written statement posted by the research team, an internal university review conducted on the 24th of July 2008 found that:
Based on our assessment and understanding of the issues involved in your work, our opinion was that by any reasonable standard, the work in question was not classifiable as human subject research, nor did it involve the collection of personally identifying information. While the underlying issues are certainly interesting and complex, our opinion is that in this case, no rules were violated by your not having subjected your proposed work to prior IRG scrutiny. Our analysis was confined to this IRG (HRC) issue.
In a statement made to the Boulder Daily Camera newspaper today, spokesman Bronson Hilliard said that University attorneys described the wiretap law as "broad." He added that "legal counsel's opinion was that there's no clear indication that there was any kind of criminal action on the part of the researchers."
The Electronic Communications Privacy Act (ECPA), which governs network surveillance and access to private stored communications is particularly difficult to understand, something the US 9th Circuit Court of Appeals recognized when it described ECPA as "a complex, often convoluted, area of the law" (pdf). Computer scientists simply have no business making judgments about the legality of network monitoring and interception research -- and should, as the EFF advises, seek legal advice before doing so.
While I have strong personal objections to the methods employed by the researchers, the primary criticism in my original blog post was that the researchers had not sought a review of their project by university lawyers and the school's human subjects review board before conducting their study. Given that the University of Colorado was able to conduct both of these within 12 hours of the publication of my blog post yesterday, it is difficult to see how seeking such reviews ahead of time would have been any significant burden.
Personally Identifying Information
In reaching its decision, the University of Colorado review determined that the researchers did not collect any "personally identifying information" from users of the Tor network. This is in spite of the fact that for 15 days, the researchers collected the unique network addresses of each user sending data through their server.
While that may be the view of the University, there are certainly others that disagree. Back in February of this year, the European Union announced that it now considers IP addresses to be personally identifiable information.
IP addresses have been used by law enforcement to justify FBI raids on homes, by the record companies in copyright infringment suits, as well as in foreign countries, where suspects have been arrested and beaten because their IP addresses appeared in an incriminating log files.
In the last few weeks, there has been a significant amount of discussion of this issue, after a court ordered YouTube to hand over the IP addresses of millions of users to Viacom as part of its massive copyright infringement suit against the video sharing site. While Google (which own YouTube) has long argued that IP addresses are not personally identifying information, at least with regard to calls for the company to delete its own search log files, it rapidly changed its position once it was faced with the possibility of handing such data over to Viacom.
"Safe" storage of data
The researchers themselves admit that the data that they have collected is extremely sensitive. In their statement issued yesterday, they stated that "we took extreme caution in managing these traces and have not and will not plan to share them with other researchers."
If the information was not sensitive and could be potentially used to identify Tor users, why would they need to take such care managing the data, and why could they not share it with others? If it is not personally identifying information, why don't they put it online?
The fact is that this information is extremely sensitive, and were it to fall into the wrong hands -- an oppressive foreign government that does not take kindly to anonymous speech -- users whose IP addresses could reveal their identity could soon find themselves subject to arrest, imprisonment or torture.
While we can be asked to trust this research team not to share the data with others, there is little that they can do if presented with a government subpoena, or other lawful request. Furthermore, there is always the risk that they could accidentally lose the data, or be the victim of data theft.
Finally, the researchers have not said how long they plan to hang onto this data. As much as I criticize Google, at least they partially anonymize their server logs after 18 months.
The only safe and responsible way to handle this sensitive data is to delete it. Anything else is simply irresponsible..
Be Nice to Privacy
To be clear -- my focus on this issue is not about enforcing the law, no matter how flawed it may be. There are many unjust laws that I despise, chief among them the Digital Millennium Copyright Act, and I will eagerly defend researchers who violate these.
Communications privacy laws, unlike the DMCA, are (mostly) written for our protection. After spending the last several months criticizing AT&T, and later the US Congress' complete capitulation for illegal wiretapping immunity, I do not see how I could rightfully defend these researchers. Yes, they had good intentions -- but then, so might have the Bush Administration when it asked the telecoms to help it spy on millions of Americans.
A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.
The team of two graduate students and three professors neither sought legal review of the project, nor ran it past the Human Subjects Committee at their university, putting them in a particularly dangerous position.
The academic paper, "Shining Light in Dark Places: Understanding the Tor Network" (pdf) was presented at the Privacy Enhancing Technologies Symposium yesterday, in Leuven, Belgium. The authors are listed as: Damon McCoy, Kevin Bauer, Dr. Dirk Grunwald, Dr. Tadayoshi Kohno and Dr. Douglas Sicker.
The goal of the project was to learn what kind of traffic was flowing over Tor -- a free network providing anonymous web and other Internet services to hundreds of thousands of users world-wide. Some of Tor's users include pro-democracy dissidents, journalists and bloggers in countries like China, Egypt and Burma who would otherwise face arrest and torture for their work.
Tor relies on volunteers who donate computing power and bandwidth to run approximately 2500 publicly accessible proxy servers, which are then used by hundreds of thousands of people to hide their Internet traffic.
In order to study Tor, the researchers setup their own 'exit node' server on the University of Colorado's high-speed network. For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network, thus revealing what kind of traffic was crossing the network, and the remote websites that Tor users were visiting. While the authors do not state how many sessions they snooped on, they do state that their server carried over 700GB of data.
In a second part of the study, the researchers ran an 'entry node' to the network for 15 days, which allowed them to determine the source IP address of a large number of Tor users. They used this to learn which countries use Tor more heavily than others. Note that in this second part of the study, the researchers did not have access to the destination site information, nor were they able to observe the kinds of traffic going through their server.
The researchers found that HTTP (web traffic) was responsible for 58% of their servers' bandwidth. They also found that the BitTorrent file-sharing protocol, while accounting for only 3% of the number of connections, was responsible for over 40% of the overall bandwidth. They also observed that German users were responsible for over 30% of the requests through their server.
No Legal Review Sought
In his presentation of the work at the PET Symposium yesterday, Kevin Bauer, one of the graduate students who wrote the paper shed some light on the limited amount of legal analysis performed on the project.
Bauer said that the researchers "spoke informally with one lawyer, who told us that that area of the law is ill defined" based on this, the researchers felt that it was "unnecessary to follow up with other lawyers."
The lawyer they spoke to was Professor Paul Ohm, who teaches at the University of Colorado Law School. Ohm has previously collaborated with two of the researchers on an earlier publication, which discussed the legal risks faced by academics engaged network monitoring research. Ohm, a former federal computer crimes prosecutor, has also been the subject of some media attention in recent months, after he publicly stated that ISP-level advertising and traffic-shaping systems may violate US wiretap laws .
In a response to questions by this blogger, Professor Ohm seemed to attempt to distance himself from the researchers, writing by email:
I met with the research team once before they had finished their research, although I don't know how far along they were at that point. At the meeting, I gave them a very brief sketch about federal Wiretap law and they gave me a very brief sketch of their research. They seemed to have put in place a number of controls to try to minimize the risk of liability. I haven't seen the final paper (as far as I can recall).
I'm not their lawyer, and I've never been their lawyer, and I haven't produced any official or unofficial legal advice about their research, but because I spoke with them about this, I don't think it would be appropriate for me to give you any opinions about the research other than this brief statement.
Legal Risks
The Electronic Frontier Foundation, which wrote a legal guide for operators of Tor servers, strongly advises server administrators against snooping on their users. A section in the legal guide makes this clear:
Should I snoop on the plaintext that exits through my Tor relay?
No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications .... Do not examine the contents of anyone's communications without first talking to a lawyer.
While state laws vary, one immediate concern would be the Wiretap Act, a federal law that broadly prohibits snooping by network operators and others. The core prohibition of the Wiretap Act is found at section 2511(1)(a), which prohibits any person from intentionally intercepting, or attempting to intercept, any wire, oral, or electronic communication." A violation of these rules is is a Class D felony, and can result in fines up to $250,000 and up to 5 years in jail.
It is this same law that groups such as the ACLU and EFF sued AT&T and other telecom companies for violating, when they shared customer communication with the US National Security Agency. AT&T was able to obtain retroactive immunity from the US Congress, but only after spending tens of millions of dollars on lobbyists.
In order to learn more about the legal issues at play, I spoke with Kevin Bankston, the EFF lawyer who wrote the Legal guide for Tor server operators, and who also lead the EFF's lawsuit against AT&T. Bankston told me that:
"I agree that their logging the content exiting their nodes would appear to constitute interceptions of those electronic (not wire) communications under the Wiretap Act, and I don't think they qualify for the narrow provider exceptions [18 USC 2511, 2 (a) I], so I still see the same potential civil and criminal liability that was noted in our FAQ."
No Human Subjects Committee Review
In addition to possible legal issues, the project also raises serious ethical concerns related to the study of users' communications without their consent.
During his presentation, Bauer revealed that the researchers did not seek the approval of their university's Institutional Review Board -- a body that reviews research projects that involve human subjects. He said that, "we were advised that it wasn't necessary," adding that the IRB review process is used "used more in medical and psychology research at our university," and was not generally consulted in computer science projects
Information listed on the website of the University of Colorado's Human Research Committee states that: "All research involving human participants that is conducted by UCB faculty, staff or students must receive some level of review by the Human Research Committee."
Of particular concern to all Institutional Review Boards is any research that involves the study of participants under the age off 18, and other at risk or vulnerable persons. Given that the users of the Tor network have gone out of their way to seek anonymity, and that in some cases, their discovery could lead to arrest or torture, it would seem that these users would almost certainly be considered to be vulnerable. Furthermore, it is quite likely that the snooped communications include at least a few users under the age of 18 -- something that the researchers did not address in their paper.
In a paper published earlier this year, Dr. Simson Garfinkel explored some of the common myths and pitfalls for computer security researchers that study real users and their behavior, and the need to submit their projects to an IRB review.
Dr Garfinkel specifically deals with one of the researcher's claims:
Myth: Because the Common Rule exempts research involving subjects that cannot be identified, IRB approval is not required when using anonymized data
Although this would certainly be convenient, most institutions only allow a determination of exemption to be made by the IRB itself.
A request for clarification on these issues left with the director of the University of Colorado Human Research Committee had not been returned by press time.
Other concerns
In addition to the issues surrounding US legal liability, and ethical concerns over human subject testing -- there is one other problem: International law.
While the researchers are Americans, and conducted their study on a server based in the US, there is certainly an international angle to their study. Users from around the world sent traffic through the researchers' server, and as such more strict Canadian and European intercept and data privacy laws may apply.
Furthermore, one of the strongest privacy protections inherent in the Tor system is the complete lack of logging. That is, if law enforcement agencies approach a Tor server administrator seeking information on a user of the system, the admin can truthfully reply that they have no logs, and thus have nothing that they can be compelled to produce.
Taking questions before their presentation, two of the authors told me that they still have a copy of the data that they collected, and admitted that it was not currently stored on an encrypted disk. They did stress that it was, however, being kept in a "secure" location.
What this means of course, is that law enforcement agencies could easily subpoena this data, thus legally compelling the researchers into handing over the data. This places the users of the Tor network at a significant risk, one that certainly violates the expected social norms of the system.
During the question and answer session after his presentation, Bauer stated that the researchers were still not sure what they were going to do with the data set, and were exploring possibilities for releasing it to researchers in an anonymized and non-personally identifiable way. This statement was met with boos from the audience, which was mainly made up of privacy researchers and activists, a number of whom run their own legitimate Tor servers.
Caveat Emptor
While the US government did not send officials to this annual meeting of privacy researchers, the Canadian government did. A representative for Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario was in the audience during the presentation.
When asked for comment on the research project, and any potential impact for Canadian citizens who may have used the snooping Tor server, Cavoukian issued the following statement:
"Whether you run an ISP, a search engine, a Tor server node, or a research project, the principle of Data Minimization should rule. Universal privacy practices require that strong limits be placed on the processing and storage of personal data. In today's online world of constant data availability, privacy requires data minimization at every stage of the information life-cycle: If you don't need the data, don't collect it in the first place; if you don't need it any more, then destroy it securely -- don't keep it any longer than you need to. Full stop."
Wise words indeed.
In a recent blog posting, a German operator of a Tor anonymous proxy server revealed that he was arrested by German police officers at the end of July. Although he was released shortly afterwards, information about the arrest had been kept quiet until his lawyers were able to get the charges dropped.
Tor Project Logo
(Credit: Tor Project)Tor is a privacy tool designed to allow users to communicate and browse anonymously on the Internet. It's endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistle blowers and human rights workers to communicate with journalists. Tor provides anonymous Web-browsing software to hundreds of thousands of users around the world, according to its developers. The largest numbers of users are in the United States, the European Union and China.
The police were investigating a bomb threat posted to an online forum for German police officers. The police traced one of the objectionable posts on the forum to the IP address for Janssen's server. Up until his arrest, Alex Janssen's Tor server carried more than 40GB of random strangers' Internet traffic each day.
Showing up at his house at midnight on a Sunday night, police cuffed and arrested him in front of his wife and seized his equipment. In a display of both bitter irony and incompetence, the police did not take or shutdown the Tor server responsible for the traffic they were interested in, which was located in a different city, more than 500km away.
Janssen's attempts to explain what Tor is to the police officers initially fell on deaf ears. After being interrogated for hours, someone from the city of Düsseldorf's equivalent of the Department of Homeland Security showed up and admitted to Janssen that they'd made a mistake. He was released shortly after.
Germany is clearly not going out of its way to make computer security researchers and activists feel too welcome. Germany recently passed a law that "renders the creation and distribution of software illegal that could be used by someone to break into a computer system or could be used to prepare a break in. This includes port scanners like nmap, security scanners like nessus [as well as] proof of concept exploits."
Back in summer 2006, German authorities conducted a simultaneous raid of seven different data centers, seizing 10 Tor servers in the process. Agents took the servers believing them to be related to a child porn investigation. Furthermore, in 2003 a German court ordered the developers of the Jap anonymity system, a completely different project than Tor, to create a back-door in their system to be used in national security investigations.
This event does raise some interesting legal questions. If 40GB of other people's Internet traffic flows through your own home network, can authorities, be they the RIAA or FBI, reasonably link anything that has been tracked to your computer's IP address to you?
Does setting up a Tor server give you the ultimate plausible deniability card? "No officer, that BitTorrent download wasn't mine. It was from one of the thousands of people who route their Internet traffic through the anonymizing sever on my home network."
The ability to have a believable claim to plausible deniability is something that some of us have been attempting to get for a while by having an open wireless access point at home. And 40GB of Internet traffic from perfect strangers may be more significant in the eyes of a court than the possibility of one or two of your neighbors connecting to your wireless network. All of this, for now, remains theoretical. No Tor-related case has made it to the courts.. but it's just a matter of time until one does.
- prev
- 1
- next
