
Surveillance State

July 25, 2008 5:01 AM PDT

University clears Tor snooping researchers of misconduct

by Chris Soghoian

An internal review by University of Colorado officials has found that a controversial research project conducted by a team of computer scientists did not constitute research misconduct. University lawyers have also stated their belief that the team probably did not violate US wiretapping laws.

As I reported in a blog post yesterday, a team of researchers from both the University of Colorado and University of Washington recently presented a controversial study in which they recorded a limited portion of the communications of users of Tor -- a popular anonymizing proxy network.

According to a written statement posted by the research team, an internal university review conducted on the 24th of July 2008 found that:

Based on our assessment and understanding of the issues involved in your work, our opinion was that by any reasonable standard, the work in question was not classifiable as human subject research, nor did it involve the collection of personally identifying information. While the underlying issues are certainly interesting and complex, our opinion is that in this case, no rules were violated by your not having subjected your proposed work to prior IRG scrutiny. Our analysis was confined to this IRG (HRC) issue.

In a statement made to the Boulder Daily Camera newspaper today, spokesman Bronson Hilliard said that University attorneys described the wiretap law as "broad." He added that "legal counsel's opinion was that there's no clear indication that there was any kind of criminal action on the part of the researchers."

The Electronic Communications Privacy Act (ECPA), which governs network surveillance and access to private stored communications, is particularly difficult to understand, something the US 9th Circuit Court of Appeals recognized when it described ECPA as "a complex, often convoluted, area of the law" (pdf). Computer scientists simply have no business making judgments about the legality of network monitoring and interception research -- and should, as the EFF advises, seek legal advice before doing so.

While I have strong personal objections to the methods employed by the researchers, the primary criticism in my original blog post was that the researchers had not sought a review of their project by university lawyers and the school's human subjects review board before conducting their study. Given that the University of Colorado was able to conduct both of these within 12 hours of the publication of my blog post yesterday, it is difficult to see how seeking such reviews ahead of time would have been any significant burden.

Personally Identifying Information

In reaching its decision, the University of Colorado review determined that the researchers did not collect any "personally identifying information" from users of the Tor network. This is in spite of the fact that for 15 days, the researchers collected the unique network addresses of each user sending data through their server.

While that may be the view of the University, there are certainly others that disagree. Back in February of this year, the European Union announced that it now considers IP addresses to be personally identifiable information.

IP addresses have been used by law enforcement to justify FBI raids on homes, by the record companies in copyright infringement suits, as well as in foreign countries, where suspects have been arrested and beaten because their IP addresses appeared in incriminating log files.

In the last few weeks, there has been a significant amount of discussion of this issue, after a court ordered YouTube to hand over the IP addresses of millions of users to Viacom as part of its massive copyright infringement suit against the video sharing site. While Google (which owns YouTube) has long argued that IP addresses are not personally identifying information, at least with regard to calls for the company to delete its own search log files, it rapidly changed its position once it was faced with the possibility of handing such data over to Viacom.

"Safe" storage of data

The researchers themselves admit that the data that they have collected is extremely sensitive. In their statement issued yesterday, they stated that "we took extreme caution in managing these traces and have not and will not plan to share them with other researchers."

If the information were not sensitive and could not potentially be used to identify Tor users, why would they need to take such care managing the data, and why could they not share it with others? If it is not personally identifying information, why don't they put it online?

The fact is that this information is extremely sensitive, and were it to fall into the wrong hands -- an oppressive foreign government that does not take kindly to anonymous speech -- users whose IP addresses could reveal their identity could soon find themselves subject to arrest, imprisonment or torture.

While we can be asked to trust this research team not to share the data with others, there is little that they can do if presented with a government subpoena, or other lawful request. Furthermore, there is always the risk that they could accidentally lose the data, or be the victim of data theft.

Finally, the researchers have not said how long they plan to hang onto this data. As much as I criticize Google, at least they partially anonymize their server logs after 18 months.

The only safe and responsible way to handle this sensitive data is to delete it. Anything else is simply irresponsible.
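As an added illustration of the alternatives this section weighs (raw retention versus the kind of partial anonymization attributed to Google versus outright deletion), the following Python sketch is not the researchers' code or anything from CNET. It shows a relay or proxy operator who must keep some per-connection record never storing the raw client address at all: only a truncated prefix (/24 for IPv4, /48 for IPv6) and a keyed pseudonym, with the pseudonymization key scoped to a weekly window and destroyed once that window falls outside the retention period, so old records become unlinkable even if a copy survives. The log entries, dates, addresses and the 30-day retention figure are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import date, timedelta


def truncate_ip(addr):
    """Keep only a coarse network prefix: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class MinimizingLog:
    """Connection log that never holds a raw client address.

    Records carry a truncated prefix plus an HMAC pseudonym.  The HMAC key is
    per weekly window and is deleted when the window ages out, which is
    deletion by key destruction: the pseudonyms left behind cannot be
    recomputed from any address, so they no longer identify anyone.
    """

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.keys = {}      # window start (a Monday) -> 32-byte HMAC key
        self.records = []   # (day, truncated prefix, pseudonym, byte count)

    @staticmethod
    def window_start(day):
        return day - timedelta(days=day.weekday())   # Monday of that week

    def pseudonym(self, addr, day):
        """Keyed pseudonym for addr in its window, or None if the key is gone."""
        w = self.window_start(day)
        if w not in self.keys:
            return None
        return hmac.new(self.keys[w], addr.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, day, client_addr, nbytes):
        w = self.window_start(day)
        if w not in self.keys:
            self.keys[w] = os.urandom(32)        # fresh key for a new window
        self.records.append((day, truncate_ip(client_addr),
                             self.pseudonym(client_addr, day), nbytes))

    def expire(self, today):
        """Drop records past retention and destroy keys for windows now empty."""
        cutoff = today - self.retention
        self.records = [r for r in self.records if r[0] >= cutoff]
        for w in [w for w in self.keys if w < self.window_start(cutoff)]:
            del self.keys[w]
        return len(self.records)


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, dates around this post.
    log = MinimizingLog(retention_days=30)
    log.record(date(2008, 6, 1), "203.0.113.9", 1500)
    log.record(date(2008, 7, 24), "198.51.100.77", 4200)
    log.record(date(2008, 7, 24), "2001:db8:abcd:1234::1", 900)
    print("kept after expiry:", log.expire(date(2008, 7, 25)))
    for r in log.records:
        print(r)
```

The pseudonym lets the operator count distinct clients within a week (the kind of per-country usage tally the study wanted) without the raw address ever touching disk, and once `expire` removes a window's key there is nothing left that a subpoena or a theft could turn back into a user.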

Be Nice to Privacy

To be clear -- my focus on this issue is not about enforcing the law, no matter how flawed it may be. There are many unjust laws that I despise, chief among them the Digital Millennium Copyright Act, and I will eagerly defend researchers who violate these.

Communications privacy laws, unlike the DMCA, are (mostly) written for our protection. After spending the last several months criticizing AT&T, and later the US Congress' complete capitulation for illegal wiretapping immunity, I do not see how I could rightfully defend these researchers. Yes, they had good intentions -- but then, so might have the Bush Administration when it asked the telecoms to help it spy on millions of Americans.

July 24, 2008 7:21 AM PDT

Researchers could face legal risks for network snooping

by Chris Soghoian

A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.

The team of two graduate students and three professors neither sought legal review of the project, nor ran it past the Human Subjects Committee at their university, putting them in a particularly dangerous position.

The academic paper, "Shining Light in Dark Places: Understanding the Tor Network" (pdf) was presented at the Privacy Enhancing Technologies Symposium yesterday, in Leuven, Belgium. The authors are listed as: Damon McCoy, Kevin Bauer, Dr. Dirk Grunwald, Dr. Tadayoshi Kohno and Dr. Douglas Sicker.

The goal of the project was to learn what kind of traffic was flowing over Tor -- a free network providing anonymous web and other Internet services to hundreds of thousands of users world-wide. Some of Tor's users include pro-democracy dissidents, journalists and bloggers in countries like China, Egypt and Burma who would otherwise face arrest and torture for their work.

Tor relies on volunteers who donate computing power and bandwidth to run approximately 2500 publicly accessible proxy servers, which are then used by hundreds of thousands of people to hide their Internet traffic.

In order to study Tor, the researchers set up their own 'exit node' server on the University of Colorado's high-speed network. For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network, thus revealing what kind of traffic was crossing the network, and the remote websites that Tor users were visiting. While the authors do not state how many sessions they snooped on, they do state that their server carried over 700GB of data.

In a second part of the study, the researchers ran an 'entry node' to the network for 15 days, which allowed them to determine the source IP address of a large number of Tor users. They used this to learn which countries use Tor more heavily than others. Note that in this second part of the study, the researchers did not have access to the destination site information, nor were they able to observe the kinds of traffic going through their server.

The researchers found that HTTP (web traffic) was responsible for 58% of their servers' bandwidth. They also found that the BitTorrent file-sharing protocol, while accounting for only 3% of the number of connections, was responsible for over 40% of the overall bandwidth. They also observed that German users were responsible for over 30% of the requests through their server.

No Legal Review Sought

In his presentation of the work at the PET Symposium yesterday, Kevin Bauer, one of the graduate students who wrote the paper, shed some light on the limited amount of legal analysis performed on the project.

Bauer said that the researchers "spoke informally with one lawyer, who told us that that area of the law is ill defined." Based on this, the researchers felt that it was "unnecessary to follow up with other lawyers."

The lawyer they spoke to was Professor Paul Ohm, who teaches at the University of Colorado Law School. Ohm has previously collaborated with two of the researchers on an earlier publication, which discussed the legal risks faced by academics engaged in network monitoring research. Ohm, a former federal computer crimes prosecutor, has also been the subject of some media attention in recent months, after he publicly stated that ISP-level advertising and traffic-shaping systems may violate US wiretap laws.

In a response to questions by this blogger, Professor Ohm seemed to attempt to distance himself from the researchers, writing by email:

I met with the research team once before they had finished their research, although I don't know how far along they were at that point. At the meeting, I gave them a very brief sketch about federal Wiretap law and they gave me a very brief sketch of their research. They seemed to have put in place a number of controls to try to minimize the risk of liability. I haven't seen the final paper (as far as I can recall).

I'm not their lawyer, and I've never been their lawyer, and I haven't produced any official or unofficial legal advice about their research, but because I spoke with them about this, I don't think it would be appropriate for me to give you any opinions about the research other than this brief statement.

Legal Risks

The Electronic Frontier Foundation, which wrote a legal guide for operators of Tor servers, strongly advises server administrators against snooping on their users. A section in the legal guide makes this clear:

Should I snoop on the plaintext that exits through my Tor relay?

No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications .... Do not examine the contents of anyone's communications without first talking to a lawyer.

While state laws vary, one immediate concern would be the Wiretap Act, a federal law that broadly prohibits snooping by network operators and others. The core prohibition of the Wiretap Act is found at section 2511(1)(a), which prohibits any person from "intentionally intercepting, or attempting to intercept, any wire, oral, or electronic communication." A violation of these rules is a Class D felony, and can result in fines up to $250,000 and up to 5 years in jail.

It is this same law that groups such as the ACLU and EFF sued AT&T and other telecom companies for violating, when they shared customer communication with the US National Security Agency. AT&T was able to obtain retroactive immunity from the US Congress, but only after spending tens of millions of dollars on lobbyists.

In order to learn more about the legal issues at play, I spoke with Kevin Bankston, the EFF lawyer who wrote the legal guide for Tor server operators, and who also led the EFF's lawsuit against AT&T. Bankston told me that:

"I agree that their logging the content exiting their nodes would appear to constitute interceptions of those electronic (not wire) communications under the Wiretap Act, and I don't think they qualify for the narrow provider exceptions [18 USC 2511, 2 (a) I], so I still see the same potential civil and criminal liability that was noted in our FAQ."

No Human Subjects Committee Review

In addition to possible legal issues, the project also raises serious ethical concerns related to the study of users' communications without their consent.

During his presentation, Bauer revealed that the researchers did not seek the approval of their university's Institutional Review Board -- a body that reviews research projects that involve human subjects. He said that, "we were advised that it wasn't necessary," adding that the IRB review process is "used more in medical and psychology research at our university," and was not generally consulted in computer science projects.

Information listed on the website of the University of Colorado's Human Research Committee states that: "All research involving human participants that is conducted by UCB faculty, staff or students must receive some level of review by the Human Research Committee."

Of particular concern to all Institutional Review Boards is any research that involves the study of participants under the age of 18, and other at-risk or vulnerable persons. Given that the users of the Tor network have gone out of their way to seek anonymity, and that in some cases, their discovery could lead to arrest or torture, it would seem that these users would almost certainly be considered to be vulnerable. Furthermore, it is quite likely that the snooped communications include at least a few users under the age of 18 -- something that the researchers did not address in their paper.

In a paper published earlier this year, Dr. Simson Garfinkel explored some of the common myths and pitfalls for computer security researchers that study real users and their behavior, and the need to submit their projects to an IRB review.

Dr. Garfinkel specifically deals with one of the researchers' claims:

Myth: Because the Common Rule exempts research involving subjects that cannot be identified, IRB approval is not required when using anonymized data

Although this would certainly be convenient, most institutions only allow a determination of exemption to be made by the IRB itself.

A request for clarification on these issues left with the director of the University of Colorado Human Research Committee had not been returned by press time.

Other concerns

In addition to the issues surrounding US legal liability, and ethical concerns over human subject testing -- there is one other problem: International law.

While the researchers are Americans, and conducted their study on a server based in the US, there is certainly an international angle to their study. Users from around the world sent traffic through the researchers' server, and as such more strict Canadian and European intercept and data privacy laws may apply.

Furthermore, one of the strongest privacy protections inherent in the Tor system is the complete lack of logging. That is, if law enforcement agencies approach a Tor server administrator seeking information on a user of the system, the admin can truthfully reply that they have no logs, and thus have nothing that they can be compelled to produce.

Taking questions before their presentation, two of the authors told me that they still have a copy of the data that they collected, and admitted that it was not currently stored on an encrypted disk. They did stress that it was, however, being kept in a "secure" location.

What this means of course, is that law enforcement agencies could easily subpoena this data, thus legally compelling the researchers into handing over the data. This places the users of the Tor network at a significant risk, one that certainly violates the expected social norms of the system.

During the question and answer session after his presentation, Bauer stated that the researchers were still not sure what they were going to do with the data set, and were exploring possibilities for releasing it to researchers in an anonymized and non-personally identifiable way. This statement was met with boos from the audience, which was mainly made up of privacy researchers and activists, a number of whom run their own legitimate Tor servers.

Caveat Emptor

While the US government did not send officials to this annual meeting of privacy researchers, the Canadian government did. A representative for Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario was in the audience during the presentation.

When asked for comment on the research project, and any potential impact for Canadian citizens who may have used the snooping Tor server, Cavoukian issued the following statement:

"Whether you run an ISP, a search engine, a Tor server node, or a research project, the principle of Data Minimization should rule. Universal privacy practices require that strong limits be placed on the processing and storage of personal data. In today's online world of constant data availability, privacy requires data minimization at every stage of the information life-cycle: If you don't need the data, don't collect it in the first place; if you don't need it any more, then destroy it securely -- don't keep it any longer than you need to. Full stop."

Wise words indeed.

March 5, 2008 4:27 PM PST

Wiretapping focus shifts to e-mail communications

by Chris Soghoian

The FISA fight is all about the e-mails, according to public comments made on Tuesday by a Department of Justice official.

For months, the debate has centered around immunity for telecom companies including AT&T, Verizon, and Sprint. The primary focus has been on the warrantless wiretapping of the phone calls made by millions of Americans. In comments made at a public meeting on Tuesday, Assistant Attorney General for National Security Kenneth Wainstein made clear that the FISA fight is not about foreign-to-foreign calls, but actually about Internet data. The Washington Post reports:

At the breakfast yesterday, Wainstein highlighted a different problem with the current FISA law than other administration officials have emphasized. Director of National Intelligence Mike McConnell, for example, has repeatedly said FISA should be changed so no warrant is needed to tap a communication that took place entirely outside the United States but happened to pass through the United States.

But in response to a question at the meeting by David Kris, a former federal prosecutor and a FISA expert, Wainstein said FISA's current strictures did not cover strictly foreign wire and radio communications, even if acquired in the United States. The real concern, he said, is primarily e-mail, because "essentially you don't know where the recipient is going to be" and so you would not know in advance whether the communication is entirely outside the United States.

What this means, of course, is that while the public outcry has been focused on AT&T, it should have included a few other firms, including perhaps Microsoft, Yahoo and Google.

If the NSA is interested in getting email messages, it can do so in one of two ways. First, it can tap the Internet backbone, through which almost all communications flow. Second, it can go directly to the major email providers.

The Backbone Providers

According to the relevant Wikipedia page, the Internet backbone (commonly understood to mean the collection of Tier 1 Internet service providers) is made up of: AOL Transit Data Network, AT&T, Global Crossing, Verizon Business (formerly UUNET), NTT Communications, Qwest, SAVVIS, and Sprint.

From numerous press reports, we already know that AT&T, Verizon, and Sprint are involved in the shady NSA wiretapping program. Furthermore, we also know that Qwest refused to participate as the government would not provide a FISA warrant.

That leaves AOL, Global Crossing, NTT Communications, and SAVVIS as other potential participants in any NSA effort to sniff email communications.

The Email Providers

With www.alqaeda.com, www.alqaeda.net and www.alqaeda.org owned by domain squatters, where should a would-be terrorist go for email? Microsoft's Hotmail of course.

In all seriousness, no terrorist worth his or her salt would advertise themselves by using a domain name related to their cause, and so it is far more likely that they would want to blend into the crowd of the hundreds of millions of other users of the major free email providers -- Yahoo, Microsoft Hotmail, and Google Mail.

The Protect America Act of 2007 permitted intelligence agencies to force Google, Yahoo and Microsoft to hand over a copy of every email passing through their systems which lists one non-US recipient. While the law expired in February, any orders initiated under the act can continue until August of this year.

It is unclear what the major email providers could have been forced to do before the Protect America Act. However, if email communications are the most important issue in the telecom immunity debate, we should certainly be looking carefully at these and other email providers. As other bloggers have previously discussed, the proposed legislation would provide immunity for all companies that assisted the administration in its illegal spying, not just AT&T and the other 2 telcos.

Public Comment and Denial

I made an effort to get a comment from a few of the major free email providers. However, I didn't bother with the backbone providers -- as I assumed I'd get the same "we respect privacy and will respond to lawful requests" line that is common in the industry.

Microsoft's PR people were nice enough to let me know that the company has over 300 million active email accounts. When asked how many of those accounts the company had turned over to US intelligence agencies, the company declined to comment.

Google was a bit more verbose. Its spokesperson told me that: "As our privacy policy states, we comply with law enforcement requests made with proper service. We do not discuss specific law enforcement requests and generally do not share aggregate information about them. There are also some legal restrictions on what information we can share about law enforcement requests."

As Wired's Ryan Singel has often noted, Google could easily tell us how many divorce lawyers, copyright holders and law enforcement agencies are probing people's search histories and emails. The company chooses not to, primarily because doing so would shed light on how much information the company has, and how often it is forced to share it with third parties.

One thing is clear: With the proposed immunity bill looking like it will pass this week, members of the media and the privacy community should pay close attention to Google, Microsoft, Yahoo, and the major operators of the Internet backbone. The immunity provisions will just as equally apply to them -- and up until now, they've received almost no scrutiny at all.

October 19, 2007 7:30 AM PDT

Secure instant messaging for the masses

by Chris Soghoian

With the majority of the Democrats caving in to the Bush administration's demands for full immunity for the telecom companies' for-profit collusion in the NSA's illegal wiretapping program, it seems to be clear that the Fourth Amendment and federal antiwiretapping laws are no longer enough to keep our communications secure. Laws stating that "thou shalt not listen to your customers' phone calls" no longer seem to have any bite. Or at least, they don't as long as telco lobbying coupled with massive political contributions can turn once critical senators into kindly old men willing to forgive and forget.

AT&T: Your World. Delivered. To the NSA

(Credit: Electronic Frontier Foundation)

Thus, now that AT&T and Verizon are free to provide the NSA with a full copy of all Internet traffic that flows over their networks, I thought that perhaps it'd be a good idea to discuss proactive technical solutions that users can utilize to protect their own privacy. The primary focus of today's blog post is on one small area of user privacy, but one which is perhaps the least well known by the average joe, yet which is extremely vulnerable: instant messaging. The question to be answered today is: how can nontechnical users secure their own instant-messaging conversations such that an attacker is unable to listen in (be it the government or a nosy neighbor sniffing the wireless network from next door).

The major IM networks, which include AOL IM/iChat, MSN, and Google Talk (when using the Gmail embedded chat function) all send data in the clear. Using IM over an unencrypted wireless network (such as at a coffee shop or hotel lobby) is an open invitation for nasty folks to read your conversations. Those people using the downloadable Google Talk client will at least have their conversations encrypted between their own computers and Google's servers - but that doesn't solve the problem of the NSA forcing/paying Google to hand over your data. Likewise, AOL confirmed in 2005 that if presented with a court order, it would let the government eavesdrop on IM conversations between customers.

The solution then, is to use an encrypted instant-messaging program--one made by a third party and not one of the major IM networks. That is, a software client with which the conversation is encrypted from one user's computer all the way to the recipient--and not just to the central servers of the IM network. While the popular Trillian multinetwork client does offer encryption, its design is flawed, and is subject to a number of attacks. The tool of choice for privacy-conscious geeks everywhere is a protocol known as Off The Record (OTR). This scheme, designed by a team of security researchers including professors Ian Goldberg and Nikita Borisov, provides a number of really cool features. The benefits of OTR include:

  • Encryption: No one else can read your instant messages.
  • Authentication: You are assured the correspondent is who you think it is.
  • Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
  • Perfect forward secrecy: If you lose control of your private keys (such as if your computer is hacked, for example), no previous conversation is compromised.
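To make the four properties above concrete, here is an added Python walk-through. It is not code from the OTR project and is not a secure implementation: it stands in for OTR's real primitives with Python-standard-library pieces (a constructed toy-sized Diffie-Hellman group, HMAC-SHA256 for both key derivation and message authentication, and an HMAC-derived keystream in place of AES-CTR). What it does show faithfully is the structure that gives OTR its properties: ephemeral per-conversation keys, authentication by a shared MAC key rather than a signature (so either party can forge, which is the deniability), and a later key compromise that does not unlock an earlier session's transcript.

```python
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman parameters (127-bit Mersenne prime, g = 2).
# Far too small for real use; OTR itself uses a 1536-bit MODP group.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Fresh ephemeral DH key pair; OTR makes a new one per conversation."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared_secret):
    """Split the DH secret into an encryption key and a separate MAC key."""
    root = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def keystream(enc_key, counter, length):
    """HMAC-SHA256 in counter mode, a stand-in for OTR's AES-CTR."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(keys, counter, plaintext):
    """Encrypt, then MAC (counter + ciphertext) with the shared MAC key."""
    enc_key, mac_key = keys
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, counter, len(plaintext))))
    tag = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return counter, ct, tag


def open_(keys, message):
    """Verify the MAC, then decrypt; None means altered, or sealed under other keys."""
    enc_key, mac_key = keys
    counter, ct, tag = message
    expected = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, counter, len(ct))))


def run_session(plaintexts):
    """Alice and Bob agree ephemeral keys and Alice sends each plaintext.
    The private keys are returned only so the demo can model a compromise."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    keys = derive_keys(pow(b_pub, a_priv, P))
    assert keys == derive_keys(pow(a_pub, b_priv, P))   # both sides agree
    transcript = [seal(keys, i, pt) for i, pt in enumerate(plaintexts)]
    return {"pub": (a_pub, b_pub), "priv": (a_priv, b_priv),
            "keys": keys, "transcript": transcript}


def check_otr_properties(plaintexts):
    """Exercise encryption, authentication, deniability and forward secrecy."""
    s1 = run_session(plaintexts)
    keys = s1["keys"]
    # Encryption: Bob recovers the text; the wire carries only ciphertext.
    recovered = [open_(keys, m) for m in s1["transcript"]]
    # Authentication: flipping one ciphertext bit makes the MAC check fail.
    ctr, ct, tag = s1["transcript"][0]
    tampered = open_(keys, (ctr, bytes([ct[0] ^ 1]) + ct[1:], tag)) is None
    # Deniability: the MAC key is shared, so Bob (or anyone who later holds it;
    # OTR publishes old MAC keys on purpose) can build a message that verifies
    # exactly like Alice's.  A third party cannot tell the two apart.
    forged = open_(keys, seal(keys, 99, b"I never said this")) == b"I never said this"
    # Perfect forward secrecy: a later session uses new ephemeral keys.  Someone
    # who steals session 2's private key and holds session 1's recorded
    # transcript still gets nothing (in a real-size group; the toy group here
    # only illustrates the mechanism).
    s2 = run_session([b"later"])
    guess = derive_keys(pow(s1["pub"][1], s2["priv"][0], P))
    old_unreadable = all(open_(guess, m) is None for m in s1["transcript"])
    return {"recovered": recovered == list(plaintexts), "tamper_detected": tampered,
            "forgery_verifies": forged, "old_session_unreadable": old_unreadable}


if __name__ == "__main__":
    print(check_otr_properties([b"hello bob", b"meet at noon"]))
```

The forgery check is the point most people miss: it is a feature, not a bug. Because the only thing that authenticates a message is a key both parties hold, a logged OTR conversation is no evidence that either party wrote it, which a signed message (as in PGP-style email) would be.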

An encrypted conversation in Adium

(Credit: The Adium Dev Team)

The OTR team doesn't actually produce its own instant-messaging client. Instead, it has released an open-source library that other IM programs can include--which hopefully means that as more and more clients adopt it, users will be able to conduct safe and encrypted conversations with people who use an IM program different than their own. Right now, the OTR team distributes a plugin for Pidgin, the popular multiplatform IM client. Adium, a popular IM client for Mac OS X, has OTR support built in. There are third-party plugins for the Kopete, Miranda and Trillian IM clients. Best of all: OTR is IM-protocol-independent. That is, once you have an OTR-enabled client installed, you can communicate with friends on different IM networks, be it AIM, Google Talk or others, as long as your friends also have OTR-friendly IM software.

Linux and Windows users are probably best off using the Pidgin IM client, which works with all of the popular IM networks and then installing the OTR plugin. For Linux users, it should be as simple as installing the Pidgin-OTR package with your respective package manager. Windows users will want to download the Pidgin-OTR plugin from the OTR Web site. Mac users: you're in luck. You can be lazy, and simply download Adium, which has OTR out of the box.

Once you have an OTR-enabled client installed, it's as simple as clicking on the lock icon in any conversation window. You'll be asked to accept an encryption key the first time you chat--which you should verify with your pal by some form of non-IM conversation (the phone, in person, etc). After that, all future communications with that person should be encrypted without any more work. That's it. Secure communications, free from prying next-door neighbors or privacy-invading spooks.


About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
