sadly, naively turning up tor to help folk who wish to be anonymous in
hard times gets one a lot of assertive email from self-important people
who wear formal clothes.
folk who learn this the hard way may find a pointer passed to me by smb
helpful, <http://www.chrisbrunner.com/?p=119>.
randy
If bittorrent of copyrighted material is the most illegal thing you
helped facilitate while running tor, and all you got was an assertive
e-mail because of it, you should consider yourself extremely lucky.
Anonymity against privacy invasion and for political causes sure sounds
like a great concept, but in reality it presents too tempting a target
for abuse. If you choose to open up your internet connection to anyone
who wants to use it, you should be prepared to be held accountable for
what those anonymous people do with it. I'm sure you don't just sell
transit to any spammer who comes along without researching them a little
first, why should this be any different?
Richard A Steenbergen wrote:
Hi Richard,
It is a more complicated issue than that.
There is a long established legal tradition that telecommunication transport is not liable for the content it transmits. It's called common carrier. If someone makes an obscene phone call, the phone company cannot be held liable. Yes, if the client subsequently complains and asks for that number to be blocked and the phone company does nothing, that's different.
But the general principle is that anyone who transmits bits is not liable for content.
Unfortunately in my personal view that principle never got established in the Layer 3 world.
So we now have governments trying to use ISPs as censors, regulators, and enforcers of public policy.
There may be some cases such as spamming where the ISPs have to take some responsibility, but it is really hard to find an appealing principle that articulates what should and should not be the ISP's responsibility.
Roderick S. Beck
Director of European Sales
Hibernia Atlantic
13-15, rue Sedaine, 75011 Paris
http://www.hiberniaatlantic.com
Wireless: 33+6+8692+5357.
French Landline: 33+1+4355+8224
AOL Messenger: GlobalBandwidth
rod.beck@hiberniaatlantic.com
info@globalwholesalebandwidht.com
``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.
OK -- I looked at that part of the US Code
(http://www4.law.cornell.edu/uscode/47/230.html). Apart from the fact
that the phrase "common carrier" does not occur in that section,
subparagraph (f)(2) says:
Nothing in this section shall be construed to limit or expand
any law pertaining to intellectual property.
Perhaps you're referring to the law exempting ISPs from liability for
user-created content? (I don't have the citation handy.) If so,
remember that that law requires response to take-down notices.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
OK -- I looked at that part of the US Code
(http://www4.law.cornell.edu/uscode/47/230.html). Apart from the fact
that the phrase "common carrier" does not occur in that section,
subparagraph (f)(2) says:
Nothing in this section shall be construed to limit or expand
any law pertaining to intellectual property.
Perhaps you're referring to the law exempting ISPs from liability for
user-created content? (I don't have the citation handy.) If so,
remember that that law requires response to take-down notices.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Well, let's push a little harder. If I transfer stolen intellectual property over the Internet using simple file transfer, I don't believe any court is going to accept that the ISP has liability.
So what is the underlying principle? Mind you the law is ad hoc most of the time. This whole area is fuzzy to the point of being a pea soup fog ...
This has nothing to do with telecommunications or any kind of carrier or
business relationship. This is intentionally leaving your computer open
so that anyone on the Internet can come along and appear to be coming
from your IP, where they will promptly set off doing bad stuff that will
get traced back to you rather than them. Think of it like intentionally
leaving your car unlocked with the keys in the ignition and a note
authorizing people to borrow it and take it for a spin, and then
expecting not to get into any kind of trouble when they rack up speeding
tickets and/or use it to run someone over.
Besides, the kind of consequencies I'm talking about are "having your
internet account shut off for abuse"... But if you do happen to be one
of those unlucky people who gets sued for downloading illegal content I
don't think "but your honor I was running tor" is the defense you're
looking for. 
You're referring to the DMCAs safe harbor provision.
-brandon
This has nothing to do with telecommunications or any kind of carrier or
business relationship. This is intentionally leaving your computer open
so that anyone on the Internet can come along and appear to be coming
from your IP, where they will promptly set off doing bad stuff that will
get traced back to you rather than them. Think of it like intentionally
leaving your car unlocked with the keys in the ignition and a note
authorizing people to borrow it and take it for a spin, and then
expecting not to get into any kind of trouble when they rack up speeding
tickets and/or use it to run someone over.
Besides, the kind of consequencies I'm talking about are "having your
internet account shut off for abuse"... But if you do happen to be one
of those unlucky people who gets sued for downloading illegal content I
don't think "but your honor I was running tor" is the defense you're
looking for.
Richard A Steenbergen wrote:
I'm not going to try and play armchair lawyer here (since my original
comment was about the ethical and practical implications, i.e. your
insurance co would probably tell you to piss off when you filed a claim
about your trashed car, rather than the legal ones), but...
If you did this activity with the express purpose of helping someone
else hide their identity, and thus their crime could be traced back to
you but no further, you might end up looking like you were aiding and
abetting.
Bottom line, this simply isn't common carrier activity, and when these
anonymous users decide to abuse your trust you are the one who will
suffering the consequences.
Richard,
The question is how much ISPs should be responsible for the actions of their clients.
My point is that is not obvious where you draw the line.
I have yet to see anyone, including yourself, articulate a general principle (maybe it doesn't exist).
Roderick S. Beck
Director of European Sales
Hibernia Atlantic
13-15, rue Sedaine, 75011 Paris
http://www.hiberniaatlantic.com
Wireless: 33+6+8692+5357.
French Landline: 33+1+4355+8224
AOL Messenger: GlobalBandwidth
rod.beck@hiberniaatlantic.com
info@globalwholesalebandwidht.com
``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.
My gosh...
Ok, so if someone happens to talk about murder over the phone, is the phone
company providing the service held liable?
Lets get back to rational/informative content please.
-Joe Blanchard
This is rapidly heading off topic, and I imagine the MLC will be stepping in shortly.
Joe Blanchard wrote:
My gosh...
Ok, so if someone happens to talk about murder over the phone, is the phone
company providing the service held liable?Lets get back to rational/informative content please.
The phone company still has to provide records of who owns the phone number and perhaps allow a tap of the phone depending on court orders. I seem to have to maintain a CALEA server and compliance which I will probably never use but is mandated by law. If the courts find they can never find the owner of an IP, then the laws will mandate that we maintain such records; and in fact, there has been more than one bill for provisioning the storage of all emails for subpoena purposes.
I'm not familiar with TOR, but I suspect that governments can still step through it to find the person responsible if perhaps a bit more time consuming.
Jack
Richard A Steenbergen wrote:
If you did this activity with the express purpose of helping someone
else hide their identity, and thus their crime could be traced back to
you but no further, you might end up looking like you were aiding and
abetting.
Since when was anonymity a crime? Neither entails the other.
I've run a tor relay, and I'm pretty confident that just because I'm up in layer 3+ land, common carrier status would apply, if anyone could even detect the contents of the traffic passing through my systems in the first place (the whole point of tor being to mitigate against exactly that).
Some good tips for anyone thinking about running a relay or exit node, the first of which is to inform your isp. tor is a great tool, more people please! https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
Yes, allow records and perhaps a phone tap, but not held liable for the
means to a crime as suggested in earlier
emails.
Again, lets get back to suitable content. We could certainly go on an on
about the legal items
but of what relevance is it to NANOG.
Kind Regards,
-Joe Blanchard
Right. Randy's original posting was square-on: he said that if you
offer a certain service, you may encounter a certain problem, and
such-and-such a web site may help you avoid that problem while still
offering (most of) the service.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
This has nothing to do with telecommunications or any kind of carrier or
business relationship. This is intentionally leaving your computer open
so that anyone on the Internet can come along and appear to be coming
from your IP, where they will promptly set off doing bad stuff that will
get traced back to you rather than them. Think of it like intentionally
[snip]
Not sure if this just "happened" to pop up on the radar because of all the tor work being done to provide access out of Iran for citizens there that are blocked. Probably just a co-incidence, but since I just got done reading a bunch and setting up a bridge node (provate relay), I can say that there are also levels of liability.
There are tor entry/egress points (where users enter and exit the tor netowrk), usually referred to as "exit nodes", and then there are a bunch of tor relay nodes. A relay node just becomes part of the network, and sends and receives traffic inside the tor network. This _should_ be the most common configuration, but some people do not RTM and make themselves exit nodes. That is where you get into trouble.
Relay nodes just pass encrypted packets - no exiting allowed.
The third configuration is called a "bridge" node. This is a relay that does not tell anyone it is a node. A controller has a copy of that nodes public key, and builds a private network.
Moral: you can help with tor without leaving yourself open to sbuse.
From what I know, the bigger exit node operators are fully aware of
the responsibility they have.
Running what's effectively an anonymous open proxy is not a bright
idea, even if there's security bundled on..
John Gilmore found that out after Verio disconnected his perpetual
open relay for example .. and TOR is just as nutty a concept.
Nothing less that I'd expect from the EFF, frankly speaking - but
clued people (and you are clued, for sure) shouldnt be running it.
There was that other fun when that swedish researcher was running a
fake tor exit node and turned up lots of embassy passwords etc -
mostly because embassy staffers found TOR a fun way to browse for
porn, bypassing firewalls from their offices
Uninstall it and forget about it, I'd say.
--srs