William was raided for running a Tor exit node. Please help if you can.

Not really comparable.

Speaking from a US point of view, ISPs have strong legal protections isolating them from culpability for the actions of their customers. I know internationally things are different, but here in the US the ISP doesn't get dinged, except in certain cases where they are legally required to remove access to material and don't.

End users have no such protections that I'm aware of that cover them similarly.

I think service providers are afforded special protections because the
law recognizes their utility and the inability of the service provider
to be responsible for the actions of all of their customers. The major
problem is that not every individual has the same protections. A lot of
ISPs are actually also CLECs or LECs that are protected as licensed
telecom carriers.

ISPs also do not "allow strangers to do whatever they want". ISPs have
responsibilities to act on DMCA notices and CALEA requests from law
enforcement. These are things that Tor exit nodes are not capable of
doing. If you were an ISP and could not respond to CALEA requests, you
will find yourself out of business in a big hurry.

Steven Naslund

There are plenty of ISPs with no or little customer contracts; anyone
running open access wireless. Plenty of "open access" sites with free
accounts.

And any but the largest ISPs are "end users" of upstream bandwidth.

The analogy of a small free access ISP and a Tor exit node is legally
defensible. I know of five, six, seven that I can think of off the
top of my head that are run by people I know, one of whom has started
and/or been architect or operations lead for 5 or more commercial
ISPs.

Even more, ISP like protections are extended in the US to many "end
user" sites such as blogging sites, Wikis, etc; where the site is
"publishing" content but not creating it or exerting control over it,
etc.

This is US specific, and the case of a user in Austria is entirely
unrelated to US law, but I don't know that this type of response would
hold up in US court for these reasons. I am going to ping my internet
law contacts in the US and see what they think, as IANAL.

Sure, Tor exit nodes are 'capable of doing' those things if a report
is generated that someone's using it to source child porn or terrorist
communications or DMCA violations. At the most extreme the owner can
shut down a node; they might also put egress filters in place pursuant
to notifications.

Plenty of small ISPs in one sense or another don't comply with CALEA
because they own systems not networks (open access sites, etc). CALEA
goes to the network providers in those cases, as I understand it.

The Tor owner also might choose to fight it and leave it completely
open, but an ISP might choose to do that in response to certain notices
as well.

This presumes that law enforcement deems them the right place to go
investigating an incident, and notifies them. But if they seem to be
aware of what Tor is in the US and be generally reasonable in
responding to issues with it, that I know of.

Communications Decency Act, 47 U.S.C. § 230 is the US law that has been interpreted to provide immunity to ISP for the actions of their users.

Zeran v. America Online, Inc., 4th Circuit, 1997
Jane Doe v. America Online, Inc., 5th Circuit, 1997
Blumenthal v. Drudge, DC District, 1998
Green v. AOL, 3rd Circuit, 2003
Gentry v. eBay, Inc, California Appeals, 2002
Delfino v. Agilent Technologies, California Appeals, 2006

The ISP ones are most relevant here, but look at these cases.

The situation would be complicated if the ISP ran the TOR exit node themselves, and that would be a messy legal battle I'm sure.

Either way, that doesn't change the fact that running a TOR exit on a home PC on a residential internet connection is silly. You might legally not be held responsible at the end of the day, but it just may cost you a lot in legal fees to get there.

Personally, I have better things to spend money on.

The entire point of Tor is to be untraceable back to the source. Egress
filters can prevent future abuse but do not provide for tracing back to
the original source of offending conduct. They are not trying to stop
the flow of the data in this case, they want the source in jail. If law
enforcement comes to you and asks you to show them the source or
destination on a case like the one in question, you cannot comply and if
law enforcement asks you to trap this data in the future you will also
have a problem complying because I think you cannot identify the
original source.

You ARE providing a network if you are running a Tor exit node just the
same as someone who builds a MPLS VPN would be responsible for
responding to law enforcement requests for data inside the secure
network. A licensed LEC and CLEC has very specific requirements in
terms of CALEA and DMCA. It is not something they optionally comply
with. An ISP that does not respond to CALEA and DMCA can become liable
for events that happen after their non-response. Their "safe harbor"
protection ends the moment they do not act in good faith to comply with
the law.

Even a small ISP that does not own their own network can be subpoenaed
to provide logs, sniffer traces, and file dumps from any system they
own. I know this for a fact and have provided this data under court
orders. CALEA applies just as well to servers and data as it does to
the communication circuits themselves. If you have a server on the
network, it has a communications circuit into it and you can be required
to provide access to that circuit. You can also be required to tap
email accounts or data directories as well. This data may not fall
strictly under CALEA but a court order can compel you to provide any
data you are in possession of. That is why law enforcement can grab a
server or PC. ISPs and carriers are often given the benefit of the
doubt and law enforcement accepts copies of data they want. If they
view you as an adversary or have any inclination of hiding data, they
will seize the machine. If they view a Tor exit node owner as an
accessory, they are not going to be nicey nice about it.

The main problem with Tor is that it purposefully attempts to make this
data obscure which could be construed as obstruction. As far as US law
enforcement attitudes on Tor, those can and will change as the
government sees fit. It is all a matter of the "greater good" in their
eyes and whether they think the fight is worthwhile. You better believe
that as soon as it becomes a "national security threat" it is coming
down.

Steven Naslund

If you run an open wireless access point and don't log MACs / MAC to
IP DHCP assignments, you are in similar straits.

If they come to you 31 days after the data flow and you retain logs
for 30, you are in similar straits.

If someone faked their wireless MAC and the data in your log is not
definitive, everyone's stymied.

If someone went into a Library and used an open access computer,
there's often no log of who / when.

The assertion being made here, that it's somehow illegal (or immoral,
or scary) for there to be not-completely-traceable internet access in
the US, is absurd.

CALEA doesn't say what you're asserting. From the First Report and Order:

"24. In this section, we find that facilities-based providers of any
type of broadband Internet access service, including but not limited
to wireline, cable modem, satellite, wireless, fixed wireless, and
broadband access via powerline are subject to CALEA"
( http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-153A1.pdf )

If you're not a facilities-based provider, you aren't covered.

1. Running open access wireless does not make you legally an ISP and if
your open wireless is used to commit a crime you could be criminally
negligent if you did not take "reasonable care" in the eyes of the
court.

2. If I provide access to four or five friends, I am not an ISP and in
fact I am responsible if they use my connection to do something illegal
since I am the customer of record. If you loan your car to an
unlicensed driver and he kills someone, you are on the hook.

3. I guarantee you that if your blogging site, wiki or whatever is
publishing content like child porn, you are going to jail. There is no
"ISP like protections" for that. If you do not take action as soon as
you know a crime is being committed, you are going to get nailed.

The question in this case would be all about whether the Tor exit node
is viewed as a device specifically enabling a criminal or something that
was incidentally used to commit a crime. For example, if I give you a
hammer and you break into someone's house with it, I am probably not
criminally negligent. If I provided you with lock picking equipment and
you are not a locksmith, I might be criminally negligent. This is not
so clear cut a case that there would not be a fight about it.

Steven Naslund

The entire question here is whether CALEA's covered entities
definition and ISP "common carrier" (not exactly, but the commonly
used term for CDA protections available, see earlier discussion)
definitions overlap.

The answer is no. It always has been no. Plenty of publishers and
access providers do not fall under CALEA. The FCC and law enforcement
are aware of that. The conflation of the two in this conversation has
not been useful or educational.

What the future might hold is an open question, but for the time
being, CDA protections are available (at least theoretically, or
arguably) for a lot of people for whom CALEA clearly is not
applicable.

CDA protections are available whether you log commenters' IP addresses
on your blog, keep long lasting web access logs, allow unrestricted
wireless access point access without logging, or what. Responsibility
under it does not kick in unless you're aware of or notified of an
issue, with some exceptions. Plenty of sites do not keep logs long
and some do not log.

-george

if your phone is stolen and used by a drug dealer, i'm pretty sure the cops
would not be after you for anything the dealer did.

if you stand on the corner with a sign saying "free cell phone airtime,
just ask me", they might take a different view on things.

now, whether you are guilty of anything or not, by standing there with a sign
you are certainly opening yourself to legal inquiry, delay and hassle.

i wouldn't be surprised if the cops didn't accept your "i'm just letting
people use my phone, i've got nothing to do with their activities" defence,
at least not without poking about for a bit, which might include looking
at your cellphone, your home phone, your bank records, and anything else
they think (and a judge agrees) might need viewing to clear you.

Date: Thu, 29 Nov 2012 15:26:57 -0500
From: Tom Beecher <tbeecher@localnet.com>
Subject: Re: William was raided for running a Tor exit node. Please help if
you can.

Communications Decency Act, 47 U.S.C. 230 is the US law that has been
interpreted to provide immunity to ISP for the actions of their users.

It is worth noting that 47 U.S.C. 230 provides _limited_ protections, only.
Broad protection, but limited. It says that a provider shall not 'be
treated as author' for material provided by someone else.

This is of little-to-no help with regard to kiddie porn, since distribution,
and even 'mere' possession, are crimes -- independent of authorship.

47 U.S.C. 230 doesn't do much for child porn, no. However, PROTECT does.

PROTECT spells out reporting, but also contains safe harbor provisions such that an ISP who didn't know that child porn was being transmitted across their network cannot be prosecuted for not knowing, only for not taking the required reporting/preservation/destruction actions as required by law.

And in practice, the process is:

1. Running open access wireless does not make you legally an ISP and if

OK.

your open wireless is used to commit a crime you could be criminally
negligent if you did not take "reasonable care" in the eyes of the
court.

I believe this is incorrect under US law. Do you have any support, statutory or case law, for this claim?

2. If I provide access to four or five friends, I am not an ISP and in
fact I am responsible if they use my connection to do something illegal
since I am the customer of record. If you loan your car to an
unlicensed driver and he kills someone, you are on the hook.

The key word above is "unlicensed". And the other key word -- not present -- is "knowingly". But the analogy breaks down because you don't need a license to use the Internet. Consequently, in most cases you will not know, and cannot reasonably be expected to know, about legal violations. If you let your buddy use your home wireless while he's staying with you for the weekend, and he commits, say, a fraud, or blackmails someone, you are not legally responsible for any of it unless you participated knowingly in some way. Of course, that you didn't know may be hard and expensive and unpleasant to try to prove, but that's a different question.

3. I guarantee you that if your blogging site, wiki or whatever is
publishing content like child porn, you are going to jail. There is no

Child porn is an unusual strict liability crime. If you publish or possess it, even unknowingly, you face real risks. As a practical matter most prosecutors do not bring cases against innocent victims (e.g. someone on AOL who gets an evil popup unexpectedly). In theory maybe they could, but I suspect they don't really want the test case.

"ISP like protections" for that. If you do not take action as soon as
you know a crime is being committed, you are going to get nailed.

The question in this case would be all about whether the Tor exit node
is viewed as a device specifically enabling a criminal or something that

I do not think that would be the analysis under US law at all. The first question is mens rea. We do not charge the car rental company with something if its car is used to rob a bank -- unless they knew in advance that was the plan. Cars enable criminals too.

was incidentally used to commit a crime. For example, if I give you a
hammer and you break into someone's house with it, I am probably not
criminally negligent. If I provided you with lock picking equipment and
you are not a locksmith, I might be criminally negligent. This is not

The term "criminally negligent" really has no role here. Negligence is in most cases a civil not a criminal offense. There are specific crimes. There is aiding and abetting. There may be criminal negligence in unrelated cases where you have a duty to secure something or protect (or not harm) someone and fail to do so (e.g. you leave your car in a position to roll downhill and it hurts someone, or you are willfully blind to a danger to child for whom you should be caring, or you act with such inattention so as to kill someone). But in the USA ***you have no legal duty to secure your wireless***. None. You can leave it open, just as you can leave your window open and let people enjoy what you are playing on your stereo (modulo public nuisance law, and copyright rules against some types of unlicensed public performance). Thus there can be no negligence in leaving it open, at least absent specific knowledge that a person intends to do a specific thing.

so clear cut a case that there would not be a fight about it.

Steven Naslund

[...]

Michael Froomkin - U.Miami School of Law wrote:

2. If I provide access to four or five friends, I am not an ISP and in
fact I am responsible if they use my connection to do something illegal
since I am the customer of record. If you loan your car to an
unlicensed driver and he kills someone, you are on the hook.

The key word above is "unlicensed". And the other key word -- not present -- is "knowingly". But the analogy breaks down because you don't need a license to use the Internet. Consequently, in most cases you will not know, and cannot reasonably be expected to know, about legal violations. If you let your buddy use your home wireless while he's staying with you for the weekend, and he commits, say, a fraud, or blackmails someone, you are not legally responsible for any of it unless you participated knowingly in some way. Of course, that you didn't know may be hard and expensive and unpleasant to try to prove, but that's a different question.

Ummm... you might be liable under your service agreement with your ISP. Most of these have all kinds of restrictive clauses re. not letting others use your connection, copyright infringement, assumption of liability, yada, yada, yada. We all violate these, all the time, but there are times when that might catch up with someone.

The term "criminally negligent" really has no role here. Negligence is in most cases a civil not a criminal offense. There are specific crimes. There is aiding and abetting. There may be criminal negligence in unrelated cases where you have a duty to secure something or protect (or not harm) someone and fail to do so (e.g. you leave your car in a position to roll downhill and it hurts someone, or you are willfully blind to a danger to child for whom you should be caring, or you act with such inattention so as to kill someone). But in the USA ***you have no legal duty to secure your wireless***. None. You can leave it open, just as you can leave your window open and let people enjoy what you are playing on your stereo (modulo public nuisance law, and copyright rules against some types of unlicensed public performance). Thus there can be no negligence in leaving it open, at least absent specific knowledge that a person intends to do a specific thing.

You may have a civil liability to secure your wireless under the terms-of-service agreement with your Internet provider. Well, maybe not to "secure your wireless" but to prevent unauthorized use of your connection to the service provider - which could be accomplished in other ways.

Miles Fidelman

Naslund, Steve wrote:

1. Running open access wireless does not make you legally an ISP and if
your open wireless is used to commit a crime you could be criminally
negligent if you did not take "reasonable care" in the eyes of the
court.

Related:

You are correct about most people not falling under CALEA. That also
means that they do not have the "safe harbor" provisions provided to
facilities based providers (however an open wireless hotspot MIGHT just
make you a wireless facilities based provider). You are not under an
obligation to provide data under CALEA but a court can order you collect
that data going forward, allow LE to tap a device, or just seize the
server to study it anytime they feel you may have evidence of a crime.
A court can seize almost anything from anyone as long as a judge thinks
it is a reasonable search and seizure. If you provide someone with any
kind of tools or services (free or not) you are opening yourself up to a
liability. If you are in physical possession of a server that contains
kiddie porn you are likely to go to jail. I am not saying this Tor
server has data like that onboard (but I suppose there could be caches,
temp files, and such) but they are going to look until they understand
it. You may very well be able to defend your right to a Tor server but
it is certainly going to cost you a lot of money and I am sure it is
going to be uncomfortable to explain why you want to have one to a judge
when LE explains all the evil uses for one.

When it comes to running an open access point, I think the legal issue
would be negligence. Is it negligence for the 90 year old grandma to
have an open AP (probably not, just didn't know better)? Is it
negligence for me to have an open AP (probably, I am a network
professional and know how to secure a network).

As a long time service provider I can tell you that a lot of CALEA
enforcement has to do with good faith more than the letter of the law.
If your policy is to delete logs after 30 days and the cops show up on
day 31, no big deal. If they show up at day 5 and you say you dump your
logs at day 4, expect to get grilled. They can tell real quick if you
are cooperating to the best of your ability. In the early Internet
days, before the CALEA applied to ISPs I had to try to work with LE to
comply with court orders and often we explained the technology and
limitations of it to the FBI. We were even involved in expert testimony
to explain how this "Internet Stuff" worked. Often we did not have the
data they wanted but there were ways to get it for an ongoing
investigation. Our policy was to not provide specific data without a
court order but we would begin collecting it as soon as a LE agent told
us they were going to try to obtain it. It was just a professional
courtesy to them. I know there is a big counter-culture, no big
brother, no regulation attitude toward a lot of Internet issues but I
have seen some sick cases involving emailed threats (later carried out)
and kids that made me give the law the benefit of the doubt in a lot of
cases. There are lots of evil people out there and the Internet is a
big tool for them.

I have no statistics to back this up (and no one probably does) but with
my many years of experience in engineering ARPANET, MILNET, and the
Internet I would have to guess that most Tor servers are used for no
good much more than they are protecting anyone's privacy. I am guessing
that a ton of the Tor traffic is likely to be BitTorrent that is just as
likely copyrighted material. That does not mean that Tor or BitTorrent
is evil but as network professionals we all know (wink, wink) what that
kind of stuff is really mainly used for. That probably does not affect
your legal rights to have a Tor server but certainly affects my decision
to donate to your defense if you get in a legal case.

This is certainly an interesting discussion and I think there are not a
lot of concrete answers since this is on the edge of technology law. I
do think history shows us that while the government lags behind, they
will eventually find a way to control this if it suits them and becomes
a source of pain for them.

Done with this subject, sorry for the long windedness

Steven Naslund

Comments deep below.

Michael Froomkin - U.Miami School of Law wrote:

> 2. If I provide access to four or five friends, I am not an ISP and in
> fact I am responsible if they use my connection to do something illegal
> since I am the customer of record. If you loan your car to an
> unlicensed driver and he kills someone, you are on the hook.
>

The key word above is "unlicensed". And the other key word -- not present
-- is "knowingly". But the analogy breaks down because you don't need a
license to use the Internet. Consequently, in most cases you will not
know, and cannot reasonably be expected to know, about legal violations.
If you let your buddy use your home wireless while he's staying with you
for the weekend, and he commits, say, a fraud, or blackmails someone, you
are not legally responsible for any of it unless you participated
knowingly in some way. Of course, that you didn't know may be hard and
expensive and unpleasant to try to prove, but that's a different question.

Ummm... you might be liable under your service agreement with your ISP. Most of these have all kinds of restrictive clauses re. not letting others use your connection, copyright infringement, assumption of liability, yada, yada, yada. We all violate these, all the time, but there are times when that might catch up with someone.

OK, you might have *contract* liability to the ISP, but not to third parties in the main. (Contract damages < tort damages < criminal penalties, the latter being what we were talking about.)

The only attempt I know of to make violation of those contract terms the predicate for criminal liability failed. Google "Lori Drew".

The term "criminally negligent" really has no role here. Negligence is in
most cases a civil not a criminal offense. There are specific crimes.
There is aiding and abetting. There may be criminal negligence in
unrelated cases where you have a duty to secure something or protect (or
not harm) someone and fail to do so (e.g. you leave your car in a position
to roll downhill and it hurts someone, or you are willfully blind to a
danger to child for whom you should be caring, or you act with such
inattention so as to kill someone). But in the USA ***you have no legal
duty to secure your wireless***. None. You can leave it open, just as
you can leave your window open and let people enjoy what you are playing
on your stereo (modulo public nuisance law, and copyright rules against
some types of unlicensed public performance). Thus there can be no
negligence in leaving it open, at least absent specific knowledge that a
person intends to do a specific thing.

You may have a civil liability to secure your wireless under the terms-of-service agreement with your Internet provider. Well, maybe not to "secure your wireless" but to prevent unauthorized use of your connection to the service provider - which could be accomplished in other ways.

Normally that would just be a capacity or usage based billing issue in practice. But sure, contract terms vary widely. Note, though, the distinction between "having contracted to pay extra in some circumstances" (one type of 'civil liability') and risking being found in violation of the contract (another type, but usually one that results in termination of the service rather than an obligation to pay).

[...]

When it comes to running an open access point, I think the legal issue
would be negligence. Is it negligence for the 90 year old grandma to
have an open AP (probably not, just didn't know better)? Is it
negligence for me to have an open AP (probably, I am a network
professional and know how to secure a network).

In order for there to be a civil claim of negligence there must be, inter alia, a breach of duty.

What duty has been breached in your scenario? None.

[...]

This is certainly an interesting discussion and I think there are not a
lot of concrete answers since this is on the edge of technology law. I

Actually some of us have been teaching and writing about this stuff since the mid 1990s. These issues are far from new; we went through them in the early anonymous remailer days.

<relurk>

The real issue here is *not* the legality of the act of providing a Tor exit node, or an open access point, or anything else. In sensible countries that is perfectly legal. The problem here is the reality of undergoing a criminal investigation.

Think carefully about the impact of having everything in your life which runs an operating system taken away. Phones. Tablet. Laptop. Servers. All portable drives, data. If you rely on that hardware for your income (and who doesn't?) you're going to have to buy all of that again. And restore your data, if you are able.

I think the best analogy I would use in defense is something like the
pre-paid cellular phones that are sold. That is about the only
anonymous communications service I can think of off the top of my head.
Problem is that most people are not licensed carriers and may not be
able to hide behind that protection.

if your phone is stolen and used by a drug dealer, i'm pretty sure the cops
would not be after you for anything the dealer did.

if you stand on the corner with a sign saying "free cell phone airtime,
just ask me", they might take a different view on things.

now, whether you are guilty of anything or not, by standing there with a sign
you are certainly opening yourself to legal inquiry, delay and hassle.

i wouldn't be surprised if the cops didn't accept your "i'm just letting
people use my phone, i've got nothing to do with their activities" defence,
at least not without poking about for a bit, which might include looking
at your cellphone, your home phone, your bank records, and anything else
they think (and a judge agrees) might need viewing to clear you.

A few questions this thread raises for me: you are a very trusting
person, and frequently let people borrow your things. A friend
frequently borrows your phone, which he explains is because he:

a) frequently lets his phone die, or has run close to using too many minutes.

  You frequently allow him (and other people) to borrow your phone. At
some point, it becomes clear that his life has taken a turn for the
worse, and he has become involved in activities of which you do not
approve. You stop allowing him to use your phone. During a criminal
investigation of your friend's activities, it later becomes clear that
for some time he was using it for illegal activities.

  At what point did allowing him to use your phone become illegal, and
how should a responsible citizen rationally realize or identify this
point?

  How can one be reasonably sure that one knows another person well
enough to allow them to use one's equipment/resources? When do you
become responsible for the activity of someone else on your equipment?
Clearly "always" is not correct; similarly, "never" is also not
correct.

b) (most analogous to the actual situation) has a [legitimate?]
reason for wanting to avoid the entity he calls having, being able to
predict, see, or otherwise link some information he wishes to give
them with some information he does not wish to give them (for example,
his phone number [1])

  Upon this pretense, which seems fairly reasonable, you allow him
access to your phone. In order to enable this pursuit (so that this
phone number cannot be attached to a pattern of activity), you also
allow others to use your phone for similar reasons. You consider such
activity correlation/tracking and data mining to be a violation of
privacy (explicitly with regard to data-mining and activity tracking
performed in pursuit of selling this data for profit).

Now arguably, in the second case, you are operating this "service"
with an explicitly altruistic intent. IF you are not informed about
the mechanics of this process, and you are unaware of the issues this
creates for law enforcement entities in identifying criminals, what
constitutes wrongdoing? If you are not aware of criminal uses of your
service which is entirely free and only intended for avoiding
data-miners, are you still accountable for the activities of those
using it? Why? At what point do you accept or acquire this
responsibility? How is this different from operating a party line
shared by an apartment building or phone bridge with external calling
ability?

I am curious about the impact of the nuances of each of these situations.

[1] he is paranoid, and doesn't like the pizza place associating his
address with his phone number, or perhaps he is calling someone who
collects marketing data and attempts to data-mine his activity, or
some other more legitimate, applicable and realistic take on
appropriate cases for desiring anonymity in such a transaction