On Fri, Jun 12, 2009 at 3:28 PM, Andrew Lewman <[email protected]> wrote:
> grarpamp wrote:
> > 3 - Further, there needs to be an understanding of what the traffic
> > ACTUALLY IS. Operators should be using tools such as wireshark,
> > tcpdump, bro, etc to determine the content. And if it turns out to
> > be encrypted to destinations and services unknown, NO such determination
> > can be made. The only thing left to go on is impact as in #2 above.
>
> I wasn't going to comment on this thread in general because I have
> nothing new to add to the conversation.
>
> However, I feel compelled to mention this #3 is possibly very bad advice
> for those in the USA. Our Legal FAQ clearly states this is probably
> illegal; https://www.torproject.org/eff/tor-legal-faq.html.en#ExitSnooping
>
> Until such a case determines it legal or not, some very savvy lawyers
> recommend against doing exactly what you suggest. If your lawyer
> suggests otherwise, we're happy to talk to them.
>
> "Should I snoop on the plaintext that exits through my Tor relay?
>
> No. You may be technically capable of modifying the Tor source code or
> installing additional software to monitor or log plaintext that exits
> your node. However, Tor relay operators in the U.S. can create legal and
> possibly even criminal liability for themselves under state or federal
> wiretap laws if they affirmatively monitor, log, or disclose Tor users'
> communications, while non-U.S. operators may be subject to similar laws.
> Do not examine the contents of anyone's communications without first
> talking to a lawyer."
>
> --
> Andrew Lewman
> The Tor Project
> pgp 0x31B0974B
>
> Website: https://torproject.org/
> Blog: https://blog.torproject.org/
> Identica/Twitter: torproject

I think "snooping" and "statistical information" should be treated
differently. Take Scott's case here. He is making a claim that by using
the exit policy outlined above, it would reduce the amount of traffic on
tor by 70% or whatever.

What I would like to see proof of is that the IP addresses that are now
being blocked are NOT running a WHOIS service. How do we know for sure
that they are not in fact a valid WHOIS service?

So, Andrew, would running 'iptraf' on an exit node to see the amount of
bandwidth that is being used or what IP/ports are being connected be
considered "wire tapping"?

I'm not trying to start an argument, I'm just trying to figure out how a
researcher can do his/her work, get real answers, without crossing the
line of "wire tapping". That's all.

Best regards,
Kyle
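The distinction Kyle draws, between inspecting content and collecting aggregate statistics such as bytes per destination port, can be made concrete in code. The following is an added example written for this page; it is not code from the thread, from iptraf, or from the Tor Project. It consumes a constructed, hypothetical record format ("timestamp dst_port bytes", one flow per line) that contains no payload and no source address, and it keeps only per-port totals, so the only question it can answer is the one Kyle asks: how much of the measured traffic goes to a given port (port 43, WHOIS, in the thread's case).

```python
"""Per-port byte totals from flow metadata only.

Added example, not code from the thread or the Tor Project. Input records are
a constructed format: "<timestamp> <dst_port> <bytes>". Only destination port
and byte count are consumed; no payload, address or per-connection record is
kept, so the output is an aggregate, not a log of anyone's communications.
"""
from collections import Counter

# Constructed sample records for this example (values are invented).
SAMPLE_FLOWS = """\
1244830081 443 15320
1244830082 80 8212
1244830083 43 310
1244830084 443 99101
1244830085 25 2040
1244830086 43 298
1244830087 6667 5120
1244830088 80 44002
"""


def parse_flow(line):
    """Return (dst_port, byte_count) for one record, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        port = int(parts[1])
        nbytes = int(parts[2])
    except ValueError:
        return None
    if not (0 <= port <= 65535) or nbytes < 0:
        return None
    return port, nbytes


def bytes_per_port(text):
    """Sum bytes by destination port over all records, skipping malformed lines."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is not None:
            totals[rec[0]] += rec[1]
    return totals


def share_of_traffic(totals, ports):
    """Fraction of all measured bytes sent to any port in `ports` (0.0 if none)."""
    grand = sum(totals.values())
    if grand == 0:
        return 0.0
    return sum(totals[p] for p in ports) / grand


def top_ports(totals, n=3):
    """The n busiest destination ports as (port, bytes), largest first."""
    return totals.most_common(n)


if __name__ == "__main__":
    totals = bytes_per_port(SAMPLE_FLOWS)
    for port, nbytes in top_ports(totals):
        print(f"port {port:5d}: {nbytes} bytes")
    print(f"share of bytes to port 43 (WHOIS): {share_of_traffic(totals, {43}):.2%}")
```

On the constructed sample, port 443 carries 114421 bytes, port 80 carries 52214, and port 43 carries 608, about 0.35% of the 174403 bytes measured; a claim like the "70%" figure Kyle questions is the kind of number `share_of_traffic` is meant to check against real flow summaries.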

