#29734: Broker should receive country stats information from Proxy and Client
-------------------------------------+-----------------------------
Reporter: cohosh | Owner: cohosh
Type: enhancement | Status: merge_ready
Priority: Medium | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: snowflake, geoip, stats | Actual Points: 2
Parent ID: #29207 | Points: 1
Reviewer: ahf | Sponsor: Sponsor19
-------------------------------------+-----------------------------
Comment (by cohosh):
Replying to [comment:18 dcf]:
> I have many comments, but overall my impression is good and I think you
can move ahead with this.
>
> My big-picture question is: what do we plan to do with this data? If
it's to detect blocking events by comparing the broker's statistics
against the bridge's, I think we should at least sketch out those analysis
scripts, in order to see whether the client geoip data we will be
collecting is suited to the requirements. My main point is that we
shouldn't collect data just because it may be useful; instead we should
design safe data collection around some question we want to answer. As it
stands, the branch will collect more precise client data than Tor Metrics
does (Tor Metrics doesn't publish raw numbers but applies some fuzzing and
binning). Having /debug display precise counts is a danger in the
following scenario: an observer wants to determine whether a particular
client is accessing the Snowflake broker. Whenever the observer sees a
suspected connection, it checks the /debug output to see whether the count
has incremented.
>
> Perhaps we could do a test deployment for a few days, to get an idea of
what the data looks like. In fact, I think it's a good idea to try that,
before merging. If there's a research question that we think this data
could help us answer, we could ask the
[https://research.torproject.org/safetyboard.html Safety Board] to
evaluate it.
>
Thanks for this, I agree we should think about it some more.
Whatever we decide, we should eventually not be displaying this data in
/debug in the end, but rather logging it and using that log file to
display metrics somewhere else. I also think that we should not be
revealing '''more''' information about clients than the bridge is.
I'm also willing to believe that collecting client country stats at the
broker, even though it would tell us more information about censorship
events, may not be *that* useful to us at the moment and is undesirable
due to privacy concerns. We could always take a deeper dive into our
investigations if we notice a drop in clients from a specific region at
the bridge to figure out exactly what is going on.
On the other hand, perhaps we want to collect country stats of the
snowflake proxies? This is discussed to some extent in #21315. Do we have
privacy concerns about proxies that are similar to those concerning
clients?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29734#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
