#29734: Broker should receive country stats information from Proxy and Client -------------------------------------+----------------------------- Reporter: cohosh | Owner: cohosh Type: enhancement | Status: merge_ready Priority: Medium | Milestone: Component: Obfuscation/Snowflake | Version: Severity: Normal | Resolution: Keywords: snowflake, geoip, stats | Actual Points: 2 Parent ID: #29207 | Points: 1 Reviewer: ahf | Sponsor: Sponsor19 -------------------------------------+-----------------------------
Comment (by cohosh): Replying to [comment:18 dcf]: > I have many comments, but overall my impression is good and I think you can move ahead with this. > > My big-picture question is: what do we plan to do with this data? If it's to detect blocking events by comparing the broker's statistics against the bridge's, I think we should at least sketch out those analysis scripts, in order to see whether the client geoip data we will be collecting is suited to the requirements. My main point is that we shouldn't collect data just because it may be useful; instead we should design safe data collection around some question we want to answer. As it stands, the branch will collect more precise client data than Tor Metrics does (Tor Metrics doesn't publish raw numbers but applies some fuzzing and binning). Having /debug display precise counts is a danger in the following scenario: an observer wants to determine whether a particular client is accessing the Snowflake broker. Whenever the observer sees a suspected connection, it checks the /debug output to see whether the count has incremented. > > Perhaps we could do a test deployment for a few days, to get an idea of what the data looks like. In fact, I think it's a good idea to try that, before merging. If there's a research question that we think this data could help us answer, we could ask the [https://research.torproject.org/safetyboard.html Safety Board] to evaluate it. > Thanks for this, I agree we should think about it some more. Whatever we decide, we should eventually not be displaying this data in /debug in the end, but rather logging it and using that log file to display metrics somewhere else. I also think that we should not be revealing '''more''' information about clients than the bridge is. I'm also willing to believe that collecting client country stats at the broker, even though it would tell us more information about censorship events, may not be *that* useful to us at the moment and is undesirable due to privacy concerns. We could always take a deeper dive into our investigations if we notice a drop in clients from a specific region at the bridge to figure out exactly what is going on. On the other hand, perhaps we want to collect country stats of the snowflake proxies? This is discussed to some extent in #21315. Do we have privacy concerns about proxies that are similar to those concerning clients? -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29734#comment:19> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs