
The German Problem with Tor - worldofmatthew
https://worldofmatthew.com/post/tor-german-avoid/
======
elchin
"In reality, the German government has a double standard when it comes to the
right to privacy. They will fully support that right if it's company's
violating your privacy (especially, if they are American because
protectionism) but in contrast, the German will give itself as many powers as
it can to spy on its own citizens and those abroad." This.

~~~
_Microft
That's only double standards if one considers states and companies as being in
the same position.

A state and a company have vastly different goals. A state should care for its
citizens, this includes protections against threats to public safety (terror,
organized crime) and surveillance is a tool in the box for that. A company on
the other hand, would have no issues fleecing people and abusing their power
for profit if they only could. States are the entities actually powerful
enough to keep companies in check and I'm pretty happy when they do that.

I admit that this is a, I guess, pretty European view of things (i.e. govs are
good, since they keep greedy companies in check), while the American view
might rather be that govs are bad because they get into the way of companies
(which are considered good).

~~~
terminalcommand
In many places in the world, the government is corrupt and there is no
transparency.

I’d be surprised if people trust their governments in Poland, Bulgaria etc.

Government officials have more power to abuse people than companies. At least
Germany has an established constitutional court that can still resist the
politicians to some degree.

I think the American view is that governments are bad because they can be used
to establish tyranny. Every citizen’s right to be judged by their own peers,
their right to carry firearms and freedom of speech are the things that allow
people to fight against corrupt governments.

This is my view being someone living in Turkey. I am even afraid of posting
this comment.

Maybe this generation in Europe trusts their government and thinks that it's
good. But I bet people having experienced autocratic regimes can never trust
their government.

~~~
chopin
Rulings of the constitutional court have almost no real life consequences. If
there is a negative ruling the parliament is given ample time before the
unconstitutional law must be replaced. If there is any replacement within that
time, the same law, formulated differently, is passed.

~~~
alborzb
so what you're saying is that the court... works?

~~~
gruez
It sounds different than something like the US, where if a law is
unconstitutional it's struck down immediately (rather than giving time for the
legislature to fix it), and the defendant acquitted (not sure what happens in
Germany).

~~~
afthonos
> where if a law is unconstitutional it's struck down immediately

What? Cases take years or decades to make their way through the court system.
You might be thinking of the fact that _some_ laws get an injunction on their
enforcement until they are ruled on, but that is not mandatory. More
important, they are _not_ struck down, only enjoined. And of course if the
legislature changes the law, the case becomes moot by the time it reaches the
court (this happens semi-regularly, where the court refuses to rule on the
constitutionality of a law that is no longer on the books).

~~~
gruez
> What? Cases take years or decades to make their way through the court system.
> You might be thinking of the fact that some laws get an injunction on their
> enforcement until they are ruled on, but that is not mandatory.

It's implied that we're talking about what happens after it's decided. We
obviously can't talk about the action of the court before it's been decided.
What matters is what happens after a decision has been made. The grandparent
comment gave me the impression that in Germany, after a law has been found to
be unconstitutional by the courts, it doesn't get struck down. Instead, it
gets sent back to the legislature for revision, while remaining valid in the
meantime.

> And of course if the legislature changes the law, the case becomes moot by
> the time it reaches the court (this happens semi-regularly, where the court
> refuses to rule on the constitutionality of a law that is no longer on the
> books).

I'm not sure what you're trying to say here. Is this supposed to be a flaw?
What purpose does it serve to rule on laws that have already been revoked? To
throw some shade on the legislative branch? To punish them somehow? Moreover,
is this something that _doesn't_ happen in Germany?

~~~
afthonos
I think I did not understand GGP the way you did, leading to me not making
sense of your response. And of course it makes perfect sense not to rule on
laws that have been repealed. :-)

------
jupp0r
Keep in mind that government IT jobs in Germany are almost comically
underpaid. People competent enough to perform timing correlation attacks
usually choose the >2x salary industry jobs. The running gag was that this is
the greatest protection for citizens' privacy.

Unfortunately, an unintended consequence is that the government looks to shady
companies like Gamma to do its job. This leads to FinFisher, which is normally
used by the most contemptible dictatorships against their dissidents, to be
used against German law enforcement. It also creates incentives not to
prosecute Gamma for helping to violate human rights all over the world by
helping to throw bloggers into torture jails.

~~~
Kalium
> to be used against German law enforcement.

Against, or by? I'm not trying to nitpick, just make sense of this. You imply
that the German government hired Gamma to gain access to FinFisher, and then
talk about it being used against German law enforcement. This seems internally
inconsistent.

~~~
black_puppydog
"By"

I'd suspect a writing/editing mistake here. But nobody is spying _on_ our law
enforcement. In fact, they seem to be so confident that anytime someone _does_
look into their affairs for whatever reason, unconstitutional attitudes and
practices just show up all over the place.

------
LeanderK
While I don't want to defend the German state, I think it should be mentioned
that Germany does have a pretty active pro-privacy movement. The Chaos
Computer Club is big, with local chapters in nearly every city, very well
connected and closely follows any movement from our government (and industry).
While the German state itself may want as much control as possible, its
attempts are always attacked by those groups.

~~~
gmueckl
These aren't attacks, just protests that are sometimes big enough to be
mentioned in mainstream media to then be summarily dismissed by politicians,
sometimes in very condescending tones or even derogatory language. The actual
impact on the lawmaking process is negligible. Politicians have figured out
that ignoring protests of privacy advocates is "safe", that is, it won't
affect their reelection.

Suing against the legislation in the constitutional court is somewhat more
effective, but it takes somewhere between 5 to 10 years to obtain a ruling
against a law that must be in effect before the process can even start.

~~~
asimovfan
If those attacks are completely negligible, was it the progressiveness and
open mindedness of politicians that brought us to this point in history in
terms of civil rights etc?

~~~
gmueckl
It was Hitler and Stalin. The Federal Republic of Germany was set up to have a
constitution with very strong protections of individual freedom and democracy
in response to the hijacking of the Weimar Republic constitution by the
NSDAP. That state then evolved into a counterexample to German Democratic
Republic while slowly gaining more and more independence from the Allied
oversight that was put in place initially. There is a strong framework of
rights and freedoms into the constitution as a legacy of these formation
years. The main power that keeps that in place is the constitutional court
with its long history of landmark decisions and a general tendency to overturn
the steady trickle of new legislation that seeks to limit personal rights,
mostly in the guise of better prosecution of crimes. For example, the right to
control the use of one's own data is a result of a ruling of that court. No
lawmaker would have come up with that.

~~~
black_puppydog
Best example IMO: for the last ~20 years, government after government has
tried to push the essentially same data retention legislation. And every time
they do pass it, it gets shot down in a court. It's not even always the same
people pushing it (although Merkel was chancellor for most of that time, but
she never seemed to get involved directly, not her style) but at this point
it's quite clear that "the government" simply wants these laws, constitutional
or not.

------
cookiengineer
Recommending to host an exit node in Switzerland in the context of TOR feels
like reading an article of someone who thinks they are anonymous by using TOR.

Switzerland is even more privacy invasive than German laws, and that is the
case since 2010 when automated connection tagging was introduced for VND and
VÜPF.

~~~
GekkePrutser
I wasn't aware of that :( Which country would be best in your opinion? It
seems it's becoming quite hard to find one that doesn't do this now.

~~~
qayxc
There are none. Full stop.

Anyone who thinks otherwise is just delusional.

~~~
rhn_mk1
This is a useless reply. There is no black and white, and the parent is asking
about the shades of gray.

~~~
qayxc
There are no shades of grey here - state actors have access to every internet
node, fibre optic cables, operating systems and hardware.

So unless you take your time to build your own CPU, main board and modem and
only use your own private direct fibre connection, you're a potential target
for being spied on.

It's as simple as that. You can make things harder by encrypting your traffic,
but that's possible regardless of where your Tor relay is located. And even
then some crypto algos are known to have been deliberately weakened by
intelligence agencies so you best be a crypto expert as well if you're really
_that_ paranoid.

The irony is that most (not all!) people who are ever so concerned about these
things still use their smartphones (even though EVERY GSM/UMTS/4G protocol has
been hacked at this point and is thus insecure), use cloud computing (either
directly or indirectly via 3rd party services like Uber) and post on social
networks.

The only computer that is safe from attacks is not connected to any network
and only ever used in a windowless room surrounded by reinforced concrete
walls.

The only information that is truly private is information you don't share in
the first place.

~~~
rhn_mk1
You say "There are no shades of grey here" but then you contradict it by
saying "You can make things harder by encrypting your traffic", so obviously
you don't mean it.

By dismissing the imperfect possibilities of making yourself safer, you seem to
be saying "there only needs to be one gunner to shoot you when you look out
the window, so either you never leave your bunker or may as well live in a war
zone", while dismissing those who ask "which country is the most peaceful and
stable, so that I can settle there?".

People can be well aware of weak crypto, compromised CPUs, TEMPEST, Tor
compromises, state actors and legal problems, and yet still choose which of
those to defend against, and to what extent. In real life, people take
tradeoffs, because it's almost never an all-or-nothing situation.

~~~
qayxc
There is no place in the world that is both technologically capable of
reliably hosting servers and at the same time inherently safer with regards to
the privacy of your data than others.

If it's not the domestic government that will raid the server or monitor
traffic, it's foreign actors or (in case of monitoring) the country that
packets are routed through.

Yes, there are possibilities to make yourself safer, but they don't depend on
where you place your data.

The question wasn't "can I be safer", the question was "is there a specific
_place_ that is safer" and the answer is no, for the reasons I gave.

That's not saying "encryption is useless anyway" or "you might as well give
up" - no! I'm saying that if the privacy of your data depends on where your
server is located, then you're doing it wrong.

~~~
rhn_mk1
I'm not sure I'm convinced that location doesn't matter at all. The attack
routes are different between countries: local culture determines attack
surface inside the company, local law determines attack surface due to the
local government. There are probably more factors at play due to technical
reasons, like the closeness to internet exchanges and the difficulty to sniff
packets in secret by foreign spies. Unless those are uniformly the same
everywhere, I don't think your argument holds.

------
Havoc
Why all the hate for Germany specifically? Pretty much no gov out there likes
TOR nodes. The fact that there are a ton in Germany seems like something
that should be applauded.

~~~
notRobot
> _The high number of high-speed relays and exits in Germany mean that it is
> not too uncommon to get both a German guard and exit. This gives the state
> an easier time if they want to target someone using traffic correlation
> attacks._

> _That also does not take in account the planned German law that will allow
> authorities to redirect traffic to state-owned servers, to infect users with
> viruses/Trojans. This is especially a concern for third-world users of Tor
> who are going to mainly accessing non-HTTPS sites on a computer without the
> best security._

Did you read the article in its entirety?

~~~
Havoc
Yes I did read it

> not too uncommon to get both a German guard and exit.

The solution here is more non-German nodes not to shit on the Germans that are
already hosting lots.

Maybe there is a language barrier at play here but just seems bizarre how
aggressively “the German” is being singled out:

> the German will give itself as many powers as it can to spy on its own
> citizens and those abroad.

~~~
jand
Maybe this is because of the visibility.

If your security legislation is often declared partly illegal by the
Verfassungsgericht (latest [1]), you leave the impression of reaching too far
by default.

If your courts do not declare (too far reaching) laws illegal, you leave the
impression to have been right in your demands.

[1] [https://www.nytimes.com/2020/07/17/world/europe/germany-privacy-data.html](https://www.nytimes.com/2020/07/17/world/europe/germany-privacy-data.html)

~~~
imtringued
Is your argument that strict controls make corruption appear more prevalent
than it is in reality?

Here is a different way to think about it. You are a police officer and
interrogate 100 honest people who never lie and 25 people confess their crimes
and the rest are innocent. Then you interrogate 100 people who always lie (75
are innocent) and you can only prove 15 of them guilty. From the outside it
looks like honest people have a higher chance to be criminals. Doing the right
thing can destroy your reputation.

------
0ld
> you could get a VPS from a country who hates the western spy powers like
> Russia or Moldova

nice try, comrade. but no

~~~
Andrew_nenakhov
* that's "comrade Major" for you.

------
luckylion
> The high number of high-speed relays and exits in Germany mean that it is
> not too uncommon to get both a German guard and exit. This gives the state
> an easier time if they want to target someone using traffic correlation
> attacks.

No, it doesn't. They'd need to control those computers, and they don't, do
they? Because if they do, then "move your exit node somewhere else" won't
help, because "you" are the state. And if they don't, no, I don't believe it's
feasible for them to look at raw traffic (e.g. on the datacenter level) for
two nodes in Germany and correlate individual data streams that may or may not
be from one TOR connection.

> That also does not take in account the planned German law that will allow
> authorities to redirect traffic to state-owned servers, to infect users with
> viruses/Trojans.

They'd have to control the server though. They can't just decree that all TOR
traffic must now be routed through their malicious endpoint. The laws are
targeting ISPs and service providers and are for individual cases (i.e. "we
know who's on the line") not for mass-infection, and will require a court
order. They could do the individual surveillance with court order previously,
what's new is that the provider can be forced to cooperate and proxy the
traffic. It's still not applicable to TOR because it's not one large provider,
and you can generally not say who's on the line.

------
LockAndLol
> Now you know how the Germans hate privacy, you will almost certainly be
> asking about alternative locations.

I don't know where this guy comes from but this has to be the most
sensationalist sentence in that blog post. It's on par with "non Americans
hate freedom". If Germans hated privacy, why would they be the biggest
bandwidth contributors to the TOR network?

Not sure the author was using all of his brain when he wrote that blog post.

~~~
chickenpotpie
Devil's advocate: if you hate tor you should try to contribute to the network
as much as possible. The more you control it, the more you can exploit it when
vulnerabilities are found.

~~~
Sebb767
That's the equivalent of saying if you want Microsoft to fail, buy all their
products in the hope that they get too big and inefficient and therefore fail.

Sure, more control helps, but you need quite a lot and it would be
prohibitively expensive at the moment (and also noticeable).

------
kleton
Off-topic, but what is the current state of tor onion (hidden) services? Are
they easy to de-anonymize?

~~~
Cantbekhan
There are certainly plenty of black markets thriving on onion services. Some
have been online and serving for quite a few years. They seem fine.

See
[https://news.ycombinator.com/item?id=23818727](https://news.ycombinator.com/item?id=23818727)

------
kilo_bravo_3
I ran an exit node about a decade ago.

There are no freedom-fighting journalists in repressed countries using TOR.

There are only pornographers, BitTorrent users, crypto-haxxing "Z3r0cools" who
use it to feel like they are doing something crypto-haxxy, and botnet command
and controllers.

Countries in which TOR will be useful treat TOR users as de-facto criminals or
block it altogether. Using TOR in a totalitarian state (and it is easily
detectable) is worse than speaking out against the state.

Countries in which TOR is not needed are full of crypto-haxxing "Z3r0cools"
who think they are actually helping someone by promoting TOR.

When you mention that TOR was an experiment-- one that failed-- to shield
spies from foreign governments that crypto-haxxing Z3r0cools co-opted you get
scorn.

When you point out that TOR fails in its primary purpose: non-attributable
access to information or communications in totalitarian regimes you get scorn.

There is no space for criticism of TOR which makes it not a product or
technology but a religion-like ideology.

~~~
john-shaffer
> When you point out that TOR fails in its primary purpose: non-attributable
> access to information or communications in totalitarian regimes you get
> scorn.

It's my understanding that the subjects of totalitarian regimes use software
such as Ultrasurf [1], and not TOR. I agree that TOR is not very useful in
practice, but it seems misleading to state that without mentioning the success
of the alternatives.

[1] [https://ultrasurf.us/](https://ultrasurf.us/)

------
bar00000n
When you use tor you are just another coward and a thief. Or a kiddo ashamed
that he is jerking off to porn. so relax no one cares what you say in politics
until you overcome your limitations. this is the right label for tor users.

