
Tor Exit Node Operator Issued Subpoena - tshtf
https://lists.torproject.org/pipermail/tor-relays/2015-April/006804.html
======
kyledrake
I've received a subpoena from Cook County before regarding a site on
Neocities. Related to Tor, actually. Easily the stupidest thing I've ever seen
in my life.

The person that signed the subpoena was in the news for allegations of
corruption, and so was her husband (it's called Crook County for a reason).
They spelled the name of my company wrong (noahcities.com or something like
that), and when I sent a letter to the designated agents requesting they fix
it (I control neocities.org, not noahcities, how can I respond to legal
requests addressed to a different web site?), they never responded, and the
subpoena basically just died.

If they had followed up, they would have gotten a tor exit IP address
somewhere outside of their jurisdiction (read: another country). I told them
this before they filed it, and they told me "That decision is for someone
above my pay grade, man". You can't spend 5 minutes to google for Tor because
of your "pay grade"?

Oh, and they also love to put unlawful (but unfortunately, not illegal) gag
orders in their subpoenas. I chose not to waste our lawyer's time (and our
money) on this piece of trash, so we didn't make too big of a deal about it.

The take home lesson for me was that crooked regional governments abusing the
subpoena system are just as big of a problem as the NSA, if not worse.

So, now you know the story behind this commit
[http://github.com/neocities/neocities/commit/4983a9b24eac00b...](http://github.com/neocities/neocities/commit/4983a9b24eac00b8d8bfd300a18cdcee0152a271)

It's not good enough for the NSA, but it will prevent these idiots from ever
figuring it out. And there's no US data retention laws for web sites, so it's
completely legal.

This is textbook Neocities business philosophy. Instead of raising money to
hire more lawyers and take the legal risk individually fighting bad John Doe
subpoenas, we changed our code to make the data they can actually get
worthless to them, so we can just serve them (if they're valid) while still
protecting our users' privacy. If we get dragged into court over it, our
liability insurance kicks in, we pay a (relatively) small deductible, and then
we can use the precedent we set there to throw out any new cases for everybody
with this problem, not just us. Way more sustainable.

Phase 2 is that I delete the hashes after a few months. I haven't gotten to it
yet, but it's in the ticket tracker.

~~~
DenisM
How long will it take to hash all 4b ip addresses with your salt? I guess if
you tune scrypt to 100ms, that would be 400m seconds, or about 100,000 hours
of machine time. If you buy machine time at 1 cent per hour, that would be
$1000, spread across 1000 machines it will take about 4 days total. Not good.

Log anonymization is hard. I wonder if a probabilistic approach would be
better, because it's deniable. Something like a bloom filter. You can tune the
false positive rate to match that of a human admin making an error, so
business impact is less pronounced.

Yet another option I'm thinking about is an external service that takes 32 bit
IP address and returns a 256 bit handle, which you would then use for logging.
The service would be rate-limited to prevent enumeration, so those 100k hours
would have to be spent sequentially, turning 4 days into 4 thousand days.

~~~
kyledrake
Not good for a serious agency, but it stops the lower level ones that aren't
going to do this.

We use these hashes to fight off spammers. A bloom filter won't do us any good
because it will provide false positives.

An external service will be legally subject to subpoenas, so pawning it off
doesn't solve the problem either.

You're right. Log anonymization is hard.

The only really good way to solve this is to throw this information away,
which is also legal. Because of the spam considerations, we need this for now.
I might decide it's not worth it though and just stop storing even these
hashes.

~~~
DenisM
If your scheme becomes prevalent, someone will create a service that for $10k
will brute-force $1k worth of hashed IP addresses. $10k and 4 days is comparable
to a legal bill, so you're not deterring anyone, but the most casual snooper.

~~~
comex
But if it isn't prevalent (which is likely to remain the case for the near
future), and the regional agencies issuing subpoenas are technically pretty
clueless (which I think they mostly are), then it will be effective. That's
pretty near the best you can do, as long as you need to log IPs in some form
for spam prevention.

Incidentally - a slightly more effective solution might be to put the 'did
this IP visit recently' function in a secure microprocessor, rate limit it so
it can't be bruteforced at more than a modest rate (in case of DDOS you can
always temporarily stop using it), and throw away the keys to reprogram it.
That really will stop everyone but the NSA, but it's about a million times
more difficult and expensive...
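
An added example, not part of the thread and not Neocities' own code: a sketch of the scheme discussed above (salted scrypt pseudonyms of client IPs for spam matching, with the "Phase 2" expiry), together with DenisM's enumeration arithmetic for the IPv4 space. The class and function names, the 90-day retention window and the scrypt parameters are assumptions.

```python
import hashlib
import ipaddress
import os
import time

RETENTION_SECONDS = 90 * 24 * 3600  # assumption: "a few months" taken as 90 days


class IpPseudonymLog:
    """Keeps salted scrypt digests of client IPs; the IPs themselves are never stored."""

    def __init__(self, salt=None, n=2**14, r=8, p=1):
        self.salt = salt or os.urandom(16)  # site-wide secret, kept out of the log
        self.params = {"n": n, "r": r, "p": p}  # assumed work factor, tune per host
        self.seen = {}  # digest (hex) -> last-seen unix time

    def pseudonym(self, ip):
        # Hash the packed form so equivalent spellings (compressed IPv6) match.
        packed = ipaddress.ip_address(ip).packed
        return hashlib.scrypt(packed, salt=self.salt, dklen=32, **self.params).hex()

    def record(self, ip, now=None):
        self.seen[self.pseudonym(ip)] = time.time() if now is None else now

    def seen_recently(self, ip):
        # Exact lookup: unlike a Bloom filter, no false positives for spam checks.
        return self.pseudonym(ip) in self.seen

    def purge(self, now=None):
        """Phase 2: drop digests older than the retention window; return count."""
        cutoff = (time.time() if now is None else now) - RETENTION_SECONDS
        stale = [d for d, t in self.seen.items() if t < cutoff]
        for d in stale:
            del self.seen[d]
        return len(stale)


def enumeration_cost(seconds_per_hash, machines=1, space=2**32):
    """Return (machine_hours, wall_clock_days) to hash every address in `space`."""
    machine_hours = space * seconds_per_hash / 3600
    return machine_hours, machine_hours / machines / 24


if __name__ == "__main__":
    log = IpPseudonymLog()
    log.record("192.0.2.7")  # constructed sample address (TEST-NET-1)
    print(log.seen_recently("192.0.2.7"), log.seen_recently("192.0.2.8"))
    print(enumeration_cost(0.1, machines=1000))  # parallel, per DenisM's estimate
    print(enumeration_cost(0.1))  # one rate-limited worker
```

The work factor only raises the price of walking the 2^32 address space; it is the purge step that actually removes data from what a subpoena can reach.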

------
sandworm
They know about Tor. Five years ago it was magic to most cops and all
prosecutors. Today they have been educated, to some extent by people like me.
They acknowledge that the exit node is a proxy. In years past they would have
tried sending cops to the door to seize the server, or at least make some
allegations.

That's why I do not think that they expect any results here. They expect
nothing. They need nothing. They need a non-response to take things to the
next step. That step is probably political. They want the bullet point about
why criminals are getting away due to VPNs, Tor and other online nasties.

~~~
diafygi
Exactly. The actual subpoena is really short and reads like it was thrown
together so that someone could tell their boss they tried.

------
korethr
Okay, reading the subpoena linked in the original article, it appears that
Cook County, Illinois is trying to subpoena a company in Romania. IANAL, but I
didn't think an entity in one country could compel anything of another entity
in another country without getting the governments of both involved.

So, what was the point of this subpoena? Did a clerk somewhere fail to realize
that Romania isn't even on the same continent, much less in the same country?
Or are there legal mechanisms involved that I'm not aware of?

~~~
wongarsu
Maybe the receiver of the subpoena could be charged with contempt of court if
he/she ever enters the US? Not sure if that's possible under US law.

~~~
korethr
If a specific person were named, I could see that possibly happening if said
person were to ever set foot in the US (or maybe just Illinois).

But a company? That brings in additional questions. Would not Cook County have
to prove that the person to be held in contempt had been employed by the
company in question at the time of the subpoena? Wouldn't they also have to
prove that responding to the subpoena would have been part of said person's duties
at said company? For example, if I were employed by EuropeCo in 2014 as an
engineer on their Foomatic line of widgets, and travelled to the US next month
for a conference, I don't think it should be possible for me to be held in
contempt of court because someone didn't respond to a subpoena regarding
EuropeCo's Baritron service. Yes, it's a silly and contrived example, but
hopefully you get the idea.

But again, IANAL.

~~~
aroch
I'm pretty sure Cook County would need to show some sort of nexus in order to
compel, eg that significant business is done by the Romanian company in Cook
County. Otherwise, anyone could break any laws so long as they didn't live in
the place where they're breaking the law.

As is, providing an anonymous and non-specific service to anyone doesn't really
satisfy that.

------
higherpurpose
FBI's Comey (crypto backdoor promoter) has just visited Romania calling for
data retention laws after several such recent laws were declared
unconstitutional. The FBI basically gave an ultimatum saying that if such laws
aren't passed, then it could hurt the US-Romanian relationship. So the US is
actively threatening/bullying other countries into adopting mass surveillance
laws right now - _or else!_.

The ultimatum is also BS, because the US _needs_ Romania more than ever in the
Russian-Ukrainian conflict (Romania is also one of the countries that has a
missile shield against Russia, installed by the US). But I guess that's the
level of diplomacy US enforces with most weaker countries (bullying).

The Romanian NSA sees the US NSA as some sort of mentor and tries to do
whatever it gets told to strengthen that relationship. It's also very likely
the NSA subsidizes/gives away its spying tech to countries such as Romania to
make spying on its own citizens easier. Surveillance oversight is even weaker
than in the US/UK.

Both Romania and Poland were accused of holding secret CIA prisons as well
about a decade ago (likely true).

~~~
bigiain
> So the US is actively threatening/bullying other countries into adopting
> mass surveillance laws right now - or else!.

A ploy which worked just fine against Australia (and our spineless luddite
government). They probably didn't even need to threaten, just asked nicely and
promised our Prime Minister a photo opportunity one day. </rant>

------
bri3d
Title would be better as "Exit Node" and based on what I know, this isn't
altogether uncommon. A relay-only node receiving a subpoena would be novel as
far as I know.

EDIT: Title was changed, thanks!

~~~
p4bl0
Yes exactly, I was alarmed by the HN title, but then the link content was
pretty usual. Tor is not broken, phew :).

That said I'm pretty curious to see the answer of the administration to the
answer of the exit node admin explaining what Tor is and why he can't help
them.

------
cft
Cook County waged a war against Craigslist back in the day:
[https://www.eff.org/deeplinks/2009/10/cook-county-sheriff-lo...](https://www.eff.org/deeplinks/2009/10/cook-county-sheriff-loses-case-against-craigslist)

------
mega1ton
Probably from this:
[http://chicagotonight.wttw.com/2014/04/09/cook-county-comput...](http://chicagotonight.wttw.com/2014/04/09/cook-county-computers-hacked)

~~~
mb0
Maybe. The IP address that is referenced in the subpoena (12.218.239.38) is
the IP address of cookcountyboardofreview.com. Maybe that box got hacked and
it had access to some big cook county DMZ?

~~~
mega1ton
Who knows. Sounds like some idiot logged into
[https://apps.cookcountyil.gov/oe/](https://apps.cookcountyil.gov/oe/) (same
IP) and attempted to do something bad.

These poor guys from this county are probably pretty distressed and using
whatever means they have to find out whodunnit.

------
nippoo
I can't stop giggling at the red hand-circled bit in the subpoena.

( IP? ) <-- This is the one we need

------
sporkenfang
This is why individuals are generally less likely to operate an exit node than
large bodies such as universities.

It can happen, has happened, and will likely happen again.

------
Aissen
Isn't this an everyday thing for Exit Node operators? Many ISPs simply
forbade Tor because it wasn't worth the legal hassle/paperwork.

~~~
benev
I ran a Tor exit node for about nine months and only ever had two complaints
sent to me. Both were for people performing some form of hacking through my
exit node. I responded to both with a form letter, and that was that. Granted
it was a low bandwidth exit node.

I hear US-based nodes get more legal attention because of the DMCA, but I
can't comment on that as mine was based in Romania as well.

------
yownie
funny info request from the subpoena IP -> 176.126.252.11 -> 12.218.239.38

~~~
sandworm
Give them some credit. By this they are acknowledging the concept of a proxy.
Compared to most, this request does a reasonable job of describing what they
have and what they want efficiently. They aren't asking for everyone connected
at the time. They aren't asking for 'any and all' records. They are asking for
one connection record and are providing reasonable information on their end to
facilitate. The diagram is a reasonable and, considering the source, a novel
means of conveying the vital data.

The fact that the connection record doesn't exist, or if it does would be
virtually useless, should not take away from the reasonableness of the
request. "We don't have such records" is a legitimate response.

------
peterkelly
What next? Everyone who operates an IP router on the internet starts getting
subpoenas?

