The person that signed the subpoena was in the news for allegations of corruption, and so was her husband (it's called Crook County for a reason). They spelled the name of my company wrong (noahcities.com or something like that), and when I sent a letter to the designated agents requesting they fix it (I control neocities.org, not noahcities, how can I respond to legal requests addressed to a different web site?), they never responded, and the subpoena basically just died.
If they had followed up, they would have gotten a tor exit IP address somewhere outside of their jurisdiction (read: another country). I told them this before they filed it, and they told me "That decision is for someone above my pay grade, man". You can't spend 5 minutes to google for Tor because of your "pay grade"?
Oh, and they also love to put unlawful (but unfortunately, not illegal) gag orders in their subpoenas. I chose not to waste our lawyer's time (and our money) on this piece of trash, so we didn't make too big of a deal about it.
The take home lesson for me was that crooked regional governments abusing the subpoena system are just as big of a problem as the NSA, if not worse.
So, now you know the story behind this commit http://github.com/neocities/neocities/commit/4983a9b24eac00b...
It's not good enough for the NSA, but it will prevent these idiots from ever figuring it out. And there's no US data retention laws for web sites, so it's completely legal.
This is textbook Neocities business philosophy. Instead of raising money to hire more lawyers and take the legal risk individually fighting bad John Doe subpoenas, we changed our code to make the data they can actually get worthless to them, so we can just serve them (if they're valid) while still protecting our users' privacy. If we get dragged into court over it, our liability insurance kicks in, we pay a (relatively) small deductible, and then we can use the precedent we set there to throw out any new cases for everybody with this problem, not just us. Way more sustainable.
Phase 2 is that I delete the hashes after a few months. I haven't gotten to it yet, but it's in the ticket tracker.
I think this is often misunderstood as meaning something like:
"They don't pay me enough to do that"
"I do not have the authority to make that decision."
Log anonymization is hard. I wonder if a probabilistic approach would be better, because it's deniable. Something like a bloom filter. You can tune the false positive rate to match that of a human admin making an error, so business impact is less pronounced.
Yet another option I'm thinking about is an external service that takes a 32-bit IP address and returns a 256-bit handle, which you would then use for logging. The service would be rate-limited to prevent enumeration, so those 100k hours would have to be spent sequentially, turning 4 days into 4 thousand days.
We use these hashes to fight off spammers. A bloom filter won't do us any good because it will provide false positives.
An external service will be legally subject to subpoenas, so pawning it off doesn't solve the problem either.
You're right. Log anonymization is hard.
The only really good way to solve this is to throw this information away, which is also legal. Because of the spam considerations, we need this for now. I might decide it's not worth it though and just stop storing even these hashes.
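One way to implement the "hashed IPs for spam tracking, deleted after a few months" scheme the thread discusses, as an added illustration rather than the Neocities commit or any of the commenters' code: the pseudonym is an HMAC under a random per-period secret (a bare hash of a 32-bit address is reversible by enumeration), and destroying a period's secret is what makes its logged pseudonyms unlinkable. The class name, the month-based period numbering and the three-period retention are assumptions.

```ruby
require 'openssl'
require 'securerandom'
require 'ipaddr'

# Illustrative design, not the Neocities code base. Each pseudonym is
# HMAC-SHA256(secret_for_period, ip). The secret is random per period
# (e.g. per month); once it is destroyed, nobody (including the operator)
# can match old pseudonyms to an address or test a guessed address.
class IpPseudonymizer
  RETENTION = 3 # periods a secret is kept before it is destroyed (assumed)

  def initialize
    @secrets = {} # period number => 32-byte random secret
    @floor = nil  # oldest period still allowed to mint pseudonyms
  end

  # Months since year 0, so periods compare and subtract as integers.
  def self.period_for(time)
    time.year * 12 + time.month - 1
  end

  # Pseudonym for ip in period; creates the period's secret on first use.
  # IPAddr normalises the address (IPv4 or IPv6) before hashing.
  def pseudonym(ip, period)
    raise ArgumentError, 'period already expired' if @floor && period < @floor
    secret = (@secrets[period] ||= SecureRandom.random_bytes(32))
    OpenSSL::HMAC.hexdigest('SHA256', secret, IPAddr.new(ip).to_s)
  end

  # True if pseudo was produced from ip in period. False once the period's
  # secret is gone: old log entries can no longer be matched to anyone.
  def matches?(pseudo, ip, period)
    secret = @secrets[period]
    return false unless secret
    OpenSSL::HMAC.hexdigest('SHA256', secret, IPAddr.new(ip).to_s) == pseudo
  end

  # Destroy secrets older than RETENTION periods relative to current_period.
  def expire(current_period)
    @floor = current_period - RETENTION + 1
    @secrets.delete_if { |period, _| period < @floor }
  end
end

if __FILE__ == $0
  # Constructed sample using a documentation-range address, not a real visitor.
  pz = IpPseudonymizer.new
  now = IpPseudonymizer.period_for(Time.now)
  tag = pz.pseudonym('203.0.113.5', now)
  puts "#{tag[0, 16]}... matches now? #{pz.matches?(tag, '203.0.113.5', now)}"
  pz.expire(now + IpPseudonymizer::RETENTION)
  puts "after expiry matches? #{pz.matches?(tag, '203.0.113.5', now)}"
end
```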
How about a distributed onion route of external corporations, such that N subpoena hops must be followed to get to an unhashed IP? Serious investigations would do the legwork required and catch a serious bad guy, but nuisance clowns would be stopped from going too far. Kind of like a legal scrypt().
Instead of services, it could just be a reciprocal arrangement where everybody participating holds some of everybody else's data.
Incidentally - a slightly more effective solution might be to put the 'did this IP visit recently' function in a secure microprocessor, rate limit it so it can't be brute-forced at more than a modest rate (in case of DDOS you can always temporarily stop using it), and throw away the keys to reprogram it. That really will stop everyone but the NSA, but it's about a million times more difficult and expensive...
Go IPv6 only?
Do you think that kind of decision was up to the actual guy/gal you were interacting with? Genuine question, not rhetorical. I just ask because sometimes you get asked to do stuff at work that's silly, but it's easy and makes the guy/gal paying you happy, so you do it.
If it was a lawyer, they probably charged for the whole hour, right? Heh.
That's why I do not think that they expect any results here. They expect nothing. They need nothing. They need a non-response to take things to the next step. That step is probably political. They want the bullet point about why criminals are getting away due to VPNs, Tor and other online nasties.
So, what was the point of this subpoena? Did a clerk somewhere fail to realize that Romania isn't even on the same continent, much less in the same country? Or are there legal mechanisms involved that I'm not aware of?
But a company? That brings in additional questions. Would not Cook County have to prove that the person to be held in contempt had been employed by the company in question at the time of the subpoena? Wouldn't they also have to prove that responding to the subpoena would have been part of said person's duties at said company? For example, if I were employed by EuropeCo in 2014 as an engineer on their Foomatic line of widgets, and travelled to the US next month for a conference, I don't think it should be possible for me to be held in contempt of court because someone didn't respond to a subpoena regarding EuropeCo's Baritron service. Yes, it's a silly and contrived example, but hopefully you get the idea.
But again, IANAL.
As is, providing an anonymous and non-specific service to anyone doesn't really satisfy that.
The ultimatum is also BS, because the US needs Romania more than ever in the Russian-Ukrainian conflict (Romania is also one of the countries that has a missile shield against Russia, installed by the US). But I guess that's the level of diplomacy the US enforces with most weaker countries (bullying).
The Romanian NSA sees the US NSA as some sort of mentor and tries to do whatever it gets told to strengthen that relationship. It's also very likely the NSA subsidizes/gives away its spying tech to countries such as Romania to make spying on its own citizens easier. Surveillance oversight is even weaker than in the US/UK.
Both Romania and Poland were accused of holding secret CIA prisons as well about a decade ago (likely true).
A ploy which worked just fine against Australia (and our spineless luddite government). They probably didn't even need to threaten, just asked nicely and promised our Prime Minister a photo opportunity one day. </rant>
> Poland were accused of holding secret CIA prisons as well about a decade ago (likely true).
I think that this is true and a matter of public record with regard to Poland.
Or would they not even bother to subpoena, and just get the information through back channels (i.e. not documented, not official)?
EDIT: Title was changed, thanks!
That said, I'm pretty curious to see the answer of the administration to the answer of the exit node admin explaining what Tor is and why he can't help them.
These poor guys from this county are probably pretty distressed and using whatever means they have to find out whodunnit.
( IP? ) <-- This is the one we need
It can happen, has happened, and will likely happen again.
I hear US-based nodes get more legal attention because of the DMCA, but I can't comment on that as mine was based in Romania as well.
The fact that the connection record doesn't exist, or if it does would be virtually useless, should not take away from the reasonableness of the request. "We don't have such records" is a legitimate response.