This blog posting, about the experience of a former Tor exit node server operator in the UK, is worrying:
Passion and Dalliance blog: Why you need balls of steel to operate a Tor exit node
I became interested in Tor in the spring of 2007 after reading about the situation in Burma and felt that I would like to do something, anything, to help. As a geek and lover of the internet it seemed the best thing I could do was to run Tor as an exit node to allow those under jurisdictions that censor the internet free access to the information they need. I had a lot of unused bandwidth and it seemed like a philanthropic use of it to donate that to Tor.
[...]
I totally believe in Tor. I think it is a magnificent force for the circumvention of internet censorship but there is a problem.
I was visited by the police in November 2008 because my ip address had turned up in the server logs of a site offering, or perhaps trading in (I was not told the details of the offence) indecent images of children. The date of the offence was about one month after I started the server so it looks as though the site in question had been under surveillance for more than a year.
It was what is known as a 'dawn raid' and, amazingly enough, my children were still asleep when it occurred. Thank God.
I explained to the officers, who we had heard threatening to break the door down before we let them in, about Tor but they had never heard of it. My wife says she thinks they were about to arrest me before that. I was not arrested. I was told not to touch the computer and it was placed, considerately, in a black plastic bag and taken away for forensic examination.
I was OK at first. I knew that somebody had gone through my server to access that material and that I was not guilty of any offence but as the weeks wore on it started to get to me.
I was overwhelmed by horror to be implicated in such a thing. I was desperately worried about my family. One of the officers had told my wife that Social Services would be informed as a matter of course and there was a possibility that my children would be taken into care. The low point came about two weeks after the visit by the police when I totalled my car. I was distracted, stressed and unable to accurately assess the road conditions. I ploughed into a hedgerow at speed, destroying the car which we had just bought, but, luckily, walked out of it with only bruised ribs.
I didn't have the money to hire a lawyer so I just sat the thing out. From time to time the police called with an estimate of when the investigation would be finished but none of that meant very much because those dates came and passed with no resolution.
Eventually, four months after the visit, I picked up a voice message from the police inviting me to call back. When I called I was told that no evidence had been retrieved and the machine would be returned to me.
I think, in retrospect, I was desperately naive to run a Tor exit server on a home computer but I didn't believe that an ip address in a server log would be enough evidence to warrant seizing equipment.
My wife, God bless her, was absolutely marvellous throughout the whole thing and never doubted me.
I have read with interest about the need to make Tor faster and that that largely depends on having more nodes but there is no way I can contemplate offering my ip address as a service to internet anonymity any more.
It was very frightening for me to be implicated in a serious crime.
As a parent of very young children I have an extensive network of friends and contacts in my neighbourhood who also have children. As we know the subject of paedophilia is not one that can be debated with any rationality at all in the UK. It is surrounded by hysteria. I was terrified that people would find out that my computer had been taken because of that - 'no smoke without fire'.
I don't know what can be done about any of this. To my mind running an exit node is extremely high risk. I think Tor is important but I don't have any ideas about how to support it at the moment.
Why are there still any untrained Policemen in the UK, who are being allowed to conduct internet crime related investigations, without having first learned about open proxy servers, Tor and other techniques ?
They need to be disciplined and retrained, and their senior managers need to be named and shamed, as they are an unacceptable risk to innocent members of the public, and the real criminals must be running rings around them.
Surely if major UK ISPs are now only offering a censored CleanFeed system, then there is no excuse for the Police to harass their customers in this way ?
As a sometimes Tor user and someone that has been thinking about starting a Tor exit node at home for much the same reasons this is quite a worrying read. Especially as if I run it on something other than a dedicated server (which I'd rather avoid) getting the server taken away for any length of time would be more than just an inconvenience.
hmm so you told the police that you were just running a proxy and they still confiscated your pc. You then berate the police for not taking your word for it that you weren't a pedophile even though your ip was found in a server log...
Dude wtf, if it was that easy don't you think every pedophile would use the same excuse. Of course they had to check your pc for evidence...
I am no fan of the increasing level of hysteria and authoritarianism in the UK but I do believe that crimes like pedophilia should be investigated and I think your reaction to this incident is misguided. You are lucky they didn't just charge you anyways. If anything, this shows the police aren't as crazy in the UK as we are led to believe.
@fapfapfap,
You do realise that paedophilia is not a crime, correct?
Crimes which paedophiles may commit include sexual contact with a minor, or perhaps possession/distribution of child pornography.
Some amount of precision is necessary in describing what the police were investigating.
This makes me much *more* likely to run a Tor exit node, since nothing came of it -- just not on my personal daily-use machine. I'd take precautions: run it on its own computer, and have a big label on it that says "TOR NODE" and its IP address. When the cops come with a warrant, hand it over and bid them a nice day. Then raise a huge stink in the press until you get it back. :-)
Dangerous business, dangerous business. Dangerous business when you do stuff that the government consider you shouldn't be doing (even if it's legal like running a tor exit node). Indeed, it'd be pretty silly to run a tor exit node, in the same way it'd be pretty silly to, say, mention Tian'anmen Square in a web site in China. Pretty silly.
Like reporters going to a demonstration. The police are going to charge and they'll be charged too and smacked around a bit because it was pretty silly that they were there. They thought, hey, I'm free press, I have my rights and people have the right to know. Until they feel the stick. Then they still have their rights, and a bleeding contusion. Serves them well.
>You are lucky they didn't just charge you anyways.
On what grounds? Are you positively nutters?
It's questionable (to me at least) whether an IP address in a log alone should be enough evidence even for search and seizure. One could have a computer infected with a botnet or trojan type virus, allowing outsiders to gain control of the system, one could have a wireless router and never read the directions (while a paedophile sat in a car outside their house downloading kiddy porn one night). One could be running a tor exit node, an unconfigured squid proxy, a box with weak SSH passwords, or a whole host of other things. That said, I agree they should look into alleged possession of child pornography and I can't think of any other way they could have looked into it other than seizing the equipment and examining it. Unfortunately, I have a strong feeling they would have charged him immediately had they found even one image, without ever looking to see if others may have had access to his equipment remotely. This is where things get scary.
I'm especially horrified at the length of time it took. That's absurd.
The police knew exactly what they were doing.
It's part of an effort to shut down the network so that the only Tor exit nodes are those run by Intelligence services.
" I'd take precautions: run it on its own computer, and have a big label on it that says "TOR NODE" and its IP address. When the cops come with a warrant, hand it over and bid them a nice day. Then raise a huge stink in the press until you get it back."
So you believe that during the police raid, they will only confiscate the computer that has been marked with tape?? LOL good luck with that!
@ Anon on March 21, 2009 5:03 AM -
Not in this case they didn't.
There are so few Tor exit nodes in the UK, far fewer than in say just the city of Berlin in Germany - usually fewer than 20, and at weekends, down to perhaps only half a dozen.
The Police or intelligence agencies could easily just copy all the Tor exit node internet traffic (with a warrant signed by the Home Secretary under the Regulation of Investigatory Powers Act 2000). They could certainly get hold of any or all of the UK based Tor exit nodes' relevant ISP log files, also in secret.
This would probably cost less than the Police overtime for a "dawn raid" and the forensic examination of a single Tor server seized from someone's home or office.
See the various websites which list all the Tor nodes e.g.
https://torstat.xenobite.eu/index.php?FilterIsRunning=1
and filter by "GB" and "Exit Node" and "Running"
N.B. The vast majority of Tor users in the United Kingdom will not be exiting from the 20 or so UK Tor exit servers, but almost certainly from the 1500 others which are overseas.
These Tor Exit node connections change randomly every 10 minutes or so anyway.
@ fapfapfap - Note that apparently there was no arrest, but private property was "seized", seemingly without a warrant anyway - we do not have the equivalent of the US 4th Amendment to the Constitution against unreasonable searches and seizures here in the UK
@ dhr - it is one of the many Orwellian Thought Crimes, along with many other dissident political or social communications, which the Tor cloud might be used to make it a bit more difficult for even a powerful snooper to trace.
Why are there no police raids on the hundreds of thousands of trojan malware infected broadband connected home PCs, which are also spamming adverts for, or actually sharing and distributing, such illegal content ?
You're lucky this occurred in the UK where even though the police may be untrained they can still occasionally be civil.
If this had been in the US you would have been tasered, your children taken away and probably convicted because evidence would have been manufactured against you to save face.
If you are single, independently wealthy and have excellent counsel on retainer, running an exit node is a very honorable thing to do. Otherwise do not consider it.
What's the problem? The police had reasonable intelligence to get a warrant, they investigated (without arresting you), they found you hadn't committed the crime, they gave you your stuff back.
95% of intel like this that comes into UK forces leads to a quantity of indecent images of children being recovered from the computer, along with a forensic trail showing how they got there. I know this because I examine these computers day in, day out.
This post shows, if anything, that the system works.
And as for the comment at the bottom of the story about a 'censored CleanFeed system' - if you really believe that that would stop anyone from getting anything, then you're deluded.
tien, you are just feeling the squeeze that many of us have felt. I raised the issue of inappropriate (verbal) behaviour of a student teacher at my kids school with the headmistress. what happened after was an education in how the system works. got called back from work out of the blue several days later by my missus 'get back now- social are here to take away the kids'. Got back 4 social workers + 2 coppers waiting outside - no comment except 'social are here to interview you'. found myself accused of being an alcoholic wife and child beater and, get this, 'hostage taker' . i don't drink, which was apparently 'evidence of it being a hidden problem' - 6 hours of interrogation after which as no evidence a regime of monitoring which went on for a year was instituted. where did all this come from - the headmistress made the accusation, the hostage taking came from 'her being buttonholed in her office while i made wild accusations regarding her staff' -not true, I raised the issue politely and it was in a room with other folk present.
anyways it cost the marriage, the missus couldn't handle the surveillance - car outside the house for 3 months, surprise inspections - once at 11 at night with cops to get kids out their beds to check on them. As the surveillance went with the kids I ended up taking them on on my own - social were round after the split to see if the missus would now 'give the evidence they needed' - seems the whole thing was designed to split us up on the grounds she wouldn't testify if 'living in fear'. now I live with the kids on the at risk register so social have 24/7 access if they want it, although it hasn't been exercised since shortly after the split it isn't something you can have removed. the teacher was apparently 'disciplined under internal code' details of which i am not permitted to know.
point is these folk know well how to hurt you if you have kids and the adage of nothing to hide nothing to fear is a complete lie. nothing to hide simply means no reason to stop looking (read turning you over).
in my opinion the raid you experienced was done as it was to close you down as a tor node, and for no other reason. the child pornography threat is now levelled at anyone who has a computer, cf the raid on the two brothers in north london. accusation was thrown in at the beginning when the computers were seized and later retracted in a very small article in the press. back in the 70's we had a family friend who'd escaped from the eastern bloc. he commented back then that if you were targeted you could expect to be accused of being a pederast in the press. he pointed out that it was game over for your life regardless of its veracity as no one would risk being in contact with you anymore. my condolences on what happened - it's politics, nothing more.
@ flopsy -
Unless you have personal inside knowledge of this particular case, that is not evident from the blog article under discussion.
You are perhaps confusing Spy Blog, with the Passion and Dalliance blog.
Read it again. The blog posting does not say that the computer equipment has actually yet been returned, only that the police were willing to do so, sometime in the future. The expense and disruption caused by the inordinate length of time that innocent people's computer equipment is held for by the police and legal system, is one of the many current issues which needs to be vastly improved.
The fear of loss of business and other unnecessary "collateral damage" caused by law enforcement investigations, is a major factor in the under reporting of computer crimes.
Do you mean Tor exit nodes or home computers in general ?
Have you ever actually forensically examined a Tor exit node?
A Tor exit node is no different from any other internet router - it does not store the content of what it is passing from one IP address to another. Neither does it usually store any logfiles. What it passes to and from the Tor cloud is strongly encrypted, and the Tor exit node operator has no way of deciphering it, even under torture.
N.B. it is entirely possible for Tor exit nodes and/or open WiFi connections to be run deliberately by criminals in the hope of providing "cover" for their nefarious activities, but if that was the case, then the police should surely have other intelligence, and should have made an arrest.
The impression from the article is that they were on a "fishing expedition".
No it does not, unless you think that an entirely avoidable "dawn raid" on an innocent person is somehow acceptable, either from civil liberties or from efficient police investigation viewpoints.
This could have been avoided by simply checking the IP address with widely published public lists of Tor exit nodes, something which it is utterly inexcusable for any policemen involved in internet crime investigations to be ignorant of, but which seems to be the case here.
You cannot have it both ways.
Either the (flawed) CleanFeed censorship infrastructure is of some use, in some cases at least, or it is not, in which case it must be dismantled, because it provides the infrastructure for political or religious censorship and discrimination, as well as its current purpose for "child protection".
A UK based Tor Exit node on an ISP using CleanFeed would not (currently) censor access to, say the BBC Chinese language news website, but would stop Chinese or US based web surfers from accessing porn sites on the UK Internet Watch Foundation lists.
UK Tor client users would hardly ever connect out of the Tor cloud via a UK Tor exit node (there are simply too few of them), and then, only for about 10 minutes, before the node connection is randomly changed.
@wtwu:
I don't have any inside info on this, the intel that I referred to was that the user's IP address had accessed unlawful material. Yes, there are a few 1337 ways that this could have been done by someone bouncing off that IP, but when you hear a quack you look for a duck until you've got reason to look for something pretending to be a duck. As I said, a squillion jobs a year come in from IP referrals, and in all but one or two cases per year (speaking from a busy urban computer forensics dept) there is muck to be found, a trail telling how it got there, and a guilty plea after the report is presented to the suspect and his defence expert has replied with a 'yeah, you're pretty much fcked'. OK, but he didn't say that it was being withheld from him either. Once the exhibit is OK'd for return, it's usually just a matter of collecting it. Point taken about the length of time to do analyses. This is totally out of order and unacceptable, but it's all down to money. Forensic analysts take time to train and that training is expensive. Every police force in the UK is swamped with computers awaiting examination, but a police force only has so much money and a hell of a lot of priorities. Speaking for our department, if there's a business need to get a machine back then we bend over backwards to accommodate that need. This is partly because we appreciate that other people's lives are involved, partly out of fear of civil lit., and partly because we're not assholes and we try to do right by people. Believe this or don't, it's up to you.
Computers in general. I don't think that this raid was avoidable, as you say. There was no way to know the computer was running a Tor node until it was examined, and for that it had to be seized. I know that 'dawn raid' sounds very sinister and evil, but it's just the best time to do it - you can catch the person before they go to work, then you have time to search the house, get the exhibits back to base and do a quickie forensic preview before interview, then the suspect's bailed and back home in time for Coronation Street. It's only dawn at certain times of year anyway, generally it goes on at about 6.30.
It's just not reliable enough. These referrals come to the UK from anywhere in the world, and can be a year old. Bear in mind that some of the jobs we're talking about involve very, very nasty people who are doing horrible things to innocents. The police would be negligent if they relied on an unverified historical list of IPs run from god knows where by god knows who. The fault, if there's anyone at fault, lies with the criminals who exploit a truly good and noble idea like Tor for their own selfish ends. I don't want it both ways, I'd like to see it gone. It stops no one who wants to get child abuse images from getting them, it's just a tick in a government box. Dismantle it and no criminal would even notice it was gone. The very idea is ridiculous and unpleasant.
@ Flopsy
What do you think of the Jim Bates computer forensic expert witness case, which had a Judicial Review hearing today ?
The former National Hi-Tech Crime Unit used to publish a Confidentiality Charter for Businesses, trying to re-assure them about this, but all that has disappeared nowadays, as has a lot of public trust in the police etc. under this Government and its unaccountable quangos.
Every Tor client gets updates of this list (simple, easily searchable text files) from the Directory servers, which have no way of telling whether the client is under the control of the police etc. or not.
There is no reason why the police should not compile their own trustworthy copy of the history of Tor exit node IP addresses, especially since so many police and intelligence agencies actually use Tor for conducting investigations without blabbing out their own *.pnn.gov.uk, *.met.police.uk, *.gmp.police.uk etc. IP addresses.
The free Vidalia front end even comes with a GeoIP based mapping tool which shows you through which countries your Tor circuit is currently hopping
On a slightly tangential topic, what do you think of the Jim Bates computer forensic expert witness case
http://www.theregister.co.uk/2008/09/17/ore_bates_arrest/
which had a Judicial Review hearing today ?
Does his embellishment of his CV invalidate all of his technical testimony over the years (both for the prosecution and for the defence) ?
Creating a sort of SLA would be difficult in practice, because some exhibits simply have to be held onto for a long time, and it's not always possible to clone data to give them back. Again speaking for our place, we like to return stuff partly because we haven't got the storage but if it's an indecent images job then we can't give it back until it's been cleared - otherwise we'd be committing the offence of distribution. We get a lot of requests from suspects and their families for schoolwork, finance data, family photos etc and we generally provide them with a DVD as soon as we can.
I know that few people on a site like this want to believe it, but we're not monsters. I'm a Guardian-reading pinko type, and I'm working with the nicest bunch of people I've ever worked with at the moment, after 15 years in various sectors of the public and private sectors.
Your idea about checking Tor lists isn't without merit, but it can't just be used as a 'get out of an investigation free' card. If a warrant is executed and the suspect says straight away that he's running a Tor node, then the relevant IP could be quickly checked against the lists and the focus of the investigation may change accordingly, but there's still got to be a forensic analysis done of any seized equipment. Anything other than that is just giving carte blanche to commit any criminal act online. It's just one of the risks of running a Tor node, and it's very sad but it needs to be taken into account by anyone choosing to run a node. As I said, don't blame The Man, blame the criminals. Oh, and I don't know of any forces using Tor - the RIPA authorities needed to do so would get insanely complex, because we'd be passing potential intel through unknown computers. Seriously, the thought of having to explain it to our Force Intelligence Manager is bringing a grin to my face now.
Mr Bates...it wouldn't be professional of me to comment, especially hiding behind anonymity on here. He was one of the godfathers of computer forensics in the early days.
@ flopsy -
Difficult perhaps, but unless there are rapid, effective error correction procedures, to quickly apologise for, and financially compensate innocent people who have been falsely accused, either through error or malice, then the Police and intelligence agencies and politicians are part of the problem, not part of the solution to serious crime and terrorism etc.
The senior managers should recognise that mistakes are inevitable, and then they should Do The Right Thing, instead of always spinning the media and trying to cover their bureaucratic backsides.
I doubt if you could ever use it as Evidence in Court, but surely a serious crime or national security intelligence investigator risks tipping off the operators of, for example, a criminal or terrorist website or email server etc., by not hiding their real IP address. They may even be blocked from accessing it in the first place, either by the target server, or by nanny censorship software in place in their own organisation.
More subtly, the content displayed by a particular website can easily be tailored to be different, according to which IP address block or which even GeoIP based country location that your IP address seemingly belongs to. This might also rule out using any UK based IP address at all, to investigate something apparently located in, for example China or the Ukraine etc.
Unless investigators use Tor clients, then they cannot access encrypted Tor Hidden Services, which are slow and not well indexed, but some of which certainly do contain some dubious and possibly illegal content.
Explain it you should, as he or she needs to be as aware of the advantages and limitations of Tor and other such tools.
I do not see how RIPA red tape is needed at all - anybody is allowed to download and install the Tor client, which, when fired up, automatically downloads and periodically updates all the Exit node details, i.e. name, IP address, which ports are open according to the Exit Policy etc. to a couple of text files on your local hard disk.
Surely the Police do not have to fill in the bureaucratic RIPA forms, when they run a public WHOIS lookup, or a Google search engine query, or visit any other public website, so this would be no different.
The Tor project itself provides tools and lists of Exit nodes for people who want to block them e.g. Wikipedia does not allow user registration or edits via Tor (reading articles is ok)
e.g.
https://check.torproject.org/cgi-bin/TorBulkExitList.py
Running a Tor exit node or open Wifi access point etc. should not be a "carte blanche" at all.
However a "dawn raid" should not be authorised simply on the basis of the apparent IP address information, without taking into account Tor and other possible open proxy servers, and which has not been first checked with easily available tools.
The IP address information intelligence / tip off should be checked against the Tor exit node lists (and open WiFi access point lists or other list of open proxies) before a Data Protection Act section 29 request for the Communications Data subscriber details is made.
Such checks could and should be made at the same time as the (not always up to date) public WHOIS lookup on the IP address is done to determine to which ISP or other organisation or company the IP address in question is allocated to.
This should be part of the checklist used when evaluating the credibility of the original technical intelligence or tipoff, according to the National Intelligence Model Code of Practice i.e. the 5x5x5 Intelligence Report Form
If the investigators still then want, or need, to get a search warrant, then so be it, but such elementary checks, which take only a few seconds, would save wasting their valuable time and public money, and do less damage to public trust, in cases like the one being discussed above, where, seemingly the only suspicious intelligence was IP address based.
This is just the sort of situation which you are very unlikely to be able to comment on at all, without career threatening consequences, without making use of anonymity tools.
The Judicial Review apparently seemed to go quite well from Jim Bates' point of view, and Spy Blog will keep an eye out for the publication of the judgment, which is expected after Easter.
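The pre-check argued over in the comments above (is the referred IP address on a Tor exit list for the time of the alleged offence, given that a referral can be a year old?) can be sketched as follows. This is an added example, not code from the blog, its commenters or the Tor Project; the archive layout, the snapshot text format (`#` comment lines, one address per line), the 12-hour window and the documentation-range addresses are all assumptions constructed for illustration.

```python
"""Check a referred IP address against archived Tor exit-list snapshots."""
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample archive: (UTC fetch time, list text as saved at that time).
# The addresses are RFC 5737 documentation addresses, not real relays.
SNAPSHOTS = [
    ("2007-10-01T06:00:00", "# exit list snapshot\n192.0.2.10\n198.51.100.7\n"),
    ("2007-10-01T18:00:00", "# exit list snapshot\n192.0.2.10\n203.0.113.5\n"),
    ("2007-10-02T06:00:00", "# exit list snapshot\n203.0.113.5\nnot-an-ip\n"),
]


def parse_time(stamp):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def parse_exit_list(text):
    """Return the set of addresses in one snapshot, skipping comments and junk."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addrs.add(ip_address(line))
        except ValueError:
            continue  # a malformed line must not abort the whole check
    return addrs


class ExitHistory:
    """Time-ordered archive of exit-list snapshots kept by the investigator."""

    def __init__(self, snapshots):
        parsed = sorted(
            ((parse_time(ts), parse_exit_list(txt)) for ts, txt in snapshots),
            key=lambda item: item[0],
        )
        self.times = [t for t, _ in parsed]
        self.sets = [s for _, s in parsed]

    def check(self, ip, when, window=timedelta(hours=12)):
        """Return (verdict, matching snapshot times) for `ip` around `when`.

        "listed"      - at least one snapshot in the window contains the address
        "not_listed"  - snapshots cover the window, none contains the address
        "no_coverage" - the archive has nothing for that period, so a lookup
                        against today's list would prove nothing either way
        """
        addr = ip_address(ip)
        lo = bisect_left(self.times, when - window)
        hi = bisect_right(self.times, when + window)
        if lo == hi:
            return ("no_coverage", [])
        hits = [self.times[i] for i in range(lo, hi) if addr in self.sets[i]]
        return ("listed", hits) if hits else ("not_listed", [])


if __name__ == "__main__":
    history = ExitHistory(SNAPSHOTS)
    for ip, stamp in [
        ("192.0.2.10", "2007-10-01T12:00:00"),
        ("198.51.100.7", "2007-10-02T06:00:00"),
        ("192.0.2.10", "2008-11-01T00:00:00"),
    ]:
        verdict, hits = history.check(ip, parse_time(stamp))
        print(ip, stamp, verdict, [h.isoformat() for h in hits])
```

A "listed" verdict only says the address was advertised as an exit at that time; it does not say who originated the traffic, which is the point both sides of the thread agree on.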
It seems that in this case criminals called police made a dawn raid. Occasionally, it is difficult to see the difference between the police and the criminals. It is morally disgusting to see a policeman defending his fellow criminals.
An EU citizen has the right to access justice, and the police denied that with improper conduct and by being slow. The offending country has an obligation to pay compensation to the victim of the state even if its legislation is insufficient in the matter. If the legislation is insufficient, I would require a higher compensation to motivate the sloppy legislature.