INS runs a so-called "Exit Node" within the Tor anonymization network. This network service is used by many whistleblowers (including Edward Snowden), journalists, critical NGOs, dissidents and just plain normal people from stringent state regimes to safeguard their Internet communication from snooping by Internet service providers (ISPs), application providers (such as Facebook, Google, and many others) and countries. We believe that the right to and possibility for free, unmonitored exchange of information and opinion (sometimes referred to as freedom of speech) is a cornerstone of open, democratic societies. Therefore, we support this anonymization network with a relay node that transports any traffic between the Tor network and the open Internet in an unfiltered manner at up to 200 MBit/s over the Johannes Kepler University network, which is connected to the Austrian ACONet.
On 4.12.2015 the project was publicly unveiled during the event "Privatsphäre im Internet - Der TOR Exit-Node an der JKU". Technical as well as legal questions were presented and discussed.
Questions & Answers
1. Do you monitor the traffic passing through this node?
As part of this research project we calculate some statistics of outgoing traffic only. No incoming traffic is monitored at all.
For outgoing traffic the following data is stored and aggregated:
- The autonomous system (AS) number of the destination IP: This allows us to e.g. identify that traffic is going to "Google" as well as the destination country. No individual IP addresses are stored.
- The destination port: This allows us to identify the kind of traffic (e.g. mail, web, ftp), and (with some uncertainty) whether the content is encrypted or not (note: We do not even look at the content to check whether this assumption is true!).
- The number of connections, packets and bytes for the pair "AS - Port" is aggregated and collected; for both directions.
- The country of the source and the destination IP address: Performed as a lookup in a local GeoIP database.
- The data is aggregated over one hour and records with too little traffic are suppressed.
No other data is stored or even briefly inspected, in particular not the content or the destination IP address. As we do not look at the input side at all, de-anonymization is neither possible nor aided in any way. Because of the aggregation and the minimum-traffic requirement, no conclusions about the usage of individual persons are possible either.
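The aggregation described in this answer, sketched as an added example (not the project's own code): each outgoing flow is reduced to an hourly (AS, port) counter, the destination IP is dropped right after the AS lookup, and small buckets are suppressed. The prefix table, the record layout and the threshold of 3 connections are assumptions, since the page does not state them; the country lookup is left out.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-AS table standing in for a local routing database
# (documentation prefixes and documentation AS numbers, not real data).
PREFIX_TO_AS = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}
MIN_CONNECTIONS = 3  # assumed suppression threshold; the page gives no value
T0 = 1449230400      # start of a sample hour (Unix time, UTC)

# Constructed flows: (ts, dst_ip, dst_port, pkts_out, bytes_out, pkts_in, bytes_in)
SAMPLE_FLOWS = [
    (T0 + 10,   "192.0.2.10",   443, 12, 1800, 20, 24000),
    (T0 + 500,  "192.0.2.77",   443,  8,  900, 15, 18000),
    (T0 + 3000, "192.0.2.10",   443,  5,  600,  9,  7000),
    (T0 + 100,  "198.51.100.5",  25,  4,  300,  4,   280),  # lone flow
    (T0 + 3700, "192.0.2.10",   443,  3,  200,  3,   150),  # next hour
]

def lookup_as(dst_ip):
    """Map a destination IP to its AS number; None if no prefix matches."""
    addr = ipaddress.ip_address(dst_ip)
    for net, asn in PREFIX_TO_AS.items():
        if addr in net:
            return asn
    return None

def aggregate(flows, min_connections=MIN_CONNECTIONS):
    """Return {(hour_start, asn, port): (conns, pkts_out, bytes_out,
    pkts_in, bytes_in)} with low-traffic buckets suppressed."""
    buckets = defaultdict(lambda: [0, 0, 0, 0, 0])
    for ts, dst_ip, dst_port, p_out, b_out, p_in, b_in in flows:
        hour = ts - ts % 3600                       # one-hour bucket
        key = (hour, lookup_as(dst_ip), dst_port)   # the IP itself is not kept
        for i, value in enumerate((1, p_out, b_out, p_in, b_in)):
            buckets[key][i] += value
    # Suppression: a bucket backed by too few connections is never emitted,
    # so a single user's session cannot show up as its own record.
    return {k: tuple(c) for k, c in buckets.items() if c[0] >= min_connections}

if __name__ == "__main__":
    for key, counters in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(key, counters)
```

Only the first three flows survive as one record; the lone mail connection and the single flow in the following hour are dropped by the threshold.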
2. Do you allow others to monitor the traffic passing through this node?
Nobody is allowed to monitor the traffic. In our area (=university buildings) we can (and did) verify this as best as possible. What happens outside (e.g. the lines between the universities and at other places in the Internet, e.g. exchanges) is unknown to us and we can make no guarantees there.
a) What will happen if a judge or prosecutor demands monitoring to be implemented?
In this case we will have to comply and institute monitoring, after detailed verification whether this is legal in the specific case. However, we will do our best to shut down the system in that case (so in effect the state would have to take over hardware and operation).
b) What will happen if you receive a "gag order" or "National Security Letter" to lie about monitoring being implemented?
"National Security Letters" do not exist in Austria and those from the USA are not binding for us. Gag orders might be instituted in extreme cases by judges, but we would again try to shut down the system in that case.
3. What advantages does Tor have?
Tor supports anonymous communication in an Internet with ubiquitous tracking and surveillance by companies (Facebook, advertiser networks, and many others routinely collect detailed data about browsing habits with the aim of user profiling) and state agencies (such as NSA and GCHQ). There are many ways to stay anonymous on the Internet, including the use of public terminals, open WiFi hotspots, pre-paid SIM cards, free and commercial VPN and proxy servers, etc. However, most of these are inconvenient and require additional effort by users. Tor allows users to communicate anonymously over their existing Internet access using their own devices. It therefore supports anonymity without sacrificing convenience, and is one method to foster the privacy of larger parts of the population. For this reason, initiatives like the Library Freedom Project now run both public terminals with Tor clients and Tor Exit Nodes like ours.
4. Doesn't an anonymization network also support illegal network traffic?
We do not "support" any illegal traffic, but we know full well that some of the traffic going through our system will be illegal in some jurisdictions. We have no way of knowing which traffic this is, and aside from shutting down the whole system there is no way of stopping it. We believe that as long as we do not know of any illegal traffic in detail and do not actively encourage any such use, we are not liable or punishable. Illegal traffic is best combatted by shutting down servers providing illegal data/services or "following the trail of money".
5. Do the benefits outweigh the risks?
We firmly believe in the fundamental right to privacy in personal life and private communication between individuals, both for freedom of life choices and as a cornerstone of any democratic process. Therefore, we certainly see the benefits as far greater than potential risks such as communication towards illegal actions. Our point of view is consistent with the May 2015 Report on encryption, anonymity, and the human rights framework by the United Nations Human Rights Council (highlights are ours):
Summary
In the present report, submitted in accordance with Human Rights Council resolution 25/2, the Special Rapporteur addresses the use of encryption and anonymity in digital communications. Drawing from research on international and national norms and jurisprudence, and the input of States and civil society, the report concludes that encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.
...
V. Conclusions and recommendations
56. Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity. Because of their importance to the rights to freedom of opinion and expression, restrictions on encryption and anonymity must be strictly limited according to principles of legality, necessity, proportionality and legitimacy in objective. The Special Rapporteur therefore recommends the following.
A. States
57. States should revise or establish, as appropriate, national laws and regulations to promote and protect the rights to privacy and freedom of opinion and expression. With respect to encryption and anonymity, States should adopt policies of non-restriction or comprehensive protection, only adopt restrictions on a case-specific basis and that meet the requirements of legality, necessity, proportionality and legitimacy in objective, require court orders for any specific limitation, and promote security and privacy online through public education.
58. Discussions of encryption and anonymity have all too often focused only on their potential use for criminal purposes in times of terrorism. But emergency situations do not relieve States of the obligation to ensure respect for international human rights law. Legislative proposals for the revision or adoption of restrictions on individual security online should be subject to public debate and adopted according to regular, public, informed and transparent legislative process. States must promote effective participation of a wide variety of civil society actors and minority groups in such debate and processes and avoid adopting such legislation under accelerated legislative procedures. General debate should highlight the protection that encryption and anonymity provide, especially to the groups most at risk of unlawful interferences. Any such debate must also take into account that restrictions are subject to strict tests: if they interfere with the right to hold opinions, restrictions must not be adopted. Restrictions on privacy that limit freedom of expression — for purposes of the present report, restrictions on encryption and anonymity — must be provided by law and be necessary and proportionate to achieve one of a small number of legitimate objectives.
59. States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. Legislation and regulations protecting human rights defenders and journalists should also include provisions enabling access and providing support to use the technologies to secure their communications.
60. States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. In addition, States should refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users. Corporate actors should likewise consider their own policies that restrict encryption and anonymity (including through the use of pseudonyms). Court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals.
This is clearly an argument against mass surveillance without specific cause (data retention, "Vorratsdatenspeicherung"), and Tor is one technical approach to strengthen user anonymity and privacy, which should complement approaches in regulation and law. Austria has provided input to this report with the summary that "... this legislation does not foresee any restrictions on the use of encryption tools or tools to transact and communicate anonymously online".
6. Is it legal to run a Tor exit node in Austria?
We do believe so!
And we took some pains to make sure that this is actually the case. For instance, we applied for a permission according to the Telecommunications Act (§ 15 TKG) and insisted on receiving a negative reply (which we argued for in the application). In this way we ensured that such a permission is not a necessity for operating a Tor exit node.
As far as we currently know, no other laws exist that would prohibit operating such a node either; however, an explicit permission is absent too.
7. What risks do exist for users?
Risks for users are the same as for all other Tor exit nodes. For an accessible summary of known attack vectors to the Tor network, please refer to the article "Seeking Anonymity in an Internet Panopticon" by J. Feigenbaum and B. Ford (PDF preprint). We are not aware of any specific or increased risk, rather the traffic is going through the network of Austrian universities, which is comparatively busy, so it is "hiding" in a much larger volume of data and on much higher bandwidth lines than e.g. that of an individual person.
The only real risk for users is non-availability. We can and do make no guarantee at all that this exit node will always, round the clock, and infinitely be available. If it is, you are welcome to use it in any legal way you see fit, but do not complain if we (have to) shut it down.
8. What risks do exist for us as the operator?
In the worst case the police might impound all computers associated with this exit node. To reduce any potential problems this equipment (and only this!) is located in a separate room. Legal proceedings could be instituted against the university or personnel involved. However, this is a fully official research project under the direction of a full professor, so we also have the freedom of research on our side (apart from the general legal situation; see above!).
To reduce this risk we have contacted the local prosecution agencies and informed them about us running a Tor exit node. This is not legally required and might not help (the information would have to propagate to all persons potentially involved in such cases), but proactively "going public" is in our opinion a good first line of defense.
To avoid potential technical repercussions like blacklisting, the exit node uses an IP address separate from the university's and a separate DNS name.