I've received a subpoena from Cook County before regarding a site on Neocities. Related to Tor, actually. Easily the stupidest thing I've ever seen in my life.
The person that signed the subpoena was in the news for allegations of corruption, and so was her husband (it's called Crook County for a reason). They spelled the name of my company wrong (noahcities.com or something like that), and when I sent a letter to the designated agents requesting they fix it (I control neocities.org, not noahcities, how can I respond to legal requests addressed to a different web site?), they never responded, and the subpoena basically just died.
If they had followed up, they would have gotten a tor exit IP address somewhere outside of their jurisdiction (read: another country). I told them this before they filed it, and they told me "That decision is for someone above my pay grade, man". You can't spend 5 minutes to google for Tor because of your "pay grade"?
Oh, and they also love to put unlawful (but unfortunately, not illegal) gag orders in their subpoenas. I chose not to waste our lawyer's time (and our money) on this piece of trash, so we didn't make too big of a deal about it.
The take home lesson for me was that crooked regional governments abusing the subpoena system are just as big of a problem as the NSA, if not worse.
It's not good enough for the NSA, but it will prevent these idiots from ever figuring it out. And there's no US data retention laws for web sites, so it's completely legal.
This is textbook Neocities business philosophy. Instead of raising money to hire more lawyers and take the legal risk individually fighting bad John Doe subpoenas, we changed our code to make the data they can actually get worthless to them, so we can just serve them (if they're valid) while still protecting our users' privacy. If we get dragged into court over it, our liability insurance kicks in, we pay a (relatively) small deductible, and then we can use the precedent we set there to throw out any new cases for everybody with this problem, not just us. Way more sustainable.
Phase 2 is that I delete the hashes after a few months. I haven't gotten to it yet, but it's in the ticket tracker.
> You can't spend 5 minutes to google for Tor because of your "pay grade"?
I think this is often misunderstood as meaning something like:
"They don't pay me enough to do that"
wherein, in fact, in military / civil service, 'pay grade' is typically interchangeable with 'rank', so this means something like:
"I do not have the authority to make that decision."
In this case, you have an outcome you pretty clearly wanted the human you dealt with to reach. How much leeway would you like them granted to lead you to the opposite outcome?
How long will it take to hash all 4b ip addresses with your salt? I guess if you tune scrypt to 100ms, that would be 400m seconds, or about 100,000 hours of machine time. If you buy machine time at 1 cent per hour, that would be $1000, spread across 1000 machines it will take about 4 days total. Not good.
Log anonmimization is hard. I wonder if a probabilistic approach would be better, because it's deniable. Something like a bloom filter. You can tune the false positive rate to match that of a human admin making an error, so business impact is less pronounced.
Yet another option I'm thinking about is an external service that takes 32 bit IP address and returns a 256 bit handle, which you would then use for logging. The service would be rate-limited to prevent enumeration, so those 100k hours would have to be spent sequentially, turning 4 days into 4 thousand days.
Not good for a serious agency, but it stops the lower level ones that aren't going to do this.
We use these hashes to fight off spammers. A bloom filter won't do us any good because it will provide false positives.
An external service will be legally subject to subpoenas, so pawning it off doesn't solve the problem either.
You're right. Log anonymization is hard.
The only really good way to solve this is to throw this information away, which is also legal. Because of the spam considerations, we need this for now. I might decide it's not worth it though and just stop storing even these hashes.
> An external service will be legally subject to subpoenas, so pawning it off doesn't solve the problem either.
How about a distributed onion route of external corporations, such that N subpoena hops must be followed to get to an unhashed IP? Serious investigations would do the legwork required and catch a serious bad guy, but nuisance clowns would be stopped from going too far. Kind of like a legal scrypt().
Instead of services, it could just be a reciprocal arrangement where everybody participating holds some of everybody else's data.
You don't even have to chain them, you can execute requests to 128 different services in parallel, and then XOR the result to obtain a single IP address "handle" for logging purposes.
If your scheme becomes prevalent, someone will create a service that for $10k will brutforce $1k worth of hashed IP addresses. $10k and 4 days is comparable to a legal bill, so you're not deterring anyone, but the most casual snooper.
But if it isn't prevalent (which is likely to remain the case for the near future), and the regional agencies issuing subpoenas are technically pretty clueless (which I think they mostly are), then it will be effective. That's pretty near the best you can do, as long as you need to log IPs in some form for spam prevention.
Incidentally - a slightly more effective solution might be to put the 'did this IP visit recently' function in a secure microprocessor, rate limit it so it can't be bruteforced at more than a modest rate (in case of DDOS you can always temporarily stop using it), and throw away the keys to reprogram it. That really will stop everyone but the NSA, but it's about a million times more difficult and expensive...
> You can't spend 5 minutes to google for Tor because of your "pay grade"?
Do you think that kind of decision was up to the actual guy/gal you were interacting with? Genuine question, not rhetorical. I just ask because sometimes you get asked to do stuff at work that's silly, but it's easy and makes the guy/gal paying you happy, so you do it.
If it was a lawyer, they probably charged for the whole hour, right? Heh.
They know about Tor. Five years ago it was magic to most cops and all prosecutors. Today they have been educated, to some extent by people like me. They acknowledge that the exit node is a proxy. In years past they would have tried sending cops to the door to seize the server, or at least make some allegations.
That's why I do not think that they expect any results here. They expect nothing. They need nothing. They need a non-response to take things to the next step. That step is probably political. They want the bullet point about why criminals are getting away due to VPNs, Tor and other online nasties.
They may expect nothing, but that shouldn't keep them from asking. Lots of crimes that are solved are solved because of a random mistake or oversight. Maybe somebody used a 1-hop route, or something, who knows. They're just doing legwork.
Okay, reading the subpoena linked in the original article, it appears that Cook County, Illinois is trying to subpoena a company in Romania. IANAL, but I didn't think an entity in one country could compel anything of another entity in another country without getting the governments of both involved.
So, what was the point of this subpoena? Did a clerk somewhere fail to realize that Romania isn't even on the same continent, much less in the same country? Or is there legal mechanisms involved that I'm not aware of?
If a specific person were named, I could see that possibly happening if said person were to ever set foot in the US (or maybe just Illinois).
But a company? That brings in additional questions. Would not Cook County have to prove that the person to be held in contempt had been employed by the company in question at the time of the subpoena? Wouldn't they also have to prove that responding to the subpoena would have part of said persons duties at said company? For example, if I were employed by EuropeCo in 2014 as an engineer on their Foomatic line of widgets, and travelled to the US next month for a conference, I don't think it should be possible for me to be held in contempt of court because someone didn't respond to a subpoena regarding EuropeCo's Baritron service. Yes, it's a silly and contrived example, but hopefully you get the idea.
I'm pretty sure Cook County would need to show some sort of nexus in order to compel, eg that significant business is done by the Romanian company in Cook County. Otherwise, anyone could break any laws so long as they didn't live in the place where they're breaking the law.
As is, providing an anonymous an non-specific service to anyone doesn't really satisfy that.
FBI's Comey (crypto backdoor promoter) has just visited Romania calling for data retention laws after several such recent laws were declared unconstitutional. The FBI basically gave an ultimatum saying that if such laws aren't passed, then it could hurt the US-Romanian relationship. So the US is actively threatening/bullying other countries into adopting mass surveillance laws right now - or else!.
The ultimatum is also BS, because the US needs Romania more than ever in the Russian-Ukranian conflict (Romania is also one of the countries that has a missile shield against Russia, installed by the US). But I guess that's the level of diplomacy US enforces with most weaker countries (bullying).
The Romanian NSA sees the US NSA as some sort of mentor and tries to do whatever it gets told to strengthen that relationship. It's also very likely the NSA subsidizes/gives away its spying tech to countries such as Romania to make spying on its own citizens easier. Surveillance oversight is even weaker than in the US/UK.
Both Romania and Poland were accused of holding secret CIA prisons as well about a decade ago (likely true).
> So the US is actively threatening/bullying other countries into adopting mass surveillance laws right now - or else!.
A ploy which worked just fine against Australia (and our spineless luddite government). They probably didn't even need to threaten, just asked nicely and promised our Prime Minister a photo opportunity one day. </rant>
So do you think federal subpoenas from the US to Romania would get honored, then? Like, if the FBI subpoenas for this same information, would the Romanian federal government enforce it?
Or would they not even bother to subpoena, and just get the information through back channels (i.e. not documented, not official)?
Title would be better as "Exit Node" and based on what I know, this isn't altogether uncommon. A relay-only node receiving a subpoena would be novel as far as I know.
Yes exactly, I was alarmed by the HN title, but then the link content was pretty usual. Tor is not broken, fiew :).
That said I'm pretty curious to see the answer of the administration to the answer of the exit node admin explaining what is Tor and why he can't help them.
Maybe. The IP address that is referenced in the subpoena (12.218.239.38) is the IP address of cookcountyboardofreview.com. Maybe that box got hacked and it had access to some big cook county DMZ?
Sounds like an inside job to me. Why would a 'hacker' file false unemployment claims for government employees? I bet one of these filings is the person who filed-- and the rest are just noise to cover their tracks.
I ran a Tor exit node for about nine months and only ever had two complaints sent to me. Both were for people performing some form of hacking through my exit node. I responded to both with a form letter, and that was that. Granted it was a low bandwidth exit node.
I hear US-based nodes get more legal attention because of the DMCA, but I can't comment on that as mine was based in Romania as well.
Give them some credit. By this they are acknowledging the concept of a proxy. Compared to most, this request does a reasonable job of describing what they have and what they want efficiently. They aren't asking for everyone connected at the time. They aren't asking for 'any and all' records. They are asking for one connection record and are providing reasonable information on their end to facilitate. The diagram is a reasonable and, considering the source, a novel means of conveying the vital data.
The fact that the connection record doesn't exist, or if it does would be virtually useless, should not take away from the reasonableness of the request. "We don't have such records" is a legitimate response.
The person that signed the subpoena was in the news for allegations of corruption, and so was her husband (it's called Crook County for a reason). They spelled the name of my company wrong (noahcities.com or something like that), and when I sent a letter to the designated agents requesting they fix it (I control neocities.org, not noahcities, how can I respond to legal requests addressed to a different web site?), they never responded, and the subpoena basically just died.
If they had followed up, they would have gotten a tor exit IP address somewhere outside of their jurisdiction (read: another country). I told them this before they filed it, and they told me "That decision is for someone above my pay grade, man". You can't spend 5 minutes to google for Tor because of your "pay grade"?
Oh, and they also love to put unlawful (but unfortunately, not illegal) gag orders in their subpoenas. I chose not to waste our lawyer's time (and our money) on this piece of trash, so we didn't make too big of a deal about it.
The take home lesson for me was that crooked regional governments abusing the subpoena system are just as big of a problem as the NSA, if not worse.
So, now you know the story behind this commit http://github.com/neocities/neocities/commit/4983a9b24eac00b...
It's not good enough for the NSA, but it will prevent these idiots from ever figuring it out. And there's no US data retention laws for web sites, so it's completely legal.
This is textbook Neocities business philosophy. Instead of raising money to hire more lawyers and take the legal risk individually fighting bad John Doe subpoenas, we changed our code to make the data they can actually get worthless to them, so we can just serve them (if they're valid) while still protecting our users' privacy. If we get dragged into court over it, our liability insurance kicks in, we pay a (relatively) small deductible, and then we can use the precedent we set there to throw out any new cases for everybody with this problem, not just us. Way more sustainable.
Phase 2 is that I delete the hashes after a few months. I haven't gotten to it yet, but it's in the ticket tracker.