Re: 20090101... - Denmark
Eugen Leitl wrote:

Data retention law has just been passed in Germany. Here's the list of who voted how http://www.bundestag.de/parlament/plenargeschehen/abstimmung/20071109_teleueberwach.pdf

This will be contested as unconstitutional, but in case it becomes law all Tor operators are required by law to start logging 20090101. Similar applies to the entire EU, but the dates and details might differ.

The details indeed do differ :-)

In Denmark, the implementation of the EU-directive (which is called 'logningsbekendtgørelsen') is not bad news for Tor-operators. If you have a Tor-server in Denmark, you don't have to log *anything*! I have this in writing (from something called IT- og Telestyrelsen), if anybody is interested.

Regarding the Danish 'version' of Vorratsdatenspeicherung ('logningsbekendtgørelsen'), you only have to log data that you /know/. That means, if you e.g. have an open access point, then normally you do not know which physical persons have a specific IP-address, and therefore you do not have to log that. If you are non-commercial (as Tor-operators normally are), then you do not have to log *anything*. That means a private open access point does not have to register anything.

So if you want to host a Tor-server somewhere in Denmark, feel free to contact me by e-mail if I can be of any help.

--
Regards
Georg Sluyterman
Re: 20090101 (log data)
On Sun, Nov 11, 2007 at 11:46:07AM -0500, Hans S. wrote:

TOR Admin (gpfTOR1) wrote:

I will try it for email (fon, mobile and sms may be nearly like this):

For mobile calls and SMS messages, the cell location of the caller/sender at the beginning of the call must be recorded.

Please take a look at: (0) The Treaty (choose #185), english, french

The treaty (0) is concerned about what they call mutual assistance in fighting computer related crime and the usual paedorist stuff. The treaty itself is absolutely horrifying and has effects much further than Germany and Europe, reaching out to the US and elsewhere. Article 20 and 21 are interesting, they might be the reason for our law.

They could be understood as recording traffic / content data on demand, not collect / store everything by default and keep it for queries about the past. Wouldn't a law that compels ISPs to start to record data about a particular user when the police asks it (with a court order or otherwise vetted order) fulfil that treaty?

--
Lionel
Re: 20090101 (log data)
On Mon, Nov 12, 2007 at 08:12:35PM +0100, linux wrote:

do you know what is a timestamp in terms of this law? today, 11pm

2: anon server: In my opinion, an anon server has to log every replacement of a sender ID by his own ID and the time stamp of this replacement. Tor replaces the IP-address, so we have to log a time stamp and the source IP for every connection. (That's my private opinion.)

What they ask for email is stupid. Every one will go to a server which is not in the EU. But still I will keep some email account in the EU and enter this address everywhere where I expect to get spam from.

No, alas, no. I think most people will stay with servers and the EU, so your email to/from them will be in the system. Although maybe not in a form that is convenient for the authorities to query (they have to mass-send requests to several ISPs...).

Another solution is using your *own* server. That would be kinda funny... Have the police call you to get logs about you.

PS: what happens if the logged data is lost by accident? If the Bundeswehr loses data why not me?

Because you are criminally liable for it and they don't? More seriously, I suppose that if they actually believe you when you say it is an accident and you show that you took appropriate precautions (off-site backups, ...), then they will not make you (big) problems. There is “lost by accident” and “lost by “accident””. Not entirely the same.

--
Lionel
Re: 20090101
Thus spake Smuggler ([EMAIL PROTECTED]):

Olaf Selke wrote:

Eugen Leitl wrote:

On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:

nothing will change for German tor operators due to this law. It defines how to store and how to hand over stored data to the authorities. Data not collected at all can't be stored, right?. But this law does not enforce tor operators to collect any data.

Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear, right?

right!

Wrong. I read the law. My lawyers read the law. It doesn't say: Store the data you have. It says: Store these specific datasets, no matter if you have them or not. The comments in the Regierungsentwurf are very telling. So, I am sorry. Tor nodes will have to log. ISPs will have to log. Everyone doing public telco services will have to log.

Actually, out of curiosity do your lawyers believe that upstream/backbone/IX ISPs will also be required to log (and to log the same type of data)? That would seem to be a lot of data.. Not to mention that upstream ISPs will not have customer information for IP addresses. It would seem to me that Tor nodes are much more similar to backbone routers than consumer ISPs.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: 20090101
Mike Perry wrote:

Thus spake Smuggler ([EMAIL PROTECTED]):

Olaf Selke wrote:

Eugen Leitl wrote:

On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:

nothing will change for German tor operators due to this law. It defines how to store and how to hand over stored data to the authorities. Data not collected at all can't be stored, right?. But this law does not enforce tor operators to collect any data.

Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear, right?

right!

Wrong. I read the law. My lawyers read the law. It doesn't say: Store the data you have. It says: Store these specific datasets, no matter if you have them or not. The comments in the Regierungsentwurf are very telling. So, I am sorry. Tor nodes will have to log. ISPs will have to log. Everyone doing public telco services will have to log.

Actually, out of curiosity do your lawyers believe that upstream/backbone/IX ISPs will also be required to log (and to log the same type of data)? That would seem to be a lot of data.. Not to mention that upstream ISPs will not have customer information for IP addresses. It would seem to me that Tor nodes are much more similar to backbone routers than consumer ISPs.

No, upstreams/backbones etc don't have to log. Only parties generating traffic data in the first place (dialup) and parties changing traffic data (Tor) have to store.
Re: 20090101
Thus spake Smuggler ([EMAIL PROTECTED]):

Olaf Selke wrote:

Eugen Leitl wrote:

On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:

nothing will change for German tor operators due to this law. It defines how to store and how to hand over stored data to the authorities. Data not collected at all can't be stored, right?. But this law does not enforce tor operators to collect any data.

Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear, right?

right!

Wrong. I read the law. My lawyers read the law. It doesn't say: Store the data you have. It says: Store these specific datasets, no matter if you have them or not. The comments in the Regierungsentwurf are very telling. So, I am sorry. Tor nodes will have to log. ISPs will have to log. Everyone doing public telco services will have to log.

Oh, and I'm also wondering about redundancy. If I run a Tor node in Germany is it the case that I have to log, AND my ISP has to log, AND their colo provider has to log, AND the upstream ISP has to log, AND the IX has to log all the same data? Is there any division of responsibility? Or will there be like 5-10 copies of the same connection data floating around everywhere?

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: 20090101
On Wed, Nov 14, 2007 at 11:59:43AM -0800, Mike Perry wrote:

Oh, and I'm also wondering about redundancy. If I run a Tor node in Germany is it the case that I have to log, AND my ISP has to log, AND their colo provider has to log, AND the upstream ISP has to log, AND the

That would be interesting to know. I think I'll ask my provider (Hetzner) whether they'll have to log, or whether they feel commercial entities they're hosting have to log themselves.

IX has to log all the same data? Is there any division of responsibility? Or will there be like 5-10 copies of the same connection data floating around everywhere?

There will be definitely a redundancy, imo. Also, Tor server is privy to more information than the ISP which hosts it. The question is, whether the law can be interpreted in such a way (I presume it will be milked for all that it is worth).

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: 20090101 (log data)
(Disclaimer: I'm not doing it, nor will I ever do it, so raiding my place is completely pointless; and once you've ruined my life sufficiently, you and yours will pay dearly, and in person).

Not think you're being a tad melodramatic there?
Re: 20090101
Hi,

SI VIS PACEM, PARA BELLUM

Bad idea. Right now we're not criminals, and can even convince the interested public of that. If we'd start shooting back we would lose public support. Which is the factor that will decide this war.

Plus, it would never really work. Antivirus software would need days - at the most - to detect and disable tor. And we just don't have the resources to find new methods of spreading tor, like the big spammers and botnets constantly do.

I agree. But what about building Tor server and client into popular P2P clients?

bye, Matej
Re: 20090101
Matej Kovacic wrote:

I agree. But what about building Tor server and client into popular P2P clients?

There is a project to spread out Tor by pre-configured DSL-modem/WLAN-router. http://wiki.freunde-der-freiheit.de/index.php/TOR-Campaign They have a mailing list. I do not know, if a router was running now.
Re: 20090101 (log data)
Hello

I just hardly can't believe it what I am hearing about this. From what I get, it sounds like a full on assault on privacy and free speech, the things that make the internet good, has begun. I am very sorry to hear the news and am very upset for everybody, especially those in Europe where this seems to be starting. Am I to believe from the foregoing that potentially having to surrender a Tor servers logs (that do not compromise much) will actually make Tor server operators criminals because they don't reveal enough?

Algenon
Re: 20090101 (log data)
On Nov 12, 2007 3:15 AM, algenon flower [EMAIL PROTECTED] wrote:

Hello

I just hardly can't believe it what I am hearing about this. From what I get, it sounds like a full on assault on privacy and free speech, the things that make the internet good, has begun. I am very sorry to hear the news and am very upset for everybody, especially those in Europe where this seems to be starting. Am I to believe from the foregoing that potentially having to surrender a Tor servers logs (that do not compromise much) will actually make Tor server operators criminals because they don't reveal enough?

Algenon

Another issue here is that surrendering the logs will actually have the potential to compromise much. It would allow timing attacks to become very trivial for the government to carry out. And the Tor operators will only be criminals if they do not have the data to surrender to the government when it is requested.

Kasimir

--
Kasimir Gabert
Re: 20090101 (log data)
Andrew wrote:

Marko Sihvo wrote:

Eugen Leitl wrote:

Yes, I agree, ordinarily this is morally despicable, but this is war, and we haven't started it.

SI VIS PACEM, PARA BELLUM

Bad idea. Right now we're not criminals, and can even convince the interested public of that. If we'd start shooting back we would lose public support. Which is the factor that will decide this war.

Fighting this war with volunteers would be the honorable way... Of course... But if that won't do it... Maybe there are other options...
Re: 20090101 (log data)
On Sunday 11 November 2007 10:43, TOR Admin (gpfTOR1) wrote:

do you know what is a timestamp in terms of this law? today, 11pm

2: anon server: In my opinion, an anon server has to log every replacement of a sender ID by his own ID and the time stamp of this replacement. Tor replaces the IP-address, so we have to log a time stamp and the source IP for every connection. (That's my private opinion.)

does tor really change the packets 1 by 1? or is it that data comes in, is buffered and then sent with other data to a different tor server (middle man). If yes then tor middlenode does not offer any public service where you replace an ID by an other. (Whatever you mean by ID) exit nodes still can be run outside europe. I will quit from my german server provider and get one somewhere else asap.

What they ask for email is stupid. Every one will go to a server which is not in the EU. But still I will keep some email account in the EU and enter this address everywhere where I expect to get spam from.

Greetings

PS: what happens if the logged data is lost by accident? If the Bundeswehr loses data why not me?
Re: 20090101 (log data)
Timing attacks can be done only with accurate data. What if my server has a wrong time or its clock is changing speed randomly or ... I think some more clever people than me will come up with an idea soon. I am sure tor developers will soon improve tor.

We should of course do a lot in fighting this law but we should do more in improving tor. Promote tor or the idea of anonymous web access in universities. Why should it not be cool to make a masters degree in improving anonymity? Why not create an overnet where your IP address is only seen when you log in to the overnet but what you do inside is hidden.

I have big hope in the smart guys and girls around us :) (I do not talk about the a***oles in the government)

Greetings
Re: 20090101 (log data)
On Nov 12, 2007 12:13 PM, linux [EMAIL PROTECTED] wrote:

Timing attacks can be done only with accurate data. What if my server has a wrong time or its clock is changing speed randomly or ... I think some more clever people than me will come up with an idea soon. I am sure tor developers will soon improve tor.

We should of course do a lot in fighting this law but we should do more in improving tor. Promote tor or the idea of anonymous web access in universities. Why should it not be cool to make a masters degree in improving anonymity? Why not create an overnet where your IP address is only seen when you log in to the overnet but what you do inside is hidden.

I have big hope in the smart guys and girls around us :) (I do not talk about the a***oles in the government)

Greetings

The Overnet idea seems a tad silly. If connections in between servers need to be logged, I do not think the requirement of logging would change were the connections to be for the Overnet or for the Internet.

And I honestly do not see a problem with engaging in illegal activities to ensure the anonymity of Tor users. What the government is doing is illegal by any decent rational standards, and it will [hopefully] never come to the level of abuse against us that Gandhi and other active peaceful resisters were subjected to in order to achieve their ends, so it is unlikely that standing on the sidelines and shouting that more people need to join Tor will accomplish much.

Kasimir

--
Kasimir Gabert
Re: 20090101 (log data)
On Mon, Nov 12, 2007 at 01:13:23PM -0700, Kasimir Gabert wrote:

The Overnet idea seems a tad silly. If connections in between servers

I don't know how well hidden services and current Tor codebase scales, but having an anonymous communication space is certainly worthwhile, even if read-only. Do hidden wikis see much defacement, currently?

need to be logged, I do not think the requirement of logging would change were the connections to be for the Overnet or for the Internet.

Not all Tor hosts log, and cooperation between different legal compartments is much less than within e.g. US and EU. The average network bandwidth and latency are likely to get much better in future, so the number of hops in a circuit can be adaptively increased to make attack much more difficult, logs or no.

And I honestly do not see a problem with engaging in illegal activities to ensure the anonymity of Tor users. What the government is doing is illegal by any decent rational standards, and it will

I agree -- but so far there's no need for it yet. As others have correctly stated we need to stay in full compliance of the law (as long as that law is not unconstitutional), to not put public support into jeopardy. Once however such illegal retention laws have been passed, then only outlaws will have anonymity.

[hopefully] never come to the level of abuse against us that Gandhi and other active peaceful resisters were subjected to in order to achieve their ends, so it is unlikely that standing on the sidelines and shouting that more people need to join Tor will accomplish much.

As your attorney, I advise you to rent a very fast car with no top, and to not discuss such issues with anybody else you don't trust absolutely.

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: 20090101 (log data)
On Nov 12, 2007 1:26 PM, Eugen Leitl [EMAIL PROTECTED] wrote:

On Mon, Nov 12, 2007 at 01:13:23PM -0700, Kasimir Gabert wrote:

The Overnet idea seems a tad silly. If connections in between servers

I don't know how well hidden services and current Tor codebase scales, but having an anonymous communication space is certainly worthwhile, even if read-only. Do hidden wikis see much defacement, currently?

need to be logged, I do not think the requirement of logging would change were the connections to be for the Overnet or for the Internet.

Not all Tor hosts log, and cooperation between different legal compartments is much less than within e.g. US and EU. The average network bandwidth and latency are likely to get much better in future, so the number of hops in a circuit can be adaptively increased to make attack much more difficult, logs or no.

You are definitely correct, I apologize. Only when data is retained across the world will hidden services not continue to provide the anonymity that is currently provided... assuming of course that the Tor servers are not all German. It would be easily possible for the government if the hidden server is German to track the connection from a German user to it, however (after this law).

And I honestly do not see a problem with engaging in illegal activities to ensure the anonymity of Tor users. What the government is doing is illegal by any decent rational standards, and it will

I agree -- but so far there's no need for it yet. As others have correctly stated we need to stay in full compliance of the law (as long as that law is not unconstitutional), to not put public support into jeopardy. Once however such illegal retention laws have been passed, then only outlaws will have anonymity.

That is true, and we all do have until 20090101 to produce a solution. It would be bad, however, to lose anonymity for Germans for even a few days after that date, especially because Germans, as a whole, seem to be requiring it more and more lately.

[hopefully] never come to the level of abuse against us that Gandhi and other active peaceful resisters were subjected to in order to achieve their ends, so it is unlikely that standing on the sidelines and shouting that more people need to join Tor will accomplish much.

As your attorney, I advise you to rent a very fast car with no top, and to not discuss such issues with anybody else you don't trust absolutely.

Thank you. Or I should start using Tor... let's see... I need a good name :)

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

--
Kasimir Gabert
Re: 20090101
Eugen Leitl wrote:

On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:

nothing will change for German tor operators due to this law. It defines how to store and how to hand over stored data to the authorities. Data not collected at all can't be stored, right?. But this law does not enforce tor operators to collect any data.

Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear, right?

right!

Wonder why they've been whining, then. I wonder why I went demonstrating for the first time in my life, in the freezing sleet, with a bad cold.

they have to spend a lot of money for that kind of nonsense. That really hurts. Do you expect companies do care for free speech or human rights? They only care for profit.

regards, Olaf
Re: 20090101
Olaf Selke wrote:

Eugen Leitl wrote:

On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:

nothing will change for German tor operators due to this law. It defines how to store and how to hand over stored data to the authorities. Data not collected at all can't be stored, right?. But this law does not enforce tor operators to collect any data.

Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear, right?

right!

Wrong. I read the law. My lawyers read the law. It doesn't say: Store the data you have. It says: Store these specific datasets, no matter if you have them or not. The comments in the Regierungsentwurf are very telling. So, I am sorry. Tor nodes will have to log. ISPs will have to log. Everyone doing public telco services will have to log.

Wonder why they've been whining, then. I wonder why I went demonstrating for the first time in my life, in the freezing sleet, with a bad cold.

they have to spend a lot of money for that kind of nonsense. That really hurts. Do you expect companies do care for free speech or human rights? They only care for profit.

Actually, some companies do care for free speech and human rights. Mine does. Which is why it leaves Germany now for more free ground.
Re: 20090101
On Sun, 11 Nov 2007 09:03:19 + Smuggler [EMAIL PROTECTED] wrote: It says: Store these specific datasets since i'm italian and i don't know your language, i'm curious about which data must be retained by each service. Could you list them, in english? greetings
Re: 20090101 (log data)
On Sun, 11 Nov 2007 10:43:03 +0100 TOR Admin (gpfTOR1) [EMAIL PROTECTED] wrote: I will try it for email (fon, mobile and sms may be nearly like this): thank you ;-)
Re: 20090101 (log data)
Hi, TOR Admin (gpfTOR1) wrote: I will try it for email (fon, mobile and sms may be nearly like this): For mobile calls and SMS messages, the cell location of the caller/ sender at the beginning of the call must be recorded. Pretty ugly, IMHO. Marco
Re: 20090101
-Original Message-
From: or-talk@freehaven.net
Sent: 10.11.07 06:38:52
To: or-talk@freehaven.net
Subject: Re: 20090101

On Friday, 9 November 2007, Eugen Leitl wrote:

On Fri, Nov 09, 2007 at 07:42:46PM +0100, Valen MacLeod wrote:

Does that now mean that I have to log this if I want to run a TOR server?

Not yet. A lot of things can and will change until 1. January 2009, and I would definitely look for an official legal interpretation before you pick between your three choices of what to do (or not to do).

What are the most friendly jurisdictions for anonymizing services? I was thinking about Russia, but it's probably not cheap to rent a server there. Any Russian Tor operators here?

The Germans on this list can participate in a Verfassungsbeschwerde (constitutional complaint?) here: http://www.vorratsdatenspeicherung.de/content/view/51/70/

Martin

--
Dr. Martin Senftleben, Ph.D. (S.V.U.)
http://www.drmartinus.de/
http://www.daskirchenjahr.de/

--

Several weeks ago I registered a Tor exit node (123Tor). I thought it's a good thing for privacy. After reading the mailing lists I was really extremely shocked about the arrested Tor-Server admins and other things. The result was I'm shutting down my exit-node immediately. After that I'm assume that Tor is needed in the free world, so I set up a new node (arachne) on a debian linux box as middleman.

Living in Germany can be very hard. First the Hackerparagraph and now the Vorratsdatenspeicherung. Because of this I've just signed in the list.

Greetings
Rüdiger
Re: 20090101 (log data)
Original Message From: Marco Gruss [EMAIL PROTECTED] Apparently from: [EMAIL PROTECTED] To: or-talk@freehaven.net Subject: Re: 20090101 (log data) Date: Sun, 11 Nov 2007 16:27:39 +0100 Hi, TOR Admin (gpfTOR1) wrote: I will try it for email (fon, mobile and sms may be nearly like this): For mobile calls and SMS messages, the cell location of the caller/ sender at the beginning of the call must be recorded. Pretty ugly, IMHO. Marco Hi, the big, but yet not loud enough protests in Germany about these new laws do imho relate to the fact that there are much older laws. These protected exactly against the use of grids of databases concerning citizens, the obligation to deliver data to authorities and to to create grids with for good reasons separate data for authorities. So the big They create new laws explicitely enforcing what was prohibited yesterday. How successfull or actually working that was in daily life is another question. Deep trust in promotional and mass manipulating abilities make me believe that in a not too far future all these doings may be socially anticipated by the majority and accepted as necessary. Reasons? The usual. Paedorists. To my knowledge not all (or only few) of states have or ever had this 'limited ability' in treating their citizens data. Of course there also are a few with a higher valency of human rights. There is a background to what has happened in DE right now, also concerning our friends from Suomi (hope that's right) as well as people (friends, too, of course;) from Italy and presently 48 other States. The bigger picture appears to be the so called Convention on Cybercrime, which our beloved goverment (DE) wishes to ratify. Please take a look at: (0) The Treaty (choose #185), english, french (1) The list of states involved, english (2) Is where I found (1), german. 
(3) Foebud's website, german As obvious and natural members of a Council of Europe, the US, Japan, Azerbaijan, Turkey, South-Africa and others are also supposed to, are about to, or already have ratified the mentioned paper. Moving servers to Russia ? See list. (although the Russians didn't even care to sign it, yet ...) The treaty (0) is concerned about what they call mutual assisstance in fighting computer related crime and the usual paedorist stuff. The treaty itself is absolutely horrifying and has effects much further than Germany and Europe, reaching out to the US and elsewhere. Article 20 and 21 are interesting, they might be the reason for our law. The german gov. and others simply shift the costs of getting and storing data essential for the intended surveillance. According to the treaty the goverments are obliged to somehow get hold of tha data. So they make a law forcing isp's and other service providers to do so. Awfully simple. Read Article 23 and further about international co-operation agreements. According to this, telco data can and shall be made available to authorities of the enlisted states on request and spontanously for the purpose of criminal investigation. Hurray. So far, so bad, but even worse, data then will leave the originating legislation. Of course will, lets say the Ukrainian police obey e.g german law how long to store and how to use or where to pass data to. (I do not have any problems with or about Ukrania or Ukranians, just an example.) So, what happens, if data becomes to be very easily available to states who never really cared about such odd things like civil rights? Welcome to an international legal marketplace for telco data. With a little phantasy we might imagine yottabytes (really much) of logs being analyzed by whoever wants to, profiling of individuals and tracking just about anything in communication, and this on a pretty much international scale. Every day. Is that new? No, but new in that extent. 
Some people might end up in Guantanamo or some other weirdo's prison without ever knowing what actually hit them. Nowadays mere suspicion is enough, we have learned. Quite a nightmare. As soon as this law in Germany comes into force on 01.01.2009 Tor-ops _may_ have to hand over logs on request. It does not criminalize operators of a node. Tor's purpose is to provide anonymous access to the net. Period. So how much this analyzing of nodes will break anonymity is the interesting part... I personally begin to look around for places to set up my node (and myself;) in other parts of the world. Suggestions are welcome. Regards Hans
(0) http://conventions.coe.int/Treaty/Commun/ListeTraites.asp?CM=8CL=ENG
(1) http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185CM=DF=CL=ENG
(2) http://www.tecchannel.de/pc_mobile/news/1738342/
(3) http://www.foebud.org/datenschutz-buergerrechte/vorratsdatenspeicherung/weitergabe-von-kommunikationsprofilen
Re: 20090101 (log data)
On Sun, Nov 11, 2007 at 11:46:07AM -0500, Hans S. wrote: I personally begin to look around for places to set up my node (and myself;) in other parts of the world. When you do this, make sure that the server/IP is not registered to you personally, and make sure the means of payment are not traceable to you (cash is good). Offshoring is also possible, but unfortunately expensive. The thing with Russia (or China) is that authorities there completely ignore massively illegal operations like RBN (of course their SIGINT guys may still monitor it, they just don't act on the intelligence), so with that kind of operator nobody would frown at hosting a Tor exit. Apart from that my (as always, purely personal, and rather unpopular) opinion is that once operating Tor without logs has been made illegal, then it's time for no more Mr. Nice Guy, and let's see how the authorities will deal with a global StormTor network of a million nodes, all exit. The advantage of malware-vectored Tor is that it's self-propagating/self-hosting, and it also boosts the number of users by forcing all traffic on infected machines through Tor, transparently for the end user. It will be slightly slower, but the fraction of malicious exits will be negligible. Yes, I agree, ordinarily this is morally despicable, but this is war, and we haven't started it. (Disclaimer: I'm not doing it, nor will I ever do it, so raiding my place is completely pointless; and once you've ruined my life sufficiently, you and yours will pay dearly, and in person). -- Eugen* Leitl http://leitl.org ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: 20090101 (log data)
Eugen Leitl wrote: Yes, I agree, ordinarily this is morally despicable, but this is war, and we haven't started it. I agree... Acting like a saint will end up in the death of anonymity and free communications... Welcome to the real world... SI VIS PACEM, PARA BELLUM
Re: 20090101 (log data)
Marko Sihvo wrote: Eugen Leitl wrote: Yes, I agree, ordinarily this is morally despicable, but this is war, and we haven't started it. SI VIS PACEM, PARA BELLUM Bad idea. Right now we're not criminals, and can even convince the interested public of that. If we'd start shooting back we would lose public support. Which is the factor that will decide this war. Plus, it would never really work. Antivirus software would need days - at the most - to detect and disable tor. And we just don't have the resources to find new methods of spreading tor, like the big spammers and botnets constantly do. No, the only way this fight can be won is by winning public opinion.
Re: 20090101
On Friday, 09.11.2007, at 16:25 +0100, Eugen Leitl wrote: No, there's a clemency period until 20090101. Whether you want to log afterwards, or shut down your node is every operator's personal decision. Does anyone have an idea of the size of these log files? I try to estimate how much data we will collect in half a year and how useful they are for breaking anonymity... Will we need the stream data? As far as I see in the new §113a TKG [*] we don't have to log the whole circuit data. We just have to log which nodes connect to our node and which IP-address we give this connection (that's the IP-address of our own node, so we have to log this only once). The IP-address of the next node is not required. Max (*) http://www.bmj.bund.de/files/-/2047/RegE%20TK%DC.pdf §113a (6) Anyone who provides telecommunications services and in doing so alters the data to be stored under this provision is obliged to store the original and the new data as well as the time at which this data was rewritten, by date and time of day, stating the underlying time zone.
RE: 20090101
They will not just ask you for the logfiles. YOU will have to find out which ip-address was routed on your server on a more-or-less specific timewindow in the last 6 months and with which ip-address the data was forwarded to the next router. If you can not provide this information you will be charged by law. In my opinion, as a tor-operator you will not be punished for the maximum years of imprisonment or the highest money fee possible ... but it could be hard enough if you have a previous conviction in your police file stating you to be involved in computer crime and a possible terrorist :-( And yes, they of course put some terms into the TKG to whom the information is available: To fulfil their statutory duties, a large number of bodies have access to this subscriber data (§§ 112, 113 TKG): courts, law enforcement authorities, federal and state police enforcement authorities for the purpose of averting danger, the Customs Criminal Office and the customs investigation offices for the purposes of criminal proceedings, the Customs Criminal Office for preparing and carrying out measures under § 39 of the Foreign Trade and Payments Act, the federal and state offices for the protection of the constitution, the Military Counterintelligence Service, the Federal Intelligence Service, emergency call answering points, the Federal Financial Supervisory Authority, the customs administration for combating undeclared work. (found at http://www.vorratsdatenspeicherung.de/content/view/78/86/lang,de/#Umsetzung_in_Deutschland) Sorry for not translating the German text, but perhaps you can see that it is not only one institution and not only courts ... There are really bad times coming up in Germany ... regards, Alexander Bernhard -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Danielsson Sent: Saturday, November 10, 2007 12:59 PM To: or-talk@freehaven.net Subject: Re: 20090101 Max Berger wrote: [---] As far as I see in the new §113a TKG [*] we don't have to log the whole circuit data.
We just have to log which nodes connect to our node and which IP-address we give this connection (that's the IP-address of our own node, so we have to log this only once). The IP-address of the next node is not required. I assume that they made sure to put one, or more, "make available to the state" clause in there? If not, I'm just wondering how they'd react if I do log (as required), and if they want the logs, I send them a tor.20080101-20100101.logs.tar.bz.gpg.good_luck. -- Kind regards, Jan Danielsson
Re: 20090101 (space for log data)
Our measurement for space of log data (because there was a question for it):
server traffic (mean): 2.000 KB/s
log data for one week: 200 GByte
after removal of some useless strings: 120 GByte
compressed and encrypted: 20 GByte
for 26 weeks: approx. 500 GByte
This is very much for our server. But we hope we do not have to log.
Re: 20090101
I assume that they made sure to put one, or more, "make available to the state" clause in there? Of course! If not, I'm just wondering how they'd react if I do log (as required), and if they want the logs, I send them a tor.20080101-20100101.logs.tar.bz.gpg.good_luck. German: §113 a (9) Die Speicherung der Daten nach den Absätzen 1 bis 7 hat so zu erfolgen, dass Auskunftsersuchen der berechtigten Stellen unverzüglich beantwortet werden können. English: You have to store the logs in a way that you can hand them over immediately. But it is not clear which data to store yet. We will see. Christoph.
Re: 20090101
Alexander Bernhard wrote: They will not just ask you for the logfiles. YOU will have to find out which ip-address was routed on your server on a more-or-less specific timewindow in the last 6 months and with which ip-address the data was forwarded to the next router. If you can not provide this information you will be charged by law. In my opinion, as a tor-operator you will not be punished for the maximum years of imprisonment or the highest money fee possible ... but it could be hard enough if you have a previous conviction in your police file stating you to be involved in computer crime and a possible terrorist :-( When freedom is terrorism, only terrorists have freedom. If this ever comes into the law in Finland, I promise to set up a Tor middleman and log _nothing_. Let them put me in prison, if they have the balls to do it.
Re: 20090101
On Fri, Nov 09, 2007 at 03:59:44PM CET, you (Eugen Leitl) wrote: This will be contested as unconstitutional, but in cases it will become law all Tor operators are required by law to start logging 20090101. 20080101 :(
Re: 20090101
Eugen Leitl wrote: This will be contested as unconstitutional, but in cases it will become law all Tor operators are required by law to start logging 20090101. nope, from my understanding this is not the case. Telco operators are required to store data they already collect, for a certain period of time. But this law doesn't require to collect any data at all. So for German Tor operators nothing is going to change since there's nothing to store. regards, Olaf
Re: 20090101
On Fri, Nov 09, 2007 at 04:13:46PM +0100, Peter Kornherr wrote: On Fri, Nov 09, 2007 at 03:59:44PM CET, you (Eugen Leitl) wrote: This will be contested as unconstitutional, but in cases it will become law all Tor operators are required by law to start logging 20090101. 20080101 :( No, there's a clemency period until 20090101. Whether you want to log afterwards, or shut down your node is every operator's personal decision. -- Eugen* Leitl
Re: 20090101
On Fri, Nov 09, 2007 at 04:20:00PM +0100, Olaf Selke wrote: nope, from my understanding this is not the case. Telco operators are required to store data they already collect, for a certain period of time. But this law doesn't require to collect any data at all. So for German Tor operators nothing is going to change since there's nothing to store. No, this is not correct. You have to log connection info, and anonymisation services are explicitly mentioned in the new bill. Let's hope Karlsruhe will strike it down. -- Eugen* Leitl
Re: 20090101
Eugen Leitl wrote: On Fri, Nov 09, 2007 at 04:20:00PM +0100, Olaf Selke wrote: nope, from my understanding this is not the case. Telco operators are required to store data they already collect, for a certain period of time. But this law doesn't require to collect any data at all. So for German Tor operators nothing is going to change since there's nothing to store. No, this is not correct. You have to log connection info, and anonymisation services are explicitly mentioned in the new bill. which paragraph are you referring to? §113a TKG doesn't require to collect any data. It just requires to store already collected data for at least six months: §113a TKG Anyone who provides publicly available telecommunications services for end users is obliged to store the traffic data generated or processed by him in the use of his service, in accordance with paragraphs 2 to 5, for six months within Germany or in another member state of the European Union. regards, Olaf
Re: 20090101
On Fri, Nov 09, 2007 at 04:47:11PM +0100, Olaf Selke wrote: which paragraph are you referring to? §113a TKG doesn't require to collect any data. It just requires to store already collected data for at least six months: §113a TKG Anyone who provides publicly available telecommunications services for end users is obliged to store the traffic data generated or processed by him in the use of his service, in accordance with paragraphs 2 to 5, for six months within Germany or in another member state of the European Union. http://www.bmj.bund.de/files/-/2047/RegE%20TK%DC.pdf http://www.heise.de/newsticker/foren/go.shtml?read=1msg_id=13859936forum_id=127012 If the draft adopted today goes through, the anonymization services based in Germany are affected as well. All Tor or other nodes must log the source and destination address of the IP translation. Cf. the government draft (RegE), page 166, on § 113a para. 6 TKG-E.[1] That leaves only services with at least two nodes outside the EU to guarantee anonymity. At least until a decision by the BVerfG. For this particular provision goes beyond the directive. Perhaps it's time to increase the number of hops in the client circuit. -- Eugen* Leitl
Re: 20090101
Eugen Leitl wrote: On Fri, Nov 09, 2007 at 04:47:11PM +0100, Olaf Selke wrote: which paragraph are you referring to? §113a TKG doesn't require to collect any data. It just requires to store already collected data for at least six months: §113a TKG Anyone who provides publicly available telecommunications services for end users is obliged to store the traffic data generated or processed by him in the use of his service, in accordance with paragraphs 2 to 5, for six months within Germany or in another member state of the European Union. http://www.bmj.bund.de/files/-/2047/RegE%20TK%DC.pdf http://www.heise.de/newsticker/foren/go.shtml?read=1msg_id=13859936forum_id=127012 If the draft adopted today goes through, the anonymization services based in Germany are affected as well. All Tor or other nodes must log the source and destination address of the IP translation. Cf. the government draft (RegE), page 166, on § 113a para. 6 TKG-E.[1] That leaves only services with at least two nodes outside the EU to guarantee anonymity. At least until a decision by the BVerfG. For this particular provision goes beyond the directive. Perhaps it's time to increase the number of hops in the client circuit. Does that now mean that I have to log this if I want to run a Tor server?
Re: 20090101
On Fri, Nov 09, 2007 at 07:42:46PM +0100, Valen MacLeod wrote: Does that now mean that I have to log this if I want to run a Tor server? Not yet. A lot of things can and will change until 1. January 2009, and I would definitely look for an official legal interpretation before you pick between your three choices of what to do (or not to do). What are the most friendly jurisdictions for anonymizing services? I was thinking about Russia, but it's probably not cheap to rent a server there. Any Russian Tor operators here? -- Eugen* Leitl
Re: 20090101
On Friday, 9 November 2007, Eugen Leitl wrote: On Fri, Nov 09, 2007 at 07:42:46PM +0100, Valen MacLeod wrote: Does that now mean that I have to log this if I want to run a Tor server? Not yet. A lot of things can and will change until 1. January 2009, and I would definitely look for an official legal interpretation before you pick between your three choices of what to do (or not to do). What are the most friendly jurisdictions for anonymizing services? I was thinking about Russia, but it's probably not cheap to rent a server there. Any Russian Tor operators here? The Germans on this list can participate in a Verfassungsbeschwerde (constitutional complaint?) here: http://www.vorratsdatenspeicherung.de/content/view/51/70/ Martin -- Dr. Martin Senftleben, Ph.D. (S.V.U.) http://www.drmartinus.de/ http://www.daskirchenjahr.de/