Security Focus story
http://www.securityfocus.com/news/11447

A number of comments made on the list are referred to in this story. One of Nick's posts has been quoted.

-James
Re: Security Focus story
On 3/9/07, James Muir <[EMAIL PROTECTED]> wrote:
> http://www.securityfocus.com/news/11447

A quote which worries me:

"Tor servers meet the definition of an Internet service provider, which means that operators are not required to know what data passed through the server, said Kevin Bankston, staff attorney with the Electronic Frontier Foundation (EFF)"

If TOR would legally qualify as an ISP, we're in deep trouble. Keyword: the upcoming data-retention laws in Europe.

Alex.

--
"I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped."
-- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Security Focus story
On Fri, Mar 09, 2007 at 08:37:58AM +0100, Alexander W. Janssen wrote:
> If TOR would legally qualify as an ISP, we're in deep trouble.

We don't provide access to the Internet, and we're not charging for it. Last time I looked the data retention laws also allowed a loophole for very small providers.

> Keyword: the upcoming data-retention laws in Europe.

Even if you ran a Tor node with logging, and you gave BKA a slice for the time window they ask you for, that would be quite useless.

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: Security Focus story
On 3/9/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 09, 2007 at 08:37:58AM +0100, Alexander W. Janssen wrote:
> > If TOR would legally qualify as an ISP, we're in deep trouble.
>
> We don't provide access to the Internet, and we're not charging for it. Last time I looked the data retention laws also allowed a loophole for very small providers.

I hope so, although I wonder how "small" will be defined. How would you tell how many users you have on your TOR-node?

> > Keyword: the upcoming data-retention laws in Europe.
>
> Even if you ran a Tor node with logging, and you gave BKA a slice for the time window they ask you for, that would be quite useless.

No; the point is if you'd qualify as an "access provider" you need to enable "relevant logging". ETSI already defined interfaces and data-sets which would come quite handy.

But I agree with you: The law isn't here yet.

Alex.

--
"I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped."
-- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Security Focus story
repeat after me: it's "Tor", _NOT_ "TOR" :)

On 3/9/07, Alexander W. Janssen <[EMAIL PROTECTED]> wrote:
> ...
> No; the point is if you'd qualify as an "access provider" you need to enable "relevant logging". ETSI already defined interfaces and data-sets which would come quite handy.

i have a policy that law breakers will leave evidence in logs and set the "evil bit" on all packets! [0][1]

if it does get close to that bad over in EU, don't run Tor nodes in data centers. once those canaries have died begin to worry about that DSL exit...

0. "i have a policy..."
   http://www.kottke.org/04/07/my-new-policy

1. RFC 3514 - The Security Flag in the IPv4 Header
   http://www.faqs.org/rfcs/rfc3514.html
Re: Security Focus story
> If TOR would legally qualify as an ISP, we're in deep trouble. Keyword: the upcoming data-retention laws in Europe.

Data retention in Europe doesn't cover the content of traffic; only CDRs (call data records) are covered and gathered all together for LI purposes.

Telecoms providers will now have to keep data including the time of each fixed and mobile phone call made in Europe, whether the call is answered or not, the duration of the call and other details that can trace the caller, as well as times users connect to the internet, their IP addresses and details pertaining to emails and VoIP calls. The content of the communications will not be recorded.

The big problem about data retention is data collected for a period of time, how to interact with those data and how to protect the data from unauthorized access (this action is on duty in ETSI meeting).

Cesare