Sunday, September 16, 2007

Plausible Deniability with Tor?

Plausible deniability with Tor? Not so fast, buddy!

The idea here is that by running a Tor exit node (which the subject of the linked article does, putting through 40 GB of traffic a day!), you get plausible deniability if the Feds come banging on your door, nattering on about how you downloaded the latest Hollywood blockbuster. "It wasn't me, must've been someone through Tor!"

There are still a few ways they can build up a case for the download being yours. Most of them have to do with monitoring network traffic and drawing conclusions from those observations, so Big Brother would need access to some of the network hardware at your ISP. And we all know that there's no way that'll ever happen, so consider this a little theoretical. Or paranoid, take your pick.

The simplest would just be to monitor traffic rates, especially if you're downloading from a server (as opposed to P2P). Let's say you've got a more or less steady upload and download rate of 200K/s (I haven't looked deeply enough into it to be absolutely sure, but it only seems logical to me that Tor traffic that isn't your own has to be more or less equal amounts upstream and downstream) and all of a sudden, you jump up to 500K/s download, while your upload only increases a little bit. At the same time, the watchers notice someone grabbing a large file off illegalmoviedownloads.com, and it's heading straight towards your IP! That's a pretty damning hint that the extra 300K/s is all you, grabbing a movie for the weekend. It at least seems more likely than the mix of random network use I would expect to see from a Tor exit node.
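Here is the rate-asymmetry idea above written out as a small check over constructed per-second byte counters (an added example, not code from the original post; the samples, the 3x/5% thresholds and the assumption that relayed Tor traffic is roughly symmetric are mine). It also shows why the "drop relayed traffic while you download" trick discussed later in the post keeps this particular heuristic quiet.

```python
# Added example: a toy version of the traffic-rate heuristic in the post.
# Assumption: relayed Tor traffic is roughly symmetric (bytes in ~= bytes out),
# so inbound volume with no matching outbound volume is attributed to the operator.
from dataclasses import dataclass


@dataclass
class Window:
    t: int        # window start, seconds
    rx_kb: int    # kilobytes received by the monitored host in this window
    tx_kb: int    # kilobytes sent by the monitored host in this window


def excess_download(w: Window) -> int:
    """Inbound volume not matched by outbound volume; zero when symmetric."""
    return max(w.rx_kb - w.tx_kb, 0)


def flag_windows(windows, baseline_windows: int = 3, factor: float = 3.0):
    """Return windows whose excess inbound volume exceeds `factor` times the
    excess seen over the first `baseline_windows` samples. A floor of 5% of the
    relayed (symmetric) volume keeps ordinary jitter from tripping the rule."""
    base = windows[:baseline_windows]
    base_excess = sum(excess_download(w) for w in base) / len(base)
    relayed = sum(min(w.rx_kb, w.tx_kb) for w in base) / len(base)
    threshold = max(base_excess * factor, 0.05 * relayed)
    return [w for w in windows[baseline_windows:] if excess_download(w) > threshold]


# Constructed 1-second samples: ~200 KB/s relayed both ways, then a 500 KB/s
# download with only a small rise in upload (the scenario in the post).
SAMPLES = [
    Window(0, 200, 198), Window(1, 202, 201), Window(2, 199, 200),
    Window(3, 205, 203),
    Window(4, 500, 220), Window(5, 498, 222), Window(6, 503, 219),
]

# Constructed samples for the "drop relayed traffic while downloading" trick:
# both counters stay near the baseline, so this heuristic alone does not fire.
MASKED = SAMPLES[:4] + [Window(4, 210, 205), Window(5, 208, 204)]
```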

Well, how about something P2P? Set up BitTorrent properly, and you'll have the same increase in upload rate and download rate, so no way to show that it was you, right? Unfortunately, no, not for any reasonably sized download. As per the EFF's quick overview on how Tor works, Tor will choose a new path through the network roughly every minute or so. Ten minutes (or even much longer) of the same torrent going through your node? Very suspicious, and very hard to blame on Tor. ("Honest judge, must've been a lot of people, one after the other, going through my node, all after the same torrent...")
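The circuit-rotation argument above, and the chunk arithmetic in the author's reply in the comments (a 50M file in 512K pieces from 10 peers), as an added check over a constructed connection log (this is not code from the original post; the 10-minute lifetime, the peer addresses and the round-robin fetch pattern are my assumptions). A single long-lived connection counts once and is not flagged, matching the correction in the comments that rotation only affects new connections.

```python
# Added example: flag remote peers that keep receiving *new* connections from
# this host for longer than a Tor circuit would plausibly keep using this exit.
# Assumption: a client fetching through this exit would be moved to other exits
# within roughly CIRCUIT_LIFETIME_S, so a peer that sees fresh connections from
# this IP for much longer is more plausibly talking to the operator.

CIRCUIT_LIFETIME_S = 10 * 60   # the ten-minute figure used in the post and comments


def persistent_peers(conn_log, lifetime_s=CIRCUIT_LIFETIME_S):
    """conn_log: iterable of (start_seconds, remote_ip), one entry per new
    connection. Returns remote IPs whose connection *starts* from this host
    span more than `lifetime_s`; one long-lived connection has span 0."""
    first, last = {}, {}
    for t, ip in conn_log:
        first[ip] = min(first.get(ip, t), t)
        last[ip] = max(last.get(ip, t), t)
    return sorted(ip for ip in first if last[ip] - first[ip] > lifetime_s)


def chunk_fetch_log(n_chunks=100, n_peers=10, secs_per_chunk=12):
    """Constructed log for the reply's example: 100 pieces of 512K pulled
    round-robin from 10 peers, one piece every secs_per_chunk (20 minutes total).
    Peer addresses are from the 203.0.113.0/24 documentation range."""
    return [(i * secs_per_chunk, f"203.0.113.{i % n_peers + 1}")
            for i in range(n_chunks)]


# Constructed log of what a relayed client might look like from this exit:
# a few connections to one peer, all started within a single circuit lifetime.
RELAYED_LOG = [(0, "198.51.100.7"), (90, "198.51.100.7"), (240, "198.51.100.7")]
```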

So, is there no hope? Well, you could always route your less-than-legal activities through Tor itself. One warning on that matter: as we've seen recently, even Tor can't protect you if you post personally identifying information. All the anonymous routing in the world won't help me if my digital camera has left its serial number in the EXIF data stored in the photos I'm sharing. God forbid I should sign a post using my real name.

Another potential trick could be to have your exit node drop relayed traffic when you start using the bandwidth yourself. In this way, the traffic rates still appear the same to an outside observer. It would be horribly bad form, and I would expect Tor to intelligently stop sending you connections anyway, but done in short bursts, it adds one more layer of disguise. (I think that, in theory, a similar but more difficult traffic analysis job could, with much, much less certainty, hint that you're dropping Tor traffic.) Again, for longer communications, you have the issue of persistent connections originating from your IP address.

Finally, is it proper to use Tor to hide your illegal file-sharing? That's up to every individual to decide for themselves, but I would start by asking a few questions: "Is my filesharing using more resources than I am giving back?" "Should I be bogging down the network so that I can save $5 on a movie, when others need it to protect themselves from repressive governments (some would argue that filesharing in and of itself is an act of resistance :-P )?" "Will a judge understand what's going on, or assume that I sympathize with terrorists and child pornographers because I run an exit node?"

Does that last one sound weird? Not everyone understands technology, as can be seen when this judge considers data passing through RAM (by definition: volatile, extremely temporary memory) the same as 'electronically storing' it.

One last parting shot. I only know about the technical side here. What would be legal, what the cops could get away with anyway, whether any of this would pass in court or at least allow for a search warrant, and whether any of that matters in our current world of disappearing freedoms are all matters I can't speak about with any authority. I just want people to realize that there are other ways to figure out what you're doing than just the most direct observation, just like all the non-verbal cues we pick up on in a conversation.

Play safe.


6 Comments:

At Sun Sep 16, 01:43:00 PM EST, Anonymous Anonymous said...

Don't use tor for filesharing!!!

 
At Sun Sep 16, 05:13:00 PM EST, Blogger Charles said...

Hey Patrick,
I found your blog (this particular post) by following a link from cnet, which was a link from Slashdot. Interesting stuff. Let's hope that the ISPs aren't constantly monitored for traffic. I would think that would be a violation of privacy, but who's to say what is legal now that we've had Gonzales as AG?

The coffee thing was interesting since I often talk of coffee, and I love Dune. I could have told you another way of taking care of the problem too. Point your elbow out instead of down, it helps your arm and shoulder dampen the motion of your body.

My favorite books are those from Frank Herbert, The Dune Chronicles specifically, but I've read some of his other books also, one being just this side of stupid (The Green Brain.)

 
At Mon Sep 17, 10:40:00 AM EST, Anonymous Anonymous said...

Actually, the ten minute route change only applies to new connections. So it's not unusual for a single connection through tor to last as long as you want, but it would be suspicious if the many connections for the same torrent keep being made by your IP over a longer period of time.

 
At Mon Sep 17, 12:37:00 PM EST, Blogger -Pat said...

No, I don't think routing your filesharing through Tor should be used to cover it up either. My ethics aren't everyone else's though, I just put out the questions I thought people should be asking themselves.

I'm going to say (again, without properly looking into it) that the torrent problem still exists. Yes, a longer, continuous connection will keep on the same route, but that's not what's happening in a torrent. As a simple example, let's look at a 50M file being downloaded via bittorrent, over Tor. It is split up in 512K segments (pretty common) and there are 10 seeders and peers. You now need to grab 100 parts from 10 different IPs. If this takes any reasonable amount of time, Tor will take different routes for some chunks from the same IP. If that doesn't happen, an observer can assume that you are the downloader, and not someone using your Tor exit node.

 
At Tue Sep 18, 08:51:00 PM EST, Anonymous Anonymous said...

"No, I don't think routing your filesharing through Tor should be used to cover it up either."

I thought the original point was that you have your own P2P downloading plus Tor endnode traffic coming from your PC -- and they can't tell that the P2P traffic is yours rather than coming from the Tor endnode on your PC.

I mean, if the OP was advocating P2P over Tor, this whole 'avoidance of tracking' thing wouldn't be an issue.

Hence, the OP wouldn't have posted on it. I mean, I get the impression that the OP understands what Tor does.

Lesson: closer reading avoids miscomprehensions of basic premises in arguments.

 
At Wed Sep 19, 08:24:00 PM EST, Blogger -Pat said...

Yes, the original, original idea (Chris Soghoian's) was that by running a Tor exit node, you can't be pegged for your own (non-Tor) filesharing. I don't think it's that easy, (my post is about how I think an observer can still see that you're filesharing, even though you're running a Tor exit node) but you could hide your filesharing by running it over Tor (which I don't think is the right thing to do, and neither does that first anonymous).

I hope my stance is clearer now.

 
