?

Log in

No account? Create an account
Semiformalishmaybe

Argument summary

DPerkins (a friend I knew from my CMU times) and I had a long discussion on Tor on twitter. Twitter's an interesting medium for an argument; the character limit encourages one to be really brief, which:

  • Has the effect of leading to really short sentences in discussion, which can be positive or negative
  • Leads to underexpression of supporting points, which is probably more negative
  • Leads to very rapid back-and-forth without interruption (like IRC), which is positive
In any case, if you'll recall, I don't like Tor, and DPerkins was taking a pro-Tor stance. I'm trying to present the discussion in a way that doesn't try-to favour my side over his so much as act like "perspective tourism", pointing out points of disagreement. This will require me to connect the dots to an extent on his perspective; I'll try to do so sensibly. I will simply assert in the following my conclusions on what DPerkins believes; this is a linguistic convenience, so please be willing to expand my assertions into presumptions.

First, summaries of both of our perspectives. I identify as a far-left liberal, as probably does DPerkins. We do have somewhat different commitments and perspectives.

  • For me, the discussion illustrates the tensions between rule-of-law and civil liberties. I am committed to both, and I see tor as meeting some strong social goods but doing so in a way that permanently and excessively damages rule-of-law. I believe that in order for civil liberties to mean anything, they must happen in a context where there is an effective public order that involves reasonably-functioning police and judiciary
  • For DPerkins, the discussion is the defense of a powerful tool for civil liberties against a call for state power. In the United States, and particularly in other countries, repressive laws are being circumvented through technologies that support free speech, and that makes Tor a net plus for good.
The harms we identify with each other's positions are probably as follows:
  • DPerkins' position, which I identify as Technolibertarian, leads to a variety of crimes being very difficult to investigate; without the theoretical ability to trace or tap communications, police cannot trace communications tied to kidnappings, bribery, libel/slander, harassment, threats, money laundering, and the like. We are familiar with these harms (and could enumerate them further) by looking at all the things wiretaps and tracing enable police to investigate now
  • DPerkins identifies with my position the stifling of speech, enabling foreign oppressive regimes to prevent political criticism, making travel to foreign countries more dangerous for geeks, and enabling police states
One point that came up was whether preventing tor would be an expansion of power of the state or not:
  • I claim no, because I see the existing ability of the state to tap phones, bug locations, and the like as extending smoothly into the digital realm. I want the state to need a warrant for such activities (online and off) and am concerned that recently exceptions to executive power have allowed for warrantless tapping of various sorts, but I think in general our laws should smoothly extend, as much as possible, into new means of communication, just as our legal protections/traditions (such as the First Amendment) do.
  • DPerkins claims yes, believing that new realms should be by default free and that extending regulations into them requires sufficient adaptation to amount to a new restriction and more state power.
DPerkins notes at Tor is not the only tool that might disrupt LE, which is true. I am comfortable targeting all of them, including Tor.

My preferred means for dealing with Tor is to impose liability on those who knowingly run a Tor node for any actions that can be shown to pass through their systems, on the theory that Tor nodes are like safehouses that offer sanctuary to anyone, whether they're running from police, gangs, or are just privacy freaks. I would not ban the technology outright (although personally I would shame those who use it as being socially irresponsible). There was a digression in the discussion where DPerkins and I expressed agreement that having devices "secured" against their users with locked bootloaders and the like would be a bad development.

DPerkins challenged me to get some hard data on criminal use of tor. I held that it is sufficient to show that tor is designed to prevent some kinds of LE activity, and that the decades of hard data that the ability to trace/tap communications is occasionally very important to LE is sufficient data to support my claims. We remain in disagreement on this; I am comfortable with my stance in that new technologies with predictable uses can lead to predictable results. There may actually *be* hard data on criminal use of tor, but I don't think it's necessary/useful for me to dig at it, particularly as I expect it to be used increasingly as tor will probably catch on in the criminal community.

DPerkins objected to my blurring tapping and tracing as activities of LE. This is fair; I spoke of them using the same term because they both pose a systemic damage to LE, they both are enabled by tor, and they both might reasonably be used in the same investigation. I am willing to talk of them separately though.

We traced a few scenarios for potential crime; registering and using gmail through tor provides a disposable "identity" not easily traced back to a human, not easily tapped to find out what other activities are in play.

I agree with DPerkins that if tapping is too easy that's a damage to the public good; I am baseline-comfortable with a warrant being sufficient, but am happier with there being some (but not stifling) trouble or difficulty in the process itself so it is not done too lightly. I hold that it's better for it to be easy than impossible though. DPerkins disagrees.

DPerkins also is uncomfortable with libel/slander laws and thinks they have been effectively obsoleted by the internet (or perhaps were never valid to begin with). I am comfortable with libel/slander as being illegal.

As a general matter of philosophy, I trust (or feel I have to effectively trust; not quite the same thing) government much more than DPerkins does. I accept there will be irregularities and unacceptable things, but see us much better off with an effective state that screws up sometimes (or even a lot) than with one that is so weak as to be ineffective. DPerkins distrusts the government significantly more than I do, and sees technology as an independent way to seek the good from legal reform. I believe his perspective neglects the damage done by severely weakening law enforcement, and he believes my perspective neglects the potential for autonomy made possible by tor.

(originally the discussion included Bitcoin, which I see as much more damaging than tor, but we dropped that topic very early on)

Comments

"DPerkins claims yes, believing that new realms should be by default free and that extending regulations into them requires sufficient adaptation to amount to a new restriction and more state power."

I'm not sure whether or not that's a good summary of D's viewpoint. I, personally, would say this quite differently. I think that in the digital age, most of our day-to-day conversations and transactions have moved from being effectively unmonitorable to being extraordinarily monitorable (and, depending who you believe, probably already monitored).

Twenty years ago almost all my conversations happened face to face, and in a variety of locations. Even if the police bugged my house or tapped my phone, they wouldn't have had access to most of my conversations, which happened as I walked in the park, sat in a coffeeshop, etc. In fact, I don't think the police could even have known I was at the coffee shop without tailing me, because I would have paid in cash and I didn't carry a cell phone.

Now, most of my conversations happen online. Most of my transactions happen online. Even when I'm offline, I can at least theoretically be tracked using my cell phone and credit card purchases. A government that had unfettered access to its citizens' online data would have a degree of knowledge about people's lives that has never before been possible.

I know you're not suggesting that governments OUGHT to have unfettered access. But right now, all that stands between the government and all that information is our legal system. Other countries have the same technologies, but not the same legal systems, so it seems short-sighted to suggest that a legal solution can restore the balance of power.

So yes, I support technologies that circumvent the government's (or corporations', or whoever's) ability to spy on us. I don't think it's enough merely to have laws in place that say people can't use the copious information about us that is already floating around out there. I think we should be allowed to limit the accessibility of that information in the first place.

Does that limit the power of law enforcement? In my mind, it simply reverts their level of power back to what it was when they would have had to actually follow me into a coffeeshop to see what I'm up to.

Edited at 2012-01-21 09:11 pm (UTC)
I imagine that if the police had come to believe you were engaged in organised crime and known who you are they probably could've had someone tail you to the coffeeshop, and bugged the table if necessary (and done the equivalent for other locations). Yeah, it's manpower-intensive and a pain, which is my ideal; you're right that it's at least theoretically easier in modern times to do so.

I don't think it's quite a reversion in that there's still the initial step of finding the person in the first place; right now if someone has command of a botnet or knows how to use tor, tracking them down can be much more difficult than it ever was, and building a case against them is IMO much harder because bugging their communications is impractically hard.

I did get the impression that that was what D was saying; here's what led me to that impression:
"Tor is dealing with /new/ powers, not old ones. Wiretapping still exists. Tor doesn't stop it."

I do recognise the desire for a way to deal with less-good legal systems (and our own legal system has been less than stellar recently, with the need for court review curtailed). I think tor tilts the balance dangerously far against LE though in ways that will be a hinderance for as long as tor's around; the cost of that amount of anti-LE sway will be very significant and in this case is not one I think we should be willing to pay.

(This conversation was probably about 30% a prop to get my thoughts out there so people can see that I'm operating from reasonable concerns and making a judgement call; even if they don't agree with me in the end I hope it's at least clear I'm not operating from either crazy moon logic or one of those "everything states do is awesome it is wrong to oppose them ever" sorts).

(Anonymous)

Some courts have recognized the difference in scale between the old manual tailing and wiretapping techniques and today's new "tail and wiretap everyone" methods. As we know, people behave differently when they think they're being monitored. When all it takes for the government to watch you is flip a switch or press 5 keystrokes, people start assuming they're being monitored. When it takes the government paying some guy $100 a day to walk around behind you, people assume they aren't. What seems like "just a matter of degree or difficulty" in reality is a massive shift in the way people perceive and react to government surveillance.

However, this is a minor point. See my coming comment for what I consider the more important one.

-douglas

(Anonymous)

Encryption vs Tor

The reason we shouldn't group Tor with other crypto and proxy technologies is because people are wondering whether they ought to run Tor servers. I have friends who are on the fence.

The damage done to LE by crypto goes back to the beginning of cryptography on the internet. What are SSH and HTTPS if not destroyers of electronic eavesdropping? We understand that those tools could be used in the process of committing crimes, but we also understand that they aren't going away, nor would we want them to.

For many years, determined criminals have used proxy servers that don't log or are internationally located to defeat IP address tracing. This also is unlikely to end. Indeed, VPN services are cropping up in many countries, and I don't see how anyone can shut them all down without massive internet changes.

The question my friends have is simple. Given that crypto and proxies already exist, and given that people already use them, would supporting Tor make things worse for law enforcement? We know from personal and secondhand experience that Tor has positive uses, and while it's not the simplest thing to use, it's not very difficult and doesn't require many resources. So if the good uses of Tor outweigh the bad uses of Tor (and *not* other circumvention technologies like SSH), then it makes reasonable sense to run Tor relays.

If you want to ask what you predict the future will bring for electronic LE, then you can ask about Tor and all of the other crypto resources grouped together. But if you want to know whether you might want to run a Tor server, or whether people who run Tor servers are supporters of crime, that won't help you.

Re: Encryption vs Tor

I believe and hope that there are ways around SSH, HTTPS, and those VPNs that can be managed with a court order; perhaps a sneaky way to root our servers without our knowing? subpoenas for the places we connect? Inbound and outbound monitors on those VPN sites? I want there at least to be a theoretical way to do that that's in the hands of LE and ideally counterbalanced by the need for a court order. As for proxies, I also hope that LE has some methods to break those when they have to. Any technology that amounts to an unbreakable win against LE for the ability to either trace or tap communications is one I hope never sees the light of day; I want us relatively free but protected from crime, but being completely free and completely vulnerable is pretty awful.

In all these cases, people time is going to be expensive. The strongest reason I believe LE isn't keeping an eye on me isn't that I think it's technically difficult; I imagine there's been ample time to root my boxes without my noticing in ways that'd be very difficult to detect, tap my networks, bug my apartment, etc. It's also not that I haven't done anything interesting to LE recently (although that's true). It's that it's expensive to do that to lots of people, particularly when LE needs to pay for someone to actually figure out what to do with the data. Human judgement is always expensive.

I always assume that if the government wanted to snoop on me or make me disappear, they could without too much difficulty. The same goes for sufficiently wealthy/powerful private corporations or organised crime groups, which I'm much more inclined to think of as sinister. I'm generally inclined to think of all governments as being at least somewhat legitimate, and of the US government as doing much better than most in trying to serve the public good. I'd still generally say that LE priorities of governments less principled and more systemically corrupt than ours are really important, and technologies that make it harder for LE to function (untracable, untappable communcations) are not something to celebrate.

But I suspect we're not going to come to an agreement on this; I think we both understand each other's arguments but we're weighing the risks and benefits differently.