On Sat, Nov 24, 2007 at 10:44:17AM +0100, Andrew wrote:

Sadly, what you say is true. Precautions have to be implemented in Tor that no more than one node from Germany is chosen for any connection. We should ask tor development to implement such a feature until 12/2008, and have it activated automatically before the end of next year.

Alas, I fear it's more complex than that. There are two anonymity-related issues that people here aren't considering enough: a) Tor's security doesn't come from having any single honest (unobserved) relay on the path. It comes from the adversary not being able to see (measure) traffic on both ends of the circuit. See e.g. http://freehaven.net/anonbib/#danezis:pet2004 So for example if the destination website is in Germany, and it logs all the packets it sees, then a logging entry relay would be sufficient to give away the game. b) If the Tor relay's ISP is logging enough, then it doesn't matter what the Tor relay itself logs. I'm still hoping to hear an answer to Mike Perry's question at http://archives.seul.org/or/talk/Nov-2007/msg00146.html Then see http://freehaven.net/anonbib/#murdoch-pet2007 If sufficient logging becomes pervasive at the ISP or IX level, then it would seem that either we'll need to excise those jurisdictions from the Tor network (and worse, give up on providing anonymity to users there), or work on anonymity designs that tolerate this level of attack while still remaining usable. And that's where the actual definition of "traffic headers" or "traffic data" becomes critical -- and as I understand it, nobody yet knows what definitions will be used in practice. So it is premature to start deploying any alternate designs. But yes, if it gets to that point, we will be working hard on ways to avoiding leaving as many tracks in these large central databases. Even if I entirely trusted the authorities to only use the data in critical situations, what scares me most is the poor track record of large organizations at securing huge piles of sensitive data. We don't have to look very far for stunning examples of data leaks. These extra requirements like realtime access just make the task even more impossible.

But please, everybody, do not overreact by blocking german tor nodes. The law will only have an effect for tor operators by the beginning of 2009, and I doubt anyone will start logging before that.

Right. If you would like to start logging early, please instead turn off your Tor relay. And if the authorities try to force you to start logging early, please also turn off your Tor relay, and then find some lawyers to help you figure out how to notify the world safely.

Plus, there's still a chance the german Supreme Court (Bundesverfassungsgericht) will stop this law before the end of next year. The lawsuit is under way...

Good luck! --Roger ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE