Caught in the Network

[Eugen Leitl]

http://chronicle.com/temp/email2.php?id=zht45qPrsddjvvgfcjwWPjxhFwqxyfVX

OBSERVER
Caught in the Network

By PAUL CESARINI

At 9:15 one Thursday morning, there came a polite knock on my mostly closed
office door. I was expecting the knock. A student was coming to talk to me
about getting into one of my courses, which he needed to graduate.

So when I heard the knock, I said, "C'mon in, Kyle." Someone said, "Hello?"
and came in, along with two smartly dressed men extending business cards to
me.

I recognized the speaker as a network-security technician in my university's
office of information-technology services. The other men were not familiar,
but a quick glance at their cards told me they were detectives on our campus
police force. They closed my office door behind them, sat down, took out
notepads and pens, and asked if I had a few minutes to speak with them about
Tor.

Tor b an acronym for The Onion Router b is a freely available, open-source
program developed by the U.S. Navy about a decade ago. A browser plug-in, it
thwarts online traffic analysis and related forms of Internet surveillance by
sending your data packets through different routers around the world. As each
packet moves from one router to the next, it is encoded with encrypted routing
information, and the previous layer of such information is peeled away b
hence the "onion" in the name.

Basically, Tor is a way to surf the Internet anonymously. Someone looking up
potentially sensitive information might prefer to use it b like a person who
is worried about potential exposure to a sexually transmitted disease and
shares a computer with roommates. Abuse survivors might not want anyone else
knowing they have visited Web sites for support groups related to rape or
incest. Journalists in repressive regimes with state-controlled media use Tor
to reach foreign online news sites, chat rooms, blogs, and related venues for
information.

Tor can also be useful in e-commerce. For example, Amazon.com knows more about
my shopping habits and tastes than my wife does. I appreciate Amazon's ability
to make recommendations based on my previous purchases. But in 2000, Amazon
admitted experimenting with so-called dynamic pricing, charging different
people different prices for the same MP3 player; the prices were presumably
based on estimates of what each user would be willing to pay, considering
prior purchases. Online merchants could all do that, thanks to traffic
analysis. They know who I am when I log on b unless I delete their cookies
or use Tor.

Of course, anonymous Web surfing can be used to conceal fraud and other forms
of electronic malfeasance. That was why the police had come to see me. They
told me that only two people on our campus were using Tor: me and someone they
suspected of engaging in an online scam. The detectives wanted to know whether
the other user was a former student of mine, and why I was using Tor.

Widespread use of Tor could be a huge headache for network-security
administrators, particularly in higher education. My university alone has more
than 21,000 students. Imagine what would happen if even a tenth of them and a
similar percentage of faculty and staff members started using Tor regularly.
With all the spam scams, phishing scams, identity theft, and related criminal
enterprises going on around the world b many of which involve remotely
hijacking university-owned computers b we could approach technological
anarchy on the campus.

My reason for downloading and installing the Tor plug-in was actually simple:
I'd read about it for some time, was planning to discuss it in two courses I
teach, and figured I should have some experience using it before I described
it to my students. The courses in question both deal with controlling
technology, diffusing it throughout society, and freedom and censorship
online.

When I cover online censorship in countries with no free press, I focus on how
those countries rely on hardware, software, and phalanxes of people to make
sure citizens can reach only government-approved media. Crackdowns on
independent journalists, bloggers, and related dissidents all too often result
in their being beaten, incarcerated, or worse. Technologies like Tor represent
a beacon of freedom to people in those countries, and I would be doing my
students a disservice if I didn't mention it.

The detectives and network-security technician listened patiently to me,
wearing their best poker faces. They then gave me a copy of the university's
responsible-use policy, which employees must agree to abide by when we first
sign up for our e-mail accounts. They pointed out that my actions violated at
least three provisions of that policy.

I wasn't particularly impressed. I had helped edit and revise that policy when
I worked for the information-technology office before I earned my Ph.D., and I
knew that neither Tor nor any similar program had existed when the policy was
first written. I also knew that the provisions in question were vague.

My visitors next produced page after page of logs detailing my apparent use of
Tor. While I couldn't dispute most of the details in the logs, they seemed
inaccurate. For example, the technician said I had been using Tor earlier that
morning. In fact, I had been at Wal-Mart that morning looking for a good deal
on an HDTV; I had reached my office only about five minutes earlier.

More important, the logs did not prove any wrongdoing on my part. All they
demonstrated was that I, like thousands of others around the world, had
installed and infrequently used Tor. In my case, of course, there was no
wrongdoing.

Nonetheless, my visitors made two requests: that I stop using Tor, and that I
avoid covering it in class.

Having been on the administrative end of academic technology, I appreciate the
difficulties facing the information-technology staff. No one pats you on the
back if nothing goes wrong, but if something does b if a virus or worm
sweeps through the campus's network infrastructure, or someone hijacks some
computers to churn out spam b you are off everyone's Christmas-card list.
The last thing my former colleagues needed was some smarmy faculty member
spouting off about academic freedom and threatening to demonstrate Tor to
100-plus students each semester.

Their job is to protect the network that allows me to do my job: to teach
classes that are mostly or entirely online, and to conduct research. If they
weren't here as the first or even only line of defense against the
unscrupulous elements of our technological society, my university would cease
to function. It's as simple as that.

Furthermore, I do not rely heavily on Tor, or even think much about it outside
the context of my courses. I find all that routing makes it slow to use, even
with the superfast connection I have at work.

But it is being used all around the world, by people in countries that
restrict their access to information, by corporate whistle-blowers, and by
digital-rights activists. It's even being used by average people like me, as a
way to keep innocuous and personal online activities private.

So in the head-on collision between my appreciation of the role IT staff
members play on my campus and my understanding of the role I have to play for
my students, my need for academic freedom won. I found myself lecturing my
three visitors into near catatonia about the uses of Tor.

Finally, they shook my hand, thanked me for talking with them, reminded me
that I was probably violating the responsible-use policy, and left. They had
bigger game to catch: the other Tor user on the campus.

A moment later, I heard another knock on my door. One of the detectives had
come back to ask if I would reconsider my position. I told him that while I
would think about giving up Tor, I honestly felt that this was a clear case of
academic freedom, and I could not bow to external pressure. I reminded him
that Tor is a perfectly legal, open-source program that serves a wide variety
of legitimate needs around the world.

He nodded and left. Feeling an odd mixture of righteous indignation,
patriotism, and dread, I closed the door.

Almost immediately, I heard still another knock. In perhaps an overly dramatic
fashion, I raised my voice and bravely said, as I opened the door, "I'm sorry,
but it's about academic freedom!"

There was Kyle, add/drop slip in one hand, pen in the other, grooving to his
iPod, looking at me blankly.

Paul Cesarini is an assistant professor of visual communication and technology
education at Bowling Green State University.


--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]