The Tor anonymity network keeps making the headlines. The notorious Tor Stinks presentation, as well as the Freedom Hosting and Silk Road 2.03 cases, are just a few examples of the use (and abuse) of this software that was initially built to help its users anonymize their location and that of their websites and other services. Judging from recent developments and much to the dismay of several governments, the use of anonymization technologies such as Tor will continue to thrive.
Despite Tor’s attention worldwide, the technical and legal questions surrounding it remain relatively unexplored. One of the reasons for this is that most Tor users, relay providers, and cybersecurity researchers have limited knowledge of the possible legal implications surrounding the use of Tor. At the same time, most legal researchers may not be familiar with Tor’s technical aspects or have not fully grasped the demand for anonymization solutions being echoed by different layers of modern surveillance societies.
We find these underexplored questions fascinating. Does Tor grant its users 100% anonymity? How can public authorities detect, investigate and prevent crimes committed with the help of Tor? Can they use Tor themselves in their activities? What is the role of the exit node operators? Would it not be easier to ban the use of Tor altogether? And who needs Tor anyway?
Aiming to fill this gap in the discussions about Tor, this study will look at these questions from both a technical and legal perspective. By so doing, we aim to contribute to the exchange of information between the technical and legal members of the cybersecurity community who are dealing with controversial multidisciplinary issues related to anonymizing technologies. To cater to the interests of policy-makers, governmental bodies, and researchers in various domains, who are all looking for a comprehensive overview of these technical and legal issues, the nature of this study is introductory and therefore does not necessarily require previous technical or legal knowledge. Hopefully, this study will serve as a starting point for numerous future research projects that will tackle in greater detail some of the issues introduced here.
We start with a technical overview of privacy-preserving Internet technologies and censorship circumvention methods, such as proxies, Virtual Private Networks (VPN), and Domain Name System (DNS) based bypassing mechanisms. Then, the concept of onion routing is explained with a special focus on Tor. The underlying technical structure of Tor and the access to the network, its relays, and exit nodes are elaborated on afterward. We conclude the technical part by discussing the weaknesses of the Tor network, popular attacks, defense mechanisms, and other indirect issues which affect the efficacy of this anonymity network.
Understanding the technical foundation of Tor is necessary for further elaborating on the legal issues. In the legal part, we explore government activities concerning Tor, focusing on open-source intelligence, personal data protection, and the collection of evidence. We discuss the importance of Tor in the exercise and protection of human rights. We briefly illustrate the content liability of exit node operators in the context of European law. We conclude by describing the legal limits on traffic monitoring.
CCDCOE (2015). Technical and Legal Overview of the Tor Anonymity Network