Torrents of Abuse

In recent news reports, an Austrian man, William Weber, was charged in connection with distributing child pornography because illegal images were detected being transferred by his computer. Just another pervert getting caught? No, because this server computer was in fact a “Tor Exit Node”, so the data going through it had nothing to do with him.

Tor is a system to give people privacy on the internet. To understand how it works, one first needs to understand a little about how the internet works. Before the internet, if you wanted your computer to communicate with another computer you set up a direct connection between the two machines. The internet, however, avoids the need for a direct connection: each computer attached to the internet has an “IP address”; your computer sends packets of data, with a header containing the address of the computer it wants a reply from, to another computer, usually belonging to your Internet Service Provider (ISP), which in turn passes it onwards to another computer until it reaches the addressee, which replies with packets labelled with your computer’s address. Now while these data packets all pass through computers in between, those computers do not (necessarily) have access to the contents of the packets1. Also, because of the way the internet works, each packet need not travel along the same route, so the intermediate computers may not see the whole sequence of packets making up the message.

However, the intermediate computers can see the address of the computer you are trying to reach; they need to in order to pass them in the right direction. As IP addresses are assigned in blocks to national authorities to distribute within their territory, it is possible for the intermediate computers to refuse to pass on data packets to certain IP addresses (e.g. for a particular website) or IP addresses in certain ranges i.e. in certain countries. This is a technique used in various countries by governments to prevent their citizens contacting the outside world or viewing banned websites. It is also possible to allow the data through but carry out “traffic analysis”, essentially to record the addresses on the data packets leaving your computer to see for example what websites you have viewed or who you have emailed.

The purpose of the Tor project is to give computer users privacy. You connect from your computer to a “Tor entry node”, which is a computer set up to allow access to the Tor network. This computer then passes on whatever data you send through a variety of “Tor relays”, just like the intermediate computers in a standard internet connection. However, these relays are set up so that the owners of the computers have no way of telling what data is passing through their connections; they just take an anonymous packet of data and pass it onwards. Eventually the data arrives at a “Tor exit node”, which then connects to the regular internet to pass the now anonymised packets out and receive the responses for transmission back the same way.

The problem of course is that privacy can be used for good or ill. One can use it to try to avoid sanction from an oppressive government, or to try to avoid punishment for a criminal offence2.

The creators of Tor have designed certain features to prevent certain types of abuse of anonymity. For example, the network cannot be used for Distributed Denial of Service (DDoS) attacks, or for sending spam emails3. Undoubtedly though, for those who want to carry out illegal activities it provides exactly the same privacy as for those wanting it for legal activities. Indeed it is essential for those wanting to use it for illegal acts that the majority of the traffic is for fully legal (or at least morally acceptable) acts; otherwise it would be a simple matter to detect criminals because they would make up the bulk of the traffic. A more detailed consideration of the place of privacy in internet usage would take at least another blog post, if not a Ph.D. thesis.4
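As an added illustration (not code from the original post or from the Tor project), the following Python models the layered encryption described above and the exit policy mentioned in this paragraph: each relay strips one layer and sees only ciphertext, while the exit sees the destination and payload and applies a port-25 reject rule. Relay names, keys and the HMAC-based stream cipher are constructed for illustration; real Tor uses AES-CTR with keys negotiated separately with each hop.

```python
# Added example: toy model of Tor's layered ("onion") encryption. Not code from
# the original post or the Tor project. Relay names, keys and the HMAC-SHA256
# keystream are constructed for illustration; real Tor uses AES-CTR with keys
# negotiated separately with each hop.
import hashlib
import hmac

def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (constructed, not Tor's)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_layer(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key restores data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# Constructed circuit: (relay name, session key the client shares with it).
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
# Exit policy as the post describes it: SMTP port 25 is refused at the exit.
EXIT_REJECT_PORTS = {25}

def build_onion(dest: str, port: int, payload: bytes) -> bytes:
    """Client side: the innermost layer is the exit's view; wrap outward."""
    cell = f"{dest}:{port}|".encode() + payload
    for _name, key in reversed(CIRCUIT):
        cell = xor_layer(key, cell)
    return cell

def traverse(cell: bytes) -> dict:
    """Pass the cell along the circuit, recording what each relay can see."""
    seen = {}
    for name, key in CIRCUIT:
        cell = xor_layer(key, cell)  # each relay peels exactly one layer
        seen[name] = cell            # guard/middle: still ciphertext
    dest, _, payload = cell.partition(b"|")
    host, port = dest.decode().rsplit(":", 1)
    result = {"seen": seen, "dest": host, "port": int(port)}
    if int(port) in EXIT_REJECT_PORTS:
        result["exit_action"] = "rejected by exit policy"
    else:
        result["exit_action"] = "forwarded"
        result["payload"] = payload  # only the exit sees the plaintext
    return result
```

Running `traverse(build_onion("example.org", 80, b"GET / HTTP/1.0"))` shows the guard and middle views contain no trace of the destination, which is exactly the position the exit-node operator in the article is in: he relays plaintext he did not originate and could not have attributed.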

While the case in Austria is “live”, we obviously have to be careful about what comments we make on the specific case, but we can consider the legal position of someone running a Tor Exit Relay generally. The problem the gentleman appears to have run into is that the authorities have, at least in the first instance, decided that he is responsible for the data passing through his Exit Relay despite his having no knowledge of or control over this data. Providing a Tor service is analogous to the services provided by commercial ISPs. ISPs are protected from prosecution for illegal data passing through their systems under EU Directive 2000/31/EC, implemented in the UK by the Electronic Commerce (EC Directive) Regulations 2002. If they are a “conduit” of data, transmitting data for a third party and not storing it (except for the period necessary for the transmission), they incur no civil or criminal liability for that data.5 Therefore if an ISP is accused of a criminal offence, e.g. transmission of illegal pornography, it can merely lodge a defence in terms of these regulations and the onus is then on the prosecution to show that it was the ISP, rather than one of its users, that chose to transmit that data.

The question therefore arises whether these provisions can apply to someone operating a Tor Exit node. The regulations refer to a “service provider”, which is defined in terms of someone providing an “information society service”; this in turn is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”6. It is worth noting that academic institutions have been held to be protected by the regulations for their provision of internet access, data transmission, etc. For historical reasons academic institutions do in fact provide a lot of the transmission and services backbone of the internet, without making any charge for this; however, as the services they provide can be purchased elsewhere, it is easy to argue that the services they provide are of a sort “normally provided for remuneration” and therefore protected.

Someone who provides a Tor service does so for no remuneration.7 So can they claim under this defence? One question is how relevant it is that the particular service is via the Tor network rather than the open internet. One analysis is that there is no functional difference between providing a Tor node and providing a server which transfers data under any of the other numerous protocols which we collectively refer to as “the internet”. For example, Usenet is a method of transmitting public messages (predating the World Wide Web) which relies on people providing servers running the Network News Transport Protocol (NNTP) service; how does this differ from running a Tor service? Once set up, an NNTP server links to other NNTP servers and automatically exchanges data without the owner’s involvement; this data is put into the system by third parties and received by third parties. The only significant difference is that owners of NNTP servers can monitor the traffic between servers whereas owners of Tor servers cannot. Therefore, while those providing the Tor service do not do so for remuneration, it is definitely arguable that they are providing the type of service normally provided for remuneration by commercial ISPs.

If this argument is not accepted by a court, the only obvious distinction would be on the protocol used for the “information society service”. This would have profound (and unpredictable) ramifications for the legal landscape, at least in Europe. Over time fewer and fewer commercial ISPs have continued to supply NNTP services on their servers; following a protocol-based ruling, should a time come when no commercial ISP supports this service, any academic institution or non-commercial body continuing to support it would suddenly lose the immunity of the Directive and be open to liability for what third parties post onto the Usenet system.

Interestingly, the US equivalent provision, Section 230 of the Communications Decency Act, does not appear to make any reference to any commercial element in the provision of service, but also appears to give a less absolute protection to the service provider.8 In our hypothetical Usenet scenario, US users could post messages for which US server owners would have no legal liability, but for which EU server owners could be held criminally responsible; the only safe option for EU residents would be to cease operating such a service. This would in essence mean that what internet services are available to individuals in the EU would depend on what is commercially supplied, cutting out the academic and other non-profit bodies which have historically made a significant contribution to the development and expansion of the internet.9

It will therefore be interesting to see how the Austrian authorities proceed with this case…

1. Most packets are more like postcards than parcels: the intermediate computers can read them, but each only contains a few sentences of the full message. However, using encryption, those few sentences are simply an unintelligible jumble.
2. Of course, if one is in an oppressive state these may be one and the same.
3. It is a block on SMTP port 25, used for sending mail; you could still collect mail using e.g. the POP protocol.
4. If you believe “if you are doing nothing wrong, you have nothing to hide”, may I ask whether you favour a couple wishing consensual sexual intercourse to do so in a busy city thoroughfare at midday, or should they get a room to themselves?
5. The UK regulation implementing Art. 12 of the Directive.
6. As an EU directive it is worth cross-referencing with another language version: in French it is “c’est-à-dire tout service presté normalement contre rémunération, à distance par voie électronique et à la demande individuelle d’un destinataire de services”.
7. If you wonder why someone might voluntarily donate part of their internet connection and computer equipment to such a service, please check the definitions of “altruism” and “civic responsibility”.
8. Anyone qualified in US law who would be interested in collaborating in a more detailed Comparative Law examination of the US/EU laws, please get in touch.
9. Contrast this with the rise of the Open Source movement…
