University clears Tor snooping researchers of misconduct

Chris Soghoian
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

An internal review by University of Colorado officials has found that a controversial research project conducted by a team of computer scientists did not constitute research misconduct. University lawyers have also stated their belief that the team probably did not violate US wiretapping laws.

As I reported in a blog post yesterday, a team of researchers from both the University of Colorado and University of Washington recently presented a controversial study in which they recorded a limited portion of the communications of users of Tor -- a popular anonymizing proxy network.

According to a written statement posted by the research team, an internal university review conducted on the 24th of July 2008 found that:

Based on our assessment and understanding of the issues involved in your work, our opinion was that by any reasonable standard, the work in question was not classifiable as human subject research, nor did it involve the collection of personally identifying information. While the underlying issues are certainly interesting and complex, our opinion is that in this case, no rules were violated by your not having subjected your proposed work to prior IRG scrutiny. Our analysis was confined to this IRG (HRC) issue.

In a statement made to the Boulder Daily Camera newspaper today, spokesman Bronson Hilliard said that University attorneys described the wiretap law as "broad." He added that "legal counsel's opinion was that there's no clear indication that there was any kind of criminal action on the part of the researchers."

The Electronic Communications Privacy Act (ECPA), which governs network surveillance and access to private stored communications, is particularly difficult to understand, something the US 9th Circuit Court of Appeals recognized when it described ECPA as "a complex, often convoluted, area of the law" (pdf). Computer scientists simply have no business making judgments about the legality of network monitoring and interception research -- and should, as the EFF advises, seek legal advice before doing so.

While I have strong personal objections to the methods employed by the researchers, the primary criticism in my original blog post was that the researchers had not sought a review of their project by university lawyers and the school's human subjects review board before conducting their study. Given that the University of Colorado was able to conduct both of these within 12 hours of the publication of my blog post yesterday, it is difficult to see how seeking such reviews ahead of time would have been any significant burden.

Personally Identifying Information

In reaching its decision, the University of Colorado review determined that the researchers did not collect any "personally identifying information" from users of the Tor network. This is in spite of the fact that for 15 days, the researchers collected the unique network addresses of each user sending data through their server.

While that may be the view of the University, there are certainly others that disagree. Back in February of this year, the European Union announced that it now considers IP addresses to be personally identifiable information.

IP addresses have been used by law enforcement to justify FBI raids on homes, by the record companies in copyright infringement suits, as well as in foreign countries, where suspects have been arrested and beaten because their IP addresses appeared in incriminating log files.

In the last few weeks, there has been a significant amount of discussion of this issue, after a court ordered YouTube to hand over the IP addresses of millions of users to Viacom as part of its massive copyright infringement suit against the video sharing site. While Google (which owns YouTube) has long argued that IP addresses are not personally identifying information, at least with regard to calls for the company to delete its own search log files, it rapidly changed its position once it was faced with the possibility of handing such data over to Viacom.

"Safe" storage of data

The researchers themselves admit that the data that they have collected is extremely sensitive. In their statement issued yesterday, they stated that "we took extreme caution in managing these traces and have not and will not plan to share them with other researchers."

If the information was not sensitive and could be potentially used to identify Tor users, why would they need to take such care managing the data, and why could they not share it with others? If it is not personally identifying information, why don't they put it online?

The fact is that this information is extremely sensitive, and were it to fall into the wrong hands -- an oppressive foreign government that does not take kindly to anonymous speech -- users whose IP addresses could reveal their identity could soon find themselves subject to arrest, imprisonment or torture.

While we can be asked to trust this research team not to share the data with others, there is little that they can do if presented with a government subpoena, or other lawful request. Furthermore, there is always the risk that they could accidentally lose the data, or be the victim of data theft.

Finally, the researchers have not said how long they plan to hang onto this data. As much as I criticize Google, at least they partially anonymize their server logs after 18 months.

The only safe and responsible way to handle this sensitive data is to delete it. Anything else is simply irresponsible.

Be Nice to Privacy

To be clear -- my focus on this issue is not about enforcing the law, no matter how flawed it may be. There are many unjust laws that I despise, chief among them the Digital Millennium Copyright Act, and I will eagerly defend researchers who violate these.

Communications privacy laws, unlike the DMCA, are (mostly) written for our protection. After spending the last several months criticizing AT&T, and later the US Congress' complete capitulation for illegal wiretapping immunity, I do not see how I could rightfully defend these researchers. Yes, they had good intentions -- but then, so might have the Bush Administration when it asked the telecoms to help it spy on millions of Americans.