Hi folks,
Firstly, hello! Having met Arturo and Vasilis at the 31C3, I'm keen to get involved more.
On consent: at an absolute minimum, I agree we need better warnings for users.
Below is some proposed text to inform users about the risks of OONI. I'm willing to take on the job of refining this based on feedback.
IMO we need two versions. One short and simple, that users should have to read (and agree to?) before first running ooniprobe. The second comprehensive, to be put on the website and in the docs.
A) THE SHORT VERSION
WARNING: Running OONI may be illegal in your country, or forbidden by your ISP. By running OONI you will connect to web services which may be banned, and use web censorship circumvention methods such as Tor. The OONI project will publish data submitted by probes, possibly including your IP address or other identifying information. In addition, your use of OONI will be clear to anybody who has access to your computer, and to anybody who can monitor your internet connection (such as your employer, ISP or government).
[link to long version]
B) THE LONG VERSION
LEGALITY
OONI does several things which may be illegal in your country, and/or banned by your ISP.
OONI's http test will download data from controversial websites, specifically targeting those which may be censored in your country. These may include, for example, sites containing pornography or hate speech. You can find a list of sites checked at https://github.com/citizenlab/test-lists
Even where these sites are not blocked, it may be illegal to access them. It may also be illegal to bypass censorship, as OONI attempts by using Tor.
In the most extreme case, any form of network monitoring could be illegal or banned, or even considered a form of espionage.
[Include link to some resource on relevant laws globally. Someone like the EFF must have one of these; does anybody have a link?]
PRIVACY
OONI IS NOT DESIGNED TO PROTECT YOUR PRIVACY. It will reveal information about your internet connection to the whole world. Particular groups, such as your ISP and web services used by the ooni tests, will be able to discover even more detailed information about you.
THE PUBLIC will be able to see the information collected by OONIprobe. This will definitely include your approximate location, the network (ASN) you are connecting from, and when you ran ooniprobe. Other identifying information, such as your IP address, is not deliberately collected, but may be included in HTTP headers or other metadata. The full page content downloaded by OONI could potentially include further information, for example if a website includes tracking codes or custom content based on your network location.
You can see what information OONI releases to the public at https://ooni.torproject.org/reports/. You should expect this information to remain online PERMANENTLY. [include details of retention policy, once we have one]
THE OONI PROJECT will also be able to see your IP address [What other info do we get?]
ORGANIZATIONS MONITORING YOUR INTERNET CONNECTION will be able to see all web traffic generated by OONI, including your IP address, and will likely be able to link it to you personally. These organizations might include your government, your ISP, and your employer.
ANYBODY WITH ACCESS TO YOUR COMPUTER, now or in the future, may be able to detect that you have installed or run ooni
SERVICES CONNECTED TO BY OONI will be able to see your IP address, and may be able to detect that you are using OONI
On 28/12/14 06:50, royaen wrote:
Hi Arturo and all,
When it comes to ethics of soliciting measurements and informed consent, I have a different take which has been my research topic over the past years. There are many reasons why I think that directly measuring censorship is scary. First of all, you need to acquire reliable vantage points to run your measurements. Volunteering one’s machine to foreign researchers, or operating a device on their behalf, might be viewed by the government as espionage. Besides, many regions, especially places where we don’t have good infrastructure, have a limited number of companies/volunteers (if any) that allow foreigners to rent computers inside the country. All the current direct approaches, such as RIPE Atlas [1] or other distributed platforms or volunteers running Raspberry Pis are often easy to spot and data collected from them may not be reliable. For example, regarding China, we showed [2] that censorship is different in CERNET (China Education and Research Network) compared to other ISPs.
When it comes to measuring connectivity, I believe that it is better to involve the whole country in doing the measurements rather than volunteers whose safety is at stake. Therefore, I have developed effective methods for remotely measuring Internet censorship around the world, without requiring access to any of the machines whose connectivity is tested to or from. These techniques are based on novel network inference channels, a.k.a idle scans. That is, given two arbitrary IP addresses on the Internet that meet some simple requirements such as global IPID behaviour, our proposed technique can discover packet drops (e.g., due to censorship) between the two remote machines, as well as infer in which direction the packet drops are occurring. Here are more references to read [3,4]. Basically, for one of the idle scans (hybrid idle scan), we only create unsolicited packets (a bunch of SYNACK and RST segments) between two remote IPs, and look at the changes in the global IPID variable to infer whether censorship is happening and if so, in which direction packets are dropped.
Back to my main point, why I am trying so hard to convince you that we also need to use side channels and how this relates to ethics, well, here is the story: The discussion you brought up has been discussed heavily in academia in the past six months after two papers got rejected from the IMC conference because of ethics. One of them was my paper [2] after having received good reviews on the technical contribution. Here is the link to the reviews:
https://imc2014.cs.wisc.edu/hotcrp/paper/243?cap=0243a2kWYrwVqbv0
I personally just got an email with above link from IMC, and because of having had a single-entry visa, I couldn’t attend IMC or the Citizen Lab workshop where a lot of the discussions about ethics were taking place. The ethical issues that usually come up are two: First, using idle scans, no consent from users is collected. Second, censors could mistakenly assume that two machines measured by us are deliberately communicating with each other. This could have negative consequences if a censor believes that a user is communicating with a sensitive or forbidden IP address.
In response to the latter argument, it is unlikely that a censor would come to such a conclusion as only RST segments are created from a client inside a country to a server and only SYN/ACK segments are sent from a server to a client inside the censoring country. An adversary would not witness a full TCP handshake, let alone any actual data transfer.
One mitigation technique that I have been focusing on is to use routers instead of end points for the side channel measurements.
If you or anyone else is interested in using these techniques, I am more than happy to help.
Roya
[2] http://arxiv.org/abs/1410.0735
[3]http://arxiv.org/pdf/1312.5739v1.pdf
[4]http://www.usenix.org/event/sec10/tech/full_papers/Ensafi.pdf
ooni-dev mailing list ooni-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/ooni-dev