When you look at the user graphs, many of them show a weekly cycle. What's our explanation for why this occurs?
I notice it strongly when I look at the graphs for the meek pluggable transport, where usage is high on weekdays and lower on weekends. The same thing happens in some per-country graphs. (In all these graphs, the light white vertical lines are Mondays.)
https://metrics.torproject.org/userstats-bridge-transport.html?graph=usersta... https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-... https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-...
You can eyeball more examples in the omni-graph: https://people.torproject.org/~dcf/graphs/relays-all.pdf
But it doesn't look like that everywhere. Here are graphs for obfs3 and the United States:
https://metrics.torproject.org/userstats-bridge-transport.html?graph=usersta... https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-...
And there is perhaps even the opposite pattern, where there are small peaks on the weekends, like in Germany:
https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-...
Is there a usual story we tell to explain what's happening? A few hypotheses: * People use Tor at work to get their job done (work firewall blocks sites they need). * People use Tor at work to goof off. * People are relaxing and partying on the weekends, not sitting in front of a computer. * People don't have good Internet at home, so they use it more at work (and Tor use just correlates with Internet use).
George Danezis's tech report on discovering censorship events describes the weekly patterns but doesn't offer a cause. https://research.torproject.org/techreports/detector-2011-09-09.pdf "The deployed model considers a time interval of seven (7) days to model connection rates... The key reason for a weekly model is our observation that some jurisdictions exhibit weekly patterns. A 'previous day' model would then raise alarms every time weekly patterns emerge"
David Fifield
On Tue, Mar 17, 2015 at 06:09:00PM -0700, David Fifield wrote:
You can eyeball more examples in the omni-graph: https://people.torproject.org/~dcf/graphs/relays-all.pdf
That's a really useful overview! It would be great if we could include that on the metrics page.
Is there a usual story we tell to explain what's happening? A few hypotheses:
- People use Tor at work to get their job done (work firewall blocks sites they need).
- People use Tor at work to goof off.
- People are relaxing and partying on the weekends, not sitting in front of a computer.
- People don't have good Internet at home, so they use it more at work (and Tor use just correlates with Internet use).
It looks like many of these patterns started emerging after the big botnet spike. It might be caused by infected office computers whose owners don't know that Tor is running and who tend to turn off their computers over the weekend. There are probably also infected home computers that tend to be used only over the weekend. That wouldn't explain the meek-specific pattern, though, because the botnet only used vanilla Tor as far as I know.
Apparently several countries such as Ethiopia and Uzbekistan had these weekly patterns for a long time, even before the botnet. These countries have a rather small user base and the few users might only use Tor in an office setting, like you said.
Cheers, Philipp
On Wed, Mar 18, 2015 at 12:41:55PM +0100, Philipp Winter wrote:
On Tue, Mar 17, 2015 at 06:09:00PM -0700, David Fifield wrote:
You can eyeball more examples in the omni-graph: https://people.torproject.org/~dcf/graphs/relays-all.pdf
That's a really useful overview! It would be great if we could include that on the metrics page.
Here is the source code: https://lists.torproject.org/pipermail/tor-dev/2014-October/007697.html
Is there a usual story we tell to explain what's happening? A few hypotheses:
- People use Tor at work to get their job done (work firewall blocks sites they need).
- People use Tor at work to goof off.
- People are relaxing and partying on the weekends, not sitting in front of a computer.
- People don't have good Internet at home, so they use it more at work (and Tor use just correlates with Internet use).
It looks like many of these patterns started emerging after the big botnet spike. It might be caused by infected office computers whose owners don't know that Tor is running and who tend to turn off their computers over the weekend. There are probably also infected home computers that tend to be used only over the weekend. That wouldn't explain the meek-specific pattern, though, because the botnet only used vanilla Tor as far as I know.
That's a good observation about the botnet. But I agree, it seems like too much at this point for a malware author to start building in pluggable transports, especially one that's only easily usable with Tor Browser at this point.
Apparently several countries such as Ethiopia and Uzbekistan had these weekly patterns for a long time, even before the botnet. These countries have a rather small user base and the few users might only use Tor in an office setting, like you said.
I wonder if it correlates with censored-ness. I.e., people using Tor for circumvention more than anonymity. Uzbekistan and Ethiopia are both "not free" in the Freedom House 2014 summary: https://freedomhouse.org/sites/default/files/resources/FOTN%202014%20Summary...
David Fifield
-
David Fifield -
Philipp Winter