Hi folks,
Last week I was on a panel with a bunch of US Department of Justice prosecutors who specialize in child exploitation cases. I wrote notes for all the things I wanted to say, and of course my plan didn't stay intact once the panel discussions began, but here are the notes for posterity. Maybe they will be useful next time I (or you!) find ourselves in this situation.
--Roger
Three points as general Tor intro:
* Tor's history, including funding -- NRL, EFF, State Dept, Darpa, NSF
* Two pieces to the "metadata security" that Tor provides: the core Tor component that hides your IP address, and Tor Browser which deals with application-level fingerprints.
* Millions of users use Tor every day -- ordinary people, activists, censored people, militaries and law enforcement. That variety is part of what makes it safe to use for all of them. [Story about Dutch cop anonymity system if we want it.]
Follow-up question: The core Tor part? Why is Tor different from a standard proxy or VPN?
* Distributed trust -- privacy by design, not privacy by promise.
* Relays are run by community, 100gbit of traffic on average
[Story about anonymizer if we want it]
* Transparency for Tor is key: design docs, specs, source code, but also global engagement as real human beings. (It's not a contradiction for privacy people to believe in transparency. Privacy is about choice, and we feel that choosing to be transparent is the best way to establish and grow trust with our communities.)
* Ok, so what are hidden services? Most people use Tor to reach websites and other services safely. Onion services (aka hidden services) are special addresses inside Tor that flip that around: people can reach *you* safely.
  - better security built-in
  - can be faster since not competing with exit traffic
  - reduced vulnerability surface area
  - mobility
* We measured what fraction of Tor traffic has to do with onion services: 3%.
  - Something like 7000 onion service websites up at a given time https://blog.torproject.org/some-statistics-about-onions
  - Compare to 2.5M-or-more users *each day*
(That's not nothing, but it is tiny. If you find somebody trying to scare you with huge numbers and pictures of icebergs, make sure you understand their business model before buying their product or believing their claims.)
* Some examples of interesting onion services?
[Pause while we get distracted by other panelists]
"Securedrop" is a tool for people to communicate securely with journalists -- the New York Times, the Guardian, the Washington Post, Toronto Globe and Mail, the AP, etc all run onion sites. (Compare to the FBI's tipline, where they pay Cloudflare to mitm it.)
Ricochet
Onionshare
* The biggest website that has an onion service? Facebook. In April of last year they posted that 1 million people accessed Facebook over Tor in that month. That's .1% of their user base!
* Onion services protect different metadata than https, and it's about giving the users choice.
onion services features:
- stronger security, built-in:
  - encryption
  - authentication, so no dependency on the crappy CA model
  - authorization, so untrusted people can't even reach the webserver
- can be faster since not competing with exit traffic
- reduced vulnerability surface area
- mobility
Surprising (to this audience) users of onion services: Facebook mobile Debian updates IoT operators Activist blogger platform example Govt and law enforcement
-------
Child exploitation sites/users are bad for Tor! They're bad for society in general, but they're bad for Tor in particular. We don't want them as users. See also the discussion at the end of https://lists.torproject.org/pipermail/tor-talk/2015-April/037538.html
What are onion services "most" used for? It depends how you count:
Internet Watch Foundation annual report has hidden services listed as "<1%" of the problem: https://www.iwf.org.uk/report/2015-annual-report
Terbium Labs "dark web" report concludes the majority of onion service content is legal: https://terbiumlabs.com/darkwebstudy.html
I hear bad people use google drive and dropbox for better bandwidth.
But all that said, I don't want to say there is no problem.
* What are some ways of screwing up your security while using Tor? Opsec mistakes; metadata fingerprinting; browser exploits; traffic analysis.
NSA/GCHQ quote about Tor: King of low-latency anonymity systems
UN HR report endorsing Tor.
----
Contradictions for the audience to think about:
- If Tor works, you don't hear about it. So it's easy to overlook or undercount the "good" users.
- Sometimes investigators have to choose between being able to discover victims vs being able to bust people.
- If there is some approach that is able to compromise bad people, the same approach can compromise good people.
- Often, the bad guys work harder on their security than the good guys.
- If we make Tor stronger, we make it stronger for all.
- There are many ways to be bad on the Internet, and fewer ways to be safe.
Central to Tor is the topic of power imbalances: those who have power are less in need of Tor's protections than the most vulnerable populations.
Matt Blaze's great quote about politicians who ask for crypto backdoors: "You can put a man on the moon, so surely you can put a man on the sun!"
----
Problems with "govt hacking" as a solution to "bad people":
- 1) Secrecy: we as society need to have an informed discussion, and if governments won't tell us what they do, how can society make a good decision?
- NSA's goals, the existence of other countries makes this even harder.
- 2) The Feds lose their zero-days, and that hurts everybody. Cf "Shadow brokers".
- 3) When mass surveillance becomes the cheapest and easiest option for fighting any crime...
"Well sure, maybe you trust the people in power now... but what if the people in power change?" I bet US govt people are especially sensitive to this argument this year.
In many ways this is the same as the Apple encryption discussion, and the "https everywhere" discussion.
On Tue, Sep 19, 2017 at 06:12:33PM -0400, Roger Dingledine wrote:
- Some examples of interesting onion services?
[Pause while we get distracted by other panelists]
"Securedrop" is a tool for people to communicate securely with journalists -- the New York Times, the Guardian, the Washington Post, Toronto Globe and Mail, the AP, etc all run onion sites. (Compare to the FBI's tipline, where they pay Cloudflare to mitm it.)
Ricochet
Onionshare
- The biggest website that has an onion service? Facebook. In April of last year they posted that 1 million people accessed Facebook over Tor in that month. That's .1% of their user base!
- Onion services protect different metadata than https, and it's about giving the users choice.
onion services features:
- stronger security, built-in:
  - encryption
  - authentication, so no dependency on the crappy CA model
  - authorization, so untrusted people can't even reach the webserver
- can be faster since not competing with exit traffic
- reduced vulnerability surface area
- mobility
Surprising (to this audience) users of onion services: Facebook mobile Debian updates IoT operators Activist blogger platform example Govt and law enforcement
While perhaps not a good example for that audience, Bitcoin Core supports .onion right out of the box, and will create a .onion and accept incoming connections on it automatically via the Tor control socket API:
https://github.com/bitcoin/bitcoin/pull/6639
The more interesting thing about this is Bitcoin's security model *relies* on having censorship-resistant communication. While PoW makes MITM attacks detectable (and survivable), censorship is an actual security risk to Bitcoin nodes, particularly targeted censorship.
Probably the simplest way to describe this is to say that the double-spend problem that Bitcoin solves is fundamentally one of censorship: a double-spend attack is where you prevent the target from learning about something - the existence of a double-spend.
The interesting thing about this argument is it's not Bitcoin specific either. For example, in my FinTech consulting I routinely recommend that auditing-type things make use of Tor for both the client and server to preserve anonymity. Again, the explanation of why is simple: in the real world, if the auditors announce in advance that they're about to visit, the bad guys get a chance to swap the real books with the fake ones. With crypto - and Tor - we can make it impossible for the bad guys to figure out who the auditors are.