August 1, 2007

Privacy vs Profits: The false dichotomy of commercial anonymity

I often overhear comments such as "You can't trust commercial anonymity networks; all they care about is the bottom line." It is a common thought, because it makes sense, and for the most part it is true. I don't think you can trust most commercial anonymity services, nor should you. From what I've seen, all but two of them stink right on the surface, and there is no telling what goes on behind the counter. But that isn't what the comment is getting at. For some reason, people become suspicious the moment money is involved. Maybe they are thinking, "If you'll take payment to protect me, will you take a little bit more to spy on me?" A valid concern, but let us step back.

Do you distrust a lawyer's defense of your interests because you pay them? Do you suspect a doctor of foul play because there is a bill? Of course not. They are there to do their job. In fact, I posit that they have more to lose precisely because you are paying them: their reputation is on the line, they have a duty to fulfill their obligation, and, hopefully, word gets around if they "rat you out". So the statement raises the question: why does the bottom line get in the way of trust?

First, let's examine the situation: commercial anonymity networks versus free anonymity networks. A free anonymity network is run by unknown individuals who may or may not collude, may or may not be monitoring your exit-node traffic, and who owe you nothing. In fact, they give up their bandwidth, which could be generosity or could be due to ulterior motives. Such networks are inherently prone to attempts at spying and to some traffic analysis, and have even been "theoretically" compromised by technical attacks such as the Sybil attack, in which one party runs many nodes under different identities. A strong point in their favor is that they are difficult to observe as a whole, since there are 1000+ nodes in the Tor network. I2P has its own great things to boast about; I think its network is designed to be unobservable, but apparently it isn't quite ready for the big time. When a subpoena is served or police show up, the node operator may get hassled, but they probably didn't keep logs, they aren't a single entity, and there is no guarantee that the target will use that node again, even if you could track them. So in essence, the user's identity isn't known by the person who gets investigated.

Commercial anonymity networks would typically be run by a single entity. Most of them are run from the USA, which is itself a bad idea. By "run", I mean that the firm is incorporated, and the principal owner(s) reside, in the USA. The risk is to the corporation itself, because a hazardous jurisdiction can put the firm, or the principals who control it, under pressure to violate their oath (promised or implied). A specific example is the situation of e-Gold: not only were its assets confiscated, but the law firm that was supposed to protect the trust holding those assets caved under governmental pressure, and the owners themselves live in the US. For all intents and purposes, it was a US company, despite its foreign registration. So we know the risk that a firm endures, but how does that transfer to the customer? Via moral hazard.

The moral hazard in this instance is the trust that the customer places in the firm. Due to asymmetric information (the customer cannot see what the firm actually does with their data), the firm is inherently subject to a dilemma:

"Do we immediately comply with requests for data about our customers, or do we protect them and investigate if the claim has merit, and say NO if it doesn't?"

For firms located in the US and the UK, the dilemma has a built-in answer: they have no choice. Their assets will be seized and the people involved will be arrested and imprisoned for obstruction of "justice" or some other charge. Very few people are willing to go to jail for what they believe in, especially for someone they've never met. So they face a different dilemma:

"Do we keep doing business and hope nobody finds out we are spying on our customers, or do we close up shop?"

Unfortunately, they may not have a choice in this situation either. They may feel compelled by the powers that be to keep operating as a honeypot, so the agency can drop by and collect the flies that get stuck. Or, as in the case of e-Gold, they may openly and proactively work with the FBI without demanding proof that the customers involved are actual criminals. Of course, they do not have the prerogative to demand proof, since the governmental authority of that jurisdiction is involved. So this sort of situation could happen, or may already have happened, to many of the privacy providers located in risky jurisdictions. The bitter pill is sweetened by the fact that the firm under pressure can keep making money and pretend the horrible situation never happened. Such tactics are often used by police who pick up drug dealers, turn them, and get them to become informants. For e-Gold, it didn't turn out as well: they cooperated completely, and they were still pillaged and accused. The message should be clear to providers of controversial services: it is not in your long-term interest to cooperate. But people don't live day to day by long-term decisions.

So what is the solution to a bad situation? Don't get into that situation in the first place. Don't do business with poorly structured commercial anonymity services, especially those that operate out of legally risky jurisdictions such as the USA, Canada, and the United Kingdom. If you are using them, stop. Even though you aren't doing anything illegal, by using their services you could be volunteering your data for observation and snooping. A little paranoid? Maybe. But I would rather err on the side of precaution when nobody really knows what either hand is doing. What would I personally suggest? Investigate the anonymity services out there. Find out their reputation and what jurisdiction they are formed in. Ask their customers what they think, and take it all with a grain of salt.

Steve

10 comments:

mniess said...

Do you suspect a doctor of foul play, because there is a bill?

In fact, I do! You can ask yourself, is this kind of surgery necessary or is it just done to maximise profits for the hospital? (see Sicko)

Well, good article, good points! Will definitely help in the next argument.

Anonymous said...

Hi Steve, just caught you at Defcon and was doing some background checking of XeroBank. This post hits on exactly what is leaving a dirty taste in my mouth no matter how much positive information I find about XeroBank.

Trust is the issue we're having. xB is a young entity and does not have a positive or negative record that's yet publicized.

Really the only way that myself and most others trust technical systems is by completely understanding them. I wish that xB had more information on their site. I know it's in the making but right after Defcon, I was kind of disheartened to see that there was little to no useful technical information besides a hidden wiki with a few howto's.

That being said, maybe you could use this blog or that wiki to open more information to the public like tor has done.

For instance, maybe a little explanation of how the sovereignty you talked about in the Q&A works - what does it protect and what doesn't it, whether or not it is already in place, and comment on the implicit threats that a lack of jurisdiction [see anarchy] would have on end users. Specifically, what if a user needs to seek legal action against xB. Also, are there guarantees on anonymity or just strong attempts? If there IS a guarantee, what happens after an infraction? Some kind of retribution?

Lots of questions before trust is created, but I'm impressed by what is promised so far.
Thanks

Rochester, NY

Steve Topletz said...

Anonymous

"Trust is the issue we're having. xB is a young entity and does not have a positive or negative record that's yet publicized. "

Consider that it is likely the only news you will ever hear about a firm is bad news, as happily protected people aren't terribly forthcoming to gloat about it. So we should give it some thought, when do we hear about people getting rolled-over on? Was it legitimate? Hmm.

So what would you like, a specification? We're pretty busy building internal stuff, and less on documenting. But in the turn of things, once it is done to x degree, we'll start backfilling with documentation.

Regarding what a user needs to seek action against xB? Hmm. I think that will be difficult. I'll ask legal about it. Guarantees of anonymity, well i don't think anything is 100% anonymous, we are only dealing in degrees, and anonymity doesn't have a scientific metric of measurement. So that is a difficult question, but valid indeed.

Of course, users can always compromise their own anonymity, we can't guarantee against that. I think what we should be looking for is a specific liability and a statement of what we will and won't do under circumstances, and what the consequences of violation are. Does that make sense?

Anonymous said...

Thanks for the response. It all makes sense.

I believe that it was either Roger Dingledine or Nick Mathewson that agreed with your point when he said running any kind of anonymity service/network like this requires a "thick skin."

So yes, we will never hear about a person that actually WAS anonymous because... well, they wouldn't be anonymous anymore. As well, you'll never be able to post valid testimonials on Xerobank.com, but rather what you'll see are the complaints and horror stories showing up on Digg that, for some reason or another, whether or not it was caused by the end user, a person's anonymity was lost.

Nick Mathewson agrees with your point about "was it legitimate?" and says "follow information to its source" when hearing bad news about anonymity networks. Tor has had the same problem when "some guy" posts a blog about how the NSA owns a backdoor to the network that is a complete lie, or someone sends clear text passwords over a malicious exit node [something that xB will have to worry about less]. It's hard to defend from paranoid conspiracy theorists just as much as uninformed users.

So I completely understand the point that xB can only do so much to protect a user and then at some point it is up to the user to protect themselves. Since we like to draw correlations, would you expect a doctor to cure you of an incurable cancer that was caused by years of smoking? No, we'd expect that the doctors do all that they can to heal you, but if during a surgery they make a mistake and remove the wrong body part, it is a common consensus in the US that the surgeon or institution be held liable for the mistake.

My point being that I agree that a terms of service that would cover what you will and won't guarantee complete with case scenarios and constrained to a specific scope, would be something worthwhile to me and other future users.

It's also understood that for most of us, documentation is the last thing you do. Especially for a newer company that still has the size to be very agile and ever evolving. I still look forward to more information to make a healthy comparison between xB and other services.

So commiseration aside, and empathetic to your plight, I look forward to future blog posts and website updates on the progress and challenges you face.

Rochester,NY

Anonymous said...

Steve, I also caught you at DEFCON..
Great presentation. I admire your work and your courage in developing your product line. I feel strongly that Xerobank fills a most important role to the privacy/anonymity scene. If you weren't here things would be vastly different! Having said that.. Are you willing to be forthcoming about your relationship with Metropipe? Honestly.. Xerobank seems like Metropipe+. Now.. MP is a great network!! I've used them in the past.. Very good.Solid. Trustworthy.. I think people had 2 issues with them 1) Lack of support 2) Folks really did not know who they were and if they could be trusted.. Would you care to weigh in on your relationship with them?

Steve Topletz said...

Anonymous from Rochester,

"Since we like to draw correlations, would you expect a doctor to cure you of an incurable cancer that was caused by years of smoking? No, we'd expect that the doctors do all that they can to heal you, but if during a surgery they make a mistake and remove the wrong body part, it is a common consensus in the US that the surgeon or institution be held liable for the mistake."

That sounds reasonable. Luckily the process is a little bit more simplified in computer terms, because the process is the same for everyone, regarding our practices. No unique body parts to remove ;)

-------

Anonymous,

"Steve, I also caught you at DEFCON..
Great presentation. I admire your work and your courage in developing your product line. I feel strongly that Xerobank fills a most important role to the privacy/anonymity scene. If you weren't here things would be vastly different!"

Thanks!

"Having said that.. Are you willing to be forthcoming about your relationship with Metropipe? Honestly.. Xerobank seems like Metropipe+. Now.. MP is a great network!! I've used them in the past.. Very good.Solid. Trustworthy.. I think people had 2 issues with them 1) Lack of support 2) Folks really did not know who they were and if they could be trusted.. Would you care to weigh in on your relationship with them?"

Sure. We greatly admire Metropipe for a lot of their design and implementation ideas. In fact, we have consulted with them in the past. Regarding our relationship, we have no commercial relationship with Metropipe, but we do have two ties to them. The first is that we have hired an administrator away from Metropipe, and the second is that Metropipe and XeroBank and a few other commercial services out there acquire resources from the same independents and talents. That is pretty much "it" regarding disclosure. What I didn't get to cover at DefCon, and what may be more revealing, is that I also admire some other commercial services out there such as STunnel. They seem to have a good setup and service from my surface point of view. I didn't find any big security bugs or oversights that I saw elsewhere. Unfortunately, there was nothing we could learn from them, as our software is easier to use and we have a better SSH network design; otherwise we might be talking about how XeroBank could have ties to STunnel.

Now, there are some things more to be said. We borrowed the IPSpy system from the prior Metropipe admin, which we had legal authority to do (after some discussion). It should also be noted that the ChatZilla plugin I added goes to an IRC channel for DistributedCity, an anonymity/privacy discussion outpost. It happens that this channel is hosted on a Metropipe IRC network. Coincidence? Not really. The anonymity world is a lot smaller than most imagine. We know each other, and we know who the scammers are. Perhaps you would also be surprised to learn that XeroBank, e-Gold, Rayservers, Metropipe, Liberty Reserve, eBullion, Loom, Vertoro, Privacy.li, GoldNow, etc, all read and post on the same discussion list. Does that mean we are connected? Of course not, in fact some of them are at each other's throats. What we have in common are some great design ideas, good implementations, and common visions... some more than others though. Check out our easteregg in the latest xB Browser, in addition to the comments we've made; you'll start to get where the "connection" really lies.

Anonymous said...

Steve, thanks for clearing up any confusion about XB's relationship with Metropipe. Absolutely nothing wrong there to begin with, but it seemed vague. No more!!

Anonymous said...

I wonder why you haven't mentioned Anonymouse.org which is actually one of the biggest privacy services around and the jurisdiction where they are formed in is quite good too.

Steve Topletz said...

Sure, we can include Anonymouse in there, but it is a different sort of beast because 1) it is a web proxy, 2) it is in a good jurisdiction.

However, the jurisdiction for Anonymouse may go bad if they stay there or are incorporated there, because on Jan 1, 2008 Anonymouse may be required to do data-logging or shut down.

Anonymous said...

Anonymouse may not log but they are already strong cooperators with the policia. The Deutsche data retention law will certainly affect their logging claims, but it will not make much difference because they already collude.