With the advent of cryptocurrencies, we're finally in a place where someone can pay me to use a portion of my infrastructure for enabling their anonymity. I'm willing to contribute to the cause as long as it's worth my while.
Your infrastructure will immediately be used to download or upload child pornography. If you're exceptionally unlucky, the FBI will come knocking and, if you're unable to provide them with a useful honeypot, you may risk legal consequences. If you're unable to prove your innocence (the request for the CP did come from your IP address, after all) then you may be very screwed.
I invite the community to toss around ideas about how to protect against this. I hypothesize that it's an unsolvable problem: if you enable strong anonymity, that anonymity will immediately be used for child porn.
One way to combat this would be to have some kind of credentialing, where you are able to generate credentials for the anonymous party to use. Assuming your infrastructure is set up as a Tor hidden service, then it's possible for them to use your infrastructure anonymously, and then you can revoke the credentials for individual violators.
However, under that scheme, your IP address(es) are shared by every user. 4chan will immediately ban all of them as soon as it becomes clear you're a proxy, for example.
It may still be worth exploring, but it needs some thought. Tor itself still doesn't have "endpoint bridges," that is, endpoints which aren't publicly listed. Meaning it's very easy to ban all of Tor, as far as I know.
"I invite the community to toss around ideas about how to protect against this. I hypothesize that it's an unsolvable problem"
I'm not sure if you would count this as a solution, but conceivably you could "enable anonymity" at very low bandwidth ... say ... the equivalent of 9600 baud?
This is fast enough for speech. It is not fast enough for any kind of multimedia that would be acceptable in 2014 and beyond. It might be a barrier that would cause all bad guys to use other networks, but still allow the kind of "freedom" that we're all convinced Twitter gives us (and so on).
> Could you "enable anonymity" at very low bandwidth ... say ... the equivalent of 9600 baud?
What a fantastic idea. This seems worth pursuing. It should be possible to configure a modern browser to work with low bandwidth: HTML/CSS/JS would load, but images and other media wouldn't. Is there any reason why HN, Reddit, Twitter, webmail, and other services like IRC wouldn't be usable under those conditions?
It seems like people might be much more willing to rent out their infrastructure to anonymous parties strictly for those purposes.
When we used the Internet at slow speeds or in batch mode we had people being cautious with bandwidth. Usenet had the informal McQ limit for signatures, which led to newsgroups like alt.fan.warlord to mock people with big or ugly sigs.
The text on the current top story (the Wright Brothers article) is about 11 kbytes. That doesn't include any HTML or CSS or anything else. That would make a page load at over ten seconds just for the text.
The point isn't that it cannot be done, but that people would not tolerate it unless they had a real need.
I stuck with ~30K bps a lot longer than was reasonable (it's still been years...). HN would be fine, a few seconds waiting for a few minutes reading. Megabyte js monstrosities were the problem, they would time out.
Here's the issue. Bring the presumption of innocence back and the problem's solved.
Obviously, that's impossible in the real world.
> credentials for the anonymous party to use
That wouldn't be anonymous anymore. And there's no way to realistically force a single human to have only one credential - if one's banned they'll just generate a new one.
It could be possible to enable someone you trust to use your infrastructure. You don't have to know who this person is. For example, this devconsole HN account that I'm using now is an anonymous HN account, meaning as long as Tor is secure, and I don't reveal myself through e.g. text analysis or timing correlations, it should be hard to figure out who I am. If I were to come to you and ask to use your infrastructure to help me maintain my anonymity, you may read my comment history and decide that you trust me not to do illegal things. Providing such a service would be extremely valuable, because if Tor is indeed not completely impervious, your extra layer of anonymity may be all that preserves one's privacy.
If an authority were to come to you and demand you cooperate in determining my identity, then there would be no way for you to oblige, except by providing them with a log of the VPN activity, or allowing them to set up a pen trap to log the VPN activity. At that point, the privacy is still as strong as the Tor network, so both Tor and this extra layer would have to fall in order to be unmasked.
(In practice, it's more complicated than that: your infrastructure would be a fixed endpoint, meaning that if it's compromised then an adversary would gain a log of your activity. That would provide an overall picture of what you're up to on the internet. Tor rotates endpoints, making it hard to piece together that info. So in practice a user should want your service to be something like a middleman between two different anonymity services. But that's outside the scope of this comment for now.)
This becomes a pretty attractive idea, because it's not necessarily a great idea to assume that Tor should be the world's one realistic defense. Since Snowden used Tor, you can be absolutely certain that various powers are going to take a keen interest in penetrating Tor. They may use dirty tricks to do it, such as joining the Tor project as an apparently-trustworthy developer.
Extra layers of defense such as the one outlined above may be worth pursuing.
> It could be possible to enable someone you trust to use your infrastructure. You don't have to know who this person is.
Am I the only one to whom this sounds absolutely crazy? How can I trust you if I don't know who you are? (I mean the general you, not you personally, devconsole.)
Your comments could have been deliberately sanitized -- perhaps you have trolling accounts elsewhere that you are exceptionally good at keeping separate from this one, and spend time making this one look good. One could be posing as a mild-mannered Python developer here on HN, but be spending one's evenings being Super-Mallory the Malicious, trolling and trading illegal information.
I really want to be able to support things like mesh networks and Tor, but the very risk the GP noted (people will use your resources for Bad Things, and good luck defending from the feds) prevents me from being willing to do so. There's no way I would trust you or someone else that I don't personally know enough to use my resources, unless I were somehow able to keep meticulous logs which exonerate me from any activity they do. (And, I don't trust that such logs would even do that...)
Saying that you should be able to trust a stranger is like saying that you should be able to run a courier service for strangers where you have no idea whether they are transporting drugs or counterfeit money.
> Am I the only one to whom this sounds absolutely crazy? How can I trust you if I don't know who you are?
Well, cryptographers have invented a fancy thing called "ring signatures" that allows one to check whether a signature belongs to someone in a group, but doesn't allow one to determine who exactly that was. So, technically, it's well possible to remain anonymous (as far as belonging to a group does not break your anonymity) and be trusted at the same time.
But, unfortunately, I don't think F2F mesh networks would prosper anytime soon.
While I don't disagree with you, at least in the UK, possession in a cache and, in some circumstances, transmission of child abuse images is a strict liability offence, meaning intent doesn't come into it. I suspect it's the same in many jurisdictions. It's a ridiculous position, but it's still the reality for many.
I think our ability to communicate privately as a society at large is more important than the issues of child pornography or terrorism, both of which have policing avenues besides pervasive monitoring and tracking of all associations and messages through communication networks.
But yes, we should think of the children, 9/11, etc.