Privacy Infrastructure: Challenges and Opportunities

Video in TIB AV-Portal: Privacy Infrastructure: Challenges and Opportunities

License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract:
We started our own transit Internet Service Provider (ISP) to safely route anonymized packets across the globe, and you can too. Emerald Onion is a Seattle-based 501(c)3 not-for-profit and we want to help other hacker collectives start their own. Getting your own Autonomous System Number (ASN), managing Internet Protocol (IP) scopes, using Border Gateway Protocol (BGP) in Internet Exchange Points (IXPs), dealing with abuse complaints or government requests for user data -- this is all stuff that you can do. Not every technologist is comfortable with launching and managing a nonprofit organization let alone has all of the technical knowhow to run an ISP. We didn't either when we started. We had a goal, and that was to route unfiltered Tor exit traffic in the Seattle Internet Exchange despite National Security Agency (NSA) wiretaps in the Westin Exchange Building. This talk will cover high level challenges and opportunities surrounding privacy infrastructure in the United States.
Hey, thank y'all for coming. My name is yawnbox. I co-founded Emerald Onion; we're a 501(c)(3) transit ISP, and we currently route a whole bunch of Tor exit traffic, based in Seattle, Washington. Three years ago I started this idea. I started sharing this idea with some friends of mine in the privacy community that the current way of building out the Tor network might not be ideal for the version of the internet that we want, and that might be to Tor-ify everything, to push everything through Tor. Whatever. I think that Brave is testing using Tor in the private browser mode; that's awesome. Facebook has their onion; that's awesome. DuckDuckGo, all of the media organizations that use SecureDrop, that's great. But if we want more providers using onion services to protect their users' privacy, then I think we need to go about building out Tor infrastructure and privacy infrastructure a little bit better. So a year ago me and some friends co-founded Emerald Onion. We registered in Seattle in Washington State and we've been online for a little over a year now. Most of the content in my slide deck, or the details of the content, is on our website, emeraldonion.org, because I don't have enough time to go through all of the detail in this talk.

So, starting up: we did the Washington nonprofit status. The Articles of Incorporation that we did are compliant with the IRS 501(c)(3) requirements; it's there on that website, emeraldonion.org/articles. I should step back real quick. One of the overall purposes of Emerald Onion is to try all of this stuff, make it work, and then publish what we do on our website. So the articles, like all the other stuff in this presentation, are going to be online so that you all can easily approach these problems.

Step two for us was registering with ARIN to get our ASN and our IPv6 and IPv4 scopes. ARIN, if you don't know, is like a domain registrar, except instead of going there for domains, you go there for IPs. There's an application process. You have an ASN that you use to talk to other ASNs if you're using protocols like BGP, which we do. This process took a little less than a month. The application process that we went through is also published on our website so that you can more easily do that. So this is our ASN: we have a /36 IPv6 scope, we have a /24 IPv4 scope, and we use our ASN again to communicate with other ASNs that we peer with in the Seattle Internet Exchange. So yeah, ASNs, they're cool. Use your ASN to announce to other ASNs; we use BGP.

One really cool thing that we found out, someone randomly told us on Twitter, which was pretty cool: IPv4 scopes were exhausted a few years ago, but ARIN actually has this 4.10 policy which was set aside to facilitate the adoption of IPv6. So if you can articulate to ARIN and apply, go through that process, they'll actually give you a free /24 IPv4 scope, and so that's what we did. We were able to articulate this because Tor in its current state only supports IPv4 traffic between relays, so from guard to middle, from middle to exit, that's all IPv4 only. Tor Project wants to expand and do more IPv6, but we need more operators to use IPv6 in order to curtail potential surveillance issues around having a limited subset of our nodes being IPv4 only. So please, if you're an operator, please support IPv6, because we need it, and hopefully one day we'll be able to only use IPv6 and we can get rid of our IPv4 scopes.

So because our long term goal was to get 501(c)(3) status as a public charity... sorry, that's a little early. So the IRS EIN: this is basically your social security number for your organization. It's a quick, easy thing that you do online. 501(c)(3): we wanted to become a public charity so that we could be sustainable in our funding. It's easy if you do it right. This was one of the biggest hurdles that we had mentally going into it; we had no idea how long it was going to take, if it was going to be possible. We were being coached by Riseup Networks and Calyx Institute and other not-for-profits, and it just seemed like this might be an impossible task in this current day and age for a tech organization to get 501(c)(3) charity status. It was actually really easy. So the trick that we learned is: don't make fifty thousand dollars in your operating budget for your first year, and that qualifies you for the 1023-EZ. The 1023 is what you would use to apply for 501(c)(3) status through the IRS, and make sure that you do that within the first year, roughly. So the 1023-EZ not only made it cheap, it was two hundred seventy-five dollars compared to, I think, the normal 1023 process, which is like 850. We didn't need a CPA, we didn't need a lawyer, and if you can see by these dates here, it was like sixteen days. For some reason the IRS didn't actually tell us that we got charity status; we had to look it up manually online. So cool, but we got it.

So part of our Articles of Incorporation, this is Article 4: one of our goals as an organization that wants to support privacy was to try and make sure that our scope was general. So the purpose of this corporation is to promote and support online anonymity and privacy. We wanted to keep it very general so that in the event that Tor is, you know, the hot stuff right now, maybe mixnets, maybe whatever is going to be what we need to build out in the future, and there's a whole bunch of other stuff that we could potentially do as a 501(c)(3) charity, so we wanted a general mission statement. Another small thing in the 1023 process: this is how you signify to the IRS what kind of an organization you are. There's a huge list of NTEE codes; we spent a couple weeks going through all of them and deciding which one we wanted to go with, but we felt like this was the best one given our presumed scope for operating as a transit ISP.

As you can see here, this was the timeline and how much it cost to legitimately become a 501(c)(3) transit ISP. If we had known that the IRS process was going to be so easy, we'd have done that sooner, and we probably could have done it by July. But yeah, bottom line: this is something that you can do; this is not that hard. We didn't need a CPA, we didn't need a lawyer. We had them anyway because we were fortunate and our network of friends and family supported us, but it's actually not needed if you do these things in the right way.

So we turned on our exit relays in July of 2017. We actually made a small mistake that I want to touch on real quick: we originally leased our IP space from our upstream ISP. We should have just run as a middle relay until we got our own IP scopes. So there was one day when our ISP emailed us and said, hey, we're getting abuse, we're going to start charging you a dollar an abuse complaint if you don't stop. So that would have been kind of expensive, and thankfully ARIN had already approved our IP scope, so we were in transition already to use our own scopes. But it's just a lot easier starting up if you start as a middle relay, and then once you get your own IP scopes you can start exiting.

So in this year process we transited 3.5 petabytes of data and we received roughly 3,100 unique abuse complaints. 99% of these abuse complaints were automated, we noticed, but they came in nonetheless. Most of them also don't require any kind of response, but we responded anyway, just to be proactive, just in case something were to escalate. We use Zendesk to automate that automated response back, and we serve our legal FAQ, which I'll be talking about shortly, to educate them about what we do and why we're doing it. So basic math here, which I think is pretty cool: for every 1.2 terabytes, or sorry, 1.13 terabytes, we receive an abuse complaint, and that's a unique abuse complaint, and it could be anything from spam, because we run as an unfiltered exit router so we don't block any ports. Could be spam, could be SSH attacking, I don't know, there's just a bunch of random stuff. We used to get a bunch of DMCA but that stopped randomly.

So Emerald Onion preemptively developed a strong legal backbone right at the beginning. We reached out to Marcia Hofmann at Zeitgeist Law to help us create some legal FAQs that are also on our website for free, so please check them out and use them if you're operating like we are in the United States, because they're not really valid anywhere else. We have two versions of the legal FAQ. One of them you would give to your ISP: if your ISP receives an abuse complaint, you could give them this FAQ and it would be valid in explaining that what you're doing is legal. And then we have another legal FAQ which is for if you were to receive abuse from anyone; that is the one that we use for automated responding now that we have our own IP space.

So one small thing: we just note publicly that we don't log any information. Tor does a good job of this already, but we audit our devices to make sure that we don't log any network information above and beyond what Tor already doesn't record. So the extent of what we technically have is like DNS cache and BGP caches, but none of those are super sensitive, thankfully. So this is our policy that we state on our website.

So, DMCA. DMCA is interesting; it's stupid but it's here. Basically, in order to be compliant with the DMCA safe harbor, the DMCA protections of a conduit provider, you need to have a termination policy. So this is our termination policy here. It basically says we don't have any subscribers, we can't identify our users, but in appropriate circumstances we will terminate. We don't really have a technical way to do that because of Tor, but we have to have this policy just to be compliant with the DMCA protections. So cool.

OK, so also in that past year we received two subpoenas. This is just one example; both of them were from the Department of Homeland Security. We published a transparency report here on our website, and there's a whole bunch of other things beyond subpoenas that we list just to be explicit, so we update that regularly. This was pretty scary for us to receive the first time. We kind of expected that something like this might eventually happen, just talking to Calyx and other operators. These came in via email; they don't come in via mail, that surprised us. So they send it to our admin@ address. It was really scary at first, but it doesn't seem that way now, just because we've had a little bit of practice.

So basically, some takeaways. Don't run an exit router from your home, obviously; Tor Project does a good job educating people about this. The reason why you don't want that is because you don't want law enforcement to come and kick in your door and take your computers just because someone did something presumably malicious from your exit router. So put it in a data center, and ideally own your own IP scopes, like your own v6 and v4 address scopes. That way, instead of being at the point with law enforcement where they come and kick down your door and take your stuff, they send you an email and they're civil and they're like, hey, we have this IP address, we need some user data, and we can just literally reply and say, hey, we're running Tor, we don't have data, here's a legal FAQ, please let us know if we can help further. Again, a lawyer isn't needed for this process. At first we did have our general counsel call and just talk to them, just to understand this process, but it's actually to the point where we're just going to email them back now if they send us another one and just say, hey, we can't help, sorry.

So today we're launching a new program. It's called "onions a lawyer". Something that's been missing in the Tor community for a while is clear legal support. So our general counsel, Matt McCoy, is leading this, and in partnership with the Yale Privacy Lab, it's a distribution list that you can contact in the event that you are under legal duress because of your operations with Tor. It's a network of pro bono attorneys that will do their best to support you in the event that you need help; if they can't, hopefully through their networks they can find someone that can. But hopefully this is something that becomes important in supporting operators. Oh yes, if you're an attorney, please reach out and volunteer for this. If you have a friend that's an attorney, please convince them that this is something that they might want to do and have them reach out so that we can grow this.

OK, so data center stuff. To move in we had to have three types of insurance; these are the three types. We bought our own hardware. We use a low power Xeon D platform that has integrated 10 gigabit fiber, so it's nice and cool and has good connectivity. Because the Tor network is roughly 90% Debian, we decided to go with a BSD platform. We decided to go with HardenedBSD because of its inherent exploit mitigations and general security, which we think also improves the health of the Tor network. This is an outstanding project; if you are into BSD, please support them. If you're an operator, please consider using HardenedBSD or something that isn't Debian. That'd be cool.

OK, so this is our current colocation and our costs. Nothing special about it. We have a gigabit unmetered link. This particular link is actually part of our internet exchange point connectivity, so we transit through that connection, so we only have one 10 gigabit fiber drop, which is cool, and then we have connectivity to the Seattle Internet Exchange, which I'll talk about more here.

So internet exchange points are really cool. They provide direct access to a whole bunch of peers, and what I mean by peer is someone that you physically connect to. This is really important for Tor exit operating, because say you're facilitating the Tor traffic from a middle relay to your exit and then it's going out to the internet from that exit. It is ideal, I think, that the traffic that you're exiting to its final destination has as few hops as possible, and what I mean by a hop is some other router or switch on the internet that is owned by some unknown company, and every one that it traverses is an opportunity for surveillance in some form or fashion. So peering is really awesome, I think, for the Tor network, not just because of latency minimization; I think our average latency to our peers in the SIX is 0.35 milliseconds, so it's really quick, so that also helps the user experience, kind of. But mainly it's the surveillance minimization properties of IXPs that we think are really valuable. So as you can see here, we peer directly with Google, with Amazon, with Akamai, OpenDNS, Twitter. So if people are using our exit relays, they're going to terminate at those endpoints very quickly and with no other third parties observing that traffic, hopefully, aside from the route servers that we connect to in the IXP, hoping that they're not backdoored, and I'll talk more about that.

So, jumping into this: we were kind of fortunate with the Seattle Internet Exchange. It's a non-profit IXP. It advises that you don't surveil the ports if you're a peer, which is good. I'm hoping that they eventually one day adopt a transparency report; that would be better. Nonprofits have inherent transparency aspects to them, like publishing where they get their money, what they spend on, stuff like that. So finding nonprofit IXPs, I think, is really awesome. Geolocation: that could mean its proximity to an undersea cable, it could mean its proximity to a certain provider. There's like a hundred and, I think, twenty-ish IXPs in the United States, so there's quite a selection, and most of them are in dense areas to begin with, so there's not a lot of choice, but there's some strategic choices that you can make. Participation: this could be a certain provider like Amazon, like Cloudflare, Akamai, big providers, places that traffic will go on the internet; the more the better, so that there's more peers that you're extending exit traffic to. And then of course costs. Mostly the IXPs that we've seen are for-profit and pretty expensive. Ours, we paid 2,000 for a 10 gig port; it's a one-time cost, there's no recurring fees, which is awesome. Not many are like that.

This was a recent article about one of the biggest IXPs in the world, and it's in Germany, which is unfortunate because a lot of the Tor network is in Germany, just because of how cheap their bandwidth is. It's not clear how bad this might be for the Tor network. Personally I would try to avoid DE-CIX just because of this known issue of active government surveillance, also part of Five Eyes, so it's best to avoid that if possible.

So challenges for finding good IXPs: obviously if they're under active surveillance, that's not ideal. There's lots of data centers without IXPs; like I said, there's 120 roughly in the United States. Large ISPs, so Comcast, AT&T, whatever, because they're profit-driven, they tend to have restrictive peering policies, which means they're not open to peering with anyone; they're only going to charge money, which is not good for, I should say, privacy. And then content providers with no peering policies: some providers just refuse to peer because it doesn't make sense, which is also unfortunate, because that means we have to send traffic around in some other way and it's going through some other provider that we just have no accountability for.

OK, so undersea cables. We have a good guess that these are all tapped, which is lame. The way that the Tor bandwidth authorities currently work means that the Tor traffic largely bounces back and forth between Western Europe and the Eastern United States, so there's a whole lot of traffic that crosses the Atlantic Ocean. We have a working theory that there could be some more strategic decisions made in order to place Tor routers, especially exit routers. One of them is to place them in IXPs because of the early termination and the properties there. Another is if they can be placed close to undersea cables, so again, if we can receive that traffic as soon as it comes into the U.S. and it can terminate as quickly as it can without going anywhere else in the U.S., I think that is better. So we are just developing this theory and we're trying to find things that can help us more strategically place exit routers around the U.S.

Today we're also launching this project called Safe Crossing. The first part of this is just Emerald Onion expanding into other places in the U.S.; we think we're going to go somewhere along the East Coast because of the things that I just discussed. But more importantly, Safe Crossing is going to be research and development around the deployment of net new IXPs. Because of our experience with not being able to find non-profit, affordable IXPs with the qualities that I already talked about, we want to build our own. Where there is dense connectivity, we're looking there; there's some underserved areas where we think IXPs could be built, and places like Puerto Rico we think would be a really great starting point for something like this. But it's basically to compete with the profit-driven IXPs that are also generally surveillance friendly. So it's about creating safer spaces on the internet, basically the backbone of the internet; this is kind of a cheap way to do that, to create safe spaces for traffic to move about. If you're interested in helping create nonprofit IXPs and being involved with Safe Crossing, please contact us here, particularly if you're involved with the Open Compute Project or interested in that platform, because it's open hardware, free, libre software, goes up to 100 gigabit; it just seems like an ideal platform that creates a safe space for your compute infrastructure. If you have any IXP management experience, we are interested in learning more about how to actually build one; we'll figure it out. If you have IP scopes or are working for a company that has IP scopes that you're not using, like IPv4 scopes, consider donating them to us, because we will either use them or we'll give them to an organization like us that is able to use them for privacy. And we're looking for partners, so if we can create one IXP somewhere, we want to have big partners on day one so that it entices other people to become part of this new mission and grow the infrastructure in that region, because the more peers the better.

So this is just some quick details about our income. To get started we received a grant from Torservers.net for 5,000. Our directors have been donating monthly, currently up to the sum of about ten thousand dollars. We've received about a thousand dollars of direct funding, and DuckDuckGo included us in their privacy challenge a couple months ago, and we received enough money to just pay for a whole year of operations next year, which is awesome. And the PayPal Giving campaign: someone signed us up for that and they just sent us a random check, which is cool. But that's the benefit of being a 501(c)(3) charity: you can take advantage of some of these programs. Another one that I didn't mention here that we haven't really used yet is if your company matches donations that you make to nonprofits, because we're in those networks as well as a 501(c)(3), which is cool.

Challenges. So fees, obviously money; it costs money to do this stuff. IP transit, that's our ISP. ASN fees, IPv6 and IPv4 scope fees. Transport is where you have to lay fiber from point to point within the data center, so that has a recurring cost sometimes. Colocation fees, equipment fees, peering port fees. So these are all challenges that we have; we're trying to figure out ways that we can make these cheap or free and share that information with the larger community. Generally it's hard to prioritize privacy over anything else. It's really cool to work for Emerald Onion and think about privacy first: not logging, using disk encryption, whatever. But it makes it hard, because we can't log, so when someone DoSes us we actually have no idea who does it, because we don't log the perimeter firewall, just in case some Tor user ends up hitting our firewall in some weird way and causes us to log the traffic. We just don't want the IPs. So making those kinds of choices makes it hard to operate in that way, but that's what we think is important, so we prioritize privacy over money. Open-source networking hardware: there is more and more open hardware showing up, but specifically networking hardware is unique; both firmware and full-stack compute are challenging. There's some options out there, like I mentioned the Open Compute Project, but there needs to be more. We can always use more network redundancy. One thing that we want to do better is having redundancy in our WAN and LAN stacks, but if we want redundancy there, we're going to be multiplying our cost by at least a factor of two, just because we have to have at least two of everything, and that usually comes with other additional costs as well. So we want to have that, but again, that's a big challenge. IPv4 scopes, obviously because of the exhaustion issue, create a higher bar for someone jumping into this to get started; if they could just jump in with only an IPv6 scope, that would be easier. And of course technical volunteers: it's hard to find people and keep people that are passionate about this stuff, so that's always a challenge.

So I wanted to give a quick shout out to Tor Project for hiring their relay advocate. Colin, aka phoul, is their advocate. If you are an operator, he probably has already reached out to you if you have updated contact information in your torrc file. So if you need help directly, like something that you can't get from the email lists, you can reach out to Colin and he can help you out.

Lastly I want to thank my team. I have a really amazing team of volunteers on the board of directors and our advisory board. We just wouldn't be here without the help of everyone. So yeah, thank you.
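One way to implement the abuse-complaint handling the talk describes (reply to every complaint, acknowledge only addresses inside your own announced scopes, serve the legal FAQ, persist nothing), as an added Python example that is not Emerald Onion's code. The prefixes, FAQ URL and sample complaint are constructed placeholders, and the "automated sender" heuristics are assumptions, not the speaker's Zendesk rules.

```python
"""Automated triage of inbound abuse complaints for a Tor exit operator.

Added example, not Emerald Onion's code. It models the workflow the talk
describes: every complaint gets an automated reply that serves the legal
FAQ, only IPs inside the operator's own announced scopes are acknowledged,
and nothing about the complaint is written anywhere (no-logging policy).
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string

# Placeholders: the talk mentions a /24 and a /36 but does not name them,
# so the IETF documentation ranges stand in for the operator's scopes.
OUR_PREFIXES = (
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/36"),
)
# Placeholder URL for the public legal FAQ the reply points to.
LEGAL_FAQ_URL = "https://example.org/legal-faq"

# Loose candidate scan; ipaddress.ip_address() does the real validation,
# so tokens such as the timestamp fragment 12:00:00 are tried and rejected.
_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]{7,45}")


def extract_ips(text: str) -> list:
    """Return distinct, validated IP addresses found in free text, in order."""
    found = []
    for token in _CANDIDATE.findall(text):
        token = token.rstrip(".,;")  # sentence punctuation after an address
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr not in found:
            found.append(addr)
    return found


def is_ours(addr) -> bool:
    """True if the address falls inside one of our announced scopes."""
    return any(addr in net for net in OUR_PREFIXES)


def looks_automated(msg) -> bool:
    """Heuristic (assumption): RFC 3834 Auto-Submitted, X-ARF, or a bot-style subject."""
    if msg.get("Auto-Submitted", "no").lower().startswith("auto-"):
        return True
    if msg.get("X-ARF", "").lower() == "yes":
        return True
    subject = msg.get("Subject", "").lower()
    return "automated" in subject or "[abuse report]" in subject


@dataclass
class Triage:
    automated: bool
    our_ips: list
    foreign_ips: list
    reply: str


def build_reply(msg, our_ips) -> str:
    """Compose the canned response; the wording is a constructed example."""
    subject = msg.get("Subject", "(no subject)")
    if not our_ips:
        body = ("None of the addresses in your report fall within our announced "
                "IP scopes, so this complaint appears to be misdirected.")
    else:
        listed = ", ".join(str(a) for a in our_ips)
        body = (f"The address(es) {listed} are Tor exit relays operated by a "
                "non-profit transit ISP. We have no subscribers, keep no "
                "connection logs, and therefore hold no data identifying the "
                "originator of this traffic.")
    return (f"Re: {subject}\n\n{body}\n\n"
            f"Our legal FAQ explains what we do and why: {LEGAL_FAQ_URL}\n")


def triage(raw_email: str) -> Triage:
    """Parse one complaint and produce the automated reply.

    Pure function: nothing is stored, matching a no-logging policy.
    """
    msg = message_from_string(raw_email)
    ips = extract_ips(msg.get_payload())
    ours = [a for a in ips if is_ours(a)]
    foreign = [a for a in ips if not is_ours(a)]
    return Triage(looks_automated(msg), ours, foreign, build_reply(msg, ours))


# Constructed sample complaint (all addresses are documentation ranges).
SAMPLE_COMPLAINT = """\
From: abuse-bot@example.net
To: admin@example.org
Subject: [Abuse Report] SSH brute force from 192.0.2.45
Auto-Submitted: auto-generated

Our host 198.51.100.7 logged 412 failed SSH logins from 192.0.2.45
between 2018-07-01T12:00:00Z and 2018-07-01T12:30:00Z.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_COMPLAINT)
    print("automated:", result.automated, "ours:", result.our_ips)
    print(result.reply)
```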