[liberationtech] abuse control for Tor exit nodes

Mike Perry mikeperry at torproject.org
Thu Jun 27 11:41:27 PDT 2013 

Rich Kulawiec:
> On Wed, Jun 05, 2013 at 10:16:23PM -0700, Andy Isaacson wrote:
> > This is a really deeply interesting assertion.  You seem to imagine a
> > bright line of "abuse" that is agreed on by all parties, with a policy
> > that can be implemented by thoughtful operators to "make the abuse
> > stop".  I submit that that is not the real world, in many different
> > dimensions.
> 
> [ Okay, so I have a long-winded response to this.  It's possible that
> eventually I'll wander somewhere near a point. ;-) ]
> 
> Many people who are relatively new to the 'net haven't yet internalized
> parts of the fundamental ethic that has allowed it to flourish.  There is
> an implicit social contract that's far more important than any formal
> legal document -- but because it's implicit and not overt, many don't
> realize that it exists and that it serves a critical function.
> One way to put it, if I might borrow a line from popular culture, is:
> 
> 	"With great power, comes great responsibility."
> 
> Being connected to the Internet gives you incredible power.  Not because
> of who *you* are -- because for all values of "you" (including "me"),
> you are unimportant and expendable.  It gives you incredible power
> because of *everyone else* out there.  By plugging in, you have --
> whether you realize it or not, whether you acknowledge it or not --
> tacitly committed yourself to living up to the responsibility that
> accompanies the immense power you now have.
> 
> So like everyone else on the Internet -- from the tiniest single system
> connected via a slow dialup line, to the largest distributed operation
> imaginable -- you're responsible for everything your operation does to
> everything and everyone else.  You don't get a free ride.  You don't
> get to pass the blame along.  If there's abuse coming from YOUR system
> on YOUR network on YOUR watch, then it's YOUR abuse.  You own it.
> You're responsible for it.

The problem with what you suggest is that it transforms the hierarchical
'scale-free' network topology of the Internet (that others here have
already lamented in other threads as being precisely what *enables* mass
surveillance) beyond just a topology that makes packet routing efficient
and surveillance convenient.

It transforms it into a centralized hierarchy for content and traffic
control. That hierarchy gets to decide what 'abuse' is, and push their
decisions down to the leaves, who if they don't comply, can simply be
disconnected, because "They weren't being good Netizens."

This is the route to fascism.

As the "Net Neutrality" wars showed us, some members of this hierarchy
(the major consumer ISPs) would prefer to define 'abuse' as bittorrent
traffic, or more generally as any new system that causes the average
leaf user to use up more resources than what the hierarchy already
pre-ordained as sufficient for being a passive consumer of existing
content distribution systems (so the hierarchy can continue to overbook
and overbill their current pipes, and cache popular content to avoid
transit costs).

We are seeing a similar battle play out with 'three/six strikes' laws,
except instead of internal controls like QoS, this hierarchy is instead
being externally co-opted by Big Media to re-define 'abuse' to enforce a
failing business model.

> It's always been that way -- and it has to be that way, otherwise the
> Internet won't work because it can't work.  (And if you've been paying
> attention during the past decade or two, you'll note that many components
> of the 'net that aren't working very well are struggling for precisely
> this reason.)

Just because Big Brother has always cared for us doesn't mean we should
not strive for more freedom (and the associated costs in terms of
increased personal responsibility).

> Responsible and ethical operations know this and design, budget, plan,
> train, and staff accordingly.  Irresponsible and unethical operations
> don't -- they just shrug their shoulders and try to slough off their
> incompetence and negligence on someone else, often the rhetorical "they".
> 
> Note that this results in massive but silent cost-shifting: someone
> has to deal with that abuse, because it doesn't just vanish.  It goes
> somewhere.  It impacts other networks, systems and people.  And the
> people responsible for defending those need to spend their resources
> to deal with it, even though they had nothing to do with its origin.
> The costs of doing so are enormous: just look at the subindustries
> that exist to sell products to deal with this and consider that every
> single dollar/euro/yen they ever make comes from someone paying
> the price for others' negligence.
> 
> And they're making billions upon billions.
>
> Consider, for example, that companies like Cloudflare and Prolexic
> probably *would not exist* if it weren't for the ongoing epidemic
> of abuse.

The price of being on the Internet is also securing your own systems
from attack, and that is why these companies are successful.

This is not a flaw, it is a feature that prevents the net from
installing censorship systems and "Security Firewalls" and disconnect
mandates at the hierarchy level, which again would be a disaster and
would invite a new age of oppression onto the Internet.

> Here's another way to phrase that fundamental ethic, also borrowing a
> line from popular culture:
> 
> 	"The needs of the many outweigh the needs of the few."

This quote bothers me too, but I am not adept enough at philosophy to
get into its specific flaws.

I'm sure that someone more adept at philosophy can point out the failure
modes of strict dogmatic Utilitarian thinking like this, and illustrate
the ways that it can hinder many forms of progress that necessarily
start with the few before spreading to the many.

> No matter how big my operation or your operation or anyone's operation
> becomes, it will always be "the few" when compared to the rest of the
> Internet: "the many".  No single operation is ever more important than
> all operations.  Not mine, not yours, not Google, not Reddit, not anything.
> 
> I did say I'd try to get near a point.  Alright, here goes: if you
> run anything, including a Tor exit node, then you are personally,
> fully responsible for all abuse sourced from that operation.  Which
> means that you are responsible for figuring out how to detect it
> and stuff a sock in it.  Maybe that's easy.  Maybe that's hard.
> Doesn't matter: it's still your responsibility.  You signed up for
> it, you implicitly agreed to it, when you plugged *your* operation
> into *our* Internet.

Yes. All of my points are not to say that new systems like Tor shouldn't
endeavor to provide people with some options for dealing with it as it
hits their leaf nodes -- up to a point. Tor for example provides DNSRBLs
and exit lists that can be queried and used in security systems and rate
limiting firewalls that are in place on the leaf ends already.

I've also been spending whatever spare cycles I can to try to design
application-layer abuse rate limiting systems for Tor that would make it
easy for websites and other providers to reduce spam and content abuse
in the easiest way possible for them -- because doing so just makes
sense for Tor. Providing such systems will serve as an alternative to
prevent the knee-jerk reaction of simply using our exit list to ban all
Tor nodes (which is sadly quite common).
 

-- 
Mike Perry

More information about the liberationtech mailing list