Questions about content-based research of Tor
A paper was presented yesterday at PETS in which researchers from UW and UCB monitored the Tor network (an anonymizing network) to analyze the content, source and destination of traffic over the network (see McCoy et al. below). Chris Soghoian has an interesting, if a bit over-the-top, post on the liability and IRB implications of this work ("Researchers could face legal risks for network snooping").
My first reaction was quite selfish: we tried to do a much narrower study for Doug Tygar's Security and Privacy course at the iSchool in 2006. We spent a ton of time designing the experiment such that 1) we wouldn't have to involve our IRB at Berkeley, 2) we limited our own and our University's legal liability and 3) we would still have interesting results. Unfortunately, we had the experiment up and ready to turn on, but were ultimately stymied by the archaic way that our University licenses electronic library resources. (See Chen, Hall and Rothenberg below for more.) Well, I'm glad someone's doing it!
My second reaction to Soghoian's post is that it is, as I said, a bit over the top. First, Chris uses the rhetoric of "snooping" and such and says the researchers could face legal risks. Yes, they should have designed into their experiment mechanisms that would limit their liability. Yes, they should have at least submitted the experiment to their IRB or designed it such that it very clearly didn't implicate IRB issues. However, I doubt that a federal prosecutor will go after them (I would love to hear theories of who else might have standing to bring suit).
I do hope that this serves as a lesson to many: you need to talk to people like me and my colleagues who know both tech and the law during the research and experimental design stages of your work! There's no undoing bad things once you've done them... and if you talk to us too late, it's often impossible to remove or patch the things that could cause problems or difficulties.
UPDATE [2008-07-25T11:01:50]: Steven Chan pointed me to an article by Aaron Burstein (one of the best collaborators known to man). The article (see Burstein below) is entitled "Conducting Cybersecurity Research Legally and Ethically". It covers the ethical obligations and possible legal liability involved in cybersecurity research on networks, honeypot projects, interdiction and publishing results. There are also slides and notes available from a presentation Aaron delivered to Vern Paxson's Network Security class at Berkeley.
Awesome.
References
- A. Burstein, "Conducting Cybersecurity Research Legally and Ethically," UC Berkeley School of Law; Samuelson Law, Technology and Public Policy Clinic, 2008.
- K. Chen, J.L. Hall, and M. Rothenberg, "Barriers to Tor Research at UC Berkeley," 2006.
- D. McCoy et al., "Shining Light in Dark Places: Understanding the Tor Network," Privacy Enhancing Technologies Symposium 2008, Jul. 2008.