Introduction to the LSSC
Earlier this year, I worked with the Northeastern University School of Law, Legal Skills in Social Context clinic. The LSSC, as it's known, is a great program to introduce 1Ls to team legal work and extensive research in a year-long clinic. It's run by the wonderful and talented Susan Maze-Rothstein, who manages to herd cats and teach the students with aplomb. It's a great program which helps many local non-profits with legal advice. I've been a client two years in a row, helping develop a cyber-stalking guide for DV organizations in 2013-2014, and then again in 2014-2015 as part of Tor, helping to answer legal questions around its usage.
There were many questions to answer, based on collected questions and feedback from the community over the past few years. Legal organizations were unwilling to tackle the questions and research behind them pro bono. However, the LSSC was up for the task. The LSSC students were given eleven questions to research and to try to answer. It was a year-long task for these law students.
Under what laws can the U.S. government conduct surveillance of U.S. citizens and non-U.S. citizens, both in U.S. territory and abroad? Are these laws constitutional?
Given the relevancy of CSPs and ISPs to the definitions of electronic communications service and telecommunications carrier of the ECPA and CALEA, respectively, does Tor fall under the ECPA and CALEA by way of CSP and ISP definitions?
Is it legal to use a Mutual Legal Assistance Treaty (hereinafter “MLAT”) and a Joint Investigation Team (hereinafter “JIT”) to de-anonymize Tor users?
Since its inception, the third party doctrine has been applied to various entities that provide services. In 2012, however, Justice Sotomayor of the Supreme Court said, in a concurring opinion, that the third party doctrine is "ill suited to the digital age." Given that Tor provides a service on the Internet with the Tor Browser, how does or may the third party doctrine apply to it?
Does Tor fall within the scope of the CALEA?
Academic researchers at the University of Colorado recently recorded network communications traffic exiting from a Tor relay they were operating. Is it a violation of the Wiretap Act? Is it a violation of the researchers’ contract to abide by the protocols regarding ethics of using human subjects in research?
Is it legal to operate a Tor exit or non-exit relay, and could Northeastern University run its own exit relay for academic research?
Are anti-harassment laws constitutional? Is there a way to resolve the conflict between anti-cyberstalking laws and First Amendment rights?
If citizens misuse technology, or other goods or services, should that technology or those goods or services be outlawed? Will outlawing technology eliminate abuses?
How would you defend against a PinkMeth-type lawsuit?
What constitutes online harassment? Does using Tor create enhanced penalties for users?
11. How might recent Backpage lawsuits be used to erode freedom of the press and freedom of speech and what ulterior motives can drive efforts to abridge those freedoms? What effect would closing Backpage have on eliminating child exploitation? If a Backpage-type argument was used to try to shut down Tor, how would you argue against it?
The result is a wonderfully dense and complete 189-page paper entitled "Tor: Technology on Trial". The full document is available in PDF format here.
The original question I had was "Can I legally study the traffic transiting my Tor exit relay?" The de facto answer of the Tor Project is "no, that's wiretapping." I have given that answer many times to the same question. However, I knew that many organizations (government and commercial alike) were recording, storing, and analyzing the traffic in transit across their exit relays. These organizations believed they could indeed record their exit traffic as it was part of managing their network. The question was, "is this legal?" Section 6 addresses this question in depth.
The conclusion in Section 6 is a carefully worded result of the research. IP addresses and URLs are generally considered non-content data in the Federal courts. This implies that you can record traffic traversing your relay. If you are a research institution receiving federal funds, you need to consider ethics via the Common Rule. If you're just grabbing non-content data in an anonymous way, you are likely OK. This is likely true especially if you are summarizing the results, rather than sharing the raw collected data. In fact, Tor Project itself has a plan titled Including Network Statistics in Extra-Info Documents to do just this type of summation, starting with ports utilized.
Since the conclusion of this research in April 2015, a further refinement has come out as a result of a class action lawsuit about tracking cookies. A summary of the result can be found at the Washington Post. This implies that IP addresses and base-domains are in fact non-content data and are not considered wiretapping under current statutes.
This is not legal advice. This is presented as is. I am not a lawyer, nor are the researchers (yet). If you want actionable legal advice, consult your lawyer. Or start with Stanford Center for Internet and Society, Electronic Frontier Foundation, or Berkman Center for Internet and Society.
This post was cross-posted at LinkedIn Pulse
Follow-on in 2016
S.754 - Cybersecurity Information Sharing Act of 2015 passed. The legal understanding is still to come, but here's one interpretation.