Arrested TOR nodes and the lack of a Data Retention Laws for VPNs: How they come together?
Author: Carolina Christofoletti
Link in original: Click here
What makes the whereabouts of a computer’s algorithms something odd to non-tech people is, maybe, that computers were brought to our hands in a time when things were already “graphically-friendly”. If we live in a world where you connect your computer to a cable and your access to Internet already works, who care about Internet Protocol Addresses (IP)? And this “who care about IPs” have become, as we will see in this article, a legal problem.
In the end of the derivation chain of all technical arguments, you find an IP, serves it as a client (VPNs) or a server (hosting a webpage, for example). You may not know it, but every page is accessible through an IP number, a turning point where DNS will come, also, to be a “tresspasible” gap in this exact case. But this article is not about DNS complexities and what do we do with that, but about VPNs.
As such, you may agree with me that, if every server (including the requesting client of yours, who is sending to this webpage server a connect request right now) has an IP address (dynamically or not, someone has given it to you sometime), the idea that VPNs (Virtual Private Networks) change IP addresses (even if, from outside, it looks like so) is a technically absurd one.
Your IP remains the one the Internet Service Provider has given you. And the thing with VPNs, proxies and so on is only that you are adding more steps, steps in which somewhere the track is lost. But keep on the argumentation line. Dynamic IP addresses are solved with a register with date, hour and duration of use (reason why forensic personnel should keep also track of this very data when extracting some court-related information, ex. Authorship-like). Keep the dynamic IP address and let us see how, without inventing the wheel, we go to the VPNs.
But why are we talking about VPNs at all? Because this is one of the artefacts that can be used by criminals. “If you are a VPN node, please register”. Have you ever read it? I have never, even though some nodes are already mapped (especially if you are doing business with them). Keep it in mind and follow with me the argument.
Even though much is talked about encryption when it comes to VPN, take care because that is not what we are talking about here. One thing is who sends the access request (VPN) and another thing is encryption. Usually, what is encrypted is traffic, and not IP addresses (there is a huge discussion going on about that, and if you want, you can read it here: https://powerdns.org/ipcipher/).
- VPN regulations
IPS are usually naked behind VPN nodes (and free-VPNs prove that). Free or paid, ruled by a criminal or not, the beauty of the technical side is that it remains neutral. And that gives me the opportunity to discuss something else that, from a legal point of view, seems fascinating.
Go now and search for the Internet Regulation that is currently in force in your country and look for VPNs rules. Go now and look for the “creating a VPN” rule. You disrupt a server, and now what is the crime? If you are also a reader on those matters, you will easily recognize that this was the very problem of Silk Road sentence. If you want a more practical example of the “own VPNs” case, in a FBI and Europol seizure, you can read it here. https://www.justice.gov/usao-edmi/pr/us-law-enforcement-joins-international-partners-disrupt-vpn-service-used-facilitate
As a matter of technical configurations of everything, VPN’s clients know (even if they do not want to disclose it, that is, keep the logs) where the connection request comes from (even if you decide to abandon corporations for that purpose). And that least point is, as one might guess, another point for forensic analysis. Together to the malware check, run the VPN node check.
But you might agree with me that, if you are hosting a VPN server, if there is someone using your client for the purpose of committing crimes, you have a duty to cooperate with law enforcement. Money laundering legislation knows this rule well: You are gatekeeper.
Question now is what the applicable law is if you do not know, ex ante, where the connection request comes from. And the welcomed news is that this question does not matter.
If the client sits (legally) in country A, it is a matter of country A applicable laws in terms of rules and cooperation between the VPN manager (if you can say something like that) and its clients. Country A should design things in a way that they are compliant to legislation, including to possible data retention policies, in what refers to the VPN manager and clients communication and rules. Simplify things, think about it as the parent and daughter corporation case.
But it does not end here: Country B, where the request is being redirected, has a different legislation that the node is expected to comply with.
Keeping track of who is a VPN node is important as a matter of, first of all, criminal law. But compliance is also a matter of criminal law, as record keeping of any kind are.
If you are a node, you have the duty to keep your own “Transparency Report”, including in the “this traffic is mine and this is from somebody else” case. As a matter of fact, and not of laws: This is your exculpation defence. If you kept track of things, you give it for law enforcement to analyse and, if you were not, in fact, involved, data will show so. If you do not keep track, you might be in serious trouble
Is the case familiar? Yes, it is… the arrested managers of TOR nodes (read it here).
A surprise, but a surprise that derives from a matter of silent legislation that derives, at the end of the day, about a legal environment (who cares about IPs) in which no one had or could have idea that such a criminal adjudication could happen.
And believe me, the worst situation a defendant could face is having to rely on an imputation base on Criminal Law: General Part. Consequently, it is there where a good lawyer is to recognize. But criminal Law does not solve everything and, in this case, pushes nodes against law enforcement, and not in its desired direction.
For criminal law, arresting a TOR node manager does not solve the problem of crimes in the Dark Web but, maybe, if instead of arresting people laws push them to collaborate, the path may become clear.
In cases where acquittals have come, you may read something like “no illegal material found”. I am afraid that things have become more complex than that: CSAM crimes are, for example, cases where the crime is not only possessing, but viewing it intentionally also, what brings us to a situation where things are so hidden that there is no way of claiming that you found it by chance and your tracks are, maybe, your only chance.
Adjudication there is meant to be almost automatic, if you consider only how things are written. Except, if you keep a crystalline track of the fact that, when you accessed it, you reported it immediately to the law enforcement authorities (what involves, most of the time, convincing criminals to play with the other side, that is, with law enforcement people). CSAM cases are cases where criminals are, already for the way things are written, or should be, willing to collaborate with law enforcement. Lawyers, that is, maybe, also the best way you can solve the case here.
But hold on in the TOR node case arrest. There is a matter of culpability here (and the criminal offence is very probably the original one, by negligence). We cannot punish the node for “not proving that this is a somebody else’s traffic”. What a diabolic proof. And I agree. As long as, there was no legal duty to keep track of things properly.
Seem familiar to you? That is the fundament of the so-called criminal immunities from third parties, which you can curiously note, always come with a duty to comply, that is, giving sufficient information to law enforcement for following up with the investigations.
There is another point for discussion called Honeypot, that I will but not mention now. Take it only as register.
For VPN managers, that is an important track: Keep notice of which node and when was a router and do not mix VPN traffic with your own traffic (eternal router). Otherwise, your client may be in trouble.
You might agree with me that, upon a house-search in a TOR node related to Child Sexual Abuse Imagery, deciding that it is a TOR node and going back home is quite an unacceptable solution (read about it here). And the solution must come here, from the legal side, with a duty to keep tracks.
But, if things were as I am saying, am I not creating a VPN rule for nodes that make themselves a backdoor with another name? No, if you take with me that Backdoors are illegal searches on legal things, and that Law Enforcement Cooperation is the name we would give to a node that, as a matter of law, would be under the duty to keep track (data retention) things for a certain time.
Who controls but the rule of law for you, a naked IP trying to access VPN? Your act of choosing a node in a country with a human right protective legislation, that guarantees that those tracks that legislation must still mandate you to keep can only be accessible through a court order and a valid mutual cooperation for criminal matters agreement.
Such thing as a data retention policy for VPNs but, still does not exist.
Small introduction to start thinking about… end, middle, and entrance points track & cooperation as an alternative to the backdoor proposal.