Study: What is the value of anonymous communication?

by ailanthus | May 16, 2015

Drexel University researchers in Philadelphia, Pennsylvania are recruiting Tor users for an interview study to see how they use Tor while creating things online—how they write blog posts, edit Wikipedia articles, contribute to open source projects on GitHub, post on discussion forums, comment on news articles, Tweet, write reviews, and many other things.

The researchers want to investigate the ways in which various limits, like CAPTCHAs, or even blocking access to sites entirely, inhibit or don’t inhibit Tor users’ ability to create things online. They hope to identify times when people are forced to modify their behavior to achieve the privacy they want. They want to measure the value of anonymous participation and then begin to talk to service providers and others to optimize the participation of Tor users.

“By understanding the contributions that Tor users make, we can help make a case for the value of anonymity online,” said Associate Professor Rachel Greenstadt, an investigator on the study.

The researchers are also interested in hearing from Tor users about other impediments to their anonymous participation that they have encountered while online.

“It’s critical for online projects to support contributions from anyone eager to participate,” said Assistant Professor Andrea Forte, principal investigator.

For more information about joining the study, see: The Tor Study (http://andreaforte.net/tor.html)

Comments

Please note that the comment area below has been archived.

May 16, 2015

Permalink

Dear Andrea and Rachel:

You didn't say it, so with your permission, I will:

Published research studies which tend to

* debunk the Comey/Putin narrative ("All Tor users are current or future cybercriminals"),

* present a positive view of Tor (as a tool used to create good things for other people everywhere),

are desirable because they can

* help to make Tor more mainstream, and thus harder for Comey/Putin to destroy,

* assist Tor's fund-raisers in quelling fears from potential non-USG funding sources that they might be prosecuted by the US DOJ for abetting "terrorism".

But there are potential dangers also and I think it is crucial that potential participants in your survey be aware of these, and that you (the researchers) attempt to pro-actively address them.

When researchers issue such appeals I think it is critically important to be fully transparent about who is funding the research, and how potentially dangerous raw survey data will stored, controlled, and divulged (or not) to third parties.

Some questions you should address: could FBI secretly obtain names and addresses of participants by issuing to Drexel U an NSL? Could the researchers be subpoenaed by the Grand Jury impaneled in Eastern District of Virginia which is rumored to be searching for the "second leaker"? How does present (rapidly expanding) or possible future "information sharing" among US agencies affect the privacy of the raw data for your survey? If the raw data is stored long term (perhaps at a journal's website, in order to enable other researchers to verify your statistical analysis), could it not become subject to future mandatory sharing requirements which we cannot presently anticipate?

Bearing in mind

* recent comments from FBI Director Comey about Tor and encrypted communications,

* multiple attacks on Tor users (especially, users of at least some Tor hidden services) from FBI and the Dutch National Police, which have been extensively discussed in this blog,

* multiple "academic research" projects which apparently passed identifying data of real Tor users suspected of something or other to FBI,

I believe that a certain level of paranoia about "academic research" on Tor-- even when conducted by well disposed researchers-- is amply justified.

Please recall that well intentioned NIST employees trusted NSA employees whom they thought they knew well, which turned out to be a terrible mistake which potentially endangered all users of citizen crypto. I don't want the same thing to happen with Tor.

Further, as some have pointed out on tor-talk, the aforementioned academic research which aimed to "out" real Tor users featured a notable absence of any known institutional review board (IRB) proceedings, as would otherwise be customary for studies on human subjects. Has your survey been approved by Drexel's IRB?

To repeat: I don't question your intentions, for which Roger has vouched. (I concede that if Tor users can't trust Roger, they can't trust anyone-- see above for some hints about why some of us feel that some degree of paranoia is plainly appropriate for Tor users.) But I am worried that you might not appreciate how you research might be abused by certain parts of the USG whose intentions are not so nice.

The USIC has an intense and growing interest in identifying Tor users and understanding how we might use Tor to threaten "US national interests", or to put it more plainly, the self-interest of the US political/financial elite. This interest is plain to see in a vast research program, employing among other means seemingly innocuous "surveys" such as your proposed Tor survey.

I would be much happier if I knew that you are both well aware of the scope of a massive USG effort to identity and tag alleged potential future "Enemies of the State", focusing on (predictably)

* Somali immigrants,

* returning and possibly embittered US military veterans,

* members of SPLC enumerated "hate groups",

* suspected anarchists,

* Tea party members,

* persons with extraordinary software skills,

* suspected Snowden sympathizers,

* suspected "radical environmentalists" (PETA, etc),

* Occupy organizers,

* communists,

and (here's the shocker)

* American children as young as 3-7.

I echo recent urgent appeal from The Intercept asking for leaks of more documents related to the vast CVE (Countering Violent Extremism) effort from NCTC; see

https://firstlook.org/theintercept/2015/02/09/government-develops-quest…
Is Your Child a Terrorist? U.S. Government Questionnaire Rates Families at Risk for Extremism
Murtaza Hussain, Cora Currier, and Jana Winter
9 Feb 2015

Possible leakers include social workers, ER doctors, school principals, kindergarten and primary school teachers. (I wish I were joking, but sadly, I am not.) People in these fields who work in Boston, Minneapolis, Los Angeles, and some other areas have already received NCTC sponsored questionnaires similar to the one published by The Intercept, and the public needs to know about these horrifying documents. Some of the surveys or questionnaires may carry the emblem of NIH or CDC (Centers for Disease Control) but don't be fooled: the agency which is behind this effort is NCTC.

The fact is that NCTC/USIC has become convinced that "terrorism" defined broadly can be understood in epidemiological terms, as an infectious disease.

Talk to a PETA "tabler" on your campus? Then you've been "exposed" to animal rights activism, and must be monitored, or even quarantined, lest you in turn infect others.

Some of the groups targeted by NCTC are predictable from past episodes of government hysteria: Somali refugees are the explicit focus of the research of people like John Horgan

https://en.wikipedia.org/wiki/John_Horgan_%28political_psychologist%29

and also appear to be targeted by the NCTC CVE document cited above.

But the biggest and must vulnerable group has never before been regarded by the USG as "potential Enemies of the State" [sic]: American children, all of them, of ages ranging from 3 to 7.

The NCTC's rationale for identifying and monitoring (over an almost always peaceful and uneventful lifetime) of "potential future problem persons" is this: NCTC and other parts of USG are convinced that ACE (Adverse Childhood Experiences) are a reliable predictor of who will become:

* a terrorist, "school shooter", or garden variety criminal,

* a blogger expressing views which challenge the political elite,

* a participant in hypothetical future mass street protests,

* a future financial burden on the state,

* etc.

Such surveys have been conducted in the recent past by companies such as ICF International. The Wikipedia article

https://en.wikipedia.org/wiki/ICF_International

has been bowdlerized, but until recently ICF's home page boasted of their lucrative USIC contracts. Less well known is their contract with the UN, which allows them to conduct "health research" in countries including Pakistan, Iran, and North Korea. No kidding. Their Pakistan subsidiary is named in the official report as being implicated in the fake vaccine campaign run by Dr. Afridi in Abbottabad for the CIA, whose sole purpose was to obtain blood samples from children living in the household of a mystery man who turned out to be Bin Laden. This episode was an particularly pointed example of how "medical research" can be perverted to harm people.

If you are unconcerned by state-sponsored extra-judicial assassination of bad people such as Bin Laden, please consult the ACLU for the ultimate danger to good people which seems to invariably result when good people allow governments to act unjustly toward bad people. Also please note that we should resist easy acceptance of the premise that his young children whom the US Special Forces assault exposed to mortal danger are themselves doomed to become terrorists if not thwarted. And I should stress the fact that, simply because they were directly exposed to gun violence in the Abbottabad raid, they would be tagged by NCTC's dragnet even without their genealogy, just like innocent youngsters in cities like Damascus (or Baltimore).

(As you know, Seymour Hersh just published an article claiming that top Pakistani intelligence officials had been keeping Bin Laden out of view. The version I heard at the time differs slightly: the Pakistani political leadership was kept in the dark, and Bin Laden himself was not aware that at least one high ranking Pakistani intelligence official knew exactly where he was living.)

The War on US has become a war on our *children*. Is this, at long last, the point where the People will finally cry, "Enough!?"

I'd like to end by asking you to ask yourselves how your research might fit into the ever growing surveillance-industrial complex; please see

http://www.salon.com/2015/05/16/the_dwight_eisenhower_lesson_america_fo…

for a recent passionate critique by a former US military officer who is apparently just as horrified as I am by the rampant militarization of American society, to the extent that pacifists are being progressively dehumanized by state-sponsored propaganda organs.

This post is another attempt by myself to open a dialog with Roger, Rachel, Nick and others closely associated with Tor about the persistent and ever more troubling issues raised by accepting USG funding, certainly from DARPA but also even from allegedly "innocuous" sources such as NSF, NIH, CDC, which may simply cover for NCTC or USIC. I hope the moderator will accept in the spirit of dialog. IMO, in the discussion of complex and politically charged topics, Tor Project should always prefer argument to censorship.

Gosh, you sure enjoy writing essays.

For many of your questions about the topic of this blog post, I suggest actually reading the link that the blog post points to, including the consent form.

Andrea really seems to know her social science stuff, so while some of your questions are good ones (the ones I could decipher from around the other rants), I think she's got good answers for them.

All of this said, long rants in the comments section of a blog post about external researchers are not actually a good way to "open a dialog" with Tor people.

May 16, 2015

Permalink

@arma what ever happened with that study of relays with all the scapy data?

also i support the idea behind this study, but offering Tor users Amazon gift cards and Skype credits--I mean...Skype credits???!?!!--makes me question whether these people understand the population they're trying to study.

I would be eager to participate, but the idea of someone purchasing credits for a service widely known to be backdoored to compensate me for participating makes me feel gross. I'd like to suggest these profs offer participants bitcoins instead, or at least the option to have them donate $20 back to the Jitsi people or The Tor Project or EFF or something that's less diametrically opposed to users' interests.

May 16, 2015

Permalink

(Rachel here) The donation idea is great one, but to do that we will have to amend the IRB which takes time so it won't happen right away.

May 16, 2015

Permalink

I'm more likely to comment on news stories, such as the CIA torture report, because I don't have to fear I'll be tortured or retaliated against for speaking my mind.

May 16, 2015

Permalink

offering skype credits for giving up your personal information?

what does this has to do with tor?

i hope that the researchers at least acknowledge the bias in the answers to their questions, as in "no privacy conscious tor user would fill this out or no privacy conscious tor user could be bought off by offering skype credits to them" (which i guess is lot of tor users).

May 16, 2015

Permalink

> also i support the idea behind this study, but offering Tor users Amazon gift cards and
> Skype credits--I mean...Skype credits???!?!!--makes me question whether these
> people understand the population they're trying to study.

WTF? buying the data of tor users for skype credits? how this was even supposed to work?

how many tor users are there who would fill out a form about their activities in order to be able to phone their loved ones with the NSA listening in?

May 16, 2015

Permalink

As others have pointed out:

1. Title of research study
Privacy, Anonymity and Peer Production

We offer the option to reimburse you with $20 for your help and time. If you choose to be reimbursed, we will send you an Amazon gift card or Skype credit (whichever you choose) in the amount of $20 and you will be asked to email us the confirmation number or sign a receipt

All three methods facilitate a loss of Privacy, Anonymity and Peer Production.

Bitcoin is a much better solution.

I use Tor, but I value my privacy more than a trackable $20

May 16, 2015

Permalink

Did Nazanin Andalibi and Andrea Forte not realize when they put this offer together that Skype credits, Amazon gift cards, signed receipts and email addresses compromise anonymity, or did they realize it and proceed anyway?

Plenty of Tor users are happy to come forward as Tor users and talk about themselves. If you super duper need to stay anonymous at all times, I suggest not participating in (this round of) the study.

(I don't think their choice of Amazon / Skype was malicious. I think that's what their IRB was used to saying yes to, so they started there.)

May 16, 2015

Permalink

I am not a terrorist or a drug dealer. I use Tor. I don't do Facebook. I don't use Google. I try to avoid using Windows. Some sites block me because of someone else's previous use of the same Tor exit node.

There seem to be some privacy leaks built-in (or added after the fact) to this study methodology. There may be other leaks in the questions themselves, or in the questioning methods.

Well, ultimately the study at this point is for helping the researchers get a better intuition for what the right research questions are. So it does need to give them this information, which technically is a privacy leak, if you define privacy leak as letting them get a better understanding of why some people use Tor.

(I am also not a terrorist or a drug dealer, and I use Tor, and I don't use Facebook or Windows. I'm sad to say that sometimes I still use Google search. There, we just had another privacy leak. :)

May 17, 2015

In reply to arma

Permalink

I define Privacy Leak as linking your anonymous activity to your real identity.

Great. And the goal of Tor is to let you control how much of your information you reveal to various people (the website you talk to, the network you're on, etc). Here is another chance for you to control it.

May 17, 2015

Permalink

Maybe Tor isn't meant to be a be-all solution to everyone, it might just be the quickest way to make sure that whatever hotspot you connect to at the java hut knows only that you're connecting to it and that you're using Tor instead of everything else.
To those types, I'm sure an Amazon card would be superb.

May 17, 2015

Permalink

> For many of your questions about the topic of this blog post, I suggest actually reading the link that the blog post points to, including the consent form.

FYI, I have been experiencing great difficulty using Tails 1.4. I was able to reach her page but not DL the form yesterday. Today I get a 404 error at her page.

> while some of your questions are good ones (the ones I could decipher from around the other rants),

Well then, please just try to address the issues of

* possible deanonymization as outlined above

* IRB for academic CS/social research on real Tor users (human subjects)

I think that in future these issues should be addressed in similar posts announcing surveys of Tor users. Not doing so could be seen as something like deception.

> I think [Andrea has] got good answers for them.

I hope so. Perhaps she could address the IRB issue here?

> All of this said, long rants in the comments section of a blog post about external researchers are not actually a good way to "open a dialog" with Tor people.

I don't think I ranted about anyone but Comey/Putin. I fear you may have misunderstood the nature of my concern about funding sources, including the funders of academic researchers who are not employed by Tor but are close to Tor Project. Again, I (and others before me) are attempting to challenge the status quo in the computer security and online social science academic research community, which appears to get most of its funding from dubious USG sources such as DARPA (and perhaps CDC should be added to the list for the reason I tried to explain).

Well, thanks for posting my comment despite your low opinion of my contribution. I'd just add that in several recent posts you have reached out to Tor user community (good!) and I regard myself as a member of that community.

May 17, 2015

Permalink

"We believe we can learn important things from you about how people achieve privacy online"

Our comments to this blog (although public) are more anonymous than the methods proposed for this study.

(quoted from the consent form) You will be asked to read through the consent form and ask questions or share concerns, if any.
We will set a time that is convenient for you to do the interview.
We will decide on the means of doing the interview. This could be online or on Drexel’s campus.
We will talk to you about your privacy practices for 30-90 minutes.
With your permission, we will voice-record the interview. We might quote you in our research paper; however, if we do use any of your words in our paper, we will remove all identifying information. We are serious about your privacy and we will take care that no identifiable information will be used in our report.
We offer the option to reimburse you with $20 for your help and time. If you choose to be reimbursed, we will send you an Amazon gift card or Skype credit (whichever you choose) in the amount of $20 and you will be asked to email us the confirmation number or sign a receipt. If you are local, we can reimburse you in cash in the amount of $20. You do not need to accept payment to participate.

If the research was done using moderated blog comments while using Tor, and the comments were only acknowledged and recorded, but not posted, the objectives could be met, without influencing other people's comments, and without privacy leaks.

If the research was done using moderated blog comments while using Tor, and the comments were only acknowledged and recorded, but not posted, the objectives could be met, without influencing other people's comments, and without privacy leaks.

May 18, 2015

Permalink

"how they write blog posts, edit Wikipedia articles, contribute to open source projects on GitHub, post on discussion forums, comment on news articles, Tweet, write reviews, and many other things."

Me: "I use Tor!"

They: "Hey, you must be one of those super smart hyper creative people. What are doing online."

Me: "Um, I just browse the web".

They: "What was that, you are kidding, right?"

May 19, 2015

Permalink

I sent them an email. I told them I don't think I got enough things to share for a full scale interview, but I explained how gmx.com allows people to register email accounts there using only the Tor Browser Bundle. I also mentioned that if they get in contact with GMX(for whatever reason) that they forward that I'm a user that would look forward to pay for any services there if they offered a Bitcoin payment option :)

May 19, 2015

Permalink

'edit Wikipedia articles'
That's something I'd like to know myself

May 19, 2015

Permalink

arma wrote:

> Plenty of Tor users are happy to come forward as Tor users and talk about themselves. If you super duper need to stay anonymous at all times, I suggest not participating in (this round of) the study.

But this introduces an explicit bias into the study, which will reflect only the self-reported habits of self-reported Tor users who desire a twenty dollar gift card so badly that they will happily self-report on their activities while using Tor.

Or are you saying that the Project should simply ignore the needs of anyone who "super duper needs to stay anonymous"?

And is it not.. unseemly.. when the Exec Dir of the Tor Project almost seems to be poking fun at people who feel a need to remain anonymous?

I don't want readers of this blog to be left with the impression that someone at Tor might decide that some Tor users "really need to be anonymous" (critics of Putin?) and some "do not really need to be anonymous" [sic] (critics of Comey?).

May 19, 2015

Permalink

> Andrea really seems to know her social science stuff

So Andrea knows better than we do how to run social science studies on Tor users?

I beg to differ. It seems self-evident to me that the study goals, design, the IRB review, the financial incentives, the invitation to participate which was posted above, were not well considered. Issues which were apparently omitted from the study design include data reproducible statistics publication protocols, routine USG data sharing, potential NSLs served on Drexel U or Andrea's group, illicit intrusions by gosh-knows-who into Andrea's research computer network, all of of which could potentially expose raw data.

I think that what went wrong here might come down to this: some people close to the Project think they know "how things are done in our society" and that "the herd" should just take a number, get in line, and do as they are told.

Such patriarchal attitudes resemble too closely the much reviled line in an NSA presentation leaked by Snowden: "What government does not want to make the world a better place... for itself?" That line perfectly sums up the attitude of "academic researchers" who feel free to examine and dissect the private lives of ordinary citizens who use the Internet but are, almost without exception, kept ignorant about what the government plans to do with the personal information it collects and shares. Which is: concoct a personalized experience for each "problem person" which will reshape their beliefs and attitudes into a form which does not appear to threaten the "national interests" of the political/financial elite. See Evgeny Morozov on "algorithmic governance" and decades of work in the US national laboratories on population control schemes leveraging what has come to be called "information sharing", "sensor networks", IoT, and "Big Data".

May 19, 2015

Permalink

What kind of people use Tor?

Here's one answer: people who are determined to change "how things are done in our society".

Anonymous writings are all about challenging the existing power structure. Tha was true in 1775, and it remains true today.

I hope that this episode has been a learning experience, that you will abandon the present study, think hard, read a lot, and come back when you have a much better plan for conducting research which might ultimately result in good things for The People rather than the government.

Research is not necessarily a bad idea, but when you are surveying Tor users, for reasons which should be obvious, you can't mindlessly follow the USG information sharing play book for "how surveys are done in our society".

May 20, 2015

Permalink

I believe the 3rd comment from the top says it all. For people wanting to study tor users they should have had some basic understanding of it all. For having the consent form on a google server it shows that they don't.

Academic studies have only one role, to provide information for an organization to utilize on individuals. Organizations need this information so they have power over unorganized/powerless individuals. Would a group in Somalia be able to get detailed data from Drexel as easily as some colleagues "somewhere in the US"? Most probably not.

To summarize, no matter how noble and honest the efforts of the PhD student are, the others are just supervisors, the value of any study is on the side of those already having power over people and therefore against those who need to free themselves. Meaning me, you, have no use or benefit from the cumulative information produced by the study, but some agency might.

Of course, there is the other option, of helping the student, making an easy 20 bucks, telling them what they should hear. We are all here using tor to get on facebook anonymously so we can cheat on our significant others, that's all. Of course the $20 bucks spent on used revolutionary literature may give you away together with your real address .... but hey!

Here, wherever that is, we get often visitors from the movement interested in what we do. Fine young tourists. Some come with academic interests to study, photo, record us. We explain we don't mean any personal insult but we are getting organized to study "them" but we will not be studied. Better safe. (period).

PS The system is not really interested in individuals it is their organization that is problematic for them. So organize people, get organized.

May 20, 2015

Permalink

You can see the WebRTC vulnerability in action here

The quickest way to protect yourself is to go to about:config in the Firefox address bar; search for media.peerconnection.enabled and change this value to 'false'.

May 20, 2015

Permalink

WebRTC is already disabled in the TorBrowser, but won't be on stand-alone systems:

"Disable WebRTC in Firefox build options. (closes: #8178)

WebRTC isn't slated to be enabled until Firefox 18, but the code
was getting compiled in already and is capable of creating UDP Sockets
and bypassing Tor. We disable it from build as a safety measure."

May 20, 2015

Permalink

And another thing:

"We are serious about your privacy and we will take care that no identifiable information will be used in our report."

Not identifying you "in the report" does not mean that all identifying information does not stay within the database used for the study, on a Drexel server possibly and on private PCs and other mediums. I used to do social research and consulted on stat/methodology on other projects. It was amazing how much personal information was provided to outsiders or information that could be cross-tabulated back into identification.

Do it, just take it as a given your private information and identity will be handled poorly.

May 20, 2015

Permalink

>The researchers want to investigate the ways in which various limits,
>like CAPTCHAs, or even blocking access to sites entirely, inhibit or
>don’t inhibit Tor users’ ability to create things online.

my first thought was, that this might result in a cookbook for those
parties that want to force their suspect people to not look at other
(independent ?) sources of information.

And this is what I do still think now.

greetings

PS: a bonus of $20 for the participants is a nice idea. But would it be
feasible for people who REALLY NEED the help of tor for not being put
into gulags or tortured to death.

May 20, 2015

Permalink

PPS: It was me, the anonymous fearing the outcome to an anti tor cookbook:

I'm only one small fish in the swarm, could surely survive without the shelter of tor. I use tor from time to time just for the sake to stand my grounds of having the right of my privacy.

May 20, 2015

Permalink

My main problem would be, one's voice not being anonymous in the voice data recorded from the audio interview for the study.

Voiceprinting technology is now a serious risk and if you want a modicum of anonymity over audio now, you simply MUST change enough factors in the sound like pitch, timbre, tessitura, accent, rhythm, speed, other speech mannerisms, word choice and idiom, in order to not be uniquely identified by 'the system' anymore.

They may not have HDD space to store every single piece of audio and video out there (though even that is changing, I would bet), but they DO have the ability to analyze current streams coming in and brand a UUID-like voiceprint number to all voices in the audio and add it to the metadata of the conversation nevertheless.

It is a SERIOUS issue.

Does anyone know of decent Linux real-time mic input audio modulation software (or maybe even an encrypted VoIP app/protocol has it built-in) that changes your voice enough so that it is no longer anything like your natural voice signature (and further to that, can NOT be reversed with DSP audio analysis to work out what the original was)?

It is becoming high time for someone to make a powerful Linux tool for this (which can be proven to not be reversible). The corporations and governments now have powerful technology to fully de-anonymize audio capture of the human voice, and we must fight back if we want to retain anonymity and freedom from this form of surveillance tyranny.

For now, one can 1. avoid audio recording (so in this case, do an OTR chat), or 2. try to change your voice (like social engineering, ok this is fun I admit) like an actor/impressionist and make yourself a vocal chameleon.

In the future the best clearly is changing both your own voice / word choice / accent / some mannerisms, in addition to powerful audio modulation software whose output cannot be reversed thanks to really smart DSP algorithms that don't leave any holes / trails in the way it changes the audio.

Would the researchers of this study be OK with text chat for now? I am very quick with typing after all. :-D

May 21, 2015

Permalink

Andrea here - apologies if this appears twice, posting from a bus with unreliable internet.

To clarify what is meant by identifying information- that's stories someone might tell in an interview that would be recognizable to people who know them. We don't collect names or save information like email addresses with our data. The only exception to this is, in order to provide compensation, the university requires a paper trail. To work around this we inserted language to make it clear that people can decline payment and still contribute to the research. We also discussed the Google problem and included options to return the form using alternate methods. Again, this is because we are required to obtain documentation some way or another and we are trying to provide options that allow people to mask their identities. In general I agree with you all, these are work arounds, not optimal solutions. Thanks for the suggestion of allowing contributions in lieu of payment - I've had a number of discussions with people about this and other recommendations. Tor users have been great to talk to.

May 21, 2015

Permalink

You don't really think, that you'll get representative data, do you?

Your plan reminds me of some eager media students determined to find out 'the secret' about people that don't want to be bothered by interviewing them.

The good part is, that only idiots and i_wanna_be_important creeps will engage in your silly game and render the result useless with rubbish.

''Ridiculous' is my most friendly term for your plan.

No, we do not expect representativeness using online recruitment and snowball sampling - and that would be a show stopper in an experimental study, but not for exploratory work like this. I agree, though, with the broader point that the most important information about a study is often who is not represented. When we ask to record a conversation for data collection, for example, that itself narrows our participant pool to people who are comfortable being recorded. One thing social scientists do to ensure transparency around these issues is report limitations of sampling methods so that people know whose voices are potentially missing from a dataset. You are not alone in critiquing these methods, though -- these issues are part of larger debates in the scientific community around what constitutes knowledge and what is possible to study. There are plenty of smart people who have different takes on it and I think it's good to address these differences as openly as possible.

May 22, 2015

Permalink

> To clarify what is meant by identifying information- that's stories someone might tell in an interview that would be recognizable to people who know them.

That definition is.. bizarre.

Privacy-aware people, such as Tor users, define "identifying information" as "information which an attacker (possibly state-sponsored) can be use to de-anonymize a targeted individual", by any technique.

Tor users: before you even *consider* participating in this study, you should read a bit about "re-identification":

epic.org/privacy/re-identification/

https://www.cippguide.org/2010/09/21/de-identification-re-identificatio…

https://privacyassociation.org/media/pdf/knowledge_center/Re-Identifica…

There is just no way that a privacy researcher would not be well aware of these issues, which have been raised by for example this well known researcher:

dataprivacylab.org/people/sweeney/

> You don't really think, that you'll get representative data, do you?

Exactly, the study will clearly be strongly biased against people who actually care about privacy. In which case, far from making the case that Tor is an essential part of modern Internet infrastructure, the study might seem to "prove" that nobody cares about privacy very much. Can we think of any government which would benefit from that conclusion? Perhaps the same government which is funding the study?

Roger, Andrea, Rachel: to repeat, no-one has been impugning anyone's character or even doubting your motives. What people are saying, I think, is that serious Tor users are horrified when academics with close ties to Tor continue to insist on playing by the USG's rule book for how social science research studies are done, because it is very obvious to us (maybe not to you) that this plays into NSA's "shaping" of Internet protocols, corporate policies, trade agreements, social media discussions, and cyber-related legislation around the world.

To quote again from an NSA presentation leaked by Snowden: "what government doesn't want to make the world a better place... for itself?"

That is the government which has funded your study. WTF?

May 22, 2015

Permalink

> this is because we are required to obtain documentation some way or another and we are trying to provide options that allow people to mask their identities

You simply cannot let your sponsor dictate how you will run your study. Clearly you need to abandon this study, find another sponsor, and think through the privacy issues. Then maybe put out a pre-proposal and request comments here, since users may point out further issues you missed.

Andrea et al.: you and other academic researchers running "social science" studies or surveys on living human subjects simply cannot continue to follow the USG's play book.

Tor is or ought to be all about breaking down barriers to citizen participation, not about enabling USG to conduct business as usual.

May 22, 2015

Permalink

> They may not have HDD space to store every single piece of audio and video out there

They do. The MDRs in Utah and Texas have many orders of magnitude more storage than would be required to store high quality audio recordings of all human speech ever uttered since the days of the Neanderthal. And high quality audio of entire cities 24/7. NSA wants audio-visual surveillance of every cm of the Earth's surface, and the MDRs are already capable of handling the data load; all that is needed is the IoT to provide the data streams 24/7.

Reporters should crunch the numbers because you (and your readers) will be amazed at just how much data the MDRs are designed to store. Pretty much anything you can think of is a tiny fraction of how quickly they can ingest data.

The Snowden leaks are essential reading for everyone worried about privacy, and EFF is providing a collection of published documents from the Snowden trove:

eff.org/deeplinks/2013/11/nsa-spying-primary-sources

The collection is periodically updated as new leaks are published:

eff.org/nsa-spying/nsadocs

arma wrote:

> Plenty of Tor users are happy to come forward as Tor users and talk about themselves. If you super duper need to stay anonymous at all times, I suggest not participating in (this round of) the study.

Please be careful to avoid any suggestion that the Exec. Dir. of the Tor Project might feel qualified to make judgments on behalf of individual users whether or not they require "super duper privacy".

May 26, 2015

Permalink

“By understanding the contributions that Tor users make, we can help make a case for the value of anonymity online”

Really? Make a case? Why?

May 28, 2015

Permalink

Eligibility for most institutionalized legal US FED VAWA, witsec, whistleblower, amnesty & such type protections & similar at state levels REQUIRES DISCLOSURE to law enforcement, which for many, directly defeats the so-called purposes of said so-called protections. The DOJ has spent a very long time attempting to bully press shield laws into this category in NYT journalist James Risen's case.

Further, the old informal & previously less institutionalized network of battered women's services that grew out of the women's movement, like the underground railroad, served a purpose that MOST of the demographic it served would not avail themselves of; know of, have real access to, or risk entrusting themselves to or further endangering themselves -or others- by accessing.

Data collected & published reports from such studies can hardly be expected to accurately reflect the true demographic concerned.

June 16, 2015

Permalink

Mostly, I just browse the kinds of ordinary things that I suspect most people do. I'm not a terrorist (nor even a whistleblower!) But I find it sickening, unconstitutional and just plain wrong that our own government is indefinitely storing and analyzing even these ordinary bits of data about us- using algorithms and AI to create profiles on us in case of "some event" "some day".

And so I use Tor most everywhere. I know I'm also signalling myself out because of this- I might be even more carefully and analyzed and targeted simply BECAUSE I use Tor. But ultimately, it's not about hiding- it's about making a point and living by my convictions for me. If that gets me the privacy I have a right to- Great! If that robs me of even more privacy- well, at least it's not by my consent.

I do become frustrated with all the CAPTCHAs and sometimes plain site rejections I get. I mean, I even get them when I'm LOGGED IN at a site some times. Couldn't they whitelist logged-in users? How do I modify my behavior? 90% of the time I just find an alternate site of just do without it. Rarely, I will temporarily forgo my privacy for the sake of some particular resource for good reason.

Like another user posted, I don't normally do Facebook or Google either.

As for this research- I think the questions are not that interesting, so the answers won't be either. What will be interesting is how it will be presented: Positively, negatively or neutrally. It could take on a human interest quality as well. In other words, I think how it is presented will have the greatest impact. Most of us using Tor I bet are just privacy-conscious people.

Some of us are paranoid, some of us too sane for our own good, and most of us at least well educated in computer use. Like all these things, it is a certain more educated and interested group which starts to use it (such as the case of personal computers themselves), and it takes a certain time to spread out and become more mainstream. But I think it will. I don't believe most people are really okay with government watching their every move online (and off) and people are becoming more computer/Internet-savvy every day.

September 15, 2015

Permalink

I have been using a tor/privoxy isolating proxy* for a while and would like to make a couple of observations public:

First, youtube videos and flashplayer seem to work just fine.

Lately, captchas seem to work just fine.

In general, comments do not work which probably means that if you make a comment through tor browser - it is not going through tor and your privacy is being violated.

It seems that comments cannot be made anonymously anymore.

*I have tor and privoxy on one machine with two NICs, one NIC is connected to the internet and the other is connected to firefox on another machine. Nothing should be able to get on the internet without going through privoxy and tor.

October 17, 2015

Permalink

I do become frustrated with all the CAPTCHAs and sometimes plain site rejections I get. I mean, I even get them when I'm LOGGED IN at a site some times. Couldn't they whitelist logged-in users? How do I modify my behavior? 90% of the time I just find an alternate site of just do without it. Rarely, I will temporarily forgo my privacy for the sake of some particular resource for good reason.

Like another user posted, I don't normally do Facebook or Google either.

As for this research- I think the questions are not that interesting, so the answers won't be either. What will be interesting is how it will be presented: Positively, negatively or neutrally. It could take on a human interest quality as well. In other words, I think how it is presented will have the greatest impact. Most of us using Tor I bet are just privacy-conscious people.
happy veterans day 2015
Some of us are paranoid, some of us too sane for our own good, and most of us at least well educated in computer use. Like all these things, it is a certain more educated and interested group which starts to use it (such as the case of personal computers themselves), and it takes a certain time to spread out and become more mainstream. But I think it will. I don't believe most people are really okay with government watching their every move online (and off) and people are becoming more computer/Internet-savvy every day.