[tor-relays] Police request regarding relay

Hello everyone,

We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.

The weird thing is, that the relay in question is only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3CFFCBB491.html) - anyone has an idea how this happens?

Best regards

Hi,

I've heard once of a non-exit relay getting seized because it was used
as guard by a ransomware. We can't tell for sure, but maybe it's
something alike:
some kind of virus connecting to its control server over tor and
choosing this relay as its guard, causing your ip to be flagged by
some IDS.
This is very much a guess, but I fail to see a better explanation.

Best regards,

Thanks for running relays!

Do you know what kind of user data they wanted?

It looks like your relay has been a Guard relay (i.e. has had the Guard
flag) for most of the past year. One possibility is that they have
somehow decided that a user they are trying to track uses your relay
as one of their Guards. That is, in this scenario they decided that the
user connects to your relay consistently over time, so they are asking
you to help them learn more about that user.

Of course, your Tor relay in its default settings doesn't have any useful
data for them, and you should keep it configured that way.

It is unclear how much people might be trying to do "guard discovery"
attacks in practice, and also unclear how well they might work -- there
is a lot of research on this class of attacks in theory but not much is
known about whether it matters in practice.

And who knows, it could be something else: maybe they are just fishing
for general information, or maybe they are intentionally creating useless
work and stress for you and your hosting provider to discourage you from
wanting to help Tor users.

More reading on the 'guard discovery attack' topic:

* PETS paper, From "Onion Not Found" to Guard Discovery:

* The Vanguards idea:

Part of the vanguards idea is implemented by default in Tor 0.4.7:
https://gitweb.torproject.org/torspec.git/tree/proposals/333-vanguards-lite.md

Hope this helps,
--Roger

Nothing unusual? I had a house search because of exits but never a user data
request because of entry nodes.

As a German organization, you must fully comply with Telekommunikation-
Telemedien-Datenschutz-Gesetz §9 (the German telemedia data protection law),
which prohibits to log any personally identifiable data or usage data unless
required for billing purposes. As you do not charge for using your services,
you will never be able to keep any connection data. ¯\_(ツ)_/¯

Tor routers owned by German media services are protected by Telemediengesetz
§8

https://www.gesetze-im-internet.de/ttdsg/__9.html
https://www.gesetze-im-internet.de/tmg/__8.html

Updated german exit page

We receive this mostly from France and Germany. We figured out that
they downloaded the Tor Browser then looked at the Tor Circuit widget
and just collected the addresses they could see there.

This is the same as when Police, Attention Seekers, Cyber White
Knights, Censors and other scoundrels contact every ISP they see in a
traceroute.

Without a court order, the cops have no right to request data at all.

Generally also for commercial providers:
The European Court of Justice ruled that German data retention
(Vorratsdatenspeicherung) is incompatible with EU law and therefore
inapplicable.

(only in German)

lists@for-privacy.net wrote:

Without a court order, the cops have no right to request data at all.

They have the right to send requests without court orders, they just
cannot force you to cooperate.

They do it all the time. We receive tons of them from EU Police.