Thoughts on the proposal for a mandatory valid email address in the ContactInfo field

As the topic in [tor-relays] Proposal: Restrict ContactInfo to Mandatory Email Address is read only due to it being a mirror from a mailing list, I’ll be writing my thoughts here, only related to reachability, not taking into account any malicious operator actor activity. Please feel free to correct me or add any other points of view.

Thanks @GeKo for the encouragement to open the topic.

Moreover, our own and others’ experience of running relays and providing an unobfuscated email address as ContactInfo shows that spam right now is actually not an issue.

I disagree, there have been hundreds of spam and phishing emails received on the email address I use solely for the purpose of being reachable for relay issues and news. While of course those are not a serious threat, it takes time going through them. I imagine the tsunami of spam emails coming in to all operators that would add valid emails if this proposal goes through as is.

My vote would go to using several fields, some public, some visible only to directory authority operators. I’d like to see a field that would enable PGP encrypted official emails too.

About "Please do not make the email address private " reply, I think one field could be set up to be private, for official messages, and another for public reachability, and they need not be the same. Another public contact field could be a Tox ID, for example.

There’s in my opinion a possibility to send messages straight from any dirauths to relays, with those messages being put in system logs and shown by the daemon and/or Nyx when called upon.

1 Like

I dislike plain emails in ContactInfo not because of spam.
But because I do not want to give attackers an easy way to get an email address knowing only an IP address.
The more steps they need to connect different pieces of data, the better.

1 Like

Dramatization: Tor becoming Russia?

https://v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion/t/russia-introducing-full-regulation-of-hoster-services/8862

The development of Tor into a direction of knowing more and more about their network donators is kind of invading. When I started to provide nodes somewhere in the 00s, it was an act of support for a network that felt anarchic and private - for users and supporters. I was very shocked once ioerror doxxed my real-name in a commit message, making it eternal. Since then I got much more cautious with revealing information about myself. Making an email mandatory basically means everyone who doesn’t do extra steps will also be easier known by the three or more letter agencies.

Example: ramping up a bigger amount of bridges somewhere where they are needed will be connected to this and that persona. Three or more letter agencies will have absolutely no problems in complying with this demand - they operate hidden and have identities for this.

http://pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/tor-social-contract/

And no - it is not a “one-time cost” to have an email, that is regularly checked and only accessed indirectly. I’m not even starting with the case, you might have to reply (stylometry) some emails with questions regarding your relay and giving out motivational reasons, because “unknown operators” are a threat now…

This proposal would not only give the project more information - it also does give chunks to 3 letter agencies, law-enforcement and other interconnected parties. Maybe Tor could be more transparent - how often is the project approached by officials and being asked for hints? A hidden service operator is very much likely a node operator too… Warrant canary or something similar would also be nice.

I know the world is getting more and more complicated and I often tend to get as much information as possible - but I would not force someone to give me information.

And I strongly disagree with the statement “Remember that running a relay is an act of transparency” - that is “Newspeak” for me…

PS: @GeKo Asking/proposing something like that on a mailing-list will of course lead to distorted reflection of reality because everyone already opted in to reveal their email-address

3 Likes

A concerning statement in this write-up is:

The C-Tor codebase is in maintenance mode and not accepting any new
features anymore (with a very narrow set of exceptions). We therefore
plan to have this change included solely in the upcoming Arti relay
work.

This appears to be false, as you just rolled out conflux and onion proof of work in the C-Tor codebase. What are the exceptions for new features into c-tor? Where are the exception criteria documented (speaking of transparency)? Will this proposal become an exception?

Proposal Questions

  • What does this proposal mean for those running C-Tor?
  • Are you proposing a “flag day” for the entire network to switch to rust-tor?
  • What happens to C-tor relays that refuse to put in valid email addresses if/when this proposal is accepted?
  • Does this just bifurcate the network into c-tor and rust-tor versions?
  • How do you plan to handle the duplicate email addresses on relays not in a “family”?
  • What’s to stop someone from just copying a known email from the public contactinfo?

General Thoughts

Please show some transparency and document your setups where using valid email addresses in ContactInfo does not result in tens of thousands of spam/phishing emails per year.

On the general topic, it seems tor is losing its way here. If the clients do not trust the network, then why do we need more trusted relays? Are you implicitly admitting the tor network is not safe and/or the entire design is fundamentally flawed? Already, tor cannot protect against global passive adversaries. Such GPAs already include the obvious intelligence and law enforcement agencies, but also google, facebook, apple, akamai, shein, bytedance, visa/mastercard and others with global reach on the internet. Such a proposal merely lets the GPA collect more information about relay operators.

Should this proposal be rammed onto relay operators, someone should start an anonymous email service which requires zero identifying information to accommodate those opting out of the surveillance economy.

1 Like

Such services already exist.
They are designed for this exact purpose.
For example, https://10minutemail.net/.

You want transparency? Give me an email address and I will mirror&forward you my abuse@ for 3 months. Feel free to answer them if you’re bored. :joy:

I have for years 2 addresses not obfuscated in my ContactInfo. The same one I have to have in RIPE whois. My Relays
I receive 100s to 1000 tor-exit abuse emails every day. There are only 0-2 spam emails every day. And spamassassin filters them out:

# "fileinto" is a Sieve extension and must be declared before its first use
require ["fileinto"];
# rule:[Spam-Flag]
if header :is "x-spam-flag" "YES"
{
	fileinto "INBOX.Junk";
	stop;
}

What’s the problem with a pseudonym address?
e.g. your-mail-alias-2023@privacy-provider.com

@boldsuck you were tinkering around with postfix and spam 20 years ago. maybe consider newbies who just try to start learning (like we all did at some point, and sometimes probably still do) - perhaps by setting up tor-relays or monero-nodes, whatever.
i guess it’s not the easiest for a start to also setup a mail-server with proper anti-spam. so they probably opt-in for a provider solution (like you do nowadays). doing so raises the bar, you have to find a trustworthy one. op-sec is hard and not everyone wants to have their name, e-mail, whatever connected to tor and not everyone has a “Verein” with a very good lawyer - in my opinion you are seeing this from a very privileged position.

do a thought experiment and see how hard it is nowadays to rent a server and administer it with leaving no traces to your person. and please start from zero, without already having a private stash of crypto and knowing how to send it without leaving traces…

1 Like

Why do you always think so complicated? There is a solution to every problem. Who talked about (own) Postfix? Every Roundcube or Horde webmail interface has sieve filter integrated. Every mail provider has spamassassin running. All you need to do is use the existing mail header.

Until Arti becomes a reality (still years for relays), everyone will probably be able to create an anonymous email account, set an alias there and use it for their relays.

I don’t have that. I’m private, alone and the cops come to my house at my address that’s in my Whois. Every morning at 6:00 a.m. they can be at my door again. Every morning it can happen that all my IT and cell phones are confiscated because some criminal idiots are using my exits. Every Tor exit and Freifunk exit operator has this risk every day.

This is almost impossible due to the anti-terror and money laundering laws since September 11, 2001. Not even a genius like Ross Ulbricht could do that. That’s why I wouldn’t even try that. :sweat_smile:

2 Likes
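The Sieve rule quoted earlier in this thread, expressed as an added Python example (not code from any poster) for a mailbox whose provider offers no Sieve. It mirrors the `:is` test's semantics: header name and value compared case-insensitively, surrounding whitespace ignored, exact match only. The sample messages and addresses are constructed; the folder names follow the rule above.

```python
from email import message_from_string
from email.message import Message

JUNK_FOLDER = "INBOX.Junk"   # same target folder as the Sieve rule
DEFAULT_FOLDER = "INBOX"


def _ascii_casemap(value: str) -> bytes:
    """Approximate Sieve's default i;ascii-casemap comparator: only ASCII
    letters are case-folded, and surrounding whitespace is ignored."""
    return value.strip().encode("utf-8", "surrogateescape").lower()


def is_flagged_spam(msg: Message) -> bool:
    """Python equivalent of: header :is "x-spam-flag" "YES"."""
    # get_all() matches the header name case-insensitively and returns every
    # occurrence; the Sieve test is true if any single occurrence matches.
    # The check trusts X-Spam-Flag as stamped by the provider's spam filter.
    values = msg.get_all("X-Spam-Flag", [])
    return any(_ascii_casemap(str(v)) == b"yes" for v in values)


def target_folder(raw_message: str) -> str:
    """Return the folder the message would be filed into."""
    msg = message_from_string(raw_message)
    return JUNK_FOLDER if is_flagged_spam(msg) else DEFAULT_FOLDER


def triage(raw_messages) -> dict:
    """Count how many messages land in each folder."""
    counts = {JUNK_FOLDER: 0, DEFAULT_FOLDER: 0}
    for raw in raw_messages:
        counts[target_folder(raw)] += 1
    return counts


def _sample(extra_header: str, subject: str) -> str:
    # Constructed test message; addresses are placeholders.
    return (
        "From: sender@example.net\n"
        "To: relay-contact@example.org\n"
        f"Subject: {subject}\n"
        f"{extra_header}"
        "\n"
        "constructed body\n"
    )


SAMPLES = {
    "tagged_spam": _sample("X-Spam-Flag: YES\n", "You have won"),
    "abuse_report": _sample("X-Spam-Flag: NO\n", "Abuse report for your exit"),
    "no_header": _sample("", "Relay question"),
    "lowercase": _sample("x-spam-flag:  yes  \n", "Cheap pills"),
    # ":is" is an exact match, so a decorated value does not trigger the rule
    "not_exact": _sample("X-Spam-Flag: YES (score 9.1)\n", "Invoice"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} -> {target_folder(raw)}")
    print(triage(SAMPLES.values()))
```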

Arti config does not have freeform. This was explained months ago in gitlab.torproject.org

I’m trying to think different perspectives - might complicate things but imho is a valid approach, when you are dealing with multiple parties.

Hosting your own mail is always a hassle, most people won’t deliberately do in their free-time. Yes, choose something from radical servers and you are pretty much safe to draw more attention, have your connections observed, if not your mails itself.

afaik you are mostly running your relays with AS60729 - which is a well known “e.V.” with a good lawyer. And in summer it’s every morning from 4:00 a.m. :stuck_out_tongue: | and this might be a valid reason not to run an operation like this attached to your persona - same applies for hidden services - Ulbricht style or more valuable ones for society.

“But the plans were on display . . .”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a torch.”
“Ah, well the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard.”

verla via Tor Project Forum:

A concerning statement in this write-up is:

The C-Tor codebase is in maintenance mode and not accepting any new
features anymore (with a very narrow set of exceptions). We therefore
plan to have this change included solely in the upcoming Arti relay
work.

This appears to be false, as you just rolled out conflux and onion proof of work in the C-Tor codebase. What are the exceptions for new features into c-tor? Where are the exception criteria documented (speaking of transparency)? Will this proposal become an exception?

I think the answer to your last question is already in the text block
you quoted, no? The exceptions are determined by the network-team and
are on a case-by-case basis. The general rule is “no new features”.

Proposal Questions

  • What does this proposal mean for those running C-Tor?

It should not affect them.

  • Are you proposing a “flag day” for the entire network to switch to rust-tor?

We are not sure yet, but likely C-Tor relays will just be phased out via
the usual EOL mechanism: at some point there won’t be any security
updates and thus any supported C-Tor version for relays left and they
will therefore get blocked at the Directory Authority level.

  • What happens to C-tor relays that refuse to put in valid email addresses if/when this proposal is accepted?

Nothing which is not happening already.

  • Does this just bifurcate the network into c-tor and rust-tor versions?

No. We’ll have a period where both C-Tor and Arti relays will be in the
network but that is unrelated to the proposal at hand and is rather a
result of the overall transitioning to Arti relays.

  • How do you plan to handle the duplicate email addresses on relays not in a “family”?

Not sure what you mean here, is that related to the next question?

  • What’s to stop someone from just copying a known email from the public contactinfo?

You mean someone trying to impersonate an operator? We think we can
prevent that/make it detectable with the way our planned email
validation is constructed: it’s bound to the family keys/fingerprints of
relays. The details are still ironed out and will be in a technical
specification but we believe we’ll improve the situation here as well
compared to the status quo.

General Thoughts

Please show some transparency and document your setups where using valid email addresses in ContactInfo does not result in tens of thousands of spam/phishing emails per year.

Thanks @boldsuck for following up on that part.

On the general topic, it seems tor is losing its way here. If the clients do not trust the network, then why do we need more trusted relays? Are you implicitly admitting the tor network is not safe and/or the entire design is fundamentally flawed? Already, tor cannot protect against global passive adversaries. Such GPAs already include the obvious intelligence and law enforcement agencies, but also google, facebook, apple, akamai, shein, bytedance, visa/mastercard and others with global reach on the internet. Such a proposal merely lets the GPA collect more information about relay operators.

I think the motivation section in the proposal as to why we need this is
mentioning the bad-relays case. There are some interesting ideas
mentioned as well that we could build on top of this proposal which
could help with trustworthiness. The network being safe or not is not a
yes/no topic. It’s more complicated, but we can help making it safer
with the current proposal as a building step. And that’s definitely in
the interest of Tor users.

Should this proposal be rammed onto relay operators, someone should start an anonymous email service which requires zero identifying information to accommodate those opting out of the surveillance economy.

Seems this got already addressed, too, nice.

1 Like

atari via Tor Project Forum:


Dramatization: Tor becoming Russia?

https://v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion/t/russia-introducing-full-regulation-of-hoster-services/8862

Nope, Tor is not becoming Russia.

The development of Tor into a direction of knowing more and more about their network donators is kind of invading.

I think we should keep things in perspective here. We are not interested
in a copy of your passport nor are we interested where you are living,
where you are born, how old you are, which gender you have, which
language you are speaking etc. Just some random email address you use
for relay related purposes.

When I started to provide nodes somewhere in the 00s, it was an act of support for a network that felt anarchic and private - for users and supporters. I was very shocked once ioerror doxxed my real-name in a commit message, making it eternal. Since then I got much more cautious with revealing information about myself. Making an email mandatory basically means everyone who doesn’t do extra steps will also be easier known by the three or more letter agencies.

Example: ramping up a bigger amount of bridges somewhere where they are needed will be connected to this and that persona. Three or more letter agencies will have absolutely no problems in complying with this demand - they operate hidden and have identities for this.

http://pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/tor-social-contract/

And no - it is not a “one-time cost” to have an email, that is regularly checked and only accessed indirectly. I’m not even starting with the case, you might have to reply (stylometry) some emails with questions regarding your relay and giving out motivational reasons, because “unknown operators” are a threat now…

This proposal would not only give the project more information - it also does give chunks to 3 letter agencies, law-enforcement and other interconnected parties. Maybe Tor could be more transparent - how often is the project approached by officials and being asked for hints? A hidden service operator is very much likely a node operator too… Warrant canary or something similar would also be nice.

I know the world is getting more and more complicated and I often tend to get as much information as possible - but I would not force someone to give me information.

Fair enough. Now, if you feel it’s too much asked for you to provide an
email address for running relays that’s fine. There are plenty of other
ways helping and contributing to Tor, e.g. by being engaged in the forum
or in other venues (as you are already doing).

And I strongly disagree with the statement “Remember that running a relay is an act of transparency” - that is “Newspeak” for me…

Sure, as I said above there are many ways to contribute to Tor and we
are appreciating all of them. There is no way around, though, to
building a stronger and safer network by being able to reach out to
operators and connect them closer in a community. See the motivation
section in the proposal for different use-cases, not just in the
bad-relay area.

2 Likes

Which needs to be checked on a regular basis - and again here starts the issue. Checking means I have to connect to some kind of mail service, which leaves traces. Otherwise when I check a webmail, I could easily anonymously check a website with all news that are important for me, without any further affiliation…

Because email always was, still is and will always be the best tool to build communities!*

*)This statement might be sponsored by XKeyscore

Vort via Tor Project Forum:

I dislike plain emails in ContactInfo not because of spam.
But because I do not want to give attackers an easy way to get an email address knowing only an IP address.
The more steps they need to connect different pieces of data, the better.

Fair enough, but as I said in my reply to @atari there are other ways to
help Tor and its users. Maybe running a snowflake proxy instead or
helping here in the forum and/or on the bug tracker (as you already do,
thanks for that!) or… There are different folks being comfortable with
different contributions and that’s fine.

Against their will.

In my opinion, community forms by itself.
Role of administrators is to create favorable conditions for it.
Desire for power and influence (even with good intents) creates opposite effect.
However, I’m not expert in this topic (fortunately), so I may be wrong.

upd. Total premoderation of messages here on forum is another anti-community-building tactic.

1 Like

Vort via Tor Project Forum:

Against their will.

That’s not how it works. We provide the means and can give tips e.g. if
there are already operators close by or organizations we know where
folks could connect to. We don’t force any relay to connect to any other
operator. There is no need to send status reports to the Tor Project
either. Or, you know, folks just self-organize realizing that email
addresses could be pretty useful for that use-case:

···

In my opinion, community forms by itself.
Role of administrators is to create favorable conditions for it.
Desire for power and influence (even with good intents) creates opposite effect.
However, I’m not expert in this topic (fortunately), so I may be wrong.

At the risk of unintentional alienation from the main opinion, I too feel that the anonymity network is becoming much less anonymous for the people who contribute to its existence; I recall seeing a post on the Tor Reddit where a Polish-based node operator had all of their nodes removed after refusing to take part in a face to face video call.

I understand wanting to know a bit more about who major network contributors are but wanting to fix a face to a network feels a step too far from my perspective. It also realistically provides no benefit of security as a bad actor could take part in a video call to ensure the continuation of their service, someone could even meet you in person. What about AI too? Someone could probably video call using someone who doesn’t even exist.

There have been several and they all either turn sketchy or vanish.

Sarcasm I assume?

It’s not too much as in too much effort but rather too much risk and all while providing nodes at an expense to the operator. I can unfortunately foresee some operators exiting out and the whole Tor network becoming much smaller and much more observable.

2 Likes

Can Tor team confirm or disprove this story?
Refusal to do so I will treat as confirmation.

2 Likes

I do not agree with this proposal. Relay operators should have a choice to contribute to the Tor network with as few requirements as possible so that it remains broadly accessible. For those willing to be contacted, they can provide information if they wish to do so at their discretion.

2 Likes