[tor-talk] Corporate policy and procedure

Dear Tor Talk,

As part of my internship work with the ACLU of Washington, I’m looking for practical examples of corporate policies and procedures for:

  • Deploying Tor relays and management
  • Deploying Tor Browser on client computers and management

I will be preparing templates, and related Tor education/marketing materials, for organizations within Washington State that we want to see supporting Tor. We will also publish these materials using a public domain license for anyone to use.

For example, if a library or law office, etc, wanted to support Tor by one or both of the above examples, they might want to develop internal policies detailing how to deploy it and how to manage it. This might be important material to have in advance when advocating to managers or a board of directors.

A policy to manage a Tor relay might include:

  • Statement of purpose
  • Device access policy
  • Abuse complaints policy
  • Admin management policy
  • Isolated network zone exception policy
  • Links to any related standard operating procedures

A standard operating procedure for Tor relay management might include:

  • List of maintainers, contact information, and escalation procedures
  • Maintenance schedule
  • Management commands and expected outcomes
  • Troubleshooting steps
  • Reference to the internal governing policy
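A relay policy of the kind sketched above pins down a few concrete torrc settings: an accountable maintainer (ContactInfo), whether the relay may act as an exit, that relays run by one operator declare each other (MyFamily), and that the control port is not reachable from the network. The following script, an added example that is not part of the original post or of the Tor Project's tooling, reads a torrc and reports each requirement the configuration violates, so the "management commands and expected outcomes" step of an SOP has something to run. The policy values and both sample torrc files are constructed, and the MyFamily fingerprint is a placeholder.

```python
"""Check a relay's torrc against a written relay policy.

Added example, not from the original post or from the Tor Project. The
policy values and both sample torrc files are constructed; the fingerprint
in MyFamily is a placeholder.
"""

# Policy requirements expressed as data so an SOP can point at each one.
POLICY = {
    "require_contact": True,   # every relay names an accountable maintainer
    "allow_exit": False,       # the organization runs non-exit relays only
    "require_family": True,    # relays under one operator declare MyFamily
}


def parse_torrc(text):
    """Return {option: [values]}; options such as ExitPolicy may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        opts.setdefault(key, []).append(value.strip())
    return opts


def control_port_is_local(value):
    """True when a ControlPort value binds only to loopback or a unix socket."""
    if value.isdigit() or value.startswith("unix:"):
        return True                              # a bare port binds to 127.0.0.1
    host = value.rsplit(":", 1)[0]
    return host in ("127.0.0.1", "localhost", "[::1]")


def check_policy(opts, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    if "ORPort" not in opts:
        violations.append("ORPort not set: this torrc does not run a relay")
    if policy["require_contact"] and not any(opts.get("ContactInfo", [])):
        violations.append("ContactInfo missing: policy requires a maintainer contact")
    # ExitRelay 1 forces exit mode; with the default 'auto', any 'accept'
    # line in ExitPolicy makes the relay an exit.
    exit_relay = opts.get("ExitRelay", ["auto"])[0]
    accepts = any(v.startswith("accept") for v in opts.get("ExitPolicy", []))
    is_exit = exit_relay == "1" or (exit_relay == "auto" and accepts)
    if is_exit and not policy["allow_exit"]:
        violations.append("relay would act as an exit; policy permits non-exit relays only")
    if policy["require_family"] and "MyFamily" not in opts:
        violations.append("MyFamily missing: all relays of this operator must be declared")
    for cp in opts.get("ControlPort", []):
        if not control_port_is_local(cp):
            violations.append(f"ControlPort {cp} is reachable from the network")
    return violations


def audit(torrc_text, policy=POLICY):
    """Parse a torrc and return its policy violations."""
    return check_policy(parse_torrc(torrc_text), policy)


# Constructed sample: complies with POLICY
COMPLIANT = """\
Nickname ExampleLibraryRelay
ORPort 9001
ContactInfo relay-admin at example dot org
ExitRelay 0
ExitPolicy reject *:*
MyFamily $0000000000000000000000000000000000000001   # placeholder fingerprint
ControlPort 127.0.0.1:9051
CookieAuthentication 1
"""

# Constructed sample: exit traffic, exposed control port, no contact, no family
NONCOMPLIANT = """\
Nickname UnmanagedRelay
ORPort 9001
ExitPolicy accept *:80
ExitPolicy reject *:*
ControlPort 0.0.0.0:9051
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit(text) or "OK")
```

Running it on a real relay's torrc (`audit(open("/etc/tor/torrc").read())`) gives the list a maintainer would check off during the scheduled maintenance window; the POLICY dict is the place to encode whatever the organization's written policy actually says.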

Regarding policies and procedures for managing Tor Browser, should it be managed any differently than Firefox or Chrome? Its network traffic clearly differs from standard HTTP/HTTPS, though on the wire it looks more like HTTPS. QoS might not work at all. If companies replace client-side SSL/TLS certs for monitoring, would that affect Tor Browser? Exception policies might be prudent. Updating procedures might be different.

If your work place has any of the above documents or you have prepared similar documents in your own advocacy, please email me a copy or a redacted copy, and thank you!

End-to-end encryption for organizing groups

This post has more questions than answers.

At TA3M Seattle and Seattle Privacy Coalition I’ve been pushing for the use of a better communications platform. Email is not a sound decision anymore. PGP is too high an expectation, even for privacy advocates because too many things can go wrong and it doesn’t scale when communicating with stakeholders (people without PGP). I’m trying to find a better way.

What doesn’t work

E2EE (end-to-end encryption), including protection of metadata, is a requirement for better communication. PGP doesn’t protect metadata. StartTLS helps protect some metadata, but when 5 or 10 (or more) people are emailing each other, not even privacy advocates are going to check the StartTLS status of each recipient.
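To make the metadata point concrete: in a PGP/MIME message only the body part is encrypted, so every relay, mailbox provider or interceptor on the path still reads the sender, the full recipient list, the subject and the timestamps. The script below, an added example that is not part of the original post, parses a PGP/MIME message and lists exactly what stays in cleartext. The message is constructed and its ciphertext block is a placeholder, not real OpenPGP output.

```python
"""Show which parts of a PGP-encrypted email stay readable in transit.

Added example, not from the original post. The message is constructed and
the ciphertext block is a placeholder, not real OpenPGP output.
"""
from email import message_from_string
from email.utils import getaddresses

# Header fields that every relay and mailbox provider on the path can read,
# because PGP/MIME (RFC 3156) encrypts only the body part.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

SAMPLE = """\
From: organizer@example.org
To: alice@example.com, bob@example.net
Cc: carol@example.edu
Subject: Thursday planning call and venue
Date: Sat, 10 Oct 2015 09:30:00 -0700
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""


def is_pgp_mime(msg):
    """True for an RFC 3156 multipart/encrypted message using OpenPGP."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def exposed_metadata(raw):
    """Return the cleartext metadata an observer learns from a PGP/MIME mail."""
    msg = message_from_string(raw)
    if not is_pgp_mime(msg):
        raise ValueError("not a PGP/MIME encrypted message")
    exposed = {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}
    # The full participant list of a group thread is visible to anyone on the path
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    exposed["recipients"] = sorted(a for _, a in addrs)
    # Only the octet-stream part is opaque; the control part is cleartext too
    parts = [p.get_content_type() for p in msg.get_payload()]
    exposed["encrypted_parts"] = [p for p in parts if p == "application/octet-stream"]
    return exposed


if __name__ == "__main__":
    for k, v in exposed_metadata(SAMPLE).items():
        print(f"{k:>16}: {v}")
```

The recipient list is the item that matters for organizing groups: with five or ten people on a thread, the membership of the group is written in cleartext on every hop, whatever the body says.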

OTR (off the record) encrypted messaging, typically used with Jabber/XMPP, is not a solution either. Like IRC, people are not going to stay logged in to a service, so not all messages are going to be delivered to all stakeholders.

What might work

I’ve been focusing on using TextSecure/Signal. It’s not perfect either. It has modern E2EE, most importantly for group messaging. It’s open source and the mobile apps are free to download.

TextSecure/Signal have downsides, but I don’t think they’re disconcerting for the groups I’m involved with. Each participant has to share their TextSecure/Signal number with everyone else, and for most people this means sharing their real cell number. Members can be easily added to a group conversation, and any group participant can add anyone else, which is also a benefit. More importantly, group participants cannot be removed; they have to leave voluntarily. Another thing to keep in mind, which I discovered by accident, is that creating a group on your TextSecure/Signal device, even if you don’t send any messages, automatically creates that group “discussion” on each participant’s device. Be warned!

Another TextSecure/Signal drawback is that it is for short-form text communications. Email can’t be completely abandoned since long-form writing is often necessary.

Importantly, TextSecure/Signal messages, even if just for communicating project statuses or meeting details, will reach each group member, and they don’t have to reply or acknowledge the information. It will be on their device for when they need it.

Please email or tweet at me your suggestions or concerns!

Simple Android adb & fastboot management for Ubuntu

Desktop OS: Ubuntu 14.04, 15.04, 15.10, or Tails Linux
Device: Nexus (tested on 6 (shamu) and 9 (flounder))
Mobile OS: Android 5.1.1 > 6.0.1

Requires the bootloader to be unlocked and USB debugging enabled in Developer options.


sudo apt-get update
sudo apt-get install android-tools-adb android-tools-fastboot

# Run adb and fastboot as root so the USB device nodes are accessible
sudo su
# Confirm the device is listed before rebooting it into the bootloader
adb devices
adb reboot bootloader
# Confirm the device is now visible to fastboot
fastboot devices

# Both erase commands are destructive: "erase all" wipes every partition,
# including userdata, and only works with an unlocked bootloader
fastboot erase system
fastboot erase all

# Flash the bootloader and radio first, rebooting the bootloader after each
# so the new firmware is active before the rest is written
fastboot flash bootloader bootloader.img
fastboot reboot-bootloader
fastboot flash radio radio.img
fastboot reboot-bootloader
# Then the Android partitions from the factory image
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot erase cache
fastboot flash cache cache.img
fastboot reboot-bootloader
# Re-lock the bootloader so the device only boots signed images,
# then boot into the freshly flashed system
fastboot oem lock
fastboot reboot

Sources:

  • http://forum.xda-developers.com/nexus-6/general/guide-flash-factory-images-nexus-6shamu-t2954008
  • https://developers.google.com/android/nexus/images?hl=en
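Because the sequence above re-locks the bootloader at the end, anything flashed in between is what the device will trust from then on, so it is worth checking the images before the first fastboot command runs. The script below, an added example that is not part of the original post or of Google's factory-image tooling, verifies that exactly one device is in fastboot mode and that each image matches a SHA-256 manifest, then emits the command sequence above as a dry-run plan. The manifest format (sha256sum style), the stand-in image files and the `fastboot devices` listing are constructed.

```python
"""Pre-flight check and dry-run plan for the fastboot sequence above.

Added example, not from the original post or from Google's factory-image
tooling. It checks that exactly one device is in fastboot mode and that each
image matches a SHA-256 manifest before emitting any command. The manifest
format (sha256sum style), the sample images and the device listing are
constructed.
"""
import hashlib
import os
import tempfile

# Partition -> image file, in the order the sequence above flashes them
FLASH_ORDER = [
    ("bootloader", "bootloader.img"), ("radio", "radio.img"),
    ("system", "system.img"), ("userdata", "userdata.img"),
    ("boot", "boot.img"), ("recovery", "recovery.img"), ("cache", "cache.img"),
]


def sha256_file(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks (system.img is large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'HEX  filename' lines into {filename: hex}."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split()
            out[name] = digest.lower()
    return out


def verify_images(image_dir, manifest):
    """Return a list of problems (missing file, no digest, mismatch); [] is OK."""
    problems = []
    for _, img in FLASH_ORDER:
        path = os.path.join(image_dir, img)
        if not os.path.exists(path):
            problems.append(f"{img}: missing")
        elif img not in manifest:
            problems.append(f"{img}: no digest in manifest")
        elif sha256_file(path) != manifest[img]:
            problems.append(f"{img}: SHA-256 mismatch")
    return problems


def parse_fastboot_devices(output):
    """Serials from `fastboot devices` output ('SERIAL<tab>fastboot' per line)."""
    return [line.split()[0] for line in output.splitlines() if line.strip()]


def flash_plan(image_dir, manifest_text, devices_output):
    """Return the fastboot commands to run, or raise if pre-flight fails."""
    serials = parse_fastboot_devices(devices_output)
    if len(serials) != 1:
        raise RuntimeError(f"expected exactly one device, saw {serials}")
    problems = verify_images(image_dir, parse_manifest(manifest_text))
    if problems:
        raise RuntimeError("refusing to flash: " + "; ".join(problems))
    cmds = ["fastboot erase system", "fastboot erase all"]
    for part, img in FLASH_ORDER:
        if part == "cache":
            cmds.append("fastboot erase cache")
        cmds.append(f"fastboot flash {part} {img}")
        if part in ("bootloader", "radio"):
            cmds.append("fastboot reboot-bootloader")   # activate new firmware
    cmds += ["fastboot reboot-bootloader", "fastboot oem lock", "fastboot reboot"]
    return cmds


def make_demo_dir():
    """Write constructed stand-in images and a matching manifest; return both."""
    d = tempfile.mkdtemp(prefix="nexus-demo-")
    lines = []
    for _, img in FLASH_ORDER:
        path = os.path.join(d, img)
        with open(path, "wb") as f:
            f.write(f"constructed {img}\n".encode())
        lines.append(f"{sha256_file(path)}  {img}")
    return d, "\n".join(lines) + "\n"


if __name__ == "__main__":
    image_dir, manifest = make_demo_dir()
    for cmd in flash_plan(image_dir, manifest, "0123456789ABCDEF\tfastboot\n"):
        print(cmd)
```

On a real run, replace `make_demo_dir()` with the unpacked factory image directory and a manifest you generated from the downloaded archive after checking its published checksum, and feed `flash_plan` the actual output of `fastboot devices`; the plan is only printed, so executing it stays a deliberate step.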

A resolution for Seattle: encryption and anonymity as moral imperatives

Published: 2015-Sep-19
Updated: 2015-Sep-19, revision 17


CITY OF SEATTLE
RESOLUTION _________________

title

A RESOLUTION affirming the human right to encryption and anonymity as consistent with the findings of the United Nations report on encryption, anonymity, and the human rights framework, advancing previously adopted human rights resolutions.

body

WHEREAS, in December 2012, the Seattle City Council adopted Resolution 31420 proclaiming Seattle to be a Human Rights City, endorsing the human rights set forth in the Universal Declaration of Human Rights, recognizing the importance of using the international human rights framework for cities to work on their commitment to protecting, respecting, and fulfilling the full range of universal human rights; and

WHEREAS, in July 2015, the Seattle City Council adopted Resolution 31598 affirming privacy as a human right and aligning the work of the City’s privacy initiative with the right to privacy as described in the Universal Declaration of Human Rights; and

WHEREAS, in May 2015, the United Nations report on encryption, anonymity, and the human rights framework was published and finds that encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age; and

WHEREAS, with respect to encryption and anonymity, the City of Seattle should adopt policies of non-restriction or comprehensive protection: (1) only adopt restrictions on a case-specific basis and that meet the requirements of legality, necessity, proportionality and legitimacy in objective, (2) require court orders for any specific limitation, and (3) promote security and privacy online through public education; and

WHEREAS, potential criminality and emergency situations do not relieve the City of its obligation to ensure respect for international human rights law; and

WHEREAS, legislative proposals for the revision or adoption of restrictions on individual security or privacy online should be subject to public debate and adopted according to regular, public, informed and transparent legislative process; and

WHEREAS, the City must promote effective participation of a wide variety of civil society actors and minority groups in such debate and processes and avoid adopting such legislation under accelerated legislative procedures; and

WHEREAS, all Seattle organizations should not block or limit the transmission of encrypted communications and should permit anonymous communication; and

WHEREAS, all Seattle organizations should support secure technologies for websites and software applications, develop widespread end-to-end encryption, and employ anonymity-preserving software to support privacy-sensitive populations; and

WHEREAS, the City’s laws must recognize that individuals are free to protect the privacy of their communications by using encryption technology and tools that allow anonymity online; and

WHEREAS, the City’s legislation and regulations protecting human rights defenders and journalists must include provisions enabling access and providing support to use the technologies to secure their communications; and

WHEREAS, the City must avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows; and

WHEREAS, the City must refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users; and

WHEREAS, all Seattle organizations should consider their own policies that restrict encryption and anonymity (including through the use of pseudonyms); and

WHEREAS, all Seattle organizations should follow internationally and regionally accepted principles for conducting business in accordance with human rights law; and

WHEREAS, court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals; and

WHEREAS, all Seattle organizations will not conduct any manner of intentional or unintentional mass tracking, monitoring, or surveillance of person-linkable information or metadata without strict anonymization processes during collection, transfer, and storage processes; and

WHEREAS, if strict anonymization processes during person-linkable information or metadata collection, transfer, and storage cannot be performed, then those tracking, monitoring, or surveillance technologies will not be used; and

WHEREAS, given the relevance of new communication technologies in the promotion of human rights and development, all those involved should systematically promote access to encryption and anonymity without discrimination; and

WHEREAS, given the threats to freedom of expression online, corporate actors should review the adequacy of their practices with regard to human right norms; and

WHEREAS, Seattle companies should adhere to principles such as those laid out in the Guiding Principles on Business and Human Rights (PDF), the Global Network Initiative’s Principles on Freedom of Expression and Privacy (PDF), the European Commission’s ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, and the Telecommunications Industry Dialogue Guiding Principles; NOW, THEREFORE,

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF SEATTLE, THE MAYOR CONCURRING, THAT:

Section 1. In accordance with the findings of the UN Report on encryption, anonymity, and the human rights framework, the City Council affirms that the human rights to encryption and anonymity are foundational to human dignity, intellectual freedom, and democratic governance in the digital age.

Section 2. The City Council implores that all City of Seattle past, present, and future technology projects maximize person anonymity during the collection, transference, and storage of person-linkable data and information.

Section 3.

How to use an iPod Touch as a secure calling and messaging device

Published: 2015-Sep-12
Updated: 2015-Oct-10, revision 64


Modern communication technologies are abundant, but legacy phone calling and texting (SMS, MMS) are inherently insecure. Communications content, in addition to metadata, is collected and stored by various organizations and for many years. People have a responsibility to safeguard their personal communications with strong encryption technologies because only then will your friends and family be able to help collectively defend your rights. In professions where privacy is expected between you and clients (law, journalism, etc), policy should dictate to either communicate securely or not at all.

Encryption technology is not new but default strong encryption in mass-market devices is. We’re slowly evolving. The political cost of default security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy communications infrastructure which is unfortunate:

  • All cell phones transmit insecure content and metadata because cell networks were designed for surveillance.
  • All cell phones not broken, off, or in airplane mode can be easily tracked.
  • All cell phones contain baseband processors with system wide access that can be remotely controlled.
  • The majority of SIM cards require registration using government-issued ID.
  • Android’s default is unencrypted storage.
  • Androids get slowly patched, if at all.
  • Carrier modified versions of Android are poorly developed.
  • Until the next version of Android, apps have near limitless access to other local data.
  • Microsoft’s and Amazon’s phones are a joke in terms of capability and security.

“Nobody is listening to your telephone calls” –President Obama

President Obama is technically correct. It is not possible for US government employees to listen to every phone call. The data requirements for maintaining recorded phone calls are feasible, but it is cheaper and more effective to transcribe voice data to text. The solution is easy: don’t give it to them.

What is bad for the FBI is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the financial liability and cost of default security.

The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature rich devices. The most effective way to assure that you are not a victim of cell tracking or attack is to not use those systems.

The Apple iPod Touch


The modern iPod fills a much needed space. WiFi only. Generations 5 and 6 support iOS 8, which is the minimum requirement for Open Whisper Systems’ free and open source Signal application.

Note: WiFi only iPads could also be used and may be a better solution for people with poor eye sight.

Please review my post Signal, TextSecure, and RedPhone ecosystem notes if you would like to learn more about Signal’s capabilities and limitations. Also review my post TextSecure, RedPhone, and Signal threat modeling if you would like to learn more about Signal’s threats and adversaries in comparison to legacy cellular telephony.

Advantages

  • Network: the iPod does not have inherent baseband insecurities or SIM card insecurities.
  • Network: you can control which WiFi networks to expose your device to.
  • Data at rest: The iPod employs default device encryption.
  • Data at rest: Signal employs default message database encryption and isolation.
  • Data in motion: Signal only uses modern protocols and state-of-the-art encryption.
  • OS security: Apple pushes security patches relatively quickly and the iPod is a more challenging device to infect with malware when used correctly.
  • Verifiability: Signal allows users to compare and verify encryption key fingerprints.
  • Verifiability: Signal is a free and open source software project that is publicly audited.
  • Scalability: other people with an iPod, iPhone or Android can freely install and use Signal.
  • Liability: when employed in a work place with supportive policy, work-oriented communications are compartmentalized from personal devices.

Disadvantages

  • Configuration: using Signal on an iPod requires additional steps to get setup.
  • Network: WiFi access is not as abundant as cellular data.
  • Privacy: iOS requires an Apple ID account to download apps — alternative information can be given if Apple is an adversary in your threat model.

Cost

If you use your iPod minimally to maintain good system health, there is no reason to get anything above 16GB. That is enough free space to upgrade to iOS 9. A new 16GB iPod has 11.7GB usable. A USB wall charger is not included when buying a new iPod, you must buy one or use an existing one (don’t plug it into any computer). If you will be making voice calls with Signal, a required additional purchase is any manner of corded headset.

Apple’s prices:

  • 16GB – $199
  • 32GB – $249
  • 64GB – $299
  • 128GB – $399
  • 16GB – 229€
  • 32GB – 279€
  • 64GB – 339€
  • 128GB – 449€

U.S. Costco prices, only available with membership:

  • 16GB – $189 in store
  • 32GB – $229 in store
  • 64GB – $289 online

Phone number

Signal, for the foreseeable future, requires a phone number for registration. Since an iPod does not have a SIM card or any other phone service, we have to use a phone number that you have SMS or voice access to. It is possible to use any manner of burner phone number, but this guide will not cover how to do that, since there are inherent risks in using a number you don’t have long-term control of. If someone who gains SMS or voice control of a phone number you use with Signal were to register that number with their own Signal device, you would no longer be able to communicate with that number, and they could impersonate you if your contacts blindly trust a new key fingerprint.

PC Magazine has a decent article covering VoIP options.

Below are some example procedures when using the following services, or modify them to fit your needs:

Landline

If your home or work has a landline phone number that can be called directly–no extensions to jump through–then you can register that number with Signal. This is ideal for journalists or lawyers who already have landline numbers that people already have in their phone books.

  1. Enter your landline phone number into Signal for registration.
  2. Click verify this device.
  3. Click call me instead.
  4. Open Whisper Systems will call your landline number and provide you an auditory verification code. Enter that code into Signal to verify.

Skype

Skype allows anyone to buy a phone number for $18 every 3 months or $60 every 12 months. Skype can’t receive SMS so you will need to install the desktop client onto your computer and be able to receive a Skype call.

  1. Enter your Skype phone number into Signal for registration.
  2. Click verify this device.
  3. Click call me instead.
  4. Open Whisper Systems will call your Skype number and provide you an auditory verification code. Enter that code into Signal to verify.

Google Voice

Google Voice is a great option for most people in the United States as long as you have a number you can forward calls to. Google will provide any US Gmail account a free, long term phone number. Voice has the added benefit of setting up voicemail which could be useful in case legacy phone calls attempt to call — you can let them know in voicemail to call back with Signal or RedPhone.

  1. Enter your Google Voice phone number into Signal for registration.
  2. Click verify this device.
  3. Open Whisper Systems will send a verification code to your Google Voice account via SMS. Enter that code into Signal to verify.

Twilio

Twilio allows anyone to register a voice and SMS number for $1 a month.

  1. Enter your Twilio phone number into Signal for registration.
  2. Click verify this device.
  3. Open Whisper Systems will send a verification code to your Twilio account via SMS. Enter that code into Signal to verify.

Operational security practices

Define a strict use case for your iPod for when certain groups of people ask. If you routinely travel, possibly through airport or border security, you don’t want to raise suspicion of your device. It is an iPod after all, people will have expectations that it is for listening to music. You may be coerced to provide access to the device to prove its legitimacy. Plan ahead.

  • If your iPod is for professional services (like law, journalism, etc) only certain groups of people, maybe clients, should be aware of your communications practices. Your organization may even make certain policy decisions like making it public information that you can be reached via Signal for secure communications.
  • If your iPod is for personal use, since you can’t risk connecting the iPod to computer systems to sync files, perhaps use it for photography and picture viewing.

Also:

  • Buy your iPod Touch in cash or at least in person.
  • Don’t risk infection or leave behind security certificates: do not connect your iPod to any computer system or automobile.
  • Only charge the iPod via wall charger or firewalled USB charger.
  • Don’t use any third-party apps that aren’t Signal. No Web browsing, social media, or email.
  • Keep the iPod physically safe — maybe even keep it in an actual safe when not in use.

Firewalled charging options:

Directions

Be aware that several privacy settings must be reconfigured once you upgrade to iOS 9. Review these settings once you update.

Set up your iPod:

  1. Connect to WiFi
  2. Disable location services
  3. Set Up as New iPod Touch
  4. Sign in, or Create an Apple ID
  5. Don’t use iCloud
  6. Don’t use Siri
  7. Don’t send Diagnostics

Configure your iPod:

  1. Settings > Bluetooth > Off
  2. Settings > Passcode Lock > Simple Passcode (Off – set an alpha-numeric passphrase)
  3. Settings > Passcode Lock > Erase Data (On)
  4. Settings > Privacy > Advertising > Limit Ad Tracking (On)
  5. Settings > Software Update > Download and Install

Set up Signal:

  1. Open the App Store
  2. Don’t install any new apps other than Signal.
  3. Search for and install “Signal – Private Messenger” by Open Whisper Systems
  4. Open Signal
  5. Enter the phone number that you’ve chosen to use (VoIP, landline, etc)
  6. Depending on how you need to verify Signal (SMS or call), perform that action (see examples above)
  7. If and when it asks, allow Signal to send notifications

Once Signal is installed:

  1. Settings > Notifications > Signal > Show on Lock Screen (Off)
  2. Signal > Settings > Privacy > Fingerprint (Tap to copy)

Libraries shouldn’t provide free Internet because it may be used by criminals

Libraries shouldn’t provide free Internet, it may be used by criminals. That’s the logic used by law enforcement in telling libraries, of all places, that Tor is not welcome in our society.

There are many problems with this logic and many problems with the information DHS intended to be facts.

From Julia Angwin’s ProPublica article:

DHS spokesman Shawn Neudauer said the agent was simply providing “visibility/situational awareness,” and did not have any direct contact with the Lebanon police or library. “The use of a Tor browser is not, in [or] of itself, illegal and there are legitimate purposes for its use,” Neudauer said, “However, the protections that Tor offers can be attractive to criminal enterprises or actors and HSI [Homeland Security Investigations] will continue to pursue those individuals who seek to use the anonymizing technology to further their illicit activity.”

When the DHS inquiry was brought to his attention, Lt. Matthew Isham of the Lebanon Police Department was concerned. “For all the good that a Tor may allow as far as speech, there is also the criminal side that would take advantage of that as well,” Isham said. “We felt we needed to make the city aware of it.”

This is the logical slippery slope:

  1. Tor traffic is part malicious. We must ban it.
  2. Internet traffic is part malicious. We must ban it.
  3. Human activity is part malicious. We must ban it.

Does Tor have a statistically significant amount of criminal activity? It might, if roughly 2% of traffic is considered statistically significant.

“Think back to the Internet in the late 80’s, early 90’s. We heard that the Internet was for child-molesters, money laundering, drug dealing and pornography. ‘Who would want to use this Internet thing? It’s only bad!’ That’s where the deep web is now.”

Using the Internet was a scary proposition at one point in history. Tor has a lower adoption rate comparatively because most people haven’t found a value motive for it. Slowly but surely, people found a use for the Internet, despite some of our law makers (leaders?) missing out.

Every person connecting to the Internet at home using a Wi-Fi access point is using a technology called Network Address Translation. NAT translates your personal computer’s IP address into a publicly routable one that has the effect of distancing its users from more specific, attributable metadata. Police aren’t up-in-arms over NAT because it’s a transparent process and used by almost every person using the Internet. However, it’s not like special interest groups haven’t tried to make it illegal:

A simple ban on devices capable of concealing communication would make a wide range of multi-purpose tools illegal. Widely-used home networking equipment could be banned because it often includes “network address translation” (NAT) and firewall features that incidentally conceal the origin and destinations of Internet communication.
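The NAT behaviour described above, as an added example that is not part of the original post: a minimal port-based NAT table of the kind a home router keeps. Three inside hosts open connections, an outside observer sees a single public address for all of them, and the mapping that would attribute a flow to a specific machine exists only on the router. The addresses are constructed (192.168.1.0/24 inside, 203.0.113.7 and 198.51.100.0/24 from the documentation ranges outside).

```python
"""A minimal NAPT table: what an outside observer can attribute after NAT.

Added example, not from the original post. Addresses are constructed:
192.168.1.0/24 for the home network and 203.0.113.7 (a documentation
range address) as the router's public address.
"""
import itertools
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")


class Nat:
    """Port-based NAT as found in home routers (one public IP, many hosts)."""

    def __init__(self, public_ip="203.0.113.7", first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}     # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.reverse = {}   # public port -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing flow; returns the 4-tuple the destination sees."""
        if ip_address(src_ip) not in INSIDE:
            raise ValueError(f"{src_ip} is not on the inside network")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:               # new flow: allocate a public port
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = (src_ip, src_port)
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, public_port):
        """Map a reply back to the internal host; None means unsolicited, dropped."""
        return self.reverse.get(public_port)


def observer_view(nat, flows):
    """Source addresses visible outside for a batch of inside flows."""
    return {nat.outbound(*flow)[0] for flow in flows}


# Constructed flows from three different inside hosts to two web servers
FLOWS = [
    ("192.168.1.10", 51000, "198.51.100.20", 443),
    ("192.168.1.11", 51001, "198.51.100.20", 443),
    ("192.168.1.12", 51002, "198.51.100.21", 80),
]

if __name__ == "__main__":
    nat = Nat()
    print("outside sees:", observer_view(nat, FLOWS))
    print("mapping table lives only on the router:", nat.table)
```

The `inbound` lookup is the incidental firewall effect the quoted passage mentions: a packet arriving on a public port with no table entry has no inside host to go to and is dropped.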

Like NAT, Tor is fundamentally a security tool. Tor provides physical anonymity to vulnerable populations by separating an Internet user from their associated metadata. A progressive government would have different value motives. A progressive government would be asking how we can support Tor users and further ask why Tor is needed in the first place. DHS is about stopping politically defined evil doers, not about security, and therefore is regressive when it comes to solutions that also happen to support statistically trivial malice.

Tor sits on a fine line between perceived use and actual use. A lot of people won’t safeguard their privacy because of the notorious logical fallacy and blockage of “nothing to hide, nothing to fear.” At one point in history, a lot of people were opposed to using toothpaste just like a lot of people were opposed to using condoms. But over time, people learned about the factual uses of fluoride and the long term benefits of not contracting sexually transmitted diseases. It’s just something that you have to do to safeguard yourself from potential harm.


Criminals still have the right to free speech, right? Do we take away the free speech rights of non-criminals because criminals get to write books?

Tor has been popularized as something notorious and even something that can’t be trusted. We can thank educational ineptitude and regressive media. Journalists working in extremely regressive nations who rely on Tor to protect their life understand the value of Tor. People who lambaste Tor are not those people, they are people who have time to invent false causality based on financial facts.

Tor is a complex, technical system that empowers socially acceptable progress. Sometimes technical people have presumptions about Tor. Sometimes Tor gets in the way of what someone gets paid to do and we hear about it in technically and socially regressive ways. If your capacity for understanding Tor stops at the opinions of these people, then maybe you should ignore your tendency to accept what other people say and learn for yourself. Read the Tor specification. Watch the abundant amount of YouTube videos where Tor developers and security trainers are providing [meaningful, factual, applicable] information.

I hope that libraries around the world, who appreciate technologies that increase access to information, understand the net-benefit and cause-and-effect relationship between anonymity, self education, free speech, and a free press.