|
|
http://chronicle.com/weekly/v53/i23/23b00501.htm
By PAUL CESARINI
The Chronicle Review
February 9, 2007
Volume 53, Issue 23, Page B5
At 9:15 one Thursday morning, there came a polite knock on my mostly
closed office door. I was expecting the knock. A student was coming to
talk to me about getting into one of my courses, which he needed to
graduate.
So when I heard the knock, I said, "C'mon in, Kyle." Someone said,
"Hello?" and came in, along with two smartly dressed men extending
business cards to me.
I recognized the speaker as a network-security technician in my
university's office of information-technology services. The other men
were not familiar, but a quick glance at their cards told me they were
detectives on our campus police force. They closed my office door behind
them, sat down, took out notepads and pens, and asked if I had a few
minutes to speak with them about Tor.
Tor an acronym for The Onion Router is a freely available, open-source
program developed by the U.S. Navy about a decade ago. A browser
plug-in, it thwarts online traffic analysis and related forms of
Internet surveillance by sending your data packets through different
routers around the world. As each packet moves from one router to the
next, it is encoded with encrypted routing information, and the previous
layer of such information is peeled away hence the "onion" in the name.
Basically, Tor is a way to surf the Internet anonymously. Someone
looking up potentially sensitive information might prefer to use it like
a person who is worried about potential exposure to a sexually
transmitted disease and shares a computer with roommates. Abuse
survivors might not want anyone else knowing they have visited Web sites
for support groups related to rape or incest. Journalists in repressive
regimes with state-controlled media use Tor to reach foreign online news
sites, chat rooms, blogs, and related venues for information.
Tor can also be useful in e-commerce. For example, Amazon.com knows more
about my shopping habits and tastes than my wife does. I appreciate
Amazon's ability to make recommendations based on my previous purchases.
But in 2000, Amazon admitted experimenting with so-called dynamic
pricing, charging different people different prices for the same MP3
player; the prices were presumably based on estimates of what each user
would be willing to pay, considering prior purchases. Online merchants
could all do that, thanks to traffic analysis. They know who I am when I
log on unless I delete their cookies or use Tor.
Of course, anonymous Web surfing can be used to conceal fraud and other
forms of electronic malfeasance. That was why the police had come to see
me. They told me that only two people on our campus were using Tor: me
and someone they suspected of engaging in an online scam. The detectives
wanted to know whether the other user was a former student of mine, and
why I was using Tor.
Widespread use of Tor could be a huge headache for network-security
administrators, particularly in higher education. My university alone
has more than 21,000 students. Imagine what would happen if even a tenth
of them and a similar percentage of faculty and staff members started
using Tor regularly. With all the spam scams, phishing scams, identity
theft, and related criminal enterprises going on around the world many
of which involve remotely hijacking university-owned computers we could
approach technological anarchy on the campus.
My reason for downloading and installing the Tor plug-in was actually
simple: I'd read about it for some time, was planning to discuss it in
two courses I teach, and figured I should have some experience using it
before I described it to my students. The courses in question both deal
with controlling technology, diffusing it throughout society, and
freedom and censorship online.
When I cover online censorship in countries with no free press, I focus
on how those countries rely on hardware, software, and phalanxes of
people to make sure citizens can reach only government-approved media.
Crackdowns on independent journalists, bloggers, and related dissidents
all too often result in their being beaten, incarcerated, or worse.
Technologies like Tor represent a beacon of freedom to people in those
countries, and I would be doing my students a disservice if I didn't
mention it.
The detectives and network-security technician listened patiently to me,
wearing their best poker faces. They then gave me a copy of the
university's responsible-use policy, which employees must agree to abide
by when we first sign up for our e-mail accounts. They pointed out that
my actions violated at least three provisions of that policy.
I wasn't particularly impressed. I had helped edit and revise that
policy when I worked for the information-technology office before I
earned my Ph.D., and I knew that neither Tor nor any similar program had
existed when the policy was first written. I also knew that the
provisions in question were vague.
My visitors next produced page after page of logs detailing my apparent
use of Tor. While I couldn't dispute most of the details in the logs,
they seemed inaccurate. For example, the technician said I had been
using Tor earlier that morning. In fact, I had been at Wal-Mart that
morning looking for a good deal on an HDTV; I had reached my office only
about five minutes earlier.
More important, the logs did not prove any wrongdoing on my part. All
they demonstrated was that I, like thousands of others around the world,
had installed and infrequently used Tor. In my case, of course, there
was no wrongdoing.
Nonetheless, my visitors made two requests: that I stop using Tor, and
that I avoid covering it in class.
Having been on the administrative end of academic technology, I
appreciate the difficulties facing the information-technology staff. No
one pats you on the back if nothing goes wrong, but if something does if
a virus or worm sweeps through the campus's network infrastructure, or
someone hijacks some computers to churn out spam you are off everyone's
Christmas-card list. The last thing my former colleagues needed was some
smarmy faculty member spouting off about academic freedom and
threatening to demonstrate Tor to 100-plus students each semester.
Their job is to protect the network that allows me to do my job: to
teach classes that are mostly or entirely online, and to conduct
research. If they weren't here as the first or even only line of defense
against the unscrupulous elements of our technological society, my
university would cease to function. It's as simple as that.
Furthermore, I do not rely heavily on Tor, or even think much about it
outside the context of my courses. I find all that routing makes it slow
to use, even with the superfast connection I have at work.
But it is being used all around the world, by people in countries that
restrict their access to information, by corporate whistle-blowers, and
by digital-rights activists. It's even being used by average people like
me, as a way to keep innocuous and personal online activities private.
So in the head-on collision between my appreciation of the role IT staff
members play on my campus and my understanding of the role I have to
play for my students, my need for academic freedom won. I found myself
lecturing my three visitors into near catatonia about the uses of Tor.
Finally, they shook my hand, thanked me for talking with them, reminded
me that I was probably violating the responsible-use policy, and left.
They had bigger game to catch: the other Tor user on the campus.
A moment later, I heard another knock on my door. One of the detectives
had come back to ask if I would reconsider my position. I told him that
while I would think about giving up Tor, I honestly felt that this was a
clear case of academic freedom, and I could not bow to external
pressure. I reminded him that Tor is a perfectly legal, open-source
program that serves a wide variety of legitimate needs around the world.
He nodded and left. Feeling an odd mixture of righteous indignation,
patriotism, and dread, I closed the door.
Almost immediately, I heard still another knock. In perhaps an overly
dramatic fashion, I raised my voice and bravely said, as I opened the
door, "I'm sorry, but it's about academic freedom!"
There was Kyle, add/drop slip in one hand, pen in the other, grooving to
his iPod, looking at me blankly.
-=-
Paul Cesarini is an assistant professor of visual communication and
technology education at Bowling Green State University.
______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss