Tor, plausible deniability, watchdog and seizures
It looks like the German police has recently seized some servers running the TOR anonymity program because the TOR network seems to have been used to anonymously access child pornography. While of course nobody can publicly stand up against such an action, these seizures may sever the privacy of server owners.
TOR can be configured in several ways:
as a client only, it will transmit encrypted requests to an entry point in the TOR network
as an exit point: encrypted packets are decrypted and sent to the targetted server and answers are reencrypted and reinjected into the TOR network to be delivered to the original requestor
as a middle-man server: encrypted packets are resent to another TOR server; each server in the middle only see encrypted packets, and doesn’t know where they will be directed once they have reached the immediate next node in the network
This technique is called Onion Routing, because the sender builds the packets by encrypting them successively for the latest, next-to-latest, … relay in the chain. It also provides a response block that will be used to send the answer back and thus establish a stateful TCP connection (a circuit).
The TOR servers that have been seized by the German police were probably exit points. Even if by default a TOR server keeps no log of the packets it transmits, it may be possible (e.g., if the access provider keeps extensive traces) to go to the previous hop in the chain, meaning that more servers will be seized and searched. Since the length of the chain is freely chosen by the emitting TOR node, examination of a node is the only solution for the police to know whether the suspected computer is the request originator or only acted as a relay.
The problem is that a machine acting as a TOR server may well host private data, totally unrelated to this investigation. It can also host hidden TOR services. Those services are only accessible from within the TOR network. Their real location is unknown, even to other TOR operators (even if some researchers pretend that they are able to get partial information by warming up the server CPU and measuring the induced clock jitter).
By searching a seized server, the police may find a hidden service, be it legal or not, thus compromising the anonymity of such a hidden node. What are the best way to avoid that? How can you still hide your hidden TOR services even if the police gets your server and if you are obliged to reveal your encryption keys by law? In general, how can you keep your data private? I can think of a few solutions, that combined together should make it possible to better protect one’s privacy:
use an encrypted filesystem with plausible deniability, such as FreeBSD GBDE or David McNab’s PhoneBook (probably unmaintained): with such a filesystem, you can get many different encrypted volumes whose number and capacity is unknown to the observers; you may reveal some or all of the keys, they have no way to tell
use encrypted swap: what good is it to use an encrypted filesystem if some service traces can be found in your previously used swap partition?
use a watchdog program that reboots your computer whenever an IP address (your nearest router) stops pinging: it is easy to imagine that forensics experts may want in some cases not to pull the plug out of your machine; as more and more dedicated servers are run out of small power outlets, it is easy to get one without disturbing the power flow by switching them to a battery; of course, a laptop could play the role of the gateway as well, but it is in my opinion more unlikely; anyway, if you router doesn’t work, your machine isn’t probably really useful, by rebooting it you automatically unmount the encrypted filesystems as well
Those actions should let you host legal hidden services with less risk that they are discovered by side-effect of an unrelated police operation. At system boot time, your TOR-enabled server would start using a default relay-only configuration. When you log in and mount the filesystems, you can then restart it with the relay and hidden service configuration.
Note that I do not recommend that you use those techniques to hide illegal activities or that you don’t comply with the law enforcement agencies when you have to do so, just as the authors of GBDE or PhoneBook do not condone such activities. I am only trying to show how one can protect TOR hidden services or private data if those services or data are not the goal of the current investigation.