Saturday, July 12, 2014

Austrian Court Sentenced a Tor Exit Node Operator

Last week, the Austrian Regional Criminal Court in Graz (Landesgericht für Strafsachen in Graz) sentenced 22-year-old William Weber to 3 months of jail time with a 3-year probation period for aiding the distribution of child pornography by operating a Tor Exit Node, according to

For those who don't know the Tor Project, it is free software that enables online anonymity. Tor is increasingly used by activists, human rights defenders, journalists and others who need to or just want to use the Internet more anonymously. Among them, of course, criminals such as distributors of child pornography also use it. Tor Exit Nodes are Tor's gateways, where traffic leaves the encrypted Tor network and hits the Internet. Nodes are run by volunteers all over the world in order to increase the capacity and speed of the Tor Network.

William Weber was running one of the Tor Exit Nodes upon which the system relies. The Austrian court found that this activity may lead to criminal liability for aiding and abetting the crime of distribution of child pornography when coupled with other circumstances. Of course, the mere provision of Tor Nodes would not be enough to establish at least indirect intent (bedingter Vorsatz), which such aiding and abetting under criminal law usually requires (§ 5 StGB).

In order to find such circumstances, according to PCWorld, the court cited transcripts of chat sessions uncovered during the investigation in which Weber told an unidentified correspondent “You can host 20TB child porn with us on some encrypted hdds”, “You can host child porn on our servers” and “If you want to host child porn ... I would use Tor.” Weber defended himself against this on his blog saying: "Yes, this logs existed – Yes, i recommended Tor to host *anything* anonymously, including child pornography – Yes, this is of course taken out of context."

From the reporting I have found, it is not clear to me if the Austrian court discussed the mere conduit safe harbor under Art. 12 of the eCommerce Directive [Section 13 of the Austrian eCommerce Act]. Austrian lawyers commenting on the case, Franz Schmidbauer and Huťko's friend Maximilian Schubert, however, referred to this provision in the media coverage [here, here, here].

Article 12 of the eCommerce Directive states in this respect that:

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.

An operator of a Tor Exit Node, in my opinion, clearly falls within the definition of mere conduit services, as it only helps to route Internet traffic. Because the eCommerce Directive cuts across all fields of liability, including criminal liability, it might appear questionable that Weber, who most likely satisfied requirements (a)-(c), could have been held liable for the routed traffic at all. But things are never that simple, and neither is the eCommerce Directive itself. In Recital 44 of the Directive, you find the following:

(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of "mere conduit" or "caching" and as a result cannot benefit from the liability exemptions established for these activities.

This provision is an extra requirement, one which relates to the (in)famous CJEU requirement of passivity of intermediary activities in general, including hosting. In other words, the Austrian court was free to impose criminal liability if a Tor Exit Node operator intentionally collaborated with the perpetrator of the crime of distribution of child pornography. The open question, however, is how extensively one can understand such "deliberate collaboration". First of all, given that it is defined nowhere in the eCommerce Directive, it is clearly an autonomous term of Union law, which is in the hands of the CJEU. The Austrian courts thus might have been interested in seeing whether their local interpretation of indirect intent is still in line with this requirement. I know close to nothing about the exact facts of the case, but from the media coverage it appears that Weber did identifiably encourage exact perpetrators over chat.

This decision shows that one should be not only technically, but also legally cautious when operating a Tor Exit Node [perhaps Tor should add a note here]. Don't get me wrong, the operation of such Nodes is very important in serving all the legitimate Tor traffic. But one should not forget that the legitimacy of Tor is based on these cases, and aiding identifiable misuses can be penalized. The main problem I see with this decision is not the application of criminal liability in the current case. And I don't even worry that people would start generalizing this too much. We should, however, be really careful to keep the standard of "deliberate collaboration" very high; otherwise it might be easy to criminalize Tor Exit Node operators.

At least in Europe, the CJEU should be able to prevent such excess. More troubling could be that if the same logic is applied in countries with less legitimate criminal offences, such as anti-state propaganda crimes, it can be very easy to criminalize Tor Exit Node operators. The case also shows that the limited liability of intermediaries serves the protection of privacy as well, and that without clear rules, even technical solutions might have problems in their deployment.

Weber told the media that he will not appeal the case due to legal fees. Moritz Bartl from TorServers, however, commented:

This particular case went bad because of multiple reasons. We strongly believe that it can be easily challenged. While certainly shocking, lower court ruling should not be taken too seriously, and this won't necessarily mean that all Tor relays in Austria are now automatically illegal. The ruling only happened two days ago, there is no written statement from the court yet, so we should all be patient and wait for that before we make any assumptions. We will definitely try and find some legal expert in Austria and see what we can do to fight this.

I believe that the last thing we should try is to see things in black and white here.

1 comment:

Martin Pančišin said...

his own (possibly biased) point of view can be found here: