Sunday, January 23, 2005

The Dangers of Using Anonymous Proxies

(I originally wrote this into the wiki but it falls within the scope of the blog also so... It still needs a bit of polish but you'll get the idea.)

First off, the disclaimer: I am not a lawyer. While I've taken a few classes in technology-related law, I am not an expert. This article should not be considered legal and/or expert advise. That said...

This piece is about anonymous proxies. While some of the information here may aid in setting up or configuring a proxy, the intent is discuss some of the "darker" issues involved with their existence. Please use Google for help if you're looking for information to set up or use a proxy. There are an ample number of those sites available.

Anonymous proxies (web, mail or otherwise) and proxy filters have a number of uses, both for good and bad. Reasons for using them may include:

  • sending a nasty note to a spammer you've tracked down
  • avoiding spyware
  • doing just about anything unethical, immoral, or illegal

Using anonymizing services is not illegal by itself but will surely draw attention if you're being watched for any other purpose. If your driver's license expires and you never drive above 55 or get in an accident, no one will probably notice. However, if you consistently drive like a jerk, passing all the other cars on the highway, you'll get "noticed" within a day or two. You'll also likely discover that you'll be charged with more than one crime.

If you use encryption in the commission of a crime, you may find yourself in deeper trouble for using encryption than you think. Various states have laws which add penalties (of various degree) in such a manner.

For example, Virginia Code[4] (18.2-152.15. Encryption used in criminal activity) reads:

Any person who willfully uses encryption to further any criminal activity shall be guilty of an offense which is separate and distinct from the predicate criminal activity and punishable as a Class 1 misdemeanor.

"Encryption" means the enciphering of intelligible data into unintelligible form or the deciphering of unintelligible data into intelligible form.

While Virginia treats it as a minor crime (anyone know of a compiled list of States' laws?), various efforts have been made to introduce federal statutes where prison sentences of up to 10 years can be applied to persons using encryption in such a manner.

While you may be able to argue that you didn't notice that the illegal web site you visited was employing SSL, use of encryption usually involves a conscious decision to use it. Anonymizing proxies which employ encryption require manual configuration and possibly installation of software.

All of that aside, there's still a few issues that should be discussed: use of remote proxies which are in violation of the owner's ToS, use of foreign proxies and use of covertly installed proxies. One will only get the proxy owner into trouble with his provider but the other two may involve criminal proceedings against you, even if the only sites that you visit are as tame as Playboy or Amnesty International.

Many U.S.-based Internet users access the Internet via a broadband connection purchased from either the local cable or telephone utility. As part of the installation of the service, a subscriber signs or click-agrees to a document entitled "Terms of Service" (ToS). Somewhere in the fine print is the agreement to not install/run servers. If the user then installs an anonymizing proxy or remailer and allows the outside world to access it, he/she is in violation of his/her ToS.

Detection of these services is easy enough. A network monitor (a sniffer or IDS) configured to detect inbound packets with only the SYN flag set will produce a list of suspect IPs. The utility company can then record the count and size of packets passed through the suspect system. At a minimum, the proxy owner will be de-subscribed.

If amount of traffic is large enough, the utility may attempt to pass the costs to the proxy owner via the court system. Remember, most if not all ISPs buy their connectivity "by the bit" and having large volumes of traffic pass in and then out of their domain can make it cost effective for the ISP to at least spot check for suspicious network traffic.

If you use proxies which are located within other countries, you need to consider that you may be wandering into the jurisdiction of foreign or international law. Accessing a site as tame as Playboy is not a crime here in the U.S. but it definitely is in China. While "the Great (fire)Wall" may block direct access to Playboy, there are ways around it, such as chaining yet another proxy. Care to be the first test case for this portion of international law?

The final thing you should consider involves the use of covertly installed proxies. The average home user knows (or even cares) little about the security of their machine(s). Hackers, spammers, and worm authors are able to install all sorts of backdoors and other code in these poorly protected systems. Proxies are some of the milder examples.

There are numerous sites on the Internet that specialize in providing lists of open proxies. As entries in these lists are highly transient, usually residential in nature and often involve port numbers over 1024, it's not an overly large assumption that some of these proxies exist without the machine's owner's knowledge.

This is another area where existing laws have not been tested. Unauthorized use of computer services is against the law, in the U.S.[2] and many other countries[1]. Most are statutory in nature, meaning that proving intent is not an issue for the court. A lot of them have not been "tested". Just because you didn't know the proxy was illegal may or may not be enough of an excuse to avoid prosecution. If you a proxy to commit a crime, the point may become moot. Care to become the first test case for this portion of your country's law?

To make a convoluted discussion short, when you're configuring your browser, it may be a good idea to at least perform a cursory investigation of the IP address(es) that you will be using for proxy services. If the machine is located in another country or has a hostname that is obviously within a residential subscriber domain, it may be a good idea to find a different proxy to use.

If you're an ISP, it's probably a good idea to periodically check the available proxy lists[5][6][7] for addresses in your IP range.


References & Footnotes: