CNET News reports:
A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.
The researchers set up their own servers on Tor, then monitored the data they were sent. Such activity may have been illegal snooping.
But why should looking at data you were voluntarily sent count as snooping? To use an old economy example, if you fax me all of your important documents and I read them, have I engaged in wiretapping? The researchers are in a similar position. As part of their project, they received data (such as exit node information) voluntarily sent by Tor users – just as every other Tor server receives. The only difference is that the researchers actually looked at the data and used it for research purposes.
The Tor researchers are just the latest example of the general truth that you cannot expect that no one to whom you send data will ever look at it. The intenet is fundamentally open. If you send data through your ISP’s lines, your ISP can read it. If you send it to a website, the website can use it. Ideally, private contracts – like ISP service agreements and website privacy policies – would govern such data use. But in the absence of an explicit agreement, if you send me data, the law must assume that you have given it to me. If you don’t want me looking at your medical records, don’t stuff them in my mailbox.
It should be noted that users have found ways to secure their privacy online, but the government often hinders such innovations. When researchers decide to use data they were voluntarily sent, government should stay out.