Online Privacy and the Use of the Tor Network in the Library

The issue of Internet privacy and anonymous web browsing in public libraries has received a lot of focus in the news lately after a public library in New Hampshire implemented a technology designed to ensure private Internet use. This activity raised concerns for the Department of Homeland Security and local law enforcement.

This article is intended to summarize the issues that were raised on this topic, to explain how The Seattle Public Library helps protect the privacy of our computer and network users, and to discuss what steps we’re taking to explore how we could expand our services to protect patron privacy.

What happened in New Hampshire?
In July 2015, the Kilton Public Library in Lebanon, New Hampshire implemented a computer called a “Tor relay” as part of a global effort to provide greater privacy and anonymity for users of the Internet. Earlier this month, the Department of Homeland Security contacted local law enforcement in Lebanon and expressed concerns that the Tor network could be used to conduct undetectable criminal activity. The City Manager asked the Kilton Public Library to remove the Tor relay. The library initially complied with the request, but within days – following shows of support from its local community and national privacy advocates – the Tor relay was reinstated.

What is the Tor Network?
To understand what the Tor network is and how it works and why it’s important, you first need to know a little something about how the Internet works.

When you use a Web browser and click a link to access a Web site or read an email, your Web browser sends a request to a remote computer asking it to send you the content you want to view.

That request contains the computer address of the destination computer – the one that has the content you’re asking for – and your computer’s Web address so that the remote computer knows where to send the content.

These addresses are visible to every computer and network device that handles your request and passes it along across the Internet to its destination. Even if the content of Internet traffic is encrypted – such as information from your bank or your emails – the address information is plainly visible.

The way the Internet works, therefore, is very much like mailing a letter to someone: You may seal a private letter inside an envelope, but you write an address and return address on the outside of the envelope. The information about who is sending the letter and where it’s going have to be readable by the post office, the mail carrier, and the recipient. Otherwise, the letter will never go anywhere!

This may be troubling for people who are concerned about protecting their online privacy. Your computer’s address can reveal information about where you are or possibly even who you are. Also, computers and network devices that route Internet traffic might keep long-term records or logs of requests they handle. Furthermore, there have been reliable reports that government agencies, such as the National Security Agency, can routinely access those records.

OK, So Then What is the Tor Network?
The Tor network is a free and volunteer-operated network of computers – called “relays” – that encrypt Internet traffic – including the source and destination address information – and then route Internet traffic randomly from its source to its destination. The Tor network ensures that Web site requests, for example, make it back-and-forth successfully, but it protects all information about those requests along the way. Only certain Tor relays know where the source and destinations really are, and they erase that information as soon as the message is delivered.

Individual users can download and install a special Web browser from the Tor Project website and use it instead of browsers such as Internet Explorer or Google Chrome to access the Internet. The Tor Browser functions like a normal web browser, but routes all traffic across the Tor network automatically. Certain technologies, like Adobe Flash, do not function on the Tor network, but most typical web browsing activities can be performed in the Tor Browser just like any other browser.

How Does The Seattle Public Library Protect Patrons’ Online Privacy
When you use a public computer at the Library or our free WiFi service, your privacy is protected in three ways.

First, the Library routes all Internet traffic through a small number of network interfaces before the traffic goes to our Internet Service Providers (ISPs). This has the effect of making all traffic that originates from the Library appear as if it is coming from these computers instead of the actual computers patrons use. When the responses come back from remote servers, they are directed back to the computer that requested them.

Second, as soon as that “request/response” transaction is complete and you are reading the Web site you requested, all the data about that transaction is deleted from the library’s records.

Third, as soon as a public computer session is ended, all information on that computer is deleted and an entirely new “image” that contains the operating system and all applications is loaded onto the computer.

All of these measures have the effect of providing a pretty good level of anonymity and privacy for users of library computers and networks. We ensure that the only information exposed to outside parties is that someone at one of the libraries in Seattle requested a Web site. After that request is complete, even we have no way of determining which of our 800+ computers or which wireless network user requested it. We also have no way of retrieving Web browser logs on public computers after a session has ended.

Our computer privacy measures are all governed by the Library’s “Confidentiality of Borrower Records” policy, which considers one’s “use of Library computers and the online sites and resources they access” to be protected, confidential information. In addition, section 42.56.310 of the Revised Code of Washington provides public disclosure and retention exemptions for public library records. This means that we are not required by state law to keep records related to patrons’ use of the Library. It is under this exemption that we are permitted to delete computer use and network log data as soon as it is no longer needed to provide service.

Can I Use Tor at the Library?
Patrons are free today to download and install the Tor Browser on Library Internet workstations. You may also install the Tor Browser on a portable device, such as USB thumbdrive, and run it from there. The Library removed most restrictions on the use of our public computers last year, and we have no policies that restrict the use of the Tor Browser. Users are, however, still subject to our “Public Use of the Internet” policy, which prohibits illegal activity on Library computers, and the Library’s “Rules of Conduct.”

The Library believes that privacy is essential to free speech, free thought and free association and we support efforts that enhance online privacy for lawful uses of the Internet. The Library’s Information Technology department, the Leadership Team and the Board of Trustees will weigh in on this in the next few months to determine any additional library support for a Tor Relay. In the meantime, the Library remains committed to protecting patron privacy as outlined above, and does not prohibit the use of the Tor Browser on Library Internet workstations.

All questions or comments regarding the Library’s privacy policies and practices or our evaluation of Tor and Tor relays may be posted below or directed to Jim Loter, the Director of Information Technology at jim.loter@spl.org.

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to Online Privacy and the Use of the Tor Network in the Library

  1. Pingback: This week at the iSchool | The Information

  2. Hey! I’m a developer for the Tor Project.

    This is absolutely wonderful! I can’t think of any greater compliment than libraries stating that the software I write helps protect the freedoms of speech, thought, expression, and association. It would be the most awesome thing ever if the Seattle Public Library also ran a Tor relay.

    Thank you so much, you totally just made my week.

  3. I notice that although SPL admirably uses HTTPS for its website and catalog, the proxy server that you mention here converts secure connections to resources such as Overdrive to insecure connections open to eavesdroppers. So while there may be improved privacy in some ways, it opens users to multiple types of surveillance.

    Anyway, SPL should consider endorsing the Library Freedom Project’s “Library Digital Privacy Pledge

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s