Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e6447a5a29
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
ideas
/
xxx-geoip-survey-plan.txt

xxx-geoip-survey-plan.txt 3.8 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 
  1. 

  2. 

  3. Abstract
    4. 

  4. 

  5.    This document explains how to tell about how many Tor users there
    6. 

  6.    are, and how many there are in which country.  Statistics are
    7. 

  7.    involved.
    8. 

  8. 

  9. Motivation
    10. 

  10. 

  11.    There are a few reasons we need to keep track of which countries
    12. 

  12.    Tor users (in aggregate) are coming from:
    13. 

  13. 

  14.       - Resource allocation.  Knowing about underserved countries with
    15. 

  15.         lots of users can let us know about where we need to direct
    16. 

  16.         translation and outreach efforts.
    17. 

  17. 

  18.       - Anticensorship.  Sudden drops in usage on a national basis can
    19. 

  19.         indicate the arrival of a censorious firewall.
    20. 

  20. 

  21.       - Sponsor outreach and self-evalutation.  Many people and
    22. 

  22.         organizations who are interested in funding The Tor Project's
    23. 

  23.         work want to know that we're successfully serving parts of the
    24. 

  24.         world they're interested in, and that efforts to expand our
    25. 

  25.         userbase are actually succeeding.  So, when you come right
    26. 

  26.         down to it, do we.
    27. 

  27. 

  28. Goals
    29. 

  29. 

  30.    We want to know about how many Tor users there are, and which
    31. 

  31.    countries they're in, even in the presence of a hypothetical
    32. 

  32.    "directory guard" feature.  Some uncertainty is okay, but we'd like
    33. 

  33.    to be able to put a bound on the uncertainty.
    34. 

  34. 

  35.    We need to make sure this information isn't exposed in a way that
    36. 

  36.    helps an adversary.
    37. 

  37. 

  38. Methods:
    39. 

  39. 

  40.    Every client downloads network status documents.  There are
    41. 

  41.    currently three methods (one hypothetical) for clients to get them.
    42. 

  42.       - 0.1.2.x clients (and earlier) fetch a v2 networkstatus
    43. 

  43.         document about every NETWORKSTATUS_CLIENT_DL_INTERVAL [30
    44. 

  44.         minutes].
    45. 

  45. 

  46.       - 0.2.0.x clients fetch a v3 networkstatus consensus document
    47. 

  47.         at a random interval between when their current document is no
    48. 

  48.         longer freshest, and when their current document is about to
    49. 

  49.         expire.
    50. 

  50. 

  51.         [In both of the above cases, clients choose a directory cache at
    52. 

  52.         random with odds roughly proportional to its bandwidth.]
    53. 

  53. 

  54.       - In some future version, clients will choose directory caches
    55. 

  55.         to serve as their "directory guards" to avoid profiling
    56. 

  56.         attacks, similarly to how clients currently start all their
    57. 

  57.         circuits at guard nodes.
    58. 

  58. 

  59.     We assume that a directory cache can tell which of these three
    60. 

  60.     categories a client is in by the format of its status request.
    61. 

  61. 

  62.     A directory cache can be made to count distinct client IP
    63. 

  63.     addresses that make a certain request of it in a given timeframe.
    64. 

  64.     For the first two cases, a cache can get a picture of the overall
    65. 

  65.     number and countries of users in the network by dividing the IP
    66. 

  66.     count by the probability with which they (as a cache) would be
    67. 

  67.     chosen.  Assuming that our listed bandwidth is such that we expect
    68. 

  68.     to be chosen with probability P for any given request, and we've
    69. 

  69.     been counting IPs for long enough that we expect the average
    70. 

  70.     client to have made N requests, they will have visited us at least
    71. 

  71.     once with probability P' = 1-(1-P)^N, and so we divide the IP
    72. 

  72.     counts we've seen by P' for our estimate.
    73. 

  73. 

  74.     If directory guards are in use, directory guards get a picture of
    75. 

  75.     all those users who chose them as a guard when they were listed
    76. 

  76.     as a good choice for a guard, and who are also on the network
    77. 

  77.     now.  The cleanest data here will come from nodes that were listed
    78. 

  78.     as good new-guards choices for a while, and have not been so for a
    79. 

  79.     while longer (to study decay rates); nodes that have been listed
    80. 

  80.     as good new-guard choices consistently for a long time (to get a
    81. 

  81.     sample of the network); and nodes that have been listed as good
    82. 

  82.     new-guard choices only recently (to get a sample of new users and
    83. 

  83.     users whose guards have died out.)
    84. 

  84. 

  85.     Note that these measurements *shouldn't* be taken at directory
    86. 

  86.     authorities: their picture of the network is too skewed by the
    87. 

  87.     special cases in which clients fetch from them directly.
    88. 

  88.