For university officials
Your university is a beacon of free thought. Naturally, you have been asked to allow a Tor relay on your campus. But should you?
Yes you should! We think running a Tor relay is a safe and legal way to help support free speech and democracy all over the world. But it’s not just us, thousands of Tor relay operators have run Tor relays for years all over the world.
If this all sounds too technical, don’t worry. All you’ll need is: a computer, bandwidth, some basic networking and system administration skills from your interested students or professors, and depending on the relay, you may need some help from the IT department. Once it’s set up, a Tor relay requires very little maintenance, but will help millions of people.
You may have many legal, technical, and policy questions. We tried to answer many of these types of questions below, but if you have other questions we would like to hear from you.
Setting up a Tor relay not only benefits the world, it signals to others that your university is a defender of free speech and intellectual freedom. Running a Tor relay can help your university in all sorts of ways, including:
- Provide hands-on cybersecurity experience: setting up and maintaining a Tor relay means students can practice this knowledge in a real environment while helping real people.
- Show students various career paths: by getting more involved with Tor and running a Tor relay, students get to learn about EFF, Tor Project, Citizen Lab, Access Now, and many more civil society and non-profit organizations.
- Get students thinking about global policy, law, and society: Tor is more than a technology project. People around the world use Tor for many different reasons, from safe censorship circumvention to simple good data hygiene. Understanding these reasons is a great way to learn about what’s going on in the wider world.
- Help refine privacy advocacy skills: operating a Tor relay as part of the Tor community creates opportunities to explain the importance of privacy and security, both inside the university and outside it.
- Connect student groups to professors and research groups: one of the great community-building aspects of running a relay at a university is the process of finding and cultivating allies. Enthusiastic students often need a faculty connection to endorse their relay plans, while faculty are always looking for great students to join their research projects.
- Support freedom of speech and freedom of learning: universities have long been bastions of learning and cutting-edge thinking. Just as universities have libraries to help maintain and improve knowledge, they can also support more modern equivalents for safe learning.
- Increase capacity of the Tor network: the Tor network is made up of volunteer organizations and individuals all around the world who share Tor’s values and are in a position to contribute time and bandwidth.
- Help the Tor network stay strong so people can use it for research: the sciences of anonymous communication and censorship-resistance are active research fields. Having a testbed is critical to understanding real-world factors ranging from user behavior to network connectivity.
- Get a “competitive advantage” over your peer institutions: recruiting the best grad students and faculty is challenging for universities. Being able to point to your participation in Tor—with its impacts on education, community, and research—is a factor that can set your institution apart.
- Have access to your own Tor relay: some research simply can’t be done without direct access to pieces of the Tor network. But be careful, since you want to make sure that your research isn’t putting users or the network at risk. See the Tor Research Safety Board guidelines to learn more about safe and ethical Tor research.
We hope you’re excited to have a Tor relay on your campus, but if you have questions or want to learn more, please get in touch with us!
Frequently Asked Questions
Why are universities a good place to run relays?
Universities are ideal candidates for hosting Tor relays as they tend to have good network connectivity, lots of technical expertise to run relays (including professors, students, and IT teams), and generally value freedom of thought and expression. By running a Tor relay, universities can directly promote themselves as defenders of intellectual freedom and vanguards against censorship.
I’m ready to run a relay at my university, but I don’t want to run an exit relay.
That’s fine! The Tor network needs relays of all types to be healthy. By default the relay you set up will act as an entry or middle relay, only relaying traffic to other Tor nodes. This is the most low maintenance form of relay and it ensures you will not have to deal with any complaints or other issues. You can also additionally consider running a bridge or a snowflake proxy to help people access Tor where it is censored.
Great. That’s exactly why we implemented exit policies.
Each Tor relay has an exit policy that specifies what sort of outbound connections are allowed or refused from that relay. The exit policies are propagated to Tor clients via the directory, so clients will automatically avoid picking exit relays that would refuse to exit to their intended destination. This way each relay can decide the services, hosts, and networks it wants to allow connections to, based on abuse potential and its own situation. Read the support entry on issues you might encounter if you use the default exit policy, and then read Mike Perry’s tips for running an exit node with minimal harassment.
The default exit policy allows access to many popular services (e.g. web browsing), but restricts some due to abuse potential (e.g. mail) and some since the Tor network can’t handle the load (e.g. default file-sharing ports). You can change your exit policy by editing your torrc file. If you want to avoid most if not all abuse potential, set it to “reject *:*”. This setting means that your relay will be used for relaying traffic inside the Tor network, but not for connections to external websites or other services.
If you do allow any exit connections, make sure name resolution works (that is, your computer can resolve internet addresses correctly). If there are any resources that your computer can’t reach (for example, you are behind a restrictive firewall or content filter), please explicitly reject them in your exit policy otherwise Tor users will be impacted too.
Tor’s mission is to advance human rights with free and open-source technology, empowering users to defend against mass surveillance and internet censorship. We hate that there are some people who use Tor for nefarious purposes, and we condemn the misuse and exploitation of our technology for criminal activity.
It’s essential to understand that criminal intent lies with the individuals and not the tools they use. Just like other widely available technology, Tor can be used by individuals with criminal intent. And because of other options they can use it seems unlikely that taking Tor away from the world will stop them from engaging in criminal activity. At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, and be used by law enforcement to investigate crime and help support survivors.
Distributed denial of service (DDoS) attacks typically rely on having a group of thousands of computers all sending floods of traffic to a victim. Since the goal is to overpower the bandwidth of the victim, they typically send UDP packets since those don’t require handshakes or coordination.
But because Tor only transports correctly formed TCP streams, not all IP packets, you cannot send UDP packets over Tor. (You can’t do specialized forms of this attack like SYN flooding either.) So ordinary DDoS attacks are not possible over Tor. Tor also doesn’t allow bandwidth amplification attacks against external sites: you need to send in a byte for every byte that the Tor network will send to your destination. So in general, attackers who control enough bandwidth to launch an effective DDoS attack can do it just fine without Tor.
First of all, the default Tor exit policy rejects all outgoing port 25 (SMTP) traffic. So sending spam mail through Tor isn’t going to work by default. It’s possible that some relay operators will enable port 25 on their particular exit node, in which case that computer will allow outgoing mails; but that individual could just set up an open mail relay too, independent of Tor. In short, Tor isn’t useful for spamming, because nearly all Tor relays refuse to deliver the mail.
Of course, it’s not all about delivering the mail. Spammers can use Tor to connect to open HTTP proxies (and from there to SMTP servers); to connect to badly written mail-sending CGI scripts; and to control their botnets — that is, to covertly communicate with armies of compromised computers that deliver the spam.
This is a shame, but notice that spammers are already doing great without Tor. Also, remember that many of their more subtle communication mechanisms (like spoofed UDP packets) can’t be used over Tor, because it only transports correctly-formed TCP connections.
Tor has implemented exit policies. Each Tor relay has an exit policy that specifies what sort of outbound connections are allowed or refused from that relay. This way each relay can decide the services, hosts, and networks it wants to allow connections to, based on abuse potential and its own situation. We also have a dedicated team, Network Health, to investigate bad relays behavior and kick them out of the network.
It is important to note that while we can combat some type of abuse like bad relays in our network, we can’t see or manage what users do on the network and that is by design. This design overwhelmingly allows for beneficial uses by providing human rights activists, journalists, domestic violence survivors, whistleblowers, law enforcement officers, and many others with as much privacy and anonymity as possible. Learn more about our users here: https://community.torproject.org/user-research/personas/.
If you run a Tor relay that allows exit connections (such as the default exit policy), it’s probably safe to say that you will eventually hear from somebody. Abuse complaints may come in a variety of forms. For example:
- Somebody connects to Hotmail, and sends a ransom note to a company. The FBI sends you a polite email, you explain that you run a Tor relay, and they say “oh well” and leave you alone. [Port 80]
- Somebody tries to get you shut down by using Tor to connect to Google groups and post spam to Usenet, and then sends an angry mail to your ISP about how you’re destroying the world. [Port 80]
- Somebody connects to an IRC network and makes a nuisance of himself. Your ISP gets polite mail about how your computer has been compromised; and/or your computer gets DDoSed. [Port 6667]
- Somebody uses Tor to download a Vin Diesel movie, and your ISP gets a DMCA takedown notice. See EFF’s Tor DMCA Response Template, which explains why your ISP can probably ignore the notice without any liability. [Arbitrary ports]
Some hosting providers are friendlier than others when it comes to Tor exits. For a listing see the good and bad ISPs wiki.
For a complete set of template responses to different abuse complaint types, see the collection of templates. You can also proactively reduce the amount of abuse you get by following these tips for running an exit node with minimal harassment and running a reduced exit policy.
You might also find that your Tor relay’s IP is blocked from accessing some Internet sites/services. This might happen regardless of your exit policy, because some groups don’t seem to know or care that Tor has exit policies. (If you have a spare IP not used for other activities, you might consider running your Tor relay on it.) In general, it’s advisable not to use your home internet connection to provide a Tor relay.
A collection of templates for successfully responding to ISPs is collected here.
How does Tor manage the misuse of Tor technology?
We condemn the misuse and exploitation of our technology for criminal activity and nefarious purposes. We built Tor to advance human rights and will act to the best of our abilities whenever we detect malicious activity – or activity that violates our code of conduct and mission statement – by our relay operators. However, because of the design of Tor, we are incapable of tracking users and managing their use of our technology. While we can ban bad relays, we can’t ban users.
Please consider that our software is used every day for a wide variety of purposes by human rights activists, journalists, domestic violence survivors, whistleblowers, law enforcement officers, and many others. Unfortunately, the protection that our software can provide to these groups of people can also be abused by criminals and malware authors.
If your questions aren’t answered there please contact us.
NOTE: This FAQ is for informational purposes only and does not constitute legal advice. Our aim is to provide a general description of the legal issues surrounding Tor in the United States. Different factual situations and different legal jurisdictions will result in different answers to a number of questions. Therefore, please do not act on this information alone; if you have any specific legal problems, issues, or questions, seek a complete review of your situation with a lawyer licensed to practice in your jurisdiction.
Also, if you received this document from anywhere besides the EFF web site or https://community.torproject.org/relay/community-resources/eff-tor-legal-faq, it may be out of date. Follow the link to get the latest version.
Last reviewed: March 2023
Has anyone ever been sued or prosecuted for running Tor?
Although we are not aware of an individual being sued, prosecuted, or convicted for running a Tor relay, law enforcement in the United States and other countries has occasionally mistakenly investigated individuals running a Tor relay. We believe that running a Tor relay, including an exit relay that allows people to anonymously send and receive traffic, is legal under U.S. law. Law enforcement, however, often misunderstands how Tor works and has occasionally attributed illegal traffic on the network as originating from a Tor exit relay. This has resulted in police suspecting Tor relay operators of crimes and sometimes seizing computer equipment, including Tor relays. For example, in 2016 Seattle police mistakenly raided the home of a privacy activist operating a Tor exit relay. And Russian authorities wrongfully arrested math instructor and Tor relay operator Dmitry Bogatov, though they later cleared him of charges.
Should I use Tor or encourage the use of Tor for illegal purposes?
No. Tor has been developed to be a tool for free expression, privacy, and human rights. It is not a tool designed or intended to be used to break the law, either by Tor users or Tor relay operators.
Can EFF promise that I won’t get in trouble for running a Tor relay?
No. All new technologies create legal uncertainties, and Tor is no exception. We cannot guarantee that you will never face any legal liability as a result of running a Tor relay.
Will EFF represent me if I get in trouble for running a Tor relay?
Maybe. While EFF cannot promise legal representation for all Tor relay operators, it will assist relay operators in assessing the situation and will try to locate qualified legal counsel when necessary. Inquiries to EFF for the purpose of securing legal representation or referrals should be directed to our intake coordinator by sending an email to info at eff.org. Such inquiries will be kept confidential subject to the limits of the attorney/client privilege. Note that although EFF cannot practice law outside of the United States, it will still try to assist non-U.S. relay operators in finding local representation.
How should I deal with a police visit/raid/interrogation?
If you are detained and questioned by police, you have a right to request to speak with an attorney before and during any questioning. It is best to say “I want my attorney and I choose to remain silent” and then refuse questioning until you have a chance to talk to a lawyer.
However, if you do decide to waive your right to the assistance of counsel and answer questions without an attorney present, be sure to tell the truth. Lying to law enforcement may lead to more trouble than for whatever it was they wanted to talk to you about in the first place.
Does U.S. law provide any protections for the Tor network against civil lawsuits?
Yes. A federal law, 47 U.S.C. § 230 (often called Section 230), provides legal immunity for online intermediaries that host or republish speech. Though there are important exceptions for certain criminal and intellectual property-based claims, Section 230’s immunity protects online services, such as the Tor network, against a range of laws that might otherwise be used to hold them legally responsible for what others say and do. Another federal law, 17 U.S.C. § 512(a), part of the Digital Millennium Copyright Act, provides a legal safe harbor against copyright infringement claims based on material that is simply transmitted without modification, as a Tor relay does.
Should I contact the Tor developers when I have legal questions about Tor or to inform them if I suspect Tor is being used for illegal purposes?
No. Tor’s developers are available to answer technical questions, but they are not lawyers and cannot give legal advice. Nor do they have any ability to prevent illegal activity that may occur through Tor relays. Furthermore, your communications with Tor’s developers are not protected by any legal privilege, so law enforcement or civil litigants could subpoena and obtain any information you give to them.
You can contact firstname.lastname@example.org if you face a specific legal issue. We will try to assist you, but given EFF’s small size, we cannot guarantee that we can help everyone.
Do Tor’s core developers make any promises about the trustworthiness or reliability of Tor relays that are listed in their directory?
No. Although the developers attempt to verify that Tor relays listed in the directory maintained by the core developers are stable and have adequate bandwidth, neither they nor EFF can guarantee the personal trustworthiness or reliability of the individuals who run those relays. Tor’s core developers further reserve the right to refuse a Tor relay operator’s request to be listed in their directory or to remove any relay from their directory for any reason.
Exit relays raise special concerns because the traffic that exits from them can be traced back to the relay’s IP address. While we believe that running an exit relay is legal, it is practically impossible to stop the use of an exit relay for illegal activity. That may attract the attention of private litigants or law enforcement. An exit relay may forward traffic that is considered unlawful, and that traffic may be attributed to the operator of a relay. Indeed, police have mistakenly attributed traffic from an exit relay as coming from the relay’s operator. If you are not willing to deal with that risk, a bridge or middle relay may be a better fit for you. These relays do not directly forward traffic to the internet and so can’t be easily mistaken for the origin of allegedly unlawful content.
The Tor Project’s blog has some excellent recommendations for running an exit with as little risk as possible. We suggest that you review their advice before setting up an exit relay.
Should I run an exit relay from my home?
No, this is risky and not recommended. If law enforcement becomes interested in traffic from your exit relay, it’s possible that officers will mistakenly attribute that traffic as originating from your home. This could result in law enforcement raiding your home, seizing your computer, and suspecting you of criminal activity. For that reason, it’s best not to run your exit relay in your home or using your home Internet connection.
Given those risks, you should instead consider running your exit relay in a commercial facility that is supportive of Tor. Have a separate IP address for your exit relay, and don’t route your own traffic through it.
Of course, you should avoid keeping any sensitive or personal information on the computer hosting your exit relay, and you never should use that machine for any illegal purpose. If you do decide to run an exit relay from your home despite these risks, please review Tor’s recommendations, including telling your ISP and obtaining a separate IP address for the exit relay.
Should I tell my ISP that I’m running an exit relay?
Yes. Make sure you have a Tor-friendly ISP that knows you’re running an exit relay and supports you in that goal. This will help ensure that your internet access isn’t cut off due to abuse complaints. The Tor community maintains a list of ISPs that are particularly Tor-savvy, as well as ones that aren’t.
Is it a good idea to let others know that I’m running an exit relay?
Yes. Be as transparent as possible about the fact that you’re running an exit relay. If your exit traffic draws the attention of the government or disgruntled private party, you want them to figure out quickly and easily that you are part of the Tor network and not responsible for the content. This could mean the difference between having your computer seized by law enforcement and being left alone.
The Tor Project suggests the following ways to let others know that you’re running an exit relay:
- Set up a reverse DNS name for the IP address that makes clear that the computer is an exit relay.
- Set up a notice like this to explain that you’re running an exit relay that’s part of the Tor network.
- If possible, get an ARIN registration for your exit relay that displays contact information for you, not your ISP. This way, you’ll receive any abuse complaints and can respond to them directly. Otherwise, try to ensure that your ISP forwards abuse complaints that it receives to you.
Should I snoop on the plaintext traffic that exits through my Tor relay?
No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your relay. However, Tor relay operators in the United States can possibly create civil and even criminal liability for themselves under state or federal wiretap laws if they monitor, log, or disclose Tor users’ communications, while non-U.S. operators may be subject to similar laws. Do not examine anyone’s communications without first talking to a lawyer.
If I receive a subpoena or other information request from law enforcement or anyone else related to my Tor relay, what should I do?
Educate them about Tor. In most instances, properly configured Tor relays will have no useful data for inquiring parties, and you should feel free to educate them on this point. To the extent you do maintain logs, however, you should not disclose them to any third party without first consulting a lawyer. In the United States, the data may be protected by the Electronic Communications Privacy Act, and relay operators outside of the United States may be subject to similar data protection laws.
You may receive legal inquiries where you are prohibited by law from telling anyone about the request. We believe that, at least in the United States, such gag orders do not prevent you from talking to a lawyer, including calling a lawyer to find representation. Inquiries to EFF for the purpose of securing legal representation should be directed to our intake coordinator (info at eff.org). Such inquiries will be kept confidential subject to the limits of the attorney/client privilege.
For information on what to do if law enforcement seeks access to your digital devices, check out EFF’s Know Your Rights guide.
My ISP, university, etc. just sent me a DMCA notice. What should I do?
EFF has written a short template to help you write a response to your ISP, university, etc., to let them know about the details of the Digital Millennium Copyright Act’s safe harbor, and how Tor fits in. Note that template only refers to U.S. jurisdictions, and is intended only to address copyright complaints that are based on a relay of allegedly infringing material through the Tor node.
If you like, you should consider submitting a copy of your notice to the Lumen Database. The email address for submissions is email@example.com. This will help us recognize trends and issues that the lawyers might want to focus on. Lumen encourages submissions from people outside the United States too.
EFF believes that Tor relays should be protected from copyright liability for the acts of their users because a Tor relay operator can raise an immunity defense under Section 512 of DMCA as well as defenses under copyright’s secondary liability doctrines. However, no court has yet addressed these issues in the context of Tor itself. If you are uncomfortable with this uncertainty, you may consider using a reduced exit policy (such as the default policy suggested by the Tor Project) to try to minimize traffic types that are often targeted in copyright complaints.