Just for reference. It was posted under a different category:
I hadn’t actually heard of Mysterium until this post.
Just spooled up a node, thanks for the tip!
While I love what Mysterium is trying to do, I don’t think they meet their due diligence of informing node operators of the risks involved.
I was looking for any information and it’s not readily available. Somewhere kind of buried they link to this page for guidelines of measures to take to protect yourself.
Link: Tips for Running an Exit Node in a Distributed Network - dVPN Alliance
What can I do to protect myself as an Exit Node Runner in a distributed network?
In order to start the information sharing we have tried to collect good practices and advice for node runners, so they can stay safe and protected when running a node:
1. Consider where you are running your node
There are several ways in which you can ensure that you are running a node safely. Here is a list of suggestions; they are by no means comprehensive:
- Make sure that running a node in your jurisdiction is legal
- Set up a separate company (this could even be a non-profit) to run the node (it could potentially grow to an actual business)
- Use a colocation data center
- Ask for a separate IP address for your node from your ISP.
2. Separate your traffic from encrypted traffic flowing through your node
- Ensure that you do not run your own internet traffic through the same IP address on which you are running your node.
- Ask if your Internet Service Provider (ISP) allows you to run a node, and inform them of your plans to run a node in a distributed network. Not all ISPs look positively at node running activities. For a comprehensive list of ISP sentiment towards node runners have a look at Bad ISPs - VuzeWiki or https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs. If your ISP isn’t on the list, here is a template email you can send to educate them on the function of node running in preserving human rights in a digital environment.
- Avoid keeping any sensitive or personal information on the computer hosting your node.
3. Register your IP address
Be as transparent as possible about the fact that you’re running an exit node. Register your IP address with the Regional Internet registry (depending on your country, for example: ARIN, RIPE NCC, APNIC etc.). Doing this can help you to get any claims against you dismissed much faster.
4. Understand your rights, and your risks
Each jurisdiction has its own views on the legality of node running. Many western countries have regulations that exclude communication service providers from liability. Please add your country’s regulations to this list:
- USA: DMCA 512;
- Germany: TMG 8 and 15.
- Netherlands: Artikel 6:196c BW
- Austria: ECG 13
- Sweden: 16-19 2002:562
We encourage you to share your experiences and local regulations regarding node running. It is important in order to push policy such that node runners cannot be held liable for traffic that passes through exit nodes.
You can always seek help and additional information from organizations fighting for internet freedom, such as Electronic Frontier Foundation or EDRi (or its national members, the list can be found here: https://edri.org/members/).
5. Be smart and critical if you receive a cease and desist claim
When running a node you might get attention from law enforcement or private litigants with “cease and desist” claims that you have breached intellectual property rights of a third party.
You should be aware that in some countries law firms send such claims without actually representing the owner of the intellectual property rights. They do so in the hopes of getting a settlement without going to court.
In the event of receiving a cease and desist claim, always inform any claimant that you are running a node and ask for proof that the claimant has the actual rights to represent the company he is claiming to be representative of. Also check the jurisdiction from which you are receiving the claim.
Answer any abuse complaints within a reasonable time span and be polite and professional. You can find drafts of possible answers at the following link: [link].
In a spirit of educating society about the importance of internet freedom we encourage you to send any claims you get to us at [address] and to the Lumen database (https://lumendatabase.org/), which collects and analyzes cease and desist letters concerning online content.
You can find a lot of helpful information on how to defend your rights at their site: DMCA Safe Harbor :: Topics :: Lumen.
6. Do not log traffic going through your node
Do not log the traffic going through your node. Not only does it give additional proof for you to show that you are acting only as a relay for information passing through your node, but it also protects the confidentiality of the user using your node. Finally, traffic analysis can defeat your ability to show that you did not know what content is passing through your node and you might be held responsible for that content.
You are sending people out on the internet using your IP. Traffic from your end point to the sites they visit might not be encrypted. The sites or at least the IP addresses connected to are always visible. You can be expected to know what is going on on your connection based on that. Basically you are taking on all the responsibilities of running a VPN. The guidelines they point to are in direct contradiction to running a node on your own private ISP connection. Yet it is promoted as a simple setup that everyone can run on their home connection.
In short… this is nothing like running a storage node. Both privacy and security of your systems and network are at significantly higher risk and this post reads to me like it’s up to you to resolve those risks. I really believe in their cause, but this goes way too far for me. @ACarneiro please read this over and decide for yourself.
Yes, I have had experience running tor nodes and looked long and hard at running an exit node… and abandoned the idea fairly quickly.
I agree that Mysterium are, shall we say, “not forthcoming” with the risks of running a node. Fortunately they also have an option of running a node solely on whitelisted traffic (which is also open to interpretation and does not, I suppose, completely eliminate the possibility of foul play). The rewards are less (because whitelisted traffic is a lot less), but I think I’m not willing to take the risk of running a normal node from home.
I dunno, the way things are going in the UK Surveillance State, I may be using Mysterium soon enough but in the opposite direction!
I believe such privacy nodes (also Tor Exit Nodes) you can only run as a legal entity like an NGO or VPN company. As a private individual I believe you are subject to get into real problems too easily.
Interesting. Thanks for the feedback, will follow-up with their team. How do you think this compares to Orchid: https://www.orchid.com/? Do they have similar issues?
It seems to be quite hard to find information on how to run an Orchid node to begin with. But I don’t currently see a way around these risks if you allow others to use your private connection. You’re basically punching a hole through your defenses and giving people free rein to do with your connection what they please. Just like a traditional VPN they emerge onto the internet at the VPN exit point, which in this case would be your own system on your own network.
I noticed for Mysterium that the docker setup requires you to give the container NET_ADMIN permissions too. I can’t find much info on how to set up an Orchid node, but I imagine it won’t be much different.
These are basically just VPNs tied to a crypto access control and payment system. But they don’t provide a way around taking on the responsibility and risk of running a VPN. It really doesn’t sound like something you want to run on your own network or even under your own personal legal entity.
And that’s the reason why I never would host a Mysterium Node. There are now incidents where node operators have received letters from lawyers regarding illegal activities and had to pay large sums of money as a fine.
Because of this, I think Mysterium has no big future.
This is interesting, can you please provide more details?
Where is this published?
I find it unlikely that anyone had to pay large sums of money, as the legislation is mostly on the side of the node operators and as far as I understand there has never been a conviction.
It would be interesting to get more information on that indeed.
But it is not unlikely at all. I mean first of all it depends on the definition of ‘large’.
But speaking for Germany, it is very very common especially in copyright violation cases to receive a cease and desist letter from a lawyer, which you have to pay for and promise to never ever do it again.
Of course you can go to court and fight it through, but it will cost you tons of money and you might lose anyway.
Some node operators hang around on the Official Discord. Here I am in the German channel e.g. on the go. The people there also speak openly about the problem. I talked to someone who was affected and they had to pay a fine of around € 936.
There are general indications that as a node operator you should be very careful, because the Mysterium Team should not be helpful if this occurs. Just go to the Discord and ask openly about the problem. There may be enough people to contact you if they haven’t left the project long ago.
I would never run a VPN exit node. There is a high chance of it being abused for hacking or (d)dos and you may get shut down by your ISP.
I would only host a StorJ VPN Node if it’s just for the StorJ traffic.
Right. Here is where I have a problem: your use of the word “fine”.
Unless you’ve been to court and convicted, nobody has been fined. What you are describing is the work of unscrupulous lawyers throwing sueballs and seeing if the scare tactics work. And they seem to have done on occasions.
I’m pretty sure that they wouldn’t stand a chance in court due to Safe Harbour provisions, but I also completely understand that a node operator would much prefer to throw money at the problem to make it go away. I probably would, if I’m honest.
This distinction is important because it would set a precedent that would essentially destroy ISPs as they exist now.
In conclusion, I agree that you would have to be a fool to run a node in your own home in any European country but if you have nothing else to do with your time (and have enough money!) and take the necessary precautions, it is still unlikely that you could get convicted.
It is more about rights agents, for example. These look at file sharing sites to see which IPs are used for uploading protected content from their customers and warn these people. I don’t think there’s any great chance here in court. Because the whole thing was never commissioned by an ISP but by the companies whose protected content is uploaded.
But then you could still consider what happens when child pornography or illegal starfoots are distributed. Again, the ISP is not the person who reports it, but the state.
I understand the thing with the ISP and also support a project in which a mesh network is used to create a kind of VPN.
But in the end the partnership exists even if it is not really interesting for users within the EU.
Your protection from copyright claims is the same as the protection from kiddy porn claims. You are a transit provider, you have no control and no say in what flows through the pipe.
I wholeheartedly agree, though, that I would definitely not want to be the man standing in front of a judge making that argument.
Might be more difficult in Germany. If they sue you, you have to provide proof of who broke the law. If you don’t, you’re the one responsible and will have to pay.
But with a VPN exit node (and theoretically potentially with storj data), you can hardly prove who was responsible.
But anyway, I’m merely speculating. This is not something I want to test myself. Ever.
For the Dutch situation: obviously it’s a very large and nuanced topic.
The TLDR is that running a general proxy/VPN has never led to fines or court cases.
The only risk is your ISP. Some will warn you and eventually shut you down if they receive reports about hosting/uploading copyrighted material and ALL ISPs will (temporarily) shut you down if they get mass abuse reports about activity like port scans and DDOS.
Source: worked at an ISP for 2,5 years.