The controversy that erupted in September over the West Lebanon public library’s participation in a privacy network known as Tor has led to a proposed state law to make it clear libraries are free to “allow the installation and use of cryptographic privacy platforms” on their computer systems.
The bill’s main sponsor, Rep. Keith Ammon, a New Boston Republican, admitted in committee testimony Tuesday that the bill may not strictly be needed, since running Tor or similar programs is perfectly legal for public libraries. But he told the Municipal and County Government Committee that the bill would be useful to clear up uncertainty, noting last year’s debate in Lebanon, when the Kilton Public Library Board of Trustees shut down what is known as a Tor node following questions from law enforcement, only to start it back up a month later after public outcry.
“This way there’s not a doubt in someone’s mind if this comes up again,” Ammon said of HB 1508.
Kilton Library remains the only public library in the country participating in the Library Freedom Project to handle encrypted traffic for the Tor system, largely because the national attention generated by debate in Lebanon overwhelmed the Massachusetts-based project.
“There was so much attention that we were not prepared for it. We were bombarded by requests,” said Alison Macrina, a librarian who founded the Library Freedom Project. “That’s a good problem to have, but it means we had to stop and do a lot of groundwork.”
Macrina said the project was “in some stage” of preparation with about 10 more libraries to launch Tor servers of some kind, although none of them are in New Hampshire.
Tor is a way of bouncing encrypted messages around the internet via hundreds or thousands of volunteer servers, called nodes. This peer-to-peer traffic gets combined with encryption software applied in layers – Tor stands for “the onion router” because the layers of encryption must be peeled off like layers of an onion – and makes it extremely difficult or impossible for others to read Tor messages or even know who sent them.
Tor is free and open for anybody to use.
Supporters praise Tor as a way to remain anonymous and untraceable online, useful for spies and foreign dissidents – it was developed by the Naval Research Laboratory to aid in espionage and the U.S. State Department remains the project’s biggest financial supporter. The program is also used by whistleblowers, people hiding from abusive spouses, activists and ordinary people who don’t want others to know what they’re doing online.
Critics point out, however, that Tor is also a good way to hide unsavory or illegal behavior, which is why it is often criticized by law enforcement.
The Tor server was shut off in Lebanon after questions were raised by a Department of Homeland Security agent and passed through the local police department.
The committee hearing Tuesday raised this issue more than once. Starting with Rep. Ken Peterson, a Bedford Republican, who asked Ammon whether “terrorists can use this and not be detected” and Rep. Jane Beaulieu, a Manchester Democrat, noted that pedophiles would have “the opportunity to do what they want to do and not have any surveillance.”
Ammon agreed that “privacy is a two-edged sword.”
“This might challenge your thinking. Which side do you err on – privacy or security?” he asked.
In testimony, Devon Chaffee, executive director of the New Hampshire Civil Liberties Union, noted that FBI Director James Comey told the U.S. House Intelligence Committee in September that law enforcement was not worried about Tor, although whether this means that law enforcement has figured out how to read supposedly unreadable messages is unclear.
A bigger obstacle to the bill may be whether it is needed.
Randy Brough, director of the Laconia Public Library and representing the New Hampshire Library Association, told the committee that the association opposed the bill partly because it seemed unnecessary. Under an existing law (RSA 201-D:11), the confidentiality of library records “stored in electronic form” is already covered.
Brough was also concerned by the bill’s final line, which said “records relative to use of cryptographic privacy software” cannot be given “to a government agency without first providing written notice to the person in question.” Libraries do not generally keep records about how people use its services as a way to protect their privacy.
(David Brooks can be reached at 369-3313, firstname.lastname@example.org, or on Twitter @GraniteGeek.)