I believe the argument is more focused than that: there is no expectation that one's IP address is private when the process of connecting to a server involves disclosing the IP address as the respond-to destination. I have a hard time seeing a flaw in that reasoning.
Why do they specifically mention the fact that the Tor Project warns about possible vulnerabilities?
There's a reasonable expectation of privacy in a hotel room, for example[1]. To me this argument reads like: "The hotel owner cannot guarantee that a previous patron hasn't left a listening device in your room, so there's no reasonable expectation of privacy."
You have a reasonable expectation of privacy inside an abode. If a patron left a recording device, they likely would be in violation of Federal and/or State laws.
The whole Internet Protocol is based on sending packets with your public IP, by a stretch of that logic are we supposed to understand that no privacy should be expected on all of the Internet?
This argument seems sketchy at best.
That seems like a decent assumption to me. When your IP talks to another on the Internet, you no longer have any control over the metadata of that connection. It will show up in the logs of the other IP, and the owner of that IP is free to do anything with those logs.
It seems far more naive to assume there is an expectation of privacy on the Internet.
So the government mining of all meta data sent to any third party (including all texts, phone calls, and internet usage) is fine? Also, what about the data itself. You are putting the data on lines you don't own, so that is all fine too, no?
I think you've just stumbled across the crux of the government's position regarding PRISM.
To provide a contrasting example: GCHQ tapped fiber-optic lines between corporate datacenters. Those lines are not public and are therefore not supposed to be up for grabs; tapping them without the consent of their owners is an espionage activity.
Attaching to an open network that fuzz-routes data and then cheating on the policies of that network that are intended to anonymize the requesters of the data is just good old-fashioned protocol circumvention. Definitely rude and demonstrative of a major practical weakness in tor, but probably not illegal. It doesn't sound like there was any law for SEI to break here (though I hadn't heard the suggestion that the CFAA might apply, which is an interesting legal angle to explore).
That's why you encrypt your data, and assume it is not secure if it is not encrypted. "Here, third party, please have my meaningless binary blob. You may do with it as you wish. Thank you for transiting it across your network in accordance with the TCP/IP protocol."
Third party: "You're welcome! Since you seem to be very interested in that specific subject (the destination IP address happens to map to a site specified for that subject), we sold this information to Google and they will now show more ads regarding that subject."
No, seriously. I believe it is good practice to encrypt all data over all kind of wires (public or not). However, most of the time, we do not encrypt metadata, which can be just about as useful as the actual data (and way easier to analyze). Do you really think that any government cares much about what you say to a specific person? They only care that you talk to that person, when you talked to that person, and how frequently you talked to that person. The same goes for almost anything. If your ISP were interested in your data, they would actually value metadata a lot more then the actual payload because metadata can be analyzed quite easily and reliably.
Tor was (and still is) your only protection against these kinds of attacks because your ISP only knows you're talking to some Tor nodes, the Tor nodes can see very few of the websites you visit (or email recipients you send to) because you will use another nodes for the next website/email, and the website will not know who you are if you don't authenticate because many requests can come from that Tor node.
Please remember that Tor has since fixed these bugs. What is important, though, is that nobody (not even the government) should be allowed to legally decipher _all_ (or most) of the traffic going through a network/service.
We could say the same for HTTPs, because it also had its fair share of vulnerabilities.
Yes, but in the case of onion routing, the IP address is masked by layers of the onion.
It's understandable that Layer 3 knows Layer 2, that Layer 2 knows Layer 1 and that Layer 1 knows the originator.
But Layer 2, 3 and the website should not know Layer 1 by design. Defeating this is akin, IMHO, to circumventing a lock by photographing the key that you don't own.
Not at the base layer, not at all. That's why commercial traffic is handled by secure encryption, and not an elaborate fabric of internationally-agreed-upon laws that will assign fair and standardized punishments to people for snooping each other's IP packets on an open wifi router without permission of the packet sender.
Well, at least in who you talk to. You can encrypt the content.
Perhaps like visiting your cult friend. You have an expectation of privacy for what you say in his house, but the fact that you traveled to his house does not have an expectation of privacy.
What privacy can you expect? Do a tracert to see the reporting nodes that your packets talk to before getting to their recipient. All of those nodes know about your packets, as do whomever are running them.
No, avoiding the need to disclose one's IP address is the entire point of Tor! Yes, the Tor project does warn about ways in which this could fail. It does this in the tone of a lock-maker warning about power drills.
