Tor Summer of Privacy - Enhance GetTor

Below is my proposal for the first Tor Summer of Privacy.

What project would you like to work on?

I would like to continue the work I've been doing at GetTor. In particular, I intend to finish the pending stuff from last year's GSoC and implement some new features. The plan of work can be summarized as follows:

  1. Generate stats and automatic report. We currently keep record of the number of requests and users we receive, along with the hashed addresses/accounts of users (to avoid flooding). I intend to open a discussion on what other things we could keep record in a monthly basis without exposing users. For instance, we could learn what are the most common type of requests (e.g. help, links), what is the most common OS, etc. All of this making sure that the recorded data is completely anonymous. We also need to specify policies to forget data of previous months, and enable code logging to have a better debugging process if something goes wrong.

  2. Deploy more providers. Last year's work considered at least two providers, and we deployed just one (Dropbox). After that, a contributor poly developed an script to include Google Drive as a provider too. It's time to test it on getulum and deploy it, along with some minor changes in the code. I'm currently waiting for a Python library to be installed on getulum to deploy GitHub as a provider too. I hope to do that before TSoP begins.

  3. Deploy more distribution channels. Last year's work considered two other distribution channels besides SMTP, namely: XMPP and Twitter. Both channels were successfully finished but not deployed. However, there were some concerns about the two implementations:

    1. XMPP: No support for OTR communication. The idea would be to research if this option is possible with the current implementation. In addition, logging should be reviewed and be consistent with 1), along with enabling the distribution of localized Tor Browser packages 4).

    2. Twitter: Someone watching users that follow the bot account (needed for send direct messages) can learn which users could be asking for links. In addition, there was a misunderstanding about the need of the bot to follow someone back to send direct messages, which in the end was not needed, and thus it does not fall under the misuse of Twitter policies.

    For the purposes of TSoP I intend to keep working in these distribution channels and deploy them.

  4. Localized Tor Browser. Last year's work considered the option of sending an e-mail to gettor+lc@tpo and receive a reply according to the specified locale. For simplicity, we deployed the revamped GetTor with support for English requests only, as we didn't have the translated messages and the process of deployment was taking much longer than expected. For TSoP I intend to enable reply messages in English but with links for the localized Tor Browser packages as a first step to full localized messages, in other words, someone asking for gettor+fa@tpo should receive links to download Tor Browser in Farsi.

  5. New features. I suggest two new features to implement for this TSoP:

    1. Send mirrors: One should be able to send a message to one of the distributions channels (i.e. SMTP) and receive an updated list of tpo's mirrors. This can be done by processing the tor-mirrors.csv file. This list should be updated on a daily basis. Simple enough.

    2. Testing: This is a must in my opinion. We should be able to test all or part of GetTor's code when adding new features, or fixing bugs, or as a way to check if it does what it is intended to do. GetTor serves hundreds (if not thousands, we can't know for sure) of users a month; we need a secure-and-well-defined way to add new stuff to the code.

Discussion: Point 1) might be open to discussion. If you think that more stats are not necessary or there is other stuff that needs attention, please point it out.

Mentors: I have spoken to Sukhbir and Nima about this idea, and they have both read this proposal and are willing to be mentors.

Below is a roadmap for the proposed work. I'm considering to start working a couple of weeks before the official start of TSoP in order to compensate the time consumed by classes at university.

July 2015

What When Ticket Comment
Better debugging July 6th - July 17th - If something fails or is not working, we should be able to know why, and without exposing any type of user data. I'm considering two weeks because I'll be on exams by the end of May.
First status report July 17th
Send mirrors July 18th - July 22nd - Return a message with current mirrors (from tpo/include/tor-mirrors.csv).
Deploy Google Drive provider July 23rd - July 31st #13779 Configure and deploy the script contributed by poly.
Second status report July 31st

August 2015

What When Ticket Comment
Return localized Tor Browser August 1st - August 8th #3291 Return localized packages when gettor+locale is requested.
Deploy XMPP channel August 9th - August 14th - Research if adding OTR communication is possible. Deploy it afterwards.
Third status report and midterm evaluation August 14th
Finish and deploy Twitter channel August 15th - August 31st - -
Fourth status report August 28th

September 2015

What When Ticket Comment
More stats September 1st - September 14th - Discuss what (anonymous) stats could be useful and implement it.
Implement tests September 1st - 30th #1593 Figure out a nice way to create tests for GetTor and impelement it.
Fifth status report September 11th
Start working on new features September 15th - September 30th - Start working on new features (such as Tor Distributor) discussed during SoP.
Sixth status report September 25th

October 2015

What When Ticket Comment
Keep working on pending stuff from previous months October 1st - October 13th - -
Keep working on new features October 1st - October 13th - -
Seventh status report October 7th
End-of-term evaluation October 13th

Point us to a code sample

As you might expect, the main code sample I could point out is the revamped GetTor, which can be found here. I've also collaborated with Tor2web to implement a GetTor feature, and I've suggested a DuckDuckGo's instant answer idea related to GetTor.

Why do you want to work with The Tor Project in particular?

Because I strongly believe in the right to privacy and freedom of expression, and I feel I can really contribute to that by working at the Tor Project. In particular, I believe GetTor is a very important project (although technically simple), for it's intended for people who live in places of high censorship, where this might be the only/easier/safer way to get access to Tor Browser. GetTor also works for scenarios where people have access to Tor Project's website and its mirrors, but they do not want to expose the fact that they are downloading the Tor Browser (e.g. there is no DNS requests to the official website). As one Tor developer said: "if users cannot get access to Tor Browser, our work is in vain!". Besides, I've found in the Tor community a great environment to work with, and I'd like to keep collaborating for an unsigned long long time.

Other commitments (a second job, classes, etc)?

I live in the south of the world, which means I will not be in summer and I will be attending classes at university. My first semester should finish some time around the first days of July, and the second semester should start by the end of August. I've been working and studying for more than two years now, including last year's GSoC (which I approved). I'm perfectly capable of working at TSoP and attend university at the same time.

Will your project need more work and/or maintenance after the summer ends? What are the chances you will stick around and help out with that and other related projects?

Definitely, at least to make sure that everything is working as intended. I'm currently the maintainer of GetTor (I have an ldap account and access to getulum), so keep maintaining it after TSoP won't be a problem. I've been collaborating with the Tor project for almost a year now, chances I stick around are very very high :-)

What is your ideal approach to keeping everybody informed of your progress over the course of the project? Said another way, how much of a "manager" will you need your mentor to be?

Like GSoC, my idea is to send bi-weekly reports to tor-reports and/or tor-dev mailing lists, and also to get feedback via IRC in #tor-dev and #tor-project. I don't think I'll need much of a manager, since I'm already familiar with what I'm doing and with the Tor community in general.

What school are you attending? What year are you, and what's your major/degree/focus?

I'm currently pursuing a Bachelor of Science in Computer Science at Universidad de Santiago de Chile. I'm interested mostly in cryptography, privacy and censorship circumvention schemes. My plan for the future is to get a graduate degree and do research about these topics.

How can we contact you to ask you further questions?

The most effective way to contact me is via email: ilv at torproject_org. You can also reach me via IRC: ilv at OFTC, Indymedia. Less technical people can reach me via @ancianosol. My current time zone is UTC-3.

Is there anything else that we should know that will make us like your project more?

As I've mentioned several times in this proposal, I've already collaborated with the Tor Project during last year's GSoC, and I've been maintaining and developing GetTor since then, with the help of Sukhbir and Nima. I've also collaborated to other projects (see code samples) trying to replicate the same idea behind GetTor, since I strongly believe in the principles behind it. I would love to keep working on this, and it would be really great if I can get paid for it :-)

As a curious note, a couple of months ago I convinced my twin brother (clv) to start collaborating with the Tor Project, and now we are both applying for TSoP :D

Let's keep fighting against dystopia!