Man Jailed for Parole Violations After Refusing to Decrypt His Tor Node
Posted4 months agoActive4 months ago
reddit.comTechstoryHigh profile
heatednegative
Debate
85/100
TorPrivacyCfaaGovernment Surveillance
Key topics
Tor
Privacy
Cfaa
Government Surveillance
A man was jailed for parole violations after refusing to decrypt his Tor node, sparking a heated discussion on HN about government overreach, privacy, and the Computer Fraud and Abuse Act (CFAA).
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
7m
Peak period
117
0-3h
Avg / period
20
Comment distribution160 data points
Loading chart...
Based on 160 loaded comments
Key moments
- 01Story posted
Sep 16, 2025 at 8:10 AM EDT
4 months ago
Step 01 - 02First comment
Sep 16, 2025 at 8:17 AM EDT
7m after posting
Step 02 - 03Peak activity
117 comments in 0-3h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 17, 2025 at 7:44 PM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45261163Type: storyLast synced: 11/26/2025, 1:00:33 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
You can catch one of these by logging into your moms netflix account.
However the quote on its own is not necessarily true without further qualifications as mentioned above.
It's absolutely true, you're accessing an unauthorized account. All law enforcement need to do is ask you, did you access an electronic account that was not yours ?
Nuance will be ignored when it suits them.
> [Supreme Court Justice Amy Coney] Barrett ruled that for the CFAA, a person violates the "exceeds authorized access" language when they access files or other information that is off-limits to them on a computer system that they otherwise have authorized access to. The majority opinion distinguished this from Van Buren's case, in that the information that he obtained was within the limits of what he could access with his authorization, but was done for improper reasons, and thus he could not be charged under CFAA for this crime.
This still does criminalize logging into your mom’s Netflix account, probably (?), but at least browsing HN on your work computer not covered anymore.
Project 2025 was announced in 2023.
I don't normally agree with this man, but he is dead right. There are too many fucking laws.
https://www.theatlantic.com/ideas/archive/2024/08/america-ha...
Of course there was no reporting on the Tor aspect, just “local man arrested for CSAM” in the local papers. He eventually had the charges dropped after years of court battles, but his name is forever tarnished as a result.
This particular job we had a lot of idealist folks, two of whom ran relays - they immediately ceased to do so in the aftermath of the coworker’s arrest.
https://cyber.fsi.stanford.edu/news/investigation-finds-ai-i...
https://www.techpolicy.press/laion5b-stable-diffusion-and-th...
Someone somehow downloaded the images in LAION 5B to do the actual training, and we know that thousands of these images contained illegal content.
Where's the strict liability? Everyone who ever downloaded and ran Stable Diffusion 1.5, or even Lora's from it, could in some way be held "strictly liable" for the fact that you are simply one prompt away...
Even from the early days of Tor I remember all of the warnings to not run an exit node in a country where internet activity was likely to lead to prosecution.
Running any sort of proxy (including Tor exit nodes) allows other people’s traffic to appear as your traffic. That’s the entire purpose of the software. You’d have to be willing and able to handle the consequences of any traffic any other person decides to send through the system.
Your local zoning code is probably chock full of them. And if not there then your local stormwater/runoff rules probably have a bunch of examples too.
Federal stuff is much more highly litigated so you don't see as much of it there. State is a middle ground.
This is exactly the argument for privacy to people who say "I have nothing to hide". Authoritative governments will always find a reason to dig something up and the less privacy you have the easier it will be.
As a side note it sickening to see USA government doing this arrest straight out of gestapo/kgb playbook.
The state does what it wants and in the end it doesn't even need an excuse.
An excuse is a nice to have, but that's it.
It doesn't need an excuse because people let it not need an excuse.
Every idiot, even on HN, heck, particularly on HN and other places where demographic factors result most never having been the target of government or think that they would be, is perfectly fine with it when the government behaves this way in pursuit of things they agree with. And so the only people complaining about any one government abuse are the small minority that care all the time plus whatever group care about the specific issue.
If people would stop being two faced snakes and have some principals and stand by them the problem would decrease on its own. But that's like saying "just go as fast as light", it's not a tractable problem.
Anything other than that is just wishful thinking.
People who say this will not be swayed by any argument. What they are really saying is "I don't want to think about this".
There's a truth I've come to accept in recent times: The vast majority of people are not able to extrapolate from their immediate personal situation. If they are not effected by something right now in a way they personally feel, they do not and will never care.
Once you accept that fact, so many things make so much more sense in this world. The whole MAGA movement explains itself, the complete disregard of climate change or even local environmental issues make sense and the complete ignorance of privacy issues. The only way to sway these people is when they are personally affected. So consider this Truth the next time you find out a service has been collecting private information in an unsecured S3 Bucket.
This is also why mobile phone camera tech led to BLM as more and more people became aware of how police act when they think nobody is watching.
https://www.youtube.com/watch?v=isYZoFrIeo0
However, the poor guy only defeated criminal charges on appeal!
How is 3 years pretrial not blatantly unconstitutional and thrown out immediately?
Some BS CFAA charge for not helping decrypt a Tor session? Fucking evil.
https://en.wikipedia.org/wiki/H._Beatty_Chadwick
And this in a civil matter!
New Yorkers spend an average of 10 months in pretrial detention. This kind of abuse is routine in the American system, and by and large Americans want it that way for their usual reasons about "crime".
Under US law, pretrial detention is not prison. You are technically not being "punished" even though generally the conditions in pretrial are vastly worse than in prisons. (I did a deposition with a jail warden once and asked him why this was: "Because these facilities are designed for the average stay, which is 30 days if you run the numbers. Sure there are people here for a decade, but most people pay their bail within 24 hours.")
Technically most states have pretty short Speedy Trial statutes which require the gov to try you within several months of arrest. This almost universally doesn't happen because the defendants don't have all the information necessary for their defense, and because they want to run motions to try and quash any existing evidence.
Well, I hear that if you make being gay a crime again, you cut off the head of palantir.
I remember when I used to think Thiel had libertarian values!
Money can do a lot more things, including inducing hypocrisy, double standardism and blindness.
1. The fbi asks you to be an informant or "cooperate" with an investigation in some way.
2. If you refuse, they investigate you, and basically throw the book at you.
Your local building commissioner or whatever just has a lot less money and muscle on tap and much more circuitous access to court judgements in their favor than the FBI does. Differences in their strategic and tactical approach is a reflection of this.
We voted for this, the time to fix the problem was last November, and now we have to live with the results. It's also why I, and anyone else who values their freedom, their career, their family, needs to post such sentiment anonymously. It is NOT safe to criticize this administration.
This will become practically impossible very soon if it isn't already.
It's not one side or the other - any group with authority has to be watched closely and rebuked when they try to expand their power.
One the first comments on reddit was actually:
> … in trump's america lmao
Someone had to awkwardly point out it was biden’s america. Which makes it easier and saves keystrokes: it’s just “america, lmao”. Then other countries can be even worse so it’s “lmao”. And soon enough they are just laughing their asses off while the person is stuck in jail.
> "clear hacking tools" I had installed in my computer, e.g CCleaner
I have always wondered if they are primarily that stupid or just evil and pretending to be stupid. I am leaning towards evil.
The Reddit post is an attempt to garner sympathy by leaving out all of the actual crimes committed.
Yeah, good point. That happens sometimes. It's sad, people just see reddit as sort of a platform of gullible people. I was just pointing out reddit's reaction, mainly.
Then my other reply was in reply to GP's own story ("clear hacking tools" = CCleaner).
I hope you’re doing well.
This sounds awful lot like Middle Eastern mafia stuff, where it's technically illegal to do some things but you can do a lot of things if you are aligned with the people in power.
I have no idea what this person was up to but this selective treatment(if true) smells very bad. IIRC behind the release of Ross there was some libertarian NGO or something, maybe contact them?
Didn't Ulbricht get pardoned for being a hero of the cryptocurrency-bros, as kind of a deal to get support from the Libertarians in the election? I think he was a one-off, or at least part of a small category that doesn't extend to cryptography and privacy idealists.
Even if this Administration is friendly to Tor (which I doubt), the FBI is a very large organization and installing a new head doesn't magically make current caseload at the agent level go away. There are still Biden-era and even Trump v1 era investigations likely still open and active there.
That was the National Libertarian Party and the party chair was forced to resign in disgrace shortly after, due to accusations of kickbacks and embezzlement.
https://thirdpartywatch.com/2025/01/25/mcardle-resigns/
This didn't work out for SBF, but you can clearly see this process being set up for other people.
1. Admitting to using cannabis during supervised release
2. Failing to make scheduled restitution payments and to cooperate with the financial investigation that sets restitution payment amounts.
3. Falling out of contact with his probation officer, who attempted home visits to find him.
4. Opening several new lines of credit.
5. Using an unauthorized iPhone (all his Internet devices apparently have keyloggers as a condition of his release).
These read like kind of standard parole terms? I don't know what the hell happened to get him into this situation in the first place, though.
Edit:
Reminds me a lot of the lives of people in this saga:
https://www.amazon.com/gp/aw/d/B01L8C4WBG/
The poor wife, “can you stop being a criminal for like, one month, please?”.
According to the court documents his crimes extended into “real life” as well, with intentional damage to his former employer to shut down their operations.
He also lied about using his computer, his wife told on him to his parole officer, according to the court documents.
He was on parole for DDOSing* a former employer...
*Ah, I see your update, guess it was less distributed and more direct denial of service with the physical destruction and all.
Page 28, lines 3 to 8 on https://rockenhaus.com/wp-content/uploads/2025/09/U.S.-v.-Ro...
e: really? why am i downvoted for this
Back in 2014, Rockenhaus worked for a travel booking company. He was fired. He used stale VPN access to connect back to the company's infrastructure, and then detached a SCSI LUN from the server cluster, crashing it. The company, not knowing he was involved, retained him to help diagnose and fix the problem. During the investigation, the company figured out he caused the crash, and terminated him again. He then somehow gained access to their disaster recovery facility and physically fucked up a bunch of servers. They were down a total of about 30 days and incurred $500k in losses.
(He plead this case out, so these are I guess uncontested claims).
People take this to the extreme and think that their country is somehow a lawless hellscape where police are openly shooting innocent people, dragging them from cars for seemingly no reason etc... but those stories make the news precisely because it's not the norm.
Warrants (in the US anyway) require reasonable belief that the crimes listed were committed.
They don't have to be right, mind you (after all, that's what trial is for), they just need reasonable belief.
They also can't recklessly disregard the truth (IE deliberately write lies they know are wrong).
Again, it's okay for them to be wrong about their belief. It's just not okay to know they are wrong and write it anyway.
Here, reading the warrant, etc, there is nothing obviously fraudulent here.
Perhaps it is, of course, but i read everything i could find and it's completely non-obvious which part of the warrant is supposed to be fraudulent.
Even the sort of retaliation claim made here is strange - Arresting you when you appear to actually hvae broken the law is generally only considered retaliation if (among other things) the enforcement of the law is uneven - IE targeted at you and nobody else.
Given the arrest was for a parole violation and they arrest parole violations like this all the time, ....
Like if you are at a traffic stop becuase you ran a red light, call a cop an asshole, and they arrest you because you have 50kg of cocaine bricks in your back seat, it's not retaliation.
Retaliation would be if you call a cop an asshole on facebook, and they come arrest you for violation of an 1825 law that hasn't been used against anyone in 200 years.
I was responding to the implication I keep seeing here that it's OK that he got arrested because he did bad things, regardless of how the arrest came about.
We also know from prosecutions in other statutes that the government will often prosecute a a broad crime with many separate sub-definitions of the various way you can break it, then refuse to tell you under which sub-definition you're being charged, meaning you have no way to know if the jury even were unanimously convicting for the same thing and no way to know what you're even defending against.
https://www.w3schools.com/tags/ref_httpmethods.asp
Unlocked doors, open windows, any lack of security doesn't give you permission to enter. Just as "incrementing a GET request" doesn't mean anything outside of the intent.
The intent was to do damage.
His intent of releasing the data was bad (assuming he started with that intent!) but he wasn't committing any fraud when collecting it. He didn't bypass any authentication or damage the server. CFAA is the wrong law to use.
If a restaurant puts a bunch of proprietary documents in a dusty corner of the public lobby, you shouldn't browse through them but you're not breaking and entering if you do so. No matter what your intent is.
Don't fuck with other people's shit if they don't want you to.
I seem to remember cases or interpretations of the CFAA in which even guessing the username password combo of "admin:admin" would violate the act, resulting in teenagers or children being caught up in cYbEr FrAuD
Which raises sincere doubts about the commenter's credibility to make such a claim.
To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you?
There is no law for "white-hat hackers". You don't get to break into a system because the color of your hat.
"White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute.
You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems.
Don't mess with people's stuff if they don't want you to. This seems very simple to me. But I'm aware that you're trying to find some fringy gray area where you think it will be OK to mess with people's stuff even though they don't want you to.
The point is that in the physical world there is some notion of proportionality in the response to trespassing depending on the actual damage done and sophistication and premeditation of the act. We don't generally lock up people because they accidentally walked into an area they shouldn't have. But once computers are involved we have laws that automatically make even even minor infractions into a big scary issue that allows the government to essentially destroy someone's live.
Or not, depending on how the party who owns what's inside that door feels. But if it feels he should be prosecuted, then hell yes, the state should do that. My 2c.
I suppose if it's the White House the guy'd just get pardoned by the next president anyways.
But CFAA charges should, and this is the issue a lot of people have with them afaict, have a sliding scale for premeditation though.
If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.
A lot of the CFAA excesses are maximum penalties from the CFAA being thrown at people using minimally sophisticated / premeditated methods, in addition to charges about the underlying crime.
That doesn't seem just or fair.
In practice it's turned into an if(computer){increase maximum penalty} clause, solely at the government's discretion.
Why? (I'm not a lawyer...) - shouldn't intent and harm (i.e. the value of the stolen item) be the only relevant details? Now of course its much easier to demonstrate intent if there's a crowbar involved, but once that's already established, it seems irrelevant.
But if there are burglary tool charges, they should depend on whether you used burglary tools to burgle, not how much theft you did.
Suppose you are leaving a store and heading to your car. For whatever reason, the button on your keys unlocks someone else's car that is the exact same make and model as yours. You hop into the car, your key starts the ignition, and you drive off (Yes, this has really happened). That isn't legally theft because you legitimately believed that was your car - aka you didn't intend to take something that wasn't yours.
For 98% of laws, in order to be convicted, the government needs to prove you intended to commit the crime. Obviously, I'm oversimplifying what is a very complicated topic you spent two years learning, but that's the gist
There's an underlying result crime (eg causing business harm by destroying a database), then the method by which one chose to do it (eg exceeding authorized access to a computer with the intent to cause harm).
The CFAA was originally passed under the erroneous worry that existing laws wouldn't be enforceable against cybercrime, which turned out to generally be false.
When you cause damage, there's almost always a law by which someone can sue you for those damages.
What there wasn't, and what the CFAA created, were extra penalties for computer crimes and an ability to charge people with computer crimes where there were no damages (eg Aaron Swartz).
And why should those things need to exist? Theft is theft. Destruction is destruction.
It was an underspecified law, ripe for prosecutor overreach. See: https://www.congress.gov/crs_external_products/R/HTML/R47557...
It fit with 'premeditated intent' intensifiers (where penalties escalate if premeditated intent can be proven)... but that wasn't actually how it was written or how it is used. Instead, it's a method-based checkbox that allows prosecutors to tack on additional charges / penalties. If a computer was used to destroy this thing, add X years the sentence.
I think intent probably matters a lot more than the technicality of how you succeeded.
As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it).
So which was it?
Shutting down the server (you solely maintained) before leaving would be "minor" to me... intentionally causing damage, earning money from that, getting caught, and again causing physical damage.. that's pretty "major" to me.
The article provides a good foundation for opposing arguments.
Excerpting:
> The researchers wanted to find a way to do the seemingly impossible — to give the military the benefits of a global, high-speed communications network without exposing them to the vulnerabilities of the metadata that the network relied on to operate.
> ...
> There are other implications, as well. For a CIA agent to use Tor without suspicion in non-U.S. nations, for example, there would need to be plenty of citizens in these nations using Tor for everyday internet browsing. Similarly, if the only users in a particular country are whistleblowers, civil rights activists and protesters, the government may well simply arrest anyone connecting to your anonymity network. As a result, an onion routing system had to be open to as wide a range of users and maintainers as possible, so that the mere fact that someone was using the system wouldn’t reveal anything about their identity or their affiliations.
> ...
> Anonymity loves company — so Tor needed to be sold to the general public. That necessity led to an unlikely alliance between cypherpunks and the U.S. Navy.
> The NRL researchers behind Onion routing knew it wouldn’t work unless everyday people used it, so they reached out to the cypherpunks and invited them into conversations about design and strategy to reach the masses.
209 more comments available on Hacker News