This blogpost looks at legal issues associated with making your web site or other online service available within Tor as an onion service.

Tor, and onion services: a very quick primer

If you are familiar with Tor, and the concept of onion services, you can safely skip this bit.

If you've heard of Tor but never used it, negative connotations — the "dark net", the place where criminals hide, and so on — are common.

And, undoubtedly, some criminals do use it. (For example, R v Falder, R v Lewis.)

But Tor, like any communications network, is neither inherently good nor inherently bad. That comes from how it is used, and it can be used for both good things and for bad things.

Tor basics

Tor is an anonymity network, which bounces your traffic through multiple different computers before connecting to the site you intend to visit.

You can download software — usually, Tor Browser — to connect to this network. This lets you do two things:

• you can connect to sites and services on the Internet, by routing your traffic through Tor.
  • You connect to the site just as if you were using any other browser but, because you are connecting to Tor, your traffic is routed through other computers before breaking out to the Internet for the final connection to the site you want to visit.
• you can connect to sites and services within Tor. These are known as "onion" or "hidden" services. For simplicity, I'll call them "onion" services for the rest of this post.

Onion services

This post is about that second group: hosting sites within Tor, and making them available as onion services.

Onion services do not have a normal domain name, but rather a unique string of letters and numbers, ending in .onion.

For example, our clearnet website is decoded.legal, and our onion service version is dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion (yes, quite a mouthful).

OnionShare: secure file transfer via onion services

Beyond the most common scenario of hosting a web or other Internet service within onion space, you can use an onion service for the secure sharing of files, without needing to know anything at all about onion services. This is thanks to the rather excellent free software, OnionShare.

OnionShare lets you host an onion service on your computer to temporarily share a file with someone — you just send them (securely) the link it generates, and they paste it into Tor Browser on their own computer or phone.

We use OnionShare for file transfers in some situations, alongside our other, more traditional, file sharing systems.

Running an onion service is not illegal...

You might be worried that merely having a site on the dark net — running an onion service — is, in itself, illegal.

From an English law perspective, it's not.

...but doing illegal stuff is illegal

Oddly enough, using your onion service to do illegal things, or accessing illegal content on or through someone else's onion service, is illegal.

This shouldn't come as a surprise, but it is, I think, worth emphasising.

Some people may attempt to use onion services as a way of reducing the risk of detection and thus prosecution — which doesn't necessarily work (content warning: January 2020 report of an onion site run by someone in the UK for the distribution of heinous child abuse imagery) — but I'm assuming here that what you are doing is inherently lawful.

You still need to comply with your legal obligations

The "dark net" is often portrayed in the media as an unregulated, lawless place. It's not, in the sense that the same laws apply to what you post on, and how you use, an onion service, as they do for any other website.

You are not shielded from compliance just because you are operating as an onion service.

For example:

• if you are selling to consumers via your onion service, you'll need to provide the right information to them before they enter into a contract with you
• your advertising must avoid misleading actions or omissions. It must not contain false information which is likely to lead the average consumer to make about trading with you that they would not otherwise make
• copyright applies within onionspace too: you still infringe if you commit an unlicensed, unpermitted act restricted by copyright
• if you are a cryptoasset exchange provider or custodian wallet providers, you have to comply with your obligations around customer identification and verification

And so on.

Transparency requirements may make anonymity tricky

If you are trying to remain anonymous while operating on a commercial basis, that's likely to be tricky. In practice, if you are operating an onion service to offer your customers a bit of extra privacy and security, this should not be a problem: you are not trying to hide your identity.

For example, decoded.legal has onion services for some of its online services, but we are not attempting to hide that they are ours — they use the same branding, and contain the same identifying information, as our clearnet sites.

Of course, if you are trying to hide your identity, requirements to identify yourself are unlikely to be helpful — but that's outside the scope of this post.

Trading disclosure regulations

For example, if you are trading through a company, you need to comply with the trading disclosure requirements on your onion service site, just as you do for your main website. This includes your company's registered number, and the address of the company’s registered office.

eCommerce rules

Similarly, if you are providing an information society service, you need to provide the usual gamut of information, including your name, geographic address, and details (including an email address) to enable someone to contact you rapidly, directly, and effectively.

GDPR, and your privacy notice

If what you are doing brings you within the scope of the GDPR, you'll need to provide a compliant privacy notice. This includes (amongst a lot of other things), your identity and contact details.

You'll also want to revisit your record of processing activities, to check it remains up to date, for the personal data you are processing through your onion service. Although courts have ruled that IP addresses can be regarded as personal data (although not in all situations), it seems unlikely to me that web server access logs for an onion service will constitute personal data in and of themselves, since there is no reasonably likely mechanism for identifying the actual visitor.

Check your terms and conditions

As with any online service, you'll want to make sure that you have terms and conditions for your onion service that make sense, give you the rights you want, and impose the correct obligations on your users. Even in onionspace, you might want to have a robust legal basis to deny service, for example, or to moderate someone's comments.

In practice, this may not require substantials changes to your normal service terms, but this will inevitably vary from service to service.

(We don't have any terms governing access to our website; I don't see the point.)

Check your hosting / connectivity agreements

Check for any terms in your contract with your hosting provider or Internet access provider (including those) hidden in an acceptable use policy) which might preclude you from running an onion service.

If there's a risk that you could be terminated for running an onion service, or if the position is unclear, you might want to move to a hosting provider which is more open minded.

onion services and site blocking

The future: a "duty of care"

There is a proposal that social media providers should be subjected to a rather broad "duty of care". We're waiting on the proposed legislation, due in the autumn, so we'll know more then.

I do wonder quite how running an onion service would sit with a "duty of care". As I say, running a onion service is not, in itself, unlawful, but we just don’t know how the "online harms regulator" would see it.

(Facebook, for example, has an onion service. I don't know about other social networks.)

Part of the reason I am wondering is that an onion service is essentially unblockable. They certainly can't be blocked using the DNS blocking techniques which underpin the blocking regime in the UK to date, which relies on Internet access providers messing about with the records in the DNS service they run for their customers.

If a site chooses to run an onion service — chooses to make itself unblockable — would that be held against it? Could the "duty of care" include ensuring that ISPs can block it, if so ordered?

Site blocking generally

One of the backstops of the (now defunct) Part 3, Digital Economy Act 2017, which imposed obligations on people who provided porn sites to people in the UK, was access provider blocking.

Pornhub has an onion service, which would have been immune to this. Perhaps others would have done the same.

The same technique has been imposed on a number of Internet access providers in the UK, on the basis of our copyright and trade mark laws (and, indeed, the High Court has posited that, even if there was no mechanism for issuing a blocking injunction under copyright law, it might turn to its general powers to impose an injunction).

As above, legally, operating in .onionspace does not remove the legal obligations imposed upon you, and I'm certainly not suggesting that you should run an onion service to avoid meeting your legal obligations.

But if the legislation relies on site blocking as one of its enforcement sticks — perhaps the main enforcement stick in the case of a site operated by someone with no presence or assets in the UK — it loses at least some of its teeth when faced with sites operating as onion services.

While onion services remain uncommon, it is perhaps not a big enough problem for a legislature to attempt to tackle. But it they become more common (and that's likely, I'd have thought, if the number of site blocking orders increases drastically, or if particularly popular services are blocked), I suspect that this become more of an issue.

Whether there's anything a legislature or court can do about it, though, is a different matter...