{{Header}}
{{Title|title= Placing Trust in {{project_name_short}} }}
{{#seo:
|description=Is {{project_name_short}} trustworthy? Is there a backdoor in {{project_name_short}}? How does {{project_name_short}} protect itself from backdoors?
|image=Candle-335965-640.jpg
}}
{{audit_mininav}}
[[File:Candle-335965-640.jpg|thumb|200px]]
{{intro|
Is {{project_name_short}} trustworthy? Is there a [[backdoor|backdoor]] in {{project_name_short}}? How does {{project_name_short}} protect itself from backdoors?
}}
= Introduction =
Trust is a very problematic issue. This is the essence of why security is difficult in every field, including general computing and Internet communication. A skeptical user might ask themselves the following questions before relying upon {{project_name_short}} for sensitive activities on a daily basis:

* Can {{project_name_short}} and its developers be trusted?
* Are backdoors present in {{project_name_short}} that can take control over a computer or exfiltrate data?
* Does {{project_name_short}} generate compromised encryption keys to enable government spying?
* How trustworthy and sincere are the stated security goals of the {{project_name_short}} project?

Opinions will vary widely, but the reasoning process used to reach the conclusion should be closely examined. It is important that both trust and distrust are based on facts, and not gut feelings, instincts, paranoid conceptions, unfounded hearsay or the words of others. It is unsurprising that the {{project_name_short}} project and other security platforms / tools claim to be honest, but written assurances are worthless. For an informed decision, it is worth looking at the bigger {{project_name_short}} picture: core components, affiliations, project track record, and how reasonable trust might be established.
{{Anchor|Free Software and Public Scrutiny}}
== Freedom Software and Public Scrutiny ==
{{project_name_short}} and other Freedom Software make it possible to check the source code to determine how a software distribution functions and what it consists of. Suitably skilled individuals can thoroughly audit the code to search for the presence of any malicious code, like a backdoor. In addition, software can be manually built from source code and the result compared against any versions that are pre-built and already being distributed, like the {{project_name_short}} ova images that can be [[Download|downloaded]] from {{code|{{project_clearnet}}}}. This comparison can determine whether any malicious changes were made, or if the distributed version was actually built from the source code.

Naturally most people do not have the requisite knowledge, skills or time to properly audit software. However, the public scrutiny of popular, open source software implies a certain degree of trustworthiness. The axiom attributed to Linus Torvalds (creator of the Linux kernel) -- "Given enough eyeballs, all bugs are shallow" -- is a reasonable assumption in user communities that are large, vibrant, and focused on fixing security vulnerabilities quickly (see https://web.archive.org/web/20170420125809/https://www.govtechworks.com/open-source-is-safe-but-not-risk-free/). The Freedom Software community has a strong tradition of publicly reporting and resolving serious issues, and a large pool of developers and beta testers can help to identify and remedy problems. On the flip-side, there is no guarantee that just because software is open to review, sound reviews will actually be performed. Further, people developing and reviewing software must know the principles of secure coding.

The opposite of Freedom Software is non-freedom software. Freedom Software provides strong advantages over non-freedom software, which should be avoided.
The case for Freedom Software is made on the [[avoid nonfreedom software|avoid non-freedom software]] wiki page.

== Backdoors ==
See [[Backdoor]].

== Trusting Debian GNU/Linux ==
Nearly all the software shipped in {{project_name_short}} comes from the [https://www.debian.org/ Debian GNU/Linux distribution]. Debian's packages are heavily scrutinized as it is one of the [https://distrowatch.com/table.php?distribution=debian largest Linux distributions] at present. Debian is also one of the most popular distributions for derivative platforms; [https://distrowatch.com/table.php?distribution=ubuntu Ubuntu Linux] is a Debian derivative, and the same applies to all Ubuntu derivatives such as [https://distrowatch.com/table.php?distribution=mint Linux Mint]. The sheer number of people using Debian's software packages and the large developer pool inspecting software integrity are significant factors in Debian's favor.

Debian regularly identifies and patches [https://www.debian.org/security/ serious security issues] like the infamous SSH PRNG vulnerability (see https://lists.debian.org/debian-security-announce/2008/msg00152.html), but backdoors or other purposeful security holes have never been discovered to date. Debian's focus on security is further evidenced by their Security Audit team, which constantly searches for new or unfixed security issues. Debian also participates in security standardization efforts and related overarching projects.

== Trusting {{project_name_short}} ==
In one sense, {{project_name_short}} is the simple union of Debian and Tor and a mechanism to glue them together. Even if a user already trusts Debian and The Tor Project, a method for assessing the trustworthiness of {{project_name_short}} itself is still necessary. The {{project_name_short}} project was founded on 11 January 2012; see also [[History|history]]. As mentioned earlier, {{project_name_short}} is Freedom Software, which makes the source code available for inspection.
In the main, {{project_name_short}} consists of specifications for which Debian software packages should be installed and their appropriate configuration. See also [[Security Reviews and Feedback|this list of notable reviews and feedback about the security of {{project_name_short}}]].

With a relatively small development team and estimated user base, the "many eyeballs" theory may work against {{project_name_short}} at present. However, the source code is comparably small and devoid of complexities, meaning the project is in relatively good shape compared to many other similar projects. Interested readers can learn more about the {{project_name_short}} specification and design [[Design|here]]. This is a good starting point to understand how {{project_name_short}} works. With these factors in mind, the reader can now make an informed decision about the trustworthiness of {{project_name_short}}.

== Digital Signatures Verification Policy ==
See [[Digital_Signature_Policy|{{project_name_short}} Digital Signature Policy]].

{{Anchor|canary}}
== Warrant Canary ==
{{anchor|{{project_name_short}} Warrant Canary}}
[[File:Forestcanary.jpg|thumb|Canary|250px]]
The {{project_name_short}} [https://en.wikipedia.org/wiki/Warrant_canary warrant canary] is intended to provide a means of communication to users in the event {{project_name_short}} is served with a secret subpoena, despite legal prohibitions on revealing its existence. For any canary in force, once the signature of the canary file is verified with OpenPGP and/or signify, this confirms that no warrants have been served on the {{project_name_short}} project.

Note: the canary's date of issue is the date of its gpg signature. A new canary should be released within 4 weeks, so doubts should surface if no new canary has been issued for longer than 4 weeks.
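The two checks described above (signature by the expected key, and a signature date no older than 4 weeks) can be automated from GnuPG's machine-readable status output; the following is an added example, not part of the project's own tooling. It parses the <code>VALIDSIG</code> record documented in GnuPG's doc/DETAILS, as produced by <code>gpg --status-fd 1 --verify canary.txt.asc canary.txt</code>; the fingerprint and timestamps used in the comments and tests are constructed placeholders, not the project's key.

```shell
#!/bin/sh
# Added example (not project code): check a warrant canary's OpenPGP signature
# from GnuPG's machine-readable status output.
#
# Produce the status lines for a real canary with:
#   gpg --status-fd 1 --verify canary.txt.asc canary.txt > canary.status
# Record parsed here (GnuPG doc/DETAILS), one line per valid signature:
#   [GNUPG:] VALIDSIG <fpr> <date> <sig-timestamp> <expire> <ver> <rsvd>
#            <pk-algo> <hash-algo> <class> <primary-fpr>
set -eu

MAX_CANARY_AGE_DAYS=28   # the canary policy: a new canary within 4 weeks

# Print field $2 of the first VALIDSIG record in status file $1;
# prints nothing when gpg reported no valid signature at all.
validsig_field() {
    awk -v f="$2" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $f; exit }' "$1"
}

# Signature creation time in epoch seconds: this is the canary's date of issue.
canary_sig_timestamp() {
    validsig_field "$1" 5
}

# Primary fingerprint of the key that made the signature (field 12, not the
# signing subkey in field 3), which is what should be compared to the key
# obtained out of band.
canary_signer_fpr() {
    validsig_field "$1" 12
}

# Age of the canary in whole days at time $2 (epoch seconds); returns 2 when
# there is no valid signature to date.
canary_age_days() {
    ts=$(canary_sig_timestamp "$1")
    [ -n "$ts" ] || return 2
    echo $(( ($2 - ts) / 86400 ))
}

# $1: status file, $2: expected primary fingerprint, $3: "now" in epoch seconds.
# Returns 0 when the canary is signed by the expected key and is fresh,
# 1 when it is from another key or stale, 2 when gpg found no valid signature.
canary_check() {
    fpr=$(canary_signer_fpr "$1")
    [ -n "$fpr" ] || { echo "no valid signature found" >&2; return 2; }
    if [ "$fpr" != "$2" ]; then
        echo "signature made by unexpected key $fpr" >&2
        return 1
    fi
    age=$(canary_age_days "$1" "$3")
    if [ "$age" -gt "$MAX_CANARY_AGE_DAYS" ]; then
        echo "canary is $age days old (limit $MAX_CANARY_AGE_DAYS): doubts warranted" >&2
        return 1
    fi
    echo "canary signed by expected key, $age days old: fresh"
}
```

Run it against a saved status file with the key fingerprint and the current time, for example <code>canary_check canary.status "$EXPECTED_FPR" "$(date +%s)"</code>; a BADSIG or missing VALIDSIG record yields exit status 2 rather than a silent pass.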
The canary and signature are available here:

* Canary text file: {{ExtLink |https://download.{{project_clearnet}}/developer-meta-files/canary/canary.txt |http://download.{{project_onion}}/developer-meta-files/canary/canary.txt v3 |text=canary.txt }}
* OpenPGP signature: {{ExtLink |https://download.{{project_clearnet}}/developer-meta-files/canary/canary.txt.asc |http://download.{{project_onion}}/developer-meta-files/canary/canary.txt.asc |text=canary.txt.asc }}
* signify signature: {{ExtLink |https://download.{{project_clearnet}}/developer-meta-files/canary/canary.txt.sig |http://download.{{project_onion}}/developer-meta-files/canary/canary.txt.sig |text=canary.txt.sig }}

As a backup, the canary and signature are also available on github, which ensures the canary remains available online if issues arise with the {{project_clearnet}} server:

* {{Github_link|repo=canary|path=}}

Readers are reminded this canary scheme is not infallible. The canary declaration is provided without any guarantee or warranty, and it is not legally binding upon any parties in any form. The signer should never be held legally responsible for any statements made in the canary.

Related:

* [https://forums.whonix.org/t/whonix-warrant-canary/3208 Forum Discussion]
* [[Dev/Warrant Canary Draft]]

= Trusting Downloaded Images =
Users should not blindly trust the {{project_name_short}} project or its developers. Logically it is unwise to trust unknown persons, especially on the Internet. On that basis, trust in {{project_name_short}} developers should not rely on their public persona or the appearance of the {{project_name_short}} project alone. {{project_name_short}} may be or could become a high profile target, and it is risky to assume that the developers' build machines would remain clean under those circumstances.
== Trusting the Download Location ==
Binary images can be trusted to some extent if a user verifies that they received exactly the same code as thousands of other users, and no one has found or publicly reported any serious security issues. This requires verification of the {{project_name_workstation_long}} and {{project_name_gateway_long}} images using the available OpenPGP signatures. This feature has been available since {{project_name_short}} 0.4.5. All source code tags for releases are OpenPGP-signed by lead {{project_name_short}} developer Patrick Schleizer.

In order of increasing security, the {{project_name_short}} images can be:

# Downloaded via {{Code|https://www.{{project_clearnet}}}}. TLS provides some trust and integrity of the hash file, but it is still advisable to check the site's certificate and perform [[Verifying Software Signatures|digital software signature verification]] ([[Verify the images|instructions]]).
# Downloaded over the [http://www.{{project_onion}} {{project_name_short}} v3 onion address] with Tor Browser before digital software signature verification. Onion addresses provide a higher standard of authentication than clearnet addresses.
# [[Dev/Build Documentation|Built from source]], since it is a relatively easy procedure.

== Trusting {{project_name_short}} Images ==
{| class="wikitable"
|+ ''Maintainer Overview - Platform, Source Code, Binary Images, Permissions''
!
! {{project_name_short}} VirtualBox
! {{project_name_short}} KVM
! {{q_project_name_long}}
! Built from Source Code
|-
! Source Code Creation
| Patrick
| Patrick
| Qubes project and Patrick
| Patrick
|-
! Source Code Trust
| Patrick
| Patrick
| Qubes project and Patrick
| Patrick
|-
! Binary Image Creation
| Patrick
| HulaHoop
| Qubes project (builds can be [[Dev/Qubes#Official_Builds|initiated]] by Patrick, but the template build server and template repository are hosted by the Qubes project)
| -
|-
! Binary Images Trust
| Patrick
| HulaHoop
| Qubes project and Patrick
| -
|-
! Package Upgrades Creation
| Patrick
| Patrick
| Qubes project and Patrick
| -
|-
|}

Since [[Based_on_Debian|{{project_name_short}} is based on Debian]], Debian releases package upgrades. See also: [[Trust#Trusting Debian GNU/Linux|Trusting Debian GNU/Linux]].

== Binary Images Policy ==
* '''A)''' [[Trust#Trusting_Kicksecure_Images|{{project_name_short}} binary image maintainers]]: Only the currently existing {{project_name_short}} binary image maintainers are permitted to redistribute software forked binary builds of {{project_name_short}} and advertise these on the {{project_clearnet}} project website or forums.
* '''B)''' Unofficial software fork maintainers: Rebranding required. Change the project name {{project_name_short}} and [[Dev/Logo|{{project_name_short}} logo]] to something else, and host these on a different website to avoid confusing users about the origin of the software.

Reasons:

* Build verification: [https://www.whonix.org/wiki/Verifiable_Builds Verifiable Builds], let alone reproducible builds, let alone automatic verification of reproducible builds (rebuilders, as defined here: https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/), are unavailable, and their availability is likely many years away. In other words, the binary builds by {{project_name_short}} are not yet verifiably created from the project's own source code. Hidden source code is defined as code which is added by an adversary. They may have: compromised a build machine, conducted compiling prior to the binary build process, or be responsible for building the actual binary. The secret source code will remain unpublished and it will appear (or be claimed) that the software was built from the published source code. Reliably detecting such hidden code - added on purpose or due to build machine compromise - requires comparison with deterministic builds, which are discussed above. Other methods like watching network traffic are less reliable, since a backdoor can only be spotted when it is used. Backdoors are even less likely to be found through [https://en.wikipedia.org/wiki/Reverse_engineering reverse engineering], because very few people are using a [https://en.wikipedia.org/wiki/Disassembler disassembler].
* Trust: Binary images unfortunately still require trust.
* Freedom Software rights: Others are welcome to exercise their right to [https://en.wikipedia.org/wiki/Fork_(software_development) software fork] the {{project_name_short}} project under the respective licenses. ([[Reasons for Freedom Software|Why {{project_name_short}} is Freedom Software]])
* No additional restrictions: There is no restriction of software redistribution rights under the respective licenses. ([[Copyright]])
* Trademark: {{project_name_short}} is a trademark, see [[Trademark Policy|{{project_name_short}} Trademark Policy]].
* Reputation: To protect the reputation of the {{project_name_short}} project: quality control, non-maliciousness, and the potential for an [[#Evil Developer Attack|Evil Developer Attack]].
* Fork friendly: {{project_name_short}} is [[Reasons for Freedom Software#Software Fork Friendly|Software Fork Friendly]].
* Common practice: Trademark protection is commonplace even for Freedom Software. For example, see the Tor Project, which also develops Freedom Software ([https://www.torproject.org/about/trademark/ The Tor Project Trademark Policy]), the [https://www.debian.org/trademark Debian Trademark Policy], [https://ubuntu.com/legal/trademarks Ubuntu], [https://www.redhat.com/en/about/trademark-guidelines-and-policies Red Hat], [https://fedoraproject.org/wiki/Legal:Trademark_guidelines Fedora] and most if not all Linux distributions, which can easily be seen by a web search for the name of the Linux distribution and "trademark".
A reasonable process on how new {{project_name_short}} binary image maintainers could be securely admitted is yet to be developed. Please start a new {{project_name_short}} forum thread if you are interested in developing the process and/or in becoming a {{project_name_short}} binary image maintainer.

Please [[Reporting_Bugs#Contributions|contribute]] towards {{project_name_short}} source code generally or specifically towards verifiable builds, reproducible builds and rebuilders so the trust requirement can be removed from the equation.

== Builds from Source Code versus Builds including Binary Packages ==
What "building from source code" means in the context of building Linux distributions from source code is not well defined. See also [[Dev/bootstrappable_builds|Dev/bootstrappable builds]].

To explain the situation for {{project_name_short}}, it is first important to mention the general, [[unspecific]] situation for other Linux distributions. Rhetorical exercises (rhetorical because doing these things is unfortunately so difficult that most readers will not attempt them) left for the reader:

# Build a Debian installer ISO completely from source code without using any binary packages from packages.debian.org. Unfortunately, this is difficult. There was once a bounty [https://web.archive.org/web/20201214130930/https://github.com/Whonix/Whonix/issues/400 Build Debian Packages from Source Code] worth $3000 USD, but no implementation was ever contributed. See also [https://unix.stackexchange.com/questions/184812/how-to-update-all-debian-packages-from-source-code How to update all Debian packages from source code?], [https://wiki.debian.org/DebianBootstrap DebianBootstrap], and [https://wiki.debian.org/HelmutGrohne/rebootstrap rebootstrap]. The following is quoted from https://github.com/QubesOS/qubes-issues/issues/4447#issuecomment-904007298:
In this context, bootstrapping refers to building binaries for an architecture from source without using any pre-built binaries for that architecture. In the past 20 years, about 20 architectures have been bootstrapped for Debian. At all times this has been a manual and non-repeatable process. rebootstrap is trying to address the very early bootstrap phase involving the gcc/eglibc dance.
# Install Debian using an installer ISO (itself built completely from source code) without using any binary packages from packages.debian.org.
# Upgrade Debian completely from source code without using any binary packages from packages.debian.org.
# Using any Debian (built from source code or not): build and install from source code while also acquiring all the build dependencies without using any binary packages from packages.debian.org. [https://packages.debian.org/apt-build apt-build] is the closest approximation of that, but it uses binary packages from packages.debian.org to fulfill build dependencies. The development of apt-build stalled and the package was [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365427 orphaned].
# Build any Qubes template image or a Qubes installer ISO from source code without using any binaries from deb.qubes-os.org. This will probably be very difficult or impossible without Qubes source code modifications. The Qubes build script function [https://github.com/QubesOS/qubes-builder-debian/blob/master/template_debian/distribution.sh#L430 installQubesRepo] enables deb.qubes-os.org, i.e., binary packages from deb.qubes-os.org are used during the Qubes build process.
# Attempt the previous example but without using packages.debian.org and its Fedora equivalent.
# Attempt to upgrade an installed Qubes installation using Qubes source code only, without using any binary packages from qubes-os.org.
# Create your own packages.debian.org, deb.{{project_clearnet}}, and/or deb.qubes-os.org under a different domain name or on local disk.

All of the above are very difficult tasks for which unfortunately very little documentation exists. Even description and awareness of the issues rarely exist. These issues are, however, [[unspecific]] to {{project_name_short}}. They are mentioned to explain the context and set realistic expectations of what the {{project_name_short}} project might be able to provide.
The situation in [[About|{{project_name_short}}]] is as follows:

* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]:
** Builds: When [[Dev/Build Documentation|{{project_name_short}} is built from source]], no contents from {{project_clearnet}} are used and no binaries created by the {{project_name_short}} project are used. However, unfortunately running the {{project_name_short}} build script results in using binary packages from packages.debian.org. This is because {{project_name_short}} inherits the same limitations as the above examples mentioning Debian.
** APT repository: No issues with [[#APT Repository Default Settings|{{project_name_short}} APT Repository Default Settings]].
** Upgrades from source code: There is a wiki page [[Dev/Build Documentation/Upgrading Derivative Deb Packages from Source Code|Upgrading {{project_name_short}} Deb Packages from Source Code]] and a {{Github_link|repo=developer-meta-files|path=/blob/master/usr/bin/dm-upgrade-from-local-repository|text=locally-upgrade-debian-packages}} script, but with caveats: the locally-upgrade-debian-packages script should probably be moved to a different package and installed by default, only approximately 1 user in approximately 10 years expressed interest in using it, and usage would be difficult. The high-level overview is:
**# Get {{project_name_short}} source code.
**# Check out the desired {{project_name_short}} version source code git tag.
**# Optionally (recommended): verify the digital signature of the {{project_name_short}} source code git tag.
**# Optionally (recommended): review the {{project_name_short}} source code.
**# Create the {{project_name_short}} packages from {{project_name_short}} source code and create a local {{project_name_short}} APT repository using the {{Github_link|repo=derivative-maker|path=/tree/master/build-steps.d/2100_create-debian-packages|text=2100_create-debian-packages}} build step. (Ideally, these build steps would be packaged and installed by default. Contributions welcome.)
**# Upgrade {{project_name_short}} from the local {{project_name_short}} APT repository using APT.
** How can you help? Where possible:
**# Try the script.
**# Contribute to the script.
**# Package the {{project_name_short}} build script.
**# Contribute documentation.
**# Keep maintaining it.
* [[Qubes|{{q_project_name_short}}]]: Inherits the same limitations as the above examples mentioning Qubes. Unfortunately, binary packages from packages.debian.org, deb.{{project_clearnet}}, and deb.qubes-os.org are used.

Undeniably, this situation is unsatisfactory. In the future, [https://reproducible-builds.org/ reproducible builds] and [https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/ rebuilders] will hopefully reduce or eliminate the requirement to trust binaries. Asking about these issues will most likely not result in people writing documentation on how to accomplish these very difficult tasks. The only realistic option to improve this situation is to contribute to reproducible builds and/or build from source code-related projects.

Related:

* [[#Trusting Downloaded Images|Trusting Downloaded Images]]
* [[#{{project_name_short}} Updates|{{project_name_short}} Updates]]
* [[#Software Update APT Repository Security|Software Update APT Repository Security]]
* [[#Software Build Process Security|Software Build Process Security]]
* [[Malware and Firmware Trojans]]
* [[Malware_and_Firmware_Trojans#Malware Audits|Malware Audits]]

= Trusting the {{project_name_short}} Website =
== Web Application Shortcomings ==
As noted in the [[Privacy Policy Technical Details#Privacy on the Website|Privacy on the {{project_name_short}} Website]] chapter, the following separate web-based platforms are currently in use:

# [https://www.discourse.org/ Discourse] for the {{project_name_short}} forums.
# [https://www.mediawiki.org/wiki/MediaWiki MediaWiki] for online documentation.

The problem is these web applications (web apps) are developed independently from {{project_name_short}}.
This means {{project_name_short}} developers have little to no control over the course these projects take. Since privacy and security issues often take a back seat to "enhanced features", websites relying on these or similar web apps can at best only provide privacy by policy, which is equivalent to a promise. It is infeasible from a monetary, time and manpower perspective to address perceived shortcomings in these web apps. This means the {{project_name_short}} community should not place undue trust in the live version of this site on the Internet, due to the potential for interference.

== Distrusting Infrastructure ==
In an identical fashion to the Qubes project, {{project_name_short}} has adopted the principle that all infrastructure should be explicitly distrusted. Infrastructure in this context refers to "...hosting providers, CDNs, DNS services, package repositories, email servers, PGP keyservers, etc." Third parties who operate infrastructure are "known unknowns" and potentially hostile. It is safer to voluntarily place trust in a few select entities, such as the contributors of {{project_name_short}} packages, the holder(s) of {{project_name_short}} signing keys and so on. By sufficiently securing endpoints, it is unnecessary to try and improve the trustworthiness of those operating the "mid-points". This also provides two benefits: {{project_name_short}} forgoes the need to invest valuable resources on the problem, and no illusory security expectations are raised in the {{project_name_short}} community.

[https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure Quote] [https://www.qubes-os.org/ Qubes OS] (security-focused operating system):
What does it mean to “distrust the infrastructure”? A core tenet of the Qubes philosophy is “distrust the infrastructure,” where “the infrastructure” refers to things like hosting providers, CDNs, DNS services, package repositories, email servers, PGP keyservers, etc. As a project, we focus on securing endpoints instead of attempting to secure “the middle” (i.e., the infrastructure), since one of our primary goals is to free users from being forced to entrust their security to unknown third parties. Instead, our aim is for users to be required to trust as few entities as possible (ideally, only themselves and any known persons whom they voluntarily decide to trust). Users can never fully control all the infrastructure they rely upon, and they can never fully trust all the entities who do control it. Therefore, we believe the best solution is not to attempt to make the infrastructure trustworthy, but instead to concentrate on solutions that obviate the need to do so. We believe that many attempts to make the infrastructure appear trustworthy actually provide only the illusion of security and are ultimately a disservice to real users. Since we don’t want to encourage or endorse this, we make our distrust of the infrastructure explicit. [https://www.qubes-os.org/faq/#should-i-trust-this-website Also see: Should I trust this website?]
== Self-Hosting vs Third Party Hosting ==
Some users mistakenly believe that servers of security-focused projects are virtually impenetrable and hosted in the homes of developers; this is not the case. The {{project_clearnet}} server is actually hosted at an Internet hosting company. Similarly, [https://www.torproject.org The Tor Project] and [https://tails.boum.org Tails] servers are not hosted in a developer's home either. Hosting at home is the exception, rather than the rule. At the time of writing, there are no known cases where servers are hosted in a developer's home.

This means employees of the associated Internet hosting company have physical access rights to the server, along with any other capable, malicious actors. Since virtually every project is hosted by a third party (an Internet hosting company), the capability to physically secure server hardware is largely forfeited. Without physical security and due to the risk of untrusted visitors, a hardware backdoor could easily compromise the security of the server.

Any demand that servers ought to be super secure and hosted in a developer's home is idealistic. Home Internet connections are generally too slow to meet the requirements of a public web server in terms of traffic quota and connection upload speed. Internet service providers (ISPs) do not usually allow a busy public web server to be hosted on home connections; throttled connections or terminated contracts are likely if that happens. The "proper solution" would require purchase of a business Internet uplink, similar to becoming an Internet hosting company. This would incorporate a business building with a good Internet uplink, full camera security, security officers and so forth. Unfortunately this is economically infeasible at the current stage of project development.

== serverless ==
Decentralized hosting (serverless, in the sense of without a server) is unfortunately a very weak movement, both in terms of demand from users and development focus among developers. Instead, more and more centralization in the form of clouds and CDNs is happening. Decentralized hosting - sometimes also called serverless (as in without server) - has even had the definition of its term amended. For reference, see {{whonix_wiki |wikipage=The_World_Wide_Web_And_Your_Privacy#serverless |text=definition of serverless }}.

== Security Level ==
Many [[Trust#Trusting_the_Kicksecure_Website|web applications]] in use by {{project_clearnet}} did not provide software signatures at the time of installation or still do not provide them. Therefore, in stark contrast to software installed by default in {{project_name_short}}, for the {{project_clearnet}} server it was not possible to always enforce [[Verifying Software Signatures|verification of software signatures]]. Many web application and extension updaters did not, or still do not, securely verify software signatures. Therefore, the [[Verifying_Software_Signatures#System_Security_Level|security level]] of most servers is probably only equivalent to plaintext. In the case of the {{project_clearnet}} server, the system security level is only equivalent to always using TLS, not to always verifying software signatures.

== Server Privacy ==
In the past, various suggestions for "perfect server privacy" (in quotes since this is not well defined) were made, such as [[#Self-Hosting vs Third Party Hosting|"self-hosting in developers' homes"]] or "host the server outside the [https://en.wikipedia.org/wiki/Five_Eyes five eyes] ([https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes,_14_Eyes,_and_other_%22third_parties%22 nine eyes, fourteen eyes]) countries". Despite the good intentions, these suggestions do not easily translate into an actionable plan. First, these suggestions assume there is a sane method of rating the privacy protections afforded by a specific country. Moreover, the privacy rights granted to local citizens in a specific jurisdiction do not necessarily extend to non-citizens.
{{project_name_short}} developers are unaware of any project that rates privacy protections in this way, considers the feasibility of operating servers (by running tests), and then makes recommendations for locations which provide the best possible privacy. In [https://www.whonix.org/wiki/The_World_Wide_Web_And_Your_Privacy today's world] following the Snowden disclosures, it has to be assumed that if surveillance is possible it is being done. The likelihood is that surveillance is undertaken in all jurisdictions, and it is only a matter of degree.

Even The Tor Project -- a much older, established and better funded organization -- does not attempt to implement any suggestion concerning "perfect server privacy". As noted on their [https://www.torproject.org/about/sponsors/ sponsors page]:
Fastly generously hosts our Tor Browser update downloads that can be fetched anonymously.
[https://www.fastly.com/ Fastly] is providing content delivery network (CDN) services and is headquartered in America (arguably the most aggressive member of the five eyes network). Even [https://forums.whonix.org/t/debian-apt-get-updates-over-https-ssl-tls-by-default-or-avoiding-amazon-aws-pick-one/6272 Debian uses CDNs Amazon AWS and Fastly].

In a similar fashion to the [[#Distrusting Infrastructure|Distrusting Infrastructure]] chapter, {{project_name_short}} has concluded it is not worthwhile investing valuable resources to try and provide "perfect server privacy", because it is simply uneconomical. For this reason, the viewpoint that no undue trust should be placed in the server arrangements is made explicit.

== Onion Domain Name ==
{{project_clearnet}} provides an alternative onion domain name.
Onion addresses provide a higher standard of authentication than clearnet addresses.
Onion services are self-authenticating: the onion address is derived from the service's own public key, so the client authenticates the service end-to-end inside Tor's [https://support.torproject.org/onionservices/ multiple layers of encryption] without relying on the certificate authority model. This does not prohibit an advanced adversary from trying to impersonate an onion service, but together with multiple fingerprint sources, it becomes increasingly difficult and improbable that a single entity could impersonate them all.
However, this might be partly negated by [[#Self-Hosting vs Third Party Hosting|server security issues]]. For example, consider:

* How realistic is it that an adversary could break TLS, but not the server?
* How realistic is it that the {{project_clearnet}} clearnet domain name gets suspended, but the server provider stays online? This is related to [[#Legal Issues|Legal Issues]].

Related: [[Forcing_.onion_on_Project|Forcing .onion on Project]]

== Server Security ==

Server security issues should not be conflated with software security issues. If an advanced adversary wanted to tarnish the reputation of any security-focused project, then breaking into the data center where it is hosted and "hacking" the server would be one way to achieve that aim. Projects that are honest need to mention this possibility beforehand, so it is not unexpected. The world's largest and most profitable technology companies like Google, Facebook, Microsoft and Amazon can easily afford to employ large, dedicated and skilled teams of system administrators to work around the clock to protect their servers. Even then, capable adversaries have compromised their private networks; see [https://www.theatlantic.com/politics/archive/2013/10/nsa-hacked-google-and-yahoos-private-networks/354570/ here]. For small projects, this scale of server protection is completely unrealistic.

== Software Update APT Repository Security ==

A compromise of the {{project_clearnet}} server would not result in a compromise of users attempting to upgrade {{project_name_short}}. This is because of a standard APT security feature: digital signature verification of APT repository metadata ([https://wiki.debian.org/SecureApt SecureApt]). An adversary who compromised the {{project_clearnet}} server would lack the signing key required to generate valid signed APT repository metadata. Invalid APT repository metadata would be rejected by the user's APT updater software. This does not make a compromised server harmless: it could still withhold updates, or keep serving old but validly signed metadata so that users miss security fixes. APT limits the latter with the Valid-Until field in Release files, so stale metadata is eventually rejected.
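The trust chain described above, as an added example written for this page (it is not code from APT or from {{project_name_short}}): a Go model of SecureApt in which the developer signs only the Release file, Release commits to the Packages index by hash, and Packages commits to each .deb by hash. Ed25519 stands in for the OpenPGP key that apt checks with gpgv, the package name and file contents are constructed, and the repository has a single index and a single .deb to keep it short. The second half plays an adversary who controls the server but not the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Repo is what the web server hosts. Only Release is signed; Packages and the
// .deb files are protected transitively by the SHA-256 values recorded in
// Release and Packages (the SecureApt design; Ed25519 stands in for OpenPGP).
type Repo struct {
	Release, ReleaseSig, Packages []byte
	Debs                          map[string][]byte // filename -> contents
}

func sha256hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// BuildRepo is the developer side: it runs where the signing key lives and
// commits to every artifact before anything is uploaded to the server.
func BuildRepo(priv ed25519.PrivateKey, debs map[string][]byte) Repo {
	var pk strings.Builder
	for n, data := range debs {
		fmt.Fprintf(&pk, "Package: %s\nFilename: pool/%s\nSHA256: %s\n\n", n, n, sha256hex(data))
	}
	packages := []byte(pk.String())
	release := []byte(fmt.Sprintf("Suite: stable\nSHA256:\n %s %d Packages\n", sha256hex(packages), len(packages)))
	return Repo{release, ed25519.Sign(priv, release), packages, debs}
}

// releaseHash returns the SHA256 that Release records for an index file ("" if absent).
func releaseHash(release []byte, file string) string {
	for _, line := range strings.Split(string(release), "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[2] == file {
			return f[0]
		}
	}
	return ""
}

// packagesHash returns the SHA256 that Packages records for a .deb ("" if absent).
func packagesHash(packages []byte, name string) string {
	for _, stanza := range strings.Split(string(packages), "\n\n") {
		if !strings.HasPrefix(stanza, "Package: "+name+"\n") {
			continue
		}
		for _, line := range strings.Split(stanza, "\n") {
			if strings.HasPrefix(line, "SHA256: ") {
				return strings.TrimPrefix(line, "SHA256: ")
			}
		}
	}
	return ""
}

// VerifyRepo is the client side, holding only the pinned public key: check the
// signature first, then every link of the hash chain. Any break is fatal.
func VerifyRepo(pub ed25519.PublicKey, r Repo) error {
	if !ed25519.Verify(pub, r.Release, r.ReleaseSig) {
		return errors.New("Release signature invalid: not produced by the repository key")
	}
	if want, got := releaseHash(r.Release, "Packages"), sha256hex(r.Packages); want != got {
		return fmt.Errorf("Packages hash mismatch: Release says %q, got %s", want, got)
	}
	for name, data := range r.Debs {
		if want, got := packagesHash(r.Packages, name), sha256hex(data); want != got {
			return fmt.Errorf("%s hash mismatch: Packages says %q, got %s", name, want, got)
		}
	}
	return nil
}

// Demo returns the results for the genuine repository and for two attacks by
// an adversary who controls the server but not the developer's private key.
func Demo() (genuine, swappedDeb, reSigned error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	debs := map[string][]byte{"example-meta_1.0_all.deb": []byte("constructed sample package contents")}
	repo := BuildRepo(priv, debs)
	genuine = VerifyRepo(pub, repo)
	evil := map[string][]byte{"example-meta_1.0_all.deb": []byte("constructed backdoored contents")}
	swapped := repo // attack 1: swap the .deb on the server, leave the signed metadata alone
	swapped.Debs = evil
	swappedDeb = VerifyRepo(pub, swapped)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attack 2: rebuild the metadata and re-sign with the attacker's own key
	reSigned = VerifyRepo(pub, BuildRepo(attackerPriv, evil))
	return
}

func main() {
	g, s, r := Demo()
	fmt.Printf("genuine repo: %v\nswapped .deb: %v\nattacker-signed: %v\n", g, s, r)
}
```

Attack 1 fails at the last link of the chain (the .deb no longer hashes to what Packages says), attack 2 at the first (the client's pinned key rejects the attacker's signature on the rebuilt Release). What the model deliberately leaves out is the freeze attack mentioned above: a server that keeps serving old but validly signed metadata passes every check here, which is why real Release files carry a Valid-Until field.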
APT repository metadata is signed locally on the developer's computer before the signed metadata is uploaded to the {{project_clearnet}} server. The {{project_name_short}} APT repository signing key is never exposed to the server. Thanks to digital signature verification, the {{project_name_short}} software update APT repository can in theory be considered more secure than the {{project_clearnet}} website.

== Software Build Process Security ==

A compromise of the {{project_clearnet}} server would not result in a compromise of software packages (image downloads, Debian packages, .debs) because all software is built locally on the developer's computer. No binary builds offered for download to users of software developed under the {{project_name_short}} umbrella are ever created on remote servers hosted by third parties. Users who [[Warning#Always_Verify_Signatures|always correctly verify software signatures]] could detect malicious software before use. However, note these [[#Consequences of Server Compromise|Consequences of Server Compromise]].

== Server Privacy vs Server Security ==

In an ideal world, both server privacy and server security would be maximized at the same time. However, in the real world this is an impossibility. In a world with specialization and division of labour, those companies who excel at hosting web applications have more focus, time, energy, knowledge and money to work on server security; it is their raison d'être. In contrast, small projects use web applications only as a means to an end. Therefore, using third party web application hosters may provide better security than self-hosting, but better server privacy demands self-hosting. This means it is impossible to optimize both security and privacy simultaneously; the goals are at odds with each other.
== Server Downtime ==

The almost perfect uptime of popular web services such as Google, Facebook, and Amazon (perhaps 99.99 per cent) might lead some to conclude this is an easy goal to achieve; this is a false assumption. Expecting the same uptime from much smaller projects like {{project_name_short}} is unrealistic. At best, ''maybe'' only 99.0 per cent uptime can be provided, because no resources are spent on server uptime statistics, server upgrades need to be performed, and reboots are necessary. These factors necessarily lead to downtime when the website is unavailable. With a huge budget it would be possible to approach the 99.99 per cent uptime that popular websites have via technical solutions such as server farms, load balancing, and [https://en.wikipedia.org/wiki/Failover failover], but this is infeasible for small projects. Similarly, large companies can afford to pay for whole teams of system administrators who are working 24/7, in concert with these technical options. Again, small projects do not have that option. Finally, server downtime is not evidence of a server compromise, but normally relates to server issues (for example, failing hard drives) and routine server maintenance.

== Consequences of Server Compromise ==

A compromised {{project_clearnet}} server would result in one or more of the following issues:

* Provision of poor and/or malicious advice to visitors of the {{project_clearnet}} website.
* Malicious software downloads offered to users who do not [[Warning#Always_Verify_Signatures|always verify software signatures]].
* Unavailability of legitimate software downloads and updates.
* Reputational damage for {{project_name_short}}.

== Conclusion ==

Due to the multiple issues outlined in this section, the software produced by the {{project_name_short}} project is theoretically considered more secure than the website provided by the {{project_name_short}} project ({{project_clearnet}}).
The {{project_name_short}} software is the main product delivered by the {{project_name_short}} project, while the {{project_clearnet}} server is only a tool to document and deliver {{project_name_short}}. For further reading on this topic, see: [[Website_Tests|Website and Server Tests]].

= OpenPGP =

== Introduction ==

{{always_verify_signatures_reminder}}

== Fingerprint Trust ==

Most users retrieve OpenPGP fingerprints directly from a website and then download an associated key from a key server. The problem with this method is that TLS is fallible and the connection could be insecure or broken. Greater security necessitates a key signing party, whereby a direct and trusted path of communication can be confirmed by all attendees. If this step is not followed, OpenPGP is only as secure as TLS. Meeting in person is often impossible. To mitigate the risk, any OpenPGP fingerprint should be cross-referenced on multiple "secure" (https://) sites, and always compared as the full fingerprint rather than a short key ID. An additional fail-safe is to use an alternative authentication system, for example comparing the Tor signing keys on both the [https://2019.www.torproject.org/docs/signing-keys.html clearnet] and [http://jqyzxhjk6psc6ul5jnfwloamhtyh7si74b4743k2qgpskwwxrzhsxmad.onion/docs/signing-keys.html.en .onion] domains. Onion services offer strong authentication via [https://community.torproject.org/onion-services/ multiple layers of encryption]. This does not prohibit an advanced adversary from trying to impersonate an onion service, but together with multiple fingerprint sources, it becomes increasingly difficult and improbable that a single entity could impersonate them all.

== {{project_name_short}} Binaries and Git Tags ==

All {{project_name_short}} binaries are OpenPGP-signed by {{project_name_short}} developer Patrick Schleizer.
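The cross-referencing step from Fingerprint Trust above, as an added example written for this page (it is not a {{project_name_short}} or GnuPG tool): a Go program that parses the machine-readable output of {{code|gpg --with-colons --fingerprint}} for the key actually fetched from a keyserver and insists that every independently obtained copy of the fingerprint, for instance from the clearnet site and the .onion site, matches it after normalization. The colon-format sample, the key IDs and all fingerprints are constructed for the example. It refuses short key IDs, because a key with a chosen 32- or 64-bit ID can be generated cheaply, and it refuses a single source, because one source is exactly the TLS-only situation the text warns about.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// KeyserverColons is a constructed sample of `gpg --with-colons --fingerprint`
// output for a key fetched from a keyserver. Field 10 of an "fpr" record is the
// fingerprint; the first fpr after "pub" belongs to the primary key, later ones
// to subkeys. Every identifier below is made up for this example.
const KeyserverColons = `pub:-:4096:1:89ABCDEF01234567:1338249600:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1338249600::0000000000000000000000000000000000000000::Example Developer <dev@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1338249600::::::e::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
`

var hex40 = regexp.MustCompile(`^[0-9A-F]{40}$`)

// Normalize turns a fingerprint as copied from a web page (grouped by spaces,
// lowercase, optional 0x prefix) into canonical form and rejects anything that
// is not a full 40-hex v4 fingerprint. Short 8- or 16-hex key IDs are refused
// on purpose: a key with a chosen short ID is cheap to generate.
func Normalize(raw string) (string, error) {
	s := strings.ToUpper(strings.Join(strings.Fields(raw), ""))
	s = strings.TrimPrefix(s, "0X")
	if !hex40.MatchString(s) {
		return "", fmt.Errorf("%q is not a full 40-hex fingerprint (short key IDs are not accepted)", raw)
	}
	return s, nil
}

// PrimaryFingerprint extracts the primary key's fingerprint from colon output.
func PrimaryFingerprint(colons string) (string, error) {
	for _, line := range strings.Split(colons, "\n") {
		if f := strings.Split(line, ":"); len(f) > 9 && f[0] == "fpr" {
			return Normalize(f[9])
		}
	}
	return "", errors.New("no fpr record in gpg output")
}

// CrossCheck requires every independently obtained fingerprint (for example from
// the clearnet site, the .onion site and a printed document) to match the key
// actually fetched from the keyserver. Any disagreement names the source.
func CrossCheck(colons string, sources map[string]string) error {
	fetched, err := PrimaryFingerprint(colons)
	if err != nil {
		return err
	}
	if len(sources) < 2 {
		return errors.New("need at least two independent fingerprint sources")
	}
	for name, raw := range sources {
		fp, err := Normalize(raw)
		if err != nil {
			return fmt.Errorf("source %s: %w", name, err)
		}
		if fp != fetched {
			return fmt.Errorf("source %s publishes %s but the fetched key is %s: trust neither until resolved", name, fp, fetched)
		}
	}
	return nil
}

func main() {
	ok := map[string]string{
		"clearnet": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
		"onion":    "0x0123456789abcdef0123456789abcdef01234567",
	}
	fmt.Println("consistent sources:", CrossCheck(KeyserverColons, ok))
	bad := map[string]string{"clearnet": ok["clearnet"], "mirror": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4568"}
	fmt.Println("one source differs:", CrossCheck(KeyserverColons, bad))
	fmt.Println("short key id:      ", CrossCheck(KeyserverColons, map[string]string{"forum": "89ABCDEF01234567", "onion": ok["onion"]}))
}
```

The comparison is against the key material itself, not against what one website says another website says; if the two sites agree with each other but not with the downloaded key, the download is the suspect.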
The {{project_name_short}} developer was [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/proper?version=1 named proper in the past], [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/proper?version=6 renamed himself to adrelanos], and [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/proper?version=3 published his OpenPGP key on 05/29/12] ([https://gitlab.torproject.org/legacy/trac/-/wikis/doc/proper?action=history wiki history]). [https://forums.whonix.org/t/giving-up-pseudonymity-after-collecting-experiences-with-pseudonymous-project-development/2369 He revealed his identity on 01/18/14.] [https://lists.torproject.org/pipermail/tor-talk/2014-January/031741.html Patrick Schleizer posted his OpenPGP key transition message on 01/18/14, signed by both his old and new key.]

The source code is directly available on GitHub over TLS, and it can be cloned using git over https://. Git tags for each release are also OpenPGP-signed by {{project_name_short}} developer Patrick Schleizer. Users can also request signed git development tags from the same developer. Even if {{project_name_short}} developers are distrusted, verifying binary downloads or git tags with OpenPGP is still useful. For example, in order to audit {{project_name_short}}, it is important to verify the download came from {{project_name_short}} developers and that it was not tampered with by third parties.
This is a realistic threat, as these examples show:

* [https://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted An attacker could modify source code on GitHub]
* [https://sourceforge.net/blog/sourceforge-attack-full-report/ SourceForge hacked]
* [https://www.theregister.com/2012/09/26/sourceforge_backdoor_code_compromise/ SourceForge mirror hacked]

The OpenPGP key also ensures that if the {{project_name_short}} infrastructure is ever compromised by a powerful adversary (such as a domain takeover), the original {{project_name_short}} developers can at least prove they owned the infrastructure.

== {{project_name_short}} Developer OpenPGP Guidelines ==

All long-term {{project_name_short}} developers are encouraged to:

* Create a 4096/4096 RSA/RSA OpenPGP key.
* Retrieve the latest {{code|gpg.conf}} which comes with {{project_name_workstation_short}} for stronger hashes, no-emit-version, and other improved settings.
* Store the private key inside an encrypted file.
* Make a backup of that encrypted file.
* Remember the password and regularly test one's memory of it.
* Upload the encrypted file to a (free) online cloud-based host to protect against theft, fire, natural events and so on.

From the beginning of the {{project_name_short}} project, greater trust has been placed in developers who published their OpenPGP public key early on, since this reduces the probability of an [[#Evil_Developer_Attack|evil developer attack]].

= {{project_name_short}} Updates =

== Introduction ==

When it comes to trust, there is a large difference between building {{project_name_short}} from source code and using the Default-Download-Version.

== APT Repository and Binary Builds Trust ==

When {{project_name_short}} is built from source code using the build script, and the source code is audited by the builder to be non-malicious and reasonably bug-free, {{project_name_short}} developers are unable to access the system.
On the other hand, if the {{project_name_short}} APT repository is enabled, developers holding a {{project_name_short}} repository signing key could release a malicious update to gain full access to the machine(s). At the moment, {{project_name_short}} developer Patrick Schleizer is the only one holding the {{project_name_short}} APT repository OpenPGP signing key. Even if the {{project_name_short}} APT repository is not used with the Default-Download version, it is still theoretically possible for {{project_name_short}} developers to sneak a backdoor into the binary builds which are available for download. Although an unpleasant threat, using the {{project_name_short}} APT repository poses a greater risk: a malicious {{project_name_short}} developer might sneak in a backdoor at any time. It is easier to sneak backdoors into binary builds, since they contain compiled code in binary packages which are downloaded from the Debian repository when built.

== APT Repository Default Settings ==

[[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]:

* [[Dev/Build Documentation|Building]] from source code: {{project_name_short}} APT Repository is ''disabled by default.''
* Default [[Download|binary download]]: {{project_name_short}} APT Repository is ''enabled by default.''

[[Qubes|{{q_project_name_short}}]]:

* [[Qubes/Install]]: {{project_name_short}} APT Repository is ''enabled by default.''
* [[Dev/Build Documentation|Building]] from source code: {{project_name_short}} APT Repository is ''enabled by default.'' To disable this setting, see: broken link: [{{Github_link|repo=qubes-template-{{project_name_short}}|path=}} qubes-template-{{project_name_short}}]: broken link: [{{Github_link|repo=qubes-template-{{project_name_short}}|path=/blob/master/builder.conf}} builder.conf], and set {{code|DERIVATIVE_APT_REPOSITORY_OPTS = off}}

Most users will have the {{project_name_short}} APT repository enabled.
This means when updated {{project_name_short}} Debian packages are uploaded to the {{project_name_short}} APT repository, these packages will be automatically installed when the system is upgraded (after running {{code|sudo apt update && sudo apt full-upgrade}} manually or via a GUI updater). If this behavior is unwanted, it can be [[Project-APT-Repository#Disable_{{project_name_short}}_APT_Repository|disabled]]. Refer to the previous section outlining security implications before proceeding.

== Security Conclusion ==

Legend:

* *: poor security.
* ****: best security.

{| class="wikitable"
|+ ''Build and APT Repository Security Comparison''
!
! Binary Download with {{project_name_short}} APT Repository
! Binary Download without {{project_name_short}} APT Repository
! Built from Source Code and {{project_name_short}} APT Repository Enabled
! Built from Source Code and {{project_name_short}} APT Repository Disabled
|-
! Security
| style="background-color: {{Red}}"| *
| style="background-color: {{Yellow}}"| **
| style="background-color: {{Red}}"| ''*''
| style="background-color: {{Green}}"| ****
|-
! Convenience
| style="background-color: {{Green}}"| ****
| style="background-color: {{Red}}"| ''*''
| style="background-color: {{Yellow}}"| **
| style="background-color: {{Red}}"| *
|-
|}

In summary:

* The {{project_name_short}} binary download using the {{project_name_short}} APT repository is the most convenient method, but also the least secure.
* It is somewhat safer to use the {{project_name_short}} binary download and then disable the {{project_name_short}} APT repository. However, the user must then manually download updated {{project_name_short}} deb packages upon release, and independently verify and install them.
* The greatest security comes from [[Dev/Build_Documentation|building {{project_name_short}}]] and updated packages from source code, particularly if the source code is verified before building {{project_name_short}}.
= Appendix =

== What Digital Signatures Prove ==

{{always_verify_signatures_reminder}}

See [[Verifying_Software_Signatures|Verifying Software Signatures]] for details on what digital signatures prove. In short, a user must be careful to ensure the public keys that are used for signature verification are the [[Signing Key|{{project_name_short}} key pair]] belonging to the {{project_name_short}} developer of the specific component. At time of writing there are two different components and signing keys.

* [[Main/Project Signing Key|{{project_name_short}} Main, APT Repository and Source Code Signing Key]]

== TLS ==

TLS, SSL and HTTPS are all flawed since they rely on the vulnerable Certificate Authority (CA) model; see [[Warning#The_Fallible_Certificate_Authority_Model|here]] for further details and SSL/TLS alternatives. {{project_name_short}} developers place little trust in the CA model. Even if the numerous implementation problems were solved, such as problematic revocation and the ability of every CA to issue certificates for any name (including wildcards, "*"), third party trust cannot be established. Until an alternative arrives and is widely adopted, everybody has to rely upon SSL/TLS to some extent.

== Evil Developer Attack ==

=== Introduction ===

An "evil developer attack" is a narrow example of an ''insider threat'': https://www.se.rit.edu/~samvse/publications/An_Insider_Threat_Activity_in_a_Software_Security_Course.pdf
Software development teams face a critical threat to the security of their systems: insiders.
[...] An insider threat is a current or former employee, business partner, or contractor who has access to an organization’s data, network, source code, or other sensitive information who may intentionally misuse this information and negatively affect the availability, integrity, or confidentiality of the organization’s information system.
In the case of software, a disguised attack is conducted on the integrity of the software platform. While this threat is only theoretical, it would be naive to assume that no major software project has ever had a malicious insider. {{project_name_short}} and all other open source software projects face this problem, particularly those that are focused on privacy, anonymity or encryption such as VeraCrypt (TrueCrypt has been discontinued), Tails, I2P, The Tor Project and so on.

=== Attack Methodology ===

A blueprint for a successful insider attack is as follows:

# Either start a new software project or join an existing software project.
# Gain trust by working hard, behaving well, and publishing your sources.
# Build binaries directly from your sources and offer them for download.
# Attract a lot of users by making a great product.
# Continue to develop the product.
# Make a second branch of your sources and add malware.
# Continue to publish your clean sources, but offer your malicious binaries for download.
# If undetected, a lot of users are now infected with malware.

An evil developer attack is very difficult for end users to notice. If the backdoor is rarely used, then it may remain a secret for a long time. If it were used for something obvious, such as adding all the users to a botnet, then it would be quickly discovered and reported on. Open source software has some advantages over proprietary code, but certainly not for this threat model. For instance, no one is checking whether the binaries are made from the proclaimed source and publishing the results; doing so requires "deterministic builds" (also called reproducible builds), where rebuilding the same source yields a bit-for-bit identical binary. https://mailman.stanford.edu/pipermail/liberationtech/2013-June/009257.html https://gitlab.torproject.org/legacy/trac/-/issues/3688 This standard is quite difficult to achieve, but is being worked towards. Interested readers can investigate its complexity by searching with the phrase "trusting trust".
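The check that the text says is missing, as an added example written for this page (it is not a {{project_name_short}} tool): a Go program that parses a published {{code|sha256sum}}-style list, hashes the artifacts of an independent local rebuild, and reports which files match, differ, were never rebuilt or were never listed. File names and contents are constructed. Its Demo function plays out the evil developer blueprint: the shipped image carries bytes the published source does not produce, the signed checksum list agrees with the shipped image, and only the rebuild comparison exposes the gap.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ParseSums parses a coreutils-style checksum list as shipped next to release
// downloads: "<64 hex>  <filename>" per line, optionally "*filename" for binary
// mode. Malformed or duplicate lines are errors rather than skipped, so a
// truncated or edited list cannot silently shrink the set of checked files.
func ParseSums(sums string) (map[string]string, error) {
	out := map[string]string{}
	for i, line := range strings.Split(strings.TrimSpace(sums), "\n") {
		f := strings.SplitN(line, " ", 2)
		if len(f) != 2 || len(f[0]) != 64 {
			return nil, fmt.Errorf("line %d: malformed checksum entry %q", i+1, line)
		}
		name := strings.TrimPrefix(strings.TrimLeft(f[1], " "), "*")
		if _, dup := out[name]; dup {
			return nil, fmt.Errorf("line %d: duplicate entry for %s", i+1, name)
		}
		out[name] = strings.ToLower(f[0])
	}
	return out, nil
}

// PublishSums is what the developer runs (sha256sum over the files offered for
// download); its output is what gets signed and published next to the binaries.
func PublishSums(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// Report classifies every artifact of an independent rebuild against the list.
type Report struct {
	Matched, Mismatched, MissingLocally, Unlisted []string
}

// Reproducible is true only when every listed artifact was rebuilt and every
// rebuilt artifact hashes to the published value.
func (r Report) Reproducible() bool {
	return len(r.Matched) > 0 && len(r.Mismatched)+len(r.MissingLocally)+len(r.Unlisted) == 0
}

// CompareRebuild hashes the locally rebuilt artifacts (name -> bytes) and sorts
// them into the four outcomes. Unlisted local files are flagged as well: a
// published list that omits a shipped file deserves a question of its own.
func CompareRebuild(published map[string]string, local map[string][]byte) Report {
	var r Report
	for name, data := range local {
		sum := sha256.Sum256(data)
		want, listed := published[name]
		switch got := hex.EncodeToString(sum[:]); {
		case !listed:
			r.Unlisted = append(r.Unlisted, name)
		case got == want:
			r.Matched = append(r.Matched, name)
		default:
			r.Mismatched = append(r.Mismatched, name)
		}
	}
	for name := range published {
		if _, ok := local[name]; !ok {
			r.MissingLocally = append(r.MissingLocally, name)
		}
	}
	for _, l := range [][]string{r.Matched, r.Mismatched, r.MissingLocally, r.Unlisted} {
		sort.Strings(l)
	}
	return r
}

// Demo plays out the evil developer blueprint with constructed data: first an
// honest release, then one whose shipped image carries bytes the published
// source does not produce while the signed checksum list still matches it.
func Demo() (honest, evil Report) {
	fromSource := []byte("constructed: bytes that building the published source yields")
	rebuild := map[string][]byte{"example-1.0.iso": fromSource, "example-cli_1.0_amd64.deb": []byte("constructed cli package")}
	shipped := map[string][]byte{"example-1.0.iso": fromSource, "example-cli_1.0_amd64.deb": rebuild["example-cli_1.0_amd64.deb"]}
	sums, _ := ParseSums(PublishSums(shipped))
	honest = CompareRebuild(sums, rebuild)

	shipped["example-1.0.iso"] = append(append([]byte(nil), fromSource...), " + backdoor absent from source"...)
	sums, _ = ParseSums(PublishSums(shipped)) // the developer's signed list matches the backdoored image
	evil = CompareRebuild(sums, rebuild)       // only the independent rebuild disagrees
	return
}

func main() {
	honest, evil := Demo()
	fmt.Printf("honest release reproducible: %v %+v\n", honest.Reproducible(), honest)
	fmt.Printf("evil release reproducible:   %v %+v\n", evil.Reproducible(), evil)
}
```

The signature on the checksum list proves who published the binaries, not what they were built from; that is exactly why it does not help against this attacker. The comparison is also only meaningful when the build is deterministic: a non-reproducible build lands in Mismatched for innocent reasons, which is why the text calls the standard hard to reach.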
=== Related Attacks ===

While most security experts are focused on the possibility of a software backdoor, other insider attacks can have equally deleterious effects. For instance, the same methodology can be used to infiltrate a targeted project team in a role unrelated to software development; for example, as a moderator, site administrator, wiki approver and so on. This approach is particularly effective in smaller projects that are starved of human resources. Following infiltration, disruption is caused within the project to affect productivity, demoralize other team members and (from the attacker's perspective, hopefully) cause primary contributors to cease their involvement. For example, using a similar blueprint to that of the evil developer attack, a feasible scenario is outlined below:

# Join an existing software project as a general member.
# Gain trust by working hard, behaving well, assisting readily in forums, making significant wiki contributions and so on.
# Attract a lot of community admiration by outwardly appearing to be a bona fide and devoted project member.
# Eventually attain moderator, administrator or other access once team membership is extended. The time period is likely to be shorter for smaller projects, perhaps less than 12 months.
# Continue to behave, moderate and publish well.
# Once trust is firmly established, subtly undermine the authority, character and contributions of other team members, for example by casting unjustified aspersions.
# If the insider threat is undetected for a significant period, this can lead to a diminished software product due to a fall in contributions in numerous domains and team ill will.

=== Conclusion ===

The insider threat nicely captures how difficult it is to trust developers or other project members, even if they are not anonymous. Further, even if they are known and have earned significant trust as a legitimate developer, this does not discount the possibility of serious mistakes that may jeopardize the user.
The motives and internal security of everyone contributing to major software projects like Tor, distribution developers and contributors, and the hundreds of upstream developers and contributors is a legitimate concern. In the case of {{project_name_short}}, the project neither compiles nor distributes binaries of its own. Only unmodified upstream binaries are redistributed, along with shell scripts. This claim is much easier to verify than if {{project_name_short}} were distributing binaries compiled from project source code. The trusted computing base of a modern operating system is enormous. There are so many people involved in software and complex hardware development that it would be surprising if none of the bugs in existence were intentional. While detecting software changes in aggregate may be easy (by diffing the hash sums), finding and proving that a change is a purposeful backdoor rather than a bug in well designed source code is near impossible.

== Legal Issues ==

{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = The following is [[Terms_of_Service#No_Legal_Advice|not legal advice]] and does not refer to any specific laws; it is a theoretical consideration by non-lawyers.
}}

Users occasionally raise the possible privacy and security implications if contemporary draft laws were to be passed. For example, how the {{project_name_short}} project would react to laws:

* banning end-to-end encryption
* outlawing anonymity tools like Tor
* demanding that operating systems include a backdoor

It is important to note that government members have diverse and conflicting interests. Bills which are hostile to Internet privacy and security are regularly introduced in various jurisdictions, but common sense usually prevails and ill-conceived legislation normally stalls and fails to become law.
Conversely, bills that allocate funding to support cryptographic development and privacy tools garner support and are normally passed because most legislators understand their importance in an open society. While Internet privacy advocacy groups should remain vigilant, it is unproductive to become unduly stressed whenever a bill hostile to privacy or security is proposed. Although it may be counter-intuitive, in the event privacy-hostile laws are passed this is not a {{project_name_short}}-specific issue, even though {{project_name_short}} would obviously be affected. For the most part, {{project_name_short}} is a compilation of existing software packages provided by third parties which allow re-use in a compilation due to permissive licensing (Freedom Software). In this context, noteworthy components which {{project_name_short}} relies on directly or indirectly are the base operating system (Debian at time of writing) and an anonymizer (Tor at time of writing). First and foremost, such a law would very likely harm the security properties of these and other projects (see footnote). To learn more about this organizational structure, see: [[Linux User Experience versus Commercial Operating Systems]].

=== Legal Jurisdiction ===

{{IntroLike|
In response to the possibility of privacy-hostile laws being implemented, it is usually suggested that the {{project_name_short}} legal entity should relocate to a different country.
}}

The effectiveness of moving to another jurisdiction would of course depend upon the specifics of the legal text; however, it is unlikely that simple legal loopholes exist. For example, relocating a legal entity does not help people who would like to sell controlled substances (such as medicine) or goods (such as weapons) without all authorizations required by law. Another example is financial services; this is also why bearer stock certificates on the blockchain do not exist.

{{IntroLike| Some U.S.
laws and enforcement actions can reach people, companies, or projects outside the United States, especially where U.S. authorities claim a connection to the United States. }} Take the case of Kim Dotcom who is a German/Finnish dual national. Although a permanent resident of and physically present in New Zealand at the time of alleged copyright infringement charges brought forth by the USA, he had his assets seized, worldwide bank accounts frozen, was arrested, and is fighting extradition to the USA. As Kim Dotcom [https://twitter.com/KimDotcom/status/582068295366410240 summarized on Twitter]: {{quotation |quote= I never lived there
I never traveled there
I had no company there
But all I worked for now belongs to the U.S. |context=[https://www.techdirt.com/2015/03/27/how-us-government-legally-stole-millions-kim-dotcom/ How The US Government Legally Stole Millions From Kim Dotcom] }} [https://www.ccn.com/1broker-shut-down-will-more-bitcoin-exchanges-be-targeted-by-us-govt/ Quote ccn.com] https://web.archive.org/web/20211027101647/https://www.fbi.gov/investigate/cyber/information-on-1broker-com-seizure (Underline added.): {{quotation |quote=1Broker, a Marshall Islands-based securities dealer and bitcoin trading platform, was recently taken down by the US authorities. The FBI seized the domain of 1Broker, shutting down the platform for allegedly violating money laundering regulations and distributing securities as an unregistered dealer. }} The domain name got seized (and apparently returned after the legal case). [https://www.sec.gov/newsroom/press-releases/2018-218 CEO Patrick Brunner got charged (legal accusation case opened).] {{quotation |quote=8. Plaintiff SEC is an agency of the United States of America charged with enforcing the federal securities laws. |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf court document] }} {{quotation |quote=9. Defendant Brunner, age 26, resides principally in Austria. He is 1Broker’s CEO, sole shareholder, and the only person authorized to represent the company. He also developed 1Broker’s software platform. |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf court document] }} {{quotation |quote=Following a recent U.S. district court’s ruling, foreign companies operating cloud-based services may find themselves subject to federal long-arm jurisdiction under the Federal Rules of Civil Procedure 4(k)(2), even if they have no physical presence in the United States. |context=https://www.jdsupra.com/legalnews/foreign-cloud-based-service-providers-49211/ }} For more, see footnote. 
* https://ofac.treasury.gov/media/932746/download?inline
** https://www.arnoldporter.com/en/perspectives/advisories/2024/03/compliance-with-us-sanctions-and-export-control-laws
** https://www.mofo.com/resources/insights/240311-publication-of-tri-seal-compliance
* https://www.porterhedges.com/patent-litigation-law-blog/clicks-carts-and-courts-personal-jurisdiction-in-ip-cases-arising-from-online-marketplace-sales
* https://www.swlaw.com/blogs/swiplit/2024/10/07/second-circuit-clarifies-showing-necessary-to-satisfy-new-yorks-long-arm-statute-for-cases-involving-foreign-internet-based-companies/
* https://www.reuters.com/legal/legalindustry/schedule-litigation-provides-an-efficient-means-combat-online-counterfeiters--pracin-2025-12-12/
* https://harris-sliwoski.com/es/blog/will-your-u-s-judgment-be-enforced-abroad/
* https://www.thenewyorklawblog.com/2016/06/enforcing-judgments-in-foreign-countries-hague-service.html
* https://www.finnegan.com/en/insights/blogs/federal-circuit-ip/the-hague-service-convention-does-not-prohibit-service-of-process-by-mail.html
* https://www.reuters.com/world/china/huawei-cfos-alleged-actions-had-no-genuine-connection-us-her-lawyers-say-2020-12-18/
* COPPA:
** [https://www.coppa.org coppa.org]: [https://www.coppa.org/coppa/ COPPA’s Reach: Does it Apply Beyond US Borders]

See also:

* [https://en.wikipedia.org/wiki/Piercing_the_corporate_veil Piercing the corporate veil]
* [https://en.wikipedia.org/wiki/Enforcement_of_foreign_judgments Enforcement of foreign judgments]

=== Extraterritorial Jurisdiction ===

{{quotation |quote=The phenomenon of extraterritorial jurisdiction, or the exercise of legal power beyond territorial borders |context=[https://scholar.smu.edu/law_faculty/189/ SMU Scholar (Cornell Law Review, 2014)] }}

{{quotation |quote=The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a State to make, apply and enforce rules of conduct beyond its territory.
|context=[https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1040 Oxford Public International Law (September 15, 2020)] }}

{{quotation |quote=Extraterritoriality refers to the application of a state’s law beyond the state’s borders. |context=[https://tlblog.org/extraterritoriality/ Transnational Litigation Blog (updated September 1, 2025)] }}

The following example cases do not necessarily show pure "extraterritorial" application of U.S. law. In the cited sources, U.S. authorities typically allege some U.S. nexus, such as U.S. users or customers, U.S. infrastructure, sanctions / blocked property, asset seizure, or extradition cooperation.

=== Legal Jurisdiction Comparison Table ===

{{IntroLike|
Examples of U.S. law enforcement action against foreign people and companies. The table looks at whether they were non-U.S. citizens, based abroad, or registered abroad, and whether that led to charges, extradition, asset seizure, or arrest. For case specific questions, contact a licensed attorney because [[Terms_of_Service#No_Legal_Advice|this is not legal advice]].
}}

{| class="wikitable"
|+ Comparison of Selected Cross-Border U.S. Enforcement Cases
|-
!
! [https://en.wikipedia.org/wiki/Megaupload Megaupload]
! [https://www.sec.gov/enforcement-litigation/litigation-releases/lr-24330 1Broker]
! [https://en.wikipedia.org/wiki/Samourai_Wallet Samourai Wallet]
! [https://en.wikipedia.org/wiki/Tornado_Cash Tornado Cash]
! [https://www.ftc.gov/news-events/news/press-releases/2020/05/swiss-digital-game-developer-settles-ftc-allegations-it-falsely-claimed-it-was-member-coppa-safe Miniclip]
|-
! Case type
| criminal {{quotation |quote=were indicted |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S.
Department of Justice] }}
| civil / regulatory {{quotation |quote=civil enforcement action |context=[https://www.cftc.gov/PressRoom/PressReleases/7809-18 CFTC] }}
| criminal {{quotation |quote=criminal charges |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }}
| criminal / sanctions {{quotation |quote=charged today |context=[https://www.justice.gov/opa/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} {{quotation |quote=sanctioned Roman Semenov |context=[https://home.treasury.gov/news/press-releases/jy1702 U.S. Department of the Treasury] }}
| civil / administrative {{quotation |quote=administrative complaint |context=[https://www.ftc.gov/news-events/news/press-releases/2020/05/swiss-digital-game-developer-settles-ftc-allegations-it-falsely-claimed-it-was-member-coppa-safe FTC] }}
|-
! Type of business / service
| file hosting / content storage and distribution {{quotation |quote=content storage and distribution site |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }}
| bitcoin-funded securities dealer; CFD trading platform {{quotation |quote=bitcoin-funded securities dealer |context=[https://www.sec.gov/newsroom/press-releases/2018-218 SEC] }} {{quotation |quote=online trading platform |context=[https://www.cftc.gov/PressRoom/PressReleases/7809-18 CFTC] }} {{quotation |quote=contracts for difference |context=[https://www.cftc.gov/PressRoom/PressReleases/7809-18 CFTC] }}
| cryptocurrency mixer; unlicensed money transmitting business (according to U.S. Department of Justice) {{quotation |quote=a cryptocurrency mixer |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S.
Department of Justice] }} {{quotation |quote=an unlicensed money transmitting business |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | cryptocurrency mixer {{quotation |quote=a cryptocurrency mixer |context=[https://www.justice.gov/opa/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} | mobile and online digital games {{quotation |quote=develops, publishes, and distributes mobile and online digital games |context=[https://www.ftc.gov/system/files/documents/cases/192_3129_miniclip_complaint.pdf FTC complaint] }} |- ! Date case opened / announced | January 5, 2012 {{quotation |quote=on Jan. 5, 2012 |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | September 27, 2018 {{quotation |quote=September 27, 2018 |context=[https://www.cftc.gov/PressRoom/PressReleases/7809-18 CFTC] }} | April 24, 2024 {{quotation |quote=Wednesday, April 24, 2024 |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | August 23, 2023 {{quotation |quote=Wednesday, August 23, 2023 |context=[https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} | May 19, 2020 {{quotation |quote=May 19, 2020 |context=[https://www.ftc.gov/news-events/news/press-releases/2020/05/swiss-digital-game-developer-settles-ftc-allegations-it-falsely-claimed-it-was-member-coppa-safe FTC] }} |- ! 
Project / service name | Megaupload {{quotation |quote=MEGAUPLOAD LIMITED is the registered owner of Megaupload.com |context=[https://www.justice.gov/sites/default/files/usao-edva/legacy/2013/12/20/Certified%20Mega%20Superseding%20Indictment%20%282-16-2012%29.pdf U.S. Department of Justice] }} | 1Broker {{quotation |quote=1pool Ltd. a/k/a 1Broker |context=[https://www.sec.gov/news/press-release/2018-218 SEC] }} | Samourai Wallet {{quotation |quote=Samourai Wallet ("Samourai"), a cryptocurrency mixer |context=[https://www.justice.gov/usao-sdny/media/1349321/dl U.S. Department of Justice] }} | Tornado Cash {{quotation |quote=Tornado Cash, a cryptocurrency mixer |context=[https://www.justice.gov/opa/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} | Miniclip {{quotation |quote=Miniclip, S.A. |context=[https://www.ftc.gov/news-events/news/press-releases/2020/07/ftc-gives-final-approval-settlement-digital-game-maker FTC] }} |- ! Incorporated legal entity name | Megaupload Limited {{quotation |quote=Dotcom founded Megaupload Limited |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | 1pool Ltd. {{quotation |quote=Defendant 1Broker is a limited liability company registered as 1pool Ltd. |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf SEC] }} | | | Miniclip S.A. {{quotation |quote=Respondent Miniclip S.A. is a Swiss corporation |context=[https://www.ftc.gov/system/files/documents/cases/192_3129_miniclip_complaint.pdf FTC complaint] }} |- ! Targeted person | [https://en.wikipedia.org/wiki/Kim_Dotcom Kim Dotcom] | Patrick Brunner | William Lonergan Hill | Roman Semenov | - |- ! Non-U.S. 
citizenship / nationality | {{yes}}, German-Finnish {{quotation |quote=dual citizen of Finland and Germany |context=[https://www.justice.gov/sites/default/files/usao-edva/legacy/2013/12/20/Certified%20Mega%20Superseding%20Indictment%20%282-16-2012%29.pdf U.S. Department of Justice] }} | {{yes}}, Austrian {{quotation |quote=Patrick Brunner of Austria |context=[https://www.cftc.gov/PressRoom/PressReleases/7809-18 CFTC] }} | {{no}}, U.S. national {{quotation |quote=a U.S. national |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | {{yes}}, Russian {{quotation |quote=Roman Semenov, 49, of Russia |context=[https://www.justice.gov/opa/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} | unknown |- ! Non-U.S. residency of targeted person | {{yes}}, Hong Kong; New Zealand {{quotation |quote=a resident of both Hong Kong and New Zealand |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | {{yes}}, Austria {{quotation |quote=resides principally in Austria |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf SEC] }} | unknown | {{yes}}, Dubai, United Arab Emirates {{quotation |quote=Dubai, United Arab Emirates |context=[https://www.fbi.gov/wanted/wcc/roman-semenov/download.pdf FBI] }} | unknown |- ! Non-U.S. incorporated legal entity | {{yes}}, Hong Kong {{quotation |quote=MUL is a registered company in Hong Kong |context=[https://www.justice.gov/sites/default/files/usao-edva/legacy/2013/12/20/Certified%20Mega%20Superseding%20Indictment%20%282-16-2012%29.pdf U.S. Department of Justice] }} | {{yes}}, Republic of the Marshall Islands {{quotation |quote=registered as 1pool Ltd. 
in the Republic of the Marshall Islands |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf SEC] }} | unknown | unknown | {{yes}}, Switzerland {{quotation |quote=Swiss corporation with its principal office or place of business at 18 Faubourg de l’Hôpital, 2000 Neuchâtel, Switzerland |context=[https://www.ftc.gov/system/files/documents/cases/192_3129_miniclip_complaint.pdf FTC complaint] }} |- ! No users / customers based in USA | {{no}} {{quotation |quote=resident of Alexandria, Virginia |context=[https://www.justice.gov/sites/default/files/usao-edva/legacy/2013/12/20/Certified%20Mega%20Superseding%20Indictment%20%282-16-2012%29.pdf U.S. Department of Justice] }} | {{no}} {{quotation |quote=solicited investors from the United States |context=[https://www.sec.gov/news/press-release/2018-218 SEC] }} | {{no}} {{quotation |quote=customers located in the United States and in the Southern District of New York |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | {{no}} {{quotation |quote=The six plaintiffs-appellants are users of Tornado Cash. |context=[https://www.ca5.uscourts.gov/opinions/pub/23/23-50669-CV0.pdf U.S. Court of Appeals for the Fifth Circuit] }} | unknown |- ! Monetary figure in cited sources | alleged > $175 million criminal proceeds; alleged > $500 million harm {{quotation |quote=more than $175 million in criminal proceeds |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} {{quotation |quote=more than half a billion dollars in harm |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. 
Department of Justice] }} | $990,000 total case settlement {{quotation |quote=paying a total of $990,000 |context=[https://www.cftc.gov/PressRoom/PressReleases/7886-19 CFTC] }} | alleged > $2 billion unlawful transactions; alleged > $100 million criminal proceeds {{quotation |quote=executed over $2 billion in unlawful transactions |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} {{quotation |quote=laundered over $100 million in criminal proceeds |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | alleged > $1 billion criminal proceeds; alleged hundreds of millions for Lazarus Group {{quotation |quote=more than $1 billion in criminal proceeds |context=[https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} {{quotation |quote=hundreds of millions of dollars for the Lazarus Group |context=[https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} | - |- ! Asserted U.S. nexus / enforcement hook | U.S. users; Virginia servers {{quotation |quote=targeted sites where Megaupload has servers in Ashburn, Va. |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | U.S. investors; FBI agent in Texas / D.C. {{quotation |quote=U.S. investors traded the CFDs through 1broker.com |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf SEC] }} {{quotation |quote=acting in an undercover capacity |context=[https://www.sec.gov/files/litigation/complaints/2018/comp24330.pdf SEC] }} | U.S. 
customers; undercover agent in SDNY {{quotation |quote=customers located in the United States and in the Southern District of New York |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} {{quotation |quote=agent located in the Southern District of New York |context=[https://www.justice.gov/usao-sdny/media/1349321/dl U.S. Department of Justice] }} | U.S. users; victims in the United States; alleged sanctions violations; blocked property {{quotation |quote=The six plaintiffs-appellants are users of Tornado Cash. |context=[https://www.ca5.uscourts.gov/opinions/pub/23/23-50669-CV0.pdf U.S. Court of Appeals for the Fifth Circuit] }} {{quotation |quote=including those committed against victims in the United States |context=[https://home.treasury.gov/news/press-releases/jy0916 U.S. Department of the Treasury] }} {{quotation |quote=property and interests in property are blocked |context=[https://home.treasury.gov/news/press-releases/jy1702 U.S. Department of the Treasury] }} | alleged false claims of current participation in an FTC-approved COPPA safe harbor program; statements also available through apps {{quotation |quote=falsely claimed it was a current member of the Children’s Advertising Review Unit’s (CARU) COPPA safe harbor program |context=[https://www.ftc.gov/news-events/news/press-releases/2020/05/swiss-digital-game-developer-settles-ftc-allegations-it-falsely-claimed-it-was-member-coppa-safe FTC] }} {{quotation |quote=the Terms and Conditions also were available to users through the settings menu in Respondent’s apps |context=[https://www.ftc.gov/system/files/documents/cases/192_3129_miniclip_complaint.pdf FTC complaint] }} |- ! U.S. 
action taken | charged; extradition sought; assets seized; domains seized {{quotation |quote=seized approximately $50 million in assets |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} {{quotation |quote=ordered the seizure of 18 domain names associated with the alleged Mega conspiracy |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | sued by SEC and CFTC {{quotation |quote=filed charges against an international securities dealer and its Austria-based CEO |context=[https://www.sec.gov/news/press-release/2018-218 SEC] }} | charged; extradition sought {{quotation |quote=The United States will seek HILL's extradition |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | charged; sanctioned; arrest warrant {{quotation |quote=The DOJ charged Semenov and Storm |context=[https://home.treasury.gov/news/press-releases/jy1702 U.S. Department of the Treasury] }} {{quotation |quote=A federal arrest warrant was issued |context=[https://www.fbi.gov/wanted/wcc/roman-semenov FBI] }} | FTC complaint issued; consent agreement accepted; final order approved {{quotation |quote=The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with Miniclip |context=[https://www.ftc.gov/news-events/news/press-releases/2020/05/swiss-digital-game-developer-settles-ftc-allegations-it-falsely-claimed-it-was-member-coppa-safe FTC] }} {{quotation |quote=FTC Gives Final Approval to Settlement with Digital Game Maker |context=[https://www.ftc.gov/news-events/news/press-releases/2020/07/ftc-gives-final-approval-settlement-digital-game-maker FTC] }} |- ! 
Place of arrest | Auckland, New Zealand {{quotation |quote=arrested today in Auckland, New Zealand |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | - | Portugal {{quotation |quote=HILL was arrested this morning in Portugal |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | - | - |- ! Date last cited public update | September 10, 2025 {{quotation |quote=10 Sept 2025 |context=[https://www.courtsofnz.govt.nz/cases/dotcom-v-minister-of-justice- Courts of New Zealand] }} | March 11, 2019 {{quotation |quote=March 11, 2019 |context=[https://www.cftc.gov/PressRoom/PressReleases/7886-19 CFTC] }} | November 19, 2025 {{quotation |quote=Wednesday, November 19, 2025 |context=[https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-sentenced-five-and-four-years U.S. Department of Justice] }} | August 6, 2025 {{quotation |quote=Wednesday, August 6, 2025 |context=[https://www.justice.gov/usao-sdny/pr/founder-tornado-cash-crypto-mixing-service-convicted-knowingly-transmitting-criminal U.S. Department of Justice] }} | July 6, 2020 {{quotation |quote=July 6, 2020 |context=[https://www.ftc.gov/news-events/news/press-releases/2020/07/ftc-gives-final-approval-settlement-digital-game-maker FTC] }} |- ! Service / project consequence | sites targeted; 18 domains seized {{quotation |quote=ordered the seizure of 18 domain names |context=[https://www.justice.gov/archives/opa/pr/justice-department-charges-leaders-megaupload-widespread-online-copyright-infringement U.S. Department of Justice] }} | defendants permanently enjoined; U.S. customers repaid {{quotation |quote=permanently enjoins the defendants |context=[https://www.cftc.gov/PressRoom/PressReleases/7886-19 CFTC] }} {{quotation |quote=repaid to U.S. 
customers approximately 93 bitcoins |context=[https://www.cftc.gov/PressRoom/PressReleases/7886-19 CFTC] }} | closed for business; domain seized {{quotation |quote=seize their domain |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} {{quotation |quote=Samourai Wallet is now closed for business |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }} | sanctions removed; users still identified in later litigation {{quotation |quote=remove the economic sanctions against Tornado Cash |context=[https://home.treasury.gov/news/press-releases/sb0057 U.S. Department of the Treasury] }} {{quotation |quote=The six plaintiffs-appellants are users of Tornado Cash. |context=[https://www.ca5.uscourts.gov/opinions/pub/23/23-50669-CV0.pdf U.S. Court of Appeals for the Fifth Circuit] }} | order prohibits misrepresentations about participation in privacy programs {{quotation |quote=must not misrepresent |context=[https://www.ftc.gov/system/files/documents/cases/1923129c4722minicliporder.pdf FTC order] }} {{quotation |quote=Participation in or Compliance with Privacy Programs |context=[https://www.ftc.gov/system/files/documents/cases/1923129c4722minicliporder.pdf FTC order] }} |- ! Current status | judicial review declined {{quotation |quote=Application for judicial review declined |context=[https://www.courtsofnz.govt.nz/cases/dotcom-v-minister-of-justice- Courts of New Zealand] }} | settled {{quotation |quote=Consent Order |context=[https://www.cftc.gov/PressRoom/PressReleases/7886-19 CFTC] }} | pleaded guilty; sentenced {{quotation |quote=pled guilty |context=[https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-plead-guilty U.S. 
Department of Justice] }} {{quotation |quote=were respectively sentenced to five and four years in prison |context=[https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-sentenced-five-and-four-years U.S. Department of Justice] }} | co-founder convicted; Semenov remains at large; wanted {{quotation |quote=The defendant was found guilty following a four-week jury trial |context=[https://www.justice.gov/usao-sdny/pr/founder-tornado-cash-crypto-mixing-service-convicted-knowingly-transmitting-criminal U.S. Department of Justice] }} {{quotation |quote=SEMENOV remains at large |context=[https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations U.S. Department of Justice] }} {{quotation |quote=wanted |context=[https://www.fbi.gov/wanted/wcc/roman-semenov FBI] }} | final order approved {{quotation |quote=FTC Gives Final Approval to Settlement with Digital Game Maker |context=[https://www.ftc.gov/news-events/news/press-releases/2020/07/ftc-gives-final-approval-settlement-digital-game-maker FTC] }} |- ! Punishment / penalty | - | $990,000 total case settlement {{quotation |quote=paying a total of $990,000 |context=[https://www.cftc.gov/PressRoom/PressReleases/7886-19 CFTC] }} | 4 years; $250,000 fine {{quotation |quote=were respectively sentenced to five and four years in prison |context=[https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-sentenced-five-and-four-years U.S. Department of Justice] }} {{quotation |quote=each pay a fine of $250,000 |context=[https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-sentenced-five-and-four-years U.S. Department of Justice] }} | - | - |- |} === Legal Jurisdiction Comparison Table - Addendum === {{IntroLike| '''Addendum:''' This section clarifies how to interpret the Legal Jurisdiction Comparison Table. 
It defines what the yes / no markers and "unknown" mean, explains how "residency" is used in the table, and notes that entries are limited to what the cited sources establish. It also explains why the U.S.-nexus rows are included, since enforcement can be alleged even without U.S. citizenship, U.S. residence, or a U.S. company.
}}

* Yes / no markers: These answer only the narrow row question.
* Country and residence entries: These are jurisdiction facts only.
* Residency definition: In this table, "residency" means the place or places where the cited source describes the person as resident, residing, or listed with a residence-like location.
** Residency limits: It does not by itself prove immigration status, visa status, tax residence, or that the person had only one residence.
* Why these rows exist: These rows are included because many readers assume that no U.S. citizenship, no U.S. residence, and no U.S. company automatically shield a person or project from U.S. enforcement.
** Purpose: The table is meant to show that this assumption can still fail where a U.S. nexus is alleged.
* "unknown" meaning: "unknown" means the point was not established in the cited source.
* "project / service name" meaning: For Samourai Wallet and Tornado Cash, "project / service name" means the cited source describes a service or project name.
** Entity status: It does not by itself prove or disprove a separate incorporated legal entity.
* Why Samourai Wallet is included: Samourai Wallet is included mainly as an abroad arrest / extradition comparison row.
** Hill's status: Unlike the other highlighted rows, DOJ identifies Hill as "a U.S. national." {{quotation |quote=a U.S. national |context=[https://www.justice.gov/usao-sdny/pr/founders-and-ceo-cryptocurrency-mixing-service-arrested-and-charged-money-laundering U.S. Department of Justice] }}

Forum discussions:

* https://forums.whonix.org/t/coin-mixing-illegal-wallet-developers-arrested-blockchain-crypto-coinjoin/19742

=== Legal Compliance ===

Sometimes it is suggested that one should simply not comply with new laws impacting privacy; however, this is an unreasonable request. Most laws include an enforcement mechanism, although it can be selectively applied depending on government interests. Serious penalties apply if a law is not complied with, especially for repeat and continuous offenses. Penalties may include:

* imprisonment
* monetary fines
* for failure to pay monetary fines, the threat of asset seizure, imprisonment or worse

Law enforcement has incredibly long arms. In most cases there is no way to openly defy the law for an extended period and get away with it.

To a large degree, policy issues cannot be fixed only via technological means; they must be combined with peaceful resistance on a political level. Government policy is affected by popular opinion, and those who support privacy-enhancing technologies can help the cause by sharing their reasoned opinions with others. Casual supporters are also important to raise public awareness.

Even if privacy-hostile laws are in place, it might still be permitted to contribute Open Source code to Open Source projects. For example, perhaps only the person(s) redistributing binary builds to the public would be held personally accountable. This is pure speculation until a new draft law catastrophic to security software eventuates.

If {{project_name_short}} were ever forced to add a backdoor by law, users would be notified and the project would be shut down before the law took effect. Fortunately, as yet there are no outrageous law proposals that would force the continued running of backdoored projects. In that event, efforts might focus on a new Linux-based project centered on stability, reliability, documentation, recovery, and usability.

Forum discussion:

[https://forums.whonix.org/t/eu-wants-to-create-device-os-level-backdoor/10402 EU Wants To Create Device/OS Level Backdoor]

== Other Projects Discussing Trust ==

* Tails is a live CD or USB that aims to preserve privacy and anonymity - [https://tails.boum.org/doc/about/trust/index.en.html Tails about trust.]
* I2P (anonymizing network) has also discussed [https://geti2p.net/en/docs/how/threat-model#dev development attacks].
* [https://www.qubes-os.org/security/verifying-signatures/ Qubes OS: What digital signatures can and cannot prove]
* [https://hyper.to/blog/link/attack-scenarios-software-distribution/ Miron’s Weblog: Attack Scenarios on Software Distributions]
* A list of incidents concerning compromised servers: [https://web.archive.org/web/20160313141340/http://www.koch.ro/blog/index.php?/archives/153-On-distributing-binaries.html On distributing binaries]
* https://forum.qubes-os.org/t/qubes-os-could-be-honeypot/16180

= Footnotes =

{{reflist|close=1}}

= License =

{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]]