wiki:org/meetings/2019Stockholm/Notes/TorAppEcosystem

Tor Application Ecosystem Branding

How can we provide consistent branding for applications in the Tor ecosystem?

Facilitator(s): Nathan

Audience: Steph, Antonela, Isa?, Roger?, Pili?

Duration: 1 hour

Prep

Back in May Nathan and Fabiola from Guardian Project, Carrie and Tiffany from OkThanks and Steph and Pili from Tor Project had a call to discuss Tor brand usage in applications that use Tor in some way.

The purpose of the call was to align all of our efforts towards providing consistent branding family for applications that use tor and are somehow “endorsed" by the Tor Project. For example, there are currently a number of apps in the Apple Store that include Tor in the name and it can be hard for users to make an informed choice as to which apps are trustworthy and somehow “endorsed” by the Tor Project.

For example, we discussed the need for defining a set of requirements and criteria that applications would have to meet in order to be included in this “Tor applications ecosystem” as well as a common language for talking about privacy features within applications. Some ideas for criteria and requirements that came up for me from this discussion are:

  • If it’s using tor, this should be compiled using source code
  • Should be open source?
  • Should be developed by a Tor community member, e.g.
    • Someone we know
    • actively engaged in the community

Furthermore, when talking about a “Tor applications ecosystem” we should clearly define what it means for an app to be included in this ecosystem and also what it does not necessarily mean, e.g we’re not committing or saying that the application code has been audited by us.

We also spoke about a potential rating system, e.g level 1 - 5 to allow users to make some sort of value judgement on these apps. Another option could be some sort of feature/properties table, similar to the way matrix currently does this: https://matrix.org/docs/projects/clients-matrix, the idea being that we could list these somewhere on a Tor portal, e.g the new developer portal.

Another idea that was shared was the possibility of designing some sort of “Powered by Tor” or “Tor Community" badge (possibly with some sort of rating attached) for these apps that could be added to their website or GitHub repo and link out to a page explaining what this means exactly. Since we had this discussion I also had a thought about what should happen if we need to revoke the "badge”? How do we announce something like this?

Other thoughts around branding Guidelines for “Tor Ecosystem Applications”:

  • dos and don’ts, e.g can't put "powered by tor" unless…
  • can't use same colour scheme
  • differentiate core branding
  • Tor Browser icon
  • Should we have a common logo family for community apps ?

We briefly discussed Onion Browser and Orbot, and in particular where does Orbot fit in to all this and where should it live going forward e.g Tor Project Android account or Guardian Project Android account.

Notes from Dev Meeting

Tor App Ecosystem

Desktop Tor Browser OnionShare TAILS WHONIX Brave TorBirdy

Server STEM Globaleaks SecureDrop

Software STEM Tor.framework Netcipher Nix Tor Onion Proxy Library

Service Onions Protonmail Riseup

Mobile TBA Onion Browser - Tor Browser lite? Orbot Haven Cryptowallet Conversations XMPP Chatsecure - iOS

There's an awareness of Tor being a part of something, but not the brand, like Brave What if another browser comes along? How do we talk about these things broadly?

Common naming:

  • Onion in name
  • Powered by Tor

What is a good phrase or what's in use? Works with Tor Use with Tor Powered by Tor Tor Mode .. with Tor Super Private Browsing Uses Onion Routing Connects to the Tor Network

  • could conduct a survey to find out what these mean and in different languages

Consider: necessary disclosures and expectations How is DNS handled? Are there potential leaks? Trustworthy dev practice Transparency legal requests Ephemeral storage Onion service support Collaboration/official support Do users understand what beta software means

Who are you defending against? App, OS, ISP, country

  • we could use these in a matrix with other apps/software

When you go to DDG on onion, safe searching

Tor vs Tor Browser -- do users know the difference? Has always been a problem

Java had a built out way to deal with use, not that we need that exactly

How do developers express their connection to the tor community? how do they brand?

Historically Orbot called Tor for Android, now that there is TBA, need to change Less of a problem now that Orbot/Orfox not a browser -- now unblocking apps. Still need to address the considerations Because Tor main use is through browser, so biggest risk of misconception

Securedrop does not specifically mention Tor in most communications but may add to site if there were guidelines

  • determine boilerplate text

Levels of support? Tor Developed Tor Partnered Tor Affiliated

Why Tor? Why is Tor in your product?

  • max privacy - potential anonymity
  • bypass censorship (passive or active)
  • stop tracking
  • share and access onions
  • easy remote access -- dont want to buy an SSL cert for my port or I can't
  • free proxy

is it possible to get a grant related to this? evaluating and cataloguing ecosystem

create something similar to cc self evaluation do not have the capacity to verify and audit someone else hopefully audits but it is not tor's responsibility not sure this fits into the security considerations that tor requires tor browser protects against your machine being seized, nsa actors, ad tracking -- protecting against a whole lot of things that dont necessarily have something to do with each other, a person trying to evaluate would not know enough tor browser is an outlier, tries to do everything. the only other browser with tor in it doesn't do much of these things instead of prescribe, figure out what users think things mean instead of trying to force a pedagogy

but back to the problem of onion browser -- tor browser not possible but closest possible if something is called onion or tor whatever does that mean you trust it? onion browser goal to become a stronger brand

stronger trademark enforcement would be helpful

the tor naming problem: everything is tor firefox has separate names signal going all signal

better for developers not to wrap entire identity in tor

tor browser lite sounds fake onion browser needs own name name (powered by Tor)

badge could distinguish what security properties tor endorses -- but would that actually be useful for users?

could we have community developer meetups? so people who want to use the name came participate more easily

capacity to chase tor trademark violation an issue

securedrop offers consultant services - could Tor?

--- incorporate some of this into the development portal where projects will be listed

Last modified 2 months ago Last modified on Jul 19, 2019, 1:52:48 PM