From 9f6dc240eacf78fa5b0c446150ab785f3bc98068 Mon Sep 17 00:00:00 2001 From: yawnbox Date: Thu, 5 Sep 2024 20:59:02 +0200 Subject: [PATCH] Update site content --- blog/feed.xml | 2 +- blog/starting-a-human-rights-isp/index.html | 2 +- feed.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/blog/feed.xml b/blog/feed.xml index c73f414..d586400 100644 --- a/blog/feed.xml +++ b/blog/feed.xml @@ -15,7 +15,7 @@ <h1 id="introduction">Introduction<a class="zola-anchor" href="#introduction" aria-label="Anchor link for: introduction">#</a></h1> <p>This article was originally published on emeraldonion.org in 2017 and has been revamped in 2024. In addition, in 2018, yawnbox <a rel="noopener nofollow noreferrer" target="_blank" href="https://www.youtube.com/watch?v=cs6a1i4Owic">spoke at DEF CON 26</a> (YouTube link) about creating Emerald Onion. Please be aware that because Emerald Onion is a US-based not-for-profit, this guide is centered on US laws and programs. To date, we are aware of at least four human rights ISPs that have formed in part because of Emerald Onion's example. We are always excited to provide guidance to those interested.</p> <p>Part of Emerald Onion’s mission is to share our actions in detail in order to help educate others who wish to create their own human-rights focused transit internet service provider. We have a vision that entails many trusted nonprofits setting up and operating long-term, stable, and fast Tor routing operations. Below you will find a high level overview of tasks that we needed to complete in order to create Emerald Onion. As we develop, we will publish greater detail behind each action by linking to a related blog post or external resource.</p> -<h1 id="our-steps-that-we-took-to-create-emerald-onion">Our steps that we took to create Emerald Onion<a class="zola-anchor" href="#our-steps-that-we-took-to-create-emerald-onion" aria-label="Anchor link for: our-steps-that-we-took-to-create-emerald-onion">#</a></h1> +<h1 id="the-steps-we-took-to-create-emerald-onion">The steps we took to create Emerald Onion<a class="zola-anchor" href="#the-steps-we-took-to-create-emerald-onion" aria-label="Anchor link for: the-steps-we-took-to-create-emerald-onion">#</a></h1> <h2 id="founding">Founding<a class="zola-anchor" href="#founding" aria-label="Anchor link for: founding">#</a></h2> <ol> <li> diff --git a/blog/starting-a-human-rights-isp/index.html b/blog/starting-a-human-rights-isp/index.html index 9dc6a1f..0366b7b 100644 --- a/blog/starting-a-human-rights-isp/index.html +++ b/blog/starting-a-human-rights-isp/index.html @@ -1 +1 @@ -Guide to Starting a Human Rights ISP

Guide to Starting a Human Rights ISP

2024-09-05

Introduction#

This article was originally published on emeraldonion.org in 2017 and has been revamped in 2024. In addition, in 2018, yawnbox spoke at DEF CON 26 (YouTube link) about creating Emerald Onion. Please be aware that because Emerald Onion is a US-based not-for-profit, this guide is centered on US laws and programs. To date, we are aware of at least four human rights ISPs that have formed in part because of Emerald Onion's example. We are always excited to provide guidance to those interested.

Part of Emerald Onion’s mission is to share our actions in detail in order to help educate others who wish to create their own human-rights focused transit internet service provider. We have a vision that entails many trusted nonprofits setting up and operating long-term, stable, and fast Tor routing operations. Below you will find a high level overview of tasks that we needed to complete in order to create Emerald Onion. As we develop, we will publish greater detail behind each action by linking to a related blog post or external resource.

Our steps that we took to create Emerald Onion#

Founding#

  1. Invite meaningful and trusted people for the board of directors, executive leadership, and advisory board.

  2. Create a mission and vision statements, and organizational goals.

  3. Setup a password manager for generating and documenting organizational passwords.

  4. Purchase a domain name, setup the website, and setup social media accounts.

  5. Setup Microsoft hosted email service for admin@ and abuse@ inboxes. Once you become a 501(c)3, Microsoft provides free enterprise services for not-for-profits.

2024 note: After much research, we found that Google email does not allow domain admins to have access to admin@ and abuse@ email addresses. We presume because Google wants to be able to perform their own conotrols over what comes into these email addresses. It's critical for Tor relay operators to have access to these email addresses, and use them to their fullest extent. If you're up to the challenge, self-hosted email can work great (with proper SPF, DMARC, DKIM, and DNSSEC/DANE configurations) with open source solutions such as MailCow.

  1. Setup a UPS Store mailbox for registration (your primary “place of business” address) and find Registered Agent services for your registered agent. A legitimate Registered Agent is required in the State of Washington.

2024 note: Since 2024, and since more than one of our Board of Director members lives abroad, we've since moved to Legal Zoom's mail scanning service so we can be responsive to US government legal demands that get send my mail.

  1. Establish Articles of Incorporation. Our articles were drafted with the help of our attorney, and they merge both (at the time) Washington state requirements and IRS requirements.

  2. Apply for Washington State nonprofit status. Be sure to use your Registered Agents and also your mail receiving or mail forwarding service as your "place of business", unless of course you have a physical office somewhere.

2024 note: Even before this step, but certainly after, be sure to conduct B2B communications with your business email and phone number.

  1. Begin contacting local data center service providers and upstream internet service providers that offer their services in said data center.

2024 notes:

  • Picking up "the language" of data centers and internet service providers has its own learning curve. First and foremost, you need data center co-location: a place to rack your servers and network gear. Colo service requests include but are not limited to, the amount of physical "U space" that you need for your servers, like a half-rack, quarter-rack, or shared space. We disadvise shared rack space because Tor relays should be behind lock and key. Colo requests also need to know how much power in amps you expect to need. Secondly, you need IP transit, which is your organization's general internet access. Some colo providers offer their own "mixed network" transit, which means they blend multiple Tier-1 ISPs together to offer cheaper transit. Otherwise, you need to seek out Tier-1 or Tier-2 transit ISPs, and the cheaper the better. Tor relays can saturate bandwidth easily, so it may be important to seek "unmetered" or "fully commited" 1Gbps or 10Gbps ports. Otherwise, "95th percentile" 10Gbps will be cheaper and allow you to burst up to 10Gbps. Getting your own IP transit, in other words not provided by the colo provider, may require "cross connects", which usually cost money. A cross-connect is simply the service of the data center seting up then maintaining the physical copper or fiber connection from your rack to your upstream ISP. Lastly, you may need, and should seek out, access to Internet Exchange Points (IXP). Expect cross-connects to IXPs, but some colo providers may provide free cross-connects to local IXPs, be sure to ask about free or reduced cross-connects.

  • Again and again, data center and transit ISPs have extremely little empathy for not-for-profits like Emerald Onion. They do not care that we are 100% volunteer run and 100% donation-based. They certainly don't care about Tor when you are bringing your own ASN and IP space. The internet infrastructure ecosystem is for-profit.

  • To date, we've found that Huricane Electric's FMT2 datacenter is the cheapest unmetered 10Gbps transit that we can find. We have also found many regional co-ops exist, but rarely do they support 10Gbps transit, or more. Most critically, it's important to find solutions that minimize recurring fees. One-time setup fees, for things like cross-connects, are the kinds of things to ask for, or kindly request to waive or reduce recurring costs.

  • Are you going to have your own BGP-capable edge router? and will you announce your own ASN and IP space to the rest of the internet? If not, and you want your upsteam ISP to do this for you, then you need to be clear about this in your service request. You'll need to ask them for a Letter of Authorization.

  • Be mindful about the opportunities that IXPs provide.

  1. Apply for Employer Identification Number (EIN/TIN) from IRS, even without paid employees.

  2. Apply for a business bank account with a local nonprofit credit union and obtain debit cards.

  3. Apply for 501(c)3 status using the 1023-EZ (See our 2017 1023-EZ).

Establishing#

  1. Once your Charity status has been granted by the IRS, sign up the org for PayPal’s Nonprofit services.

2024 note: Paypal has been instrumental for us to receive funding. Both direct from people, but also to fasciliate corporate donations. Paypal waives all fees for 501(c)(3) not-for-profits, meaning we get 100% of a person's donation. One weird potentially odd thing about this setup is that Paypal's not-for-profit org is the entity that people give a donation to, and that org simply forwards 100% of the donation to Emerald Onion. To donation/tax receipts will appear to be Paypal.

  1. Apply for nonprofit startup grants when available.

2024 note: We were very fortunate to be provided a $5,000 startup grant by the then TorServers.net. We would not have been able to launch without this initial funding.

  1. Setup a phone call with chosen legal representation to discuss optional support. The EFF may be an option. If seeking private practice, request a quote to create a general legal FAQ and abuse response templates for managing complaints from our upstream ISP and direct complaints. Feel free to start with our free Legal FAQ. If needing paid legal support, request a “Form Engagement Letter” from legal representation.

2024 note: Our Legal FAQ has been a foundational element for our sustained legal safety. We use this exact template in our email autoresponses via ZenDesk, and anytime we are emailed by government law enforcement officials, we link them to our public Legal FAQ.

  1. Deposit enough funds into the business bank account. This may include: several months of business insurance, data center services including IP transit services, legal services, all RIR (like ARIN) registration and IP allocation costs, and hardware costs.

  2. Purchase computer and networking parts for a Tor router and edge router.

  3. Setup a Zendesk free trial for testing, tracking, and responding to abuse@ communications, and set up automated responses with the Legal FAQ.

  4. Create ARIN POC records for your organization, which will also depend on personal records.

2024 note: When setting up POC records, be very sure to use the businesses's receiving/forwarding mail service address. We did not use our Registered Agent address with our POC records since we want to minimize who has access to government legal demands.

  1. Setup insurance provider(s) needed for data center co-location service, including “commercial general liability”, “business property protection”, and “professional liability” insurance.

2024 note: We use The Hardtford, and have since day one.

  1. Finalize negotiating all fees with your data center and IP transit service (upstream ISP) providers and then sign contracts. The transit provider needs to perform an IP SWIP for updating ARIN’s WHOIS so that your organization is on record for using leased IP space. Once you have your upstream ISP-provided IP addresses, now you can apply for your own ASN and your own IP space.

  2. Apply to ARIN (or your RIR) for your organization's Autonomous Systems Number (ASN) and then an /48 or /32 IPv6 block. It's important to get IP space in this order. Understand ARIN's 4.10 rule for obtaining a free /24 IPv4 block. Once you have obtained an ASN and IPv6 block, apply for a free /24 IPv4 block using ARIN's 4.10 rule.

2024 note: Emerald Onion pays an annual fee of $250 for our ASN and $250 for our /48 IPv6 block. Back in 2017, we applied for our first 4.10 IPv4 block with success by explaining how Tor needs more IPv6 relays in order to eventually allow IPv6-only relays. So in order to facilitate more IPv6 in the Tor network, operators such as Emerald Onion needs "immediate" access to an IPv4 block. A few years later, since Emerald Onion now has multiple POPs, we successfully obtained a second /24 IPv4 block using the same 4.10 rule. So, our IPv4 blocks are free and perpetual.

Deploying#

  1. Publish a donation page, legal FAQ, mission, and vision statements on the website.

  2. Deploy your gear in your new data center. Only run Tor bridges or Tor middle relays until securing and configuring RIR-provisioned IP scopes so that you don't cause a legal headache for your transit provider.

2024 note: When configuring operating systems and applications, be sure to minimize or avoid any network logging, and be transparent about that on your published Legal FAQ. Never operate out-of-scope of your Legal FAQ.

  1. Actively publish work performed on social media and the blog. We recommend Mastodon!
\ No newline at end of file +Guide to Starting a Human Rights ISP

Guide to Starting a Human Rights ISP

2024-09-05

Introduction#

This article was originally published on emeraldonion.org in 2017 and has been revamped in 2024. In addition, in 2018, yawnbox spoke at DEF CON 26 (YouTube link) about creating Emerald Onion. Please be aware that because Emerald Onion is a US-based not-for-profit, this guide is centered on US laws and programs. To date, we are aware of at least four human rights ISPs that have formed in part because of Emerald Onion's example. We are always excited to provide guidance to those interested.

Part of Emerald Onion’s mission is to share our actions in detail in order to help educate others who wish to create their own human-rights focused transit internet service provider. We have a vision that entails many trusted nonprofits setting up and operating long-term, stable, and fast Tor routing operations. Below you will find a high level overview of tasks that we needed to complete in order to create Emerald Onion. As we develop, we will publish greater detail behind each action by linking to a related blog post or external resource.

The steps we took to create Emerald Onion#

Founding#

  1. Invite meaningful and trusted people for the board of directors, executive leadership, and advisory board.

  2. Create a mission and vision statements, and organizational goals.

  3. Setup a password manager for generating and documenting organizational passwords.

  4. Purchase a domain name, setup the website, and setup social media accounts.

  5. Setup Microsoft hosted email service for admin@ and abuse@ inboxes. Once you become a 501(c)3, Microsoft provides free enterprise services for not-for-profits.

2024 note: After much research, we found that Google email does not allow domain admins to have access to admin@ and abuse@ email addresses. We presume because Google wants to be able to perform their own conotrols over what comes into these email addresses. It's critical for Tor relay operators to have access to these email addresses, and use them to their fullest extent. If you're up to the challenge, self-hosted email can work great (with proper SPF, DMARC, DKIM, and DNSSEC/DANE configurations) with open source solutions such as MailCow.

  1. Setup a UPS Store mailbox for registration (your primary “place of business” address) and find Registered Agent services for your registered agent. A legitimate Registered Agent is required in the State of Washington.

2024 note: Since 2024, and since more than one of our Board of Director members lives abroad, we've since moved to Legal Zoom's mail scanning service so we can be responsive to US government legal demands that get send my mail.

  1. Establish Articles of Incorporation. Our articles were drafted with the help of our attorney, and they merge both (at the time) Washington state requirements and IRS requirements.

  2. Apply for Washington State nonprofit status. Be sure to use your Registered Agents and also your mail receiving or mail forwarding service as your "place of business", unless of course you have a physical office somewhere.

2024 note: Even before this step, but certainly after, be sure to conduct B2B communications with your business email and phone number.

  1. Begin contacting local data center service providers and upstream internet service providers that offer their services in said data center.

2024 notes:

  • Picking up "the language" of data centers and internet service providers has its own learning curve. First and foremost, you need data center co-location: a place to rack your servers and network gear. Colo service requests include but are not limited to, the amount of physical "U space" that you need for your servers, like a half-rack, quarter-rack, or shared space. We disadvise shared rack space because Tor relays should be behind lock and key. Colo requests also need to know how much power in amps you expect to need. Secondly, you need IP transit, which is your organization's general internet access. Some colo providers offer their own "mixed network" transit, which means they blend multiple Tier-1 ISPs together to offer cheaper transit. Otherwise, you need to seek out Tier-1 or Tier-2 transit ISPs, and the cheaper the better. Tor relays can saturate bandwidth easily, so it may be important to seek "unmetered" or "fully commited" 1Gbps or 10Gbps ports. Otherwise, "95th percentile" 10Gbps will be cheaper and allow you to burst up to 10Gbps. Getting your own IP transit, in other words not provided by the colo provider, may require "cross connects", which usually cost money. A cross-connect is simply the service of the data center seting up then maintaining the physical copper or fiber connection from your rack to your upstream ISP. Lastly, you may need, and should seek out, access to Internet Exchange Points (IXP). Expect cross-connects to IXPs, but some colo providers may provide free cross-connects to local IXPs, be sure to ask about free or reduced cross-connects.

  • Again and again, data center and transit ISPs have extremely little empathy for not-for-profits like Emerald Onion. They do not care that we are 100% volunteer run and 100% donation-based. They certainly don't care about Tor when you are bringing your own ASN and IP space. The internet infrastructure ecosystem is for-profit.

  • To date, we've found that Huricane Electric's FMT2 datacenter is the cheapest unmetered 10Gbps transit that we can find. We have also found many regional co-ops exist, but rarely do they support 10Gbps transit, or more. Most critically, it's important to find solutions that minimize recurring fees. One-time setup fees, for things like cross-connects, are the kinds of things to ask for, or kindly request to waive or reduce recurring costs.

  • Are you going to have your own BGP-capable edge router? and will you announce your own ASN and IP space to the rest of the internet? If not, and you want your upsteam ISP to do this for you, then you need to be clear about this in your service request. You'll need to ask them for a Letter of Authorization.

  • Be mindful about the opportunities that IXPs provide.

  1. Apply for Employer Identification Number (EIN/TIN) from IRS, even without paid employees.

  2. Apply for a business bank account with a local nonprofit credit union and obtain debit cards.

  3. Apply for 501(c)3 status using the 1023-EZ (See our 2017 1023-EZ).

Establishing#

  1. Once your Charity status has been granted by the IRS, sign up the org for PayPal’s Nonprofit services.

2024 note: Paypal has been instrumental for us to receive funding. Both direct from people, but also to fasciliate corporate donations. Paypal waives all fees for 501(c)(3) not-for-profits, meaning we get 100% of a person's donation. One weird potentially odd thing about this setup is that Paypal's not-for-profit org is the entity that people give a donation to, and that org simply forwards 100% of the donation to Emerald Onion. To donation/tax receipts will appear to be Paypal.

  1. Apply for nonprofit startup grants when available.

2024 note: We were very fortunate to be provided a $5,000 startup grant by the then TorServers.net. We would not have been able to launch without this initial funding.

  1. Setup a phone call with chosen legal representation to discuss optional support. The EFF may be an option. If seeking private practice, request a quote to create a general legal FAQ and abuse response templates for managing complaints from our upstream ISP and direct complaints. Feel free to start with our free Legal FAQ. If needing paid legal support, request a “Form Engagement Letter” from legal representation.

2024 note: Our Legal FAQ has been a foundational element for our sustained legal safety. We use this exact template in our email autoresponses via ZenDesk, and anytime we are emailed by government law enforcement officials, we link them to our public Legal FAQ.

  1. Deposit enough funds into the business bank account. This may include: several months of business insurance, data center services including IP transit services, legal services, all RIR (like ARIN) registration and IP allocation costs, and hardware costs.

  2. Purchase computer and networking parts for a Tor router and edge router.

  3. Setup a Zendesk free trial for testing, tracking, and responding to abuse@ communications, and set up automated responses with the Legal FAQ.

  4. Create ARIN POC records for your organization, which will also depend on personal records.

2024 note: When setting up POC records, be very sure to use the businesses's receiving/forwarding mail service address. We did not use our Registered Agent address with our POC records since we want to minimize who has access to government legal demands.

  1. Setup insurance provider(s) needed for data center co-location service, including “commercial general liability”, “business property protection”, and “professional liability” insurance.

2024 note: We use The Hardtford, and have since day one.

  1. Finalize negotiating all fees with your data center and IP transit service (upstream ISP) providers and then sign contracts. The transit provider needs to perform an IP SWIP for updating ARIN’s WHOIS so that your organization is on record for using leased IP space. Once you have your upstream ISP-provided IP addresses, now you can apply for your own ASN and your own IP space.

  2. Apply to ARIN (or your RIR) for your organization's Autonomous Systems Number (ASN) and then an /48 or /32 IPv6 block. It's important to get IP space in this order. Understand ARIN's 4.10 rule for obtaining a free /24 IPv4 block. Once you have obtained an ASN and IPv6 block, apply for a free /24 IPv4 block using ARIN's 4.10 rule.

2024 note: Emerald Onion pays an annual fee of $250 for our ASN and $250 for our /48 IPv6 block. Back in 2017, we applied for our first 4.10 IPv4 block with success by explaining how Tor needs more IPv6 relays in order to eventually allow IPv6-only relays. So in order to facilitate more IPv6 in the Tor network, operators such as Emerald Onion needs "immediate" access to an IPv4 block. A few years later, since Emerald Onion now has multiple POPs, we successfully obtained a second /24 IPv4 block using the same 4.10 rule. So, our IPv4 blocks are free and perpetual.

Deploying#

  1. Publish a donation page, legal FAQ, mission, and vision statements on the website.

  2. Deploy your gear in your new data center. Only run Tor bridges or Tor middle relays until securing and configuring RIR-provisioned IP scopes so that you don't cause a legal headache for your transit provider.

2024 note: When configuring operating systems and applications, be sure to minimize or avoid any network logging, and be transparent about that on your published Legal FAQ. Never operate out-of-scope of your Legal FAQ.

  1. Actively publish work performed on social media and the blog. We recommend Mastodon!
\ No newline at end of file diff --git a/feed.xml b/feed.xml index 01b4a39..9765819 100644 --- a/feed.xml +++ b/feed.xml @@ -15,7 +15,7 @@ <h1 id="introduction">Introduction<a class="zola-anchor" href="#introduction" aria-label="Anchor link for: introduction">#</a></h1> <p>This article was originally published on emeraldonion.org in 2017 and has been revamped in 2024. In addition, in 2018, yawnbox <a rel="noopener nofollow noreferrer" target="_blank" href="https://www.youtube.com/watch?v=cs6a1i4Owic">spoke at DEF CON 26</a> (YouTube link) about creating Emerald Onion. Please be aware that because Emerald Onion is a US-based not-for-profit, this guide is centered on US laws and programs. To date, we are aware of at least four human rights ISPs that have formed in part because of Emerald Onion's example. We are always excited to provide guidance to those interested.</p> <p>Part of Emerald Onion’s mission is to share our actions in detail in order to help educate others who wish to create their own human-rights focused transit internet service provider. We have a vision that entails many trusted nonprofits setting up and operating long-term, stable, and fast Tor routing operations. Below you will find a high level overview of tasks that we needed to complete in order to create Emerald Onion. As we develop, we will publish greater detail behind each action by linking to a related blog post or external resource.</p> -<h1 id="our-steps-that-we-took-to-create-emerald-onion">Our steps that we took to create Emerald Onion<a class="zola-anchor" href="#our-steps-that-we-took-to-create-emerald-onion" aria-label="Anchor link for: our-steps-that-we-took-to-create-emerald-onion">#</a></h1> +<h1 id="the-steps-we-took-to-create-emerald-onion">The steps we took to create Emerald Onion<a class="zola-anchor" href="#the-steps-we-took-to-create-emerald-onion" aria-label="Anchor link for: the-steps-we-took-to-create-emerald-onion">#</a></h1> <h2 id="founding">Founding<a class="zola-anchor" href="#founding" aria-label="Anchor link for: founding">#</a></h2> <ol> <li>