Emerald Onion

a self-hosted write freely blog

By yawnbox

Introduction and Vision

Emerald Onion has been online for 8.5 years and in that time we have remained sustainable and uncompromising. It hasn't always been easy, but thanks to our community of supporters and volunteers, I think we've helped prove that a grassroots, human rights, privacy infrastructure nonprofit is viable.

Leading up to the formation of Emerald Onion, it took me a couple of years of thinking and discussing my ideas with other like-minded folks before taking the plunge, including discussions I had during my brief time at The Tor Project. A few years after creating Emerald Onion, I began thinking about how I could help bring about even greater change for the Tor community. I strongly agree with The Tor Project that there is a huge need for diversification of the Tor network, and for expansion to countries below Earth's equator.

I'm a white, male-identifying privileged person, even while having grown up poor, having multiple cognitive disabilities, and being queer. I deeply value ethics and I have fears of overstepping the boundaries of others, including cultural boundaries. I fear repeating any number of mistakes made by my imperialist home country. For example, I've thought a lot about what it would mean for an American to operate Tor relays in a country where I don't even know the local language. What I keep having to remind myself of are two primary ideas: 1) that diversity is inclusive, and 2) that my intentions are to respect, support, and lift up the community that I want to engage with. My intentions are to teach, learn, and participate.

I have a vision of establishing a coalition of trusted Tor relay operators from around the world and of deploying and maintaining a long-term point of presence (POP) in Central or South America for not-for-profit privacy infrastructure. I wish to establish this new organization within a foreign municipality so that we deeply understand the local legal customs, limits, and risks, can operate safely, and can teach everyone about those risks. I want to run more Tor exit, middle, and bridge relays, hosted collectively, and, as with Emerald Onion, teach people in that region about this work, with the aim of sprouting even more local nonprofit privacy infrastructure operators.

Traditionally, Tor operators are not supposed to have access to other Tor operators' infrastructure. However, for this limited organization, I am proposing shared resources and shared access to this shared POP, and through careful security, privacy, and transparency mechanisms, I believe we can maintain trust with the Tor community and with the public. Related to this topic, there are two highly related ethical issues that I have with the Tor community that I wish to challenge:

1) The Tor network is hyper-centralized in western Europe. This has to change. Given the realities of our world, the cost of IP transit is what attracts people to host relays in Europe. This is highly problematic for at least two reasons:

1a) The Tor network needs to work together to decentralize. Western Europe is made up of governments and intelligence agencies that like to work together. I don't blame them, but that cooperation is an existential risk to a human rights privacy network like Tor. Personal privacy and security will forever be an “arms race,” and de-anonymization is always a risk no matter how intelligent the protocol. Centralizing a multi-hop network where, probabilistically, all of those hops are in countries that are working together is an objective risk.

1b) I don't like to have to be an alarmist, but, working as a senior cybersecurity engineer for many years, it sort of comes naturally to me. I believe that the Russian oligarchy, not to be confused with the incredible people of Russia, is a legitimate threat to Europe and to western democracies. What happens if war breaks out between Russia and Europe? How will that impact Tor, and Tor users globally? How many European datacenters are going to stay online? How many courageous individuals who run Tor relays in Europe are going to keep paying for their relays to continue running? Even if it's not the Russian oligarchs, the Tor operators of Europe have to realize that we need to do more to get more relays in more places around the world despite the cost of IP transit in those places.

2) I've been running Tor relays for 15 years. I see many individuals step up and run relays by themselves. They are courageous people who want to help the world in a small but meaningful way, which is incredible. What I see less of is people coming together to form organizations that further reduce certain financial and legal risks of running relays, thus creating greater network sustainability and resiliency. What I see even less of, among the few organizations that have been established to run privacy infrastructure, is those organizations working together to be a catalyst for even greater network resiliency.

My vision of this new Central or South American organization is not to stop at being a sustainable org and say “we did a good job”. Just like with Emerald Onion, it's just the beginning. We need to actively teach more people in those regions about relay operations, about privacy and anonymity infrastructure, about decentralized technology, and about the legal issues of these things. We need to create and become part of communities in those regions. We need to grow the Tor community together through new partnerships. We need to become more aware of what is happening politically in those places because we all know about the threats to similar tech like end-to-end encryption, and what losing access to that tech in one country would mean for everyone globally.

Did you know that Brazil essentially adopted the European GDPR? It's called the Lei Geral de Proteção de Dados Pessoais in Portuguese, or LGPD. This is one reason, for me, why establishing a Brazilian nonprofit is a good idea, because, as a European data protection law student, I already have a general understanding of privacy law in Brazil.

Goals

  1. Identify trusted relay operators who would like to contribute time, skill, money, and other resources.

  2. Narrow down to a select country that has decent free speech, privacy, or other related laws. Known options include Brazil, Chile, Costa Rica, or Uruguay.

  3. Narrow down to a select country that supports establishing as a nonprofit made up of (mostly? all?) foreign nationals.

  4. Identify possible co-location options after establishing an agreed upon list of functional requirements. Functional requirements might include: an isolated quarter rack (10U) or less that can be locked, and a provider allowing the installation of at least one IP camera on one or both sides of the rack. 1Gbps to start with.

  5. Establish as a regional legal entity, ideally as a non-profit. Establish a local bank account that is also shared and owned by this new legal entity.

  6. Identify possible local partnerships: human rights orgs, legal orgs, university orgs, and/or hacker orgs to partner with.

  7. Openly talk about our plans and operations in order to teach others how to do it safely and as cheaply and sustainably as possible. The long-term goal is to fill South/Central America with Tor relays by many operators.

Resources

  1. Emerald Onion can contribute 23.190.144.0/24 for exit relays.
  2. Anonymous can contribute 3 x IPv4 /24 subnets for guard and middle relays.

Help

I need your help. Are you an existing relay operator that can help out? Are you a private person who can donate IP subnets, hardware, or money? Please get in touch. Signal: yawnbox.01

Thank you!

This is a test blog post now that Write Freely is deployed.

Introduction

This article was originally published on emeraldonion.org in 2017 and has been revamped in 2024. In addition, in 2018, yawnbox spoke at DEF CON 26 (YouTube link) about creating Emerald Onion. Please be aware that because Emerald Onion is a US-based not-for-profit, this guide is centered on US laws and programs. To date, we are aware of at least four human rights ISPs that have formed in part because of Emerald Onion's example. We are always excited to provide guidance to those interested. But we are not the first nonprofit to do this in the US! Our inspiration was RiseUp and The Calyx Institute.

Part of Emerald Onion’s mission is to share our actions in detail in order to help educate others who wish to create their own human-rights focused transit internet service provider. We have a vision that entails many trusted nonprofits setting up and operating long-term, stable, and fast Tor routing operations. Below you will find a robust overview of tasks performed to create Emerald Onion.

The steps we took to create Emerald Onion

Founding

  1. Invite meaningful and trusted people for the board of directors, executive leadership, and advisory board.

  2. Create a mission and vision statements, and organizational goals.

  3. Set up a password manager for generating and documenting organizational passwords.

  4. Purchase a domain name, set up the website, and set up social media accounts.

  5. Set up Microsoft hosted email service for admin@ and abuse@ inboxes. Once you become a 501(c)(3), Microsoft provides free enterprise services for not-for-profits. After much research, we found that Google email does not allow domain admins to have access to admin@ and abuse@ email addresses. We presume this is because Google wants to be able to perform their own controls over what comes into these email addresses. It's critical for Tor relay operators to have access to these email addresses, and to use them to their fullest extent. If you're up to the challenge, self-hosted email can work great (with proper SPF, DMARC, DKIM, and DNSSEC/DANE configurations) with open source solutions such as MailCow.

  6. Set up a UPS Store mailbox for registration (your primary “place of business” address) and find Registered Agent services for your registered agent. A legitimate Registered Agent is required in the State of Washington. Since 2024, because more than one of our Board of Directors members lives abroad, we've moved to Legal Zoom's mail scanning service so we can be responsive to US government legal demands that get sent by mail.

  7. Establish Articles of Incorporation. Our articles were drafted with the help of our attorney, and they merge both (at the time) Washington state requirements and IRS requirements.

  8. Apply for Washington State nonprofit status. Be sure to use your Registered Agents and also your mail receiving or mail forwarding service as your “place of business”, unless of course you have a physical office somewhere. Even before this step, but certainly after, be sure to conduct B2B communications with your business email and phone number.

  9. Begin contacting local data center service providers and upstream internet service providers that offer their services in said data center. Picking up “the language” of data centers and internet service providers has its own learning curve.

  • You need data center co-location: a place to rack your servers and network gear. Colo service requests include, but are not limited to, the amount of physical “U space” that you need for your servers, like a half-rack, quarter-rack, or shared space. We advise against shared rack space because Tor relays should be behind lock and key. Colo providers also need to know how much power, in amps, you expect to need.

  • You need IP transit, which is your organization's general internet access. Some colo providers offer their own “mixed network” transit, which means they blend multiple Tier-1 ISPs together to offer cheaper transit. Otherwise, you need to seek out Tier-1 or Tier-2 transit ISPs, and the cheaper the better. Tor relays can saturate bandwidth easily, so it may be important to seek “unmetered” or “fully committed” 1Gbps or 10Gbps ports. Otherwise, “95th percentile” 10Gbps will be cheaper and allow you to burst up to 10Gbps. Getting your own IP transit, in other words transit not provided by the colo provider, may require “cross connects”, which usually cost money. A cross-connect is simply the service of the data center setting up and then maintaining the physical copper or fiber connection from your rack to your upstream ISP.

  • You may need, and should seek out, access to Internet Exchange Points (IXPs). Expect cross-connects to IXPs to cost money, but some colo providers offer free cross-connects to local IXPs, so be sure to ask about free or reduced-cost cross-connects.

  • Again and again, we found that data centers and transit ISPs have extremely little empathy for not-for-profits like Emerald Onion. They do not care that we are 100% volunteer run and 100% donation-based. They certainly don't care about Tor when you are bringing your own ASN and IP space. The internet infrastructure ecosystem is for-profit, so don't get discouraged when your kind requests are not supported.

  • To date, we've found that Hurricane Electric's FMT2 datacenter is the cheapest unmetered 10Gbps transit that we can find. We have also found that many regional co-ops exist, but rarely do they support 10Gbps transit or more. Most critically, it's important to find solutions that minimize recurring fees. One-time setup fees, for things like cross-connects, are worth asking for in place of recurring costs; you can also kindly request that recurring costs be waived or reduced.

  • Are you going to have your own BGP-capable edge router, and will you announce your own ASN and IP space to the rest of the internet? If not, and you want your upstream ISP to do this for you, then you need to be clear about this in your service request. You'll need to ask them for a Letter of Authorization.

  • Be mindful about the opportunities that IXPs provide.

  10. Apply for an Employer Identification Number (EIN/TIN) from the IRS, even without paid employees.

  11. Apply for a business bank account with a local nonprofit credit union and obtain debit cards. In the US, a state nonprofit corporation only needs to provide the business name, contact information, the EIN, and the state registration of the corporation that shows the Unified Business Identifier (UBI).

  12. Apply to the IRS for 501(c)(3) status using the 1023-EZ. You can see our 2017 1023-EZ. The 1023-EZ route is prudent for small nonprofits. As long as you plan on making less than $50,000 a year, which we have done every single year, this is the quickest and easiest path to 501(c)(3) public charity status. A lawyer is not needed! From then on, every year, the only tax filing that is required at the IRS level is the 990-N postcard, simply attesting to the fact that Emerald Onion has not made more than $50,000 in the taxable year. It's very manageable for a small volunteer group.

Establishing

  1. Once your charity status has been granted by the IRS, sign up the org for PayPal's Nonprofit services. PayPal has been instrumental for us to receive funding, both directly from people and to facilitate corporate donations. PayPal waives all fees for 501(c)(3) not-for-profits, meaning we get 100% of a person's donation. One potentially odd thing about this setup is that PayPal's not-for-profit org is the entity that people give a donation to, and that org simply forwards 100% of the donation to Emerald Onion. So donation/tax receipts will appear to come from PayPal.

  2. Apply for nonprofit startup grants when available. We were very fortunate to be provided a $5,000 startup grant by the then TorServers.net. We would not have been able to launch without this initial funding.

  3. Set up a phone call with chosen legal representation to discuss optional support. The EFF may be an option. If seeking private practice, request a quote to create a general legal FAQ and abuse response templates for managing complaints from your upstream ISP and direct complaints. Feel free to start with our free Legal FAQ. If needing paid legal support, request a “Form Engagement Letter” from legal representation. Our Legal FAQ has been a foundational element of our sustained legal safety. We use this exact template in our email autoresponses via Zendesk, and anytime we are emailed by government law enforcement officials, we link them to our public Legal FAQ.

  4. Deposit enough funds into the business bank account. This may include: several months of business insurance, data center services including IP transit services, legal services, all RIR (like ARIN) registration and IP allocation costs, and hardware costs.

  5. Purchase computer and networking parts for a Tor router and edge router.

  6. Set up a Zendesk free trial for testing, tracking, and responding to abuse@ communications, and set up automated responses with the Legal FAQ.

  7. Create ARIN POC records for your organization, which will also depend on personal records. When setting up POC records, be very sure to use the business's receiving/forwarding mail service address. We did not use our Registered Agent address with our POC records since we want to minimize who has access to government legal demands.

  8. Set up the insurance provider(s) needed for data center co-location service, including “commercial general liability”, “business property protection”, and “professional liability” insurance. We use The Hartford, and have since day one.

  9. Finalize negotiating all fees with your data center and IP transit service (upstream ISP) providers and then sign contracts. The transit provider needs to perform an IP SWIP for updating ARIN’s WHOIS so that your organization is on record for using leased IP space. Once you have your upstream ISP-provided IP addresses, now you can apply for your own ASN and your own IP space.

  10. Apply to ARIN (or your RIR) for your organization's Autonomous System Number (ASN) and then a /48 or /32 IPv6 block. It's important to get IP space in this order. Understand ARIN's 4.10 rule for obtaining a free /24 IPv4 block. Once you have obtained an ASN and IPv6 block, apply for a free /24 IPv4 block using ARIN's 4.10 rule. Emerald Onion pays an annual fee of $250 for our ASN and $250 for our /48 IPv6 block. Back in 2017, we applied for our first 4.10 IPv4 block with success by explaining how Tor needs more IPv6 relays in order to eventually allow IPv6-only relays. So, in order to facilitate more IPv6 in the Tor network, operators such as Emerald Onion need “immediate” access to an IPv4 block. A few years later, since Emerald Onion now has multiple POPs, we successfully obtained a second /24 IPv4 block using the same 4.10 rule. So, our IPv4 blocks are free and perpetual.

Deploying

  1. Publish a donation page, legal FAQ, mission, and vision statements on the website.

  2. Deploy your gear in your new data center. Only run Tor bridges or Tor middle relays until securing and configuring RIR-provisioned IP scopes so that you don't cause a legal headache for your transit provider. When configuring operating systems and applications, be sure to minimize or avoid any network logging, and be transparent about that on your published Legal FAQ. Never operate out-of-scope of your Legal FAQ.

  3. Actively publish work performed on social media and the blog. We recommend Mastodon!
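As an added example that is not part of the original article or Emerald Onion's own configuration, here is a minimal torrc for the deployment step above: a middle/guard-only relay with network logging kept to a minimum, to be promoted to an exit only after the organization's own ASN and IP space are live. The nickname, contact address, hostname, and fingerprint are placeholders.

```torrc
# Placeholder identity values; replace with the organization's own.
Nickname ExampleRelay01
ContactInfo abuse@example.org
Address relay01.example.org

# Listen on IPv4 and IPv6 so the relay contributes to IPv6 reachability.
ORPort 9001
ORPort [::]:9001

# Phase 1 (before RIR-allocated IP space is configured): middle/guard only.
# No exit traffic originates from the upstream ISP's leased addresses.
ExitRelay 0
ExitPolicy reject *:*

# Phase 2 (after the organization's own ASN and /24 are announced):
# comment out the two lines above and uncomment these.
#ExitRelay 1
#IPv6Exit 1

# Logging: notice-level operational messages only, with client addresses
# scrubbed. SafeLogging is on by default; it is stated here so the choice
# is explicit and matches what the published Legal FAQ says about logging.
SafeLogging 1
Log notice file /var/log/tor/notices.log
AvoidDiskWrites 1

# Declare sibling relays run by the same organization so a client never
# builds a circuit through two of them. Placeholder fingerprint.
MyFamily $0000000000000000000000000000000000000000
```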