[tor-talk] Corporate policy and procedure

Dear Tor Talk,

As part of my internship work with the ACLU of Washington, I’m looking for practical examples of corporate policies and procedures for:

  • Deploying Tor relays and management
  • Deploying Tor Browser on client computers and management

I will be preparing templates, and related Tor education/marketing materials, for organizations within Washington State that we want to see supporting Tor. We will also publish these materials using a public domain license for anyone to use.

For example, if a library or law office, etc., wanted to support Tor by one or both of the above examples, they might want to develop internal policies detailing how to deploy it and how to manage it. This might be important material to have in advance when advocating to managers or a board of directors.

A policy to manage a Tor relay might include:

  • Statement of purpose
  • Device access policy
  • Abuse complaints policy
  • Admin management policy
  • Isolated network zone exception policy
  • Links to any related standard operating procedures

A standard operating procedure for Tor relay management might include:

  • List of maintainers, contact information, and escalation procedures
  • Maintenance schedule
  • Management commands and expected outcomes
  • Troubleshooting steps
  • Reference to internal governing policy

Regarding policies and procedures for managing Tor Browser, should it be managed any differently than Firefox or Chrome? Clearly the network traffic is different from standard HTTP/HTTPS but more like HTTPS. QoS might not work at all. If companies replace client-side SSL/TLS certs for monitoring, would that affect Tor Browser? Exception policies might be prudent. Updating procedures might be different.

If your workplace has any of the above documents or you have prepared similar documents in your own advocacy, please email me a copy or a redacted copy, and thank you!