As Qubes-Whonix users, we have not been “benefitting” from Tor’s Persistent Entry Guard design and will not until bind-directory functionality is implemented upstream. Lately, I’ve been wondering if I want persistence at all.
First, let’s assume that I am a permanently stationary user. So disregard any drawbacks related to Persistence & Location Tracking.
Some arguments in favor of persistence (from some heavyweights):
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
Why is a longer guard rotation period with fewer guards better than the other way around? - Tor Stack Exchange
I’ve had an uneasiness with the conclusions above; and @mirimir’s comment to Peter Palfrader’s stackexchange answer helped me pin down my thoughts. The comment first:
I’ve never quite understood why it’s better for a few users to be more-likely compromised while most users are less-likely compromised. Is it that, once a given user has been compromised, further compromise doesn’t matter? Do these models assume particular patterns of Tor usage, such as daily versus occasional?
I think my question would be somewhat analogous to that comment:
Would I rather have a 100% probability of having 5% of my traffic observed and correlated? (by using non-persistent entry guards)
Or would I rather have a 5% probability of having 100% of my traffic observed and correlated? (by using persistent entry guards)
Obviously, the proportions used are completely made up but I think my point stands across a wide range of inputs. I think (like @mirimir) there is an implied assumption, in the conclusions that favor persistence, that any observation is fatal. Since I spend most of my time online watching Beyonce videos on YouTube, clearly that assumption does not hold for me. While third-party observation of my Beyonce viewing habits would certainly violate my privacy, I would not consider that as fatal a de-anonymization as having 100% of my traffic observed and correlated.
If all of my traffic is sensitive, and observation of any of it will result in complete de-anonymization, then in my example, both scenarios will equate and there will be a 5% chance of being de-anonymized regardless of the entry-guard persistence model. However, if only a portion, say X, of my traffic is critically sensitive, then in my example, non-persistent entry guards will only be fatal X*5% of the time. So I would be willing to risk more and more of my traffic being observed as the amount of sensitive traffic decreases.
Does this reasoning hold any validity?
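The trade-off asked about above can be put into numbers with a small model. This is an added example, not part of the original post, and it goes beyond the post's single-observation case by counting k sensitive sessions out of n. Assumptions: a fraction c of guards is adversarial, a session counts as observed whenever its guard is adversarial, and "non-persistent" means a fresh guard for every session.

```python
import random

def closed_form(c, k, persistent):
    """P(at least one of k sensitive sessions uses an adversarial guard)."""
    if k == 0:
        return 0.0
    # Persistent: one draw decides everything. Rotating: k independent draws.
    return c if persistent else 1.0 - (1.0 - c) ** k

def simulate(c, n, k, persistent, trials=20000, seed=7):
    """Monte Carlo over `trials` users, each with n sessions (first k sensitive).

    Returns (share of users with >= 1 sensitive session observed,
             mean fraction of a user's sessions that were observed).
    """
    rng = random.Random(seed)
    users_hit = 0
    observed_total = 0
    for _ in range(trials):
        bad = rng.random() < c          # guard drawn once (persistent case)
        hit = False
        for s in range(n):
            if not persistent:
                bad = rng.random() < c  # fresh guard for every session
            if bad:
                observed_total += 1
                hit = hit or s < k      # was this observed session sensitive?
        users_hit += hit
    return users_hit / trials, observed_total / (trials * n)

if __name__ == "__main__":
    c, n = 0.05, 50  # 5% is the post's made-up figure; n = 50 is an assumption
    for k in (1, 5, 20, 50):
        p_fix, _ = simulate(c, n, k, persistent=True)
        p_rot, _ = simulate(c, n, k, persistent=False)
        print(f"k={k:2d}  persistent={p_fix:.3f} "
              f"(exact {closed_form(c, k, True):.3f})  "
              f"rotating={p_rot:.3f} (exact {closed_form(c, k, False):.3f})")
```

In this model the mean share of observed sessions is c under both policies; the two differ only in how that exposure is distributed across users and in how the chance of a sensitive session being observed grows with k.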