University Accused Of Accepting $1 Million For Exposing Tor Users, FBI Denies

2 minute read

Posted by: Benjamin Vitáris

November 17, 2015

Researchers at the Carnegie Mellon University (CMU) have been accused by the Tor Project for accepting $1 million from the Federal Bureau of Investigation. According to Tor, the researchers were helping the FBI to deanonymize users of the anonymous browser in order for the FBI to track them. We already published an article about the busts (Silk Road 2 and a child porn case) that were potentially made with the help of the Carnegie Mellon University.

Tor’s official statement, as of November 11, goes by this:

”The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.”

”We have been told that the payment to CMU was at least $1 million. There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board. We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once. Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users. This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”

”Whatever academic security research should be in the 21st century, it certainly does not include “experiments” for pay that indiscriminately endanger strangers without their knowledge or consent.”

This alleged act of the FBI does not go unanswered. It raises serious ethical questions and it could really bother the security of current Tor users. Edward Felten, the Deputy U.S. Chief Technology Officer for the White House made this comment on the case:

“I’m hard pressed to think of previous examples where legitimate researchers carried out a large-scale attack lasting for months that aimed to undermine the security of real users.

“Did the researchers gather and keep this data? With whom have they shared it? If they still have it, what are they doing to protect it?

“It’s too late to cover up what happened; now it’s time for [the Software Engineering Institute] to give us some answers.”

Despite the evidence the Tor Project has on the CMU’s involvement with the FBI, the Federal Bureau of Investigation denies that the federal agency paid at least $1 million to researchers of the Carnegie Mellon University for criminal investigation purposes. An FBI representative even told the press that allegation is inaccurate.

Updated: 2015-11-17