Following a week of speculation over allegations that its researchers were paid $1 million by the U.S. Federal Bureau of Investigation to hack the Tor online anonymity network, Carnegie Mellon University (CMU) yesterday issued a brief statement saying those reports were inaccurate.
"In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed," the statement noted. "The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."
The university's response was prompted by comments last week by members of the Tor Project, the non-profit organization that maintains the Tor (The Onion Router) software for private and anonymous online communications. A November 11 blog post on the Tor Project's Web site linked a persistent attack on the network last year to Carnegie Mellon researchers. "We have been told that the payment to CMU was at least $1 million," according to the post.
Shortcomings Enable 'Breaking Tor Anonymity'
Last week's allegations by the Tor Project coincided with a November 11 Vice Media Motherboard report that said information from university researchers enabled the FBI to bring charges of drug dealing and child pornography against two users of the Tor network. The publication said it had reviewed court documents in connection with those cases that showed a "university-based research institute" had helped the FBI identify the defendants.
The article noted that the dates given in the government's documents lined up "perfectly" with an attack on Tor users that had been observed in 2014. Suspicions about Carnegie Mellon's possible involvement were raised after two cybersecurity researchers from the university's Software Engineering Institute abruptly withdrew a planned August 2014 presentation at the Black Hat hacker conference that described their success at de-anonymizing users on the Tor network.
"In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity," according to an archived description of that withdrawn presentation. "During this talk, we will quickly cover the nature, feasibility, and limitations of possible attacks, and then dive into dozens of successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places."
While the Tor Project took steps to stop last year's attack on the network, members of the organization said last week that Carnegie Mellon's apparent involvement "sets a troubling precedent" for civil liberties.
"There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board," according to the organization's blog post. "We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once."
Writing on his Web site Monday, cybersecurity expert Bruce Schneier said recently disclosed information about last year's Tor hacking provided "pretty strong evidence that the team of researchers from Carnegie Mellon University . . . de-anonymized Tor users for the FBI."
He added, "The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to de-anonymize a large number of hidden service visitors and provide the information to the FBI."
Matthew Green, a cryptographer and professor at Johns Hopkins University who also posted a commentary on the Tor hacking last week, told us today that he expected more information to eventually come out about how the FBI obtained Tor user details from CMU researchers.
"It's still very confusing," Green said, noting that while the university's statement today indicates the researchers weren't directly paid by the FBI, it appears they might have been subpoenaed for their data. He added that the de-anonymizing and release of user information by academic researchers without users' knowledge and consent raises ethical questions that the university has yet to address.
"The best thing for CMU would be to get ahead of this," Green said. "[But] I'm not seeing it."
Posted: 2015-11-22 @ 11:44am PT
The Government helped design or funded Tor. So now the government wants in. What is good for the goose is good for the gander. Even if CMU assisted the FBI or another gov't agency, literally, who cares. That is not collusion by any stretch or illegal or unethical in any manner. Researchers, scientists and academic institutions have received gov't money and assisted gov't entities for centuries. In the real world, if CMU helped catch perverts or terrorists ready to destroy Paris or Hong Kong, that is a good thing.
Posted: 2015-11-21 @ 1:12pm PT
Another example of blatant privacy violations...class action lawsuits should teach violators a strong lesson!