
Tor Project: FBI Paid Researchers $1M to Unmask Users

The Tor Project, the organization behind the Tor anonymity network, claims the FBI paid Carnegie Mellon University “at least $1 million” to help the agency deanonymize users suspected of conducting criminal activities.

The Tor network helps users maintain their anonymity online by routing traffic through a series of relays operated by individuals and organizations all over the world. In January 2014, more than 100 machines joined the Tor network as relays and attempted to deanonymize people who operated and accessed Tor hidden services.

The offending relays were identified by the Tor Project in July 2014 and removed from the network. At the same time, the Tor Project released a new version of its software to close the vulnerability exploited by the attackers.

It’s believed that these attacks were conducted by a group of Carnegie Mellon University researchers who had planned to disclose their findings at the Black Hat USA conference in August 2014. However, the academics had not given the Tor Project many details about the methods they used, and the Black Hat talk was suddenly canceled in July, apparently because the university had not approved the content of the presentation for public release.

In the abstract of their Black Hat presentation, researchers said they had found a method to “break Tor anonymity” and deanonymize hundreds of thousands of clients and thousands of hidden services within a couple of months. The experts noted that they had tested their findings in the wild.

Now, Tor Project Director Roger Dingledine claims the FBI paid Carnegie Mellon University at least $1 million to attack hidden services in an effort to find potential criminals.

“There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once,” Dingledine said.

“Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users,” he added.

Court documents obtained by Motherboard show that an unnamed source of information (SOI) provided the FBI with reliable IP addresses for Tor hidden services between January and July 2014. The information was used to shut down websites on the dark web that sold illegal goods and services, including the Silk Road 2.0 drug bazaar. The operation, announced in November 2014 by law enforcement in Europe and the United States, resulted in the arrests of 17 suspects.

Some have speculated that Carnegie Mellon University might have helped authorities unmask the suspects by launching a sustained attack on the Tor network, and now there is new evidence to support this theory.

A motion filed last week in the case of a Silk Road 2.0 staff member who was arrested in January revealed that the man’s involvement with the drug bazaar was determined based on information from “a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0.”

Dingledine believes this incident can set a dangerous precedent.

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” Dingledine said. “Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”

Contacted by SecurityWeek, Carnegie Mellon University said, "We have no comment."

*Updated with response from CMU

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.