Last November, the Tor project accused the FBI of paying researchers at Carnegie Mellon University to de-anonymize the Tor network. The Tor project maintains an internet browser called Tor Browser that anonymizes a user’s IP address.
The FBI responded to the allegations by saying that they were inaccurate. But simply calling the allegations inaccurate may mean that part of the allegations are true.
“The allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate.”
According to the Tor project, the FBI almost certainly did collaborate with CMU. The $1 million number came from “friends in the security community” according to Roger Dingledine, president of the Tor. Dingledine told Wired that the researchers were indeed paid by the FBI to unmask Tor users.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,”
There definitely appears to be at least some truth to the allegations made by the Tor project. The connection between CMU and the FBI was first found during a trial for Brian Richard Farrell, who helped run Silk Road 2.0.
Silk Road 2.0 was a “deep-web” online black market where users can purchase illicit products including drugs. Brian Farrell was accused of being a Silk Road 2.0 lieutenant and charged with conspiracy to distribute heroin, methamphetamine and cocaine.
During his trial, Farrell’s defense team announced that the FBI used information gathered by researchers at Carnegie Mellon University.
“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0,”
Co-founder of the Tor Project, Nick Mathewson, told Motherboard that the deanonymizing of Tor is immoral and not legitimate research.
“If you’re doing an experiment without the knowledge or consent of the people you’re experimenting on, you might be doing something questionable—and if you’re doing it without their informed consent because you know they wouldn’t give it to you, then you’re almost certainly doing something wrong. Whatever you’re doing, it isn’t science,”
For a project that prides itself on providing an anonymous internet browser tool, the idea of a university working to de-anonymize Tor is unsettling. It’s worth noting that while targeting individual users of Tor is possible, it’s just about impossible for anyone to fully crack the greater Tor network.
While the FBI may deny being involved in paying CMU to help them track down users of Tor, the Tor project is pretty certain that they did just that.
Shari Steele, the new executive director of the Tor project, recently spoke with Ars Technica about the CMU hack and
“Clearly CMU takes federal money in order to do research that is attacking Tor, and Tor knows about that. So how deeply was CMU involved? Whether CMU actually did the searches for the FBI, or provided the FBI with the vulnerability, we don’t know the details.”
The Tor project noticed a suspicious group of relays in the Tor network back in July 30, 2014. The organization announced through a blog post that they believed the relays were attempting to de-anonymize users within the Tor network.
As Motherboard notes, the timeframe of the relays, which began on January 30, 2014 and were removed on July 4, 2014, matches with the time period of the FBI’s alleged CMU hacking. This makes the allegations of the FBI being involved with researchers at CMU very plausible.
The idea that the goverment is paying to hack into Tor is interesting. Most of the Tor project’s funding comes from the State Department.
[Photo by Keith Srakocic / AP]