Tor Project claims FBI paid university researchers $1m to unmask Tor users

Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web?

Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service.

“The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” he wrote in a blog post published on Wednesday.

The post is a reaction to details revealed by Motherboard’s Joseph Cox, who pointed out a paragraph in a motion filed by the defense in the court case against Brian Farrell, a staff member on Silk Road 2.0.

“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0,” it said.

Farrell’s defense counsel tried to get more details about this, “to determine the relationship between the ‘university-based research institute’ and the federal government, as well as the means used to identify Mr. Farrell on what was supposed to operate as an anonymous website.”

“To date, the government has declined to produce any additional discovery,” the defense counsel concluded.

The name of the institute is not mentioned anywhere in the documents, but there is circumstantial evidence that points to Carnegie Mellon University.

According to the documents, the attack against Tor happened between January and July 2014. A Tor security advisory published on July 30th explained what happened, and speculated (and partly confirmed) that the attacks were mounted by researchers who were scheduled to give a talk about a cheap user deanonymizing attack at Black Hat 2014.

The talk was pulled on 21 July, and the Carnegie Mellon researchers never confirmed that they were behind the attack, nor did the university confirm these most recent speculations.

“There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board. We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once,” noted Dingledine.

“Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users,” he pointed out.

“This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”