FBI subpoenaed Carnegie Mellon University for Tor-using suspect’s IP address

A court order in the case of U.S. vs Brian Farrell, a man charged with conspiracy to distribute illegal drugs while he was allegedly an administrator of the Silk Road 2.0 website, has provided official confirmation that the FBI identified him thanks to an IP address provided by the Software Engineering Institute of Carnegie Mellon University, which was conducting research on the Tor network at the time.


The court’s opinion

“The record demonstrates that the defendant’s IP address was identified by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) when SEI was conducting research on the Tor network which was funded by the Department of Defense (DOD),” the order states.

“The government previously produced information to the defense that Farrell’s IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU.”

Carnegie Mellon University previously implied – but didn't explicitly say – that this was how it all happened. The university also said that it did not receive payment for this, and thus shot down the accusation by Tor Project's leader Roger Dingledine that it received at least $1 million for the service it provided.

Farrell's legal counsel filed a motion in January to compel discovery of "additional material pertaining to the relationship between SEI and federal law enforcement and the methods used by SEI to identify the defendant's IP address."

The judge denied the motion, and said that the government already shared enough information about the relationship between the Department of Justice and SEI, and the methods employed by SEI.

“From the record, it appears the only information passed on to law enforcement about the defendant was his IP address. There is nothing presented by the defense, other than rank speculation, that anything more was obtained by SEI and provided to law enforcement to identify the defendant,” the judge noted.

He pointed out that Tor users – i.e. in this case the defendant – “clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network”, as the Tor Project itself states that “the Tor network has vulnerabilities and that users might not remain anonymous.”

“The evidence before this Court indicates that SEI obtained the defendant’s IP address while he was using the Tor network and SEI was operating nodes on that network, and not by any access to his computer. For these reasons, any other discovery about the methodology or technique used to identify the defendant’s IP address is not material to his defense,” he concluded.

According to Motherboard, a spokeswoman for the FBI said that the question of how the bureau knew about SEI's Tor research, and so was able to subpoena it for information, is best answered by Carnegie Mellon University. The university has not offered any additional comment on the matter so far.

Is the Tor network secure?

“We read with dismay the Western Washington District Court’s Order on Defendant’s Motion to Compel issued on February 23, 2016, in U.S. v. Farrell,” Tor Project’s Roger Dingledine commented.

“The Court held ‘Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network.’ It is clear that the court does not understand how the Tor network works. The entire purpose of the network is to enable users to communicate privately and securely. While it is true that users ‘disclose information, including their IP addresses, to unknown individuals running Tor nodes,’ that information gets stripped from messages as they pass through Tor’s private network pathways,” he explained.

“This separation of identity from routing is key to why the court needs to consider how exactly the attackers got this person’s IP address. The problem is not simply that the attackers learned the user’s IP address. The problem is that they appear to have also intercepted and tampered with the user’s traffic elsewhere in the network, at a point where the traffic does not identify the user,” he noted. “They needed to attack both places in order to link the user to his destination. This separation is how Tor provides anonymity, and it is why the previous cases about IP addresses do not apply here.”
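The "separation of identity from routing" Dingledine describes can be made concrete with a small model of onion routing. The block below is an added example; it is not code from this article, from the Tor Project, or from the SEI research, and it does not reconstruct the technique used against Farrell. It assumes a toy stream cipher (an HMAC-derived keystream standing in for Tor's per-hop AES), three relays whose keys are already shared with the client, and constructed client IPs, destinations and timestamps. Each relay logs only what its operator could see: the guard learns the client's IP but only the next relay; the last hop learns the destination but only the previous relay. `correlate` shows that linking an IP to a destination requires observations from both ends of the path at once, which is the point the quote makes.

```python
"""Toy onion-routing model: which hop learns what, and why both ends are needed to link a user.

Added example, not the Tor Project's code. Keys, IPs, destinations and timings are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

HDR = 16  # fixed-width header field holding the next-hop name or the "DEST" sentinel


def _pad(s: str) -> bytes:
    b = s.encode()
    assert len(b) <= HDR, "name too long for the toy header"
    return b.ljust(HDR, b"\0")


def _unpad(b: bytes) -> str:
    return b.rstrip(b"\0").decode()


def _xor_layer(key: bytes, data: bytes) -> bytes:
    """Stand-in for one hop's stream cipher: XOR with an HMAC-derived keystream.
    Illustration only, not a real cipher; the same call both encrypts and decrypts."""
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Relay:
    name: str
    key: bytes                                # assumed already negotiated with the client
    log: list = field(default_factory=list)   # what this relay's operator could record

    def peel(self, src: str, blob: bytes, t: float):
        """Remove one layer; learn only the previous hop and the next hop."""
        inner = _xor_layer(self.key, blob)
        nxt, rest = _unpad(inner[:HDR]), inner[HDR:]
        if nxt == "DEST":                     # last hop: the destination is revealed only here
            nxt, rest = _unpad(rest[:HDR]), rest[HDR:]
        self.log.append({"t": t, "from": src, "to": nxt})
        return nxt, rest


def build_onion(path: list, dest: str, payload: bytes) -> bytes:
    """Wrap the payload so that each relay in path can strip exactly one layer."""
    blob = _xor_layer(path[-1].key, _pad("DEST") + _pad(dest) + payload)
    for i in range(len(path) - 2, -1, -1):    # wrap from the last hop outward to the guard
        blob = _xor_layer(path[i].key, _pad(path[i + 1].name) + blob)
    return blob


def send(client_ip: str, path: list, dest: str, payload: bytes, t: float) -> tuple:
    """Route one onion along path; return (destination, payload) as the last hop sees them."""
    blob, src = build_onion(path, dest, payload), client_ip
    for hop, relay in enumerate(path):
        nxt, blob = relay.peel(src, blob, t + 0.01 * hop)   # constructed per-hop latency
        src = relay.name                      # the next relay sees only this relay as its source
    return nxt, blob


def correlate(guard_log: list, exit_log: list, window: float = 0.05) -> list:
    """Link client IPs to destinations, which is possible only with BOTH ends observed:
    pair guard-side and last-hop records whose timestamps fall inside a small window."""
    links = []
    for g in guard_log:
        for e in exit_log:
            if 0 <= e["t"] - g["t"] <= window:
                links.append((g["from"], e["to"]))
    return links


if __name__ == "__main__":
    relays = [Relay(n, hashlib.sha256(n.encode()).digest()) for n in ("guard", "middle", "exit")]
    guard, middle, last = relays
    send("203.0.113.7", relays, "example.onion", b"GET /", t=100.0)   # constructed traffic
    send("198.51.100.9", relays, "other.onion", b"GET /", t=200.0)
    for r in relays:
        print(r.name, r.log)                  # guard: client IP -> middle; last hop: middle -> dest
    print(correlate(guard.log, last.log))     # both logs together: IP linked to destination
```

Run stand-alone, the per-relay logs show that no single relay holds both the client IP and the destination; only the joined guard and last-hop logs yield the link, and the timing window is the only thing tying the two records together.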

He concluded by saying that the Tor network "is secure and has only rarely been compromised," that the vulnerability exploited by SEI-CMU has been patched, and that the Tor network remains the best way for users to protect their privacy and security when communicating online.