Did the FBI pay Carnegie Mellon $1 million to identify and attack Tor users?


Documents published by Vice News' Motherboard, and further reporting by Wired, suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2014 Black Hat talk identified Tor hidden services and their visitors, and turned that data over to the FBI.

Whoever the researchers and whatever the institution, it sounds like a serious ethical breach.

First, from VICE, a report that didn't name CMU but revealed that a U.S. university helped the FBI identify a Silk Road 2.0 staffer and a suspect in a child pornography case:

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

Here's a screenshot of the relevant portion of one of the court documents that Motherboard/Vice News published:


Later today, a follow-up from Wired points the finger directly at CMU:

The Tor Project on Wednesday afternoon sent WIRED a statement from its director Roger Dingledine directly accusing Carnegie Mellon of providing its Tor-breaking research in secret to the FBI in exchange for a payment of “at least $1 million.” And while Carnegie Mellon’s attack had been rumored to have been used in takedowns of dark web drug markets that used Tor’s “hidden service” features to obscure their servers and administrators, Dingledine writes that the researchers’ dragnet was larger, affecting innocent users, too.

No official word yet from the FBI on any of this.


Here's the Tor Project's statement in full this afternoon:

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future.

Here is the link to their (since withdrawn) submission to the Black Hat conference, along with Ed Felten's analysis at the time.

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — if this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog.

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research". Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.



Notable Replies

  1. Universities have been doing R&D for the feds, including the very, very, quiet kind, for a long time(I assume it goes back further than MIT/Lincoln Labs working radar; but certainly at least that far); but a non-IRB-approved 'experiment' on human subjects, most of them not even allegedly involved in anything, as a bespoke job for the FBI would be...atypically classy even by the grim standards of the genre.

    I doubt that indiscriminate harassment from internet strangers would be helpful; but I can only hope that any friends and/or colleagues of the CMU research team involved will ask them the requisite pointed questions and spit in their quisling faces if they don't have some very, very, compelling explanation of how they were coerced into this against their intentions for the research.

    Even if they are not legally touchable, the situation would be greatly improved if it were the case that abusing your position as an 'academic researcher' would leave you a pariah, with only spooks and arms-dealer-nerds like Vupen and Hacking Team for company. Not as good as old fashioned slammer time; but humans are social animals.

  2. This really speaks to the inherent vulnerability of the Tor network architecture. They are based on trusting groups of untrustworthy volunteers. Over and over this is how they get breached. Compare this to a security model based on a well known, trusted entity with a clean track record. Now the interests of the customer and the provider are aligned. There is equity at stake if there is a compromise. That is why we see more breaches in distributed volunteer privacy tools than single provider companies. If an adversary can break your security system for all users for just $1 million, then it’s safe to assume lots of organizations are probably doing it.
