Tor Project says FBI paid Carnegie Mellon $1m to unveil Tor users


In November 2014, a far-flung, multi-nation bust, dubbed Operation Onymous, snared 410+ supposedly hidden services running 27 markets, including Silk Road 2.0, stripping away the concealing layers of the Tor anonymizing service to lay identities bare.

Ever since, the keepers of Tor – the Tor Project – have been trying to puzzle out how the FBI pulled aside the curtain on the Tor network, which is designed to mask users’ identity by means of software that routes encrypted browsing traffic through a network of worldwide servers.

Now, the non-profit Tor Project says that the FBI did it by using a technique discovered by Carnegie Mellon University (CMU) researchers, and that the university earned a serious amount of coin in the deal.

In a blog post published Wednesday, Tor Project Director Roger Dingledine said that Tor has been told that CMU received a payment of “at least $1 million.”

He didn’t identify the informant. Nor did he offer further evidence.

But as it is, there’s already a wealth of circumstantial evidence.

In the months before the attack, research from CMU described a way to de-anonymize Bitcoin users that allows for the linkage of user pseudonyms to the IP addresses from which the transactions are generated, even when used on Tor.

In fact, two CMU researchers canceled a Black Hat 2014 talk about how easy they found it to break Tor.

The researchers claimed that it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and promised to discuss examples of their own work identifying “suspected child pornographers and drug dealers.”

From the original description, before the university’s lawyers had the talk yanked from the lineup:

There is nothing to prevent you from using your resources to de-anonymize the network's users ... by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so.

Looking for the IP address of a Tor user? No problem. Trying to uncover the location of a hidden service? Done. We know because we tested it, in the wild...

Dingledine thinks that the FBI got to those researchers:

Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.

The Tor Project managed to discover and shut down the sustained attack in July 2014, subsequently concluding that the attack resembled the technique described by the CMU team.

Last week, another piece of the puzzle slid into place.

It came in a new court filing in the case of Brian Farrell, an alleged Silk Road 2.0 deputy who went by the handle “DoctorClu” and who’s due to stand trial in Seattle later this month.

The filing, first spotted by Motherboard, shows that a university helped the FBI to bust Silk Road 2.0.

From the filing, courtesy of Ars Technica:

On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0.

Dingledine said that there’s been “no indication yet” that the CMU researchers had either a warrant or “any institutional oversight” by Carnegie Mellon’s Institutional Review Board.

In fact, Dingledine said, the Tor Project thinks it unlikely that a valid warrant would have been issued for the attack, given that it wasn’t targeted at criminals or criminal activity.

Rather, the attackers “indiscriminately targeted many users at once,” he said.

As such, the attack not only violated the Tor Project’s trust and its guidelines for ethical research, he said.

It also put innocent users at risk:

We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

The “outsourcing” of police investigatory work is also a troubling precedent, Dingledine said:

Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social network - If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, didn’t directly deny the accusations, but he pointed to a lack of evidence when Wired got in touch:

I'd like to see the substantiation for their claim. I'm not aware of any payment.

Image of key courtesy of