The price of de-anonymization -- FBI paid $1m to Carnegie Mellon to crack Tor
Tor has long been thought of as offering a level of privacy, security and anonymity that enables people to do whatever they want online; it also facilitates access to the so-called Dark Web. Despite this, law enforcement agencies were able to crack Tor and identify a Silk Road 2.0 user. Now it seems that the FBI was helped out by researchers at Carnegie Mellon University.
It was previously known that the FBI tracked down Brian Richard Farrell using information from a "university-based research institute". The Tor Project itself believes that the FBI paid researchers at the university at least $1 million to attack the network and gather data from Tor relays that could be analyzed and used to identify users' IP addresses.
The project says it is unlikely that the FBI could have obtained a valid warrant to conduct such an attack, as it appears to have amounted to NSA-style dredging; rather than targeting individuals, the attack was used to seek out anyone who might be involved in illegal activity. The well-publicized attack last year used techniques that were remarkably similar to those presented by Carnegie Mellon's Computer Emergency Response Team (CERT) at the Black Hat hacking conference. Interestingly, the paper has since been pulled from the Black Hat website (the Wayback Machine, however, still provides access to a cached version).
Tor is understandably upset that the FBI could pay to crack the network, and decries the attacks:
Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.
This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks -- If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.
Cryptographer Matthew Green says:
A spokesperson for CMU didn't exactly deny the allegations, but demanded better evidence and stated that he wasn't aware of any payment. No doubt we'll learn more in the coming weeks as more documents become public.
The Tor Project is quick to point out that it is not opposed to the idea of law enforcement agencies conducting investigations through Tor, but says that it should be done in an ethical fashion without infringing upon the privacy of innocent users.