Tor Project accuses FBI of paying university to ‘deanonymize’ users without warrant
The accusations against the FBI revolve around the agency’s attempt to unmask the anonymous identities of Tor Project users during a criminal probe known as Operation Onymous. Without a search warrant, federal law enforcement directed researchers at Carnegie Mellon University (CMU) in Pittsburgh, Pennsylvania to reveal the names of users, the team behind the Tor Project claimed on Wednesday.
The Tor Project also claimed that the government paid CMU for this service, but has listed no evidence to that effect.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Tor Project Director Roger Dingledine said in a blog post.
The $1 million figure came from "friends in the security community," Dingledine told Wired.
Operation Onymous, an investigation into drug crimes related to the Silk Road 2.0 website, which relied on the Tor anonymity network to hide the IP addresses of all parties involved, began in January 2014. It resulted in the arrest of 26-year-old Brian Farrell, who was charged with one count of conspiracy to distribute hard drugs this January.
In July 2014, the Tor Project announced in a blog post it had “found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services.” The post noted that the relays, which are nodes of the Tor network that route traffic, joined Tor on January 30 and were removed by the project on July 4.
It was the search warrant for Farrell’s home that first led the Tor Project to suspect the link between his arrest and the attack on the network. In that document, Special Agent Michael Larson wrote that from January 2014 to July 2014, an FBI source of information provided “reliable IP addresses for TOR and hidden services such as SR2.”
“The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address,” the warrant continued, referring to Tor, which is an acronym for “The Onion Router.” One of those belonged to Farrell.
The Tor Project did not appear to have any confirmation of its suspicions ‒ or any idea what the FBI’s source of information was ‒ until a motion was filed in Farrell’s case last week, Motherboard reported.
“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0,” the motion read.
When Farrell’s defense team asked for additional discovery evidence and information to determine the relationship between this "university-based research institute" and the government ‒ as well as to find out how the FBI managed to identify Farrell “on what was supposed to operate as an anonymous website” ‒ they were rebuffed.
“To date, the government has declined to produce any additional discovery,” the defense attorneys wrote in the motion.
Despite the lack of information from the FBI identifying the university, the Tor Project fingered CMU, based on circumstantial evidence again involving timelines that matched up a little too well.
In July 2014, shortly after the Tor Project uncovered and removed the deanonymizing relays, two CMU researchers were set to give a much-anticipated talk at the Black Hat hacking conference, but the remarks were abruptly canceled, Motherboard reported.
Alexander Volynkin and Michael McCord were supposed to reveal how a $3,000 piece of kit could unmask the IP addresses of Tor hidden services as well as their users in much the same way the Tor Project said its site was attacked. The two CMU researchers claimed they had tested such a hack in the wild.
The Tor Project isn’t alone in its suspicions that CMU was behind the attack. Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California, told Motherboard that the Pittsburgh school is “almost certainly” the university that partnered with the FBI.
"The capabilities used to provide the information to the FBI match the capabilities that the attack [uncovered by Tor officials] provided," Weaver told Ars Technica.
CMU cooperated with the FBI without a search warrant or any institutional oversight by the university’s Institutional Review Board, the Tor Project said.
“We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once,” Dingledine wrote in the blog post.
He excoriated the school for its actions, and added that there are legal ways in which the FBI could have used Tor for its investigation without CMU’s attack on the network.
"Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks ‒ If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk," Dingledine wrote.
Nick Mathewson, co-founder of the Tor Project, called CMU’s actions unethical.
"If you're doing an experiment without the knowledge or consent of the people you're experimenting on, you might be doing something questionable—and if you're doing it without their informed consent because you know they wouldn't give it to you, then you're almost certainly doing something wrong. Whatever you're doing, it isn't science,” he told Motherboard in a statement.
The FBI has not commented on the Tor Project’s accusations. For its part, CMU has not commented beyond denying that the school was paid.
“I’d like to see the substantiation for their claim,” Ed Desautels, a staffer in the public relations department of the university’s Software Engineering Institute, told Wired. “I’m not aware of any payment,” he added, declining to comment further.