Tor accuses CMU

Credit: Kyung Min Lee/Junior Artist Credit: Kyung Min Lee/Junior Artist

Last week, representatives of Tor, a network of servers used to guarantee anonymity on the Internet, accused Carnegie Mellon computer scientists of selling research to the FBI that compromised the volunteer-run service and exposed information about users of “the dark web” to the FBI and others.

Tor, which stands for The Onion Router, helps users of the dark web do their business anonymously. “The dark web” refers broadly to any part of the Internet not indexed by search engines, and is home to black markets such as the now defunct Silk Road 2.0, a trafficking hub for illegal items. In such black markets, users of the dark web can find illicit goods ranging from fake passports, to drugs, to stolen identities.

“Apparently these [Carnegie Mellon] researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Tor wrote on its blog.

The suspicion against Carnegie Mellon began when a group of researchers pulled out of the Black Hat Conference, a conference for hackers and the cybersecurity community. At the conference, the researchers were slated to give a talk on how to break into Tor using only $3000 worth of hardware.

Tor alleges that the FBI paid $1 million dollars to Carnegie Mellon’s Computer Emergency Response Team (CERT), part of the Software Engineering Institute (SEI), for the research.

This conduct, the organization says, violates the tenets of ethical research. According to Tor’s blog, “There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board. We think it’s unlikely they could have gotten a valid warrant for [Carnegie Mellon’s] attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.”

“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” the post continues. “Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.”

“I’d like to see the substantiation for their claim,” Ed Desautels, part of the SEI’s public relations department, told Wired. “I’m not aware of any payment,” he added, declining to comment further. When The Tartan reached out, university officials declined to comment.

Tor’s exploited vulnerabilities were patched last year, but not before they lead to the arrest of Brian Richard Ferrell, who was charged with conspiracy to distribute heroin, methamphetamine, and cocaine.

According to the search warrant against Ferrell’s house, a “Source of Information (SOI)” provided “reliable IP addresses for TOR and hidden services such as SR2.” For months, the source remained unidentified.

In mid-October, however, Ferrell’s defense introduced a motion claiming that a “research-based institution” gave the government the information used to arrest Ferrell. Soon, Motherboard drew a connection between Carnegie Mellon and the compromised Tor servers.

In a statement to Ars Technica, the FBI denied the allegations. “The allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate,” an FBI spokeswoman told the website last Friday.