Carnegie Mellon Weakly Denies That It Got Paid To Help FBI Crack Anonymity Tool

Layers of intrigue in The Onion Router

[Image: Carnegie Mellon University. Credit: Tomwsulcer, via Wikimedia Commons, CC0 1.0]

It is easy to forget, in our social age of public profiles and constantly tracked online presence, but there are parts of the internet that still offer obscurity. Tor, an identity-cloaking tool initially funded in part by DARPA and still funded to this day in part by the United States State Department, offers a form of protection for anyone online who wants to stay anonymous, like political dissidents abroad or law-avoiding drug sellers in the United States.

But activity conducted through Tor isn’t entirely untraceable, and there’s increasing evidence that, in exchange for cash, a security research team at Carnegie Mellon turned over information to legal authorities that led to several arrests.

Tor lets people use the internet anonymously by routing data through some of the many nodes in a complex network, obscuring the start point and end point. Built from an idea in the mid-1990s to let government officials securely communicate on civilian internet networks without revealing their location, Tor was one of many tools used by activists during the Arab Spring protests of 2011 to communicate while avoiding government scrutiny. Existing Tor nodes include such innocuous sites as public libraries in New Hampshire and research universities, and the network is supported by many digital rights activists as a tool to protect personal freedoms online.

No system is without flaws, and it's through one of these that Brian Richard Farrell was arrested in Seattle and "charged with conspiracy to distribute heroin, methamphetamine and cocaine," on the online darkweb marketplace known as Silk Road 2.0. How was he found? His legal case is ongoing, and Farrell's defense pointed to a breach in Tor for the information that revealed his identity. Motherboard reports:

“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0,” the motion reads.

In response to this letter, the defense asked for additional discovery evidence and information to determine the relationship between this institute and the government, as well as the means used to identify Farrell “on what was supposed to operate as an anonymous website.”

The maintainers of the Tor Project knew their network was attacked last year. In a statement published in response to the recent revelations, the Tor Project claims such an attack threatens the very civil liberties of the web:

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

The Tor Project also claims that friends in the security community informed them that the FBI paid Carnegie Mellon $1 million for the attack.

Carnegie Mellon houses CERT, the Computer Emergency Response Team. Decades old, CERT's stated mission is "improving the security and resilience of computer systems and networks," and in that work they partner with "government, industry, law enforcement, and academia." In 2014, CERT reportedly carried out an attack on the Tor network that lasted from January 30th to July 4th. (The following sequence of events comes from a timeline of the attack by Ed Felten, director of Princeton's Center for Information Technology Policy, published on July 31, 2014.) The attack strategy included adding 115 new nodes to the network, which likely enabled the owners of those nodes to monitor Tor traffic in an unprecedented way. CERT researchers submitted an abstract on this style of attack and were scheduled to speak at the Black Hat hacker conference that year, before the presentation was canceled on account of the material not being cleared for release by Carnegie Mellon.

At the time, Felten wrote:

I’m hard pressed to think of previous examples where legitimate researchers carried out a large scale attack lasting for months that aimed to undermine the security of real users. That in itself is ethically problematic at least. The waters get even darker when we consider the data that the researchers might have gathered—data that would undermine the security of Tor users.

On Monday, security researcher Bruce Schneier said the attacks undermine CERT's role as responsible steward of the internet. He wrote:

The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.

Yesterday, Carnegie Mellon released a brief statement on the accusations:

There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity.

Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.

In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.

At best, that’s a very tepid denial, focused more on the accusations of payment than on the actions taken by the university itself. At worst, it means the people using Tor to protect their identity, no matter the nature of their activity online, might be putting their faith in a compromised system, and one that reveals more information to law enforcement than it obscures.