Tor Project Claims FBI Paid Carnegie Mellon $1 Million To Deanonymize Tor Users

from the tying-together-loose-threads dept

First, let’s go back a year or so. A few weeks before the big Black Hat Conference in 2014, it was announced that a planned presentation from two Carnegie Mellon University researchers (Michael McCord and Alexander Volynkin), entitled “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” was pulled from the program, leading to lots and lots of speculation about what happened. Soon after this, the Tor Project announced it had discovered a group of relays that appeared to trying to deanonymize Tor users who were operating Tor hidden services.

A few months after this, the FBI and Europol suddenly took down a bunch of darknet sites and arrested people accused of running them (calling it “Operation Onymous”) — including arresting a guy named Blake Benthall for running Silk Road 2.0. At the time, we pointed out something odd in the criminal complaint against Benthall. While the complaint noted that the FBI had found the server that was running Silk Road 2.0 (in an unnamed foreign country) and imaged it, nowhere was it explained how.

A couple months after that (at the beginning of this year), the FBI announced the arrest of Brian Farrell, who the FBI claims was a close assistant to Benthall in running Silk Road 2.0.

Fast forward to last week — and Farrell’s lawyer filed a motion with the district court hearing his case, noting that, just last month, the Justice Department revealed to Farrell’s legal team that some of the evidence came from a “university-based research institute” and that Farrell’s defense team had requested additional discovery to get more info. From the motion (which oddly, none of the other press reports on this story published):

On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell?s involvement with Silk Road 2.0 was identified based on information obtained by a ?university-based research institute? that operated its own computers on the anonymous network used by Silk Road 2.0. In response to this letter, undersigned counsel requested additional discovery from the government to determine the relationship between the ?university-based research institute? and the federal government, as well as the means used to identify Mr. Farrell on what was supposed to operate as an anonymous website. To date, the government has declined to produce any additional discovery.

Farrell’s lawyers asked for more time, noting that there was another case in the same court (more on that below), seeking the same discovery, and Ferrell’s lawyers would like his case put on hold until the issue of discovery over the “university-based research institute” was settled in the other case. Vice then reported on this filing… leading the Tor Project itself to announce that it was pretty sure not just that the Carnegie Mellon research project from last year was the project in question, but that the FBI had paid CMU $1 million for that information, though the claim is from an anonymous source.

The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes….


We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board. We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Wired approached Carnegie Mellon who gave a pretty big non-answer in response:

When WIRED contacted Carnegie Mellon, it didn?t deny the Tor Project?s accusations, but pointed to a lack of evidence. ?I?d like to see the substantiation for their claim,? said Ed Desautels, a staffer in the public relations department of the university?s Software Engineering Institute. ?I?m not aware of any payment,? he added, declining to comment further.

This whole complicated scenario raises some pretty serious questions — including whether or not the federal government paid a university to do research in a manner that would almost certainly violate university ethics rules on research on human subjects, but also which would allow the FBI to get all sorts of information on people without a warrant. As the director of the Tor Project, Roger Dingledine, told Wired:

?This attack?sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ?research? as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,? Dingledine writes. ?We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor?but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people?s privacy, and certainly cannot give it the color of ?legitimate research.’?

?Whatever academic security research should be in the 21st century,? he concludes, ?it certainly does not include ?experiments? for pay that indiscriminately endanger strangers without their knowledge or consent.?

And now… this issue moves over to the other case that Farrell’s lawyers pointed out, which is a criminal case against someone named Gabriel Peterson-Siler, who was arrested earlier this year for child porn — and whose lawyers learned from the Justice Department that some of the evidence against him, similarly came from this “university-based research institute.” That’s not directly said in the filings in that case, but Peterson-Siler’s lawyer did make clear that something was up:

This case involves a national operation targeting users of a child pornography website on a network known as the Onion Router (TOR), commonly termed the darknet. The government and the defense recently discussed a potential discovery issue which involves highly sensitive investigative materials regarding the investigation into the users of the child pornography TOR website. This potential discovery issue has involved extensive consultation with multiple Department of Justice components in Washington, D.C., and, despite the diligence of the government, took time to resolve. Defense counsel was notified of the resolution of that consultation process on the same day, October 13, 2015, and the government and defense counsel have been in regular contact regarding next steps. Any ongoing discovery issues related to this matter may also require coordination with multiple Department of Justice components in Washington, D.C.

The date, October 13 when this was revealed, was the same date that Farrell’s lawyers learned the same information. So, now, all eyes should turn to the Peterson-Siler case, to determine whether or not the details are going to come out about how the FBI got this info and whether or not it was legal. Unfortunately, Gabriel Peterson-Siler is anything but a sympathetic defendant here. He’s facing charges for child porn, and, according to the detention order in this case, this is not the first time Peterson-Siler has been in court over such an issue:

Defendant is charged by Complaint with possessing matter containing visual depictions of minors engaging in sexually explicit conduct that had been transported in interstate and foreign commerce. He has a prior conviction for possession of child pornography, for which he served 14 months of confinement, and two years of sexual deviancy treatment. Defendant was on state court supervision at the time of some of the alleged offense conduct charged in this case, some of which was during or soon after the conclusion of the sexual deviancy treatment.

One hopes that this fact won’t cloud the issue over whether or not the FBI should be allowed to pay university researchers to break Tor’s anonymity and spy on people in large groups. But, that may be asking a lot…

Filed Under: , , , , , , , , , ,
Companies: carnegie mellon, tor project

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Tor Project Claims FBI Paid Carnegie Mellon $1 Million To Deanonymize Tor Users”

Subscribe: RSS Leave a comment
Zero says:

Re: Re:

How about not wasting taxpayer money to begin with? These types of situations that highlight these agencies playing fast & loose with taxpayer money show both the lack of due process/oversight and defunct tax system.

Too bad there isn’t a taxpayer based selection system in place that could prevent this type of fraud,waste,abuse. At least then we could attempt to block these overreaches. $150 from my income tax alloted for FBI-CMU project to deanonymize TOR? No thanks; I’ll select a NASA project to fund instead.

Plus, if a university is found guilty of assisting in these “unofficial” ops, no taxpayer funding for you (plus all the negative media attention you deserve!) Win-Win.

Anonymous Coward says:

This could turn out very badly for researchers

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board.

I work at a university and am well aware of the role of IRBs. IRB review is necessary for anything that even vaguely hints that it involves human subjects and it’s deliberately set up to be (somewhat) adversarial and independent in nature. The IRB does not care that you’re a star professor with a million-dollar grant: they’ll tell you no just as much as they’ll tell some first-year grad student.

So IF this is correct and IF researchers at CMU bypassed their own IRB, then there is going to be hell to pay.

Whatever (profile) says:

Re: This could turn out very badly for researchers

It would be true if the was a “human subject” project in the sense that actual humans were used for testing. It was not. it is instead a test of the data created by humans, like hand writing tests or studying graffiti to try to spot the creators.

It can’t any other way, otherwise universities wouldn’t be allowed to study pollution, traffic, queuing theory on subways, or a whole to of other things where humans are remotely involved. Human testing rules are more about tests done specifically on individuals, like drug tests, psychological testing, sleep studies, and so on. There are no human subjects in any of this, just the data created by humans.

Put another way, “no humans were harmed in this project”.

Ninja (profile) says:

Re: Re: This could turn out very badly for researchers

Really? That trope again?

“Nobody was harmed so it’s ok to let the Government violate your rights!”

This does not work in reality. Period. If there is evidence law enforcement violated laws/the Constitution to get what they wanted then these men should go free, evidence dropped. “But you are a monster! They molest children!” So? Law enforcement should have thought about it before skirting outside their obligations. If anything happens from here it’s not the judge that dismiss the case that should be blamed but rather the idiot inside the FBI that thought it’s ok to violate the law to get their ends.

That One Guy (profile) says:

When WIRED contacted Carnegie Mellon, it didn’t deny the Tor Project’s accusations, but pointed to a lack of evidence. “I’d like to see the substantiation for their claim,” said Ed Desautels, a staffer in the public relations department of the university’s Software Engineering Institute. “I’m not aware of any payment,” he added, declining to comment further.

That’s not a non-answer, that’s the kind of answer you’d expect when someone’s guilty of what you’re accusing them of, but is confident that you won’t be able to find enough evidence to prove it in court.

If they were innocent of what they’re being accused of, they’d have said so, and gone out of their way to provide evidence of their innocence given the severity of the accusation, rather than going with a response that basically amounts to ‘You can’t prove anything’.

Rekrul says:

Assuming the FBI doesn’t just use the magic words “national security” to avoid revealing anything, I can already predict exactly what they’ll say;

“We paid the university to research a way to unmask Tor users so that when we have a Valid Warrant(tm) we can do so. In the course of their research, they stumbled across blatant criminal activity, which we NEVER asked them to look for, that they then passed on to us. So while what they did might have violated the ethics rules of the university, the completely unsolicited evidence they turned over to us is entirely above board from a legal standpoint.”

Monday (profile) says:


So does Carnegie Mellon‘s Researchers keep a tight lid/copyright on any code used? Any methods used? Who owns that “research”?

Who else will come forward (Educational Institutions) before it comes out that they too were complicit with illegal Federal operations?

And, it’s already been asked, but yeah, where were their Ethics Committees and Watchdogs? I sat on the Ethics Committee at my University, and I would have jumped at the chance to “reprimand” actions like these…

Anonymous Coward says:

I wonder if they are doing all this currently illegal stuff to have a law passed to retroactively make it legal and thus bypassing the few rights citizens have that remain to them.

What do they have to worry about if they get caught blatantly breaking the law? A paid promotion, national security don’t pry or get sent to jail by the criminals behind this sort of thing.

I mean who is going to stop governmental agencies from breaking the law. Who will force them to face serious consequences for their crimes. Currently no one can.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...