Silk Road 2.0 Court Docs Show US Government Paid Carnegie Mellon Researchers To Unmask Tor Users

from the you-can-browse-privately,-just-don't-expect-your-privacy-to-hold-up-in-court dept

Rumors that the US government used a university’s research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon’s lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU’s legal team may have been concerned the researchers’ actions had broken wiretap laws.

Nearly a year-and-a-half later, hints were dropped that CMU’s Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ’s prosecution of Brian Farrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Farrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as “Operation Onymous,” which began a few months after the hastily-cancelled Black Hat talk.

Included in the information handed over to Farrell’s legal representative was the following:

On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.

Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they “were not aware of any payment” and the FBI stating the allegation it had paid CMU $1 million was “inaccurate” — which is not nearly the same thing as saying the allegation was false.

Three months after the FBI rumor/tip, the government’s use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.

[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.

“The record demonstrates that the defendant’s IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.

“Farrell’s IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.

So, the DoD “hired” CMU researchers to find ways to unmask Tor users. It’s probably worth noting here that the NSA… is a part of the DoD. The FBI was not directly involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it’s interested in discussing its fortuitous timing…

When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

The buck has been passed, but CMU refuses to touch it.

Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, “We have nothing to add beyond our Nov. 18 statement.”

This statement says nothing more than CMU receives subpoenas from time to time and hints that everybody is probably wrong about everything because “inaccurate media reports.”

Farrell’s lawyers have tried to obtain more details on CMU’s DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI’s now-infamous “Playpen” case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there’s no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.

“SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.

In short, there’s no expectation of privacy in the use of a service specifically designed to protect users’ privacy. Users may believe they have an expectation of privacy but it’s a belief that won’t be upheld by this nation’s courts. Efforts made by the government to strip this protection away are not viewed as intrusive — at least not in the Fourth Amendment sense of the word.

So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU’s researchers. And all the while, the FBI has apparently been looking over the DoD’s shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won’t have to, thanks to Judge Richard Jones.

Companies: carnegie mellon, silk road 2.0

Comments on “Silk Road 2.0 Court Docs Show US Government Paid Carnegie Mellon Researchers To Unmask Tor Users”

Uriel-238 (profile) says:

Over 200,000 German Holocaust perpetrators

Yes, Godwin’d in one.

We humans really like law. The times have been uncountable when in Techdirt articles about clear overreach (say pinning child porn charges on teens sexting others with pictures of themselves) that we’ll get a few folks saying the law’s the law. As if by enshrining something in state policy makes it sacred, and this makes it right that poor ignorant-but-sexually-explorative tyke is to be tossed into jail and onto the Sex-Offender Registry.

(It gets worse when the source is popularly sacred, such as the bible or Koran, at which point we see debacles like Kim Davis)

We’ve also seen plenty of articles on this site in which the FBI has clearly been acting not in the interest of the law, but to protect its own best interests, often contrary to the law, such as the way it doesn’t report police shootings to Congress, even though it’s mandated to do so.

So it comes down to this:

The FBI is not our friend.

We’d probably be best off dismantling it entirely and erecting an agency to do those services we’d miss. But that’s not going to happen in this political clime, any more than we’re going to move our food stamp program from Agricultural Services to Human Welfare. It’s very hard to make big changes like that in our government, so agencies like the FBI (or CIA or NSA) are here to stay even when they outlive their usefulness, or have internally changed enough that they serve no-one else but themselves.

The FBI is not our friend, and we should suffer them no more power than they already have, as those powers will only be used to persecute more innocent Americans…again as we’ve seen here in plenty of Techdirt articles.

And it’s frustrating that just because FBI guys carry a shiny badge that some people are willing to give them unlimited license.

We’ve seen where that degree of authority goes.

Anonymous Coward says:

Turn about will be sweet

At least we will be able to look back and see literally everything that our transparent government has been doing in our name by the time my children have children. There are two reasons for secrecy and no one believes it is for our good any longer. Let’s see how they howl when their actions are paraded about in the light of day and their own words about how no one can expect privacy ever are shoved down their throats.

SirWired (profile) says:

Errr... Duh.

Does anybody seriously expect that the FBI wouldn’t want to have a way to eavesdrop/de-anonymize/etc. Tor users? While I am going to conveniently ignore whether or not this ability is being put to worthy ends or being requested in the right ways, this general technical concept is kind of exactly what we pay law enforcement and intelligence agencies to do and is not particularly controversial.

What did you expect them to do? “Oh, darn. Tor makes it hard to figure out who is saying what to whom. I guess we’ll just let anything that happens there slide.”

Christenson says:

1967 Katz Decision....

Our dear judge is going squarely against the 1967 Katz decision…see recent techdirt article, mentioning that taking certain actions in public *do* create an expectation of privacy.

There’s enough here to appeal — use of heavy cryptography *should* create an expectation of privacy, and require at least a warrant to break.

Buck Wheaton says:

“In short, there’s no expectation of privacy in the use of a service specifically designed to protect users’ privacy. Users may believe they have an expectation of privacy but it’s a belief that won’t be upheld by this nation’s courts. Efforts made by the government to strip this protection away are not viewed as intrusive — at least not in the Fourth Amendment sense of the word.”

Government always gives government a pass, especially when government can seize the power to define the meaning of the words.

We have no law when government is the only body that can define what it means. The only peaceful recourse for the citizen is to keep this in mind when voting.
