First, let's go back a year or so. A few weeks before the big Black Hat Conference in 2014, it was announced that a planned presentation from two Carnegie Mellon University researchers (Michael McCord and Alexander Volynkin), entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" was pulled
from the program, leading to lots and lots of speculation about what happened. Soon after this, the Tor Project announced it had discovered a group of relays
that appeared to trying to deanonymize Tor users who were operating Tor hidden services.
A few months after this, the FBI and Europol suddenly took down a bunch of darknet sites
and arrested people accused of running them (calling it "Operation Onymous") -- including arresting a guy named Blake Benthall for running Silk Road 2.0. At the time, we pointed out something odd in the criminal complaint
against Benthall. While the complaint noted that the FBI had found the server that was running Silk Road 2.0 (in an unnamed foreign country) and imaged it, nowhere was it explained how
A couple months after that (at the beginning of this year), the FBI announced the arrest of Brian Farrell
, who the FBI claims was a close assistant to Benthall in running Silk Road 2.0.
Fast forward to last week -- and Farrell's lawyer filed a motion with the district court hearing his case, noting that, just last month, the Justice Department revealed to Farrell's legal team that some of the evidence came from a "university-based research institute"
and that Farrell's defense team had requested additional discovery to get more info. From the motion
(which oddly, none of the other press reports on this story published):
On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0. In response to this letter, undersigned counsel requested additional discovery from the government to determine the relationship between the “university-based research institute” and the federal government, as well as the means used to identify Mr. Farrell on what was supposed to operate as an anonymous website. To date, the government has declined to produce any additional discovery.
Farrell's lawyers asked for more time, noting that there was another case in the same court (more on that below), seeking the same discovery, and Ferrell's lawyers would like his case put on hold until the issue of discovery over the "university-based research institute" was settled in the other case. Vice then reported on this filing... leading the Tor Project itself to announce that it was pretty sure not just that the Carnegie Mellon research project from last year was the project in question, but that the FBI had paid CMU $1 million for that information
, though the claim is from an anonymous source.
The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes....
We have been told that the payment to CMU was at least $1 million.
There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.
Wired approached Carnegie Mellon who gave a pretty big non-answer in response
When WIRED contacted Carnegie Mellon, it didn’t deny the Tor Project’s accusations, but pointed to a lack of evidence. “I’d like to see the substantiation for their claim,” said Ed Desautels, a staffer in the public relations department of the university’s Software Engineering Institute. “I’m not aware of any payment,” he added, declining to comment further.
This whole complicated scenario raises some pretty serious questions -- including whether or not the federal government paid a university to do research in a manner that would almost certainly violate university ethics rules on research on human subjects, but also which would allow the FBI to get all sorts of information on people without a warrant
. As the director of the Tor Project, Roger Dingledine, told Wired:
“This attack…sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” Dingledine writes. “We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor–but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people’s privacy, and certainly cannot give it the color of ‘legitimate research.'”
“Whatever academic security research should be in the 21st century,” he concludes, “it certainly does not include ‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”
And now... this issue moves over to the other case
that Farrell's lawyers pointed out, which is a criminal case against someone named Gabriel Peterson-Siler
, who was arrested earlier this year for child porn -- and whose lawyers learned from the Justice Department that some of the evidence against him, similarly came from this "university-based research institute." That's not directly said in the filings in that case, but Peterson-Siler's lawyer did make clear
that something was up
This case involves a national operation targeting users of a child pornography website on a network known as the Onion Router (TOR), commonly termed the darknet. The government and the defense recently discussed a potential discovery issue which involves highly sensitive investigative materials regarding the investigation into the users of the child pornography TOR website. This potential discovery issue has involved extensive consultation with multiple Department of Justice components in Washington, D.C., and, despite the diligence of the government, took time to resolve. Defense counsel was notified of the resolution of that consultation process on the same day, October 13, 2015, and the government and defense counsel have been in regular contact regarding next steps. Any ongoing discovery issues related to this matter may also require coordination with multiple Department of Justice components in Washington, D.C.
The date, October 13 when this was revealed, was the same date that Farrell's lawyers learned the same information. So, now, all eyes should turn to the Peterson-Siler case, to determine whether or not the details are going to come out about how the FBI got this info and whether or not it was legal. Unfortunately, Gabriel Peterson-Siler is anything but a sympathetic defendant here. He's facing charges for child porn, and, according to the detention order
in this case, this is not the first time Peterson-Siler has been in court over such an issue:
Defendant is charged by Complaint with possessing matter containing visual depictions of minors engaging in sexually explicit conduct that had been transported in interstate and foreign commerce. He has a prior conviction for possession of child pornography, for which he served 14 months of confinement, and two years of sexual deviancy treatment. Defendant was on state court supervision at the time of some of the alleged offense conduct charged in this case, some of which was during or soon after the conclusion of the sexual deviancy treatment.
One hopes that this fact won't cloud the issue over whether or not the FBI should be allowed to pay university researchers to break Tor's anonymity and spy on people in large groups. But, that may be asking a lot...