from the you-can-browse-privately,-just-don't-expect-your-privacy-to-hold-up-in-court dept
Rumors that the US government used a university's research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon's lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU's legal team may have been concerned the researchers' actions had broken wiretap laws.
Nearly a year-and-a-half later, hints were dropped that CMU's Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ's prosecution of Brian Farrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Farrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as "Operation Onymous," which began a few months after the hastily-cancelled Black Hat talk.
Included in the information handed over to Farrell's legal representative was the following:
On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.
Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they "were not aware of any payment" and the FBI stating the allegation it had paid CMU $1 million was "inaccurate" -- which is not nearly the same thing as saying the allegation was false.
Three months after the FBI rumor/tip, the government's use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.
[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.
“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.
“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.
So, the DoD "hired" CMU researchers to find ways to unmask Tor users. It's probably worth noting here that the NSA... is a part of the DoD. The FBI was not directly involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it's interested in discussing its fortuitous timing…
When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”
The buck has been passed, but CMU refuses to touch it.
Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement."
This statement says nothing more than CMU receives subpoenas from time to time and hints that everybody is probably wrong about everything because "inaccurate media reports."
Farrell's lawyers have tried to obtain more details on CMU's DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI's now-infamous "Playpen" case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there's no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.
“SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.
In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word.
So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU's researchers. And all the while, the FBI has apparently been looking over the DoD's shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won't have to, thanks to Judge Richard Jones.