A judge has confirmed that researchers from Carnegie Mellon University were funded by the US government to develop ways to track and bring Tor users out of the shadows.
In a court filing, Federal Judge Richard Jones, presiding at the Western District of Washington at Seattle court, revealed that the IP address of Brian Farrell, a man accused of being part of the Silk Road 2.0 team on the Dark Web, was uncovered by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU), while "SEI was conducting research on the Tor network which was funded by the Department of Defense (DoD)."
"The government previously produced information to the defense that Farrell's IP address was observed when SEI was operating its computers on the Tor network," the filing reads. "This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU."
SEI was able to compromise the Tor network in early 2014, but the security vulnerability which allowed the team to tamper with relays and user traffic was patched as soon as the organization learned of it.
At the time, the FBI denied claims that the agency had paid the university $1 million to unmask Tor users, labelling the report as "inaccurate." However, while we now know there was definitely a relationship between US law enforcement and CMU, we can only guess at what the actual terms of the funding include.
It seems, however, that the DoD funded the research, which was then subpoenaed by the FBI, a fact missing from earlier speculation. Originally, the Tor project said the FBI paid "at least" $1 million to CMU to create an attack which slurped identifying details belonging to Tor users before focusing on users "they could accuse of crimes."
In November last year, CMU released a statement saying that "the university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."
Farrell, who was arrested in 2014 and is being charged with conspiracy to distribute drugs as an administrator of Silk Road 2.0, attempted to pursue a "compel discovery" order with the court, which would force the university and law enforcement to reveal additional details beyond the bare bones of how his IP address was discovered -- which may have gone beyond research and into the realm of illegal surveillance.
The judge refused the request, stating that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."
Going further, the filing reads:
"From the record, it appears the only information passed on to law enforcement about the defendant was his IP address. There is nothing presented by the defense, other than rank speculation, that anything more was obtained by SEI and provided to law enforcement to identify the defendant.
SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny."
On Wednesday the Tor Project said they "read with dismay" the outcome of the request, commenting:
"It is clear that the court does not understand how the Tor network works. The entire purpose of the network is to enable users to communicate privately and securely.
While it is true that users 'disclose information, including their IP addresses, to unknown individuals running Tor nodes,' that information gets stripped from messages as they pass through Tor's private network pathways."
According to Tor, the problem is this: the attackers did not simply grab the defendant's IP address, but also appeared to tamper with the user's traffic elsewhere on the network -- and both places had to be compromised to pinpoint the user.
The security vulnerability exploited by the researchers may have cast a shadow on the Tor network, but there is always a risk with anything you visit, download or post online. Many still believe in the network as one of the best methods out there to disguise your digital tracks, and the non-profit recently raised over $200,000 in support to improve the network through crowdfunding.