FBI denies paying $1 million to unmask Tor users

The accusation that the FBI paid university researchers $1m to break the anonymous browsing service is "inaccurate" -- but which part, exactly?
Written by Charlie Osborne, Contributing Writer

The FBI has denied an accusation leveled against the agency concerning $1 million paid to university researchers to infiltrate Tor, but what exactly has been labeled "inaccurate" is up for debate.

The Tor Network is an open-source project which supports a surveillance-thwarting network designed to make tracking users difficult, and has long been a thorn in the side of law enforcement agencies worldwide.

Otherwise known as "The Onion Router," Tor is used by journalists, activists and the privacy-conscious -- but is also used to access a hidden part of the Internet, the Dark Web. This tiny section of the Deep Web is an area full of online marketplaces which trade in illegal goods, including drugs, counterfeit documents and weaponry.

See also: Things you didn't know about the Dark Web

If a user wishes to access .onion addresses and areas which are not indexed by standard search engines such as Google and Yahoo, they must use the Tor browser. Traffic is encrypted and routed through circuits, nodes and relays to skewer the original IP addresses and user locations, making surveillance and tracking online activities more difficult.

However, as university researchers from Carnegie Mellon University (CMU) have demonstrated, the key word is difficult, not impossible. Last year, the research team launched an attack against the Tor network with an investment of only $3,000.

While the deep and dark details of the attack have not been revealed, according to one of the CMU team members, Alexander Volynkin, the cyberattack "combined shortcomings in design and implementation of the Tor network" to abuse and break Tor anonymity.

The researchers who developed the attack were due to explain their findings at the cybersecurity conference Black Hat in 2014, but the talk was scrapped as the university's legal team did not approve the research for public release.

In a blog post, the Tor Project team said they have uncovered more data concerning last year's attack by CMU researchers.

According to the Tor team, the FBI paid "at least" $1 million to CMU to research, create and launch a successful attack on the network which slurped the details of Tor users in a broad sweep before honing in on users through data analysis "to find people they could accuse of crimes."

The Tor group says:

"There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."

Speaking to Ars Technica, the intelligence agency denied these accusations -- somewhat -- telling the publication:

"The allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate."

The hooker here may be the word "inaccurate," as the FBI has not specifically denied paying out to the university. The statement appears to suggest denying the amount in question -- rather than refuting the accusation outright, and ZDNet has requested clarification.

The vulnerabilities have since been patched, but this doesn't solve the core problem, according to Tor. The group says the idea of a law enforcement agency paying an academic group to conduct cyberattacks against such networks in the name of "research" sets a disturbing precedent which will have the potential to not only invade privacy but also send the entire cybersecurity research space into disrepute.

"We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor -- but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research," the Tor team states.

"Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent."

Earlier this year, MIT researchers developed an attack tailored for the Tor network as a means to identify users and servers relaying the network's traffic. Dubbed circuit fingerprinting (.PDF), the attack uses passive network monitoring to identify a hidden service before turning its attention to Tor exit nodes -- which allowed the research team to successfully identify which service a user was accessing the majority of the time.

ZDNet has reached out to the FBI and CMU for clarification and will update if we hear back.

Top tips to stay safe on public Wi-Fi networks

Read on: Top picks

Editorial standards