Tech

University breaks silence on FBI payments to bring Tor users out of the shadows

Carnegie Mellon University has decided to speak out concerning reports that the institute was paid $1 million for ways to unmask Tor users. [Updated]

Written by Charlie Osborne, Contributing Writer Nov. 19, 2015 at 8:02 a.m. PT

[Update: 16.16GMT: CMU, FBI statement]

Carnegie Mellon University has issued a statement concerning allegations that the institute's researchers helped US law enforcement track and monitor users of Tor en masse.

The Tor network is a network of nodes and relays designed to skewer the original IP addresses of users, making them difficult to track. Tor is used by activists and journalists but is also a conduit for illegal activity -- such as the purchase of drugs, weapons and counterfeit goods.

When combined with encryption tools, software such as Tails and a VPN, users can further mask their tracks as well as access areas of the Internet left unindexed by search engines.

The Tor network is currently considered one of the top methods to hide Internet activity. However, a research team from Carnegie Mellon University (CMU)'s Software Engineering Institute, was able to use "shortcomings in design" to remove Tor's cloak, potentially leaving users of the anti-surveillance network at risk of exposure.

CMU's team were due to explain the specific details of their research at the cybersecurity conference Black Hat in 2014. The talk was scrapped due to legal reasons, but the story was far from over.

Security

A recent blog post written by Tor Director Roger Dingledine alleged that US law enforcement was also involved in the research. According to the non-profit, CMU was paid "at least" $1 million by the FBI to create and launch an attack on Tor able to "find people they could accuse of crimes" through mass surveillance and the collection of data on users.

Within the statement, the Tor group said there was "no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board," and it was "unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity."

The FBI said in retaliation that the report was "inaccurate," but was very careful in revealing little else. CMU was unwilling to talk about the report when the news surfaced earlier this week and declined to comment when requested by ZDNet.

However, lips were unsealed on Wednesday when the academic institution finally issued a media statement. The statement parroted the FBI's earlier comments concerning the report being "inaccurate," -- but also adding an interesting snippet which may imply a little more context to the issue.

The statement reads:

"Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."

The key word here is "subpoena." The statement does not say outright that CMU's engineering department was issued a subpoena for their research in the Tor network's weaknesses, but the implication is there.

CMU has the ability to say the institute was issued a subpoena by the FBI if it wishes, but rather than open that can of worms, the implication may be enough -- and if so, there was "no funding" involved as a reward for submitting itself to the agency.

The university told ZDNet it had "nothing to add" beyond the statement, as did the FBI.

Universities host some of the world's greatest minds, and in the world of cybersecurity, research is paramount in the development of new tools and methods. Whether or not you consider the hand-over of academic research as law enforcement's weapons as ethical or not, CMU has now found itself embroiled in this debacle, which is not likely to fall to the wayside soon.

ZDNet has reached out to Tor for additional clarification and will update if we hear back.