Tor director: FBI paid Carnegie Mellon $1M to break Tor, hand over IPs

The head of the Tor Project has accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.

Neither Carnegie Mellon officials nor the FBI immediately responded to Ars' request for comment. If true, it would represent a highly unusual collaboration between computer security researchers and federal authorities.

Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, did not deny the accusations directly but told Wired: “I’d like to see the substantiation for their claim,” adding, “I’m not aware of any payment.”

One of the IP addresses revealed belongs to Brian Farrell, an alleged Silk Road 2 lieutenant who is due to stand trial in federal court in Seattle later this month. A new filing in Farrell's case, which was first reported Wednesday by Vice Motherboard, says that a "university-based research institute" aided government efforts to unmask Farrell.

As Ars reported in January 2015, a Homeland Security search warrant affidavit states that from January to July 2014, a “source of information” provided law enforcement “with particular IP addresses” that had accessed the vendor-side of Silk Road 2.

By July, the Tor Project managed to discover and shut down this sustained attack. The Tor Project further concluded that the attack resembled a technique described by a team of Carnegie Mellon University researchers who a few weeks earlier had canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.

In a blog post published Wednesday, Tor Project Director Roger Dingledine said there is "no indication yet that [federal authorities] had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board."

Dingledine did not immediately respond to Ars' request for proof of this $1 million payment allegation.

He continued:

We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.