More than a year ago, the Tor Project patched its software against a vulnerability being exploited by researchers at Carnegie Mellon University, it said, for the purpose of de-anonymizing users of Tor hidden services.
Yesterday, Tor Project director Roger Dingledine accused the prominent Pittsburgh university of accepting at least a $1 million payout from the FBI to carry out the attack, which was allegedly used to obtain evidence to put away a member of the Silk Road 2.0 operation and a man charged with possession of child pornography.
Dingledine said in a post to the Tor Project website that the attack was not carried out under the auspices of a warrant obtained by the FBI, nor under the oversight of CMU’s Institutional Review Board.
“We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once,” Dingledine wrote. Dingledine told Wired that “friends in the security community” informed him of the payout amount.
Kenneth Walters, CMU’s executive director of media relations, told Threatpost: “We have no comment.”
Without more information from the university’s officials, or the CMU researchers allegedly behind the attacks, Alexander Volynkin and Michael McCord, it’s difficult to know whether they took sufficient precautions to target only the defendants, Silk Road 2.0’s Brian Richard Farrell and Gabriel Peterson-Siler, alleged to be in possession of child porn. Requests for comments made to Volynkin and McCord were not returned.
“It’s quite possible that these researchers exercised strict protocols to ensure that they didn’t accidentally de-anonymize innocent bystanders. This would be standard procedure in any legitimate research involving human subjects, particularly research that has the potential to harm,” wrote Johns Hopkins professor and security expert Matthew Green. “If the researchers did take such steps, it would be nice to know about them. CMU hasn’t even admitted to the scope of the research project, nor have they published any results, so we just don’t know.”
Green’s post yesterday points out that the case also exposes a lack of ethical oversight in the security research community.
“…There’s also a view that computer security research can’t really hurt people, so there’s no real reason for sort of ethical oversight machinery in the first place,” Green wrote. “This is dead wrong, and if we want to be taken seriously as a mature field, we need to do something about it.”
This saga began last July when the Tor Project announced that attackers had been on its network for six months trying to uncloak users of Tor hidden services. At about the same time, a talk scheduled to be given at Black Hat 2014 by Volynkin and McCord on breaking Tor and deanonymizing users on a budget was pulled from the conference by CMU’s legal team. Tor officials connected the dots and said at the time it was likely that the CMU researchers were on the Tor network.
Then yesterday Motherboard published court documents from Farrell’s case that explained how Farrell’s alleged involvement with Silk Road 2.0 was based on information obtained by a “university-based research institute and the federal government.”
Dingledine said the attack crosses the line between legitimate research and endangering innocent users; Tor provides users in sensitive locations or situations with an encrypted and anonymous means of communicating. For example, it’s used by journalists to communicate with sources, by attorneys to connect with clients, and by activists in oppressed areas.
“This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”