CARNEGIE MELLON’S researchers pulled their talk on cracking the protections of the anonymity software Tor from the schedule of the Black Hat security conference in 2014, the university has been nearly silent about rumors that their technique ended up in the FBI’s hands. Now the university has finally spoken up—to deny the Tor Project’s claim that the FBI paid Carnegie Mellon for their Tor-breaking method.
In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder. But it instead implied that the research may have been accessed by law enforcement through the use of a subpoena. “In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,” the statement reads. “The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.”
That statement directly contradicts an account last week from the organization that runs and maintains Tor, the non-profit Tor Project. Tor’s director Roger Dingledine accused Carnegie Mellon of accepting more than $1 million in payment from the FBI to help the agency identify Tor users, and even catching innocent users in its dragnet as it helped the agency to pursue Tor-protected criminals. “Such action is a violation of our trust and basic guidelines for ethical research,” Dingledine had written at the time. “We have been told that the payment to CMU was at least $1 million,” Dingledine added in his statement, telling WIRED that it had learned of the payment through “friends in the security community.”
On Friday of last week, the FBI called Tor’s $1 million payment accusation “inaccurate,” but declined to say which part of it was untrue—the payment or the fact that it had used Carnegie Mellon’s research. Even now—despite its flat denial that the FBI paid for its research—Carnegie Mellon’s statement doesn’t contradict Tor’s claims that its research was used to unmask criminals by or on behalf of the FBI.
Speculation that the FBI had used Carnegie Mellon’s Tor exploit peaked late last year, when the FBI and Europol launched Operation Onymous, a purge of the dark web. It resulted in the takedown of dozens of the Tor-protected servers known as “hidden services”—among them several of the most popular dark web black markets for drugs and other contraband including the Silk Road 2—and the arrest of 17 suspects.
Those rumors were confirmed in part last week when Motherboard spotted a filing in the legal case of alleged drug dealer Brian Farrell that revealed a “university-based research institute” had helped the FBI to identify Farrell despite his use of Tor.
Despite Carnegie Mellon’s rebuttal, the Tor Project isn’t dropping the issue. In response to WIRED’s request for comment, Tor Project spokesperson Kate Krauss writes that it still has “many questions about CMU’s new statement.” Those questions, Krauss writes, include how the FBI might have known what to subpoena from Carnegie Mellon, and whether Carnegie Mellon’s Institutional Review Board approved of its Tor research. WIRED posed those questions to a Carnegie Mellon public relations staffer, but the university declined to comment beyond its statement.
Even so, the onus is now on Tor to prove its earlier accusation that the FBI paid Carnegie Mellon to intrude on Tor users’ privacy. In the meantime, however, the story of how the feds identified Tor users last year seems to be coming into focus—albeit through a process as messy as that anonymity-stripping technique itself.