The Tor Project claimed last year that researchers at Carnegie Mellon University (CMU) were behind an attack on Tor that was used to unmask users. CMU released a vague statement that strongly implied the FBI had indeed subpoenaed the university for its research, and now we have confirmation. A court filing from one of the associated criminal cases explains how Carnegie Mellon's Software Engineering Institute (SEI) helped the FBI track down some wanted Tor users.
In November of last year, Tor director Roger Dingledine wrote a post explaining that a number of malicious nodes had been operating on Tor for about six months, from early to mid-2014. He accused CMU of hacking Tor in collusion with the FBI. Dingledine said CMU was actually paid $1 million to perform the hack, but that has never been substantiated. What we do know is that SEI's work did indeed lead to at least one prosecution, that of Silk Road 2.0 staff member Brian Farrell.
Farrell's lawyers filed a motion for discovery of the evidence used to identify the defendant's IP address. After being identified by law enforcement, Farrell was arrested and charged with conspiracy to distribute cocaine, heroin, and methamphetamine. The document confirms that CMU was subpoenaed for the data SEI collected while it was running those Tor nodes to test its attack. The method was scheduled to be presented at Black Hat in 2014, but the talk was abruptly canceled after the subpoena was issued.
The filing also explains why the FBI believes the information collected by SEI can legally be used in court. The government's position is that collecting Farrell's IP address didn't violate the Fourth Amendment because Tor users have no reasonable expectation of privacy. That's a bold claim when Tor's entire reason for existence is to provide anonymous connections. According to the FBI's argument, Tor users have to disclose their IP address to nodes in the Tor network in order to be routed to a destination. The connections between those nodes are encrypted, and traffic is bounced through several of them to conceal its source, but the nodes themselves are run by individuals unknown to the user. Therefore, the FBI argues, the user is taking "a significant gamble."
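The technical premise behind that argument is a property of onion routing: each relay in a circuit learns the hop before it and the hop after it, and nothing else. The first hop (the guard) therefore necessarily sees the client's real IP address, which is exactly the position a malicious relay operator would want. The simulation below is an added illustration written for this page, not code from Tor, CMU, or the court filing. It models a plain three-hop circuit to an ordinary destination (not the hidden-service rendezvous protocol Silk Road 2.0 actually used), stands in a toy XOR stream cipher for Tor's real per-hop encryption, assumes each relay's key was pre-shared with the client during circuit setup, and uses constructed addresses and payloads throughout.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample values; these are documentation/example addresses, not real relays.
CLIENT_IP = "203.0.113.7"
DESTINATION = "destination.example"


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a keystream with SHA-256 in counter mode (toy only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR stream cipher standing in for Tor's real per-hop encryption.

    It is symmetric (encrypt == decrypt) and NOT secure; each key is used for
    exactly one cell here, because reusing a keystream leaks plaintext XORs.
    """
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass
class Relay:
    name: str
    addr: str
    key: bytes                                # assumed pre-shared with the client
    seen: dict = field(default_factory=dict)  # what this relay's operator can log

    def handle(self, prev_addr: str, cell: bytes):
        """Peel one layer: the relay learns the previous hop (from the incoming
        connection) and the next hop (from its own layer), and nothing deeper."""
        layer = json.loads(toy_cipher(self.key, cell))
        self.seen = {"prev_hop": prev_addr, "next_hop": layer["next"]}
        return layer["next"], bytes.fromhex(layer["inner"])


def build_onion(relays, dest: str, payload: bytes) -> bytes:
    """Wrap the payload in one layer per relay; the innermost layer is the exit's."""
    cell = payload
    for i in range(len(relays) - 1, -1, -1):
        next_hop = dest if i == len(relays) - 1 else relays[i + 1].addr
        plain = json.dumps({"next": next_hop, "inner": cell.hex()}).encode()
        cell = toy_cipher(relays[i].key, plain)
    return cell


def run_circuit(client_ip: str, relays, dest: str, payload: bytes) -> dict:
    """Send one cell through the circuit and collect every party's view of it."""
    cell = build_onion(relays, dest, payload)
    prev = client_ip
    for relay in relays:
        _, cell = relay.handle(prev, cell)
        prev = relay.addr
    return {
        "dest_sees": {"from": prev, "payload": cell},   # destination sees the exit only
        "views": {r.name: r.seen for r in relays},
    }


def addresses_known(views: dict, relay_names) -> set:
    """Union of endpoint addresses an operator running the named relays observes."""
    known = set()
    for name in relay_names:
        known.update(views[name].values())
    return known


def make_circuit():
    """Constructed guard/middle/exit circuit with placeholder keys."""
    return [
        Relay("guard", "198.51.100.10", b"guard-key"),
        Relay("middle", "198.51.100.20", b"middle-key"),
        Relay("exit", "198.51.100.30", b"exit-key"),
    ]


if __name__ == "__main__":
    result = run_circuit(CLIENT_IP, make_circuit(), DESTINATION, b"GET /vendor HTTP/1.1")
    for name, view in result["views"].items():
        print(f"{name:6s} sees {view}")
    print("destination sees", result["dest_sees"])
```

Running it shows the guard logging `prev_hop` equal to the client's real IP while knowing nothing about the destination, the exit logging the destination while knowing nothing about the client, and no single relay holding both. The "gamble" the filing describes is that the guard is chosen from relays run by strangers, and an operator who controls relays at both ends of a circuit holds both addresses; with only one circuit in this toy that pairing is trivial, whereas on the real network it requires correlating the two ends' traffic, which is the kind of work malicious relays are positioned to do.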
This is all based on documents that are part of the public record, but others remain sealed. It's not clear what those might contain, but Farrell's lawyers have been trying to get details on the communication between SEI and the government, which funded the original research through a Department of Defense grant. The nature of that communication could make the program look more like a paid hack and less like academic research. If SEI's goal was simply to prove that deanonymizing Tor users was feasible, why specifically monitor the IP addresses accessing the vendor section of Silk Road? That sounds an awful lot like law enforcement action.
This is just the first case in which we know for certain that Carnegie Mellon University was responsible for unmasking the defendant. A number of other Silk Road 2.0 figures and unrelated dark web users were swept up around the same time. CMU has refused to comment further, but it may not be legally able to discuss its role in what could be many ongoing cases.