The Tor Project has accused the FBI of paying researchers at Carnegie Mellon University $1 million to deanonymize the popular software and reveal users' locations as part of a major criminal investigation. The assertion comes after the publication of court documents in the upcoming Silk Road 2 case in which government prosecutors state the evidence used to identify the main suspect is “based on information obtained by a 'university-based research institute.' ”
Carnegie Mellon researchers were eyed suspiciously last year when they canceled a plan to present research on how they were able to identify Tor users.
Tor is an anonymity browser that cloaks the online activity of activists and criminals alike, allowing them to browse the Internet without threat of surveillance and access sites that are otherwise hidden. Now, though, the Tor Project says the FBI funded the CMU effort as part of Operation Onymous, the 2014 campaign that led to 17 arrests and the closure of the Silk Road 2 drug market.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Tor said in a statement Wednesday. “Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.”
The Tor statement was prompted by Vice Motherboard's publication of documents from the Silk Road 2 case Wednesday. Brian Richard Farrell, a Seattle man, is accused of conspiracy to distribute heroin, methamphetamine and cocaine as part of his alleged role as Silk Road 2 administrator. A search warrant from prosecutors and produced by Motherboard states the FBI's source of information (the “university-based research institute”) identified 78 IP addresses, one of them belonging to Farrell, who allegedly went by the name DoctorClu.
Tor added there is “no indication yet that [federal authorities] had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board.” Carnegie Mellon stopped short of denying the accusations in a statement to Wired magazine.
“I'd like to see the substantiation for their claim,” said Ed Desautels, spokesman in CMU's Software Engineering Institute. “I'm not aware of any payment.”