Tor Project Claims FBI Paid US Uni $1 Million to Attack Network

The Tor Project is claiming that members of a US university were paid by the FBI to attack the anonymizing network, enabling agents to trace users.

The non-profit accused Carnegie Mellon University of accepting at least $1 million for their efforts.

The six-month attack began in January last year and was first highlighted by the Tor Project in July.

It said at the time that the attack was carried out by a group of relays that joined the network and then set about “modifying Tor protocol headers to do traffic confirmation attacks.”

The Tor Project claimed yesterday that the researchers were paid to attack users of the anonymizing network “in a broad sweep” before trawling through their data and working out who they could accuse of crimes.

It continued:

“There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

“Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.”

The Tor Project accused the FBI of getting the university researchers to effectively do its dirty work in order to bypass legal safeguards designed to prevent federal officers from doing such things.

“We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of ‘legitimate research’,” the blog continued.

“Whatever academic security research should be in the 21st century, it certainly does not include ‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”

There’s a growing concern among law enforcers and intelligence agencies that pedophiles, terrorists and cybercriminals are using anonymizing services like Tor and end-to-end encryption to mask their activities and evade detection by the authorities.

However, rights groups maintain that banning such services would only penalize the majority of legitimate users and drive the criminals deeper underground.
