Researchers at Carnegie Mellon University have become embroiled in an ethics row after being accused of being paid by the FBI to help track down alleged criminals online. Their help allegedly consisted of cracking the anonymous web browser Tor, in order to reveal the identities of the browser’s users.
A statement released by The Tor Project, the organisation that builds Tor to help users browse the internet anonymously, claims that researchers were paid “at least $US1 million” (£660,000) to help de-anonymize Tor users.
At its simplest, Tor works by routing its users’ traffic through one another’s connections to mask their location: a Spanish Tor user might look like they’re accessing the internet from Washington, D.C., while a Venezuelan might appear to be located in Finland.
This anonymity makes it a valuable tool to a wide range of people — from whistleblowers and activists to drug dealers and child pornographers.
Any software is vulnerable to bugs and exploits, however, and in 2014, a research team from Carnegie Mellon planned to publish research at the Black Hat conference detailing an apparent vulnerability that would let an attacker “de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months.” It would cost less than $US3,000.
They withdrew their submission before exhibiting.
This research subsequently made its way into the hands of the FBI, The Tor Project claims, which allegedly paid handsomely for it. Wired reports that the research was likely used in Operation Onymous — a large-scale law enforcement operation in 2014 that shuttered more than 50 websites accessible through Tor that were used to sell drugs and for other illegal activities — most notably Silk Road 2.0.
Motherboard has seen court documents relating to the closure of Silk Road 2.0 that say its identification was thanks to a “university-based research institute.”
In a blistering statement, The Tor Project labels this a “violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.”
It continues: “This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”
Carnegie Mellon didn’t outright deny the accusations when asked by Wired. “I’d like to see the substantiation for their claim,” said Ed Desautels of the university’s Software Engineering Institute. “I’m not aware of any payment.” Business Insider has also reached out to the university for comment on the claims.