The team behind the world’s largest anonymous online network is accusing the FBI of paying security researchers at least $1 million to uncover the identities of its users as part of a sweeping criminal investigation.
If true, the payment would represent a concerning collaboration that may be illegal if the FBI didn’t obtain a warrant, according to the Tor Project, which oversees the online anonymity software Tor.
{mosads}In a late Wednesday blog post, Tor Project Director Roger Dingledine said the FBI directed researchers at Carnegie Mellon University to find out the personal details of a wide swath of Tor users.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Dingledine said. “There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board.”
“We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once,” he added.
According to multiple reports, the unmasking efforts came during the FBI’s investigation into Silk Road 2.0, the major dark Web market that, like its notorious predecessor, enabled more than 100,000 people to buy and sell illegal drugs anonymously over the Internet, according to the Justice Department.
In the bust last November, authorities took down the central marketplace and dozens of other similar dark Web sites, while arresting a handful of people in connection with Silk Road 2.
At the time, Tor acknowledged it wasn’t sure exactly how investigators had cracked the anonymity of the Tor users, and many worried Tor might have been widely compromised.
If investigators indeed relied on security researchers, Tor may have some answers for how the users were discovered.
But that also “sets a troubling precedent,” according to Dingledine.
“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” he said. “If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute.”
Further, Dingledine warned that the tactic could violate the Fourth Amendment rights of Internet users.
“If this kind of FBI attack by university proxy is accepted, no one will have meaningful Fourth Amendment protections online and everyone is at risk,” he said. “We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people’s privacy, and certainly cannot give it the color of ‘legitimate research.’”
Tor has not yet provided definitive proof of the payment and the FBI did not immediately respond to a request for comment.
Carnegie Mellon said it would wait for more evidence to come out.
“I’d like to see the substantiation for their claim,” Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, told Wired. “I’m not aware of any payment.”