The Tor Project, which creates free software for anonymous web browsing, has accused Carnegie Mellon University of working with the FBI to compromise its network, but the FBI has denied the allegations.
The network was breached last year, which led to information on Tor’s previously anonymous users being leaked to a third party. Attackers created more than a hundred new relays on the Tor network and used them to harvest user data between February and July, when Tor discovered and closed the loophole.
Now Tor claims it knows who was behind the attack. In a blog post, the Tor Project alleges that the FBI paid $1 million to Carnegie Mellon University to help them crack the network. Researchers from the college’s Computer Emergency Response Team (CERT) were due to give a presentation at a hacking conference last year on security vulnerabilities in the Tor network, which they claimed could be exploited with just $3,000 worth of hardware.
After the Tor Project discovered the vulnerability in July, the presentation was called off. At this point, Tor claims that the researchers stopped responding to their emails.
Shortly after the attack on Tor, the FBI and the Department of Homeland Security, along with European law enforcement agencies, began Operation Onymous, which targeted crime and malpractice on the ‘Deep Web,’ a hidden section of the internet that can be accessed via Tor browsers, but not via regular browsers. 410 hidden services only accessible through Tor were shut down, 17 sellers and site administrators were arrested, and more than $1 million in Bitcoin was seized during the operation.
The Tor Project made its allegations after court documents revealed the FBI used information on Tor users obtained “by a university-based research institute” to identify a staff member of the Silk Road, a marketplace for illegal drugs and other items on the Deep Web. Court documents show the FBI referencing a source that gave “reliable IP addresses for Tor and hidden services” between January and July 2014 – the same dates as Tor’s security breach.
In their blog post, the Tor Project said:
Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.
This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute.
The FBI has strongly denied the Tor Project’s allegations. Speaking to The Hill, a spokesman from the agency said that the claims were “inaccurate.”