Silk Road 2.0 Court Docs Show US Government Paid Carnegie Mellon Researchers To Unmask Tor Users

from the you-can-browse-privately,-just-don't-expect-your-privacy-to-hold-up-in-court dept

Rumors that the US government used a university's research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon's lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU's legal team may have been concerned the researchers' actions had broken wiretap laws.

Nearly a year-and-a-half later, hints were dropped that CMU's Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ's prosecution of Brian Ferrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Ferrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as "Operation Onymous," which began a few months after the hastily-cancelled Black Hat talk.

Included in the information handed over to Farrell's legal representative was the following:

On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.
Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they "were not aware of any payment" and the FBI stating the allegation it had paid CMU $1 million was "inaccurate" -- which is not nearly the same thing as saying the allegation was false.

Three months after the FBI rumor/tip, the government's use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.
[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.

“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.

“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.
So, the DoD "hired" CMU researchers to find ways to unmask Tor users. It's probably worth noting here that the NSA... is a part of the DoD. The FBI was not directly involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it's interested in discussing its fortuitous timing…
When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”
The buck has been passed, but CMU refuses to touch it.
Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement."
This statement says nothing more than CMU receives subpoenas from time to time and hints that everybody is probably wrong about everything because "inaccurate media reports."

Farrell's lawyers have tried to obtain more details on CMU's DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI's now-infamous "Playpen" case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there's no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.
“SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.
In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word.

So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU's researchers. And all the while, the FBI has apparently been looking over the DoD's shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won't have to, thanks to Judge Richard Jones.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anonymity, defense department, dod, fbi, tor, unmasking
Companies: carnegie mellon, silk road 2.0


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    NOT Judge Richard A no expectation of privacy Jone, 25 Feb 2016 @ 11:21am

    Losing Respect

    Through actions the public continues to lose respect for an overreaching government. Also CMU's computer/technology department with efforts like Alice were well respected but this will affect it.

    link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 25 Feb 2016 @ 11:29am

    Over 200,000 German Holocaust perpetrators

    Yes, Godwin'd in one.

    We humans really like law. The times have been uncountable when in Techdirt articles about clear overreach (say pinning child porn charges on teens sexting others with pictures of themselves) that we'll get a few folks saying the law's the law. As if by enshrining something in state policy makes it sacred, and this makes it right that poor ignorant-but-sexually-explorative tyke is to be tossed into jail and onto the Sex-Offender Registry.

    (It gets worse when the source is popularly sacred, such as the bible or Koran, at which point we see debacles like Kim Davis)

    We've also seen plenty of articles on this site in which the FBI has clearly been acting not in the interest of the law, but to protect its own best interests, often contrary to the law, such as the way it doesn't report police shootings to Congress, even through it's mandated to do so.

    So it comes down to this:

    The FBI is not our friend.

    We'd probably be best off dismantling it entirely and erecting an agency to do those services we'd miss. But that's not going to happen in this political clime, any more than we're going to move our food stamp program from Agricultural Services to Human Welfare. It's very hard to make big changes like that in our government, so agencies like the FBI (or CIA or NSA) are here to stay even when they outlive their usefulness, or have internally changed enough that they serve no-one else but themselves.

    The FBI is not our friend, and we should suffer them no more power than they already have, as those powers will only be used to persecute more innocent Americans...again as we've seen here in plenty of Techdirt articles.

    And it's frustrating that just because FBI guys carry a shiny badge that some people are willing to give them unlimited license.

    We've seen where that degree of authority goes.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 11:35am

    ...the FBI stating the allegation it had paid CMU $1 million was "inaccurate"...

    Translation: It was more like $2 million.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2016 @ 2:30pm

      Re:

      Nonononono. I smell blackmail material.

      After all, why pay when you can commit crimes while you're at it? Indeed, having a badge is the first step to becoming a master criminal in the Corporate States of America.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Feb 2016 @ 2:41pm

        Re: Re:

        Having a badge only gets you so far, but to become really successful you get yourself elected to congress.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 11:37am

    Turn about will be sweet

    At least we will be able to look back and see literally everything that our transparent government has been doing in our name by the time my children have children. There are two reasons for secrecy and no one believes it is for our good any longer. Lets see how they howl when their actions are paraded about in the light of day and their own words about how no one can expect privacy ever are shoved down their throats.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2016 @ 11:49am

      Re: Turn about will be sweet

      Thats not how this privacy/secrecy thing works. Ever see a one-way mirror. You know which side your standing on.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2016 @ 10:22pm

      Re: Turn about will be sweet

      I would say it is 50/50 if Americans will revolt or just be willing slaves to tyranny.

      link to this | view in chronology ]

      • icon
        John Fenderson (profile), 26 Feb 2016 @ 8:28am

        Re: Re: Turn about will be sweet

        There is a third way. And probably more that I can't think of right now.

        link to this | view in chronology ]

  • icon
    SirWired (profile), 25 Feb 2016 @ 11:53am

    Errr... Duh.

    Does anybody seriously expect that the FBI wouldn't want to have a way to eavesdrop/de-anonymize/etc. Tor users? While I am going to conveniently ignore whether or not this ability is being put to worthy ends or being requested in the right ways, this general technical concept is kind of exactly what we pay law enforcement and intelligence agencies to do and is not particularly controversial.

    What did you expect them to do? "Oh, darn. Tor makes it hard to figure out who is saying what to whom. I guess we'll just let anything that happens there slide."

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2016 @ 12:49pm

      Re: Errr... Duh.

      All true, however information has come to light that the federal agencies haven't been respecting boundaries or even the law as it applies to them.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 11:58am

    Most likely, CMU isn't talking because of two reasons. One is it is highly likely they have a letter stating they are not to speak of this.

    The second is likely that someone has come by and said, "If you like the money you are getting on your projects, you won't speak of this".

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 2:59pm

    Look at this, EFF.

    link to this | view in chronology ]

  • identicon
    Christenson, 25 Feb 2016 @ 8:49pm

    1967 Katz Decision....

    Our dear judge is going squarely against the 1967 Katz decision...see recent techdirt article, mentioning that taking certain actions in public *do* create an expectation of privacy.

    https://www.techdirt.com/articles/20160214/13474233602/judge-wants-to-know-more-about-fbis-s ecret-recordings-conversations-near-courthouse-steps.shtml

    There's enough here to appeal -- use of heavy cryptography *should* create an expectation of privacy, and require at least a warrant to break.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Mar 2016 @ 2:25pm

      Re: 1967 Katz Decision....

      Our dear judge is going squarely against the 1967 Katz decision...

      A lot things came out of the 60's that some judges would really like to roll back. Desegregation, civil rights, etc..

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 10:14pm

    Here is the government's defense

    "we broke the law to go after people we did not like, even though they did nothing legally wrong. give us the benefit of the doubt these are horrible people without ever asking us to prove they did anything other annoy us for differant lifestyle choices"

    link to this | view in chronology ]

  • identicon
    Buck Wheaton, 26 Feb 2016 @ 10:43am

    "In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word. "

    Government always gives government a pass, especially when government can seize the power to define the meaning of the words.

    We have no law when government is the only body that can define what it means. The only peaceful recourse for the citizen is to keep this in mind when voting.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.