Silk Road 2.0 Court Docs Show US Government Paid Carnegie Mellon Researchers To Unmask Tor Users
from the you-can-browse-privately,-just-don't-expect-your-privacy-to-hold-up-in-court dept
Rumors that the US government used a university's research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon's lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU's legal team may have been concerned the researchers' actions had broken wiretap laws.
Nearly a year-and-a-half later, hints were dropped that CMU's Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ's prosecution of Brian Ferrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Ferrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as "Operation Onymous," which began a few months after the hastily-cancelled Black Hat talk.
Included in the information handed over to Farrell's legal representative was the following:
On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they "were not aware of any payment" and the FBI stating the allegation it had paid CMU $1 million was "inaccurate" -- which is not nearly the same thing as saying the allegation was false.
Three months after the FBI rumor/tip, the government's use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.
[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.So, the DoD "hired" CMU researchers to find ways to unmask Tor users. It's probably worth noting here that the NSA... is a part of the DoD. The FBI was not directly involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it's interested in discussing its fortuitous timing…
“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.
“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.
When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”The buck has been passed, but CMU refuses to touch it.
Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement."This statement says nothing more than CMU receives subpoenas from time to time and hints that everybody is probably wrong about everything because "inaccurate media reports."
Farrell's lawyers have tried to obtain more details on CMU's DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI's now-infamous "Playpen" case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there's no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.
“SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word.
So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU's researchers. And all the while, the FBI has apparently been looking over the DoD's shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won't have to, thanks to Judge Richard Jones.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anonymity, defense department, dod, fbi, tor, unmasking
Companies: carnegie mellon, silk road 2.0
Reader Comments
Subscribe: RSS
View by: Time | Thread
Losing Respect
[ link to this | view in chronology ]
Over 200,000 German Holocaust perpetrators
We humans really like law. The times have been uncountable when in Techdirt articles about clear overreach (say pinning child porn charges on teens sexting others with pictures of themselves) that we'll get a few folks saying the law's the law. As if by enshrining something in state policy makes it sacred, and this makes it right that poor ignorant-but-sexually-explorative tyke is to be tossed into jail and onto the Sex-Offender Registry.
(It gets worse when the source is popularly sacred, such as the bible or Koran, at which point we see debacles like Kim Davis)
We've also seen plenty of articles on this site in which the FBI has clearly been acting not in the interest of the law, but to protect its own best interests, often contrary to the law, such as the way it doesn't report police shootings to Congress, even through it's mandated to do so.
So it comes down to this:
The FBI is not our friend.
We'd probably be best off dismantling it entirely and erecting an agency to do those services we'd miss. But that's not going to happen in this political clime, any more than we're going to move our food stamp program from Agricultural Services to Human Welfare. It's very hard to make big changes like that in our government, so agencies like the FBI (or CIA or NSA) are here to stay even when they outlive their usefulness, or have internally changed enough that they serve no-one else but themselves.
The FBI is not our friend, and we should suffer them no more power than they already have, as those powers will only be used to persecute more innocent Americans...again as we've seen here in plenty of Techdirt articles.
And it's frustrating that just because FBI guys carry a shiny badge that some people are willing to give them unlimited license.
We've seen where that degree of authority goes.
[ link to this | view in chronology ]
Translation: It was more like $2 million.
[ link to this | view in chronology ]
Re:
After all, why pay when you can commit crimes while you're at it? Indeed, having a badge is the first step to becoming a master criminal in the Corporate States of America.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Turn about will be sweet
[ link to this | view in chronology ]
Re: Turn about will be sweet
[ link to this | view in chronology ]
Re: Turn about will be sweet
[ link to this | view in chronology ]
Re: Re: Turn about will be sweet
[ link to this | view in chronology ]
Errr... Duh.
What did you expect them to do? "Oh, darn. Tor makes it hard to figure out who is saying what to whom. I guess we'll just let anything that happens there slide."
[ link to this | view in chronology ]
Re: Errr... Duh.
[ link to this | view in chronology ]
The second is likely that someone has come by and said, "If you like the money you are getting on your projects, you won't speak of this".
[ link to this | view in chronology ]
[ link to this | view in chronology ]
1967 Katz Decision....
https://www.techdirt.com/articles/20160214/13474233602/judge-wants-to-know-more-about-fbis-s ecret-recordings-conversations-near-courthouse-steps.shtml
There's enough here to appeal -- use of heavy cryptography *should* create an expectation of privacy, and require at least a warrant to break.
[ link to this | view in chronology ]
Re: 1967 Katz Decision....
A lot things came out of the 60's that some judges would really like to roll back. Desegregation, civil rights, etc..
[ link to this | view in chronology ]
"we broke the law to go after people we did not like, even though they did nothing legally wrong. give us the benefit of the doubt these are horrible people without ever asking us to prove they did anything other annoy us for differant lifestyle choices"
[ link to this | view in chronology ]
Government always gives government a pass, especially when government can seize the power to define the meaning of the words.
We have no law when government is the only body that can define what it means. The only peaceful recourse for the citizen is to keep this in mind when voting.
[ link to this | view in chronology ]