Silk Road 2.0 Court Docs Show US Government Paid Carnegie Mellon Researchers To Unmask Tor Users

from the you-can-browse-privately,-just-don't-expect-your-privacy-to-hold-up-in-court dept

Rumors that the US government used a university's research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon's lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU's legal team may have been concerned the researchers' actions had broken wiretap laws.



Nearly a year-and-a-half later, hints were dropped that CMU's Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ's prosecution of Brian Farrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Farrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as "Operation Onymous," which began a few months after the hastily-cancelled Black Hat talk.



Included in the information handed over to Farrell's legal representative was the following:

On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.

[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.



“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.



“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.

When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement."

“SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.


Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they "were not aware of any payment" and the FBI stating the allegation it had paid CMU $1 million was "inaccurate" -- which is not nearly the same thing as saying the allegation was false.

Three months after the FBI rumor/tip, the government's use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.

So, the DoD "hired" CMU researchers to find ways to unmask Tor users. It's probably worth noting here that the NSA... is a part of the DoD. The FBI was not involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it's interested in discussing its fortuitous timing…

The buck has been passed, but CMU refuses to touch it.

This statement says nothing more than CMU receives subpoenas from time to time and hints that everybody is probably wrong about everything because "inaccurate media reports."

Farrell's lawyers have tried to obtain more details on CMU's DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI's now-infamous "Playpen" case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there's no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.

In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word.

So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU's researchers. And all the while, the FBI has apparently been looking over the DoD's shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won't have to, thanks to Judge Richard Jones.

Filed Under: anonymity, defense department, dod, fbi, tor, unmasking

Companies: carnegie mellon, silk road 2.0