14 DAY TRIAL // The Tor Project had some stingy words for the FBI and the Carnegie Mellon University (CMU) in Pittsburgh, USA, accusing them of joining forces in a private agreement to find a way to hack the Tor network and deanonymize users.
According to a post on the project's blog, the FBI agreed to pay $1 million (€0.9 million) for research that would allow it to unmask TOR users.
The research was carried out by Carnegie Mellon scientists back in 2015 and was the subject of a small controversy, even if never published.
The attack/research took place back in 2014
In January 2014, 115 new Tor relays belonging to CMU were added to the network. These relays were used to launch an attack on the Tor network, documented in a research paper that the scientists wanted to present at the Black Hat 2014 conference.
The Tor project found out about the research from a short abstract description on the conference's website. It contacted the researchers for more details, but they declined to comment. After further email exchanges, the scientists were careless enough to provide some hints about their upcoming presentation.
The Tor project used these clues and data logs from the attacks to issue a fix to their Tor software on July 30, just days before the Black Hat presentation, which the researchers eventually had to cancel.
The reason given for the cancellation was that the CMU's leadership did not approve the public release of this research.
The 115 Tor relays that launched the attack were also ejected from the network.
CMU might have breached research ethics and even some US laws
The entire story raised some concerns about the research's ethics and the professionalism of CMU's staff. Now, one year later, the Tor Project team is raising those questions again and is implying that the whole affair was actually orchestrated by the FBI, looking for a way to snoop on Tor traffic.
According to Tor's team, the FBI paid for the research and did not have a judge-ordered warrant to sniff user traffic.
"We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," says the Tor team. "This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities."
For now, the Tor Project has not provided any proof of the "alleged" $1 million FBI payment.