Researchers at Carnegie Mellon University are refuting claims that a $1 million payment received from the Federal Bureau of Investigation was for their role in hacking Tor.
Tor, which stands for The Onion Router, is a project that provides any Internet user with the option of complete anonymity through a network of encrypted servers around the globe. The project is well known for its ability to protect users from Internet surveillance, including that of the NSA and GCHQ. Both organizations were revealed by whistleblower Edward Snowden to be tracking the activities of a majority of people on the Internet through unlawful data interception techniques.
While privacy advocates support Tor, the anonymity provided by the project is also used by criminals to hide their illicit deeds. In the wake of the recent Paris attacks, U.S. officials tried to use the situation, as well as other recent attacks in middle eastern countries, as examples of why they should be allowed to spy on users over the Internet. Calls were also made by these officials for technology groups to create encryption technology containing backdoors so that authorities could keep tabs on terrorist groups, which are increasingly using encryption to mask their communications.
The calls, by the way, were not well-received by the general public, nor many of the technology organizations the government was looking for support from.
Using a tragedy as an excuse to drum up fear around encryption is not ok. Encryption is not for terrorists. https://t.co/bMa7oT6Mcc
— Simply Secure (@simplysecureorg) November 20, 2015
Clearly, the U.S. has a vested interest in breaking Tor, as it’s one of the leading ways people hide their activities from prying eyes online.
In a statement made on November 11, the director of Tor, Roger Dingledine, accused Carnegie Mellon University researchers of being behind an attack that exposed users of Tor to authorities in 2014. Dingledine further claimed that the FBI paid the CMU researchers $1 million — a claim both CMU and the FBI reject.
When questioned about the accusations, an FBI spokesperson told Forbes that CMU was not compensated $1 million, though they did not deny making a payment, nor did they elaborate on the relationship they have with the university.
CMU openly admits that their cybersecurity researchers have made attempts at breaking Tor. The university denies, however, receiving any payment from any organization in respect to Tor research. In a statement, the university said that their relationship with the FBI only exists due to a subpoena that was served, and that the school received “no funding for its compliance”.
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.
Kate Krauss, a Tor spokeswoman, questioned the claims made, arguing that if both organizations are telling the truth, then how would the FBI have known what to subpoena from CMU to begin with? The implication suggests that if a subpoena was served, the FBI and Carnegie Mellon University must have been working together prior to any court order compelling the school to do so.
The statements have done little to comfort privacy advocates who have described the exposure of users on Tor as unethical. One Twitter user, Matthew Green tweeted, “Dear CMU: one way to not get subpoenaed over your unethical research is to not do said research in the first place.”
Not all are against CMU’s attempts at breaking Tor. Some argue that it is no different from testing any other website or service for security issues — though generally the “accepted” use of that research is to help make that service better overall, not to exploit it.
The controversy demonstrates the challenges the U.S. is having balancing surveillance with privacy — a somewhat ironic issue considering that in an ideal situation, both are intended to improve the safety of citizens.
