Carnegie Mellon University today implied in a statement that it was served with a subpoena to hand over research related to unmasking the identity of users on the Tor network, and that it was not paid $1 million by the FBI for doing so, as alleged by the Tor Project.

The statement, released shortly after noon Eastern, is vague and fails to answer a number of outstanding questions, not only about the ethics and legality of the attack on Tor, but also about whether the research was prompted by the government, which, as the Snowden documents revealed, has had its struggles breaking Tor traffic.

CMU executive director of media relations Kenneth Walters said no one at the university would be available for additional comments in response to a request made by Threatpost. A request for comment made to the Tor Project was not returned in time for publication.

Carnegie Mellon’s statement in its entirety:

There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University’s Software Engineering Institute work in cybersecurity.

Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.

In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.

“CMU suggests it did not willingly hand over the research to the government. I think the big question remains as to why did the team go out and conduct that research in the first place. Was it something they did on their own, or was it something that was requested they do?” said Chris Soghoian, principal technologist for the American Civil Liberties Union. “We don’t know the extent to which this was coordinated. CMU’s reluctance to be forthcoming about this suggests there’s probably a lot they don’t want the public to learn.”

Tor Project director Roger Dingledine threw gasoline on the fire last week when he accused CMU of accepting a $1 million payout from the FBI for the project, which was allegedly used to gather evidence to try to convict two individuals, one allegedly involved in the Silk Road 2.0 operation and the other allegedly involved in child pornography. Motherboard published court documents on Nov. 11 from the case against Brian Richard Farrell, a defendant in the Silk Road 2.0 trial, that allege Farrell’s involvement in the operation was determined from information obtained by a “university-based research institute and the federal government.”

CMU’s evasiveness, meanwhile, is not court ordered, Soghoian said.

“Subpoenas don’t come with gag orders,” he said. “If there had been a gag order, there would have been a court order. Subpoenas are like a prescription pad a doctor has in his office. Just type one up and print it out.”

The university’s researchers Alexander Volynkin and Michael McCord, both of whom list their affiliations with CERT, a DHS-funded office working out of the CMU Software Engineering Institute, are in the middle of an ethical storm as well. Again, CMU’s evasiveness is not helping here, but instead leaves the situation open to interpretation as to whether they were operating under the oversight of the CMU Institutional Review Board and whether they crossed an ethical line unmasking a significant amount of Tor traffic, putting bystanders in the crosshairs of their research along with Farrell and Gabriel Peterson-Siler, alleged to be in possession of child porn.

“…There’s also a view that computer security research can’t really hurt people, so there’s no real reason for sort of ethical oversight machinery in the first place,” wrote Matthew Green, a Johns Hopkins cryptography professor. “This is dead wrong, and if we want to be taken seriously as a mature field, we need to do something about it.”

Green was critical of the attack and wondered whether the researchers took steps to prevent the de-anonymization of “innocent bystanders,” a hallmark of any scientific research where human subjects are involved, he said.

“If the researchers did take such steps, it would be nice to know about them. CMU hasn’t even admitted to the scope of the research project, nor have they published any results, so we just don’t know.”

What is known is that CERT, operating at CMU, is a federally funded research and development center, meaning that even if the FBI didn’t directly pay for the project, the government indirectly supported it and likely paid for the Tor servers Volynkin and McCord were running.

“The research institute gets all of its money from the federal government. They may deny they were paid by the FBI to do this thing, but the salaries of the researchers were paid with federal dollars,” Soghoian said. “What we believe is that the researchers ran a large number of Tor servers. It’s unclear who paid for them; one would imagine the money did come from research funds which came from the government.”

Volynkin and McCord, meanwhile, have been silent about this since the beginning when they pulled their Black Hat talk on July 21, 2014, several weeks before it was scheduled to be presented in Las Vegas. Then on July 30, 2014 came an advisory from the Tor Project that attackers had been on their network for close to six months trying to unmask Tor hidden services users. The traffic confirmation attacks were cut off and the vulnerability used in the attacks was patched by the Tor Project, which linked the attacks to the CMU researchers. Tor’s Dingledine said at the time that the researchers shared some information about the attack upon request, but that they’d never privately disclosed their findings to Tor.

Last week, Dingledine said in a post to the Tor Project blog that the attack set a troubling precedent.

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” he said. “Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”
