The United States government wants to know the people who use Tor, and it has enlisted Carnegie Mellon University to do the job for it.
Tor is, of course, the free software tool designed to cloak the identity and location of people communicating with each other. The Department of Defense has recently tapped Carnegie Mellon University’s Software Engineering Institute to develop a method for breaking that anonymity network. This is bad news for people who rely on the network for obscurity. Good news for the government’s surveillance program.
The government’s effort to identify Tor users was brought to light after Brian Farrell, defendant of a charge for dealing drugs, filed a motion to learn the technique used by Carnegie Mellon University to uncover the IP addresses of the otherwise anonymous Tor users. Farrell learned that researchers at Carnegie Mellon were able to crack his IP address and submitted the information to the FBI under a subpoena order.
The government agreed to disclose the discovery technique used by the researchers at Carnegie Mellon, which acknowledged that the SEI and DoD jointly funded the project and designed the discovery method. Carnegie Mellon is washing its hands of the matter. However, the institution acknowledged that it had, indeed, collaborated with the DoD to gain the IP address of Tor users, but only because it was subpoenaed by the FBI for said information.
The US court that warranted the discovery tried to justify its decision by citing a previous ruling that dismissed the rights of Internet users to privacy on grounds that their IP addresses are accessible to the websites they visit and to the Internet service providers anyway. Besides, the court adds, Tor users must not expect privacy since most networks have vulnerabilities that can be exploited to uncover their IP addresses.
In exchange, the people behind the Tor project argued that the judge lacked proper comprehension of the network’s operations. They recognized the fact that IP addresses are visible to network nodes, but added that this information is hidden from public view as it traverses the network.
This is not the first time that Carnegie Mellon University appeared to have participated in the FBI’s work to break into the Tor anonymity. Late last year, the Tor Project blew the whistle on a collaboration between the FBI and CMU for that same purpose. In the middle of 2015, Tor also revealed a sort of spying on the network by people who wanted to establish the identity of Tor users.