Allegations are surfacing that the Federal Bureau of Investigation paid Carnegie Mellon University, here in Pittsburgh, $1 million to hack into the Tor network.
Many of us have used the Tor project, which is designed to mask users identities by encapsulating and encrypting network packets between different nodes (like layers of an onion) on the Internet. The layers obscure and anonymize the source and destination of Internet traffic. For those concerned about privacy, especially in parts of the world were oppressive governments exist, the Tor project provides an essential way for people to avoid the real risk and danger of government surveillance.
This particular attack was publicized in 2014 and since that time, the Tor project took steps to slow down or stop this type of attack in the future. The most troubling piece is that there is no indication that the FBI had a warrant or that CMU any institutional oversight (by the university’s institutional review board). It seems unlikely that the FBI could have gotten a search warrant; the traffic captured during the estimated five months the project active was not targeted to any specific source or destination, but was a large general data-gathering operation. The data was later sifted through by the FBI to find people whom they could accuse of crimes.
While there may certainly be some Tor users that utilize the anonymizing capabilities of the network for crime, many use the Tor network to protect themselves from serious harm. This attack ran for approximately five months; during that time, it had the potential to de-anonymize many thousands of Tor users.
Academic research versus outsourcing police work: In our ever increasing technological world, we need to be mindful of privacy, security and upholding the fundamentals that our system of laws is based upon, for example the fourth amendment of the U.S. Constitution.