posted by janrinok on Sunday November 22 2015, @02:15AM   Printer-friendly
from the legality-v-morality dept.

Carnegie Mellon University has fired back in the Tor dispute, saying that it wasn't paid by the FBI to reveal its de-anonymisation research outputs.

The university's statement on the matter is here and includes the following:

"There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity.

"Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.

"In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."

Does it make it better that the government seized their research, which they paid to develop, without due process of law [Ed: isn't a subpoena a legal process?] or compensation?

Originally covered by SoylentNews.


Related Stories

Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users

Wired and others are reporting on a Tor blog post claiming that Carnegie Mellon University researchers were paid by the Federal Bureau of Investigation to help attack Tor hidden services:

"Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine writes. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."

Tor's statement all but confirms that Carnegie Mellon's attack was used in the late 2014 law enforcement operation known as Operation Onymous, carried out by the FBI and Europol. That dark web purge took down dozens of Tor hidden services, including several of the most popular Tor-based black markets for drugs including the Silk Road 2, and led to at least 17 arrests. Tor, for its part, has made efforts to subsequently block the attack, which it says it first detected in July of 2014.

When WIRED contacted Carnegie Mellon, it didn't deny the Tor Project's accusations, but pointed to a lack of evidence. "I'd like to see the substantiation for their claim," said Ed Desautels, a staffer in the public relations department of the university's Software Engineering Institute. "I'm not aware of any payment," he added, declining to comment further.

Tor's Dingledine responded to that call for evidence by telling WIRED that it identified Carnegie Mellon as the origin of the attack by pinpointing servers running on Tor's network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers—a suspicion based on the canceled Black Hat conference presentation—the anomalous servers disappeared from the network and the university offered no response. The $1 million payment, Dingledine says, was revealed to Tor by "friends in the security community."

Previously:

July 26, 2014: Russia Offers $111,000 to Break TOR Anonymity Network
September 30, 2014: Tor Executive Hints at Firefox Integration
November 8, 2014: Huge Raid to Shut Down 400-plus DarkNet Sites
November 10, 2014: Tor Project Mulls How Feds Took Down Hidden Websites
November 17, 2014: Is Tor a Honeypot?
December 22, 2014: Servers Seized After Tor Developers Warn of Potential Government Attempt To Take Down Network

  • (Score: 2, Insightful) by Anonymous Coward on Sunday November 22 2015, @03:23AM

    by Anonymous Coward on Sunday November 22 2015, @03:23AM (#266417)

    They already were compensated: in advance via funding. The federal government did not necessarily need a subpoena to acquire the work. It was used merely to ensure compliance.

    • (Score: 0) by Anonymous Coward on Sunday November 22 2015, @03:45AM

      by Anonymous Coward on Sunday November 22 2015, @03:45AM (#266420)

      That is a bit of a twisted way of looking at it. If they were truly compelled via subpoena that is a big difference. The real question would then be why did they start the research? Were they white or black hats?

    • (Score: 4, Informative) by MrGuy on Sunday November 22 2015, @04:27AM

      by MrGuy (1007) on Sunday November 22 2015, @04:27AM (#266437)

      A subpoena is not a tool to compel compliance with a contractual obligation. A subpoena is for evidence.

      A court order to compel would be the tool to force someone to turn over work product that they're contractually obligated to turn over to you and have not. And applying for an order to compel would generally be a step after asking and being refused - a court isn't generally going to look kindly on a motion requesting the court order someone to do something when they haven't at least been asked to do so voluntarily first. You generally don't get a court to agree to demand someone do something just because they MIGHT refuse.

      As I understand it (IANAL), the order of operations here would be a request from the government to CMU to turn over the research, followed by a refusal to do so, followed by the government filing a motion to compel, serving said motion on CMU, followed by (if CMU wants to contest the issue) the government and CMU going to court and making arguments, followed by a ruling by the court issuing a motion to compel, which may or may not be appealed, etc.

      Maybe that all did happen in this case - CMU's statement is more than a little vague on whether ANYTHING actually happened.

      • (Score: 3, Insightful) by frojack on Sunday November 22 2015, @05:03AM

        by frojack (1554) on Sunday November 22 2015, @05:03AM (#266445) Journal

        a court isn't generally going to look kindly on a motion requesting the court order someone to do something when they haven't at least been asked to do so voluntarily first.

        MrGuy Meet Mr FISA Court.

        The whole purpose of FISA courts is to issue court orders with no advance warning, usually accompanied with a STFU order.

        I tend to agree with the GP that there was probably a generic grant that funded this research. Hell their whole mission statement starts off with:

        Assured software—functioning as intended and free of vulnerabilities—is critical to the system capabilities that U.S. Department of Defense (DoD), civilian government, and industry organizations need to achieve their missions.
        For over three decades, the Software Engineering Institute (SEI) has been helping government and industry organizations to acquire, develop, operate, and sustain software systems that are innovative, affordable, enduring, and trustworthy. We serve the nation as a Federally Funded Research and Development Center (FFRDC) sponsored by the U.S. Department of Defense (DoD) and are based at Carnegie Mellon University, a global research university annually rated among the best for its programs in computer science and engineering.

        How much more clearly would you like them to explain it?

        They didn't get any MORE money for compliance with the subpoena. All they got was deniability, which was fairly short lived.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Sunday November 22 2015, @04:02AM

    by Anonymous Coward on Sunday November 22 2015, @04:02AM (#266426)

    They initiated the research, which was funded. It's not always easy to envision the eventual outcomes of research work, but this is not one of those cases. They may not have been _compensated_ for their _compliance_, but they'd have to be naive to the point of stupid to not have anticipated the eventual request.

    Which, BTW, is not to imply that the research shouldn't have been done. Just that how you do it, what you give out, and to whom, is not value-free.

  • (Score: 2) by MrGuy on Sunday November 22 2015, @04:10AM

    by MrGuy (1007) on Sunday November 22 2015, @04:10AM (#266429)

    Does it make it better that the government seized their research, which they paid to develop, without due process of law [Ed: isn't a subpoena a legal process?] or compensation?

    IANAL, but I would be surprised if a subpoena constituted "due process of law" in this instance. At least, not if it's being used to obtain the source code or research for law enforcement to use.

    A subpoena [wikipedia.org] is a mechanism to compel testimony or evidence production, as part of a specific legal or government proceeding (generally a court proceeding). It's not a carte blanche tool for the government to seize anything it wishes to from private hands without compensation for the government's use to speculatively investigate others.

    If (for example) there was a court case currently pending that related to Tor, and the specifics of the research done by SEI were relevant to that case (e.g. whether part of the case was about proving the identity of someone using Tor, and they required expert testimony whether the evidence they had "proved" the identity of a Tor user), then a subpoena would be appropriate. That's how subpoenas are supposed to work - they're used to compel specific testimony or evidence relevant to a pending case.

    However, if the government wanted the source code developed by researchers so they could USE that source code as a tool to investigate others (against whom cases were NOT currently pending), then a subpoena seems wholly inappropriate. It would be like having the FBI "subpoena" a copy of the source code to Microsoft Windows, then build Windows from source and install it on all their computers without paying a royalty, on the theory that the computers help them investigate potential future crimes.

    Even if all they want to do is READ the research, in hopes of learning information they can use to develop tools to potentially investigate crimes in the future, a subpoena feels inappropriate. There's no specific case pending that the research supports. Even a National Security Letter [wikipedia.org] (which is a form of subpoena) in theory shouldn't apply to general research - NSLs are supposed to be for information relevant to specific investigations, not a speculative fishing expedition (though the history of NSLs complying with that standard), and in any case are supposed to be used to gather evidence, not "tools."

    • (Score: 0) by Anonymous Coward on Sunday November 22 2015, @04:21AM

      by Anonymous Coward on Sunday November 22 2015, @04:21AM (#266435)

      [Ed: isn't a subpoena a legal process?]

      It's like opt-in vs. opt-out.

      A search warrant is issued by a judge after receiving evidence supportive of the warrant. A subpoena is issued by an attorney and unless you go to a court and ask for a protective order, no judge looks at it but you must comply.

  • (Score: 0) by Anonymous Coward on Sunday November 22 2015, @04:21AM

    by Anonymous Coward on Sunday November 22 2015, @04:21AM (#266436)

    There's a subtle difference between getting funding to do research and being paid exclusively to pursue an avenue of research. I'm sure they would be glad to receive funding from private anonymous donors instead of the government.

  • (Score: 2, Interesting) by Some call me Tim on Sunday November 22 2015, @05:46AM

    by Some call me Tim (5819) on Sunday November 22 2015, @05:46AM (#266451)

    TFA says that they are federally funded, but who exactly is funding them? You would think there would be some kind of contract stipulating how the funds are used and who gets access to the results. If it's the FBI then they may have some right to the results of the research. If that's the case, why do they need a subpoena?
    If they don't like the way they're being treated they can either put up with it and stop whining or stop taking funds from the feds.
    /sorry, kind of rambling...

    --
    Questioning science is how you do science!
    • (Score: 2) by frojack on Sunday November 22 2015, @06:23AM

      by frojack (1554) on Sunday November 22 2015, @06:23AM (#266462) Journal

      DOD.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Sunday November 22 2015, @07:22AM

        by Anonymous Coward on Sunday November 22 2015, @07:22AM (#266470)

        Right. Oddly, considering they are both part of the federal system, the FBI does not have rights over DoD-funded research, but the DoD probably did in writing. They often do have it in writing with their many, many research initiatives. The FBI likely used the tools they are accustomed to using when getting what they want. They used the justice system to get research that the DoD paid for.

  • (Score: 2) by sjames on Sunday November 22 2015, @09:52AM

    by sjames (2882) on Sunday November 22 2015, @09:52AM (#266495) Journal

    A subpoena is a process of law. Depending on the court and a judge it may represent due process of law or it might be a rubber stamp from the FISA court.