
SoylentNews is people

posted by takyon on Thursday February 25 2016, @02:15AM
from the everyone-wants-a-piece dept.

Ars Technica is reporting that US District Judge Richard Jones has confirmed what many had suspected — the Feds hired Carnegie Mellon University to break Tor:

A federal judge in Washington has now confirmed what has been strongly suspected: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute (SEI) were hired by the federal government to do research into breaking Tor in 2014. The judge also made a notable statement in his court order that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."

However, some of the details that Tor alleged previously seem to be wrong: the research was funded by the Department of Defense, not the FBI. Tor Project Director Shari Steele told Ars earlier this year that the organization still couldn't get straight answers from CMU. According to the judge, that research was then subpoenaed by federal investigators.

Judge Jones wrote:

In the instant case, it is the Court's understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties' submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

The story goes into some detail as to what constitutes a "reasonable expectation of privacy."


On the one hand, it notes:

[...] US v. Scott, involved a man suspected of tax fraud by the Internal Revenue Service. The man used a paper shredder to destroy some documents, which were then picked up as garbage by investigators, "which when painstakingly pieced together produced incriminating evidence."

In that case, the judge ruled:

What we have here is a failed attempt at secrecy by reason of underestimation of police resourcefulness, not invasion of constitutionally protected privacy. There is no constitutional protection from police scrutiny as to information received from a failed attempt at secrecy.

[...] There is no constitutional requirement that police techniques in the detection of crime must remain stagnant while those intent on keeping their nefarious activities secret have the benefit of new knowledge.

And on the other hand, the story notes two contrasting viewpoints:

Neil Richards, a law professor at Washington University in St Louis, said that this "reasonable expectation of privacy" for Internet users is "an open one." The so-called third-party doctrine, which stemmed from the 1979 Supreme Court decision Smith v. Maryland, found that telephone users do not have a privacy interest in the phone numbers that they dial, as the phone company has access to them.

[...] "The Supreme Court hasn't ruled on e-mail yet, but lower courts require a warrant for e-mail, and the Supreme Court has made clear in recent cases that a majority of Justices are very concerned about digital privacy and are eager to extend the Fourth Amendment to that, just like they did for telephone calls in the 1960s."

and

Mark Rumold, an attorney with the Electronic Frontier Foundation, concurred.

"The expectation of privacy analysis has to change when someone is using Tor," he said. "Rotely applying precedent leads to bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."

It seems that just because you have made an attempt at privacy, your right to it is only as good as your implementation of that attempt.


  • (Score: 5, Insightful) by Anonymous Coward on Thursday February 25 2016, @02:26AM

    by Anonymous Coward on Thursday February 25 2016, @02:26AM (#309497)

    It seems that just because you have made an attempt at privacy, your right to it is only as good as your implementation of that attempt.

    Following that "logic", it's the homeowner's fault if someone breaks in and steals everything, because the attempt made to secure the house was so lacking that the right to be secure in one's possessions was lost.

    What's the judge's address, I wonder?

    • (Score: 1, Disagree) by frojack on Thursday February 25 2016, @02:49AM

      by frojack (1554) Subscriber Badge on Thursday February 25 2016, @02:49AM (#309503) Journal

      someone breaks in and steals everything,

      Aren't you the same AC that claims if the owner is not deprived of anything, then No Theft took place?
      Seems when the subject is music or movies, that claim is raised often and loudly.

      Then when nothing but a series of numbers is intercepted, suddenly you scream theft.

      Which is it?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Informative) by Anonymous Coward on Thursday February 25 2016, @03:00AM

        by Anonymous Coward on Thursday February 25 2016, @03:00AM (#309510)

        The parent isn't screaming theft. Privacy is a completely different concept from physical or electronic goods. I can't figure out how you misinterpreted the GP, so I can only assume you're trying to push your own agenda just to confuse others as your argument doesn't make sense. Piracy would be breaking into someone's home and using a 3D scanner on everything inside it. No theft takes place in that situation but it is an invasion of privacy because your home is considered a private area (until you open up parts of it to guests).

        • (Score: 2) by frojack on Thursday February 25 2016, @04:01AM

          by frojack (1554) Subscriber Badge on Thursday February 25 2016, @04:01AM (#309534) Journal

          The parent isn't screaming theft.

          oh really?

          if someone breaks in and steals everything,

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 5, Insightful) by maxwell demon on Thursday February 25 2016, @04:46AM

            by maxwell demon (1608) Subscriber Badge on Thursday February 25 2016, @04:46AM (#309554) Journal

            You clearly lack the mental capacity to understand an analogy. Here's a hint: If you make an analogy, you don't equate both things, you only equate the relevant aspects. In this case, the relevant aspect is the claim that inadequacy of your means invalidates the rights you try to protect.

            If you wanted to make a copyright analogy, the analogy would be the claim that if someone breaks your DRM then you've lost copyright on the content for failing to adequately protect it.

            --
            The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Thursday February 25 2016, @04:55AM

        by Anonymous Coward on Thursday February 25 2016, @04:55AM (#309560)

        Aren't you the same AC

        Nope. When I log in, which I rarely do nowadays, I write under Fauxlosopher. While I am biased, same as everyone else, I try to push my agenda in the open. Other commenters have already correctly pointed out the details of my analogy, so I've nothing else to say for now.

      • (Score: 0) by Anonymous Coward on Thursday February 25 2016, @03:14PM

        by Anonymous Coward on Thursday February 25 2016, @03:14PM (#309687)

        Aren't you the same AC that claims if the owner is not deprived of anything, then No Theft took place?

        He's an AC. How can you be sure he's the same one?

        • (Score: 0) by Anonymous Coward on Thursday February 25 2016, @10:06PM

          by Anonymous Coward on Thursday February 25 2016, @10:06PM (#309860)

          By his IP address, of course.

          • (Score: 0) by Anonymous Coward on Thursday February 25 2016, @11:27PM

            by Anonymous Coward on Thursday February 25 2016, @11:27PM (#309901)

            Touche!

      • (Score: 3, Insightful) by arulatas on Thursday February 25 2016, @04:35PM

        by arulatas (3600) on Thursday February 25 2016, @04:35PM (#309735)

        How about this analogy then:

        Police and/or FBI can break into your home to rifle through your belongings and papers. Well, your lock that you assumed would be able to protect you wasn't good enough to stop them, so too bad for you.

        --
        ----- 10 turns around
    • (Score: 5, Touché) by JoeMerchant on Thursday February 25 2016, @03:46AM

      by JoeMerchant (3937) on Thursday February 25 2016, @03:46AM (#309528)

      Not only homeowners, how about DMCA? If they use some lame fixed key, is it any cracker's fault if they happen to get a hold of the key and are now able to circumvent copy protection?

      --
      Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
      • (Score: 5, Insightful) by hemocyanin on Thursday February 25 2016, @04:21AM

        by hemocyanin (186) on Thursday February 25 2016, @04:21AM (#309546) Journal

        You fail to understand the current state of American jurisprudence. If you as a lowly individual attempt to protect your information and fail, it is your fault and you should be punished. If a member of the politician-owning class attempts to protect their information and fails, it is your fault and you should be punished. The rest of these opinions is just fancy filler, might as well be lorem ipsum [wikipedia.org] repeated over and over. Just remember, it is always your fault and you should be punished (unless of course you donate at least $1m per election cycle).

        • (Score: 2) by Pslytely Psycho on Thursday February 25 2016, @05:34AM

          by Pslytely Psycho (1218) on Thursday February 25 2016, @05:34AM (#309572)

          "it is always your fault and you should be punished"

          But, I'm not Catholic......or Jewish...

          Damnit, it's just not fair.

          --
          Alex Jones lawyer inspires new TV series: CSI Moron Division.
        • (Score: 2) by JoeMerchant on Thursday February 25 2016, @10:25PM

          by JoeMerchant (3937) on Thursday February 25 2016, @10:25PM (#309868)

          Probably something to do with the Judges being the "cream of the lawyer crop" and lawyers themselves mostly occupying the upper 1% of the wealth curve, it's just their perspective on things - different from the majority, but who cares - the law says they have the power to pass judgement as they see fit - and who writes these laws? Mostly lawyers who were a bit too corrupt to become judges...

          --
          Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
  • (Score: 3, Insightful) by frojack on Thursday February 25 2016, @03:00AM

    by frojack (1554) Subscriber Badge on Thursday February 25 2016, @03:00AM (#309511) Journal

    bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."

    In the first instance, the sentence uses the word as the Judge used it: Interest in the legal sense, an ownership position.

    In the second instance, he shifts the meaning of the word to a concern, or a desire.

    It's a subtle play on words to make a point, even though the speaker knew what the judge meant, and knew that what he was saying was totally different.

    The user may have taken steps to keep his IP secret, but in the end one's IP is invariably ASSIGNED by someone else, usually by a DHCP server, but occasionally by block ownership, but in ALL cases, the IP is only useful if you hand it over to the first machine you connect to (at a minimum). Once you have done that you have no expectation of total privacy any more.

    You may still want, and desire privacy, but that horse left the barn.

    It's a cute, but disingenuous turn of a phrase.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by legont on Thursday February 25 2016, @03:23AM

      by legont (4179) on Thursday February 25 2016, @03:23AM (#309518)

      Once I protected my privacy by using pants over my member and left my house, I am bombarded by electromagnetic radiation that some can use to picture said member. Should I expect privacy or wear lead pants?

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 2) by frojack on Thursday February 25 2016, @04:04AM

        by frojack (1554) Subscriber Badge on Thursday February 25 2016, @04:04AM (#309537) Journal

        If you expect total privacy, you should go with the lead pants.

        But I rather suspect you have nothing to worry about.

        --
        No, you are mistaken. I've always had this sig.
      • (Score: 1) by Capt. Obvious on Thursday February 25 2016, @04:10AM

        by Capt. Obvious (6089) on Thursday February 25 2016, @04:10AM (#309541)

        Expect privacy. IIRC, they need a warrant to use extended spectrum photography.

        • (Score: 2) by legont on Friday February 26 2016, @02:01AM

          by legont (4179) on Friday February 26 2016, @02:01AM (#309960)

          I wonder, if they find another way, would it be legal until prohibited, or illegal until permitted? I honestly don't know. I was under the impression that it is the latter - nothing can be used because of expectations of privacy.

          --
          "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 2, Interesting) by anubi on Thursday February 25 2016, @03:12AM

    by anubi (2828) on Thursday February 25 2016, @03:12AM (#309514) Journal

    I thought we had passed a law forbidding the breaking of electronic locks.

    I do not think too many people have a respect for that law... apparently even the government doesn't think much of it either.

    These days, we pass a lot of meaningless law - so much that fewer and fewer people pay much attention to it. Even the ones who coined it don't follow it.

    Can't say as I blame them though.... given the circumstances.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 1, Flamebait) by Runaway1956 on Thursday February 25 2016, @03:46AM

    by Runaway1956 (2926) Subscriber Badge on Thursday February 25 2016, @03:46AM (#309529) Homepage Journal

    TOR has always been subject to man-in-the-middle attacks. That is a well known fact. In fact, all known protocols today are subject to MIM attacks. Most travelers have experienced MIM attempts in airports and elsewhere - log into a "public WIFI" and you have little idea who is logging what, or whether your credentials have been stored for future illegitimate use.

    Government has the resources to set up a million TOR nodes, start evaluating the traffic flowing across all of them, and start isolating individual users according to their level of interest.

    Given that, it matters not what CMU gave the government. Government controls the communications backbones, what more do they really need?

    --
    Abortion is the number one killed of children in the United States.
    • (Score: 2) by frojack on Thursday February 25 2016, @03:53AM

      by frojack (1554) Subscriber Badge on Thursday February 25 2016, @03:53AM (#309533) Journal

      Most travelers have experienced MIM attempts in airports and elsewhere

      Really?
      Says who?

      They seem more legend than real if you ask me.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by Runaway1956 on Thursday February 25 2016, @02:57PM

        by Runaway1956 (2926) Subscriber Badge on Thursday February 25 2016, @02:57PM (#309683) Homepage Journal

        Maybe I exaggerate, maybe the articles I've read are exaggerations - I don't spend time around airports.

        Then again, a search suggests that it may be more historical than it is current. I see pages of hits from 2010 and 2011, few hits for 2014 and 2015. Most recent article in the first couple pages is this one - http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/ [breitbart.com]

        --
        Abortion is the number one killed of children in the United States.
        • (Score: 2) by frojack on Thursday February 25 2016, @09:18PM

          by frojack (1554) Subscriber Badge on Thursday February 25 2016, @09:18PM (#309833) Journal

          Yeah, but again, it's Breitbart. The article starts: "at an international airport in Bengaluru, India". Not that Bengaluru is a total technological backwater (in relative terms), but I would be surprised if they were running modern enterprise wifi access points at a public airport.

          It then goes on to say: Halder was also able to use a device that created fake WiFi hotspots that fooled travelers into thinking they had accessed the airport’s network.

          But most places you go now you are so effectively vlan-ed that you can't see any other users on the wifi network.
          Which means you essentially have to attack the pre-authentication portion of the air interface and hope you catch the session key negotiation phase before the user gets connected and opens a TLS session with Gmail or whatever. Even with your tools all primed and ready to go, this is not as easy as it used to be in pre-VLAN days.

          The risk of fake hotspots (and HP Printers) exists everywhere, not just airports.

          There really should be some way to use some level of wifi secure connections in public spaces. Just about all hotels now require this, and you would think you could make this easier to deploy for those using wifi only devices.

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 3, Informative) by Anonymous Coward on Thursday February 25 2016, @04:11AM

    by Anonymous Coward on Thursday February 25 2016, @04:11AM (#309542)

    The TOR project never claimed that entry nodes can't see your real IP, in fact this is explicitly outlined in their FAQ. The node can see who you are but not what you're requesting through TOR (assuming it cannot decrypt the request).

    • (Score: 2) by everdred on Thursday February 25 2016, @04:54PM

      by everdred (110) Subscriber Badge on Thursday February 25 2016, @04:54PM (#309741) Homepage Journal

      Yep. And also, if I'm not mistaken, a node shouldn't be able to tell whether the request you've passed to them originated with you, or was something you were simply passing along on behalf of another node.

  • (Score: 2) by inertnet on Thursday February 25 2016, @12:17PM

    by inertnet (4071) Subscriber Badge on Thursday February 25 2016, @12:17PM (#309645) Journal

    A Tor user obviously has to use an IP address to connect to the Tor network, but it doesn't have to be his or her own IP address. So his comment should be read as "Tor users clearly lack a reasonable expectation of privacy in the used IP addresses while using the Tor network."

    Tor users should assume that some people must be collecting IP addresses of Tor requests, because anyone running Tor node(s) can do that. Therefore it's logical not to use your own internet connection for Tor.

  • (Score: 2) by RamiK on Thursday February 25 2016, @03:22PM

    by RamiK (1813) on Thursday February 25 2016, @03:22PM (#309691)

    If you didn't want to get raped, you shouldn't have worn that dress.
    If you didn't want to get hacked, you shouldn't have passed on your IP.
    If you didn't want to get spied on, you should have disclosed your face in public.

    --
    compiling...
  • (Score: 0) by Anonymous Coward on Thursday February 25 2016, @07:25PM

    by Anonymous Coward on Thursday February 25 2016, @07:25PM (#309792)

    51 percent tor-miner ownership for the win! (don't forget to spend it twice)