SoylentNews is people

Judge Confirms what Many Suspected: Feds Hired CMU to Break Tor

Accepted submission by martyb at 2016-02-24 20:10:23
Security
Ars Technica is reporting US District Judge Richard Jones [uscourts.gov] confirms what many suspected — Feds hired CMU to break Tor [arstechnica.com]:

A federal judge in Washington has now confirmed [documentcloud.org] what has been strongly suspected [arstechnica.com]: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute (SEI) were hired by the federal government [arstechnica.com] to do research into breaking Tor in 2014. The judge also made a notable statement in his court order that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."

However, some of the details that Tor alleged previously seem to be wrong: the research was funded by the Department of Defense, not the FBI [arstechnica.com]. Tor Project Director Shari Steele told Ars [arstechnica.com] earlier this year that the organization still couldn't get straight answers from CMU. According to the judge, that research was then subpoenaed by federal investigators.

Judge Jones wrote [documentcloud.org]:

In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

The story goes into some detail as to what constitutes a "reasonable expectation of privacy."

[Continues.]

On the one hand, it notes:

[...] US v. Scott [justia.com], involved a man suspected of tax fraud by the Internal Revenue Service. The man used a paper shredder to destroy some documents, which were then picked up as garbage by investigators, "which when painstakingly pieced together produced incriminating evidence."

In that case, the judge ruled:

What we have here is a failed attempt at secrecy by reason of underestimation of police resourcefulness, not invasion of constitutionally protected privacy. There is no constitutional protection from police scrutiny as to information received from a failed attempt at secrecy.

[...] There is no constitutional requirement that police techniques in the detection of crime must remain stagnant while those intent on keeping their nefarious activities secret have the benefit of new knowledge.

And on the other hand, the story notes two contrasting viewpoints:

Neil Richards [wustl.edu], a law professor at Washington University in St Louis, said that this "reasonable expectation of privacy" for Internet users is "an open one." The so-called third-party doctrine, which stemmed from the 1979 Supreme Court decision Smith v. Maryland, found that telephone users do not have a privacy interest in the phone numbers that they dial, as the phone company has access to them.

[...] "The Supreme Court hasn’t ruled on e-mail yet, but lower courts require a warrant for e-mail, and the Supreme Court has made clear in recent cases that a majority of Justices are very concerned about digital privacy and are eager to extend the Fourth Amendment to that, just like they did for telephone calls in the 1960s."

and

Mark Rumold [eff.org], an attorney with the Electronic Frontier Foundation, concurred.

"The expectation of privacy analysis has to change when someone is using Tor," he said. "Rotely applying precedent leads to bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."

It seems that just because you have made an attempt at privacy, your right to it is only as good as your implementation of that attempt.

