Did the FBI Pay a University to Attack Tor Users?

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:

Here is the link to their (since withdrawn) submission to the Black Hat conference:
along with Ed Felten's analysis at the time:

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog:

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research".

Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.

The FBI is a regulated body paid by the public to follow those rules. If they are on the public payroll and hire hackers and crackers to indiscreetly and indiscriminately net fish for criminals they are breaking the law - unless they have a secret warrant or some such for a specific reason.

Rapists, murderers and child molesters will be around whether or not the FBI breaks the law or their professional ethics.

Therefore do not do it

Someone breaks into your house. You didn't have the perfect lock. It's your fault, so don't go crying about how the thief is to blame.

I don't have any proof, but because there is a possibility you might be doing something illegal, I think the FBI should plant hidden cameras in every room in your home, and 3 in your bathroom. They should also be allowed to access your bank account and all your credit cards so they can monitor your spending habits, and to make sure you aren't buying anything they don't approve of.

If you aren't doing anything wrong, you shouldn't have anything to hide, right?

All of the stuff on the tor browser is bad also your talking about the deep web -_-
which was made by the government....
Also there is good stuff on the deep web like waffle recipes :D and cat facts.
And in country's such as North Korea people can download books/movies off of the deep web using the tor browser to not get caught.

Man, say theoretically a student at university of Pittsburgh works his ass off changes his life, pulls himself out of the depths of hell from bad mistakes when he was a kid. Goes to a community college get a 3.7 in mathematics, obtains 3 months shy of 4 years clean from drugs and alcohol, he is so proud of himself, he proudly raises his head in respect to becoming a person addicts from his home town Erie, Pa can look at to change there own lives. So happy to Make it to the university he dreamed of, a couple weeks before heading to the semester reads an article about 'the silk road' thinks it may be a lie downloads tor, looks at the site deletes it, with no intent to use or do anything with it. Keep it mind this site is overly published, he forgets about it, the semester starts he realizes having a complicated past, that there is a constant stream of ci's following him, people trying to hack his computer. So he exposes himself tells these people, "I'm a good person, I don't do drugs", but they keep following, keep nagging, only to find what he had said about changing his life was all true. The under covers notice all he's doing is helping people, stays away from drugs, tells people to do the right with there life.without having a starting knowledge they were there, they push so hard, they drive him out of the college, looses something that meant the world to him. He's so ashamed of himself, they won't stop, but finally after talking to these people through texts, they realize the criminals are not the one there investigating, but the college that pointed the finger at him, to hide something they were doing. Destroyed his life had to leave Pittsburgh, where his apartment was 7 blocks from the software engineering institute. Could be true....all for nothing.


November 11, 2015


I wish some CMU students, faculty, or alumni would start a petition demanding that the university return this dirty money, or at least donate the same amount to The Tor Project.

No just release their names to the world. If I have done nothing wrong I have no problem with signing my name. On the other hand if I don't want to be identified I might just be embarrassed by my actions. ;)

There is a difference between reparations and repentants. You shouldn't ask them to support TOR, but rather just admit activity and refuse to participate in the future.


All fair points, but this post equates CERT/SEI, which is where this work was allegedly done, with Carnegie Mellon and that is a bit misleading. CERT/SEI are not academic department, but a semi-autonomous FFRDC within CMU. This is somewhat similar to the relationship between JHU APL and Johns Hopkins, MIT Lincoln Lab with MIT, GTRC with Georgia Tech...

Whether universities should host and support such centers is a matter of debate (e.g., in 1970, SRI became completely independent from Stanford), but equating directly these centers with traditional academic research departments is quite a shortcut.

So the FBI is using schools to do their dirty work for them?
I figured the alphabet-soup government institutions recruited all the talent from the universities, thereby removing talent from the market economy. The FBI and the like should have enough talent to do 'turn the gas valves' without mixing in with the universities.
All of these 'crimes' are victimless and just creates a jobs program for the government goons.
I blame the tax payers and voters.

> I wish some CMU students, faculty, or alumni would...

...contribute back to Tor, improving any weakness they found. great security research there.

That would mean that the l33t h4x0rz in the comp.sci lounge would have to get off their butts and do something other than comparing their e-peens and how torturous their class schedules are.

Ok, great, we know that you are outraged, angry etc. But would you supply any info whether you plan to resolve this issue on technical level? Can we assume that TOR is now compromised?

Not at all.

Last summer someone provided Tor Project with information from the withdrawn talk, which outlined the vulnerability. The flaw was indeed serious but within days it was fixed.

It was probably not CMU per se, but CMU's Software Engineering Institute (https://www.sei.cmu.edu/), which specifically works with defense agencies, government organizations, and the intelligence community (with the private sector as something of an afterthought). The SEI seems to be exempt from the usual research ethics review process due to the nature of their connections (an org that has and uses a SCIF tends to be able to get some exceptions to the usual processes). If anything, it was probably a "We need this, we'll pay you to do it, get to work" kind of deal.

Like most FFRDCs, CERT/SEI will basically take as much money as they can regardless of ethics or ability to deliver on contracts.

And what do you imagine a fitting reward should be for this karma?

I used to draw loli porn for free but seems the CIA infected my brain and now I cant draw anything.

Ok... so let me get this straight ...

we should be upset that the FBI could expose drug kingpins, assassins, and child pornographers ...

... and we should be upset that some academics could study, and that a school got a large some of money, which many schools are surely lacking?

I love freedom of speech. I hate it when people are arrested for political crimes and non-violent crimes. But I have a bit of a hard time getting too upset about this event outside of my utopian idealistic "what if?" box. The end result was worth it and now Tor has been approving its security method.

Props to raising attention to the issue tho. I hope that more of those in academia will feel inspired to help improve tor as time goes on, especially through less harmful methods.

Dear 'anonymous' authors of the comments above, your names, addresses and social security numbers have been forwarded to the CMU principal for immediate academic suspension.


Well, I used Tor Browser for commenting ;)

Good for you. Keep it up, the Tor team needs to know their people like you and I fighting for liberties. :)

For every threat you make I teach another person how to use Tails

This is a really important acivity.

Even in the darkest days of the Soviet Union, Samizdat helped keep the spirit of freedom alive. Under Putin and rule by authoritarian elites in other countries, perhaps Tails can do the same.

Can CERT/SEI be sued for illegal wiretapping ?

If ex-boyfriends and estranged husbands can be sued for illegal wiretapping, I'm almost certain CMU can.

Due to their government connections, no, probably not.

There's only one way to find out. >_>

The Tor community should stop persecuting security researchers! You are all only mad because they took down your beloved pedos.

Law Enforcement say if you haven't done anything wrong you have nothing to worry about .
I say as I haven't done anything wrong who are they to invade my privacy without legal right .

Do not complain. FBI gave us a favour. They paid for research which is unveiled some flaws in tor. They gave us a kick in the butt. That is good.

If the FBI was using every means at it's disposal to prevent further abuse of a child or children that's fine by me.
Drug sites providing services that result in our citizen deaths I also support.

However our right to privacy should trump that.

If a father abuses his child in his own home and then shares that information over the network encrypted or not - then other users of that network have a duty to report that abuse.
Fairly certain that the child in that case is non-consensual or doesn't have the ability to make and understand those decisions.

When these reports are received by the FBI what would you have them do?
Grab a beer and watch helplessly?
What if it was your niece or nephew?
What if it was your extended family - a whole lot of strangers knew about it, but you didn't?

If you are connected and sharing information to a community then you have the responsibilities of that shared community.

Copyright laws, whistle blowers, drugs, child porn, murder, murder for hire, just some things you know in your gut are wrong. But the reason we need anonymity to begin with is because the laws that are enforced do not meet the will of the people it's designed to protect. When Law and common sense are no longer even speaking to each other - this is what happens.

I'd like a country that had laws that makes sense, didn't send drone attacks to people I don't know ticking off another generation of ISIS or whatever the flavor of the month group might be out there.
Because the root cause of the problems are "LAWS" written by imbeciles for to protect profit - not the the people.

How about we have a country where we don't have the NEED to hide?

Tor propaganda machine in full swing again. Let's protect the pedos and drug barons.

What they fail to mention is that cell counting techniques are just as effective at deanonymizing people as the relay_early attack - and the former has not been fixed.

Has Carnegie Mellon researchers/students/board communicate about that? I would be curious to hear what they have to say. For the moment, I might consider blacklisting this university for any kind of collaboration/exchange in the future. Maybe we'll hear more from them if this blog post get enough echo. Thank you arma.

Much as I wish it were different, the fact is there is nowhere to hide, and nowhere that is safe.

The only thing TOR, and even data encryption are good for, is keeping the casual thief out of your pocket. But if you think for even one second, that this network keeps you safe from the prying eyes of The State, you are profoundly naive. Even Edward Snowden understood that all he was really doing was just slowing them down by using encryption and anonymizers. If they want you, they will take you, sooner or later. There is no escape.

The fact that they're using universities and other institutions in this endeavor, should also not come as any kind of shock. What is shocking, is that they had to pay anything at all up front, to get the university to participate.

If you *really* want to be safe from The State online, don't go online. It's just that simple.

You want secure and private use of the internet? easy... imagine it in your mind!, there is no such thing as privacy something or someone will be watching always. Just make sure that whatever you are doing is legal...

I wonder if the university was paid in bitcoin confiscated from DPR.

Shame on CMU

http://www.bbc.co.uk/news/technology-34797188 typically poor journalism by the british bbc no mention of any real legit tor usage

I have damaged eyesight and the person I live with was cut up badly looks like a different person. I'm not a pansy / sissy so I can hide publicly I live in a so-called modern society that has a rapid culture changes through immigration a schizophrenic nature. Opinions change overnight virtually on what is acceptable. Though it has become a cliche over used and abused word I am gay.

I rely on Tor network. 12/11/2015 you fuckers better not get me killed!

congratulation tor team

you survived a $1+ Mio attack
its a good news
Now, they have to spend $10+ Mio :)

Well it is just more of the same old New World Order crap where the common people are subject to the will of those who consider themselves as the elite. Your privacy is not allowed, and is even criminalized if you try and have it. Just look at what the NSA, DHS, and alphabet soup globally think of private citizens who use encryption, they are considered terrorists, or criminals. The only right they see you as having is the right to be a subservient part of the greater collective. The worst part is that the greater public swallows it as far as attacking Tor, or any other form of encryption. True freedom, and liberty will soon be a thing of the past without even a footnote being added for fear that it might incite any form of free thought. That CMU is a part of it is of no surprise, because it is always the Ivory Tower folk who see themselves as far superior to the unwashed, and under educated masses.

Maybe the answer to this is obvious to the Tor devs. Bandwidth is expensive. So why did you not just remove the Guard & Exit flags from those nodes? This way they would become middle nodes and contribute to the Tor network. And probably also tell the Authority nodes to automatically add the Family flag to these new nodes? But instead you decided to block them completely? Why? Also what is the backup plan if law enforcement seizes all the Authority nodes as well as the place where I am commenting right now?

To undermine,cause lack of confidence, play with grey areas of law by any group, party or organization in order to justify the disruptive flow of humanity's God given right to reach out, communicate, explore, question, think, imagine or in any other way stifle the mind of man from expanding beyond his mortal limitations is a CRIME AGAINST GOD and MAN. No government or group has the right to usurp the human experience of thought and harmless expression done in supposed anonymity to justify additional Gov. monies or promotions. I say lets spy on who is not using enough disinfectant in our water supply and invoke summary execution.

A thousand thanks to Matthew Green for speaking out against rogue insecurity researchers:

Why the attack on Tor matters
Op-ed: Comp sci researchers have a blind spot to ethical issues in their field.
Matthew Green
12 Nov 2015

@arma: please consider working with civil liberties organizations such as ACLU, EFF, EPIC, Privacy International to

1. lobby civil-liberties-friendly elements of both houses of the US Congress to mandate IRBs for network-security research (even better, extend the effort to US State legislatures, which have been well in advance of the federal legislature in addressing civil liberties concerns in some states, and to EU legislatures)

2. together with such groups, try to organize an academic conference addressing the ethical conundrums exemplified by the one million dollar plus payment to CMU

3. attempt to engage professional organizations in outreach to their membership, to organize campus boycotts, not just at CMU but at other US universities which do police work for a fee for the feds (cf the attempted boycott of academics who take NSA grant money)

Assuming someone was charged as a result of this attack, is this tantamount to law enforcement hiring a university to issue a survey to a large group of individuals asking them about their recent traffic violations, then taking their answers as written confessions and issuing tickets to violators?

Moreover, aren't researches typically prohibited from releasing individually identifiable data to ANYONE, law enforcement or not?