A rumour has been circulating for a while that researchers at Carnegie Mellon University (CMU) provided information to the FBI, which led to the feds identifying Tor users linked to crimes. Details of any arrangements have been unclear, but evidence from a criminal case has confirmed a few facts.
It’s now abundantly clear that researchers from CMU used a vulnerability in Tor software to find some users’ true IP addresses. Information was collected during a months-long attack in 2014, carried out as research for a Department of Defence-funded project.
The FBI later discovered that CMU had carried out an attack, and served the researchers with a subpoena to hand over any information pertinent to a criminal case, which it did.
An earlier allegation from the Tor Project claimed that CMU was paid $US1 million by the FBI to conduct the attack. CMU strongly denied any money specifically changed hands, putting out a press release that hinted at a subpoena.
According to court filings in the case of Brian Farrell, an alleged staff member of drug marketplace The Silk Road, CMU’s side of the story is technically right: the university was hired by the DoD to conduct research, which was later subpoenaed by the FBI. It’s a convenient arrangement for sure, but one that does technically stay within ethical and legal bounds.