Last week, it was suggested that a research group from Carnegie Mellon University had been paid $US1 million by the FBI to hack Tor. Now, CMU has issued a statement denying that money changed hands — but seems to suggest it was forced to hand over data to the authorities.
In the statement, the University highlights that its Computer Emergency Response Team is part of a larger federally funded research and development center. While it admits that it is sometimes "served with subpoenas requesting information about research," it also adds that it "abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."
That statement seems to contradict claims made by Tor's director Roger Dingledine last week, who claimed claimed that the "researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes."
Here's the Carnegie Mellon statement in full:
There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity.
Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.
Illustration by Tara Jacoby; source image via Shutterstock