CMU's Tor hack was unacceptable violation of user privacy
Last week, the ethics of Carnegie Mellon’s Computer Emergency Response Team (CERT) were challenged by The Onion Router (Tor) Project's accusation that the FBI had paid CERT over $1 million to target and identify users of Tor’s anonymizing service. If true, this activity is both an attack on user privacy and a blow to the image of our university. It calls into question the ethics of Internet security research being conducted at many universities and our own administration’s lack of transparency.
Tor, originally created by the U.S. Navy, is a network that allows anonymous Internet browsing. Since its creation, it has become a non-profit organization in support of Internet privacy. While Tor is commonly cited in both drug and child pornography crime reports, it is also used for many legitimate and ethical purposes, such as allowing those in oppressive nations to express and educate themselves on a free and open Internet.
Internet privacy is a right of the people. Because the right has been denied by organizations such as the NSA, networks like Tor should be protected and fostered by the academic community. Instead of protecting Internet privacy, Carnegie Mellon has been accused of adding “a group of malicious relays” to pick out people in the network. Tor works by directing users’ encrypted traffic through a series of random nodes on the Tor network. Tor believes that Carnegie Mellon has discovered and abused vulnerabilities in the system, allowing it to trace users through these nodes.
When breaches in security are discovered by the ethical hacker community, they are released to the public in hopes of quickly patching them and making services even more secure. This is just what Carnegie Mellon was planning to do during its scheduled talk at Black Hat 2014, when it said that it had found a breach to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months.”
However, when the talk was abruptly canceled, its research purpose and ethics became questionable. Tor’s accusations are further strengthened by documents from the Silk Road 2.0 trial, which revealed that a “university-based research institute” had helped to identify suspects. Although both the university and the FBI have denied the claims, the evidence is slanted against them.
University research is meant to bring knowledge to the people in an open and ethical way. If this accusation is true, Carnegie Mellon’s research team has gone against all that is preached to researchers. Even more importantly, this is an attack on users’ fundamental privacy and anonymity rights within the Internet. Malicious attacks like these are not only attacks on the guilty, but on everyone in this nation who is connected to the Internet. Spying on encrypted traffic is equivalent to breaking down the doors of all Americans in hopes of finding criminals. Criminals will be found, but the biggest criminals are the ones breaking down the doors.