Policy —

Judge confirms what many suspected: Feds hired CMU to break Tor

A 1992 case about paper shredders may also shed some light on Tor privacy question.

Judge confirms what many suspected: Feds hired CMU to break Tor

A federal judge in Washington has now confirmed what has been strongly suspected: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute were hired by the federal government to do research into breaking Tor in 2014. The judge also made a notable statement in his court order that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."

However, some of the details that Tor alleged previously seem to be wrong: the research was funded by the Department of Defense, not the FBI. Tor Project Director Shari Steele told Ars earlier this year that the organization still couldn't get straight answers from CMU. According to the judge, that research was then subpoenaed by federal investigators.

The Tor Project did not immediately respond to Ars’ request for comment. Meanwhile, Kenneth Walters, a CMU spokesman, refused to answer Ars' questions, referring us only to the university's last statement, from November 2015, which hinted that the university was served with a subpoena.

The revelation, which was first reported by Vice Motherboard, came out as part of the ongoing criminal case against Brian Farrell, allegedly one of Silk Road 2.0’s top administrators. CMU's research enabled investigators to find him. Farrell was arrested over a year ago in Washington state—his trial is scheduled for April 25, 2016, to be held in federal court in Seattle.

The Tuesday court order by US District Judge Richard Jones was in response to a still-sealed motion to compel discovery filed by Farrell. According to Judge Jones, "the defendant seeks to compel disclosure of additional material pertaining to the relationship between SEI and federal law enforcement and the methods used by SEI to identify the defendant’s IP address."

In the order, the judge seems to suggest that even though Farrell took measures to protect his privacy, his actual IP address—which was what betrayed him and made it trivial for law enforcement to find him—was not in and of itself private.

Judge Jones wrote:

In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

The paper shredder precedent?

Orin Kerr, a law professor at George Washington University, told Ars that the court’s analysis here is "right, although the application of that idea depends on how the surveillance occurred."

He suggested that Ars examine a 1992 case decided in the 1st Circuit Court of Appeals, which found that just because someone takes steps to protect privacy, it doesn’t necessarily mean that they continue to have a "reasonable expectation of privacy."

That case, US v. Scott, involved a man suspected of tax fraud by the Internal Revenue Service. The man used a paper shredder to destroy some documents, which were then picked up as garbage by investigators, "which when painstakingly pieced together produced incriminating evidence."

Scott challenged the collection of his trash, arguing that because he had "manifested an objectively reasonable expectation of privacy in the shredded remnants" that the evidence should be suppressed. He won on this argument at the district court level but then lost on appeal.

The 1st Circuit found in that case:

What we have here is a failed attempt at secrecy by reason of underestimation of police resourcefulness, not invasion of constitutionally protected privacy. There is no constitutional protection from police scrutiny as to information received from a failed attempt at secrecy.

Appellee here thought that reducing the documents to 5/32 inch pieces made them undecipherable. It turned out he was wrong. He is in no better position than the citizen who merely tears up a document by hand and discards the pieces into the sidewalk. Can there be any doubt that the police are allowed to pick up the pieces from the sidewalk for use of the contents against that person? Should the mere use of more sophisticated "higher" technology in attempting destruction of the pieces of paper grant higher constitutional protection to this failed attempt at secrecy? We think not. There is no constitutional requirement that police techniques in the detection of crime must remain stagnant while those intent on keeping their nefarious activities secret have the benefit of new knowledge.

However, not all legal scholars agree on this point.

Neil Richards, a law professor at Washington University in St Louis, said that this "reasonable expectation of privacy" for Internet users is "an open one." The so-called third-party doctrine, which stemmed from the 1979 Supreme Court decision Smith v. Maryland, found that telephone users do not have a privacy interest in the phone numbers that they dial, as the phone company has access to them.

"Law enforcement have argued that this sharing rationale applies to all Internet and digital data held by third parties—ISPs, e-mail providers, fitness trackers, cloud storage providers, etc," Richards told Ars. "The strong form of this argument is nonsense. Law enforcement in the past also argued that they didn’t need warrants to open mail or tap telephones, and ultimately lost on both counts. The Supreme Court hasn’t ruled on e-mail yet, but lower courts require a warrant for e-mail, and the Supreme Court has made clear in recent cases that a majority of Justices are very concerned about digital privacy and are eager to extend the Fourth Amendment to that, just like they did for telephone calls in the 1960s."

Mark Rumold, an attorney with the Electronic Frontier Foundation, concurred.

"The expectation of privacy analysis has to change when someone is using Tor," he said. "Rotely applying precedent leads to bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."

Channel Ars Technica