The US Department of Defence (DoD) funded research carried out by Carnegie Mellon University with the aim of uncovering ways to crack the online anonymity provided by the Tor network, an unsealed document from a Washington District Court has confirmed.
The long suspected government-sponsored attack was first reported by the Tor Project in 2014 when it was uncovered that a large group of Tor 'relays' – which pass traffic through the network – were found to be attempting to de-anonymise users.
The following year, the Tor Project claimed that it had attained evidence the hacking activity against its security-focused web browser was orchestrated by the FBI and cost the agency up to $1m to fund. However, the allegations were never confirmed by either the university or the government at the time.
Speculation was further fuelled after a search warrant was issued against a suspected administrator of dark web drug marketplace Silk Road 2.0, Brian Farrell. In the warrant the FBI noted that it had attained a special "source of information" that provided the data implicating the suspect through his use of Tor.
Now, court documents relating to Farrell's case have finally confirmed suspicions, proving that the US government not only funded the university research but also subpoenaed its findings to locate Farrell as part of its ongoing investigation into the underground drug marketplace.
"The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) when SEI was conducting research on the Tor network which was funded by the Department of Defense (DOD)," the unearthed court documents state.
"The government previously produced information to the Defense that Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU."
The court filings make no reference to the exact sum of money used to fund the research project.
The right to privacy
Interestingly, the judge in the case of US vs Farrell, Richard A. Jones, also indicates that even though the defendant took steps to protect his privacy by using the Tor network, the Internet Protocol (IP) address that was used to locate him is not considered to be private.
"It is the Court's understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations," the documents note.
"Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties' submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous.
"Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances."