By Cory Bennett
Carnegie Mellon University on Wednesday rejected reports the FBI paid its researchers at least $1 million to uncover dark Web users during a large criminal investigation.
The FBI made similar denials on Friday.
Early last week, the Tor Project, which oversees the leading online anonymity software Tor, said it had evidence the FBI had made a massive payment to Carnegie Mellon University’s Software Engineering Institute in an attempt to out the personal details of a wide swath of Tor users.
The university called the allegations “inaccurate,” although it did not directly address the specifics of the claim.
The Tor Project’s accusations spurred widespread anger in the security research and digital rights community.
Such a collaboration would represent an ethically questionable tactic, Tor Project Director Roger Dingledine argued. It may have also violated the Fourth Amendment if the FBI did not obtain a warrant, he added.
“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” Dingledine said in a blog post last week. “If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute.”
Carnegie Mellon explained that its Software Engineering Institute (SEI) is “a federally funded research and development center,” meaning it receives government backing for long-term projects that “focus on software-related security and engineering issues.”
One division within SEI is the computer emergency response team, or CERT, which works to “research and identify vulnerabilities in software and computing networks so that they may be corrected.”
“In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,” Carnegie Mellon added. “The university abides by the rule of law, complies with lawfully issued subpoenas, and receives no funding for its compliance.”
It’s unclear from the statement whether the subpoena reference was directly tied to the Tor allegations. The FBI did not immediately respond to a request for comment.
According to several reports last week, the FBI turned to Carnegie Mellon during its major investigation into Silk Road 2.0, the leading dark Web market that, like its notorious predecessor, enabled more than 100,000 people to buy and sell illegal drugs anonymously over the Internet, according to the Justice Department.
The inquiry eventually led to the bust of not only Silk Road 2, but dozens of other similar dark Web pages as well. Scores of people were also arrested in connection with the sting.
Officials have indicated the FBI did not rely on Carnegie Mellon while looking into Silk Road 2.
At the time of the takedown, Tor acknowledged it was unsure how investigators had compromised the anonymity of the Tor users, leading many to worry that Tor had been widely compromised.
Despite the Tor Project’s accusations in the last week, the FBI has not provided any additional details on how it did uncover dark Web users during its investigation.
In response to the Carnegie Mellon statement, the Tor Project issued a list of questions it wants answered.
"How did the FBI even know what to subpoena? Did FBI money arrive at CMU through a pass-through organization (as is common)?"
The organization also wants to know what involvement university officials had in approving various research projects, and whether researchers seek informed consent before investigating human subjects.