The U.S. government and Carnegie Mellon University have collaborated to undermine Tor privacy technology. That’s according to a court document that became public a few days ago.
As Motherboard first reported, information surfaced back in November that a university had provided information to the FBI that enabled it to identify specific Tor users. At first, however, the name of the university in question — and the exact nature of its role in identifying the Tor users — were unknown.
Now, a new court document confirms that the FBI obtained the information from Carnegie Mellon University. It also shows that the FBI subpoenaed the university to get the data.
For now, it remains unclear precisely how Carnegie Mellon was able to identify the users. However, it appears that the university relied on malicious Tor nodes in combination with Tor vulnerabilities to identify the users’ real IP addresses while they were using Tor.
The Tor project claimed earlier that the FBI had paid Carnegie Mellon to carry out the attack, but that has not been confirmed by the new court document.
In a statement to Motherboard, the Tor project says that this attack was a one-time issue, and that the vulnerability that enabled it has now been fixed. “The Tor network is secure and has only rarely been compromised,” the project said. “The Software Engineering Institute (‘SEI’) of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online.”
Tor’s insistence that this issue has been fixed should be reassuring to Tor users who want to keep their privacy as secure as possible. It also seems clear that the FBI had to go to great lengths to identify these Tor users, which means this is probably not the sort of attack that the government is currently able to execute (or have carried out by collaborating organizations) on a large scale. It appears to be feasible only for targeting specific individuals.
Still, the episode is a reminder that even Tor — the gold standard of online privacy — is not perfect. If you really want to stay private online, you should use multiple anonymity methods at once — like Tor in combination with a VPN.