Battle over Tor's integrity is led at the university level after FBI involvement

When it comes to internet security, the struggle between organizations employing counter-measures against one another will never end, as long as there are exploits to patch. In news that surprised absolutely nobody, researchers have developed a “hardened” version of the Tor Browser, which allows users to easily browse internet in complete anonymity, Motherboard reports. While undoubtedly ingenious, it is not the solution that is so newsworthy, but the stakeholders involved and the ideologies that flow underneath.

We have written about the Tor network before and the facts remain the same. Tor is used to perform illegal trade, and some of the people who use it are sought-after terrorists, which is why the Federal Bureau of Investigation is interested. It is also used as a means of communication in countries where freedom of speech is not a given, and where online activity is under heavy surveillance. Journalists use it to get sensitive information, and researchers use it to explore the darker parts of our society. Civil rights activists and whistleblowers alike employ it regularly. It is a grey area in ever sense of the word.

It now seems that competition over this controversial part of the web is led at the level of university-based organizations, following the reports that Carnegie Mellon University (CMU) was subpoenaed by the FBI to provide intelligence regarding vulnerabilities in Tor’s security in 2014. That particular case involved charges of online drug trade and possession of child pornography and even though it resulted in the “identification of at least another seventeen black markets on TOR”, emotions ran high, as told to Motherboard by the co-founder of the Tor Project, Nick Mathewson:

“If you’re doing an experiment without the knowledge or consent of the people you’re experimenting on, you might be doing something questionable—and if you’re doing it without their informed consent because you know they wouldn’t give it to you, then you’re almost certainly doing something wrong. Whatever you’re doing, it isn’t science.”

Tor Project went as far as accusing CMU of receiving $1 million from the FBI for performing sweeping attacks on its users. They also expressed doubt over the validity of the attack warrant, given that it was not narrowly tailored to specific criminal activity.

Whatever the case, FBI is still using the method devised by CMU to deanonymize Tor users in 2016, which is why Open Technology Fund commissioned a study on current and future hardening efforts to reduce the attack surface of the Tor Browser. The recently published paper that is trying to address this specific incident was authored by researchers not only from the Tor Project, but also Italian and German universities. The question is as open as ever – what role should university-based research bodies play in state surveillance?

If some are making an effort to reinforce the Tor network, while others are finding ways of exploiting it (subpoenaed or not), the purpose of the academia in global online privacy is either undefined, or it is being violated actively.