A judicial ruling on Feb 24 confirmed longstanding fears that the FBI used information obtained through a subpoena from a university research team working on Tor security vulnerabilities to take down a series of websites used for criminal activities.
The ruling in the case of Brian Farrell, who allegedly worked for a now-closed Dark Web drug site, showed that the FBI has been able to bypass the anonymity software Tor for months. Tor was central to the working of Dark Web sites used for criminal activity like drug trafficking because it provides users with a way to disguise themselves from law enforcement.
The FBI managed to reveal the identities of at least thousands of users of such websites using information it gained from a subpoena to a group of researchers at Carnegie Mellon University’s Software Engineering Institute.
Researchers working on security vulnerabilities are already exposed to many risks, whether they are working independently, for a university or for a company. By working to bring to light security flaws in digital products, they expose themselves to the risk of having their work censored by lawsuits from companies embarrassed by it, or even of being criminally indicted if their hacks are found to break the Computer Fraud and Abuse Act.
Proof that the FBI can now subpoena any records that security researchers keep on their projects is a tough additional challenge. Tor Ekeland, a defence lawyer who works on computer security cases, said that the revelation could have a “chilling effect” on researchers, forcing them to restrict the research they do out of fear that they might be exposing their test subjects to a criminal indictment.
He advised security researchers to limit the data they gather from tests as much as possible and, when it is absolutely necessary to collect and keep data, to anonymize it and restrict it to the barest information.
The case will undoubtedly remind many of Apple’s refusal to comply with a subpoena from the FBI, citing worries that the law enforcement agency will weaken the security of Apple devices. From the Brian Farrell judgement and what (little) other information has emerged about how the FBI operation against Dark Web criminal activity was carried out, it is unclear whether the FBI obtained only data (a list of IP addresses) from the Carnegie Mellon team or whether it got a Tor-hacking technique which it can reuse as many times as it wants.
However, an important distinction is that Carnegie Mellon’s Software Engineering Institute is a government-contracted research lab which receives funding from the Department of Defense. As such, it was probably much more willing to share its work with government agencies.