Researchers from the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University, which "works closely with the Department of Homeland Security," were set to give a talk purporting to demonstrate a way to deanonymize Tor users at Black Hat USA, a major cybersecurity conference, in early August. Alexander Volynkin and Michael McCord, both researchers at CMU, were slated to disclose a method for identifying Tor users and services using "newly discovered shortcomings in design and implementation of the Tor network," a method that cost only $3,000 or so to exploit, according to an abstract for the talk.
But on Monday, the presentation was abruptly canceled. Black Hat organizers were told by legal counsel for the SEI and Carnegie Mellon University that Volynkin would "not be able to speak at the conference because the materials that he would be speaking about have not yet been approved by CMU/SEI for public release," according to an announcement posted on the conference Web site.
Originally sponsored by the U.S. Naval Research Laboratory and still partially funded by the federal government, Tor is considered a basic part of most advocates' Internet freedom toolkits. It helps journalists connect with sources and those living under the thumb of repressive regimes evade censorship.
But, like any technology, it can also be used for nefarious purposes. The "dark web" accessed through Tor is also where marketplaces such as the digital black market Silk Road once flourished, and where similar sites still crop up. That activity has attracted the attention of law enforcement and intelligence agencies. Among the National Security Agency revelations from the past year was that the agency found a way to deanonymize some users through a coding bug in the version of the Firefox browser once bundled with the software -- although an internal presentation said it would "never be able to de-anonymize all Tor users all the time" or target specific users.
The researchers behind the Black Hat presentation originally referenced the NSA's tactics in their talk title: "You don't have to be the NSA to break Tor." So far, however, the researchers have stayed mum about the circumstances of the cancellation, and some privacy advocates were upset about the way the talk was handled before it was pulled.
"One of the biggest issues here was that the talk was accepted to Black Hat and no one in the Tor Project knew about it before the talk was announced," says Runa Sandvik, a former Tor Project developer who is currently a technologist at the Freedom of the Press Foundation. "The researchers never contacted the Tor Project to talk about things."
"CERT seem to be all about responsible disclosure and working with vendors -- and this clearly did not happen in this case," she said. "I just expected more from a group of academic researchers, basically."
Roger Dingledine, an original developer of Tor, addressed the cancellation in a blog post -- saying he was working with CERT to coordinate disclosure of the issue, possibly as soon as this week.
"In response to our questions, we were informally shown some materials," he wrote. "We never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Webpage." However, he said the Tor Project never asked CERT or Black Hat to remove the event. And in general, he wrote, the Tor Project is supportive of research that helps it improve the security of its services.
"I think I have a handle on what they did, and how to fix it," he wrote in a later e-mail to the Tor mailing list. "Trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything."
It remains unclear exactly what the bug was, although Dingledine suggests it was a "nice," or significant, "bug" but not "the end for the world" for the Tor Project or its users. Sandvik thinks it may have been an issue with software commonly packaged with Tor. "I have not heard of an exploit that affects the Tor protocol directly in these cases, it's usually just an exploit for Firefox." If that's the case, it might directly echo some of the vulnerabilities reportedly used by the NSA to identify some Tor users.
But another source of consternation among some privacy advocates was that the description of the talk said the researchers had tested their technique "in the wild." Some privacy advocates took that to mean the researchers were experimenting with de-anonymizing data from Tor users without their consent -- something that experts say raises legal and ethical concerns.
Christopher Soghoian, a technologist focusing on privacy and cybersecurity with the American Civil Liberties Union, says this isn't the first time research on actual Tor users has raised controversy. The motivation in these prior cases is often pure, but the methodology problematic, he says.
One issue is whether a study's methods received appropriate institutional review. To comply with federal regulations, research involving human subjects conducted by educational institutions that receive government funding generally must go through an Institutional Review Board, or IRB, which approves the design of the study before the research begins.
In this case, Soghoian says the research likely should have gone through the IRB process, but it is unclear whether it actually did -- or whether the researchers were aware that it should have. A spokesperson for SEI declined to comment on whether the study received prior IRB approval, saying that the institution didn't "have anything to add to the statement that was already released by Black Hat."
Legal experts have also warned that some network monitoring might put researchers on the wrong side of the law. At least one former CMU graduate student, Serge Egelman, says he hoped to do research on Tor users while at the school, but the school ultimately decided there were too many potential legal pitfalls.
Egelman, now a research scientist at the University of California at Berkeley, ran a Tor relay while in graduate school. But when he considered doing research on Tor traffic, legal counsel decided the issue was too unsettled to proceed at the time, he says.
"I was interested in looking at what people were actually using it and from where, but there were some open research questions about how to do that without wiretapping," he explained, so the process stopped before getting to the point where he would have proposed a formal methodology to an IRB.
While Egelman has no direct knowledge of whether the cancelled Black Hat talk received IRB approval, he agrees with Soghoian that computer security researchers often do not realize how the approval process might apply to their work.
"I've noticed that a lot of people in the security community don't seem to be familiar with the IRB process -- which is surprising given the possible consequences for noncompliance," he says. "I think there's sort of an attitude in computer science that if you're not directly interacting with people you don't need to go through the process -- and that's incorrect if you actually read the regulation."
The silence from the researchers and CMU means it's hard to know the specific reasons the talk was pulled. But privacy advocates remain concerned about how users may have been affected by the research.
"The Tor experience is far less pleasant than the average internet connection -- these are people who are willing to give up speed and convenience to privacy," Soghoian says, arguing it would be inappropriate to use them as test subjects without their knowledge or consent.