University says FBI payment reports 'inaccurate'
- 19 November 2015
- From the section Technology
Carnegie Mellon University (CMU) says reports it was paid by the FBI to attack software sometimes used for criminal activity are "inaccurate".
The Tor web browser is designed to let people anonymously explore websites, including those hidden on the dark web which do not show up in search engines.
Last week the Tor project claimed that the FBI had paid CMU to find vulnerabilities in its software.
On Wednesday, the university said that was "inaccurate".
Why was the university accused?
In 2014, the Tor network detected a concerted effort to work out the identity of people using the platform.
That attack was linked to CMU after two of its researchers said they would give a talk at the Black Hat cybersecurity conference on a method they found to "de-anonymise hundreds of thousands Tor clients and thousands of hidden services".
The talk was cancelled, but later the same year a big FBI operation took down dozens of Tor sites, including Silk Road 2 which was a notorious marketplace selling drugs.
The Tor project has since suggested that the FBI paid the university $1m (£660,000) to carry out the research.
Last week the university was non-committal on the accusations and told the BBC: "You can read what you want into it."
On Wednesday it issued a statement and said there had been a number of "inaccurate media reports" on its work in cybersecurity.
CMU said it did have a federally funded research centre which investigated software security, but that it did not receive funding in exchange for information.
"The university from time to time is served with subpoenas requesting information about research it has performed," said the statement. "The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."
However it has still not denied it was paid by the FBI to conduct research into Tor.
Even if the FBI had not paid the university to carry out specific research, the Tor project has raised questions about the ethics of CMU's investigation.
It has been suggested that the FBI could have ordered CMU to hand over its methods, or the identities of Tor users it had uncovered as a result of its research.
"Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent," the Tor project wrote in its blog.