University researchers are being accused of ethics violations for allegedly helping the police catch drug dealers and paedophiles
A statement released by The Tor Project, the organisation that builds Tor to help users browse the internet anonymously, claims that researchers were paid "at least $1 million" (£660,000) to help de-anonymize Tor users.
At its simplest, Tor works by routing its users' traffic through one another's connections to mask their location: A Spanish Tor user might look like they're accessing the internet from Washington, D.C., while a Venezuelan might appear to be located in Finland.
This anonymity makes it a valuable tool to a wide range of people - from whistleblowers and activists to drug dealers and child pornographers.
Any software is vulnerable to bugs and exploits, however, and in 2014, a research team from Carnegie Mellon planned to publish research at the Black Hat conference detailing an apparent vulnerability that would let an attacker "de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months." The attack would cost less than $3,000.
They withdrew their submission before exhibiting.
This research subsequently made its way into the hands of the FBI, The Tor Project claims, which allegedly paid handsomely for it. Wired reports that the research was likely used in Operation Onymous - a large-scale law enforcement operation in 2014 that shuttered more than 50 websites accessible through Tor that were used to sell drugs and for other illegal activities - most notably Silk Road 2.0.
Motherboard has seen court documents relating to the closure of Silk Road 2.0 that say its identification was thanks to a "university-based research institute."
In a blistering statement, The Tor Project labels this a "violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."