When one year ago Blackhat presentation during which researches were supposed to show how they successfully conducted deanonymisation attack against Tor was cancelled, speculations gone through the roof. The most probable scenario, which I also supported, was that scientists defied ethical and legal boundaries and effectively committed an offence by conducting illegal interception of internet traffic. Now, motion filled in case of Brian Richard Farrell, owner of SilkRoad 2.0, which describes how Farrell was identified based on “information obtained by a ‘university-based research institute’ ” almost directly suggests that the research results were used in this case and that was the reason for cancelling presentation. Then, speculation concentrated on how come, or if at all, Institutional Review Board (IRB) have green lighted such research. Now, it seems that truth is far more concerning. According to Vice and Tor project, apparently FBI has paid Carnagie Melon University researchers one million dollars for executing newly developed against Tor users and passing gathered data to law enforcement. On the other the university claims that it was forced to hand out the results by subpoena.
Both scenarios seems to be equally troubling in terms of both ethical and legal considerations. First of all, I strongly believe that role of researchers and law enforcement agents has to be strictly separated. This does not mean that academic community has no rule in supporting LEAs’ efforts (through both research in areas of criminology, legal analysis and developing technical means of investigation), however once the actual operations are ongoing, they should be executed be LEOs exclusively. There are many reasons for this. First of all, scientists generally are not required to possess knowledge about criminal procedure required to collect evidence in a way that will ensure they are admissible in court. Second, scientists are not subject to the same level of disciplinary oversight that is (or should be) imposed on the members of law enforcement. Finally, civilians should not be expected to perform tasks (such as interception of traffic) that are only legal when conducted as a part of law enforcement operation.
Furthermore, there are significant problems and considerations in regards to the very process of obtaining evidence in Farrell’s case. If Carnegie Mellon was really forced to hand out research, is it possible that there was a pressure put on IRB to authorise the research? If not, how come research on subjects unable to provide consent was deemed to be acceptable? Does obtaining information from external source of information such as academic institution means that standard procedural safeguards does not apply? How come research conducted was not offence under US law? As long as all those questions remains unanswered, this incident should be a stark warning sign of possible abuses that might result from lack of proper oversight over ‘cooperation’ between law enforcement and academic community.
Some argued that cooperation between Carnegie Mellon and the government should not be surprise to anyone, as Software Engineering Institute is known to be funded by federal government and have ties with the Department of Defense. While this might explain why study was conducted in the first place, and why it produced particular results, it provides no consolation in terms of securing procedural safeguards. Model of obtaining evidence that involves greenlighting research, which is unacceptable from the point of view of scientific ethics, and than claiming the results as “source of information” is certainly very convenient way of bypassing criminal procedure in cases that involve digital anonymity. Let’s not forger that how controversial was FBI’s story of tracking down Ross Ulbricht, owner of the original Silk Road, with some claiming that the Bureau completely made up story that was included in criminal complaint. Furthermore, the very idea of conducting massive deanonymisation operations against suspects who could be outside the US, is not straightforward when it comes to obtaining a warrant.
Involvement of SEI as quasi-governmental entity raises questions about role of CERT’s credibility in terms of they contribution to public cybersecurity as well. The fact that vulnerability was not disclosed to Tor project would indicate that potential usefulness of exploit takes priority over securing the network. While this would be in line with policy of stockpiling zerodays for offensive use, it is not something to be expected from CERT, which claims to work in the interest of community. And if the decision to publish or use particular vulnerability is made on case by case basis, then who makes the decision?
Whether scientists were forced or paid, all these questions stem from a single decision – a decision to blur the line between investigation and science, and outsource evidence gathering to a non law enforcement entity. Consequences of this decision, most importantly how materials gathered will be assessed by court, will be a significant signpost for future collaborations between academics and LEOs.