
Confirmed: CMU Attacked Tor, Was Subpoenaed by Feds - danso
https://motherboard.vice.com/read/carnegie-mellon-university-attacked-tor-was-subpoenaed-by-feds
======
pfg
To me the most bizarre part of this story is the argument that this didn't
constitute an unlawful search because there is no reasonable expectation of
privacy for Tor users:

> [...] it is the Court's understanding that in order for a prospective user
> to use the Tor network they must disclose information, including their IP
> addresses [...] such a submission is made despite the understanding
> communicated by the Tor Project that the Tor network has vulnerabilities and
> that users might not remain anonymous. Under these circumstances Tor users
> clearly lack a reasonable expectation of privacy [...]

~~~
ikeboy
They're giving over the information to a third party, which usually destroys
any 4th amendment rights.

The fact that the third party was actually three different parties who only
got a piece (or six, when using hidden services) doesn't seem like it would
change the law.

If I split data into 6 pieces and handed it to 6 different people, the
government can take those 6 pieces and put them together without violating my
rights. I don't see why Tor would be any different.

In fact, this particular vulnerability IIRC involved the researchers acting as
both the exit node and the guard node, and finding a way to pass a message
between the two so they'd notice when they're in the same circuit. That seems
even better legally than my analogy above. They didn't need to take any data,
the victims connected to them and gave them the info.

~~~
Lawtonfogle
> They're giving over the information to a third party, which usually destroys
> any 4th amendment rights.

Same reason that there is no need for a warrant to collect phone calls since
you are handing data over to the phone companies to carry between you and the
other party(ies). Also the same reason the government can sift through your
mail, since the items are in the possession of a third party (you likely gave
the items to the government itself).

To me this makes as much sense as the argument that since a plane carrying
people can fly over you, it is perfectly reasonable to put a blimp with an
extremely high zoom camera on that spies on your home constantly, detecting
not just visible light, but also infrared. Also, since when you talk things
vibrate, and since it is possible to view those vibrations through a window,
I'm actually broadcasting my speech to the public and thus don't have any
expectation of privacy.

~~~
tannhauser23
These issues have actually been litigated in court. The broad consensus is
that yes, the police can use a surveillance plane to take pictures of you
without first obtaining a warrant (Florida v. Riley), but no, they can't use
an infrared camera to look inside your home without a warrant. (Kyllo v. United
States)

None of these cases are really analogous to the Tor case. Generally speaking,
you have no reasonable expectation of privacy that information that you
voluntarily provide to a third party will be kept confidential. This is why
the police don't need a warrant to get your phone records or to obtain your
IP address.

You bring up mail, which is an interesting case. The contents of sealed mail ARE
protected by the Fourth Amendment - it's just that the government usually
relies on the "exigent circumstances" exception to the warrant requirement
(basically, showing that there is probable cause to search the mail but that
there is no time to obtain a warrant). The government can't just mass-open all
sealed mails and look at their contents.

~~~
harry8
A helicopter with an infrared camera costs about $100.

~~~
deftnerd
I believe he is referring to a thermal imaging camera, which can see heat
sources. They're still somewhat an expensive specialty item. The police used
to use them to look for people growing marijuana in their attics, but higher
courts now say that would require a warrant.

~~~
nkurz
He may be, but over the last few years some models have come out with much
lower prices:
[http://appleinsider.com/articles/14/11/23/review-flir-one-an...](http://appleinsider.com/articles/14/11/23/review-flir-one-and-seek-bring-thermal-imaging-to-iphone)

I wouldn't be surprised if there are usable thermal imaging sensors out there
for $100.

------
AdmiralAsshat
From Tor's front page:

_What is Tor?_

_Tor is free software and an open network that helps you defend against traffic
analysis, a form of network surveillance that threatens personal freedom and
privacy, confidential business activities and relationships, and state
security._

So, if the users of a service whose explicit mission statement is to provide
anonymity and privacy apparently do not have "reasonable expectation of
privacy," who does? Are they going to argue next that the private owner of a
wifi-capable laptop has no expectation of privacy in their own home because
the webcam could be conceivably hacked and remotely activated?

~~~
Lawtonfogle
Since they didn't verify all code on the laptop, and since the EULA said that
they don't actually own the code, only rights to use the code, then there is
no reasonable expectation of privacy using the laptop.

~~~
thescriptkiddie
So anyone using a computer with any proprietary software on it has no
expectation of privacy?

~~~
stsp
There is no clear line where total privacy starts and ends with technology
currently available on the consumer market. Even if you don't use any
proprietary software at all (which is very difficult to do for most people),
your privacy could, in principle, still be compromised by the underlying
hardware.

------
jackgavigan
_> Jones claimed that IP addresses, and even those of Tor users, are public,
and that Tor users lack a reasonable expectation of privacy._

This is an interesting judgment. Tor's purpose is to provide privacy. The fact
that it may have vulnerabilities (as all software does) doesn't mean that a
person using Tor doesn't expect that it will provide them with privacy.

~~~
DSMan195276
I think you're conflating two different points. Just because providing privacy
is Tor's intended purpose doesn't mean it's reasonable to assume it provides
privacy in the 4th amendment sense, when it still involves sending your data
to Tor nodes. The argument is that public IPs are inherently not private
because you have to give that information up to a separate entity to make any
sort of communication. I'd wager that's the "vulnerability" they're
referencing - That you don't know who is running the Tor nodes, and by
extension can't assume your IP will stay private if you're freely giving away
your IP address to them.

By voluntarily giving that information up, there is no reason to expect that
the Tor server you're connecting to will keep that information private
any more than a Facebook server would, even if we would like/hope that to be
the case. The person who owns the Tor server is well within their rights to
keep a log of every IP connected to their server.

You also have no control over the node which makes the actual connection to
the outside world - In which case that server can equally log anything it
wants about that connection. If the same person controls both servers and puts
two-and-two together and figures out you made a connection to website X, they
haven't violated your 4th amendment rights because you voluntarily gave that
information up by connecting to the Tor network without checking who you were
giving that information to.

Tor's intended goal is to provide privacy, but that doesn't mean it gives you
a legal expectation to privacy, which I think is what they're getting at. The
reality is that third-party entities can do whatever they want with the
data you voluntarily give them - The fact that they're Tor nodes doesn't
change this.

~~~
pyre
I somehow doubt that if I as an individual performed these actions the
government would hold back from charging me under the CFAA.

~~~
fapjacks
That's because you aren't backed by thousands of men in black uniforms with
automatic weapons. And that's what it's _really_ about.

------
_archon_
Why isn't the first line of the Tor EULA or info page (and I wondered the same
about Lavabit email) "This software/service is intended to provide its users a
reasonable expectation of privacy under US and international law." Or some
such. It's unreasonable to expect every user of a tech service to understand
how it all works so they can know their level of legal protection. Phone taps
require a warrant even if the phone user doesn't know how switching or tapping
works.

What's wrong with this idea?

~~~
wlesieutre
(Not a lawyer but) I don't think it legally holds any water, once your data is
out on the public network it's out on the public network.

It's the electronic equivalent of a sticker on your car that says "This car is
intended to provide its users a reasonable expectation of privacy under US and
international law."

~~~
ViViDboarder
When I make a phone call it routes through a public network. Tapping a phone
is illegal due to my expectation that the call is private.

I dunno. I've seen some good arguments either way here, and I'm also not a
lawyer.

------
wsothr
So the information was obtained by subpoena from a university research program
that is federally funded.

Thinking back to the HeartBleed incident, does this set a precedent for the
government to subpoena information related to private keys that may have been
exposed due to a software vulnerability and recorded as part of a federally
funded university security research lab investigation into said vulnerability?
Given that HeartBleed was so public, the likelihood of private keys and
certificates not being revoked is pretty low. But what about the next major
software vulnerability that doesn't have the same publicity?

Or extrapolating even further, what about DNA that may be collected and kept
by entities receiving federal funding. Say healthcare funding? Does that
entitle the government to access?

------
chinathrow
If you work in research like that - how can you sleep at night?

This is a real question - I haven't been able to ask someone directly involved
in unmasking users like that.

~~~
nhf
From the perspective of a current CMU student: the Software Engineering
Institute (SEI) here is the responsible party here. Note that they are
separate from the main ("academic") school of CS. They are a federally-funded
research and development center, essentially a computing-focused contractor
and consultant for the DoD (see more here:
[http://www.sei.cmu.edu/about/organization/workingwithanFFRDC...](http://www.sei.cmu.edu/about/organization/workingwithanFFRDC.cfm)).

So, in short, the people at the SEI sleep as well as the people at Raytheon or
Lockheed Martin that build the drones, or the folks at Alcatel-Lucent who
helped the NSA way back, or maybe even the guys way back at Los Alamos. It's
not like some grad students or CS professor got strong-armed into doing this.
It's literally their job to do this kind of work for the DoD and other
government offices. While the ethics of this line of work are certainly up for
debate, they knew exactly what they were getting into.

------
pasbesoin
If you don't own the physical layer, sooner or later you're screwed. (My
comment is not meant to reflect on the merits or demerits of the particular
use in question. It's a general statement.)

------
ianremsen
One minor thing: consider showing motherboard.vice.com as a separate domain?

------
maesho
Was the vulnerability made public? Was it patched?

~~~
pfg
It's covered in this blog post[1]. Some mitigations are in place now.

[1]: [https://blog.torproject.org/blog/tor-security-advisory-relay...](https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/)

------
majke
I must admit the description is pretty opaque for me. Can someone translate
this to simple English? What is a "subpoena" in this context? What most likely
actually happened?

------
smokeyj
I'm less interested in the court's interpretation of reasonable than why my
personal liberty depends on such a subjective term. If the bill of rights is
entirely subjective, it might as well say "We the people have rights.. and
stuff. Y'know man?".

Note to the next framers of a constitutional republic. Include some notion of
objective unit and functional tests.

~~~
Laaw
You don't "have" any personal liberties. You are not born with rights, you are
gifted them by a benevolent society. That society can easily lose its
benevolence, and take your rights away, and there is absolutely nothing you'd
be able to do about it.

You might hold a differing view, but the fact is, reality works as I've
described. Delude yourself all you want, but your rights _do_ hinge on the
imperfect and subjective manner in which your benevolent rulers have granted
them to you.

They _have not_ granted you absolute rights, specifically laid out, but they
_have_ done better than, "rights.. and stuff."

~~~
diskcat
>You are not born with rights

This argument is really semantic.

The line always devolves to the tautological "the only rules of the universe
are physical rules".

~~~
Laaw
That's not tautological at all. Also, it's not really true. There are plenty
of rules. What I'm saying is the only "unalienable" rules are the laws of the
physical universe. Every other rule is a construct of society and people, and
as such, is not guaranteed in the way as stated by the previous commenter.

It's just something I believe is worth keeping in mind when talking about your
"right to privacy", specifically. There are many prominent public figures who
actually don't believe you have that right at all, and when we remember that
rights (as we're referring to them) are granted only by the grace of the
state, if the members of the state don't believe you have a right, then you
simply don't.

The argument here should be more about whether or not it's in the state's best
interest to grant the right to privacy to its citizens, and I think there's a
pretty strong argument in favor of that, but simply stating "I have a right!"
doesn't illuminate that argument very much.

