CMU, FBI Deny Allegations CMU Received $1 Million For Tor Software Breach

Nov 18, 2015

Updated: 3:15 p.m.  

Carnegie Mellon University is facing renewed criticism over its alleged role in a massive takedown of "Dark Web" sites last year.  

Last week, the director of the nonprofit Tor Project, which publishes anonymizing software, alleged that CMU’s Software Engineering Institute had been paid for its help in unmasking an unknown number of Tor users over a period of about five months last year.

Credit (CC-BY 3.0)

90.5 WESA's Josh Raulerson spoke about the case with reporter Kashmir Hill, who covered the story in Forbes after it broke in 2014.

Tools like those available through the Tor Project are used by drug dealers and child pornographers to evade identification online. The same software is also used by whistleblowers and political dissidents.

FBI officials told Forbes on Wednesday that Tor Project Director Roger Dingledine's claim is "inaccurate,"  referring to allegations that the FBI paid CMU $1 million or more for the attack. It's still unclear whether this refers to the assertion that money was exchanged, the amount of the alleged payment or something else. WESA has attempted to reach the FBI for clarification.

CMU spokesman Ken Walters would not address whether any payment was indeed made, but said in a statement that the university's Software Engineering Institute was established specifically to focus on  software-related security and engineering issues. 

"There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity. ... One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected. 

"In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."