[tor-talk] Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps Because It Broke Wiretapping Laws

Eugen Leitl eugen at leitl.org
Tue Jul 22 08:30:14 UTC 2014


Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps
Because It Broke Wiretapping Laws

from the questionable-legality dept

There's some buzz in security circles today after it came out that a session
at the upcoming Black Hat Conference entitled "You Don't Have to be the NSA
to Break Tor: Deanonymizing Users on a Budget" by Michael McCord and
Alexander Volynkin (both of whom work for Carnegie-Mellon University and
CERT) had been pulled from the conference at the request of CMU.

A Black Hat spokeswoman told Reuters that the talk had been canceled at the
request of lawyers for Carnegie-Mellon University, where the speakers work as
researchers. A CMU spokesman had no immediate comment.

There's been plenty of speculation about what's going on, but Chris Soghoian
has a pretty good thesis that the researchers likely didn't have
institutional approval or consent of the users they were identifying, meaning
that they were potentially violating wiretapping statutes. As he notes,
running a Tor server to try to spy on Tor traffic without talking to lawyers
is a very bad idea. While it hasn't yet been confirmed that this is what
happened, it certainly is a pretty sensible theory. 

Of course, none of that changes the fact that it's possible to identify some
Tor users. But... that's also not particularly new. In fact, we've discussed
in the past how the feds can identify Tor users. Tor adds an important layer
of protection, but there are plenty of ways that you can still be identified
while using Tor. Just ask Ross Ulbricht. The problem isn't so much Tor itself
but how people use it -- and the simple fact is that most people use it in a
way that will eventually reveal who they are. While it's not definite, it
seems likely that this is what the talk would have revealed. Shutting it down
wasn't any sort of big attempt to cover up this fact, but perhaps it was to
protect the researchers and CMU (potentially) from a lawsuit for violating
wiretapping laws.
