Following reports it was paid $1 million to crack anonymous browser Tor for the FBI, Carnegie Mellon University has denied any wrongdoing. Kind of.
While the university says there have been a number of "inaccurate media reports" surrounding its cybersecurity research, it also clarified that it occasionally receives subpoenas for its researchers’ work and is legally obligated to turn over information and findings for free. "The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance," the school said. Tor wrote in a post this past week that more than a year ago, it discovered a publicly known vulnerability in its browser, one that could deanonymize users. Information collection went on for approximately half a year, from early February to July 4th of 2014.
Carnegie Mellon does comply with subpoenas, however
The university's wording suggests it's only dismissing The Tor Project’s claims that it accepted $1 million from the FBI — not that it disclosed research that led to the unmasking of possible criminal users. In its original post from this past week, Tor said it doubted the FBI would have received a valid warrant because the research and vulnerability exploitation were not "narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once." It also said that, if proven true, this attack and fruitful law enforcement / university relationship would set a "troubling precedent."
"We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of ‘legitimate research,’" the blog post says.