Wednesday, November 25, 2015

Doing Infosec research? The FBI will take that, thanks... (well, maybe)

You've probably heard about the TOR hidden service unmasking that was used by the FBI to bring down Silk Road 2.0 and other illegal services hiding on TOR.  There was later some speculation that the FBI paid Carnegie Mellon University (CMU), whose Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC), more than $1 million for research into unmasking TOR hidden services.  Needless to say, folks over at the TOR project are really mad about this.  The assertion also made CMU look bad.  Both the FBI and CMU have denied that CMU was paid specifically to decloak TOR users.

You may have also heard that CMU released a statement sort of hinting that they weren't specifically paid for the TOR research.  They don't really come out and say this, only suggest that's the case.  Whether you believe this or not doesn't really matter.  The implication is chilling.

It's probably also worth noting that CMU researchers submitted to speak at Black Hat in 2014, but withdrew their presentation.  This was probably not the result of a subpoena.  FFRDCs really do depend on their federal funding, and giving away secrets the FBI is currently using is probably a bad way to secure that funding on a continued basis.

If CMU is truly alleging that they turned over the research based on a subpoena and CMU has no special relationship with the FBI/DoJ, then the effects for infosec researchers are potentially chilling. Not everyone wants to turn over their research to the FBI.  For some, the reasons are financial - they may plan to turn their research into a product for sale.  Others may simply not wish to assist law enforcement with a particular case (or any case).

As a security researcher, I for one would feel more comfortable if the FBI disclosed what help they received from CMU and how they received it.  I actually don't care if the FBI paid CMU for their help in de-cloaking TOR users (as some have suggested).  I just want to know what my exposure as a security researcher is if the FBI wants my research to help with a case.  Is this something they can just take from me if it will help them solve a case?  If a subpoena truly was required for CMU, it is somewhat unlikely that CMU fought it very hard given their FFRDC status.  Many companies who don't have to worry about receiving FFRDC funding may have a different view on fighting a subpoena.

In the end, I don't care what the arrangement between CMU and the FBI was.  But as a security researcher, I would like to know what my liability and exposure are if the FBI wants my research.  Because quite frankly, I'd be comforted to know that at least CMU was paid.  The idea that the FBI can just subpoena my research because it's of use in a criminal investigation is a little terrifying.