(Adds comment from researcher, university and Defense
By Joseph Menn and Jim Finkle
BOSTON, July 30 - Tor, the prominent system for
protecting Internet privacy, said on Wednesday many of its users
trying to reach hidden sites might have been identified by
In a note on the nonprofit's website, Tor Project leader
Roger Dingledine said the service had identified computers on
its network that had been quietly altering Tor traffic for five
months in an attempt to unmask users connecting to what are
known as "hidden services."
Dingledine said it was "likely" the attacking computers,
which were removed on July 4, were operated on behalf of two
researchers at the Software Engineering Institute, which is
housed at Carnegie-Mellon University, but funded mainly by the
U.S. Department of Defense.
The pair had been scheduled to speak on identifying Tor
users at the Black Hat security conference next month. After Tor
developers complained to Carnegie-Mellon, officials there said
the research had not been cleared and canceled the
Previous reports on the research had already raised alarms
among privacy activists. Dingledine went further, warning on
Wednesday that "users who operated or accessed hidden services
from early February through July 4 should assume they were
Those navigating to ordinary websites should be in the
It remains uncertain how much data the researchers were able
to collect and what will happen to that information, which would
be of interest to intelligence agencies and law enforcement.
Hidden services include underground drug sites such as the
shuttered Silk Road, as well as privacy-conscious outfits such
as SecureDrop, which is designed to safely connect
whistleblowers with media outlets.
Dingledine said the physical locations where the hidden
services were housed could have been exposed, although probably
not the content on them that was viewed by a visitor.
"Unfortunately, I cannot comment," lead Software Engineering
Institute researcher Alexander Volynkin told Reuters.
Institute spokesman Richard Lynch declined to comment, while
the FBI had no immediate response to questions about whether it
would seek the data.
Defense Department spokeswoman Valerie Henderson said she
did not know if officials there would have the right to raw
research from the Institute.
"You have to know what organization and which individuals
inside the Department of Defense might have set this one up,"
Even if there is an overarching guideline about access to
unpublished research, "the general rule may not apply," she
Tor is an anonymity tool designed to protect the identity of
Internet users by routing traffic through multiple nodes around
the world. It is used by human rights activists, criminals and
others looking to evade surveillance.
Dingledine advised users to upgrade to the latest version of
its software, which addresses the vulnerability that was
exploited. He cautioned that attempts to break Tor were likely
Leaked National Security Agency documents show the NSA has
logged the IP addresses of many Tor users and might have scanned
emails for users living outside of the United States and its
four closest intelligence allies, the United Kingdom, Canada,
Australia and New Zealand, media in Germany reported this month.
(Additional reporting by Joseph Menn in San Francisco; Editing
by Bernadette Baum and Andre Grenon)