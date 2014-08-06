By Joseph Menn
LAS VEGAS Aug 5 The U.S. Department of Defense
did not receive personal data on users of Internet privacy
service Tor through a government-funded project to detect
vulnerabilities, a Defense spokeswoman told Reuters on Tuesday.
"This particular project was focused on identifying
vulnerabilities in Tor, not to collect data that would reveal
personal identities of users," said Defense Department
spokeswoman Lieutenant Colonel Valerie Henderson, adding that
the National Security Agency also did not receive data.
The project was conducted by two researchers at
Carnegie-Mellon University's Software Engineering Institute with
funding from the Defense Department.
She did not rule out the FBI or other agencies obtaining the
data. The FBI and Carnegie-Mellon declined to comment.
Funded in large part by other arms of the government, Tor
hides the Internet protocol addresses of users by routing their
traffic through multiple layers of volunteered servers.
In a note last week on Tor's website, Tor Project leader
Roger Dingledine said the service had identified computers on
its network that had been quietly altering Tor traffic for five
months in an attempt to unmask users connecting to what are
known as "hidden services," which include drug bazaars and
whistleblower sites.
Dingledine said it was likely the attacking computers, which
were removed on July 4, had operated on behalf of the Software
Engineering Institute team.
He warned then that "users who operated or accessed hidden
services from early February through July 4 should assume they
were affected."
Dingledine said the physical locations where the hidden
services were housed could have been exposed, although probably
not which content was viewed by a visitor.
In an email to Reuters, Dingledine said that Carnegie-Mellon
had stopped cooperating and would not share more information
about the effort.
The researchers had planned to describe their work at the
Black Hat security conference that begins Wednesday in Las Vegas
but the university cancelled the talk amid the controversy.
