A talk on how to identify users of the Internet privacy service Tor has been withdrawn from the upcoming Black Hat security conference.
Tor is free software that uses a technique known as onion routing to anonymise web traffic by encrypting and then randomly bouncing communications through a network of relays run by volunteers, preventing eavesdroppers from being able to track user behaviour.
The US government initially funded the creation of Tor as a communications tool for dissidents in repressive countries, but it has also allowed criminals to take advantage of the same anonymity and it has frustrated the US National Security Agency for years, according to documents released by former agency contractor Edward Snowden.
Some criminal suspects on Tor have been unmasked by the FBI and other law enforcement or intelligence agencies using a variety of techniques, including tampering with software often used alongside Tor. In the best-known Tor case, US authorities shut down online drug bazaar Silk Road, a so-called hidden service reachable only via Tor, last October.
But the talk, titled "You don't have to be the NSA to Break Tor: De-Anonymizing Users on a Budget," had attracted attention within the security and privacy communities as the since-removed abstract claimed "a determined adversary" could "de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months," all for less than $3,000.
The researchers' summary said they had tested their techniques and that they would discuss dozens of successes, including cases where suspected child pornographers and drug dealers had been found.
Event spokeswoman Meredith Corley told Reuters the talk was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where researchers Alexander Volynkin and Michael McCord work. Neither man responded to a request for comment.
Corley said a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the materials he would discuss have not been approved for public release by the university or the Software Engineering Institute (SEI). It was unclear what aspects of the research concerned the university.
The institute, based at the university, is funded by the Defense Department. SEI also runs CERT, historically known as the Computer Emergency Response Team, which works with the Department of Homeland Security on major cyber-security issues.
Spokesmen for Carnegie Mellon and the Defense Department did not comment on the cancellation. One official said DHS had played no role in pulling the talk.
Tor Project President Roger Dingledine, lead developer of the software, told an online mailing list that the project had not requested the talk be cancelled, saying the non-profit group was working with CERT to coordinate disclosure of details on the researchers' attack on the network.
He also said he had questions "about some aspects of the research." In years past, other researchers studying Tor traffic have been criticized for intruding on users' privacy.
This would not be the first time a talk has been cancelled at Black Hat, scheduled to take place in Las Vegas on August 6 and 7. Presentations have been pulled from it and other conferences under pressure from software makers or for other reasons.