According to the affidavit from FBI Special Agent Thomas M. Dalton, the person who sent a fake bomb threat to cause Harvard to evacuate several buildings during exams used a throwaway email address from Guerrilla Mail, which he contacted via Tor. The FBI caught him anyway because the sender of the bomb threat accessed Tor via the Harvard wireless network.
The Guerrilla Mail FAQ says that “Logs are deleted after 24 hours,” but the FBI apparently got there inside that window. Presumably using the Guerrilla Mail logs, the FBI determined that the sender of the emails used Tor, an anonymization tool, to connect to Guerrilla Mail. Although the affidavit doesn’t spell any of this out, Harvard’s logs allowed it to figure out who had been using the Harvard wireless network to connect to Tor. They then somehow — by correlating the limited pool of Tor users with the people who had exams in the buildings evacuated due to the bomb threat? — fingered a suspect (or suspects?). I’d love to know how many people were in the intersection of those two sets. When confronted by the FBI, a Harvard undergrad confessed. One has to wonder, though, whether there would have been sufficient evidence to convict beyond a reasonable doubt without that confession. After all, there are other ways to connect to Tor.
Tor is widely considered to be the best tool available for online anonymity, so this serves as a cautionary lesson on how difficult it is to be anonymous online.
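To make the “intersection of those two sets” concrete, here is an added example (it is not from the post, the affidavit, or Harvard’s systems) of the kind of log correlation an incident-response team does on an authenticated campus network: join a wireless authentication log (who held which IP, when) against a flow log of outbound connections, keep the flows whose destination is a known Tor relay, and intersect the resulting usernames with a list of people who had exams in the affected buildings. Every log line, username, IP address, relay address and roster entry is constructed, and the relay set is a stand-in for a snapshot of the public Tor relay list. The example deliberately includes a reassigned DHCP lease, because naively mapping IP to user without respecting time would blame the wrong person.

```python
"""
Added example, not part of the original post.  Correlates a constructed
wireless auth log with a constructed flow log to find which authenticated
users contacted a known Tor relay inside a time window, then narrows that
set with a constructed exam roster.
"""
from datetime import datetime

# Constructed auth log: time, username, IP assigned to that user's device.
# Note that 10.20.3.41 is reassigned from alice to erin at 08:50.
WIFI_AUTH_LOG = """\
2013-12-16T08:02:11 auth user=alice ip=10.20.3.41
2013-12-16T08:05:47 auth user=bob ip=10.20.3.42
2013-12-16T08:10:03 auth user=carol ip=10.20.3.43
2013-12-16T08:30:19 auth user=dave ip=10.20.3.44
2013-12-16T08:50:00 auth user=erin ip=10.20.3.41
"""

# Constructed outbound flow log: time, source IP, destination IP, destination port.
FLOW_LOG = """\
2013-12-16T08:40:02 src=10.20.3.41 dst=198.51.100.7 dport=443
2013-12-16T08:41:15 src=10.20.3.42 dst=203.0.113.9 dport=9001
2013-12-16T08:42:30 src=10.20.3.43 dst=192.0.2.55 dport=443
2013-12-16T08:45:00 src=10.20.3.44 dst=198.51.100.8 dport=443
2013-12-16T08:55:10 src=10.20.3.41 dst=203.0.113.9 dport=9001
2013-12-16T09:30:00 src=10.20.3.44 dst=203.0.113.9 dport=9001
"""

# Constructed stand-in for a snapshot of the public Tor relay list
# (documentation-range addresses, not real relays).
KNOWN_TOR_RELAYS = {"203.0.113.9", "192.0.2.55"}

# Constructed investigation window and exam roster.
WINDOW_START = datetime(2013, 12, 16, 8, 0, 0)
WINDOW_END = datetime(2013, 12, 16, 9, 0, 0)
EXAM_ROSTER = ["alice", "carol", "erin", "frank"]


def parse_kv_line(line):
    """Split 'TIMESTAMP key=val key=val ...' into (datetime, {key: val})."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return datetime.fromisoformat(ts), kv


def parse_auth_log(text):
    """Return [(time, username, ip), ...] sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kv = parse_kv_line(line)
            events.append((ts, kv["user"], kv["ip"]))
    events.sort()
    return events


def user_for_ip(auth_events, ip, at):
    """Most recent user authenticated on `ip` at or before time `at` (None if unknown).
    Walking the time-ordered events handles leases that change hands."""
    owner = None
    for ts, user, ev_ip in auth_events:
        if ts > at:
            break
        if ev_ip == ip:
            owner = user
    return owner


def tor_users(auth_text, flow_text, relays, start, end):
    """Usernames whose device contacted a known relay between start and end."""
    auth_events = parse_auth_log(auth_text)
    users = set()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_kv_line(line)
        if not (start <= ts <= end) or kv["dst"] not in relays:
            continue
        user = user_for_ip(auth_events, kv["src"], ts)
        if user is not None:
            users.add(user)
    return users


def find_tor_users():
    """Run the correlation over the constructed logs."""
    return tor_users(WIFI_AUTH_LOG, FLOW_LOG, KNOWN_TOR_RELAYS, WINDOW_START, WINDOW_END)


def find_candidates():
    """Intersect Tor users in the window with the constructed exam roster."""
    return find_tor_users() & set(EXAM_ROSTER)


if __name__ == "__main__":
    print("Tor users in window:", sorted(find_tor_users()))
    print("Also on the exam roster:", sorted(find_candidates()))
```

Run stand-alone it reports three Tor users in the window and two of them on the roster; the 08:55 flow is attributed to erin, not alice, because the lease had changed hands, and the 09:30 flow is dropped as outside the window. The narrowed set is small but still not unique, which is exactly the author’s point: this kind of correlation produces candidates, not proof, and a relay list snapshot also misses users who reach Tor through bridges or another network entirely.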
The text of the affidavit is below:
Criminal Complaint Against Student Charged With Making Harvard Bomb Threat
He presumably accessed the Harvard network via wi-fi, and my best guess at how the FBI fingered the kid would be because the wi-fi network requires authentication — in which case, the University would have a log of who was using what networking protocols under which logins.
The kid probably didn’t even think about being logged in to the campus network, since a lot of people use cookies/keychains so they don’t have to enter passwords all the time. The TOR activity on the authenticated campus network could then be correlated with the webmail logs.
TOR is good software, but it’s weak anonymity that isn’t built for privacy. Your traffic is encrypted in transit, but is all sent in the clear on exiting the network — not very private! You need discipline for TOR to be effective.
Part of the problem with how people approach TOR is they don’t properly disambiguate between privacy and anonymity. If you go to the doctor, that visit is private, though not at all anonymous — your person is examined in great detail. If you pay for a Starbucks coffee in cash, that’s not private but it’s anonymous, since there’s nothing connecting your person to that cash transaction.