According to the affidavit from FBI Special Agent Thomas M. Dalton, the person who sent a fake bomb threat to cause Harvard to evacuate several buildings during exams used a throwaway email address from Guerrilla Mail, which he contacted via Tor. The FBI caught him anyway because the sender of the bomb threat accessed Tor via the Harvard wireless network.
The Guerrilla Mail FAQ says that “Logs are deleted after 24 hours,” but the FBI apparently got there inside that window. Presumably using the Guerrilla Mail logs, the FBI determined that the sender of the emails used Tor, an anonymization tool, to connect to Guerrilla Mail. Although the affidavit doesn’t spell any of this out, Harvard’s logs allowed the FBI to figure out who had been using the university’s wireless network to connect to Tor. They then somehow — by correlating the limited pool of Tor users with the people who had exams in the buildings evacuated due to the bomb threat? — fingered a suspect (or suspects?). I’d love to know how many people were in the intersection of those two sets. When confronted by the FBI, a Harvard undergrad confessed. One has to wonder, though, whether there would have been sufficient evidence to convict beyond a reasonable doubt without that confession. After all, there are other ways to connect to Tor.
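The correlation described above is, from a network defender's side, ordinary security monitoring: match outbound connections in the campus wireless logs against the public list of Tor relay addresses, restrict to the time window of interest, and intersect the result with an independently sourced list of candidates. The following Python is an added illustration of that pipeline, not code from the post or from the affidavit; the relay addresses (RFC 5737 documentation ranges), the log lines, the usernames and the timestamps are all constructed for the example.

```python
from datetime import datetime

# Constructed stand-in for the public Tor relay list a monitor would download
# from the directory consensus. These are RFC 5737 documentation addresses,
# not real relays.
TOR_RELAY_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed wireless-network log: timestamp, authenticated user, client IP,
# destination IP, destination port. One deliberately malformed line is
# included to show that the parser skips it rather than crashing.
WIFI_LOG = """\
2024-05-01T07:50:00Z frank 10.20.1.60 203.0.113.10 9001
2024-05-01T08:30:12Z alice 10.20.1.15 93.184.216.34 443
2024-05-01T08:31:40Z bob 10.20.1.22 203.0.113.10 9001
2024-05-01T08:32:05Z carol 10.20.1.31 198.51.100.7 443
this line is garbled and should be ignored
2024-05-01T08:45:00Z dave 10.20.1.40 203.0.113.11 9001
2024-05-01T09:10:00Z erin 10.20.1.50 93.184.216.34 80
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse whitespace-separated log lines into records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, dst, port = parts
        try:
            when = datetime.strptime(ts, TS_FMT)
            port = int(port)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "src": src, "dst": dst, "port": port})
    return records


def tor_users_in_window(records, relay_ips, start_iso, end_iso):
    """Users whose client connected to a known relay IP within [start, end].

    Matching on relay IPs only catches direct connections to public relays;
    bridges and pluggable transports would not appear in this set.
    """
    start = datetime.strptime(start_iso, TS_FMT)
    end = datetime.strptime(end_iso, TS_FMT)
    return {r["user"] for r in records
            if r["dst"] in relay_ips and start <= r["when"] <= end}


def correlate(tor_users, candidates):
    """Intersect the network-derived set with an independently sourced candidate set.

    A hit only shows that the user connected to Tor in the window, not what
    they did over it; it narrows the pool, it does not identify the sender.
    """
    return set(tor_users) & set(candidates)


if __name__ == "__main__":
    recs = parse_log(WIFI_LOG)
    users = tor_users_in_window(recs, TOR_RELAY_IPS,
                                "2024-05-01T08:00:00Z", "2024-05-01T09:00:00Z")
    # Constructed second set: people scheduled to be in the evacuated buildings.
    scheduled = {"bob", "dave", "erin", "grace"}
    print("Tor users in window:", sorted(users))
    print("Intersection with schedule:", sorted(correlate(users, scheduled)))
```

With the constructed data, bob, carol and dave connected to a relay inside the window (frank did so too early, alice and erin never did), and intersecting with the constructed schedule leaves bob and dave. That narrowing is what the post is speculating about; the intersection size is exactly the number it wishes the affidavit had disclosed.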
Tor is widely considered to be the best tool available for online anonymity, so this serves as a cautionary lesson on how difficult it is to be anonymous online.
The text of the affidavit is below: