In Plain Sight
The Dark Web–also known as the Deep WEB–refers to a portion of the Internet that is hidden from normal search engine traffic analysis. “Think of the Dark Web as a network within the Internet where users can operate without revealing their true identities, and where Web sites exist on servers whose physical location is virtually impossible to trace,” says Thomas Brown, a former federal prosecutor and member of FTI Consulting’s global risk and investigations practice. Brown specializes in working with companies on issues related to cybersecurity and cyber investigations. He explains that the common iceberg analogy works well for the Dark Web. “You’ve got the part above the water, which is relatively small compared to the rest of the iceberg under the water. The piece you see above the waterline is the part that is seen by [a search engine], for example, and the part below the waterline, which is hidden, is the Dark Web.”
The Tor Project. Brown explains that the Dark Web is “hiding in plain sight,” and that the barriers to entry are remarkably low. “It does not require a great amount of technical sophistication to get on the Dark Web,” he says. “All that’s required is to download some software, which is freely available on the Internet. The software is maintained by a foundation called the Tor Project.”
Tor, short for The Onion Router, is the leading provider of anonymity on the Web. The network was originally developed as a third-generation project by the U.S. Naval Research Laboratory in the 1980s, primarily for protecting government communications, but has since expanded to provide privacy and security online. The Tor Project is a group that teaches organizations and individuals how to use the network protocol for privacy purposes.
Privacy and security researcher Runa Sandvik, who previously worked as a developer for the Tor Project, explains to Security Management how the network of virtual tunnels assists in providing anonymity. “Tor enables anyone to browse the Internet in a secure, anonymous way,” she says. “Tor protects you by sending your [Internet] traffic–wrapped in layers of encryption–through random servers somewhere in the world. This means that your Internet service provider…cannot see which Web sites you are visiting.”
The Silk Road. There have been a number of high-profile criminal cases in which Tor was used to hide illicit activity. As a former Assistant United States Attorney in the Southern District of New York, Brown was involved in prosecuting the owner of the Silk Road, a drug bazaar hosted through Tor and taken down by law enforcement in 2013. Known as the “Amazon for drugs,” Silk Road used Bitcoins, a type of virtual currency, to anonymize transactions of narcotics and other illicit products.
While the operators of the Silk Road Web site used Tor to facilitate their criminal activity, Ross William Ulbricht, who has been charged with being Dread Pirate Roberts, the owner and principal operator of the Silk Road site, allegedly dropped some crucial clues as to his true identity, which law enforcement was able to use. There are several points laid out in the FBI’s complaint against Ulbricht, one of which is that he used his personal e-mail address when soliciting help for starting up the site. He was using a VPN-server for a period of time to connect to the Silk Road, which at one point became corrupted and publicly displayed the IP address of the site, exposing him to law enforcement. “It’s a combination of technical and traditional gumshoe police work that was able to find him,” notes Brown.
Brown says the Silk Road case is not a reason to label both Bitcoins and Tor as inherently bad. “Tor in and of itself and Bitcoin in and of itself are not bad things,” he says. “There are legitimate uses for both.”
Privacy debate. Sandvik says she and others at the Tor Project advocate using the Dark Web for individual privacy, stating that its importance goes beyond just hiding Internet activity from prying eyes. “Over the past year, we have learned a lot about how governments collaborate, coerce, and circumvent laws to operate electronic mass surveillance programs,” Sandvik says. “This in turn changes how we think about privacy and how we behave online, and this loss of privacy has a chilling effect on freedom of expression.”
Peter Davies, who is the outgoing chief executive officer at the U.K. Child Exploitation and Online Protection Command, National Crime Agency, spoke about the Dark Web at the 2014 ASIS International European Security Conference and Exhibition, which took place in The Hague, The Netherlands, in April. Davies, who has worked on numerous cases in which child pornographers used the Dark Web to hide their activity, expressed mixed feelings on the public uses of Tor. “I think [the Navy was] right to invent it, but the fact that they made it free to everybody and allow it to be used for other purposes, I’m not so sure.”
Davies added that it is unclear how often users commit crimes via Tor. “We do not know what else is out there. We do not know the extent to which it’s been used as a mainstream means of communication or a carrier for the kind of criminality you worry about in your organization.”
Brown notes that Tor’s ability to facilitate criminal hackers by hiding their identities online should serve as a wake-up call for businesses, which need to take cyber risk seriously given the operational and reputational damage that can result from a computer intrusion. “I would say that because the cyber criminals are getting so powerful online and have so many tools at their disposal, companies should be very serious about making sure that their cyber defenses are adequate to meet this increased threat,” he says.
Sandvik emphasizes there is “nothing” the Tor Project can do to track users or figure out where a hidden service is hosted. She says that the same protections that keep bad people from breaking Tor’s anonymity also prevent the project from figuring out what’s going on. “The Tor Project is happy to work with everyone, including law enforcement groups, to train them how to use the Tor software to safely conduct investigations or anonymized activities online,” she notes.
Many experts accept that the Dark Web has both legitimate and illegitimate uses, Brown says. But, the ongoing debate between privacy advocates and those wanting the ability to track criminals “is going to be a perennial push-pull. That’s a debate that probably won’t be settled any time soon.”