Q&A: The Deep Web, Anonymity, and Law Enforcement

Following the takedown of the notorious black market Silk Road in 2013, Agora, one of the biggest online marketplaces in the Deep Web recently announced a temporary shutdown to shore up defenses and address vulnerabilities. These incidents raise a number of questions about the Deep Web, including the role of law enforcement and how this will affect the future of organizations, companies, and users who seek anonymity.

Martin Roesler, Senior Director of the Trend Micro Forward-Looking Threat Research (FTR) team, answers questions about the Deep Web, its challenges to law enforcement, and why it will continue to be used as a platform for anonymity.

How safe or efficient is TOR (The Onion Router) in protecting a person’s anonymity?

Maintaining anonymity in the Deep Web depends on the user. Because TOR has already become popular, many users tend to neglect certain things they need to do to stay hidden. If you go into the Deep Web, you'll find a lot of users who still leave their email addresses, making them searchable. For those who are careful, they know that they shouldn’t run other applications while running TOR because they could still be tracked that way. To answer the question, TOR is not as safe as one would like to think.

Some government agencies like the NSA use TOR vulnerabilities to track illegal activities in the Deep Web. How does this work?

The TOR network is based on a very simple principle wherein a communication tunnel is built with one TOR node. From that TOR node, the traffic is encrypted, repacked, and made invisible from one TOR entry node, to a middle TOR node, and on and on until it exits on another TOR gateway. While this gateway is practically untraceable, the traffic to and from the TOR gateway can be traced. This makes the TOR architecture vulnerable. Law enforcement and intelligence agencies have analyzed this weakness, and so this is one strategy that can be used to overcome the limitation that the TOR gateway represents.

To defend their countries and track criminals, law enforcement agencies want to know what’s going to happen and who’s behind it. There are many rumored numbers in the community that says 70% or more of the TOR gateways are owned by intelligence services. If this was true, then the origins of 70% of the so-called encrypted traffic can still be traced.

It’s less about TOR and more about the role of intelligence agencies like the NSA. Because of the convenient and ubiquitous nature of the Internet, the borders have become more obsolete. The NSA and FBI are using dated rule sets from the old world to fight against cybercriminals. In essence, old-school protection mechanisms can hardly stand up to the advancement and changes of Internet technology.

What challenges does the Deep Web pose to law enforcement?  

Law enforcement are already facing enough challenges when it comes to dealing with international crime on the “Surface Web.” When it comes to the Deep Web, there are additional aspects that make life for law enforcement even more difficult. Essentially, there are three major issues that law enforcement has to cope with:

  • Everything in the Deep Web or Dark Web is encrypted. That means the criminals are more wary of being monitored or trapped. Encryption is their very first countermeasure to avoid getting caught.
  • Attribution is also one of the major problems. Since everything mostly happens on the .onion domains and the routing to the domains isn't clear, it becomes extremely difficult to identify and analyze the criminal’s profile.
  • Since the Deep Web is in flux, everything is very dynamic. Illegal marketplaces are moving locations every week, causing constant changes to the naming and address schemes in the Deep Web. Unlike www.trendmicro.com, which is always static, the information harvested from the Deep Web two weeks ago will no longer be relevant today. So if a judge or an investigation wants to check a URL involved in a criminal case, they end up nowhere. So that is definitely a challenge here, all the evidence is not only written, you have to document everything, you have to have screenshots and you have to make the evidence with timestamps, so that later on you can say it was this person at this time so a defense lawyer or an advocate cannot kill your chain of argument. 

[READ: Below the Surface: Exploring the Deep Web]

Following Snowden’s leaks and recent security breaches such as the OPM hack, companies have beefed up their security by providing stronger encryption, while U.S. government websites were mandated to do the same. However, there has been an ongoing discussion about the government wanting to prevent companies from using encryption. What can you say about this issue?

The U.S. has restarted discussions on what kinds of technology are allowed to be exported. They are mainly concerned about the export of cryptographic algorithms. Turkey has a law that forbids encrypted traffic because it gives cybercriminals an unfair advantage. This becomes a major argument as they want to balance the field between police and cybercriminals. The mindset behind this is that if a user uses encryption, they have something to hide and is suspicious by default. However, on the flip side, if we talk about electronic passports, users vote via the Internet and use online banking as well—and this becomes all about needing encryption to protect and verify identity. This is anarchic because on the one end we have electronic passports, online voting and online bankingall of this relies on encryption.

There is an approach from multiple countries that paints encryption as illegal—that only the state has a right to use encryption. However, on the flip side, if we talk about electronic passports, users vote via the Internet and use online banking as well—and this becomes all about needing encryption to protect and verify identity. It doesn’t make sense to allow encryption on one end and forbid it at the other end. That is an approach by people who have no idea how the technology works or what the Internet is but want to regulate that and maintain the status quo and the influence of the state.

What is the role of security vendors in all of this?

The Deep Web part of the Internet will grow in the future, as people try to dodge stricter regulations. The battle of encryption between organizations, companies, and individuals will continue. From a security vendor’s point of view, this is a problem that needs to be addressed carefully because the Deep Web is expected to be involved in a lot of social and economic developments that will be much more important in the next five years than it is today.

Security vendors strive to protect their customers as often and as much as they can, but if users or companies get hit by malware because they used the Deep Web, then security vendors have to create and provide solutions for such problems.

The Deep Web isn’t only about drug-dealing or the procurement of drugs in general, but many users who discuss taboo topics or perform activities that aren’t socially acceptable ultimately bring them to use the Deep Web. This is why Trend Micro at this point has two tasks: one is to monitor the Deep Web and see if there are any activities that might impact customers. This is done by checking for crypto services or the sale of malware and exploit kits. Two is to protect customers like journalists and other potentially endangered individuals who exchange sensitive information, since the Deep Web isn’t just a place for criminals but also for people who want to communicate without fear of having to fall under suspicion. Trend Micro ensures that it covers all parts of the Web, including the Deep Web.

Visit the Deep Web section of the Threat Intelligence Center for more on the Deep Web and the Cybercriminal Underground.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.