Medill News Service

Caught in the Crossfire

A wave of non-criminal users is joining the dark web and stepping into the middle of a privacy battle

By Nick Hagar, Geordan Tilley, Alex Duner and Nicolas Rivero

Published on March 10, 2016

Do you want to read this story on the dark web?

The dark web might seem scary and complicated, but it's actually quite easy to get started using the Tor web browser to go onto the dark web and protect your privacy.

We published this story as a Tor hidden service — a special type of website that lets you browse with even more privacy. Though these types of sites are typically associated with the more illicit aspects of the dark web, the technology is benign. When you visit a Tor hidden service, the site can't get access to your IP address or your location.

First you'll need to download and install the Tor browser.

Then, once you have Tor installed, open it and paste this address into the URL bar: http://b2lqdo3v4tphyqbf.onion. Because the URL ends in .onion, Tor hidden services are sometimes called onion sites.

You could also use Tor to navigate to this site on the "surface web". When you browse the "surface web" on Tor, after your request is anonymized in the Tor network, the connection between the exit relay and the site you are trying to access is made back on the normal internet.

However, when you access an onion site, the connection between your computer and the server never leaves the Tor network, so your metadata is never exposed to the outside Internet.

To learn more about the differences between browsing "normal" sites using Tor and browsing onion sites using Tor, check out this ProPublica guide.

Mike Tigas is an online privacy nerd. A web developer and journalist for ProPublica, Tigas thought it might be fun to tinker with putting the investigative news site on the dark web. And in January, what started as a side project turned into a full dark web version of ProPublica.

The dark web — long considered an anonymous, online haven for criminals and terrorists — got its first news site.

"The reaction wasn't remotely close to what I thought it would be," Tigas said. "Overwhelmingly, the reception was positive. I forgot this could be a thing that more people would be interested in, not just the nerds."

But ProPublica isn't the first company to make this move: Facebook launched on the dark web in 2014. Both companies are tapping into growing privacy concerns that push more people to use anonymous browsers like Tor.

Because of the way the Tor network is set up, as more users try to hide their online identities, it becomes harder for law enforcement agencies to unmask criminals who are using the dark web to cover their digital tracks.

Tor anonymizes Internet traffic by bouncing it around the world, obscuring its point of origin. And though Tor can be used to access sites on the dark web -- those not reachable from a normal browser -- the dark web and Tor are not the same thing. The Tor browser can also be used to access everyday “surface web” sites anonymously.

"Whenever you hear about Tor, it's all the weird shady things that people do with it — like Silk Road, child porn sites, things like that — and not many people talk about other uses," Tigas said. "It hasn't been until the past couple years when there's actually normal people who can use Tor and not be freaked out about it."

Survivors of abuse use Tor to keep their online lives hidden from stalkers. Librarians are starting to use Tor to protect patrons’ privacy. People living under repressive regimes use Tor to access censored websites.

The Edward Snowden National Security Agency leaks, and ensuing revelations about government surveillance, played a significant role in changing public perception about the need for digital privacy, according to Robin Wilton, a spokesman for the online transparency advocacy group Internet Society.

"People are shifting from not really being conscious of what the problem is," Wilton said, "to thinking, 'You know what, I think there's something going on here. I want to find out more about it. And if it's about my privacy, I want to do something about that.'"

That attitude encapsulates the vision that the Tor Project has for its browser. In its about page, the group explains that the Tor browser benefits legitimate users like journalists, whistleblowers, academics researching sensitive topics and dissidents living under repressive regimes.

It makes no mention of the criminal enterprises for which the dark web is more infamous.

The Tor Project points out that roughly 97 percent of Tor traffic stays on the "surface" web. This means that the vast majority of users are visiting the same sites any Internet user has access to but are using Tor to keep their browsing anonymous. But one study found that if you look at the 3 percent of Tor traffic that goes to "hidden services" — the true dark web, pages that you can only access with a Tor browser and an encrypted URL — 80 percent of the traffic to those sites is for child pornography.

This is where law enforcement comes in. It’s the natural enemy of any tool criminals can use to hide what they’re doing, and several federal agencies have been working to find and exploit cracks in Tor’s anonymity protections.

An investigation published by Das Erste, a German public television channel, found that merely searching for keywords related to privacy software like Tor causes the NSA to tag and track the searcher’s IP address, whether in the U.S. or abroad. Leaked documents, including a 49-page research paper and a PowerPoint presentation titled “Tor Stinks,” show that the NSA has been exploring ways to trace Tor traffic back to users, take down hidden services and degrade the entire Tor network for at least a decade.

While the NSA concerns itself with national security threats like terrorist groups using Tor for covert correspondences, the FBI has used similar methods to take over the dark web’s biggest child pornography site. The Defense Department funded researchers who hacked into the dark web and unmasked the administrators of the online drug market Silk Road 2.0.

But ironically, the Defense Department also funds the Tor Project, which works to keep the dark web anonymous. In fact, Tor grew out of a U.S. Naval Research Laboratory project designed to protect government communications, and the Navy still uses this software to hide its communications. Law enforcement agencies also use Tor to monitor criminal activity online without revealing their government IP addresses, and the State Department funds and promotes the software as a democracy-building tool to help freedom fighters abroad evade censorship.

The Defense Department is funding both sides of a struggle between the Tor Project and law enforcement.

“There is no good policy response here,” said Eric Jardine, a research fellow at the Center for International Governance Innovation. “If you leave the network up, you are going to be facilitating illegal marketplaces, facilitating child abuse imagery sites, facilitating ransomware, hackers for hire. If you take it down, on the other side, there is evidence that for people in repressive regimes, especially, they need to use the technology to protect and exercise their basic political rights.”

There is nothing illegal about using Tor, so law enforcement has to confine itself to tracing the illegal activity running in the midst of all the network’s hidden traffic. But as more regular users join Tor, it gets harder to find a particular needle in the haystack.

“The problem for law enforcement comes in not necessarily because there are more crimes,” Jardine explained, “but because with an expanded user base, the network becomes more resilient and more anonymous.”

David Opderbeck, a law professor at Seton Hall University, said law enforcement has lately turned to high-tech solutions, like installing spyware on computers connected to the Tor network with the hope of infecting and tracking criminals’ computers.

“That’s controversial,” Opderbeck said. “Searches are supposed to be localized, confined things. You don’t get a general warrant to search everyone...but spyware is likely to infect users who do not engage in any criminal activity and are not suspected of engaging in any criminal activity.”

He said legal authorization for those kinds of searches is a “very gray area” that needs to be addressed by Congress.

In the meantime, recent court rulings haven’t favored dark web anonymity. In both U.S. v. Jay Michaud—the case where the FBI hacked the dark web’s largest child porn site—and U.S. v. Brian Farrell—the case where the Defense Department paid hackers who found the identities of the Silk Road 2.0 administrators—district courts ruled that Tor users have no increased legal expectation of privacy. Therefore, investigators didn’t need warrants in either case to search the servers that turned up the defendants’ identities.

Legal uncertainty aside, law enforcement will likely keep trying to find ways to get around Tor’s protections, and Tor developers will keep tweaking their software to rebuff each new attempt. Jardine said this technological “arms race” actually works out well for both sides.

“They’re in a very antagonistic relationship,” he said, “but over time the effect is actually really good for the system, because it makes the network stronger and it still lets the FBI do what it needs to do.”

But even if the FBI is never able to truly deanonymize Tor, the increasing number of people using Tor for benign purposes may not be able to reclaim as much of their privacy as they might imagine.

Pinar Yildirim, an assistant marketing professor at the Wharton School of Business, said data collection isn’t limited to the Internet.

“This assumption that we will all move into Tor is very extreme,” Yildirim said, “but even in this extreme world, you are still alive in the offline world. You still have an address. You still have a credit card. You are still, possibly, watching TV. You still have a cellphone. You are still doing offline shopping where I can track your behavior, so I can learn plenty more about you, still, even if I don’t track you in the online world.”

Yildirim pointed out that marketing companies have been compiling this kind of information into consumer databases for decades. (If you want to see for yourself, you can plug your ZIP code into Nielsen PRIZM and find behavioral profiles of your neighborhood.)

Data surveillance extends far beyond our browsing histories. Privacy-conscious web users can take any number of measures to not leave a digital footprint, and they’ll be given a certain amount of anonymity for their efforts. But those same people live in a world where data collection is the norm in every aspect of life. Simply put, you can wear a mask online, but in the real world, your behavior can be collected, stored and matched to you. And that’s not going to change.

“We have been tracking consumers for quite some time,” Yildirim said. “It’s just that consumers are becoming more aware of it.”