At the Chaos Computer Congress in Hamburg, Germany today, University of Portsmouth computer science researcher Gareth Owen will present the results of a six-month probe of the web’s collection of Tor hidden services, which include the stealthy websites that make up the largest chunk of the Dark Web. The study paints an ugly portrait of that Internet underground: drug forums and contraband markets are the largest single category of sites hidden under Tor’s protection, but traffic to them is dwarfed by visits to child abuse sites. More than four out of five Tor hidden services site visits were to online destinations with pedophilia materials, according to Owen’s study. That’s over five times as many as any of the other categories of content that he and his researchers found in their Dark Web survey, such as gambling, bitcoin-related sites or anonymous whistle-blowing.
The researchers’ disturbing statistics could raise doubts among even the staunchest defenders of the Dark Web as a haven for privacy. “Before we did this study, it was certainly my view that the dark net is a good thing,” says Owen. “But it’s hampering the rights of children and creating a place where pedophiles can act with impunity.”
“Before we did this study, it was certainly my view that the dark net is a good thing.” Precisely measuring anything on the Dark Web isn’t easy, and the study’s findings leave some room for dispute. The creators of Tor known as the Tor Project responded to a request for comment from WIRED with a list of alternative factors that could have skewed its results. Law enforcement and anti-abuse groups patrol pedophilia Dark Web sites to measure and track them, for instance, which can count as a “visit.” In some cases, hackers may have launched denial of service attacks against the sites with the aim of taking them offline with a flood of fraudulent visits. Unstable sites that frequently go offline might generate more visit counts. And sites visited through the tool Tor2Web, which is designed to make Tor hidden services more accessible to non-anonymous users, would be underrepresented. All those factors might artificially inflate the number of visits to child abuse sites measured by the University of Portsmouth researchers.1
“We do not know the cause of the high hit count [to child abuse sites] and cannot say with any certainty that it corresponds with humans,” Owen admitted in a response to the Tor Project shared with WIRED, adding that “caution is advised” when drawing conclusions about the study’s results.
Tor executive director Roger Dingledine followed up in a statement to WIRED pointing out that Tor hidden services represent only 2 percent of total traffic over Tor’s anonymizing network. He defended Tor hidden services’ privacy features. “There are important uses for hidden services, such as when human rights activists use them to access Facebook or to blog anonymously,” he wrote, referring to Facebook’s launch of its own hidden service in October. “These uses for hidden services are new and have great potential.”
Here’s how the Portsmouth University study worked: From March until September of this year, the research group ran 40 “relay” computers in the Tor network, the collection of thousands of volunteer machines that bounce users’ encrypted traffic through hops around the world to obscure its origin and destination. These relays allowed them to assemble an unprecedented collection of data about the total number of Tor hidden services online—about 45,000 at any given time—and how much traffic flowed to them. They then used a custom web-crawling program to visit each of the sites they’d found and classify them by content.
The researchers found that a majority of Tor hidden service traffic—the traffic to the 40 most visited sites, in fact—were actually communications from “botnet” computers infected with malware seeking instructions from a hacker-controlled server running Tor. Most of those malware control servers were offline, remnants of defunct malware schemes like the Skynet botnet whose alleged operator was arrested last year.
But take out that automated malware traffic, and 83 percent of the remaining visits to Tor hidden service websites sought sites that Owen’s team classified as related to child abuse. Most of the sites were so explicit as to include the prefix “pedo” in their name. (Owen asked that WIRED not name the sites for fear of driving more visitors to them.) The researchers’ automated web crawler downloaded only text, not pictures, to avoid any illegal possession of child pornographic images or video. “It came as a huge shock to us,” Owen says of his findings. “I don’t think anyone imagined it was on this scale.”
Despite their popularity on the Tor network, child abuse sites represent only about 2 percent of Tor hidden service websites—just a small number of pedophilia sites account for the majority of Dark Web http traffic, according to the study. Drug-related sites and markets like the now-defunct Silk Road 2, Agora or Evolution represented a total of about 24 percent of the sites measured in the study, by contrast. But visits to those sites accounted for only about 5 percent of site requests on the Tor network, by the researchers’ count. Whistleblower sites like SecureDrop and Globaleaks, which allow anonymous users to upload sensitive documents to news organizations, accounted for 5 percent of Tor hidden service sites, but less than a tenth of a percent of site visits.
The study also found that the vast majority of Tor hidden services persist online for only a matter of days or weeks. Less than one in six of the hidden services that was online when Owen’s study began remained online at the end of it. Since the study only attempted to classify sites by content at the end of its six month probe, Tor director Roger Dingledine points out that it could over-represent child abuse sites that remained online longer than other types of sites. “[The study] could either show a lot of people visiting abuse-related hidden services, or it could simply show that abuse-related hidden services are more long-lived than others,” he writes. “We can’t tell from the data.”
The Study Raises the Question: How Dark Is The Dark Web? Other defenders of the Tor network’s importance as an alternative to the public, privacy-threatened Web will no doubt bristle at Owen’s findings. But even aside from the Tor Project’s arguments about why the study’s findings may be skewed, its results don’t necessarily suggest that Tor is overwhelmingly used for child abuse. What they may instead show is that Tor users who seek child abuse materials use Tor much more often and visit sites much more frequently than those seeking to buy drugs or leak sensitive documents to a journalist.
Nonetheless, the study raises new questions about the darkest subcultures of the Dark Web and law enforcement’s response to them. In November, the FBI and Europol staged a massive bust of Tor hidden services that included dozens of drug and money laundering sites, including three of the six most popular anonymous online drug markets. The takedowns occurred after Owen’s study concluded, so he doesn’t know which of the pedophilia sites he measured may have been caught in that dragnet. None of the site takedowns trumpeted in the FBI and Europol press releases mentioned pedophilia sites, nor did an analysis of the seizures by security researcher Nik Cubrilovic later that month.
“It came as a huge shock to us. I don’t think anyone imagined it was on this scale.” In his Chaos Computer Congress talk, Owen also plans to present methods that could be used to block access to certain Tor hidden services. A certain number of carefully configured Tor relays, he says, could be used to alter the “distributed hash table” that acts as a directory for Tor hidden services. That method could block access to a child abuse hidden service, for instance, though Owen says it would require 18 new relays to be added to the Tor network to block any single site. And he was careful to note that he’s merely introducing the possibility of that controversial blocking measure, not actually suggesting it. One of Tor’s central purposes, after all, is to evade censorship, not enable it.
The study could nonetheless lead to difficult questions for the Tor support community. And it could also dramatically shift the larger public conversation around the Dark Web. Law enforcement officials and politicians including New York Senator Chuck Schumer have railed against the use of Tor to enable online drug sales on a mass scale, with little mention of child abuse. Owen’s study is a reminder that criminal content is hiding in the shadows of the Internet that make drug sales look harmless by comparison—and whose consumers may be more active than anyone imagined.
source: wired.com By Andy Greenberg