Making Informed Choices about the Deep, Dark Web

By Mark S. Melodia, Paul Bond and Mark H. Francis
July 01, 2016

A majority of Internet traffic and online data lives beneath the surface of the Web as we know it. In the darkest, hidden recesses of the Internet, individuals engage in illicit activities and cybercrimes, but also in substantial activism, journalism and sensitive communications. Hackers operate anonymously and in great numbers in this environment. In various secretive forums, they discuss techniques, software vulnerabilities and exploits, and tools of the trade. Hackers and other bad actors also offer their services for hire, and operate marketplaces that sell software vulnerabilities, hacking tools, corporate trade secrets, and stolen financial, health care and other sensitive personal information. This environment is also used to host command-and-control servers that direct denial of service (DoS) botnet attacks and communicate with malware residing in corporate networks.

Law enforcement agencies, cybersecurity service providers, and individual companies are more actively operating in this veiled ecosystem to proactively identify specific threats and vulnerabilities, and to search for any indication that organizations' confidential information has been exposed on the Internet. This trend has been prompted, in part, by an increasing push for proactive threat intelligence practices by regulatory agencies.

There is also a growing use of this environment to circumvent increasing surveillance and censorship by governments worldwide, most commonly by human rights activists, whistleblowers, journalists, and businesses with highly-sensitive information.

As these practices develop, attorneys may be called upon to advise clients on their activities and how to avoid crossing the line into civil or criminal liability.

Is it 'Deep' or 'Dark'?

“Deep Web” and “Dark Web” do not have the same meaning, although they are commonly conflated. See, “Clearing Up Confusion - Deep Web vs. Dark Web,” BrightPlanet (March 27, 2014). As a starting point, the indexed websites that can be easily visited through URLs, or found through search engines like Google and Bing, are known as the “Surface Web” or “Clear Web.”

By contrast, the “Deep Web” refers mostly to dynamic Web pages, blocked sites and content on access-restricted sites or servers that are not indexed by search engines. This includes information at academic institutions, medical and financial records, subscription-only sites, government and military systems, and corporate networks. Some estimates claim that only 4% of the Web is visible on the Surface Web, and the other 96% resides in the Deep Web. Although the Deep Web is not open to search engines or the public-at-large, it is often accessible through login portals on the Surface Web. For example, individuals routinely access their bank accounts and corporate networks through the Surface Web.

The “Dark Web” operates within the Deep Web, and refers to the infamous Wild West of the Internet. Individuals can interact anonymously on the Dark Web through layers of encrypted communication protocols like The Onion Router (Tor), often using the Tor browser. The Dark Web is popular for four key activities: 1) transactions involving illegal goods, services, or content (such as stolen data); 2) cyber warfare; 3) espionage and terrorism; and 4) communications intended to maintain secrecy or bypass censorship. See, “The Darknet: The Underground for the Underground,” BatBlue.

Law Enforcement

In recent years, law enforcement authorities have worked to identify and prosecute criminals operating in the Dark Web, despite the many technical and legal challenges they face.

The UK's National Crime Agency and GCHQ operate a “Joint Operations Cell” that was recently tasked with tackling child exploitation and other cybercrime on the Dark Web. See, “GCHQ and NCA Join Forces to Ensure No Hiding Place Online for Criminals,” GCHQ Press Release (Nov. 6, 2015). Also in 2015, Interpol announced that it was offering law enforcement personnel a dedicated Dark Web training program featuring technical information on Tor, cybersecurity and simulated Dark Web market takedowns. See, “Darknet Training Shines Light on Underground Criminal Activities,” Interpol (July 31, 2015).

In 2013, the FBI famously brought down one of the most popular Dark Web marketplaces for illegal drugs (Silk Road) and arrested Ross Ulbricht in San Francisco for operating the site. In 2015, Ulbricht was convicted for narcotics trafficking, money laundering, and computer hacking, and sentenced to life in prison without possibility of parole. See, “Bitcoin and Technology Challenges in Criminal Law,” in the September 2014 issue of Internet Law & Strategy.

Lawful Uses of the Dark Web

Cyber Threat Intelligence

“Threat Intelligence” is the new buzzword in cybersecurity. For example, in June 2015, the Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool that identifies threat intelligence as one of the five domains that financial institutions are advised to use in assessing risks and cybersecurity preparedness. See, FFIEC Cybersecurity Assessment Tool (June 2015). The Tool indicates that maturing cybersecurity programs are expected to implement technology for automatically receiving and monitoring intelligence on potential threats and vulnerabilities from multiple sources in real time. In a similar vein, the 2015 FINRA Report on Cybersecurity Practices states that “[f]irms should use cyber threat intelligence to improve their ability to identify, detect and respond to cybersecurity threats.” See, FINRA Report on Cybersecurity Practices (February 2015) at 34. Given the prevalence of cyber threat and vulnerability information on the Dark Web, it is often a resource identified by companies with real-time cyber intelligence programs.

Security researchers and cybersecurity professionals monitor the Dark Web for activities that might impact their customers or company. Researchers at security vendors follow developments and discussions on the Dark Web regarding malware and exploit kits in order to preempt or at least mitigate future attacks. Certain cybersecurity service providers specialize in mining Dark Web sites to identify any reference to their clients' data, employees, customers, products, or supply chain. The filtered information is analyzed to determine if an organization is being targeted or has already been breached by bad actors. Some of the intelligence sources include:

  • Marketplaces selling stolen trade secrets, personally-identifiable information (PII), or stolen financial account information such as credit card data;
  • Sites offering zero-day vulnerabilities, back doors, account credentials or other information specific to particular software or organizations; and
  • Forum gossip regarding targets of phishing campaigns, DDoS attacks, or other malicious activity.

In recent years, a number of organizations were caught off-guard when first informed of a data breach by law enforcement, security researchers or journalists who found their data for sale on the Dark Web. This has prompted a number of companies to buy or build threat intelligence services to observe the Dark Web. The goal of these services is to provide early warning of a pending attack, or detect any disclosure of an organization's confidential information on the Dark Web. This is a burgeoning but still young field, and there are still many technical and legal challenges to providing cost-efficient, automated and actionable intelligence on Dark Web activities.

Ethical Hacking

Organizations often retain ethical hackers (“white hats”) to adopt the persona of criminal hackers (“black hats”) and use many of the same hacking tools and exploits to attempt attacks on their information systems. Ethical hackers provide these penetration testing services in order to identify and remediate potential vulnerabilities in information systems.

Ethical hackers and cybersecurity researchers must stay current on the wide array of hacking tools and exploits used by criminals. They often follow discussions and developments in the seedier parts of the Surface Web and down in the Dark Web, test hacking tools, and study zero-day vulnerabilities and malware in order to better prepare their clients for malicious attacks.

Commercial Endeavors

The Dark Web remains a viable resource for information gathering and analysis, and a number of companies are exploring its use for lawful commercial activities and tracking consumer trends. For example, Facebook recently announced that over a million individuals are now using the Facebook site on Tor. Such commercial use cases are relatively new, and a lot of questions remain about the suitability and legitimacy of lawful commerce on the Dark Web.

Highly-Sensitive Communications

The Dark Web is often used for secure communications, especially with the increasing surveillance of Internet communications by government authorities. Some travelling business executives use the Dark Web to securely connect to corporate systems unseen by state-backed surveillance or espionage systems. Journalists communicate through the Dark Web to bypass censorship and protect their sources. Whistleblowers use the Dark Web to disclose sensitive information while remaining anonymous. Despite its infamy, the Dark Web is seen as a valuable resource in the international fight for human rights, freedom of speech and the preservation of privacy.

Dark Web: Five 'Rules of Engagement'

Rule 1: Do Not Commit a Crime

Most individuals understand that affirmatively purchasing drugs and other illegal products or services constitutes a crime, but they must also understand that simply clicking on a link and loading a website with child pornography can be a criminal act. Downloading pirated films, music and software is illegal, and knowingly obtaining stolen trade secrets and sensitive personal information such as credit card data can also lead to legal troubles. Using many of the freely-available hacking tools is also a dangerous proposition.

The FBI and other law enforcement agencies have developed sophisticated techniques for monitoring the Dark Web and have been able to successfully prosecute numerous individuals for breaking the law. For example, the U.S. Access Device Fraud statutes prohibit practices generally relating to producing, trafficking, processing or using certain devices intended to commit fraud or gain unauthorized access to a telecommunications service. See, 18 U.S.C. §1029. The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, is considered the broadest U.S. criminal statute for combatting cybercrime and, in general terms, prohibits intentional unauthorized computer access, obtaining government, financial, or any other online information without authorization, damaging an online computer, trafficking in passwords, damaging or threatening to damage an online computer, and conspiracy to commit a cyber-crime. The Stored Communications Act of 1986 (SCA), 18 U.S.C. §2701 et seq. (1986), prohibits intentionally obtaining, altering, or preventing authorized access to a wire or electronic communication without authorization.

Ethical hackers and other cybersecurity professionals therefore need to be careful when sharing hacking information online, when using hacking tools, and when accessing systems. Participation in Dark Web forums and efforts to access underground resources under the pretense of being a black hat can induce well-meaning individuals to engage in legally-questionable activities. Journalists and enthusiasts must also be careful to avoid any behavior that could run afoul of criminal laws. In April 2016, a U.S. judge sentenced a former Reuters journalist to two years in prison after he was convicted under the CFAA for providing login and password credentials to hacktivist group Anonymous with bad intent. Anonymous used the information to deface the Los Angeles Times website. See, Steven Musil, “Former Reuters Journalist Gets Two Years in Hacking Case,” CNET (April 13, 2016).

Where there is a need for law-abiding individuals to conduct questionable activities online, they should discuss the precise scope of their intended activities with legal counsel. In some instances, individuals should consult with the FBI or another suitable law enforcement agency before engaging in activities that could be perceived as unlawful.

Rule 2: Do Not Become a Victim

The Dark Web is filled with scammers and hackers looking to dupe individuals into downloading malicious software that compromises their computer. Individuals should never provide personal information (including their regular e-mail address) on the Dark Web, and should be very cautious about using Bitcoins. Although Bitcoins are the most accepted form of payment on the Dark Web, they are frequently used for money laundering or illegal products and services, and transactions can be recorded in public blockchains unless additional measures are taken to preserve privacy. In addition, Bitcoin repositories are frequently targeted by hackers, and millions of Bitcoins have been stolen or scammed from Dark Web marketplaces, currency exchanges and individuals. There is little fear of prosecution for Bitcoin theft in the Dark Web.

Rule 3: Do Not Violate Company Policies

Most organizations have acceptable use policies for computer equipment and electronic communications that prohibit users from engaging in many activities implicated by the Dark Web, such as using unapproved Web browsers, visiting websites with inappropriate content, or introducing potentially harmful code to the organization's network environment. Violations of these policies can result in disciplinary action up to and including termination. In some instances, employees engaging in hacking activities may be subject to civil liability and criminal prosecution.

Security professionals that are expressly tasked with data mining and other threat intelligence activities in the Dark Web will typically conduct their work using computers on an independent network that is completely isolated from the organization's other computers and network infrastructure.

Rule 4: Be Careful When Using the Tor Browser and Other Cyber Tools Outside of the United States

Many countries outside the United States have stricter legal regimes for Internet use, especially with respect to the use of advanced encryption and bypassing censorship infrastructure. For example, China has outlawed the use of Tor and has blocked access to Tor entrance nodes (see, Keith Watson, “The Tor Network: A Global Inquiry into the Legal Status of Anonymity Networks,” Washington University Global Studies Law Review, 11 (2012), 715-37), and Saudi Arabia, the U.A.E., and Iraq have blocked Tor's website. See, id.; “Iraq Crisis: Government Blocks Access to Tor Project Following Isis Insurgency,” International Business Times (June 16, 2014). Individuals planning to use Tor or other sophisticated communication tools in foreign countries may want to first confer with counsel regarding their legal exposure.

Rule 5: Serving as an Exit Relay May Be Legal, But It Is Risky for Most Individuals and Companies

The Electronic Frontier Foundation (EFF) has suggested that running a Tor relay (including an exit relay that allows people to anonymously send and receive traffic) is legal under U.S. law. However, even the EFF has recognized that “[a]n exit relay may forward traffic that is considered unlawful, and that traffic may be attributed to the operator of a relay.” See, “TOR Challenge Legal FAQ,” Electronic Frontier Foundation (April 21, 2014). This did in fact occur in the EU, where in 2014, an Austrian was convicted for aiding and abetting the distribution of child pornography, by virtue of operating a Tor exit relay. See, Loek Essers, “Tor Exit Node Operator Convicted of Abetting Spread of Child Porn,” PC World (July 10, 2014). As a general rule, therefore, individuals and organizations should not provide Tor Relay functionality without a specific need, and without being aware of the potential legal risks they face.

Conclusion

As use of the Dark Web continues to expand, organizations will increasingly take a more active role in this hidden sector of the Web, be it for threat intelligence, secure communications or commercial gain. To some extent, such engagement will be by choice, but business realities and regulatory expectations will also pressure companies to develop a Dark Web strategy. Individuals and organizations that intend to operate in this space should therefore seek expert counsel and take suitable precautions to protect themselves from business, technical and legal perspectives.


Mark S. Melodia and Paul Bond are Partners, and Mark H. Francis is an Associate, at Reed Smith, where they practice in the IP, information and innovation group.
