The mysterious corner of the Internet known as the Dark Web is designed to defy all attempts to identify its inhabitants. But one group of researchers has attempted to shed new light on what those users are doing under the cover of anonymity. Their findings indicate that an overwhelming majority of their traffic is driven by the Dark Web’s darkest activity: the sexual abuse of children.
At the Chaos Computer Congress in Hamburg, Germany today, University of Portsmouth computer science researcher Gareth Owen will present the results of a six-month probe of the web’s collection of Tor hidden services, which include the stealthy websites that make up the largest chunk of the Dark Web. The study paints an ugly portrait of that Internet underground: drug forums and contraband markets are the largest single category of sites hidden under Tor’s protection, but traffic to them is dwarfed by visits to child abuse sites. More than four out of five Tor hidden services site visits were to online destinations with pedophilia materials, according to Owen’s study. That’s over five times as many as any of the other categories of content that he and his researchers found in their Dark Web survey, such as gambling, bitcoin-related sites or anonymous whistle-blowing.
The researchers’ disturbing statistics could raise doubts among even the staunchest defenders of the Dark Web as a haven for privacy. “Before we did this study, it was certainly my view that the dark net is a good thing,” says Owen. “But it’s hampering the rights of children and creating a place where pedophiles can act with impunity.”
“BEFORE WE DID THIS STUDY, IT WAS CERTAINLY MY VIEW THAT THE DARK NET IS A GOOD THING.”
Precisely measuring anything on the Dark Web isn’t easy, and the study’s findings leave some room for dispute. The creators of Tor known as the Tor Project responded to a request for comment from WIRED with a list of alternative factors that could have skewed its results. Law enforcement and anti-abuse groups patrol pedophilia Dark Web sites to measure and track them, for instance, which can count as a “visit.” In some cases, hackers may have launched denial of service attacks against the sites with the aim of taking them offline with a flood of fraudulent visits. Unstable sites that frequently go offline might generate more visit counts. And sites visited through the tool Tor2Web, which is designed to make Tor hidden services more accessible to non-anonymous users, would be underrepresented. All those factors might artificially inflate the number of visits to child abuse sites measured by the University of Portsmouth researchers.1
“We do not know the cause of the high hit count [to child abuse sites] and cannot say with any certainty that it corresponds with humans,” Owen admitted in a response to the Tor Project shared with WIRED, adding that “caution is advised” when drawing conclusions about the study’s results.
Tor executive director Roger Dingledine followed up in a statement to WIRED pointing out that Tor hidden services represent only 2 percent of total traffic over Tor’s anonymizing network. He defended Tor hidden services’ privacy features. “There are important uses for hidden services, such as when human rights activists use them to access Facebook or to blog anonymously,” he wrote, referring to Facebook’s launch of its own hidden service in October. “These uses for hidden services are new and have great potential.”
Here’s how the Portsmouth University study worked: From March until September of this year, the research group ran 40 “relay” computers in the Tor network, the collection of thousands of volunteer machines that bounce users’ encrypted traffic through hops around the world to obscure its origin and destination. These relays allowed them to assemble an unprecedented collection of data about the total number of Tor hidden services online—about 45,000 at any given time—and how much traffic flowed to them. They then used a custom web-crawling program to visit each of the sites they’d found and classify them by content.
The researchers found that a majority of Tor hidden service traffic—the traffic to the 40 most visited sites, in fact—were actually communications from “botnet” computers infected with malware seeking instructions from a hacker-controlled server running Tor. Most of those malware control servers were offline, remnants of defunct malware schemes like the Skynet botnet whose alleged operator was arrested last year.