Open Access Governments speaks with Gareth Owenson, one of the founders of Searchlight, to uncover the murky underbelly of the world wide web
Though originally set up by the Tor Project to allow whistle-blowers and those living in repressive regimes speak out anonymously online, the dark web has since been largely taken over by criminals. Gareth Owenson provides an insight into what really goes on behind closed doors. His responses are fascinating, but also reinforce that the dark web is dangerous and extremely disturbing.
Q) What is the dark web?
A) The dark web is an area of the internet which is designed to provide people browsing the dark web but also participating in activity on it. In terms of user experience, it very much looks like accessing the open web, except for you use a special piece of software. It looks like a web browser. You go to websites, but these websites are hosted within the dark web. The thing that the dark web gives you is the ability to browse this sort of anonymously, so no one knows who you are. No one knows where host websites are. So if you want to start selling drugs, for example, it’s very easy to spin up an eBay style website on the dark web, and it’s difficult for law enforcement to locate where that website is located. Also, it’s difficult for law enforcement to locate where people are buying and selling drugs on that eBay style website. So dark web essentially gives a degree of anonymity to the people that participate in this sort of separate web, if you like.
people think they can act with impunity and without consequence
And as you would expect, anywhere where you give degrees of anonymity to people, you end up with lots of criminal activity. This takes place because people think they can act with impunity and without consequence. And that’s really what’s happened on the dark web.
The dark web was originally developed by the US. Government as a way to provide secure communication between spies abroad. They were worried that if the only people using the dark web were spies, then it would be very obvious who were the spies, because they’re the only people using the dark web and so they wanted other people that were not spies to also use the dark web so that they can hide in the noise of the system. But as I say, with anonymity, comes criminality and impunity.
Q) So can anybody legally access the dark web?
A) Yes. It’s not a crime to go on the dark web, but it may be a crime to participate in some of the activities. So, for example, there are child exploitation sites. If you went on child exploitation sites, that’s a crime. While certain activities are a crime, obviously, engaging in cyber crime activities and selling drugs and things, those are crimes. But as for going on a drugs marketplace and just having a look, that is not a crime. Obviously, buying drugs would be a crime. Law enforcement identify these criminal actors and punish them accordingly.
Q) What exactly is the difference between the dark web and the deep web?
A) There’s a subtle difference between the two, but the two are quite different. The deep web is generally classified as websites which you wouldn’t find on a search engine, but are not on this dark web area. So, for example, if you’ve been on an intranet before, for example, your organisation’s intranet, that is part of the deep web because you can’t find it on Google. Right. It’s just part of your internal organisation, as well as websites that have a login screen, for example, areas of Facebook are part of the deep web because you wouldn’t find the content in those Facebook groups on Google because they are private groups. That’s also the deep web. Whereas the dark web is very much this encrypted anonymous area of internet where the key property of it is that you get some anonymity as to the activity that’s taking place. As for the deep web. We don’t necessarily get none. It’s just stuff that you wouldn’t find on Google.
Q) How does this information get on the dark web, then?
A) Well, the criminals go and put the stuff on there, right. One of them will create a website, which is a dark web forum, and then dark web criminals come on there and start posting criminal activity.
Q) How is personal data sold on the dark web?
A) There are cybercrime forums and marketplaces where criminals are essentially trading stolen data. And so in the same way you go into a web forum on the open web, these forums exist on the dark web, and someone will come along and say, ‘I’ve hacked in to LinkedIn and I’ve got all the credentials for 100,000 users and I’m selling it for this price.’ And people respond to them and buy the data, and perhaps ask for some samples to verify that it is real before they buy it. But in the same way the transactions happen on the open web, it’s a similar process. Probably the main difference, other than being on the dark web, is the payment typically happens via cryptocurrency. So rather than taking payment by Visa, they use cryptocurrencies because cryptocurrencies give them a degree of anonymity, although they’re not quite as anonymous as the dark web is.
Q) And so you said that the US government set up the dark web. Who now runs dark web? Is it the US government or is it these criminals?
A) It’s not run by criminals, it’s actually run by a non-profit charity or the Tor Project. Tor is one of the dark webs, one of the biggest dark web and it’s run by this non-profit charity. The stated aims of the Tor project are to provide this anonymous place which could be used by people for good reasons, for example whistle-blowers and people in repressive regimes, for example, that want to access material and those sorts of things. Those are the stated aims for it. And some of that activity does take place in the dark web, but it’s dwarfed by the criminal activity which takes place.
The stated aims of the Tor project are to provide this anonymous place which could be used by people for good reasons, for whistleblowers and people in repressive regimes
Q) So what sort of data is most often traded and sold on the Dark Web?
A) We see credentials. These are usernames and passwords for people’s accounts. We see people selling access to companies networks. So I have a username and password for this company’s VPN. It’s going to cost you this much. So I guess you’ve seen all the ransomware attacks which take place over the last year where someone hacks the organisation and they encrypt all the files. They demand a ransom to decrypt this organisation’s files. Typically these ransomware groups are buying access into that company’s networks like they’re buying from other criminals that have already penetrated into the company’s network for access and then they’re using that access to launch the ransomware attack. We see drugs being sold, child exploitation material being sold, occasionally involving the set of children as well. Obviously the drug stuff, anything that you can fit, guns, hit men, criminal society stuff available on the dark web.
drugs, guns, hitmen and child exploitation…
Q) What drives the cost or value of the information sold on the Dark web?
A) I mean, it’s the same as any other marketplace, supply and demand. Obviously something which is in low supply and high demand is always going to cost more. It’s the same way in the real world, the effort of producing something is also influenced by the price and the volume. That market works very much like any other market in the modern world in terms of price setting and what is sold.
Q) How can you protect yourself from identity theft?
A) The best things that consumers can do I have good password. Use a password manager, turn on two factor authentication, have a different password for every website, which is what a password manager will allow you to do without having to remember lots of passwords. So you’re a consumer and you create an account on the website with your email address and the password which you normally use, and then that website gets hacked. Those credentials are going to get sold on the dark web. And if you use that same username and password for lots of other websites, then criminals are going to use them to access your other accounts also of those websites. So we’re having different passwords for every website, which is what password managers would allow us to do. They would very much protect you from that case. And you’d only be a victim on that particular site and not on other sites. Having something like two factor authentication on means that even if a criminal has a username and password, unless they’ve got your phone, your phone controlled, the phone number, they still can’t get access into those accounts. So those two are two things which I think consumers can do that would have the biggest impact on that personal data security as well as having antivirus and all those sorts of things on your desktop.
Q) Is it big organisations and companies that are targeted more than your average consumer on the dark web in terms of information being sold on?
A) No, not really. You see huge databases of consumer usernames and passwords being sold. People buy that and then they try to use those. We use those usernames and passwords to access the consumer’s bank accounts, Facebook accounts, email accounts and so on, and then basically enrich themselves by getting access to those things. Companies are also targeted. I wouldn’t say it’s one necessary more than the other, but I mean, we’ve got in our database of like 11 billion usernames. We don’t have that many companies, but obviously companies tend to be more impactful and impact a large number of employees. We see with ransomware attacks, for example, entire companies going out of business because they lose access to all their data which they need to run their business. Universities shut down for months at a time because they can’t run the campus. That obviously has a network effect on other people.