Dark Web

March 10, 2017 (R44101)
Jump to Main Text of Report

Contents

Figures

Summary

The layers of the Internet go far beyond the surface content that many can easily access in their daily searches. The other content is that of the Deep Web, content that has not been indexed by traditional search engines such as Google. The furthest corners of the Deep Web, segments known as the Dark Web, contain content that has been intentionally concealed. The Dark Web may be used for legitimate purposes as well as to conceal criminal or otherwise malicious activities. It is the exploitation of the Dark Web for illegal practices that has garnered the interest of officials and policy makers.

Individuals can access the Dark Web by using special software such as Tor (short for The Onion Router). Tor relies upon a network of volunteer computers to route users' web traffic through a series of other users' computers such that the traffic cannot be traced to the original user. Some developers have created tools—such as Tor2web—that may allow individuals access to Tor-hosted content without downloading and installing the Tor software, though accessing the Dark Web through these means does not anonymize activity. Once on the Dark Web, users often navigate it through directories such as the "Hidden Wiki," which organizes sites by category, similar to Wikipedia. Individuals can also search the Dark Web with search engines, which may be broad, searching across the Deep Web, or more specific, searching for contraband like illicit drugs, guns, or counterfeit money. While on the Dark Web, individuals may communicate through means such as secure email, web chats, or personal messaging hosted on Tor. Though tools such as Tor aim to anonymize content and activity, researchers and security experts are constantly developing means by which certain hidden services or individuals could be identified or "deanonymized."

Anonymizing services such as Tor have been used for legal and illegal activities ranging from maintaining privacy to selling illegal goods—mainly purchased with Bitcoin or other digital currencies. They may be used to circumvent censorship, access blocked content, or maintain the privacy of sensitive communications or business plans. However, a range of malicious actors, from criminals to terrorists to state-sponsored spies, can also leverage cyberspace and the Dark Web can serve as a forum for conversation, coordination, and action. It is unclear how much of the Dark Web is dedicated to serving a particular illicit market at any one time, and, because of the anonymity of services such as Tor, it is even further unclear how much traffic is actually flowing to any given site.

Just as criminals can rely upon the anonymity of the Dark Web, so too can the law enforcement, military, and intelligence communities. They may, for example, use it to conduct online surveillance and sting operations and to maintain anonymous tip lines. Anonymity in the Dark Web can be used to shield officials from identification and hacking by adversaries. It can also be used to conduct a clandestine or covert computer network operation such as taking down a website or a denial of service attack, or to intercept communications. Reportedly, officials are continuously working on expanding techniques to deanonymize activity on the Dark Web and identify malicious actors online.


Dark Web

Beyond the Internet content that many can easily access online lies another layer—indeed a much larger layer—of material that is not accessed through a traditional online search. As experts have noted, "[s]earching on the Internet today can be compared to dragging a net across the surface of the ocean. While a great deal may be caught in the net, there is still a wealth of information that is deep, and therefore, missed."1 This deep area of the Internet, or the Deep Web, is characterized by the unknown—unknown breadth, depth, content, and users.

2011 Silk Road reportedly launched by Ross William Ulbricht, who was known online as the "Dread Pirate Roberts."

SEP 2013 Federal agents seized the Silk Road site.

OCT 2013 the Federal Bureau of Investigation (FBI) arrested Ulbricht.2

May 2015 Ulbricht sentenced to life in prison for his role in operating the Silk Road.

Ulbricht received over $13 million in commissions from sales on the Silk Road. While the Silk Road was primarily used to sell illegal drugs, it also offered digital goods, including malicious software and pirated media; forgeries, including fake passports and Social Security cards; and services, such as computer hacking.3

The furthest corners of the Deep Web, known as the Dark Web, contain content that has been intentionally concealed. The Dark Web may be accessed both for legitimate purposes and to conceal criminal or otherwise malicious activities. It is the exploitation of the Dark Web for illegal practices that has garnered the interest of officials and policy makers. Take for instance the Silk Road—one of the most notorious sites formerly located on the Dark Web. The Silk Road was an online global bazaar for illicit services and contraband, mainly drugs. Vendors of these illegal substances were located in more than 10 countries around the world, and contraband goods and services were provided to more than 100,000 buyers.4 It has been estimated that the Silk Road generated about $1.2 billion in sales between January 2011 and September 2013, after which it was dismantled by federal agents.5

The use of the Internet, and in particular the Dark Web, for malicious activities has led policy makers to question whether law enforcement and other officials have sufficient tools to combat the illicit activities that might flow through this underworld.6 This report illuminates information on the various layers of the Internet, with a particular focus on the Dark Web. It discusses both legitimate and illicit uses of the Dark Web, including how the government may rely upon it. Throughout, the report raises issues that policy makers may consider as they explore means to curb malicious activity online.

Layers of the Internet

Many may consider the Internet and World Wide Web (web) to be synonymous; they are not. Rather, the web is one portion of the Internet, and a medium through which information may be accessed.7 In conceptualizing the web, some may view it as consisting solely of the websites accessible through a traditional search engine such as Google. However, this content—known as the "Surface Web"—is only one portion of the web. The Deep Web refers to "a class of content on the Internet that, for various technical reasons, is not indexed by search engines," and thus would not be accessible through a traditional search engine.8 Information on the Deep Web includes content on private intranets (internal networks such as those at corporations, government agencies, or universities), commercial databases like Lexis Nexis or Westlaw, or sites that produce content via search queries or forms. Going even further into the web, the Dark Web is the segment of the Deep Web that has been intentionally hidden. The Dark Web is a general term that describes hidden Internet sites that users cannot access without using special software. While the content of these sites may be accessed, the publishers of these sites are concealed. Users access the Dark Web with the expectation of being able to share information and/or files with little risk of detection.

In 2005, the number of Internet users reached 1 billion worldwide. This number surpassed 2 billion in 2010 and crested over 3 billion in 2014. As of July 2016, more than 46% of the world population was connected to the Internet.9 While data exist on the number of Internet users, data on the number of users accessing the various layers of the web and on the breadth of these layers are less clear.

Surface Web. The magnitude of the web is growing. According to one estimate, there were 334.6 million Internet top-level domain names registered globally during the second quarter of 2016.10 This is a 12.9% increase from the number of domain names registered during the same period in 2015.11 As of February 2017, there were estimated to be more than 1.154 billion websites.12 As researchers have noted, however, these numbers "only hint at the size of the Web," as numbers of users and websites are constantly fluctuating.13

Deep Web. The Deep Web, as noted, cannot be accessed by traditional search engines because the content in this layer of the web is not indexed. Information here is not "static and linked to other pages" as is information on the Surface Web.14 As researchers have noted, "[i]t's almost impossible to measure the size of the Deep Web. While some early estimates put the size of the Deep Web at 4,000–5,000 times larger than the surface web, the changing dynamic of how information is accessed and presented means that the Deep Web is growing exponentially and at a rate that defies quantification."15

Dark Web. Within the Deep Web, the Dark Web is also growing as new tools make it easier to navigate.16 Because individuals may access the Dark Web assuming little risk of detection, they may use this arena for a variety of legal and illegal activities. It is unclear, however, how much of the Deep Web is taken up by Dark Web content and how much of the Dark Web is used for legal or illegal activities.

Figure 1. Layers of the Internet

Source: Congressional Research Service (CRS).

Notes: Proportions in the figure may not be to scale.

Accessing and Navigating the Dark Web

The Dark Web can be reached through decentralized, anonymized nodes on a number of networks including Tor (short for The Onion Router)17 or I2P (Invisible Internet Project)18. Tor, which was initially released as The Onion Routing project in 2002,19 was originally created by the U.S. Naval Research Laboratory as a tool for anonymously communicating online.

Tor "refers both to the software that you install on your computer to run Tor and the network of computers that manages Tor connections."20 Tor's users connect to websites "through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy."21 Users route their web traffic through other users' computers such that the traffic cannot be traced to the original user. Tor essentially establishes layers (like layers of an onion) and routes traffic through those layers to conceal users' identities.22 To get from layer to layer, Tor has established "relays" on computers around the world through which information passes.23 Information is encrypted between relays, and "all Tor traffic passes through at least three relays before it reaches its destination."24 The final relay is called the "exit relay," and the IP address of this relay is viewed as the source of the Tor traffic. When using Tor software, users' IP addresses remain hidden. As such, it appears that the connection to any given website "is coming from the IP address of a Tor exit relay, which can be anywhere in the world."25

While data on the magnitude of the Deep Web and Dark Web and how they relate to the Surface Web are not clear, data on Tor users do exist. According to metrics from the Tor Project, the mean number of daily Tor users in the United States across the first two months of 2017 was 353,753—or 19.2% of total mean daily Tor users.26 The United States has the largest number of mean daily Tor users, followed by Russia (11.9%), Germany (9.9%), and United Arab Emirates (9.2%).

Communicating On (and About) the Dark Web

There are several different ways to communicate about the Dark Web. One of the first places individuals may turn is Reddit.27 There are several subreddits28 pertaining to the Dark Web, such as DarkNetMarkets, DeepWeb, or Tor. These forums often provide links to sites within the Dark Web. Reddit provides a public platform for Dark Web users to discuss different aspects of the Tor. It is not encrypted or anonymous, as users who wish to engage in forum discussion must create an account.29 Individuals who wish to use a more secure form of communication may choose to utilize email, web chats, or personal messaging hosted on Tor:

Navigating the Deep Web and Dark Web

Traditional search engines often use "web crawlers" to access websites on the Surface Web. This process of crawling searches the web and gathers websites that the search engines can then catalog and index.34 Content on the Deep (and Dark) Web, however, may not be caught by web crawlers (and subsequently indexed by traditional search engines) for a number of reasons, including that it may be unstructured, unlinked, or temporary content.35 As such, there are different mechanisms for navigating the Deep Web than there are for the Surface Web.

Users often navigate Dark Web sites through directories such as the "Hidden Wiki," which organizes sites by category, similar to Wikipedia. In addition to the wikis, individuals can also search the Dark Web with search engines. These search engines may be broad, searching across the Deep Web, or they may be more specific. For instance, Ahmia, an example of a broader search engine, is one "that indexes, searches and catalogs content published on Tor Hidden Services."36 In contrast, Grams is a more specific search engine "patterned after Google" where users can find illicit drugs, guns, counterfeit money, and other contraband.37

When using Tor, website URLs change formats. Instead of websites ending in .com, .org, .net, etc., domains usually end with an "onion" suffix, identifying a "hidden service."38 Notably, when searching the web using Tor, an onion icon displays in the Tor browser.

Tor is notoriously slow, and this has been cited as one drawback to using the service. This is because all Tor traffic is routed through at least three relays, and there can be delays anywhere along its path. In addition, speed is reduced when more users are simultaneously on the Tor network.39 On the other hand, increasing the number of users who agree to use their computers as relays can increase the speed on Tor.

Tor and similar networks are not the only means to reach hidden content on the web. Other developers have created tools—such as Tor2web—that may allow individuals access to Tor-hosted content without downloading and installing the Tor software.40 Using bridges such as Tor2web, however, does not provide users with the same anonymity that Tor offers. As such, if users of Tor2web or other bridges access sites containing illegal content—for instance, those that host child pornography—they could more easily be detected by law enforcement than individuals who use anonymizing software such as Tor.

Is the Dark Web Anonymous?

Guaranteed anonymity is not foolproof. While tools such as Tor aim to anonymize content and activity, researchers and security experts are constantly developing means by which certain hidden services or individuals could be identified or "deanonymized."41

Why Anonymize Activity?

A number of reasons have been cited why individuals might use services such as Tor to anonymize online activity. Anonymizing services have been used for legal and illegal activities ranging from keeping sensitive communications private to selling illegal drugs. Of note, while a wide range of legitimate uses of Tor exist, much of the research on and concern surrounding anonymizing services involves their use for illegal activities. As such, the bulk of this section focuses on the illegal activities.

Online Privacy

Tor is used to secure the privacy of activities and communications in a number of realms. Privacy advocates generally promote the use of Tor and similar software to maintain free speech, privacy, and anonymity.54 There are several examples of how it might be used for these purposes:

Illegal Activity and the Dark Web

Just as nefarious activity can occur through the Surface Web, it can also occur on the Deep Web and Dark Web. A range of malicious actors leverage cyberspace, from criminals to terrorists to state-sponsored spies. The web can serve as a forum for conversation, coordination, and action. Specifically, they may rely upon the Dark Web to help carry out their activities with reduced risk of detection. While this section focuses on criminals operating in cyberspace, the issues raised are certainly applicable to other categories of malicious actors.

Twenty-first century criminals increasingly rely on the Internet and advanced technologies to further their criminal operations.65 For instance, criminals can easily leverage the Internet to carry out traditional crimes such as distributing illicit drugs and sex trafficking. In addition, they exploit the digital world to facilitate crimes that are often technology driven, including identity theft, payment card fraud, and intellectual property theft. The FBI considers high-tech crimes to be among the most significant crimes confronting the United States.66

The Dark Web has been cited as facilitating a wide variety of crimes. Illicit goods such as drugs, weapons, exotic animals, and stolen goods and information are all sold for profit. There are gambling sites, thieves and assassins for hire, and troves of child pornography.67 Data on the prevalence of these Dark Web sites, however, are lacking. Tor estimates that only about 1.5% of Tor users visit hidden services/Dark Web pages.68 The actual percentage of these that serve a particular illicit market at any one time is unclear, and it is even less clear how much Tor traffic is going to any given site.

The Dark Web can play a number of roles in malicious activity. As noted, it can serve as a forum—through chat rooms and communication services—for planning and coordinating crimes. For instance, there have been reports that some of those engaged in tax-refund fraud discussed techniques on the Dark Web.76 The Dark Web can also provide a platform for criminals to sell illegal or stolen goods. Take the role of the Dark Web in data breaches, for example:

Cybercriminals can victimize individuals and organizations alike, and they can do so without regard for borders. How criminals exploit borders is a perennial challenge for law enforcement, particularly as the concept of borders and boundaries has evolved.81

Physical Borders. For law enforcement purposes, jurisdictional boundaries have been drawn between nations, states, and other localities. Within these territories, various enforcement agencies are designated authority to administer justice. When crimes cross boundaries, a given entity may no longer have sole responsibility for criminal enforcement, and the laws across jurisdictions may not be consistent.82 Criminals have long understood these phenomena—and exploited them.

Physical–Cyber Borders. The relatively clear borders within the physical world are not always replicated in the virtual realm. High-speed Internet communication has not only facilitated the growth of legitimate business, but it has bolstered criminals' abilities to operate in an environment where they can broaden their pool of potential targets and rapidly exploit their victims. Frauds and schemes that were once conducted face-to-face can now be carried out remotely from across the country or even across the world. For instance, criminals can rely upon botnets83 to target victims across the globe without crossing a single border themselves.

Cyber Borders. While cyberspace crosses physical borders, boundaries within cyberspace—both jurisdictional and technological—still exist. Some web addresses, for instance, are country-specific, and the administration of those websites is controlled by particular nations. Another barrier in cyberspace involves the lines between the Surface Web and the Deep Web. Crossing these boundaries may involve subscriptions or fee-based access to particular website content. Certain businesses—news sites, journals, file-sharing sites, and others—may require paid access. Other sites may only be accessed through an invitation.

Do malicious actors need, or benefit from, the Dark Web to carry out their activities? Researchers have pointed to pros and cons of relying upon the anonymity of the Dark Web. Criminals selling illicit goods may benefit from the Dark Web's added protection of anonymity by being better able to evade law enforcement. However, they may have more trouble getting business. Trend Micro's study of the Dark Web notes that on it, "[s]ellers suffer from lack of reputation caused by increased anonymity. Being untraceable can present drawbacks for a seller who cannot easily establish a trust relationship with customers unless the marketplace allows for it."84 In other words, anonymity can be a barrier online if one is trying to sell goods and has not been otherwise vetted.

Payment on the Dark Web

Bitcoin is the currency often used in transactions on the Dark Web.85 It is a decentralized digital currency that uses anonymous, peer-to-peer transactions.86 Individuals generally obtain bitcoins by accepting them as payment, exchanging them for traditional currency, or "mining" them.87

When a bitcoin is used in a financial transaction, the transaction is recorded in a public ledger, called the block chain. The information recorded in the block chain is the bitcoin addresses of the sender and recipient. An address does not uniquely identify any particular bitcoin; rather, the address merely identifies a particular transaction.88

Users' addresses are associated with and stored in a wallet.89 The wallet contains an individual's private key,90 which is a secret number that allows that individual to spend bitcoins from the corresponding wallet,91 similar to a password. The address for a transaction and a cryptographic signature are used to verify transactions.92 The wallet and private key are not recorded in the public ledger; this is where Bitcoin usage has heightened privacy. Wallets may be hosted on the web, by software for a desktop or mobile device, or on a hardware device.93

Government Use of the Dark Web

Because of the anonymity provided by Tor and other software such as I2P, the Dark Web can be a playground for nefarious actors online. As noted, however, there are a number of areas in which the study and use of the Dark Web may provide benefits. This is true not only for citizens and businesses seeking online privacy, but also for certain government sectors—namely the law enforcement, military, and intelligence communities.

Law Enforcement

Just as criminals can leverage the anonymity of the Dark Web, so too can law enforcement. It may use this to conduct online surveillance and sting operations and to maintain anonymous tip lines.94 While individuals may anonymize activities, some have speculated about means by which law enforcement can still track malicious activity.

As noted, the FBI has put resources into developing malware that can compromise servers in an attempt to identify certain users of Tor. Since 2002, the FBI has reportedly used a "computer and internet protocol address verifier" (CIPAV) to "identify suspects who are disguising their location using proxy servers or anonymity services, like Tor."95 It has been using this program to target "hackers, online sexual predators, extortionists, and others."96 Law enforcement has also reportedly been working with companies to develop additional technologies to investigate crimes and identify victims on the Dark Web.97

In addition to developing technology to infiltrate and deanonymize services such as Tor, law enforcement may rely upon more traditional crime fighting techniques; some have suggested that law enforcement can still rely upon mistakes by criminals or flaws in technology to target nefarious actors. For instance, in 2013 the FBI took down the Silk Road, then the "cyber-underworld's largest black market."98 Reportedly, "missteps" by the site's operator led to its demise; some speculate that "federal agents found weaknesses in the computer code used to operate the Silk Road website and exploited those weaknesses to hack the servers and force them to reveal their unique identifying addresses. Federal investigators could then locate the servers and ask law enforcement in those locations to seize them."99

Less than one month after federal agents disbanded the Silk Road, another site (Silk Road 2.0) came online. After discovering that the site's proprietor made critical errors, such as using his personal email address to register the servers, federal agents seized the servers and shut down the site.100 While law enforcement may aim to defeat criminals operating in the Dark Web technologically, some of their strongest tools may be traditional law enforcement crime-fighting means. For example, law enforcement can still request information from entities that collect identifying information on users. In March 2015, federal investigators "sent a subpoena to Reddit demanding that the site turn over a collection of personal data about five users of the r/darknetmarkets forum [a subreddit where users discussed anonymous online sales of drugs, weapons, stolen financial data, and other contraband]."101 Though, as some have suggested, such law enforcement actions could drive these conversations and activities to anonymous forums such as those on Tor.102

Military and Intelligence

Anonymity in the Dark Web can be used to shield military command and control systems in the field from identification and hacking by adversaries. The military may use the Dark Web to study the environment in which it is operating as well as to discover activities that present an operational risk to troops. For instance, evidence suggests that the Islamic State (IS) and supporting groups seek to use the Dark Web's anonymity for activities beyond information sharing, recruitment, and propaganda dissemination, using Bitcoin to raise money for their operations.103 In its battle against IS, the Department of Defense (DOD) can monitor these activities and employ a variety of tactics to foil terrorist plots.

Tor software can be used by the military to conduct a clandestine or covert computer network operation such as taking down a website or a denial of service attack, or to intercept and inhibit enemy communications. Another use could be a military deception or psychological operation, where the military uses the Dark Web to plant disinformation about troop movements and targets, for counterintelligence, or to spread information to discredit the insurgents' narrative. These activities may be conducted either in support of an ongoing military operation or on a stand-alone basis.

DOD's Defense Advanced Research Projects Agency (DARPA) is conducting a research project, called Memex, to develop a new search engine that can uncover patterns and relationships in online data to help law enforcement and other stakeholders track illegal activity. Commercial search engines such as Google and Bing use algorithms to present search results by popularity and ranking, and are only able to capture approximately 5% of the Internet.104 By sweeping websites that are often ignored by commercial search engines, and capturing thousands of hidden sites on the Dark Web, the Memex project ultimately aims to build a more comprehensive map of Internet content. Specifically, the project is currently developing technologies to "find signals associated with trafficking in prostitution ads on popular websites."105 This is intended to help law enforcement target their human trafficking investigations.

Similar to the military's use of the Dark Web, the Intelligence Community's (IC's) use of it as a source of open intelligence is not a secret, though many associated details are classified. According to Admiral Mike Rogers, Director of the National Security Agency (NSA) and Commander of U.S. Cyber Command, they "spend a lot of time looking for people who don't want to be found."106 Reportedly, an investigation into the NSA's XKeyscore program—one of the programs revealed by Edward Snowden's disclosure of classified information—demonstrated that any user attempting to download Tor was automatically fingerprinted electronically, allowing the agency to conceivably identify users who believe themselves to be untraceable.107

While specific IC activities associated with the Deep Web and Dark Web may be classified, at least one program associated with Intelligence Advanced Research Projects Activity (IARPA) may be related to searching data stored on the Deep Web.108 Reportedly, conventional tools such as signature-based detection don't allow researchers to anticipate cyber threats; as such, officials are responding to rather than anticipating and mitigating these attacks.109 The Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program seeks to develop and test "new automated methods that forecast and detect cyber-attacks significantly earlier than existing methods."110 It could use factors such as actor behavior models and black market sales to help forecast and detect cyber events.

Going Forward

The Deep Web and Dark Web have been of increasing interest to researchers, law enforcement, and policy makers. However, clear data on the scope and nature of these layers of the Internet are unavailable; anonymity often afforded by services such as Tor for users accessing the deepest corners of the web contributes to this lack of clarity, as does the sometimes temporary nature of the websites hosted there. Individuals, businesses, and governments may all rely upon the digital underground. It may be used for legal and illegal activities ranging from keeping sensitive communications private to selling illegal contraband. Despite some reaching for increased privacy and security online, researchers have questioned whether there will be a corresponding uptick in individuals turning to anonymizing services such as Tor.111 They've suggested that while there may not be the incentive for individuals to migrate their browsing to these anonymizing platforms, "it is much more likely for technological developments related to the Dark Web to improve the stealthiness of darknets."112 As such, law enforcement and policy makers may question how best to contend with evolving technology such as encryption and the challenges of attribution in an anonymous environment to effectively combat malicious actors who exploit cyberspace, including the Dark Web.

Author Contact Information

[author name scrubbed], Specialist in Domestic Security ([email address scrubbed], [phone number scrubbed])

Footnotes

1.

Michael K. Bergman, The Deep Web: Surfacing Hidden Value, Bright Planet, September 24, 2001.

2.

Department of Justice, United States Attorney's Office, "Manhattan U.S. Attorney Announces Seizure Of Additional $28 Million Worth Of Bitcoins Belonging To Ross William Ulbricht, Alleged Owner And Operator Of "Silk Road" Website," press release, October 25, 2013.

3.

Department of Justice, United States Attorney's Office, "Ross Ulbricht, A/K/A "Dread Pirate Roberts," Sentenced In Manhattan Federal Court To Life In Prison," press release, May 29, 2015.

4.

Ibid.

5.

Department of Justice, United States Attorney's Office, "Manhattan U.S. Attorney Announces Seizure Of Additional $28 Million Worth Of Bitcoins Belonging To Ross William Ulbricht, Alleged Owner And Operator Of "Silk Road" Website," press release, October 25, 2013.

6.

See, for instance, U.S. Congress, Senate Committee on Homeland Security and Governmental Affairs, Beyond Silk Road: Potential Risks, Threats, and Promises of Virtual Currencies, 113th Cong., 1st sess., November 18, 2013.

7.

The Internet is also used for email, file transfers, and instant messaging, among other things. Michael Chertoff and Toby Simon, The Impact of the Dark Web on Internet Governance and Cyber Security, Global Commission on Internet Governance, Paper Series: No. 6, February 2015.

8.

Michael Chertoff and Toby Simon, The Impact of the Dark Web on Internet Governance and Cyber Security, Global Commission on Internet Governance, Paper Series: No. 6, February 2015, p. 1.

9.

Internet Live Stats, Internet Users, http://www.internetlivestats.com/internet-users/.

10.

Verisign, The Domain Name Industry in Brief, Volume 13, Issue 3, September 2016. A top-level domain is one at the top of the Internet's domain name system (DNS) hierarchy. For instance, the top-level domain is .com.

11.

Ibid.

12.

Internet Live Stats, http://www.internetlivestats.com.

13.

Stephanie Pappas, "How Big Is the Internet, Really?," Live Science, February 18, 2016.

14.

Bright Planet, Deep Web: A Primer, http://www.brightplanet.com/deep-web-university-2/deep-web-a-primer/.

15.

Ibid.

16.

DeepDotWeb, for instance, is a website that outlines statistics on select Dark Web markets, providing information such as uptime status and ratings.

17.

More information on Tor is available at https://www.torproject.org/. Tor is the most widely used anonymous network and thus is the focus of discussion in this report.

18.

Originally designed as a way to be able to use Internet Relay Chat (IRC) anonymously, I2P has become one of the more popular anonymous networks. While similar to Tor, key differences include the fact that I2P focuses on gaining access to sites within the network, and not to the Internet at large. Not as much academic research has been done on this project as on Tor. This service is very popular in Russia and about half the routers appear to be located there. For more information, see https://geti2p.net.

19.

Roger Dingledine, Nick Mathewson, and Paul Syverson, "Tor: The Second-Generation Onion Router," Proceedings of the 13th USENIX Security Symposium, San Diego, CA, August 9-13, 2004, https://www.usenix.org/legacy/events/sec04/tech/full_papers/dingledine/dingledine.pdf.

20.

Adam Clark Estes, "Tor: The Anonymous Internet, and If It's Right for You," Gizmodo, August 30, 2013.

21.

Tor Project, Tor: Overview, https://www.torproject.org/about/overview.html.en.

22.

Adam Clark Estes, "Tor: The Anonymous Internet, and If It's Right for You," Gizmodo, August 30, 2013.

23.

Individuals can volunteer their computers to be "relays" through which information may pass.

24.

Electronic Frontier Foundation, What is a Tor Relay?, https://www.eff.org/pages/what-tor-relay.

25.

Ibid. According to the Electronic Frontier Foundation, "[a]n exit relay is the final relay that Tor traffic passes through before it reaches its destination. Exit relays advertise their presence to the entire Tor network, so they can be used by any Tor users. Because Tor traffic exits through these relays, the IP address of the exit relay is interpreted as the source of the traffic."

26.

Data available at https://metrics.torproject.org/.

27.

Reddit is a website for online content ranging from news and entertainment to social networking where registered members can enter and share content. Members can also vote and comment on important stories and discussions. For more information, see https://www.reddit.com/about.

28.

A subreddit is a feed within Reddit on which users discuss a particular topic.

29.

In 2015, the Department of Homeland Security subpoenaed Reddit for the information of five Reddit users that were active in discussion of the Dark Web. See Andy Greenberg, "Feds Demand Reddit Identify Users of a Dark-Web Drug Forum," Wired.com, March 30, 2015.

30.

Examples include Mailtor, Mail2tor and Ruggedinbox, all only accessible through the Tor browser.

31.

For more information about how Bitmessage works, see Jonathan Warren, "Bitmessage: A Peer-to-Peer Message Authentication and Delivery System," http://www.bitmessage.org, November 27, 2012.

32.

For more information on Ricochet, see https://ricochet.im/.

33.

Andy Greenberg, "An Interview with Darkside, Russia's Favorite Dark Web Drug Lord," Wired.com, December 4, 2014.

34.

For a detailed description of this process, see Google, Inside Search, How Search Works, Crawling & Indexing, http://www.google.com/insidesearch/howsearchworks/crawling-indexing.html.

35.

Caroline Craig, "'Google Search on Steroids' Brings Dark Web Into the Light," InfoWorld, February 13, 2015.

36.

TorProject blog, Ahmia Search After GSoC Development, September 7, 2014. Ahmia is available at https://ahmia.fi/search/.

37.

Kim Zetter, "New 'Google' for the Dark Web Makes Buying Dope and Guns Easy," Wired.com, April 17, 2014.

38.

InfoSec Institute, Diving in the Deep Web, March 14, 2013, http://resources.infosecinstitute.com/diving-in-the-deep-web/. These .onion addresses "are 16-character alpha-semi-numeric hashes which are automatically generated based on a public key created when the hidden service is configured."

39.

Adam Clark Estes, "Tor: The Anonymous Internet, and If It's Right for You," Gizmodo, August 30, 2013. Speed issues are reportedly most noticeable for audio and video content.

40.

Kim Zetter, "New Service Makes Tor Anonymized Content Available to All," Wired.com, December 12, 2008.

41.

Rob Jansen, Florian Tschorsch, and Aaron Johnson, et al., "The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network," December 2013; TorProject, "Tor Security Advisory: "Relay Early" Traffic Confirmation Attack," press release, July 30, 2014; Yixin Sun, Anne Edmundson, and Laurent Vanbever, et al., "RAPTOR: Routing Attacks on Privacy in Tor," March 13, 2015; and Cammy Harblson, "Deanonymizing Tor Hidden Service Traffic Through HSDir Is A Cake Walk, Say Researchers: HITB Presenters Showcase New Threats," iDigitalTimes, May 29, 2015.

42.

Hacktivism is a term often used to refer to the use of computers and online networks to conduct politically or socially motivated protest. For more information on hacktivism and the collective known as Anonymous, see CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement, by [author name scrubbed] and [author name scrubbed].

43.

Sean Gallagher, "Anonymous Takes Down Darknet Child Porn Site on Tor Network," ArsTechnica, October 23, 2011. See also Mathew Schwartz, "Anonymous Attacks Child Pornography Websites," InformationWeek, October 24, 2011. Some later estimates put the number of child porn websites hosted by Freedom Hosting to be over 100. See Kevin Poulsen, "FBI Admits It Controlled Tor Servers Behind Mass Malware Attack," Wired.com, September 13, 2013.

44.

Sean Gallagher, "Anonymous Takes Down Darknet Child Porn Site on Tor Network," ArsTechnica, October 23, 2011.

45.

Ibid. A denial-of-service attack attempts to prevent legitimate users from accessing a resource—in this case a network or website. This is most commonly done by "flooding" a network with information and overloading the server with so many requests for information that it cannot process other, legitimate requests. A distributed denial-of-service (DDoS) attack utilizes other computers—often from unwitting individuals—to assist in flooding a network. For more information, see the U.S. Computer Emergency Readiness Team, http://www.us-cert.gov/cas/tips/ST04-015.html.

46.

Mathew Schwartz, "Anonymous Attacks Child Pornography Websites," InformationWeek, October 24, 2011.

47.

Kevin Poulsen, "FBI Admits It Controlled Tor Servers Behind Mass Malware Attack," Wired.com, September 13, 2013.

48.

Ibid.

49.

"Anonymous Hacks Freedom Hosting II, Bringing Down Almost 20% of Active Darknet Sites," DeepDotWeb, February 9, 2017.

50.

Mascherari Press, OnionScan Report: September 2016 - Uptime, Downtime, and Freedom Hosting II, October 1, 2016.

51.

US v. Ferrell, (Affidavit in Support of Application for a Search Warrant 2015).

52.

Mary-Ann Russon, "FBI Crack Tor and Catch 1,500 visitors to Biggest Child Pornography Website on the Dark Web," International Business Times, January 6, 2016. Joseph Cox, "The FBI's 'Unprecedented' Hacking Campaign Targeted Over a Thousand Computers," Motherboard, January 5, 2016.

53.

Mike Carter, "Investigation of FBI's Child Pornography Operation Sparks Controversy Over Internet Privacy," Government Technology, August 31, 2016.

54.

Cooper Quintin, 7 Things You Should Know About Tor, Electronic Frontier Foundation, July 1, 2014.

55.

Tor Project, Tor: Overview, https://www.torproject.org/about/overview.html.en.

56.

See, for example, Jeff Stone, "Russian Censorship: Tor, Anonymous VPNs Could Be Target Of Next Crackdown, Kremlin Warns," International Business Times, February 12, 2015.

57.

China, for instance, has reportedly been able to block access to Tor. See, for example, Tor blog, A Closer Look at the Great Firewall of China, October 6, 2014. See also Kari Paul, "Russia Wants to Block Tor, But It Probably Can't," Motherboard, February 18, 2015.

58.

Free Software Foundation, "2010 Free Software Awards Announced," press release, March 22, 2011.

59.

Tor Project, Tor: Who Uses Tor, https://www.torproject.org/about/torusers.html.en.

60.

Tor Project, Tor: Overview, https://www.torproject.org/about/overview.html.en.

61.

Ibid.

62.

The New Yorker, Strongbox, https://projects.newyorker.com/strongbox/.

63.

Klint Finley, "Out in the Open: Inside the Operating System Edward Snowden Used to Evade the NSA," Wired.com, April 14, 2014.

64.

Bruce Schneier, "Attacking Tor: How the NSA Targets Users' Online Anonymity," The Guardian, October 4, 2013.

65.

For more information on cybercrime, see CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement, by [author name scrubbed] and [author name scrubbed]. See also CRS Report R44481, Encryption and the "Going Dark" Debate, by [author name scrubbed].

66.

See remarks by James B. Comey, Director, Federal Bureau of Investigation before the RSA Cyber Security Conference, San Francisco, CA, February 26, 2014. See also testimony by James B. Comey, Director, Federal Bureau of Investigation, before U.S. Congress, House Committee on the Judiciary, Oversight of the Federal Bureau of Investigation, 114th Cong., 2nd sess., September 28, 2016.

67.

See, for example, Michael Chertoff and Toby Simon, The Impact of the Dark Web on Internet Governance and Cyber Security, Global Commission on Internet Governance, Paper Series: No. 6, February 2015.

68.

Tor Project Blog, Tor: 80 Percent of ??? Percent of 1-2 Percent Abusive, December 30, 2014. See also Andy Greenberg, "No, Department of Justice, 80 Percent of Tor Traffic is Not Child Porn," Wired.com, January 28, 2015.

69.

Andy Greenberg, "Over 80 Percent of Dark-Web Visits Relate to Pedophilia, Study Finds," Wired.com, December 30, 2014. A majority of traffic to the Tor hidden services came from botnets, most of which were defunct. Researchers evaluated the remaining non-automated traffic.

70.

Ibid.

71.

Ibid. Some traffic to these sites may have come from law enforcement tracking criminals or hackers launching denial of service attacks against these sites, for instance.

72.

Daniel Moore and Thomas Rid, "Cryptopolitik and the Darknet," Survival, vol. 58, no. 1 (February 2016).

73.

"Some Statistics About Onions," Tor Project Blog, February 26, 2015.

74.

Ibid.

75.

Data available at https://metrics.torproject.org/.

76.

Brian Krebs, "Tax Fraud Advice, Straight From the Scammers," Krebs on Security, March 24, 2015.

77.

Kim Zetter, "How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks," Wired.com, September 30, 2014.

78.

Brian Krebs, "Cards Stolen in Target Breach Flood Underground Markets," Krebs on Security, December 20, 2013.

79.

The types of information available for sale online fluctuate in value. For example, while some researchers have suggested that the price of stolen email account credentials has declined, the price of bank account credentials has remained relatively stable. See Candid Wueest, Underground Black Market: Thriving Trade in Stolen Data, Malware, and Attack Services, Symantec, November 20, 2015.

80.

Kelly Jackson Higgins, "What Happens When Personal Information Hits The Dark Web," Information Week, April 7, 2015. See also Pierluigi Paganini, "How Far Do Stolen Data Get in the Deep Web After a Breach?," Security Affairs, April 12, 2015.

81.

CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by [author name scrubbed].

82.

For more information, see Daniel C. Richman, "The Changing Boundaries Between Federal and Local Law Enforcement," Boundary Changes in Criminal Justice Organizations, pp. 81-111, http://www.ncjrs.gov/criminal_justice2000/vol_2/02d2.pdf.

83.

Botnets are groups of computers that are remotely controlled by hackers. They have been infected by downloading malicious software and are used to carry out malicious activities on behalf of the hackers.

84.

Vincenzo Ciancaglini, Marco Balduzzi, and Max Goncharov, et al., Deepweb and Cybercrime: It's Not All About TOR, Trend Micro, p. 21.

85.

Pierluigi Paganini, "What is the Deep Web? A First Trip Into the Abyss," Security Affairs, May 24, 2012. Of note, a number of digital currencies exist, though Bitcoin is the most prominent. These currencies include Ripple and Litecoin, among others. See https://coinmarketcap.com/.

86.

For more information on Bitcoin, see CRS Report R43339, Bitcoin: Questions, Answers, and Analysis of Legal Issues, by [author name scrubbed], [author name scrubbed], and [author name scrubbed]. See also Timothy Lee, "12 Questions About Bitcoin You Were Too Embarrassed To Ask," The Washington Post, November 19, 2013.

87.

More information is available at https://bitcoin.org/en/faq#how-does-one-acquire-bitcoins.

88.

If users are concerned with attribution to themselves from multiple bitcoin transactions, a new address can be used for each transaction. See "Protect your privacy" at https://bitcoin.org/en/protect-your-privacy.

89.

Elli Androulaki et al., Evaluating User Privacy in Bitcoin, ETH Zurich and NEC Laboratories Europe, n.d., at http://fc13.ifca.ai/proc/1-3.pdf.

90.

See "Some Bitcoin words you might hear," https://bitcoin.org/en/vocabulary/.

91.

See, "Elliptical Curve Digital Signature Algorithm," https://en.bitcoin.it/wiki/ECDSA.

92.

These transactions are confirmed by miners. See "Some Bitcoin words you might hear," https://bitcoin.org/en/vocabulary/.

93.

For information on different types of wallets, see https://bitcoin.org/en/choose-your-wallet.

94.

Michael Chertoff and Toby Simon, The Impact of the Dark Web on Internet Governance and Cyber Security, Global Commission on Internet Governance, Paper Series: No. 6, February 2015.

95.

Kevin Poulsen, "FBI Admits It Controlled Tor Servers Behind Mass Malware Attack," Wired.com, September 13, 2013.

96.

Ibid.

97.

For instance, Thorn is beta testing a new tool intended to help law enforcement more quickly identify victims—namely victims of exploitation and trafficking—on the Dark Web. See U.S. Congress, Senate Committee on Foreign Relations, End It: The Fight to End Modern Slavery, 115th Cong., 1st sess., February 15, 2017.

98.

Donna Leinwand Leger, "How FBI Brought Down Cyber-Underworld Site Silk Road," USA Today, May 15, 2014.

99.

Ibid.

100.

Brian Krebs, "Feds Arrest Alleged 'Silk Road 2 Admin,' Seize Servers," Krebs on Security, November 6, 2014.

101.

Andy Greenberg, "Feds Demand Reddit Identify Users of a Dark-Web Drug Forum," Wired.com, March 30, 2015. Reddit is not anonymous and does collect information from users who create accounts.

102.

Ibid.

103.

Patrick Tucker, "How the Military Will Fight ISIS on the Dark Web," Defense One, February 24, 2015,

104.

Kim Zetter, "DARPA Is Developing A Search Engine or the Dark Web," Wired.com, February 10, 2015.

105.

Cheryl Pellerin, DARPA Program Helps to Fight Human Trafficking, Department of Defense, January 24, 2017.

106.

Interview of Admiral Michael S. Rogers by Jim Sciutto, New America Foundation Conference on Cybersecurity, February 23, 2015, responding to a question concerning the IC's use of the Dark Web.

107.

Patrick Tucker, "If You Do This, the NSA Will Spy on You," Defense One, July 7, 2014.

108.

IARPA is the research and development arm of the Office of the Director of National Intelligence (ODNI). IARPA invests in "high-risk, high-payoff" research programs. More information is available at http://www.iarpa.gov.

109.

"Cyber Researchers Need to Predict, Not Merely Respond to, Cyberattacks: U.S. Intelligence," Homeland Security News Wire, March 9, 2015. See also "Cyber-attack Automated Unconventional Sensor Environment (CAUSE)," IARPA website at http://www.iarpa.gov/index.php/research-programs/cause.

110.

IARPA, Broad Agency Announcement: Cyber-Attack Automated Unconventional Sensor Environment (CAUSE), IARPA-BAA-15-06, July 17, 2015, p. 2. IARPA has already awarded several multi-million dollar contracts to entities such as Charles River Analytics, BAE Systems, Leidos, and the University of Southern California's Information Sciences Institute to work on the CAUSE program.

111.

Vincenzo Ciancaglini, Marco Balduzzi, and Robert McArdle, et al., Below the Surface: Exploring the Deep Web, Trend Micro, June 2015.

112.

Ibid., p. 40.