Combatting Crime on the Dark Web: How Law Enforcement and Prosecutors are Using Cutting Edge Technology to Fight Cybercrime.

Author: Altvater, B.J.

Criminals are increasingly using shadowy corners of the internet to mask their identities and conduct illicit activities. Marketplaces on the "dark web" facilitate a range of criminal activities, including human trafficking and the distribution of child pornography. However, law enforcement and prosecutors are not helpless in the fight against these new criminal tactics. This paper will focus on two ways that law enforcement and prosecutors have utilized technology to find and prosecute criminals on the dark web. Part 1 of this article explains this new terrain of criminal activity by exploring the differences between the surface web, deep web, and dark web. Part 2 explores the use of Network Investigative Techniques (NITs) to pierce the anonymity of criminals on the dark web. Finally, Part 3 discusses a new toolkit of programs that can help investigators combat human trafficking with data-mining of the dark web.

PART I--WHAT IS THE DIFFERENCE BETWEEN THE SURFACE WEB, DEEP WEB, AND DARK WEB?

The average person interacts with the internet on what is referred to as the "surface web." The common definition of the surface web is all web pages that are indexed by normal search engines (e.g. Google, Yahoo, or Bing). Search engines index web sites by following the links to all available sites and mapping out the web of connections. (2) For example, social media, news sites, and online retailers all exist on the surface web. According to one study, the surface web contains over 4 billion indexed web sites. (3)

As big as that sounds, many experts believe that the surface web makes up less than 1% of the internet. (4) The much larger part of the internet is made up of content that is not indexed and is referred to as the "deep web." One large source of deep web content is databases. (5) Some very large databases on the deep web are available to the public, such as those hosted by the U.S. Census Bureau, Securities and Exchange Commission, and Patent and Trademark Office. Other databases are owned by companies (e.g. LexisNexis and Westlaw) that charge a fee to access the content. (6) Another large source of content on the deep web is private networks, like those operated by companies, universities, or government agencies. (7)

The "dark web" is similarly made up of sites that are not indexed by search engines. However, websites on the dark web are also anonymously-hosted and are only accessible with special software and browsers that mask one's IP address. (8) The most common tool to navigate the dark web is the Tor (The Onion Router) browser. (9) Tor routes internet traffic through a series of "nodes," which are computers hosted on the Tor network by volunteers. The process of randomly bouncing data through many different nodes makes it nearly impossible to trace the data back to an internet user. (10) In fact, the U.S. Naval Research Laboratory initially developed Tor as a way to secure communications. (11)

While the dark web was not designed to facilitate criminal enterprises, law enforcement and prosecutors are increasingly facing legal challenges involving anonymous services online. In fact, one recent study revealed, "the most common uses for websites on Tor hidden services are criminal, including drugs, illicit finance and pornography involving violence, children and animals." (12)

PART 2--HOW CAN PROSECUTORS AND LAW ENFORCEMENT USE NETWORK INVESTIGATIVE TECHNIQUES (NITS) ON THE DARK WEB?

Criminal actors and organizations are increasingly relying on the anonymity provided by the dark web to host web sites that traffic illicit materials and content. One way that law enforcement and prosecutors are able to pierce the dark web's cloak of anonymity is by employing a network investigative technique (NIT). Operation Pacifier is a recent example where the FBI and DOJ employed an NIT to find and prosecute criminals operating on the dark web. While the use of NITs has been limited to federal law enforcement, state and local law enforcement agencies with advanced cyber capabilities may employ this tactic in the future.

What is Operation Pacifier?

In August 2015, a new website called "Playpen" appeared on the dark web.

Playpen's focus was "the advertisement and distribution of child pornography," and this new site allowed users to post images. (13) The site had almost 60,000 accounts registered in its first month and nearly 215,000 accounts by 2016. (14) Playpen hosted over 117,000 posts with 11,000 visitors per week, and much of the content included "some of the most extreme child abuse imagery one could imagine." (15) The FBI described Playpen as "the largest remaining known child pornography hidden service in the world." (16)

In February 2015, the FBI seized the server running Playpen from a web host in Lenoir, North Carolina. (17) However, the FBI did not immediately shut the site down. (18) Instead, the FBI operated the site from its own servers in Virginia from February 20th to March 4th. (19) While the FBI maintained control of Playpen during this period, law enforcement officers were able to deploy a network investigative technique (NIT) to identify, and later prosecute, users of the site. (20)

The FBI's efforts to take control of Playpen's servers, deploy an NIT (i.e. a hacking tool) to identify users, and then prosecute individuals on child pornography charges became known as Operation Pacifier. (21) Currently, the Department of Justice has publicly acknowledged, "at least 137 cases have been filed in federal court as a result of this investigation." (22) An FBI special agent explained in one court that "The NIT was deployed against users who accessed posts in the 'Preteen Videos--Girls Hardcore' forum because users accessing posts in that forum were attempting to access or distribute or advertise child pornography." (23) Additionally, Judge Robert J. Bryan has stated "The FBI setup the NIT so that accessing the forum hyperlink, not Website A's [Playpen] main page, triggered the automatic deployment of the NIT from a government-controlled computer in the Eastern District of Virginia." (24)

What is a Network Investigative Technique (NIT)?

Playpen's existence in the dark web meant that the locations of both its servers and the computers accessing the site were concealed. As discussed above, users could only access the site via the Tor browser, which anonymized user traffic. As part of Operation Pacifier, the FBI successfully located the Playpen server and gained control. However, the FBI still was not able to identify the locations of individuals who were posting or consuming child pornography on the web site through Tor. (25) In order to determine the Playpen users' IP addresses, the FBI employed a court-authorized hacking method referred to as an NIT. (26)

An NIT consists of four main components: (1) a generator, (2) an exploit, (3) a payload, and (4) a logging server. A generator runs on the "hidden service" (e.g. Playpen) and produces a unique identification (ID) number that is associated with each user of the dark web site. The generator then transmits that unique ID, along with the exploit and payload, to each user's own computer. Once on a user's computer, the exploit takes control of (i.e. hacks) the Tor browser and executes the payload. The details of exactly how the exploit works are "the most sensitive part of an NIT--public disclosure not only risks losing the opportunity to use the technique against other offenders but would also permit...
