Mapping Real-World Use of the Onion Router

Published date: 01 May 2023
Subject Matter: Articles
Journal of Contemporary Criminal Justice
2023, Vol. 39(2) 239–256
© The Author(s) 2023
DOI: 10.1177/10439862231157553
Adam K. Ghazi-Tehrani¹
Abstract
Since its inception, The Onion Router (TOR) has been discussed as an anonymizing
tool used for nefarious purposes. Past scholarship has focused on publicly available
lists of onion URLs containing illicit or illegal content. The current study is an attempt
to move past these surface-level explanations and into a discussion of actual use
data; a multi-tiered system to identify real-world TOR traffic was developed for
the task. The researcher configured and deployed a fully functioning TOR “exit”
node for public use. A Wireshark instance was placed between the node and the
“naked” internet to collect usage data (destination URLs, length of visit, etc.), but
not to deanonymize or otherwise unmask TOR users. For 6 months, the node ran
and collected data 24 hr per day, which produced a data set of over 4.5 terabytes.
Using Python, the researcher developed a custom tool to filter the URLs into
human-readable form and to produce descriptive data. All URLs were coded and categorized
into a variety of classifications, including e-commerce, banking, social networking,
pornography, and cryptocurrency. Findings reveal that most TOR usage is rather
benign, with users spending much more time on social networking and e-commerce
sites than on those with illegal drug or pornographic content. Likewise, visits to legal
sites vastly outnumber visits to illegal ones. Although most URLs collected were for
English-language websites, there was a sizable number for Russian and Chinese sites,
which may demonstrate the utilization of TOR in countries where internet access
is censored or monitored by government actors. Akin to other new technologies
which have earned bad reputations, such as file-sharing program BitTorrent and
intellectual property theft or cryptocurrency Bitcoin and online drug sales, this study
demonstrates that TOR is utilized by offenders and non-offenders alike.
Keywords: cyber-crime, the onion router, tor, e-commerce, drugs, bitcoin, wireshark, python
¹The University of Alabama, Tuscaloosa, USA
Corresponding Author:
Adam K. Ghazi-Tehrani, The Department of Criminology and Criminal Justice, The University of
Alabama, Tuscaloosa, AL 35487, USA.
The Onion Router, more commonly known as “Tor,” is the world’s most popular web
anonymization tool. By providing access to the “Dark Web,” where illicit and illegal
content is typically found, Tor has earned a reputation for being an application utilized
by drug dealers (Dolliver, 2015; Dolliver & Kenney, 2016), terrorists (Weimann,
2016), and people seeking child abuse material (Leclerc et al., 2021). This oversimplification
belies the myriad of other legitimate use-cases for online anonymity tools.
To better understand the realities of Tor usage patterns, unbiased data are needed;
this study is an attempt at quantifying Tor traffic using real-world data. The goal is to
provide a comprehensive snapshot of (a) what types of sites are being visited using
Tor, (b) how long (on average) they are being accessed, (c) how long (in total) they are
being accessed, and (d) where they are being hosted from. To accomplish this, a rigorous
data collection and organizing effort was undertaken.
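
Measures (a) through (c) reduce to a grouping pass over capture-derived records. The sketch below is an added example, not the author's tool: the record layout, hostnames and category map are constructed assumptions. Hosting location (d) is left out because it needs an external IP-geolocation source.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not data from the study): one row per observed
# packet with a stream id, an epoch timestamp and the destination hostname.
# No client-side address is kept, in line with the aim of not unmasking users.
SAMPLE = """stream,epoch,host
1,1000.0,www.shop.example
1,1090.0,www.shop.example
2,1005.0,m.social.example
2,1305.0,m.social.example
3,1010.0,cdn.social.example
3,1130.0,cdn.social.example
4,1020.0,unknown.test
4,1050.0,unknown.test
"""

# Hypothetical coding scheme: domain suffix -> category label.
CATEGORIES = {"shop.example": "e-commerce", "social.example": "social networking"}

def categorize(host):
    """Return the category of the longest matching domain suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORIES:
            return CATEGORIES[suffix]
    return "uncoded"

def summarize(text):
    """Per category: visit count, total seconds and mean seconds per visit."""
    spans = {}  # stream id -> [host, first timestamp, last timestamp]
    for row in csv.DictReader(io.StringIO(text)):
        t = float(row["epoch"])
        span = spans.setdefault(row["stream"], [row["host"], t, t])
        span[1], span[2] = min(span[1], t), max(span[2], t)
    totals = defaultdict(lambda: [0, 0.0])
    for host, first, last in spans.values():
        bucket = totals[categorize(host)]
        bucket[0] += 1
        bucket[1] += last - first
    return {c: {"visits": n, "total_s": s, "mean_s": s / n}
            for c, (n, s) in totals.items()}

if __name__ == "__main__":
    for category, stats in sorted(summarize(SAMPLE).items()):
        print(category, stats)
```

Matching on whole-label suffixes keeps a host such as `notshop.example` from being coded under `shop.example`.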
What Is the Dark Web?
The internet can be categorized into three levels: the Surface Web, the Deep Web, and
the Dark Web. The Surface Web is “a collection of websites indexed by search engines
[that can be] easily accessed through standard browsers and internet protocols”
(Chertoff, 2017, p. 26). The Surface Web is what most end-users consider “the internet,”
since it is the Web’s “most easily accessible and permissive layer” (Bertram,
2015, p. 56).
Contrary to common perception, 90% of internet traffic occurs at the Deep Web
level (Chertoff, 2017, p. 27) or the “class of content on the internet that, for various
technical reasons, is not indexed by search engines” (Chertoff & Simon, 2015, p. 1).
The Deep Web includes unlinked sites, private sites, limited-access networks, and
other content which require a password to access. For example, while the main “Bank
of America” website is indexed by search engines such as Google, the webpages a
member of that bank may access after logging in with a password are not. Thus, www. is part of the Surface Web, while an end-user’s bank account page
is part of the Deep Web. It is impossible to quantify how much larger the Deep Web is
than the Surface Web, but it is safe to assume it is many magnitudes larger (Finklea,
2017, p. 3).
A small subset of the Deep Web is the Dark Web, a collection of purposely hidden,
unindexed content that can only be accessed through specialized software, such as Tor
(Chertoff & Simon, 2015). Estimates place the Dark Web at 0.01% of internet content
(Chertoff, 2017, p. 27).
Although Tor is the most popular access point for the Dark Web, it is not the only,
or even the first, tool to attempt online anonymity and safety from governmental surveillance.
Freenet was developed by Ian Clarke and publicly released in March of 2000.
Freenet was created to allow users to “anonymously share files, browse and publish
‘freesites’ (web sites accessible only through Freenet) and chat on forums without fear
of censorship” (Clarke et al., 2001, p. 46). The creator described the software as “a
