While digital investigations can benefit from information on the dark web, venturing into this hidden web brings unique challenges and hazards. To safely navigate this complex landscape, here’s a list of what to avoid when researching dark websites.
When discussing what not to do on the dark web, intentionally malicious or criminal activity goes without saying. For the purposes of this post, we are going to address some gray areas of using the dark web in the context of threat intelligence gathering, security research or other online investigations. Often, these activities may necessitate access to online forums where criminal activity is discussed or carried out.
Like the other blogs in our dark web series, our primary reference is the Department of Justice’s Cyber Security Unit guidance to the private sector on gathering cyberthreat intelligence in dark marketplaces. You can read the complete memo here.
(The memo and following discussion do not constitute legal advice. Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization’s attorney for legal advice before undertaking the activities considered here.)
What is the dark web?
First, if you’re not familiar, let’s start with the basics of the three layers of the internet: the surface, deep and dark web:
- Surface web: Also known as the open web or clear web, this is the most accessible layer of the internet, available via standard web browsers (e.g., Chrome, Safari). Webpages are indexed by popular search engines (e.g., Google, Bing) to easily explore a vast array of content.
- Deep web: A hidden web, this layer is still accessible via standard browsers, but webpages are not indexed. The difference between surface web and deep web is that deep web sites require login or subscription to access (e.g., for academic journals, court record databases or services like Netflix) and content is often hidden behind a security wall.
- Dark web: The dark web requires a specialized dark web browser like Tor to access a specific darknet (Tor or “The Onion Router” isn’t the only darknet — there’s also ZeroNet, Freenet and I2P, for example). Dark web sites are not indexed by standard search engines.
The dark web’s network infrastructure differs greatly from that of the surface web: it uses multi-layer encryption to prevent location tracking and preserve confidentiality among dark web users and hosts. While this has perfectly legitimate uses (e.g., dissidents avoiding repressive regimes), it has made the dark web a hub for criminals to sell illicit goods and services. A notorious example is the Silk Road, which was shuttered in 2013, but many more have risen (fallen and risen again) to take its place.
The dark web’s popularity among criminals is why it’s so often useful to open-source intelligence (OSINT) investigations concerning cyberthreats, financial crime, fraud, human trafficking, child abuse, terrorism and narcotics.
But it’s important for OSINT analysts, threat intel analysts and law enforcement agents to know that the dark web is not totally anonymous, and that when and how you access it, and what you do while searching there, all require careful consideration.
Don’t access the dark web without the right tools and capabilities
You’ll need a dark web browser like Tor to access the dark web. However, utilizing Tor without additional protections could leave your device and network vulnerable to cyberattack, and could attribute your activity back to you or your organization.
- Managed attribution platform: This is the foolproof way to safely access and gather OSINT on the dark web. It includes a fully isolated, cloud-based browsing interface, so no malware you encounter can pass to your device or network.
- VPN: If you don’t have access to a managed attribution platform, a VPN can give you an added layer of protection. But it needs to be configured correctly and connections can drop, potentially putting you at risk.
- Proxy services: Again, this is just one layer of protection and should be used in combination with a VPN and the Tor browser. It also needs to be properly configured.
Don’t access forums in an unauthorized manner
If you come across a forum on the dark web that requires credentials to access, do not attempt to evade the authorization requirements.
“Access Forums Lawfully: Accessing a forum in an unauthorized manner, such as by exploiting a vulnerability or by using stolen credentials, can implicate the CFAA and statutes like the Access Device Fraud statute (18 U.S.C. § 1029).”—DOJ Cybersecurity Unit
Don’t assume someone else’s identity
If you need a persona to access or interact on the dark web, don’t use someone else’s identity (name, photo, phone number, email, etc.) to do so without their consent. Posing as someone else can not only create legal trouble for you, it also puts the other person at risk of being targeted with malicious and illegal activity by the criminal actors you’ve interacted with. The best approach for accessing the dark web is to create an entirely fictitious, anonymous persona that cannot be connected to you or your organization.
“Do Not Assume Someone Else’s Identity without Consent: Using a fake online identity to gain access to or participate in a forum where criminal conduct is occurring, standing alone, is typically not a violation of federal criminal law. However, assuming the identity of an actual person without his or her permission rather than manufacturing a false persona can cause legal problems.”—DOJ Cybersecurity Unit
Don’t do research without a plan
This is important for two reasons. First, having a set of written guidelines will help keep your research efforts focused and within the bounds of your organization’s risk appetite. Second, documented plans, policies and procedures are helpful in the event you or your organization comes under investigation by law enforcement. You can read more on creating a dark web access policy at your organization here.
“Create ‘Rules of Engagement’: If your organization conducts activities described in this document, or is planning to do so, it should prepare “rules of engagement” or a “compliance program” with protocols that outline acceptable conduct for its personnel and contractors who interact with criminals and criminal organizations. Following deliberately crafted protocols that weigh legal, security, and operational considerations beforehand will discourage rash decisions that could put an organization, its employees, and its data in jeopardy. Having documented rules may also prove useful if the organization ever faces criminal, civil, or regulatory action.”—DOJ Cybersecurity Unit
Don’t put your corporate network at risk
This one is up there with the “goes without saying” category of what not to do on the dark web. But you can never be too careful, especially when it comes to activities that pose both technical and operational risks, like dark web investigations.
“Practice Good Cybersecurity: In the situations discussed in this document, information is exchanged with cyber criminals. There is no such thing as being ‘too suspicious’ in those circumstances. Practice good cybersecurity at all times and use systems that are not connected to your company network and are properly secured when communicating with cyber criminals.”—DOJ Cybersecurity Unit
Play it smart
When conducting a dark web investigation where criminal activity occurs, there are several risks to consider. Make sure legal challenges for your team aren’t among them by creating a best practices protocol. These simple pieces of advice can go a long way toward avoiding legal pushback, but as always, consult your legal and security departments to create an official policy.
To protect yourself, use a program to document your activity on the dark web, such as Silo for Research. In addition to managed attribution for safe browsing, Silo for Research can help protect investigators and their employers in an audit.
More from our dark web blog series
Understanding the dark web and how it can aid your investigation: What is it, and how does it vary from the internet most of us use every day? Which darknet should I use for my investigation? And how can I access it safely?
Leveraging the dark web in online investigations: Why you should utilize the dark web in your investigation, where to begin and how to protect yourself (and your company) along the way.
3 things to consider before you start your dark web investigation: When determining if you should begin a dark web investigation, ask yourself these three questions concerning dark web content, risk and precautions.
Essential tools for improving surface and dark web research: Leveraging these easy-to-use dark web tools for investigations can help improve the quality and speed of your research.
Best practices for creating a dark web access policy: Protect your company and employees by creating a dark web access policy to set protocol for investigations to mitigate security and legal challenges.