peel back the layers

Who commits crime on Tor? A new analysis has a surprising answer

When it's good it's good, but when it's bad it's very bad.

Science Photo Library / Getty Images

There are two sides to the internet. One is littered with cookies, targeted adware, and other tracking devices. The other is dark. So dark, you may remain anonymous.

Anonymity is Tor's calling card. One of the key parts of the Dark Web, the Tor anonymity network can grant users freedom from government censors and technology giants alike — a kind of Libertarian utopia. But the Dark Web is also where the online sale of firearms, drugs, and child abuse content typically takes place. It's called "dark" for a reason.

But to scientists, the activity on Tor is somewhat traceable. In a new study, a team of researchers peel back the layers to reveal how Tor's users across the world browse the Dark Web. They found roughly one in every 20 Tor users employed the network to view illicit or illegal content.

But behind these findings lurked an even more concerning discovery: people in countries with the most political freedoms are more likely to browse illicit content on the Dark Web than those in countries with fewer freedoms.

This raises the question: should these networks exist at all?

The findings were published Monday in the journal Proceedings of the National Academy of Sciences.

Hiding out — Internet privacy is a perennial problem. As long as the internet has existed, so computer scientists have wrung their hands over how to best police it. In an effort to dodge tracking on the newly minted web, researchers working at MIT in the early 2000s designed a way to anonymize web browsing using a series of decentralized network points all hosted on volunteer computers.

They called it onion routing. It works by bouncing users' signals between different, disconnected network "nodes," and encrypting it along the way. As a result, a user's IP address — the unique string of digits which connect your personal device to your web traffic — cannot be tracked using the conventional ways of the web. And so Tor — "the onion routing" — was born.

Via these onion routes, users can either anonymously access the "clear web," (which contains sites already accessible via browsers like Chrome or Firefox) or sites hosted only on the Dark Web, which are otherwise inaccessible.

Tor was created in 2002 to provide anonymity to internet browsers.NoDerog/iStock Unreleased/Getty Images

Dark Web dilemma — Tor launched in 2002. Since then, it has enabled political movements, like the Arab Spring in 2012, and given a platform to whistleblowers, like Edward Snowden in 2013. Two million people use it on a daily basis.

But despite the network's altruistic intentions, the anonymity provided by Tor has the potential to promote illicit and potentially harmful behavior, too. This is the motivation behind the new research — as the controllers of the web have cracked down on illicit material, more has emerged on the Dark Web, the paper's authors say, leading to a debate over the morality of these networks.

"Debate rages about the social utility of an anonymous portion of the global Internet accessible via the Tor network. Like any tool that is inherently dual use, questions abound whether its benefits are worth the costs... Overall, a technology like the Tor anonymity network might do more harm than good."

To try and work out if Tor does more harm than good, the researchers looked at user traffic data from a random sampling of one percent of users between December 2018 and August 2019.

"Simply working to shut down Tor would cause harm."

Seeing the invisible — Tracking activity on Tor, by design, is hard. As a result, the scope of this investigation is limited. The research team only look at a small fraction of Tor's total users over the course of eight months. And they assumed a users' location based on the network entry node they used.

Once they had found the users, the researchers also had to decrypt these users' browsing history. But it was impossible to view each users' actual history. So instead, the team lumped users' browsing habits into two categories: legal clear web browsing (e.g. using Tor to access Facebook) and illicit Dark Web browsing (e.g. browsing sites hosted only on the Dark Web.)

This assumption is not without flaws. Not all sites hosted on the Dark Web contain illicit material (some host Libertarian book clubs, for example), but the researchers argue the assumption is accurate enough for the purposes of their study.

See also: ProPublica builds a dark web outpost

Inside the onion — According to these data, only 6.7 percent of users on Tor were visiting illicit or Dark Web-hosted websites on average.

This works out to roughly 1 in 20 users or about 150,000 of Tor's 2 million users on an average day.

Eric Jardine, the study's first author and assistant professor of political science at Virginia Tech, points out in an accompanying statement that if Tor users mostly surf use it to view "benign" content, then it may be considered beneficial overall.

"Even though the Tor anonymity network can be used for some highly malicious purposes, most people on an average day seem to use it more as a hyper-private version of Chrome or Firefox," Jardine says.

Countries will less political freedoms need online anonymity even more.Shutterstock

Clusters of harm — But a slightly different pattern began to emerge when looking at differences in Tor browsing activity between countries, Jardine says. Specifically, differences between countries viewed as having more or less political freedoms.

"Potentially harmful use clusters disproportionately in liberal democratic regimes, which already have significant rights protections, and incidentally, host most of the Tor anonymity network infrastructure," Jardine says.

These countries include the United Kingdom, Netherlands, and the United States — where Tor is run as a non-profit. In "free" countries, 7.8 percent of users' Tor browsing was considered illicit, while people in countries with less political freedoms, including China and Algeria, used Tor to browse illicit content only 4.8 percent of the time.

What this boils down to may be to do with motivations, the researchers say. The opportunity to view illicit material appears to drive browsers in free nations, while the political need to circumvent censorship seems to drive browsers in less free nations, they conclude.

What to do about the Dark Web — These findings shed some light on the Dark Web, but they also prompt new questions about motivation and the assumptions we make about it, too.

"Leaving the Tor network up and free from law enforcement investigation is likely to lead to direct and indirect harms. [Yet] simply working to shut down Tor would cause harm to dissidents and human rights activists [in countries] where technological protections are often needed the most. Determining if these increased costs are an acceptable burden to pay so that others might exercise basic political rights is [the next question.]

The researchers hope offering clues to the individuals who use anonymity networks like Tor may inform future research, and perhaps answer whether such a platform should continue to exist — and how to police it.

Abstract: The Tor anonymity network allows users to protect their privacy and circumvent censorship restrictions but also shields those distributing child abuse content, selling or buying illicit drugs, or sharing malware online. Using data collected from Tor entry nodes, we provide an estimation of the proportion of Tor network users that likely employ the network in putatively good or bad ways. Overall, on an average country/day, ∼6.7% of Tor network users connect to Onion/Hidden Services that are disproportionately used for illicit purposes. We also show that the likely balance of beneficial and malicious use of Tor is unevenly spread globally and systematically varies based upon a country’s political conditions. In particular, using Freedom House’s coding and terminological classifications, the proportion of often illicit Onion/Hidden Services use is more prevalent (∼7.8%) in “free” countries than in either “partially free” (∼6.7%) or “not free” regimes (∼4.8%).