Down in the Deep, Dark Web
I've seen a lot of ads recently for dark web monitoring services. These companies throw out phrases like “cyber threats,” “bad actors,” and “scanning the deepest, darkest places.” They make it sound as though there's a gigantic underground crime network on the internet, lurking in the shadows, waiting for the opportunity to steal your credit card information. But is that true?
Layering the web
Before we get too far into this discussion, let's go over the three layers of the internet as popularly defined.
The surface web (or clearnet) consists of the places that are easily accessible, meaning that we can hop on any search engine and find them and access them with no problem. Sites like YouTube, MSN, Wikipedia, eBay – you get the point. If the internet were a city, these are your public parks, restaurants, and the like.
The deep web is made up of pages that require some level of permission to access and don't show up on search engines. You've almost certainly spent some time on the deep web – if you have an online bank account, e-mail address, or a portal for work or school, then you've been on the deep web. Sometimes people confuse the deep web and dark web, but they are different places. Returning to our city analogy, the deep web is like the inside of private residences. You can go inside if you have permission from the owner.
The dark web (or darknet) is also part of the deep web and not indexed by search engines, but separate in that you can't access it with a normal browser. There are several different sub-networks on the dark web. You may have heard of Tor, the most popular of such services, which is generally accessed via the Tor browser. This part of our city is the underground catacombs that aren't fully mapped and require specific gear to access (we may be in Europe now).
Anonymity
Depending on how your web browser is configured, it sends out information about you when you access a website. Primarily this information is used so that websites know what to show you: if you are on a cellphone it needs to load the mobile website; if you are in China the language should be Chinese; if the website is only for members of a specific country it checks to see if you are in that country. You may have seen this last one when browsing YouTube or Netflix; a message pops up that says something like “This content is unavailable in your region.”
It is possible to stay anonymous, however, by using tools like VPNs (virtual private networks) and/or specialized browsers to either fake the information or prevent it from being sent entirely. So where does that leave us?
A wretched hive of scum and villainy
You can in theory use the dark web to do innocent, wholesome things like exchange photos and talk to your friends without fear of government surveillance. There are blogs and forums and chat rooms on the dark web for regular conversation. Some large organizations like the BBC, Forbes, and Facebook (to name a few) have a presence on the dark web to allow users to browse their sites anonymously or share tips with journalists without government interference. That said, the vast majority of internet users don't really care that much about privacy or anonymity, so while you do end up with some people who just want to browse in private, you end up with criminals as well.
Even though there is crime on the dark web, it is often overstated. YouTubers and other internet celebrities love to make up stories about how they got on the dark web one time and saw a terrible horrible awful video of unspeakable things or downloaded a video game full of viruses and evil. There is little reason that either of these things would be on the darknet:
(1) the people who create/share things like that are doing so for shock value and have a much larger audience on the clearnet, and
(2) you can already easily find gore videos and virus filled programs on the clearnet.
I'm not saying that there aren't shock sites and the like on the dark web, only that their presence and extent are greatly exaggerated.
Much more notable on the dark web are the numerous sites dedicated to piracy, illegal pornography, and the purchase of illicit materials (drugs, guns, etc). Yes, you can really go on the internet and buy cocaine, though it is far from straightforward. Some of these pages are honeypots, fake websites set up to catch people trying to break the law. Various three-letter agencies have run operations on the darknet to infiltrate and break up organized crime groups, but enforcement is difficult. Other pages are scams, like the numerous murder-for-hire sites that will happily collect a few grand from unwitting visitors before vanishing.
Back to the monitoring bit
Beneath the traps, however, there are real criminal activities going on, some of which involve selling information stolen in data breaches. Cybersecurity researchers at Privacy Affairs have published price lists for data ranging from $1 (social media login info) to thousands (bank account info). And with the thousands of cybersecurity breaches that have happened in the past two decades, there is no shortage of information to be sold.
Despite this, I don't recommend dark web monitoring services. Why?
Well, for starters, the internet is international and criminals on the darknet are more tech savvy than average. Law enforcement in the United States has enough trouble prosecuting cyber crime at all – take a look at the FBI Internet Crime Complaint Center statistics and you'll see that asset recovery in general doesn't have great odds, and those odds are even worse when you factor in international jurisdiction issues. And this is when people have lost large amounts of money – you can go ahead and kiss your stolen Facebook account goodbye as far as the police are concerned.
You might still be thinking “At least I would know that my data was stolen and put up for sale.” And you might, but remember how I said that federal agencies have a hard time keeping up with crime going on across the darknet? Agencies which have access to highly trained cybersecurity experts, lots of money, and an extensive history in internet operations? Private companies can use tools like data scrapers to check darknet sites for keywords or visit forums that are known to engage in the sale of illegally obtained data and ask around, but they can't force people to hand over information. If the seller has figured out that they're dealing with someone from a cybersecurity company or if the website is somehow inaccessible to those scrapers, then there's not much they can do. To further my point, here's a section from the EULA of a popular dark web monitoring service:
[...] the Company gives no warranty or undertaking and makes no representation of any kind that the Software will meet customer’s requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any availability, performance or reliability standards [...]
Maybe they'll find something, maybe they won't. But you don't have to waste money on a “maybe” service or wait for INTERPOL to raid a scam complex in Asia. You can be totally responsible for your data. Practice good cybersecurity habits, keep an eye on your accounts (particularly financial ones), use free credit monitoring if you have it. Change your passwords if you notice weird activity. Use two factor authentication (scammers overseas don't have your cellphone, hopefully).
Your data is out there – at this point, most people have been involved in at least one breach, if not many. That doesn't mean you should let the alarmists get to you so they can sell you something. There are billions of people on the internet and billions of leaked records, meaning someone first has to find or buy your specific information, hope that you haven't changed your information since it was leaked, hope that you won't notice them logging in, and hope that you have something to steal. As an individual, you are much more likely to fall victim to a scam than have a random person on the darknet obtain your bank account information.
In short: dark web monitoring? No. Good cyber hygiene? Yes.
Rebecca B. – BS Interdisciplinary Studies (Marketing/Computing) Return to home