The term “dark web” evokes a common set of impressions. Some compare it to the Mos Eisley cantina from Star Wars, “a wretched hive of scum and villainy.” Others call it the “underbelly" of the internet. That’s no surprise, since it’s well known that nearly anything can be bought on the dark web, from stolen medical records to methamphetamines.
But is the dark web the seedy place suggested by these metaphors? This article is intended to introduce readers to the dark web; to its uses (both legal and illegal), and to some best practices that readers can follow to protect their businesses — and themselves — from the dark side of the internet.
What is the dark web?
Understanding the dark web requires seeing it in relation to the rest of the internet. Think of the internet as an iceberg. At the top of the iceberg is the "surface web," the public part of the internet that anyone can access. For example, people curious about the International Association of Privacy Professionals need only type www.IAPP.org into their internet browser to reach the IAPP’s public website. Publicly available information from IAPP’s website is an example of data stored in the surface web.
But many organizations, including the IAPP, have exclusive resources available only to members. For example, business leaders wishing to read IAPP’s “Bring your own device” guidance documents can’t access this information directly. They’ll need an IAPP member ID and password to open the members-only section of IAPP’s website. This part of the internet is called the “deep web,” the access-controlled portion of the internet which lies underneath the surface web. The majority of online content (typically estimated to be around 90 percent) is found in the deep web.
Finally, at the bottom of the internet iceberg is the “dark web,” also known as the “dark net.” The dark web resembles the deep web to the extent that they store information that is not publicly available. The key difference, however, is in the type of effort and tools required to reach these different parts of the internet. Regular people can use regular online browsers, like Google Chrome or Apple Safari, to reach deep web content; they simply need the right login credentials to ultimately access it. By comparison, reaching the dark web requires special software tools and skills. One common tool is called the TOR Network. By masking the users’ IP addresses (and more), the TOR Network software acts as the key to open the door to the dark web.
What does the dark web look like? Put aside the shadowy metaphors because, in reality, much of the dark web will look familiar to many. Are you a Google fan? Use the Google-inspired “Grams” dark web search engine. There are even book clubs where dark web denizens debate their favorite novels.
How do people use the dark web?
In the right hands, the dark web can be used positively. For example, democracy activists in foreign countries use the anonymity of the dark web to organize their activities. The United States State Department has invested time and resources to encourage this use of the dark web.
But that same anonymity also be used to hide illegal activity. For example, white supremacists are moving their activities to the dark web. And this part of the internet enjoys a reputation as host of some of the world’s premier black markets.
The presence of these black market websites are among the most concerning elements of the dark web for business leaders and attorneys. Customers of dark web websites can buy drugs, credit card information, customer lists and other contraband stolen from legitimate businesses and their employees. Some of these illicit marketplaces reap huge profits. For example, according to federal prosecutors, the recently shut-down dark web marketplace AlphaBay was worth upwards of $23 million.
What can be done to minimize the dark web's risks?
The following steps may help minimize the risks posed by the dark web:
Being proactive
This part may be “old hat” to business leaders and counsel. Being proactive means using industry standard (or better) cybersecurity practices to avoid being hacked, or to minimize the ability of bad guys to read data that is successfully stolen. Common examples include encrypting important information, using strong passwords, joining information sharing organizations and more. In other words, being proactive means practicing good cybersecurity.
Being responsive
Information gets stolen and placed for sale on the dark. So how can individuals and businesses respond?
The first step is to find out if your information was stolen. Companies and individuals that don’t have the ability to monitor the dark web for stolen information can turn to specialized entities and agencies that do. For example, the credit monitoring company Experian recently launched a dark web monitoring service for individuals. Other companies may follow suit. If Experian spots their subscribers personal information (Social Security numbers, bank account information and more), those subscribers get notice of that. This service is a step up from the “old school” method of monitoring for credential theft, checking credit reports for new, unauthorized accounts.
Businesses have even more options. For example, the National Cyber & Forensics Training Alliance, a nonprofit information sharing organization affiliated with the FBI, offers a free “Internet Fraud Alert” program that provides businesses with a degree of dark web monitoring. Companies requiring personalized levels of monitoring can pay for services from a number of forensic firms.
If individuals and companies learn their personal or business information has been spotted the dark web, the next step is to minimize damage. Individuals can change login passwords or cancel compromised financial accounts. Businesses can similarly instruct employees to change compromised credentials, and can begin investigating their company’s systems for infiltration to plug holes. Finally, knowing you’re your company’s (or personal) information was stolen gives a reason to contact law enforcement.
Report incidents
Finally, consider reporting theft of online information to organizations like the FBI. Individual victims may not want to walk to an FBI Office to report the crime. To make the process easier, victims can inform law enforcement online via the Internet Crime Complaint Center, though reporting incidents in-person may yield faster results. Even if law enforcement does not act upon a particular complaint, providing this information may help them develop trends and patterns to find criminal actors. And there have been success stories: In 2017, law enforcement agencies throughout the world seized control of “AlphaBay” and “Hansa,” two of the biggest online criminal markets on the dark web.
Following good cybersecurity practices may reduce the risk of your information being taken and sold on the dark web. Responding quickly to incidents may help minimize the harm, and reporting them to law enforcement may reduce the risk in general.