On September 27th 2016 Europol released their annual Internet Organised Crime Threat Assessment, the intent of which is to help Europol set priorities, drive consensus and "to inform decision-makers at strategic, policy and tactical levels on how to fight cybercrime more effectively and to better protect online society against cyber threats."
The report makes for an interesting read. I am going to focus on the section titled "Darknets and Hidden Services"
Traditionally, dark web investigations have been undertaken by departments responsible for cybercrime. This split has been criticized by those working in departments focused on drugs, firearms or other illicit commodities - and for good reason, while the technology is different, the underlying organization structure has not changed. Organizations continue to blend offline trafficking with online point of sale and the current way of partitioning investigatory work is proving ineffective - leading to duplication and information silos.
It isn't just departmental boundaries which are being strained; One of the main investigatory hurdles, according to the report, is out of date national laws and policies.
one quarter of respondents [were] clearly restricted by their national legislation.
In many countries the legislation has not kept pace with the development of new technologies, and as such criminal investigations are often hampered by unclear jurisdictional boundaries - at both the national and international level.
With organizations crossing and ignoring national boundaries the concept of a single state having ownership over investigations into these organizations becomes counterproductive.
The Evolution of Darknets
Recent years have seen a rise in the number of tools and software aimed at making distributed, anonymous applications easier.
The focus in this report on locating hidden services to a single jurisdiction is flawed in a world where applications don't have to live in a single server in a single country.
Which brings me on to my main takeaway from this report; Law enforcement are struggling to understand the technologies and potential futures of anonymous systems.
A harmonised approach to undercover investigations with clear directions and boundaries and is required across the EU. Part of this effort must focus on locating hidden services, to give ownership of an investigation to a specific Member States.
For those who haven't read my thoughts on Riffle from earlier this year I will simply summarize by stating that Riffle is not a contender for most promising Tor replacement.
Riffle is an academic experiment with no real world potential as a general purpose anonymity network. The novel development of the Riffle research, the fast shuffle algorithm, may well make it's way into anonymous technologies - but it is unlikely to ever be the basis of an effective anonymity network - where scale and number of users can only be achieved by a variety of potential overlay applications.
OpenBazaar represents a more likely trend for anonymity tools - distributed, decentralized, peer-driven applications.
The report ends this section with this assertion:
What the repercussions of the migration of existing Darknet drug and illicit commodities markets to this type of system would be for law enforcement investigations is not yet clear
Europol, if you are reading, allow me to fill in some of the repercussions for you:
- There is no longer a single point of disruption - actually there may be hundreds or thousands of separate instances.
- Investigations become vendor focused, rather than site/marketplace focused - it no longer becomes possible to shut down a marketplace by finding the operators or location, instead investigations have to focus on individual buyers and sellers in order to disrupt criminal operations.
- Investigations become harder - Websites are generally full of bugs, have to be centrally hosted and paid for and the client are susceptible to browser 0-days. Decentralized solutions remove much of that risk. There is still the possibility of a bug in a client, but there are now many different clients, and they are often much simpler than a browser. This means existing attacks and investigation techniques fail and are reduced to hoping for an opsec failure - whether accidental, or constructed through an undercover operation.
All of this together means that investigating the dark web is going to become much more difficult and costly. I believe the recommendations published by Europol fail to address this future and that, from all perspectives, law enforcement is struggling to deal with the Dark Web as-is and has little idea of what is in store.
If you would like to support further research into the dark web and development of tools like OnionScan you can become a patron at Patreon