What We Can Learn from the ICE Darknet Investigations Feature
The U.S. Department of Homeland Security: Immigration and Customs Enforcement (ICE) recently published a feature on their darknet investigations. Overall the feature adds up to more PR than insight - however there are a few things we can take away from what ICE has published.
Takeaway 1: Investigations Often Begin (and End) in the Postal System
Cyber investigations sometimes begin as traditional in nature then progress into the cyber environment. HSI was one of the primary agencies on the Silk Road investigation that revealed large-scale illegal drug and contraband smuggling through the U.S. Postal Service.
Postal service tracking and interception have long been known to be a key law enforcement strategy in drug trafficking investigations.
Littered through the video, text and images are references to previous investigations nearly always starting with an intercepted package - this should come as no surprise - one of ICE's key mandates is preventing the smuggling of goods across the US border - so parcel inspection and the resulting investigations are right up their alley.
No doubt by now some areas of the governments involved in darknet operations are tracking the rise of new darkweb marketplaces and building intelligence - but, without hard evidence, in the form of intercepted contraband - it is difficult to build any kind of case.
Takeaway 2: ICE does a huge amount of Image Analysis
While nothing is said in the text or the video, the images attached to the article tell an interesting story about the role of image analysis in ICE's overall approach to investigations.
At least 3 separate images (about 50% of the images not related to showing darkweb sites) appear to show different stages of image analysis - whether analyzing pictures directly, looking for camera artifacts or metadata analysis.
Pictures are often worth 1000s of words, and various opsec mistakes by vendors mean there is a treasure trove of data out there waiting to be analyzed. Just last month we saw vendors making trivial mistakes when posting photos of their operations - it would seem this behavior has not gone unnoticed.
Takeaway 3: ICE wants us to believe the dark web is all bad.
At times the video attached to the article borders on bad satire. The image below says it all: while provided as an example of how seedy the darkweb is, it doesn't show a dark web site - in fact it doesn't appear to show an illegal site - live sex web cam sites are not illegal in most jurisdictions relevant to this discussion.
So why would ICE be attempting to make this connection between the dark web and (legal) sex? I suspect because sex, especially in the US, is still seen as something to hide away in the shadows - much like drugs and rock 'n' roll (ok, maybe not so much rock 'n' roll) - and as such those links are intended to brand the darkweb as something that no regular citizen should ever find themselves dealing with.
Whatever the true intent of ICE, it must be seen as harmful - darknets have plenty of legitimate purposes - anonymous publishing, private instant messaging, simple file sharing, whistleblowing and many, many more.
Despite, and in some ways because of, the misleading PR, the feature itself is a small window into how ICE perceives itself, the work it does, and the kinds of work it needs to be doing in the future - and these kinds of insights are essential for defending darknets, and their applications, against future adversaries - be they government departments, private corporations or open source investigation toolkits.