How effective is dark web anonymisation?

Author: Richard Flint, Research assistant, RAND Europe

Where would someone buy a gun? Or Class A drugs? Or false identification documents? Or any other illegal item for that matter? If this were 20 or 30 years ago, the first port of call might have been the local dodgy-looking pub, but today there is a new place to go to shop around for the latest range of illegal goods, and that’s the dark web.


Originally developed by the US government in the 1990s to hide the identities of law enforcement officers online, the dark web is an unindexed part of the Internet that is only accessible using specific anonymising software packages, such as Tor. The additional anonymisation provided by Tor allows users to find and view hidden pages on the dark web whilst concealing their computer’s IP address. As a result, the dark web has grown increasingly popular for users who seek to engage in both legitimate and criminal online activity whilst hiding their personal identities.

As a recent study by RAND illustrates, users can browse and purchase any number of illegal items on the dark web, either on single vendor sites, or on larger cryptomarkets that provide a platform for multiple sellers to operate. Yet, before browsing the range of guns or drugs or false identification documents available, the first question that any criminal – and indeed any user of the dark web – may ask is: how reliable is this anonymisation software that supposedly protects their identity?

De-anonymisation can currently be achieved using technical analysis, but with a probability of error

Certainly, the anonymisation provided by Tor is not unbreakable by design. Tor Project Inc. – the organisation that developed and maintains the Tor platform – openly acknowledges that trade-offs were made between the software’s usability and security, which in turn may introduce vulnerabilities into the system. Statements from law enforcement agencies also suggest that they are able to circumvent the anonymisation of the dark web, albeit to a limited degree. Leaked documents from the US National Security Agency (NSA), for example, state that the organisation will never be able to de-anonymise all Tor users at the same time, but may use manual analysis to identify a small fraction of Tor users at any one moment. The European law enforcement agency Europol also states that the dark web is not untraceable, and that law enforcement officers can apply both technical analysis and more traditional targeted profiling to identify users and operators.

Recent academic and media publications seem to confirm these statements by outlining a number of ways in which the dark web can be de-anonymised. In 2015, for example, a joint research team from the Massachusetts Institute of Technology (MIT) and Qatar Computing Research Institute demonstrated two methods of de-anonymising Tor users, both of which used a combination of artificial intelligence and tailored traffic fingerprinting techniques. The researchers were able to identify users of dark web hidden platforms with an 88% true positive rate, and a false positive rate between 2.9% and 7.8%, depending on the particular method used.

Whilst these methods would not allow law enforcement agencies to identify Tor users with full certainty (i.e. with 100% accuracy and 0% false positive rate), they point towards some of the ways in which law enforcement agencies may use technical analysis to identify possible suspects on the dark web. The proposed methods were examples of passive de-anonymisation techniques which, according to the authors, pose a greater risk to online anonymity than the range of active de-anonymisation techniques that have already been developed. Active de-anonymisation techniques require the investigator to actively influence traffic to a website through, for example, inducing congestion, influencing routing or adding kill circuits. Passive techniques, on the other hand, do not influence the network during the de-anonymisation process, and so are undetectable by either a client or server. A passive technique, for example, may de-anonymise users using old network traffic data.

De-anonymisation can also be achieved using non-technical methods

On top of these technical forms of de-anonymisation, press releases and media reports highlight some of the other ways in which law enforcement agencies are able to identify users of the dark web. One of the most successful techniques in recent years was the use of so-called “honeypot” sites that, whilst appearing to be legitimate to dark web users, were in fact monitored and operated by law enforcement agencies. In 2015, for example, FBI officers seized the servers that supported Playpen – a dark web bulletin board that allowed the sharing of images of child sexual abuse. According to reports, the agency then ran the website from its own servers for an additional two weeks, and installed a Flash application onto users’ computers that allowed it to capture IP addresses and other identifiers. Similarly, in 2013, Dutch law enforcement officers seized the servers of the dark web marketplace Hansa, and ran the platform as a honeypot site for at least one month to allow them to monitor activity, obtain login credentials, and identify the real-world addresses of over 500 marketplace buyers.

If this wasn’t already sufficient disincentive, law enforcement agencies also seek to exploit human errors that give away user identities without having to technically break the anonymisation provided by the dark web. Undiscerning users may, for example, use the same pseudonyms across open web and dark web platforms, or make comments on the dark web that allow their hidden identities to be linked to open web identities via stylometric techniques that analyse their style of language. Indeed, the arrest and prosecution of Ross Ulbricht – the founder of the now infamous Silk Road marketplace – was seemingly made not through complex technical de-anonymising techniques, but rather by linking an advertisement he posted on the open web for a software developer job to a handle that was used to post the very first advertisements for the Silk Road platform.

Developments in technology and software may improve the security of dark web anonymisation, but de-anonymisation techniques will continue to improve

Although much of the current focus is on Tor, there are other software platforms that also seek to provide individuals with anonymised access to the dark web. Two of the most well-known examples are Freenet and I2P, both of which were developed after Tor, and both of which use different anonymisation techniques in an attempt to protect user identities. I2P in particular has benefited from the focus and research on Tor, which has allowed developers to include additional measures that protect against some of the vulnerabilities identified in the older Tor software. Both I2P and Freenet, however, are much smaller in scale and have received much less attention than Tor, meaning less is known about the potential vulnerabilities in their software architectures.

In addition to developing alternative software platforms and patching existing vulnerabilities in Tor, future development and application of new technologies may provide dark web users with a greater degree of anonymity than the current status quo. In their most recent threat assessment on online organised crime, Europol notes the development of decentralised marketplaces, which were set to be compatible with the Tor infrastructure from February 2017 onwards. Such decentralised systems would remove the need for centralised servers and single ownership that were exploited in cases such as Silk Road and Hansa, which in turn could make it more difficult for law enforcement agencies to identify users or operate sites as honeypots.

But in the seemingly endless game of tit-for-tat between governments and law enforcement agencies on the one hand, and both altruistic and nefarious developers on the other, it seems unlikely that fully secure online anonymisation will be achieved, at least in the near future. While the risk of de-anonymisation can be reduced through careful use, users of the dark web will continue to operate with a risk of detection and identification, regardless of the scale or type of their activity.