Sophos Cloud Optix
The term dark web refers to a largely secret and anonymous part of the internet where, in two words, anything goes.
Almost all of this dark web is accessed via Tor, a freely available anonymising service that lets you browse without being easily tracked.
💡 LEARN MORE: Tor explained in plain English ►
The word dark, by the way, refers to “lack of light,” meaning content that isn’t illuminated and indexed via regular search engines, rather than to “broodingly evil,” the sort of content you might expect to find in an online world where anything goes and it’s tricky for law enforcement to follow.
Nevertheless, some of the dark web really is evil, by any definition you’d like to bring to the table, and a lot of it is illegal.
In fact, researchers at King’s College London recently made an effort to measure how much of the dark web is being used for illegal services – a tricky task, given that it’s supposed to be unilluminated – and ended up with a figure of 57%.
The accuracy of that research, and how to intepret that simple-looking number 57%, has been the subject of much discussion, as you can see from the comments on our write-up of it.
But Professor Alan Woodward, a security researcher at the University of Surrey in England, recently dug into the King’s College data and presented a well-reasoned discussion of its validity.
Now, Woodward has written that the number of dark websites inside the Tor network, having shown a slow but steady increase over the past three months, suddenly shot up by about 50%, from around 40,000 to just over 60,000:
This, of course, raises the question, “Why?”
Who set up more than 20,000 new dark sites in a few days? What’s going on?
The mystery is deepened by Woodward’s suggestion that the amount of dark web traffic on Tor actually went down very slightly at the same time:
Woodward’s preferred explanation is that there has been a sudden and explosive growth in the use of a recently-released, Tor-based anonymous messaging service called Ricochet, which works, simply put, by creating a dark website for every user.
Ricochet isn’t entirely new: it’s the pet project of Australian IT journalist Patrick Gray, who first wrote about it at length back in 2014.
Ricochet’s main purpose, says Gray, is to help whistleblowers to contact the media without leaving metadata traces – in other words, data that shows the contact took place.
Metadata is the sort of information that says, “You emailed Paul Ducklin at 13:37 yesterday,” but without any content from the email itself. Because it doesn’t contain actual content, metadata is treated as “mostly harmless” in many countries and can be requested without a warrant, despite the obvious threat to privacy posed by its widespread collection and use.
And Ricochet recently made minor headlines in the security community after receiving a positive code review from a security assessment company called NCC.
That was on 15 February 2016; perhaps, speculates Professor Woodward, this news prompted a sudden surge in Ricochet use, and thus accounts for 20,000 new sites in the dark web?
Gray himself, however, has tweeted that he “would be surprised” if that were the explanation:
So that leaves us with the question, “What’s going on?”
What’s your theory? Tell us in the comments…
Update. The mystery deepens! In the few days since Woodward’s article was published, the number of dark websites has fallen again, down to just over 50,000.
I am wondering why I never see the 60 second security from Paul Ducklin anymore. Has it been discontinued or have I just misplaced it?
You haven’t misplaced it. But it hasn’t actually been discontinued, either. It’s just “having a vacation”, so to speak. I don’t think we’ve quite decided whether to bring it back yet or not. I’m assuming you are as good as voting for its return… if so, noted with thanks 🙂
For what it’s worth………I really miss 60 second Security!
I get your emails daily, plus follow the blog and try to absorb all the things I should………then……..I found the audio on 60 Second Security brought the whole lot together, and both reminded and reconfirmed stuff simply and quickly…..Well in 60 seconds.
Yes for selfish reasons I hope it returns……..yes this is a vote!
Bring it back! (please)
Testing for a new botnet?
Prof Woodward himself just suggested to me that it might be down to the Locky ransomware, which uses .onion sites for payment and has had a stonking run of attacks lately. I’m not sure how to test that idea…or how to test whether it really is Ricochet after all.
I would guess that ricochet was to blame…. in that once the review came out, tons of people installed it to give it an evaluation… after some review and the new-ness wearing off, most of them have uninstalled it.
Locky and Ricochet are to blame for sure…. Both had a HUGE uptick around the same time frame, and lower darkweb usage also corresponds to a “bot like” creation….
Hello Mike, how do you know that? Are you a security researcher? I’m just curious.
The NSA set up these extra nodes.
Ah, Duck, how can you call them ‘dark’ if they can be measured? That implies that they’re known about. So I’d speculate that the measurement criteria changed, or a ‘corner’ of Tor has been opened up…
That’s “dark”, as in “unlit”, like a country road at night; not “black” as in “beyond the event horizon,” like a black hole 🙂
IIRC, Prof Woordward considered that possibility and formed the opinion that Tor’s measuring methods had stayed consistent.