Dark Web Child Porn Sites Are Using 'Warrant Canaries'

Whereas tech companies use signed messages to flag government demands for data, criminals are trying to use them to warn of compromised sites.

For coal mines, canaries raised the alarm on toxic leaks. For tech companies, cryptographically signed messages—or warrant canaries—flag secret demands for user data. And on the dark web, they are supposed to show that a criminal site has not been infiltrated by law enforcement.

At least, that's the plan behind canaries on child pornography forums. Administrators of such sites have taken to posting signed messages every few weeks; if they fail to do so, they may have been arrested by investigators, and their absence can act as an early-warning mechanism to other site members.

"[Child porn site] will be providing a PGP signed message from [user] and myself within the first week of every month as an additional security precaution," an administrator on one dark web child pornography site wrote in April of this year.

"If either [user] or myself fail to provide a signed message, consider this site compromised," the admin continues.

Motherboard has decided not to name the site or print the users' pseudonyms, as that information could be used by readers to more easily find illegal material. Motherboard did not access this website either.

The post added that the idea originally came from the administrator of another child pornography site called GiftBox. (On Wednesday, Motherboard reported that a Tor Browser exploit had been deployed against users of GiftBox, which may in turn have been used to reveal their IP addresses.)

Over the next few months, the admin of the unnamed child pornography site posted more signed messages, which included references to events that had happened recently to prove it wasn't a pre-scheduled post. And then again, and again.

"Another month, another chalk line on the wall," one of the canaries read.

But the admin has apparently been late posting at least one of these canaries, much to the annoyance of other members.

"Your canary was 5 days late in October without any reasoning provided as to why," one user complained, according to a post on The Uncensored Hidden Wiki, a sort of Wikipedia for the dark web.

Typically, cryptographic canaries have been used to alert website users to government demands for data. Last week, the canary for privacy-focused email service Riseup seemingly expired. In March, Reddit removed its own canary from the company's transparency report, implying that it had received a classified request for user data.

But the same method probably does not translate well to criminal forums. Law enforcement agencies have taken over, and subsequently run, plenty of forum accounts belonging to child pornographers, including administrators of sites. Criminals often work with law enforcement after a bust; it's possible that one might continue to post cryptographically signed messages even after they've been arrested, fooling users into thinking the site is safe.

Australian police ran one site for six months and pretended to be the owner, posting from his account; the FBI did the same when they briefly operated the dark web child pornography site Playpen in 2015.

"Blah Blah nobody reads these anyways," one of the canaries reads.