One Step Ahead: Pedophiles on the Deep Web
Keeping up with how pedophiles use technology is a cat-and-mouse game, on the deep web and beyond.
Image: Dean Terry/Flickr
Criminals are always one step ahead. While the public can enjoy anonymity tools or hard-drive encryption for privacy and security, people with more nefarious motivations are going to use these technologies to stay undetected, make money, or improve the efficiency of existing criminal enterprises.
Nowhere is this more apparent than with pedophiles. Recently, one study claimed that four out of five visits to hidden websites hosted on the anonymity network Tor are to pedophilic content. There were serious caveats with the study: the Tor Project told Wired that law enforcement bots visit these sites constantly to check for new content, skewing the results. Regardless, there is no doubt that anonymous networks are used for accessing child abuse material.
And child abusers have been using other freely available encryption and software for decades to protect their identities.
"The main thing is, they don't really have special tooling. They don't have anything other than what the general public has," the information security expert known as the Grugq told me. "There is no, as far as I know, pedophile-specific privacy technology."
Getting an introduction to the tools these people use to cover their tracks is easy enough. On the uncensored version of The Hidden Wiki, a site that maintains a regularly updated list of what's available on the deep web, is a selection of guides for pedophiles who want to browse, download, or share material.
Unsurprisingly, the use of Tor, and in particular the Tor Browser Bundle (TBB), is often the first thing mentioned in these guides. Tor, used by journalists, activists, and criminals alike, conceals peoples' identities by routing their traffic through different points all over the world. TBB is just one way to access this network.
As well as allowing anonymous browsing, Tor lets people host websites only accessible through the network. These sites, which end in the suffix .onion rather than .com, protect both the visitor to the site and its owner by disguising their IP addresses, as well as the physical location of the site servers.
Sites such as these are part of the deep web: the section of the internet unavailable to normal search engines such as Google. The deep web contains lots of boring stuff, such as banal databases. A part of the deep web, though, has been used for criminal purposes: drug sites, weapon vendors and pedophilic sites.
One guide listed on The Hidden Wiki, called 'Your Own Pedo Site,' is aimed at those who want to use Tor hidden services to distribute child abuse material. Before going into the technical details on hosting and configuration, the author lists some of the main obstacles in setting up such a site.
"Paying to host it is a crime, so payments must be untraceable," he or she writes. Another guide explains how to use Bitcoin to properly hide any payments. "Security requirements are equal or higher than those of banks," the author adds.
Detective Roy Calarese works at the Chester County Computer Forensics Lab, whose computer forensics department is considered one of the best in the country. He is very familiar with the challenges these sites present to law enforcement.
"There are more difficult cases where the child abuse material is being hosted on the deep web, and much of it is gone very quickly, stuff moves around," he told me.
"There is no, as far as I know, pedophile-specific privacy technology"
There is evidence of pedophiles using other hidden site systems too. Child abuse material exists on both I2P, a truly decentralised network, and Freenet, which can allow people to only connect to known associates, increasing their privacy.
But while plenty of attention has been given to the deep web, some child abusers have gone even further.
"There are people who are running private networks, private servers, that are very difficult to hunt down," Calarese said. "We certainly are seeing screen-sharing. We are certainly seeing virtualization."
Screen-sharing is exactly that: when you remotely provide someone else with a view of what is on your computer. The latter, meanwhile, is the use of a virtual machine, essentially a mini operating system or other technology running within your computer's usual system. Using a virtual machine means a user can do the tasks associated with a normal operating system, such as browsing the internet, while leaving a minimal trace on their computer. Some pedophiles choose to use a virtual machine when hosting their own website to prevent personally identifiable information from their computer leaking into their web server, according to one of the Hidden Wiki guides.
It wasn't always this sophisticated. Chester County District Attorney and former US federal prosecutor Tom Hogan recalled how pedophiles' security used to be as simple as hiding boxes of photographs. Then came phones, and we've also seen social networks like MySpace used to prey on children, as well as Skype and Snapchat.
"They will adapt everything they see out there," Hogan said.
Hosting websites on the deep web was a logical next step. One site, 'The Love Zone,' has been running since December 2010, making it one of the longest-lasting of any hidden service, according to a post on the Hidden Wiki.
But even with all of these advancements, Calarese is optimistic that the cops will be able to keep up. "Typically, they're going to be uncovered; they're going to be found out, and once they're exposed, and come to the attention of law enforcement, that's the end for them."
In order to protect the contents of their laptop from being accessed, a pedophile might encrypt their hard-drive. One security guide suggests a way to keep child abuse material stored on a computer hidden, even if the owner is forced to reveal their password.
"Add 'Overage' Porn to your external Volume [...] Store your CP [child porn] in your HIDDEN Volume," it reads. Some encryption programs include a feature that can protect information even when the user is forced to reveal a password. When asked to enter a password, a user can enter one password and reveal one volume, or another password and reveal another, hidden section.
"They will adapt everything they see out there"
But if it does get to the point where a child abuser is raided, and police find the suspect's laptop is encrypted, that might not be much of a problem for prosecutors.
"We have had cases where we've had some pretty serious encryption, that we've had difficulty with," Calarese said. "But I can't think of a case where we've had encryption that has prevented a prosecution."
"You have to remember they're coming to our attention to begin with because there's a reason why we have that laptop, there's some legal process that has been executed and enabled us to get hold of that laptop for forensic examination."
The switch to digital media more generally does still generate problems for law enforcement, however. As well as the extra time and effort needed, "the sheer volume of the data that you have to go through, painstakingly, can create problems," Calarese said, with some cases bringing in multiple laptops each with terabyte drives.
"The other issue is that sometimes the technology is so new, that we simply are not ready for it," he added. For this reason, his team is buying new devices as they come out, before they end up in the lab as part of an investigation.
But people still get away, and maybe it's not due to any one particular piece of technology. Staying hidden is as much about running a tight operation.
One case, analysed by the Grugq, involved an undercover operation into a group of around 45 online pedophiles, but only about a third were captured.
"The reason the majority of the group was able to avoid capture was in a small way due to the technology they were using (Tor), but primarily it was adherence to the security rules of the group. They had very good OPSEC and they followed it consistently" the Grugq wrote in a blog post. 'Yardbird,' the group's leader, is still at large.
This year, the amount of resources pumped into uncovering online criminals is going to increase.
In December, UK Prime Minister David Cameron announced the creation of a new, dedicated unit that will target child abuse on the deep web. It will combine staff from GCHQ and the National Crime Agency, which is essentially the UK's version of the FBI.
Both agencies declined to provide anyone for interview, but the NCA said the new unit will "become fully operational" in April 2015, and will comprise 15 to 20 co-located officers.
"The team's focus will be on enhancing the use of intelligence to identify the most serious offending, in turn bringing greater opportunities for action against the most prolific and destructive perpetrators of online child sexual exploitation, and other cyber-enabled crime," a spokesperson said.
But if in the end it boils down to criminal smarts and good old police work rather than just technology, the chase will continue.
"It's forever a cat and mouse game," Calarese said.