Lying beneath the billions of Google-indexed websites on the internet is a hidden web, thousands of times larger than the indexed, or ‘surface’, internet. The vast majority of this hidden, or ‘deep’, web is made up of inaccessible areas such as libraries, archives, corporate intranets and Facebook posts. There are, however, a number of web pages that have been deliberately hidden and that include illegal, or morally questionable, material; this area is known as the ‘Dark Web’.
Only a web user who makes themselves ‘anonymous’ online can gain access to the deep web. Using ‘anonymity network’ software, a user’s IP address can be hidden by routing the user to the web page via random servers around the world and creating a temporary IP address instead, essentially anonymising their computer.
This mechanism provides multiple layers of encryption and has therefore become known as ‘onion routing’. Onion routing was originally developed by the United States military to enable untraceable communication between the armed forces. Through software applications such as Tor, this is now accessible to individual internet users. Onion routing means that new pages can be added without detection and pages can be hosted and visited anonymously. The result is that it is often used by political activists in repressive regimes to disseminate messages. For this reason, the deep web was used extensively during the ‘Arab Spring’ uprisings.
However, the deep web also holds an attraction for the more nefarious internet user. This anonymous space on the internet has created a marketplace for providers of goods and services seeking to avoid the attention of the authorities: the so-called ‘Dark Web’. This includes criminal activity such as the distribution of child pornography, but also includes activity which is less obviously illegal. For example, there are websites specialising in the sale of research-level pharmaceuticals and others in the sale of significantly discounted (and presumably counterfeit) electronics. It is websites such as these that pose the greatest threat to legitimate business.
The sale of goods and services in these dark web marketplaces remains anonymous through the use of an online, ‘untraceable’, currency known as ‘Bitcoin’. There can only ever be 21 million bitcoins (or BTCs) in circulation. These are traded between individuals on a peer-to-peer network and therefore do not require a central bank.
It is the lack of an audit trail surrounding the use of Bitcoin that makes it so attractive to dark web businesses and the ideal currency for dealing in the dark web marketplace. Added to this, there is something known as the ‘Bitcoin mixer’, a central repository where bitcoins can be placed, randomised and withdrawn, effectively removing any audit trail and ‘laundering’ the BTCs much like a traditional money launderer would do using the real-world banking system.
The combination of hidden web space, anonymous web users and untraceable currency has created near perfect conditions for the sale and purchase of illegal goods and services. The most infamous online retail outlet operating in this marketplace is known as Silk Road. The Silk Road web page presents a host of illegal drugs, weapons, currency and hardcore pornography for sale. In order to preserve the total anonymity surrounding the trade that takes place on Silk Road, the only currency accepted on the site is Bitcoin.
The dark web, along with sites such as Silk Road, is not yet on the list of high-priority threats facing today’s boardrooms, but it may be in the future. A growing marketplace is emerging: one in which trade can occur in an unregistered online location between two anonymous parties using untraceable currency. This marketplace is therefore the ideal setting for the sale of commodities that could potentially harm the business or reputation of legitimate organisations, including:
Robust and exercised internal and external controls are key to ensuring that a company does not ‘leak’ any product, IP or information which could be traded on the dark web. A strong physical security, cyber security and policy framework, supported by the right cultural drivers, can prevent such things falling into the wrong hands and making their way onto the anonymous dark web market.
However, few companies fully understand their own online profile, increasing the risk that the organisation’s brand and reputation are being harmed by the online activities taking place in the dark web.
This has led an increasing number of organisations to ask: “Are we a hit on the dark web?”
This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the UK.