Dark Web—Committing Crimes to Catch Criminals

The legally gray areas of the dark web could serve as the extremes that help to define the less convoluted areas of cyber law many local and international governing bodies are currently grappling with

Avraham Chaim Schneider 14:58 17.02.20
The saying “it takes a thief to catch a thief” is true, often enough, especially as far as the dark web is concerned. It is also a terrible legal argument to make in front of a court of law when looking to justify questionable, if not outright illegal methodologies for the exfiltration of criminal data and the surveilling of suspects.


Such was the sentiment underlying the frustration expressed in one of the last legal filings by the defense team for Eric Eoin Marques, the man behind the dark web’s original Freedom Hosting platform:


“(P)erhaps the greatest overarching question related to the investigation of this case is how the government was able to pierce Tor’s veil of anonymity and locate the IP address of the server in France … the government revealed vague details of how investigators discovered the IP address (and location) of the server. The undersigned contend that the … disclosure is incomplete and inadequate, and that additional discovery on this point is due.”


In its heyday, back in 2013, Freedom Hosting was the dominant cloud hosting operation for sites on the dark web. By some estimates, over half the dark web’s sites were hosted on its servers. Drug dealing, hack sharing, money laundering, even a fine upstanding criminal banking institution dubbed Onion Bank; these were the freedoms Marques was promoting on his platform, any one of which could serve as an excuse to put him away for many years. But in the end it was his hosting of 95% of all child exploitation sites that did him in. Marques pled guilty earlier this month, despite his lawyers expressing doubts as to the prosecution being forthcoming with procedural evidence:


“Regardless of whether the government agrees to provide additional discovery, the undersigned requires the continued assistance of an expert to evaluate the discovery provided thus far, most significantly to assist in evaluating the legality of the investigative techniques explained in the (documentation provided).”


In other words, Marques’ team was not all that convinced the FBI did not resort to criminal activity themselves to get the goods on their client. Some might make a moral argument that even if authorities broke a few rules here and there, the end justifies the means. Perhaps, but legally this does not hold up. His lawyers knew it, and the suspicion is that the FBI knew it as well.



The jury is still out on jurisdiction


It is noteworthy that the Defense specifically mentioned a lack of disclosure with regard to how authorities were able to crack Tor’s traffic to a case-critical server in France. Jurisdiction is one of the most problematic gray areas affecting the legalities of dark web investigations.


In a 2017 Stanford Law Review article on jurisdiction with regard to the dark web, Professor Ahmed Ghappour detailed the problems stemming from the fly-by-night way lawmakers have been attempting to modernize laws on the books to satisfy the new realities of digital globalization. U.S. Federal Rule of Criminal Procedure 41 (other Western states would presumably have similar governing laws) specified that a search warrant was to be issued only by a magistrate situated in the locality where the warrant was to be carried out.


The problem with this original formulation was the impossible chicken-and-egg scenario it created, where law enforcement would first need a warrant to determine the location of a server in order to legally procure a warrant to search the server in the first place. Clearly the situation was untenable, so updated language was introduced in Rule 41(b)(6) that allowed magistrates to issue warrants without knowing the location of targeted devices in instances where said device “has been concealed through technological means.”


Seems a simple enough fix, but the devil is in the details. Although the intention of the amendment was for national use, the practical reality of the dark web’s global network and the fact that investigators won’t know where their searches will lead them before they get there pretty much guarantee the unauthorized violation of international sovereignty. Or as Ghappour put it, “the largest expansion of extraterritorial enforcement jurisdiction in FBI history.” He further pointed out that the legality of national authorities launching cross-border exfiltration operations is still an open question:


“(The) well-established international law axiom (is) that one state may not unilaterally exercise its law enforcement functions in the territory of another state, which has not been adequately addressed by courts or scholarship in the context of cyberspace.”


Herein lies the legal Bermuda triangle that is the dark web, as authorities won’t know for sure they are even involved in a cross-border operation if the target is a Tor-hosted site, at least not until they execute. At which point, should they confirm the likely reality that their target is located outside their jurisdiction, they may have already undermined their entire legal case against the suspect. Such a discovery might make an investigator want to leave out a few of these inconvenient details from a court filing.


Speculating on the legalities of the Wall Street bust


Not much has changed since Marques’s arrest in 2013. Back in March 2019, authorities surprised the men behind Wall Street Market (WSM), another fine upstanding establishment for dark web degenerates. Of the three men accused—Tibo Lousee, Jonathan Kalla, and Klaus-Martin Frost—Frost’s and Lousee’s arrests seemed to have been on the up-and-up, or at least there’s enough evidence to make the case that they were.


Kalla’s arrest, however, draws suspicion. According to court documents, Dutch National Police (DNP) were able to correlate administrative changes to the WSM made via a specific VPN provider, with overlapping time-frames of an IP (originating from the house where Kalla was staying) accessing the same VPN provider.


That is some investigative magic. Basically, what the DNP are claiming is that they happened to be monitoring an individual using the same VPN provider that an administrator of WSM was using at the time changes were made to the site; and although WSM had a million subscribers at the time (many of whom, presumably, may have also been using the same VPN, for all the investigators knew), luckily they happened to be watching the right guy at the right time.


Based solely on the information above, it would seem at the very least a realistic possibility that the authorities used some questionable hacking techniques of their own to zero in on Kalla before they started monitoring him for evidence they could present in court. Again, the average internet citizen may be happy about the results, not caring much about the means; good riddance to bad rubbish and all that. But legal minds and libertarian hearts more familiar with these types of cases are expressing the same concerns summed up by Marques’s defense team. The combination of violating both national sovereignty and individual rights is a slippery slope, one with a bottom that looks disturbingly similar to many authoritarian regimes.


Still, it is not all doom and gloom, as there is opportunity here as well. The legally gray areas of the dark web (should they be clearly legislated) could serve as the extremes that help to define the less convoluted areas of cyber law many local and international governing bodies are currently grappling with. Working all this out in advance may go a long way toward avoiding the evolutionary consequences of a lawless vacuum and all the mayhem such a sociopolitical environment tends to foster. More of the right people need to get working on this, and the sooner the better.


Avraham Chaim Schneider is coordinator of Israel-based law firm Herzog Fox & Neeman’s cyber and innovation media project.