12 January 2019

The Pitfalls of Policing the Dark Web

Cara Tabachnick 

Criminals on the dark web are compelling law enforcement agencies in the United States and Europe to alter the way they conduct investigations on the internet, opening up new possibilities for international police collaboration against cybercrime but also, critics warn, expanding the long arm of the law without a clear understanding of the impact. Since 2013, the proliferation of decentralized cryptocurrencies and online black markets has created countless new avenues for easy criminality. From the confines of a living room in China, a drug dealer using an anonymous browser can sell opioids to a user in the United States that are shipped through Malta, constructing a complex web of transactions around the world. 

“Cybercrime is borderless and criminals take advantage of it, so we have to make sure we are working together to catch these guys,” says Nan van de Coevering, who leads the Dutch national police’s Dark Web Team, which was instrumental in dismantling the dark web market Hansa in 2017. Almost 4,000 drug dealers were active on Hansa, selling heroin, MDMA and other substances.

Supported by Europol, the European Union’s main law enforcement agency, van de Coevering worked with her federal policing counterparts in Germany and the United States to dismantle the Hansa network and assist in the takedown of AlphaBay, another cryptomarket. Their successful collaboration led to more momentum for law enforcement to cooperate across borders to investigate and police the dark web. Last June, Europol created a dedicated Dark Web Team, six months after the U.S. Justice Department started its own Joint Criminal Opioid Darknet Enforcement team, known as J-Code, to combat online opioid sales. 

Although these initiatives represent progress in policing rapidly evolving criminal terrain online, law enforcement must navigate a host of tricky procedural and ethical issues. There are various legal systems with different rules that complicate coordination, especially since Europe and the U.S. diverge widely on internet privacy restrictions. It is also unclear how, if at all, European and American authorities could collaborate with countries that have been adversaries in cyberspace, such as China and Russia. And at its core, there still isn’t much collective understanding of the scope and dimension of criminal activity on the dark web, which could provide some structure for law enforcement to use during their investigations.

“There is no established framework for dealing with these types of crimes,” says Rob Wainwright, the former director of Europol, who now advises businesses and governments on these issues as a senior partner for cybersecurity at Deloitte, the global professional service company. But he contends that this moment provides law enforcement with a golden opportunity. In a 2017 report detailing Operation Avalanche—Europol’s successful dismantling of an international criminal syndicate known as the Avalanche network, which had launched costly cyberattacks on banking systems in Europe—Wainwright argued for law enforcement to mimic more closely the way tech companies, such as Uber or Airbnb, operate. 

In an interview, Wainwright explains how disparate law enforcement groups should work with a coordinating agency on dark web investigations, such as Europol’s Cybercrime Center. While Europol doesn’t have traditional policing powers—meaning its officers can’t arrest people—it has the ability to correlate data shared from EU member states, possibly discovering information not easily seen during a ground-level police investigation. Europol can use its technology to connect the dots and guide law enforcement agencies involved in these complex operations—just as Uber does not own its taxis, but uses its platform to direct drivers to customers.

“Criminals are becoming ever more transnational in nature, but law enforcement operates at a national level,” Wainwright says. “On the ground there is a reality gap, and using a broader technology-based tactic to coordinate information across agencies and countries gives law enforcement an opportunity to bridge that.” 

In the daily world of police agencies, though, there may not be time to consult with a third party or negotiate various country regulations. Police work at its core is still national, van de Coevering says. The way her team in the Netherlands collaborated with German and American authorities during the Hansa investigation was more informal and based on existing relationships. 

“We were aiming to take down a big dark market, and it was only after we spoke to our counterparts, we realized it was part of the same network,” van de Coevering explains. The U.S. and many EU member states already have different liaisons stationed in the Netherlands, so after the Dutch police discovered that one of Hansa’s administrators was based in Germany, it reached out to the German Federal Police. As the inquiry progressed, van de Coevering and her team communicated with U.S. authorities in the Drug Enforcement Agency, Homeland Security and the FBI. Dutch prosecutors later reviewed everything before the Dutch police released information about Hansa to ensure they were abiding by different countries’ rules and regulations regarding internet privacy.

But scholars who are skeptical of these new levels of collaboration against cybercrime warn that the rush to police the dark web has resulted in less judicious operations and unchecked, extended police powers.

Police investigations on the dark web have opened “the greatest extraterritorial expansion of enforcement jurisdiction in U.S. law enforcement history,” Ahmed Ghappour, an associate professor of law at Boston University, argued in a 2017 paper. He focused on “the use of hacking tools by law enforcement to pursue criminal suspects who have anonymized their communications on the dark web,” which he wrote “presents a looming flashpoint between criminal procedure and international law.”

“Some of this stuff is so new, we don’t know yet what is going to work in practice,” says Eric Jardine, an assistant professor of political science at Virginia Polytechnic Institute and State University who studies the dark web. Given the sheer volumes of information on the dark web—Jardine estimates there are somewhere between 65,000 and 90,000 hidden service sites—police have a daunting task monitoring online forums and sites and trying to figure out where crime is happening. “We don’t yet know how these trends are going to manifest,” Jardine adds.

Ghappour says in an interview that during cybercrime investigations, U.S. authorities have used government agents to encroach on other countries’ sovereignty. Since most dark web markets are run outside of U.S. jurisdiction, Ghappour contends that police investigations take place without the target countries being fully informed about them. Given that the dark web is anonymous by nature, U.S. law enforcement doesn’t know if they are probing networks in Italy or Kansas. It is more than likely police are investigating somewhere else—and in the process violating the well-established international law that one state must not unilaterally exercise law enforcement functions in another state. There have yet to be cooperative agreements put into place, Ghappour says, that fully account for how to handle these nascent issues.

Not only does the dark web open up new space for policing, “law enforcement investigations now use techniques that create new legal uncertainties,” Ghappour adds. He points to the investigation into a dark web child pornography site called Playpen, in which a foreign law enforcement agency notified FBI investigators about the site. The FBI obtained a single warrant to use what are known as “network investigative techniques,” or NIT—code that allowed it to remotely install malware on nearly 9,000 computers in 120 countries to locate the administrators of the site. Critics called the move the single largest government hacking job in history. In the subsequent court case against Playpen, the government didn’t want to disclose the source code and refused to explain to defendants how the FBI used the malware. It then moved to dismiss the case. About 200 cases are pending against the government over its ability to hack suspects accused of accessing the site. 

“During investigations of dark web crimes, governments aren’t using normal channels to enforce the law,” says Ghappour. “This is a tipping point for law enforcement, and there needs to be lines drawn.”

Cara Tabachnick is a journalist who writes about the criminal justice system. She is currently based in Spain.
