Avoid a world of trouble by following these four simple recommendations of what not to do on the dark web during online investigations.
When discussing what not to do on the dark web, intentionally malicious or criminal activity goes without saying. For the purposes of this post, we are going to address some gray areas of using the dark web in the context of threat intelligence gathering, security research or other online investigations. Often these activities may necessitate access to online forums where criminal activity is discussed or carried out.
Like the other blogs in our dark web series, our primary reference is the Department of Justice’s Cyber Security Unit guidance to the private sector on gathering cyberthreat intelligence in dark marketplaces. You can read the complete memo here.
(The memo and following discussion does not constitute legal advice. Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization’s attorney for legal advice before undertaking the activities considered here.)
If you come across a forum on the dark web that requires a credential for access, do not attempt to evade the authorization requirements.
“Access Forums Lawfully: Accessing a forum in an unauthorized manner, such as by exploiting a vulnerability or by using stolen credentials, can implicate the CFAA and statutes like the Access Device Fraud statute (18 U.S.C. § 1029).”—DOJ Cybersecurity Unit
If you need a persona to access or interact on the dark web, don’t use someone else’s identity (name, photo, phone number, email, etc.) to do so without their consent. Posing as someone else can not only create legal trouble for you, it also puts the other person at risk of receiving targeted malicious activity from criminal actors whom you’ve interacted with. The best approach for the dark web is to create an entirely fake persona that cannot be connected to you or your organization.
“Do Not Assume Someone Else’s Identity without Consent: Using a fake online identity to gain access to or participate in a forum where criminal conduct is occurring, standing alone, is typically not a violation of federal criminal law. However, assuming the identity of an actual person without his or her permission rather than manufacturing a false persona can cause legal problems.”—DOJ Cybersecurity Unit
Learn how to control your digital fingerprint to match browser and device details to your online identity and avoid tipping off investigative targets >
This is important for two reasons. First, having a set of written guidelines will help keep your research efforts focused and within the bounds of your organization’s risk appetite. Secondly, documented plans, policies and procedures are helpful in the event you or your organization comes under investigation from law enforcement. You can read more on creating a dark web access policy at your organization here.
“Create ‘Rules of Engagement’: If your organization conducts activities described in this document, or is planning to do so, it should prepare “rules of engagement” or a “compliance program” with protocols that outline acceptable conduct for its personnel and contractors who interact with criminals and criminal organizations. Following deliberately crafted protocols that weigh legal, security, and operational considerations beforehand will discourage rash decisions that could put an= organization, its employees, and its data in jeopardy. Having documented rules may also prove useful if the organization ever faces criminal, civil, or regulatory action.”—DOJ Cybersecurity Unit
This one is up there with the “goes without saying” category of what not to on the dark web. But you can never be too careful, especially when it comes to activities that pose both technical and operational risks like dark web investigations.
“Practice Good Cybersecurity: In the situations discussed in this document, information is exchanged with cyber criminals. There is no such thing as being ‘too suspicious’ in those circumstances. Practice good cybersecurity at all times and use systems that are not connected to your company network and are properly secured when communicating with cyber criminals.”—DOJ Cybersecurity Unit
Learn more about isolated, cloud-based browsing that provides 100-percent separation between the web and your device >
When conducting a dark web investigation where criminal activity is taking place, there are several risks to consider. Make sure legal challenges for your team aren’t among them by creating a best practices protocol. These simple pieces of advice can go a long way toward avoiding legal pushback, but as always, consult your legal and security departments to create an official policy.
To protect yourself, use a program to document your activity on the dark web, such as Silo for Research. In addition to managed attribution for safe browsing, Silo for Research can help protect investigators and their employers in an audit.