Mapping Real-World Use of the Onion Router

Abstract

Since its inception, The Onion Router (TOR) has been discussed as an anonymizing tool used for nefarious purposes. Past scholarship has focused on publicly available lists of onion URLs containing illicit or illegal content. The current study is an attempt to move past these surface-level explanations and into a discussion of actual use data; a multi-tiered system to identify real-world TOR traffic was developed for the task. The researcher configured and deployed a fully functioning TOR “exit” node for public use. A Wireshark instance was placed between the node and the “naked” internet to collect usage data (destination URLs, length of visit, etc.), but not to deanonymize or otherwise unmask TOR users. For 6 months, the node ran and collected data 24 hr per day, which produced a data set of over 4.5 terabytes. Using Python, the researcher developed a custom tool to filter the URLs into human-readable form and to produce descriptive data. All URLs were coded and categorized into a variety of classifications, including e-commerce, banking, social networking, pornography, and cryptocurrency. Findings reveal that most TOR usage is rather benign, with users spending much more time on social networking and e-commerce sites than on those with illegal drug or pornographic content. Likewise, visits to legal sites vastly outnumber visits to illegal ones. Although most URLs collected were for English-language websites, there were a sizable amount for Russian and Chinese sites, which may demonstrate the utilization of TOR in countries where internet access is censored or monitored by government actors. Akin to other new technologies which have earned bad reputations, such as file-sharing program BitTorrent and intellectual property theft or cryptocurrency Bitcoin and online drug sales, this study demonstrates that TOR is utilized by offenders and non-offenders alike.

Keywords

cyber-crime the onion router tor e-commerce drugs bitcoin wireshark python

Introduction

The Onion Router, more commonly known as “Tor,” is the world’s most popular web anonymization tool. By providing access to the “Dark Web,” where illicit and illegal content are typically found, Tor has earned a reputation for being an application utilized by drug dealers (Dolliver, 2015; Dolliver & Kenney, 2016), terrorists (Weimann, 2016), and people seeking child abuse material (Leclerc et al., 2021). This oversimplification belies the myriad of other legitimate use-cases for online anonymity tools.

To better understand the realities of Tor usage patterns, unbiased data are needed; this study is an attempt at quantifying Tor traffic using real-world data. The goal is to provide a comprehensive snapshot of (a) what types of sites are being visited using Tor, (b) how long (on average) they are being accessed, (c) how long (in total) they are being accessed, and (d) where they are being hosted from. To accomplish this, a rigorous data collection and organizing effort was undertaken.

What Is the Dark Web?

The internet can be categorized into three levels: the Surface Web, the Deep Web, and the Dark Web. The Surface Web is “a collection of websites indexed by search engines [that can be] easily accessed through standard browsers and internet protocols” (Chertoff, 2017, p. 26). The Surface Web is what most end-users consider “the internet,” since it is the Web’s “most easily accessible and permissive layer” (Bertram, 2015, p. 56).

Contrary to common perception, 90% of internet traffic occurs at the Deep Web level (Chertoff, 2017, p. 27) or the “class of content on the internet that, for various technical reasons, is not indexed by search engines” (Chertoff & Simon, 2015, p. 1). The Deep Web includes unlinked sites, private sites, limited-access networks, and other content which require a password to access. For example, while the main “Bank of America” website is indexed by search engines such as Google, the webpages a member of that bank may access after logging in with a password are not. Thus, www.bankofamerica.com is part of the Surface Web, while an end-user’s bank account page is part of the Deep Web. It is impossible to quantify how much larger the Deep Web is than the Surface Web, but it is safe to assume it is many magnitudes larger (Finklea, 2017, p. 3).

A small subset of the Deep Web is the Dark Web, a collection of purposely hidden, unindexed content that can only be accessed through specialized software, such as Tor (Chertoff & Simon, 2015). Estimates place the Dark Web as <0.01% of internet content (Chertoff, 2017, p. 27).

Although Tor is the most popular access point for the Dark Web, it is not the only, or even first, tool to attempt online anonymity and safety from governmental surveillance. Freenet was developed by Ian Clark and publicly released in March of 2000. Freenet was created to allow users to “anonymously share files, browse and publish ‘freesites’ (web sites accessible only through Freenet) and chat on forums without fear of censorship” (Clarke et al., 2001, p. 46). The creator described the software as “a near-perfect anarchy” (McCormick, 2013). Likewise, there is the Invisible internet Project (I2P), focused on messaging and communication and which was publicly released in 2003. I2P claims to be “an anonymous network, exposing a simple layer that applications can use to send messages anonymously and securely to each other” (Zantout & Haraty, 2011).

The Onion Router has governmental roots and a storied history. In the early 2000s, the United States Naval Research Laboratory (NRL), funded by the Defense Advanced Research Projects Agency, developed its own anonymizing technology with the intention of creating software that would protect the identities of United States military personnel and American operatives and dissidents located in repressive countries (McCormick, 2013). What resulted was the creation of Tor, which “worked by camouflaging internet requests [and] passing them through several random other IP addresses in the onion routing network before contacting the destination,” allowing for the user’s request to “remain unattached to [that] user” (Jacoby & Chow, 2016, p. 2). The name, “The Onion Router,” derives from the fact that each IP address the requests pass through “adds a layer of encryption to the signal that only it can decrypt” much like layers of an onion (Chertoff, 2017, p. 27).

Although Tor was not initially intended to be shared with the public, the NRL ran into a nearly intractable problem: If Tor were to be used only by the military, law enforcement, and related institutions, then outsiders could easily and automatically identify any Tor connections on the Dark Web as government-related and would, thus, put its users in harm’s way (Finklea, 2017; Jacoby & Chow, 2016). For governmental personnel to truly remain anonymous through Tor, they had to take a risk and allow the software to be expanded and used by all, including “those enforcing the law, those breaking it, and those just wanting an anonymous connection for a myriad of reasons” (Jacoby & Chow, 2016, p. 2).

Tor was ultimately released to the public in September of 2002, becoming a “free, open-source project for all to use and began downplaying its government origins to attract all types of users” (Jacoby & Chow, 2016, p. 3). Today, Tor is maintained by The Tor Project, a non-profit organization, and receives funding from “average users, government agencies, corporations, and NGOs” (Jacoby & Chow, 2016, p. 3). The Tor Project claims that “the goal of onion routing was to have a way to use the internet with as much privacy as possible,” and it believes that “internet users should have private access to an uncensored web” (Misata, 2013, p. 45). Currently, the United States, Russia, Germany, and the United Arab Emirates are the countries with the most Tor users (Finklea, 2017, p. 4).

Studying the Dark Web

Most scholarship and popular media coverage of Tor (and, by extension, the Dark Web) has focused on the content of “hidden services.” Hidden services are .onion (as opposed to .com or .org, etc.) web addresses that may be accessed only through Tor. These .onion hidden services are anonymous information exchanges, which hide their true IP addresses and, thus, are more secure than regular web addresses. Because these sites can only be accessed through the Tor Browser’s “.onion” addresses (Jacoby & Chow, 2016, p. 5) this allows for both the site creator and the site visitor to remain anonymous (Owen & Savage, 2015, p. 2). This layer of anonymity has allowed for drug marketplaces, child abuse material, and terrorist support hidden services to thrive and, subsequently, garner media attention. For example, one study found that, out of 3,513 illicit sites sampled on the Dark Web, 963 or nearly 30% of them consisted of content that featured child abuse images (Al Nabki et al., 2017). Likewise, Owen and Savage (2015, p. 6) found that, although child abuse images only accounted for only 2% of hidden services within the Dark Web, it was responsible for more than 80% of total hidden service requests. The number of requests over a random 12-day period to access child abuse content amounted to 168,152 requests, exceeding the number of Silk Road requests observed over the same period (8,067 requests) (Owen & Savage, 2015, p. 6). While this is disconcerting, “[m]ost Tor users have never visited any hidden website at a *.onion address” and “hidden services account for around 3% to 6% of overall Tor traffic” (Moore & Rid, 2016, p. 16).

Post-September 11, 2001, America has witnessed a dramatic increase in government surveillance coupled with severe restrictions on the privacy rights of citizens (Burney, 2007). In addition, rapid advances in technology have put “big data” at the forefront of commercial and marketing strategies, creating an online world in which every single computer click can be digitally stored, analyzed, and then used for any number of corporate-driven (i.e., profit-oriented) purposes (Cukier & Mayer-Schoenberger, 2013; Pavolotsky, 2013; Schroeder, 2018). With this immense cultural shift, Americans have begun to use the Dark Web to combat growing privacy concerns to circumvent surveillance and protect against such intrusions. A 2019 Pew Research Study highlighted these shared sentiments, observing that “Americans are concerned about how much data is being collected about them, and many feel their information is not as secure as it used to be” as well as that “much of their online activity [is] being tracked” (Auxier & Rainie, 2019). Furthermore, many Americans reported that they had “very little understanding of current data protection laws,” that there are “more risks than benefits from personal data collection,” and that they “do not think it is possible to go about daily life without corporate and government entities collecting data about them” (Auxier & Rainie, 2019).

Indeed, the results of a 2018 study reflect data privacy apprehensions. The study concluded that an increase in privacy concerns led to a 34.82% reduction in likely opposition to the Dark Web, while concerns of increased censorship led to a 10.78% reduced likelihood (Jardine, 2018b). The study also noted that Tor and related technologies observed spikes in their usage numbers following Edward Snowden’s information leaks regarding government surveillance, indicating that, if growing surveillance and subsequent privacy concerns were not addressed, more citizens would gravitate toward accessing and using the Dark Web (Jardine, 2018b).

One solution to these privacy concerns is Tor. Tor allows for anonymous web browsing of the regular Surface Web, in addition to hidden services, and approximately 96.6% of Tor users employ the software simply to browse the Surface Web free from the fear of surveillance (Jardine, 2018a, 2018b). Users can utilize Tor to access censored or blocked content, making it particularly effective in repressive countries by allowing citizens to “see the free press or talk with others about their own government without fear” (Jacoby & Chow, 2016, p. 9). Whistleblowers and political activists can use the Dark Web and Tor to report abuses from dangerous locations, blog anonymously, and speak out against government corruption (Chertoff & Simon, 2015). Similarly, journalists can use the Dark Web to access sites that allow them to transport important stories and information regarding repressive regimes safely out of the country while simultaneously protecting their identities (Chertoff, 2017, p. 29). Regarding communication, many users of Tor travel to the Dark Web to access more secure and private pipelines of messaging (Finklea, 2017, p. 8). In addition, law enforcement can use the Dark Web to establish anonymous tip lines, carry out sting operations, and to conduct online surveillance of Dark Web communities (Chertoff & Simon, 2015). Although clearnet web browsing via Tor is much more common (Jardine, 2018a, 2018b), there remains a lack of scholarship on the legal uses of the tool; most studies focusing on drug markets (Dolliver, 2015; Dolliver & Kenney, 2016) or abuse material (Leclerc et al., 2021).

Quantifying Real-World Tor Use

Before describing the methodology and data collection process, a more in-depth explanation of how both the internet and Tor operate must occur first:

When browsing the normal Surface Web internet (also known as the clearnet), web traffic follows a rather direct path. First, the user enters an URL (such as www.google.com) they wish to visit in the address bar of their web browser. Then, their internet service provider (ISP) resolves this URL into an IP address using a domain name server. Next, the user’s web browser connects to that IP address and requests the homepage of that webserver.

Tor is like this normal, clearnet process except it includes a few extra steps to increase anonymity and security. Tor operates through a series of nodes, akin to a complicated version of the childhood game Telephone. There are two types of nodes: relay and bridge. Relay nodes forward a request from an end-user through the Tor network, jumping from node to node, until the request reaches its destination (a dark web .onion or clearnet .com/.org/etc. website). This shields the IP address of the end-user from the website, so the website host does not know the location or identity of the end-user. The requested webpage is then sent back through relay nodes to the user that requested it, shielding the IP address of the webserver from the user in much the same manner. The final jump between Tor relay nodes and the destination webserver occurs on a special kind of node known as a bridge node, as this is where the request bridges the Tor network and connects to the destination website.

Monitoring web traffic is possible through specialized software called a packet analyzer. Packet analyzers, also known as packet sniffers, are computer programs or computer hardware that can intercept and log traffic that passes over a computer network. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet’s raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate specifications. Using a packet analyzer, it is possible to see which websites are being visited on a network. By placing a packet analyzer between a Tor bridge node and the internet, it becomes possible to log website requests being made via Tor.

Methodology and Data

This study is an attempt to quantify and categorize real-world Tor usage, not an effort to unmask users. This was accomplished as follows:

First, the researcher downloaded, configured, and ran a standard Tor bridge node in a virtual machine on a robust private webserver. As of May 2022, there are approximately 6,500 relay nodes, 2,500 bridge nodes, and 2.5 million Tor users worldwide (The Tor Project, 2022). As there are relatively few bridge nodes, traffic began flowing rather quickly through this new node. Next, a second virtual machine was created, which hosted the popular open-source packet analyzer Wireshark. The web traffic from the bridge node was routed through Wireshark before it connected to its destination. This process ran for 6 months, from September 2021 through February 2022, and produced 4.5 terabytes of URL and timecode data.

Given the expected illicit content on some of the destination URLs and the massive amount of collected data, it was infeasible for the researcher (or even a team of researchers) to manually review the URLs for the content being hosted. Thus, a Python script was created to automate the process. The script would pull the unique URLs from the Wireshark data, connect to the URL, and log the header text from every site it could connect to, while also noting which sites were unreachable. It also noted how long users stayed connected to each URL and what language the headers were in. This process created a series of .csv files containing: (a) unique URLs, (b) heading text, (c) length of visit, and (d) page language.

A second Python script was then created to go through the header text and categorize the websites using wordlists (see: Appendix A). A total of 27 categories were created: (1) Abuse, (2) Age_Restricted, (3) Anonymity, (4) Blog, (5) Books, (6) Chats, (7) Counterfeiting, (8) Cryptocurrency, (9) Directory, (10) Drugs, (11) Finance, (12) Forum, (13) Fraud, (14) Gambling, (15) Gay, (16) Gay_Porn, (17) Hacking, (18) Hosting, (19) Mail, (20) Market, (21) News, (22) Politics, (23) Pornography, (24) Weapons, (25) Weapons_Market, (26) Whistleblower, and (27) Wiki. This complete list was created using an iterative process; the original attempt to categorize the URLs contained only eight categories and an “other,” catch-all category. Header text for URLs in the “other” category were checked manually and added to the wordlist, then the script was rerun. This process was repeated multiple times until all URLs had a correct categorization. The results are presented in Table 1 below.

Table 1.

Tor browsing usage (September 2021 through February 2022).

Category	Percent of URLs	Average visit length (min)	Total browsing time (min)
Abuse	0.8	5	1,115
Age_Restricted	10.7	12	34,128
Anonymity	3.8	7	7,042
Blog	7.8	5	10,345
Books	0.6	6	927
Chats	1.8	16	7,808
Counterfeiting	0	0	0
Cryptocurrency	0.4	3	327
Directory	1.1	2	604
Drugs	0.2	12	684
Finance	29.7	5	39,365
Forum	4.2	14	15,484
Fraud	0.1	2	34
Gambling	0.2	22	1,034
Gay	1	20	5,160
Gay_Porn	0.9	24	5,784
Hacking	0.6	11	1,837
Hosting	0.9	18	4,140
Mail	6.1	33	53,757
Market	3.5	18	16,524
News	2.5	16	10,736
Politics	1.8	17	8,279
Pornography	1.9	21	10,542
Weapons	18.6	26	127,920
Weapons_Market	0.3	28	2,576
Whistleblower	0.1	4	104
Wiki	0.2	19	969
Average	3.7	13.6	13,600.9
Total	99.8	366	367,225

Findings

After running the bridge node for exactly 6 months (September 2021 through February 2022), the Wireshark data totaled 4.5 terabytes. The first Python script turned this into 546,542 URLs, many of these URLs were repeated, and the second Python script revealed that the data consisted of 26,495 unique URLs. Figure 1 demonstrates the categorical breakdown of these 26,495 URLs providing a “map” of Tor web browsing destinations. This allows for a discussion of the types of websites being visited via Tor but does not fully explain browsing habits. For example, while there are many more Finance unique URLs than Forum ones, it is typical to spend longer using an online forum than it is to conduct online banking. Figure 2 demonstrates usage patterns as average length of page visit (rounded to nearest whole minute). Figure 3 displays total browsing minutes for each category, which allows for an analysis of overall browsing habits. Figure 4 demonstrates the percentage of URLs in each of the 13 most common languages.

Figure 1.

Tor browsing usage by Percent of URLs.

Figure 2.

Tor browsing usage by Average Visit Length (in minutes).

Figure 3.

Tor browsing usage by Total Browsing Length (in minutes).

Figure 4.

Language by Percent of URLs.

When considering the first set of data (Figure 1), URLs by category, it is revealed that the most frequent site type is Financial (29.7%), followed by Weapons (18.6%), Age_Restricted (10.7%), Blogs (7.8%), and Mail (6.1%). These results are, perhaps, unsurprising. If end-users are fearful of their banking credentials or activities being monitored by the government or hackers, then using Tor to obfuscate finances is a worthwhile security measure. Likewise, while most firearms are legal in the United States of America, that does not mean people would like to “share” their interest in weaponry with their ISP. A manual check of the Age_Restricted sites found that the “Click if you’re 18+ years old” landing page was used almost exclusively by pornographic websites. Blogs and Mail can both be innocent or innocuous, but there are undoubtedly situations where illicit behavior can occur through each medium.

The least common categories were Fraud (0.1%), Whistleblower (0.1%), Gambling (0.2%), Wiki (0.2%), and Drugs (0.2%); none of which surpassed 1% of unique URLs. This is somewhat to be expected. Fraud, Gambling, and Drugs are all varying levels of illegal, both in the United States and around the world. Whistleblowing and Wikis are legal, but niche interests for the average web user. For example, while Whistleblowing is important and benefits from the existence of the Dark Web, there are so few whistleblowers that there is likely no need for dozens of site catering to it.

Although Figure 1 provides a useful “map” of Tor-accessed URLs, this does not provide a complete picture of browsing habits. For this, Figure 2 is much more illustrative. This figure demonstrates the average visit length for each of the categories. Mail (33 min) is the longest, followed by Weapons_Markets (28 min), Weapons (26 min), Gay_Pornography (24 min), and Gambling (22 min). This breakdown shows where on the URL “map” most time is being spent. Reading and responding to emails are time-consuming tasks, whereas Weapons_Markets, Weapons pages, Gay_Pornography, and Gambling are all content or marketplaces to be passively consumed.

The categories with the shortest visit lengths were Directory and Fraud (2 min each), Cryptocurrency (3 min), Whistleblower (4 min), and Finance, Blog, and Abuse (5 min each). URLs dealing with aspects of money (Fraud, Cryptocurrency, and Finance) were among the shortest visited sites, providing some credence to the possibility that these are simply users checking bank accounts or the daily price of Bitcoin. Whistleblower sites are usually simple “dropbox” sites, so it follows that site engagement would be temporary and it seems like most users leave Abuse sites after a few minutes, instead of engaging in extended visits.

Figure 3 produces several interesting results. First, Weapons (1st) was the category with the most overall browsing minutes, by far; more than double the next category, Mail (2nd). It is possible this is a function of being “legal enough” that there is a wide interest in the category, but “illicit enough” that end-users would prefer to keep their browsing habits private. Total minutes spent on Mail also make sense given the high average URLs visit length, plus the widespread interest in email, especially given private email services, such as “ProtonMail.” Other top categories include Finance (3rd), Age_Restricted (4th), and Market (5th); all of which skirt the line of legality, but also are widely appealing.

Categories with few overall minutes include Fraud (26th), Whistleblower (25th), Cryptocurrency (24th), Directory (23rd), and Drugs (22nd). Again, this breakdown makes sense for several reasons. The clearly illegal categories, Fraud and Drugs, are less likely to appeal to a large audience and are unlikely to have many pages devoted to them, especially on the Surface Web. Cryptocurrency is mainstream, so there is little reason to visit via Tor, Whistleblower sites are typically low-interest and simple, and Directory sites are quick stops on the way to the more interesting pages they link to.

The Surface Web is Anglo-centric with 61.1% of all websites in English, followed by Russian at 5.5% and Spanish at 4.0% (W3Techs, 2022). Although the bridge node for this research ran 24 hr a day, 7 days a week and was open to all traffic, this Anglo-centric pattern is maintained for the Dark Web as well (Figure 4). English webpages accounted for 77.7% of all unique URLs, followed by Russian (11.0%), German (2.5%), French (2.4%), and Spanish (0.8%). Just as English is most popular for both the Surface Web and Dark Web, Russian is the second-most popular language on both. Given that Tor also helps end-users circumvent governmental censorship and surveillance, the popularity of Russian-language websites is not surprising.

Limitations

Time, funding, and the Tor protocol itself necessitated some limitations to this study. First, Wireshark can only collect “clearnet” web requests made via Tor, not encrypted hidden service requests. Other studies (Jardine, 2018a, 2018b; Moore & Rid, 2016) have shown that hidden services make up only 3% to 6% of Tor requests and that clearnet requests account for the other ~95% of Tor traffic. Although this means the dataset likely summarizes the majority (~95%) of the traffic coming through the monitored node, it is safe to assume that the hidden service traffic (3-6%) is wholly different than the traffic captured. This is a sizable limitation, but to remove this limitation would require breaking Tor itself; a task that does not seem currently possible, nor moral.

Second, the data were collected over a 6-month period. Although the researcher believes this is a relatively long period of time, more data are always better, and it is possible that browsing habits during the Fall-Winter months over which the data were collected may differ from habits during Spring-Summer months. The data collection period has continued; future studies using this dataset will be based on the calendar year and include the full year.

Third, the metrics chosen (unique URLs, average page visit length, total page visit length, and page language) are not all encompassing. Indeed, categorizing pages based on header text is a rather crude method, but the only one feasible for a small research team. In the future, it would be beneficial to visit a random sample of URLs from each category to offer a more in-depth understanding of page content; though, by automating the process the researchers have shielded themselves from possibly viewing harmful content, a problem that would have to be rectified prior to introducing any level of human interaction.

Discussion

Tor and the Dark Web are widely studied (Davis & Arrigo, 2021; Dordal, 2018; Jardine, 2015; Zulkarnine et al., 2016), but usually in a similar vein: focused on the clearly illegal/illicit activities that hidden services tend to cater to. Supporters of the Dark Web frequently tout the possible benefits of anonymity software, without producing data to bolster their claims. This study is an attempt to bridge this divide and offer data that may illuminate Tor use more clearly.

The data in Figure 1 (types of sites measured as Percent of URLs) make it clear that the vast majority of clearnet sites being visited via Tor are legal and the use of Tor appears to be due to a desire for privacy. Financial, Blog, and Mail websites are all relatively innocuous; Weapons and Age_Restricted sites are less innocuous, but still probably legal. For example, given that child abuse content is illegal, not many sites with that type of content tend to have age verification checks; the check itself is one indicator that the site is attempting to err on the side of legality.

The high visit-count for banking and email websites indicates that users may be using Tor as a free alternative to paid VPNs (virtual private networks). The tool provides an additional level of protection while accessing websites via public wireless networks, like the encryption provided by a paid VPN.

The data in Figure 2 (Average Visit Length) show that another use for Tor may be to access content that is not necessarily inherently immoral, but illegal in certain jurisdictions. Gambling and Gay_Pornography content both appear to be sought-after and are frequently illegal under more oppressive governments, such as in Iran, Russia, or China.

The top three longest average page visits belong to Mail, Weapons_Market, and Weapons. Emails take time to compose, so the lengthy page visits are explainable, but it is unclear why both Weapons_Market and Weapons had such long average page visits. Perhaps end-users seeking this content are heavily interested and more privacy-focused than other types of Tor users. This type of content is not typically illegal (in the United States, at least) and American 2nd Amendment supporters are stereotyped as anti-government surveillance; this data could be evidence that there is some legitimacy to that belief.

Figure 3 (Total Browsing Minutes) shows how unbelievably disproportionate the Weapons category was overall. One possible explanation could be an interaction between browsing habits and the data collection methodology. The scripts recorded time between page visits, so using one tab or window and navigating from page to page relatively quickly would show an end-user’s “true” browsing page visit time. Another user utilizing many windows or tabs is going to “spend more time” per tab or window open, as they slowly navigate between pages on each of their open tabs or windows. An example helps illustrate: the Market and Weapons_Market categories both have lower overall browsing minutes because end-users are likely navigating the sites like Amazon: searching for one item at a time, possibly adding it to their cart, and then continuing onto the next item. An end-user searching for information about weapons might be opening dozens of tabs at once and moving between them in a more haphazard manner, each tab adding browsing minutes to the category total, while sitting inactive in the background.

Figure 4 (languages measured as Percent of URLs) offers the beginnings of a geographic map of hidden services. The data provides evidence that Tor use is heavily Anglo-centric, with secondary use in major European nations, such as Russia, Germany, France, and Spain. Although one would expect China to also be on this list, with Tor being used to evade censorship, Tor is actively blocked by the Chinese government and this is reflected in the relatively low number of Chinese-language sites being accessed (Winter & Lindskog, 2012).

It is unexpected for Drugs to be middling-to-low on both Percent of URLs (Figure 1) and Total Browsing Minutes (Figure 3). This is apart from other studies on Tor (Kaur & Randhawa, 2020; Moore & Rid, 2016), especially ones directly focused on the network and drug marketplaces (Dolliver, 2015; Dolliver & Kenney, 2016). The most likely explanation is that drugs and drug marketplaces are incredibly popular as hidden services and are, thus, outside the data collection capabilities currently possible. “The Silk Road” and its contemporary brethren (Jardine et al., 2022) may be so popular that there is no demand for clearnet drug websites accessed via Tor; once a user has set up Tor, why not visit an .onion site where the “goods” are?

The policy implications of this study vary depending on the context in which they are being suggested. The findings indicate that Tor is used to defeat state censorship and surveillance efforts (at least outside China). For liberal democracies with undercover intelligence agents in need of secure communication, Tor is a proven tool. For the domestic law enforcement agents of those same liberal democracies, Tor represents a Pandora’s box: The layers of encryption also protect law-breaking citizens. Any policy (or technology) to make users identifiable would aid law enforcement efforts, while simultaneously hindering intelligence gathering. It appears that the sites visited during our monitoring period were largely legal (in English-speaking nations), which could explain why these same nations have not spent considerable resources attempting to “break” Tor. Alternatively, if these same countries wanted to help defeat censorship under oppressive regimes, states could implement policies to further Tor penetration beyond the primarily English-speaking audience it currently has. Furthermore, the categories with possible law-breaking (ex: Abuse, Drugs, and Weapons) tend to rely on cryptocurrency payments, so efforts tracing Bitcoin are likely to be more fruitful and cost effective for law enforcement than attempts to unmask users via compromising the Tor protocol.

In conclusion, this study demonstrates that previous studies (Auxier & Rainie, 2019; Jacoby & Chow, 2016; Jardine, 2018a, 2018b), and proponents of Tor, are largely correct: The majority of Tor use appears to be largely, and simply, an attempt to browse the internet away from prying (governmental or corporate) eyes. The author hopes that this study demonstrates a novel methodology that may be adopted by future researchers to further the productive study of the Dark Web.

Footnotes

Appendix A

Category: abuse

abuse:abuse faq;report abuse

abuses abused:abuse faq;report abuse abusing:abuse faq;report abuse torture tortured tortures torturing

Category: account_page

Category: advertising

ad advert advertise advertising marketing marketers

Category: age_restricted

enter the site must be 18 18 years old 18 or older must be 21 21 years old 21 or older must be 13 13 years old 13 or older verify your confirm your

Category: anonymity

anonymity anon anonymous privacy incognito

Category: blog

blog blogs

Category: books

books libgen

Category: chats

chats chat

Category: counterfeit

counterfeit counterfeiting fake passport fake money fake usd

Category: cryptocurrency

cryptocurrency crypto blockchain btc bitcoin bitcoins binance cardona eth ethereum solana tether ltc litecoin litecoins monero ripple dashcoin dashcoins peercoin emercoin emercoins namecoin namecoins dash zcash

Category: directory

Declaration of Conflicting Interests

The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author received no financial support for the research, authorship, and/or publication of this article.

Author Biography

Adam Ghazi-Tehrani is an assistant professor in the Criminology and Criminal Justice department (with specializations in cyber-crime and white-collar crime) at the University of Alabama. Adam holds a BA from the University of California at Davis, an MS from the California State University at Long Beach, and both MA and PhD degrees from the University of California at Irvine. He is interested in regulatory, compliance, governmental, and societal factors on cyber and white-collar offenses.

His past work has discovered (or uncovered and explained) hidden crimes such as food adulteration, an attempt by the Chinese political apparatus to cover up a high-speed train crash, and ongoing virtual threats from state-sponsored cyber actors.

His current work examines international legal issues that allow for the ongoing global cyber offenses, as well as the domestic regulatory and compliance issues in the United States that allow private companies to remain vulnerable, and the effects of both on global trade and security.

His most recent publications include the book Wayward Dragon: White-Collar and Corporate Crime in China, an article on the cyber-crime phishing in Victims & Offenders, as well as an article on the media and bias crimes in Studies in Conflict & Terrorism.

References

Al Nabki

M. W.

Fidalgo

Alegre

de Paz

. (2017). Classifying illegal activities on tor network based on web textual contents. Proceedings of the 5th Conference of the European Chapter of the Association for Computational Linguistics: Volume 1, Long Papers, 35–43. https://aclanthology.org/E17-1004

Auxier

Rainie

(2019). Key takeaways on Americans’ views about privacy, surveillance and data-sharing. Pew Research Center. https://policycommons.net/artifacts/616510/key-takeaways-on-americans-views-about-privacy-surveillance-and-data-sharing/1597188/

Bertram

S. K.

(2015). The Tao of open source intelligence. IT Governance Publishing. http://www.books24x7.com/marc.asp?bookid=93180

Burney

(2007). The patriot act. Privacy: It’s None of Your Business, 24(5), 26–30.

Chertoff

(2017). A public policy perspective of the dark web. Journal of Cyber Policy, 2(1), 26–38. https://doi.org/10.1080/23738871.2017.1298643

Chertoff

Simon

(2015). The impact of the dark web on internet governance and cyber security (Global Commission on Internet Governance, No. 6, pp. 1–18). Chatham House. https://www.cigionline.org/sites/default/files/gcig_paper_no6.pdf

Clarke

Sandberg

Wiley

Hong

T. W.

(2001). Freenet: A distributed anonymous information storage and retrieval system. Designing Privacy Enhancing Technologies, 46–66. https://link.springer.com/chapter/10.1007/3-540-44702-4_4

Cukier

Mayer-Schoenberger

(2013). The rise of big data: How it’s changing the way we think about the world. The Best Writing on Mathematics, 2014, 20–32. https://doi.org/10.1515/9781400865307

Davis

Arrigo

(2021). The dark web and anonymizing technologies: Legal pitfalls, ethical prospects, and policy directions from radical criminology. Crime, Law and Social Change, 76(4), 367–386. https://doi.org/10.1007/s10611-021-09972-z

10.

Dolliver

D. S.

(2015). Evaluating drug trafficking on the Tor network: Silk road 2, the sequel. International Journal of Drug Policy, 26(11), 1113–1123. https://doi.org/10.1016/j.drugpo.2015.01.008

11.

Dolliver

D. S.

Kenney

J. L.

(2016). Characteristics of drug vendors on the Tor network: A cryptomarket comparison. Victims & Offenders, 11(4), 600–620. https://doi.org/10.1080/15564886.2016.1173158

12.

Dordal

P. L.

(2018). The dark web. In Jahankhani

(Ed.), Cyber criminology (pp. 95–117). Springer International Publishing. https://doi.org/10.1007/978-3-319-97181-0_5

13.

Finklea

(2017). Dark web (p. 19). Congressional Research Service. https://sgp.fas.org/crs/misc/R44101.pdf

14.

Jacoby

Chow

(2016). The onion router and the dark web. Tufts University. http://www.cs.tufts.edu/comp/116/archive/fall2016/cjacoby.pdf

15.

Jardine

(2015). The dark web dilemma: Tor, anonymity and online policing (Global Commission on Internet Governance Paper Series, No. 21, pp. 1–16). Chatham House. https://doi.org/10.2139/ssrn.2667711

16.

Jardine

(2018a). Tor, what is it good for? Political repression and the use of online anonymity-granting technologies. New Media & Society, 20(2), 435–452. https://doi.org/10.1177/1461444816639976

17.

Jardine

(2018b). Privacy, censorship, data breaches and Internet freedom: The drivers of support and opposition to dark web technologies. New Media & Society, 20(8), 2824–2843. https://doi.org/10.1177/1461444817733134

18.

Jardine

Cruz

Kissel

(2022). Media coverage of darknet market closures: Assessing the impact of coverage on US search and Tor use activity. Crime, Law and Social Change. Advance online publication. https://doi.org/10.1007/s10611-022-10046-x

19.

Kaur

Randhawa

(2020). Dark web: A web of crimes. Wireless Personal Communications, 112(4), 2131–2158. https://doi.org/10.1007/s11277-020-07143-2

20.

Leclerc

Drew

Holt

T. J.

Cale

Singh

(2021). Child sexual abuse material on the darknet: A script analysis of how offenders operate. Trends and Issues in Crime and Criminal Justice [Electronic Resource], 627, 1–14.

21.

McCormick

(2013, December 9). The darknet: A short history. Foreign Policy. https://foreignpolicy.com/2013/12/09/the-darknet-a-short-history/

22.

Misata

(2013). The tor project: An inside view. XRDS: Crossroads, The ACM Magazine for Students, 20(1), 45–47.

23.

Moore

Rid

(2016). Cryptopolitik and the darknet. Survival, 58(1), 7–38. https://doi.org/10.1080/00396338.2016.1142085

24.

Owen

Savage

(2015). The Tor darknet (Global Commission on Internet Governance, pp. 1–20). Chatham House. https://www.cigionline.org/sites/default/files/no20_0.pdf

25.

Pavolotsky

(2013). Privacy in the age of big data. The Business Lawyer, 69(1), 217–225.

26.

Schroeder

(2018). Big data: Shaping knowledge, shaping everyday life. In Social theory after the internet: Media, technology, and globalization (pp. 126–148). UCL Press. https://www.jstor.org/stable/j.ctt20krxdr.9

27.

The Tor Project. (2022, May). Servers. Tor metrics. https://metrics.torproject.org/networksize.html

28.

W3Techs. (2022, September 30). Usage statistics of content languages for websites. https://w3techs.com/technologies/overview/content_language

29.

Weimann

(2016). Going dark: Terrorism on the dark web. Studies in Conflict & Terrorism, 39(3), 195–206. https://doi.org/10.1080/1057610X.2015.1119546

30.

Winter

Lindskog

(2012, April 2). How China blocks the Tor anonymity network. MIT Technology Review. https://www.technologyreview.com/2012/04/04/186902/how-china-blocks-the-tor-anonymity-network/

31.

Zantout

Haraty

(2011). I2P data communication system. Proceedings of ICN, 401–409. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.927.1044&rep=rep1&type=pdf

32.

Zulkarnine

A. T.

Frank

Monk

Mitchell

Davies

(2016). Surfacing collaborated networks in dark web to find illicit and criminal content. 2016 IEEE Conference on Intelligence and Security Informatics (ISI), 109–114. https://doi.org/10.1109/ISI.2016.7745452