Deep Web & Law Enforcement: From a Buyer Perspective, Part 2


Posted by: Allen Hoffmann, JD

December 16, 2014

Meet Matt the intelligent buyer

Matt never uses TOR at home, instead preferring to carry an encrypted USB drive with the TOR browser bundle on board and using internet cafes and public libraries; he leaves his phone at home or work when he goes to use TOR, or removes the battery from the phone completely before he heads in that direction, preferably using public transportation. If he absolutely MUST use a computer of his own, he uses a TAILS DVD or USB with no persistent volume. He does his best to avoid CCTV, and avoids places where he is known to employees or residents.

Matt is very careful to make sure that aspects of his ‘dark market’ online persona, in terms of username and identifying details, don’t correlate with any of his real life details, or for that matter, any usernames or similar information he uses on the clear net.

Matt always uses strong PGP keys (at least 2048 bit), which are again stored in encrypted form when not in use, whenever he communicates any information with sellers, because he knows that if a whole marketplace goes down, all the PMs will make for useful intelligence information, even if he’s not prosecuted. He knows that weak PGP keys are susceptible to cracking, and also knows that if the Government can break stronger PGP keys, they’re not likely to admit it just to make a dope case. More on encryption, and why you should love it even if some guy in an Embassy basement somewhere can read every word you say, will follow in later articles.

Matt buys his BTC for cash from any of a variety of sellers, and doesn’t communicate with them via any phone or email account which he:

A) created at home, work or somewhere else tied to him.

B) was used for any other purpose than dark market buying.

C) used to communicate with himself or with anyone tied to him.

Matt knows that he needs to use a burner phone, not a burner SIM; one that stays off, with the battery out, unless he’s away from home and his own cell phone. A full burner cell phone is what you need if you live somewhere that SIM cards are easy to change because, as Matt knows, changing the SIM does NOT change the IMEI associated with the phone, and in some jurisdictions a warrant can be obtained on the basis of the IMEI alone. Matt also knows that the phone companies keep a record of the SIM plugged into a given phone, thus tagging the SIM and IMEI as being associated forever, along with any calls into or out of that SIM before it reached that phone. More on intelligence development tactics used by LE will follow in later articles.

Matt has either established a drop which he checks only some time after a package is due, as he knows that the police can’t spend days waiting for him to show up, or doesn’t mind having goods sent to his house in his own name; considering that there’s no unencrypted data to be found in the house tying him to his purchases, he can, if raided, exercise his right to silence, and later, via a lawyer, deny he made any purchase. More will follow on this in the next article.

When an order doesn’t arrive on time, Matt holds off further orders and TOR use for a period of time to see if anything unusual occurs. This last point is especially important, as you will see in a moment.

Case study – Regular drug dealer in Australia uses dark market for purchases.

Another story from Australia, hailed in early 2013 by media outlets including Wired as the first Dark Web-specific conviction, was the story of a guy who bought drugs via a TOR marketplace… and then proceeded to deal them like anyone else. What brought him down? Did the police use a sophisticated intelligence device to trick his computer into thinking it was connecting to his Wi-Fi, instead letting them access his laptop? That technology and methodology exists and will be covered in a later article, but no, it wasn’t that. Did they bug his phone? Well, they probably did, but that’s not how it all got started. No, this guy’s problem was that when a package of drugs was detected in mid-2012, he didn’t take the hint, and attempted to bring in another 10 or so packages in the next 60 days – yes, 10 more packages. A total weight of almost 50 grams of MDMA and a quantity of cocaine. This went from ‘maybe this guy is of interest’ to ‘this guy is definitely of interest’ very quickly for LE, who later recovered 20,000 (not a typo – twenty THOUSAND) text messages relating to his trafficking operation. Sounds like our friend Paul the idiot, doesn’t it? The price for his stupidity? 3 and a half years in jail.

Part 4 – Who is that knocking at my door?

So, the absolute worst case scenario has happened, and the police have shown up at your house, probably in the early morning, with a piece of paper saying they can go through your things and take what they want. The reasons why they are there are not important at this moment; what you do, however, is VERY important. You may think you’re a very skilled liar, and usually, you may perhaps even be right. Right now, though, you are up against people who deal with liars every single day of their working lives: both the people they deal with, and each other.

Police will talk to you about making it easier on yourself, making it easier on others, how they will go and toss your friend’s house, your girlfriend’s house, your parents’ house if you don’t comply, how they’ll talk to the prosecutor for you, you name it. If they think they can get evidence from you or make their job easier (or both), they will say it to you. If the cop can get evidence on you, or already has enough to go and turn over some other location, rest assured, they will do so, even if you tell them where Jimmy Hoffa is buried.

Never, ever forget: a cop is not there to help you, or anyone else, when working as an investigator. Him ‘protecting the community’ right now takes a distant third place to his most likely fairly substantial ego, and something else: the investigating cop’s job is to gather evidence on behalf of the state in an effort to more effectively prosecute you. This is what they are paid for, this is what they signed up for, and this is what they are aiming to do, regardless of how they are interacting with you. In most jurisdictions, competition for these sorts of roles (as a detective or other investigator) is fierce; they didn’t wake up one morning and say ‘I want to be an investigator’, go down to the police academy, pick up a shield, and start investigating. Some have been doing it for years, and underestimating a cop, especially an investigator or a detective, is potentially suicide from an investigative perspective. They have practice in getting you to start talking, or in getting you, when talking, to omit or change something around. They want you on the record so they can try to pick apart what you said, bleary eyed and maybe hungover, in a court room where your whole future could be in the balance. The simplest solution: no matter how good you think you are, no matter what you think you are saving yourself or others from, shut your mouth, and keep it shut. Think about this every time you consider opening it: “They are already here, and they have a warrant; the time for assuming I’m under the radar is over, now they’re in ‘f*ck me over’ mode.”

The flipside to this? The police are here and you want to confess all your sins and hope they will have mercy? If they’re going to find out about what you confess anyway, you’ve earned yourself no discounts. Remember, the cop you spill your secrets to is not the same guy who decides if the matter goes to court, nor is he the guy who will be at court telling the judge what you (supposedly) did. He has very limited input on what happens; remember, the investigator is a tool employed by the state to gather evidence, not to decide your fate. Nothing you can say is going to bail you out to a greater extent than getting this critical time wrong can damage your life. You have the right, in most first world countries, to say nothing, so exercise it.

Want to be super safe? Don’t access TOR from home.

This is not likely to be a suggestion that many will adopt, but best practice is to not access TOR at home or work at all. Maybe you live in a part of the world where all internet usage is monitored or recorded for extended periods; using TOR will not protect you. What makes this an attractive option for the highly cautious is simple: unless you are the target of a protracted intelligence and surveillance operation, the resources do not exist to put together evidence sufficient to convict you for a mere purchase. There is no computer data on any computer to which you can be definitively tied which proves you ordered illegal goods, or for that matter, even used TOR.

Learn to use encryption – even if LE can break it, they aren’t telling anyone.

PGP keys are a layer of protection so easily incorporated into your routine that it’s lazy not to do so. But you have to keep your private key protected, for two reasons. One, all your inbound correspondence, if it’s been intercepted, will be available to an investigator who manages to compromise your key. Two, it’s a very convincing piece of the evidentiary puzzle: if a private key which you possess unlocks data encrypted with a public key, and that public key is associated with a particular user name (across who knows how many marketplaces), then that is evidence that you are the user name, or user names, who provided the cognate public key. Learn to use an encryption program. TrueCrypt is a good option, as you’ll see in a moment.

Case study: “John Doe” won’t give up his password, and the FBI publicly admits it can’t break it (at least, from an evidentially admissible perspective)

It was alleged by the FBI that a guy known by the pseudonym John Doe had some child exploitation material, in an appeal in the matter of the United States v John Doe (D.C. Docket Number 3:11-mc-00041-MCR-CJK for those playing at home). Their case, as far as the circumstantial evidence and the intelligence leading them to believe they had their man, and that the hard drives contained damning evidence, was solid work. The problem was, his external hard drives were encrypted with TrueCrypt, and they were forced to publicly admit that they couldn’t break the encryption, in an effort to compel Mr. Doe to give up the password. They failed to sustain this argument, but that’s not the take home message; as far as FBI cases go, if they actually can unlock this program’s encryption methods behind the scenes, they certainly aren’t prepared to admit they can in a court proceeding, and as such, as of at least 2012 (and probably for the foreseeable future), the FBI won’t be able to lead the contents of your encrypted drive in evidence against you – even if they know what you did.

Knowing what you did, and proving it, are very different things.

Coming up next: Intelligence and evidence are different things.


Updated: 2014-12-16