Tor and the Bitcoin: An Exploration into Law Enforcement Surveillance Capability Online

Written by Kimberly Mehlman-Orozco, PhD

In an age of security, surveillance, and Snowden, even civilians with nothing to hide may presuppose that they are under some form of surveillance from the government. The public assumption is simple: saying something as innocuous as “bombardier” might be a trigger word that could result in a wiretap without a warrant. While this may very well be the perception in the United States, thousands of criminal networks are still operating regardless of the increased reach of government surveillance. Drug dealers, human trafficking syndicates, prostitutes, and child pornographers are all able to sell, market, and distribute their services and wares openly online and through alternative forms of communication and mechanisms for transactions.

While it is common knowledge that law enforcement surveillance in the United States has increased in recent years, most assume that it was primarily a policy response to the tragedy on 9-11. Within the field of criminology, theory and empirical research provide an evidentiary basis that accompanied this policy shift. Specifically, Routine Activities Theory provides a framework for focusing on surveillance to prevent crime. According to Routine Activities Theory, crime occurs where a motivated offender, victim, and lack of a capable guardian converge in time and space. While earlier solutions to addressing these crimes focused on incapacitating, rehabilitating, or otherwise deterring the “motivated offender,” more recent strategies focus on strategically deploying “capable guardians” or law enforcement to areas with high concentrations of crime, called “hot spots.” A “capable guardian” can be an actual law enforcement officer, a camera, or something as simple as a streetlight to increase visibility. Theoretically, having strategically placed surveillance or “capable guardianship” prevents crime.

Born of Routine Activities Theory, “hot spot policing” focuses on the provision of capable guardianship at high crime locations. This technique is recognized as an evidence-based innovation within the field of criminology and policing. Hot spot policing research is supported by millions of federal and state grant dollars, is the topic of hundreds of peer-reviewed articles in top-ranked journals, and has been recognized with the most competitive awards in criminology, such as the Stockholm Prize. This research provides rich evidence to suggest that police should focus their resources on the location of crime as opposed to the offender. When focusing on the individual or motivated offender, police are always chasing a moving target. Instead, police can better allocate resources toward areas with high concentrations of crime, called “hot spots”. These “hot spot” crime locations are stable over time and research suggests that patrolling these areas decreases crime without geographic displacement. Collectively, crime and place scholars claim that crime just does not move around the corner, and police can make a measurable impact on preventing crime by focusing on geographic concentrations.

A growing body of hot spot policing literature empirically validates the Routine Activities theoretical framework and associated “hot spot policing” solutions. These studies suggest that crime is in fact concentrated in small units of geography or “hot spots,” and deploying capable guardians to these “hot spots” is shown to result in strong reductions in crime. The idea that crime is concentrated into relatively few micro units of geography was initially supported by the work of Lawrence Sherman et al. Using spatial data on 323,979 calls for service to police in Minneapolis, MN over one year, Sherman, Gartin, and Buerger (1989) found that 3% of the street addresses produced 50% of police calls for service. Over the years, this spatial relationship was substantiated with new and more rigorous research. Using data on drug crimes in Jersey City, NJ, Weisburd and Mazerolle (2000) concluded that 4% of street segments generated approximately 50% of narcotics arrests, as well as a greater proportion of serious crime and disorder problems. Weisburd, Morris, and Groff (2009) corroborated this pattern with their study, which analyzed juvenile arrest data in Seattle, WA over 14 years. Their longitudinal study found that 50% of arrests occurred in less than 1% of street segments. Using a trajectory analysis of the Seattle, WA juvenile arrest data—which included over 1.5 million incident reports linked to almost 30,000 street segments—Weisburd, Bushway, Lum, and Yang (2004) established that geographic crime concentration is stable over time, with 4-5% of street segments accounting for approximately 50% of crime over 14 years. These data provide strong empirical evidence that the majority of crime is concentrated in relatively few geographic places.

In developing a response to these findings, scholars evaluated the efficacy of deploying police to crime “hot spots,” a strategy termed “hot spot policing”. Koper (1995) examined the residual deterrence effects of police patrols in crime “hot spots” in Minneapolis. His study established that the optimal dosage of preventative patrol was 15 minutes, which led to statistically significant reductions in crime. Similarly, Weisburd, Wyckoff, Ready, Eck, Hinkle, and Gajewski (2005) found that by deploying limited police resources to crime hot spots in Jersey City, NJ, they were able to reduce prostitution and drug crimes significantly and effectively. In fact, they found that the beneficial reductions in crime were actually diffused to the surrounding geographic catchment areas as well. Given these findings, researchers and practitioners in the field of criminology have begun to conclude that crime just doesn’t move around the corner; police can effectively deter crime by directing patrols to crime “hot spots.”

The Virtual Displacement of Street Crime with Tor

Although a growing body of experimental research supports the conclusion that hot spot policing can effectively prevent crime on the street, how does this surveillance affect “street crimes” that occur online? Arguably, the surveillance reach of the government may fall short of providing capable guardianship online. Services that make users virtually anonymous like The Onion Router (Tor) stifle government investigation and policing. Theoretically, an Internet user’s IP address serves as their virtual identification. In a perfect world for law enforcement, anything an Internet user did or said online could be traced back to their real identity and location using their IP address. However, computer-savvy criminals can easily use the IP addresses of others by hacking into computers remotely. As a result, when law enforcement does track a particular illegal activity back to an individual IP address, it may be that of an innocent victim of virtual identity fraud, not the criminal himself or herself. Alternatively, for the less than adept criminal, The Onion Router (Tor) can automatically provide virtual anonymity to anyone who simply downloads and uses the Tor browser package. The browser facilitates anonymity by constantly bouncing the IP addresses between users across the world and periodically erasing the trace memory. Technically, information accessed or distributed through Tor travels through encrypted layers of the network and Internet Exchange Points (IXPs) or autonomous systems (ASes) that control multiple routers, such as ISPs (Internet Service Providers). At present there are over 3,000 relays randomly used to encrypt the identity of users to and within the Tor network. While the Tor service may have an important legitimate purpose by protecting the civil liberties of users, such as whistleblowers or journalists, we would be remiss if we did not recognize the implications for criminal enterprise.

To illustrate the anonymity provided by Tor, a series of Tor browser login attempts were recorded by documenting the masked IP addresses and associated locations. Although the IP address for each user changes after every login, it should be noted that some of the routed IP addresses are eventually repeated. In this series, three IP addresses from France, Canada, and an unknown location were repeated three times each and three IP addresses from France, United Kingdom, and an unknown location were repeated twice. This repetition is important because it highlights a potential opportunity for law enforcement to identify the user over time; a possibility discussed further below.

The diverse geographic dispersion of the masked IP addresses illustrates a prima facie barrier to tracking down cyber criminals operating on Tor. Extradition complexities may further inhibit the ability to identify, surveil, and arrest illicit users. Furthermore, while IP address repetition may create an opportunity for law enforcement, it is important to recognize that 30% of the IP addresses returned as “unknown” locations. Host relays employing additional security measures such as a second Virtual Private Network (VPN) or Transport Layer Security (TLS) cryptographic protocol may provide further protection from surveillance.

The Bitcoin

The online anonymity facilitated by masking, routing, or concealing the user IP address is one piece of the online black market. The development of the Bitcoin is also part of the equation. Bitcoin is marketed as a “decentralized digital currency” for a global market. It is a peer-to-peer electronic currency that removes banks and other exchange entities from transactions. However, the anonymity it provides also further protects illicit transactions online. Essentially, instead of using a credit card, debit card, or online payment system like PayPal, which can easily be tracked back to a person, black market virtual industries use Bitcoin, an Internet currency, to anonymously pay for their purchases without a trace. The Bitcoin currency used in an illicit transaction is “tumbled” with the currency of others before and after each transaction, so hypothetically it would be difficult if not impossible to trace the actual Bitcoin back to a particular transaction or user. This automated money laundering process creates an additional barrier for law enforcement and prosecutors. According to Christopher, few digital-currency money laundering “charges have been filed and no cases have yet proceeded through trial to verdict.” Bitcoin prosecution is difficult because digital currency agencies are not necessarily considered financial institutions, and as such, anti-money laundering regulatory schemes and requirements may not apply. More importantly, “serious questions exist regarding whether U.S. courts have jurisdiction for crimes that occur in cyberspace.”

Despite evident barriers, recent developments suggest that law enforcement may be closing in on illicit Bitcoin transactions. For example, shortly after the Department of Homeland Security issued a seizure warrant for the failure to register as a money transmitting business, one of the largest digital currency exchange services, Mt. Gox, collapsed and filed for bankruptcy in February 2014. Although the bankruptcy resulted in a loss of $450 million worth of Bitcoins, which was followed by a value decrease from $1,200 in 2013 to $600 in 2014, financial analysts suggest that the Bitcoin value and use will continue to increase in the future.

The Virtual Black Market Bazaar

With the backdrop of anonymous access to the Internet and the ability to conduct untraceable transactions, anything can be bought, sold, and distributed online. Millions of pornographic images and videos of children aged 0-17 can be procured on Tor as easily as a children’s book on Amazon. Terrorists communicate freely, and anyone can purchase guns, C4, explosives, or armor piercing ammunition without a background check. Are you in the market for drugs? Large and small quantities of cocaine, marijuana, ecstasy, and heroin are available, with drug dealer reviews from other users to describe quality and expediency, just as if you were purchasing from a reputable eBay seller. Would you like to buy a human, or perhaps have one killed? You can arrange that as well. These illicit transactions are accessed through Tor on the dark net. The dark net is a peer-to-peer network for exchanging non-commercial goods on encrypted sites, such as .onion sites.

While many of the .onion sites are shared through peer-to-peer referral, they can also be publicized through Pastebin lists. Many of the websites are oriented toward drug consumerism, such as The Silk Road, Atlantis, and Black Market Reloaded, while a smaller proportion facilitate other illicit activities such as child pornography, arms trafficking, and counterfeiting. Despite operating under the protection of Tor, the .onion websites often migrate the URL to further stifle surveillance. Recent research suggests that the member support and harm reduction ethos of the online illicit marketplaces minimize actual and consumer-perceived risks.

While these illicit websites seem to operate without interference from law enforcement, the perception of security is wavering. Most notably, the arrest of Ross Ulbricht and the closure of the largest black market bazaar, Silk Road, in October 2013 caused considerable concern within the Tor community. Ulbricht was tracked by the FBI after he accessed his website using, instead of Tor, a Virtual Private Network (VPN) linked to an e-mail with his actual name. However, following the closure of Silk Road, hundreds of illicit websites opened up to absorb the traffic. The resiliency of the illicit market gave users the impression that these criminal enterprises will continue to flourish on Tor; an impression of impunity that manifested with the quadrupling in value of the Bitcoin after Ulbricht’s arrest.

Law enforcement entities have made it clear that the Internet is too vast for them to police entirely. While they are aware of the larger illicit websites and are making attempts to monitor and track hosts, there are thousands of smaller websites providing illicit services, millions of individual users producing illicit materials, and billions of peer-to-peer transactions that take place concurrently, without garnering attention from authorities. Ultimately, in the race against crime it seems as if two steps taken by illicit syndicates precede every step taken by law enforcement.

Future Research

It is important for criminologists, law enforcement agents, practitioners, and the general public to understand that law enforcement innovation is a process of competition and adaptation. When law enforcement practices begin to threaten the survival of criminal enterprises, they will adapt. With each adaptation, there is a learning curve for law enforcement to overcome. Illicit enterprises such as Silk Road had been in operation for several years, but only recently have researchers begun to theorize and test algorithms for corrupting the anonymity provided by secure browsers like Tor. Johnson et al. use a Tor path simulator (TorPS) to illustrate how the anonymity provided by Tor could be susceptible to threats over time, facilitating the identification of users. Points of entry and exit to the Tor network are identified as weaknesses, which could be exploited. Johnson et al. found that there was an “80% chance of deanonymization within six months by malicious guard and exit.” Although these simulation methods are likely already utilized by federal agencies in an attempt to identify website hosts and possibly track frequent users, at present they cannot identify the occasional user or users who employ multiple levels of security in addition to Tor. Furthermore, even if law enforcement does identify a particular user responsible for a large amount of illicit traffic, chances are the responsible party may be based in a foreign country, presenting additional problems regarding jurisdiction and extradition. Future research should further evaluate methods for identifying anonymous users engaged in criminal activity online and extend these tools to international and state level law enforcement agencies.

In addition to developing methods for compromising the anonymity provided by Tor, researchers are also beginning to develop methods of tracking exchanges with Bitcoin currency, linking transactions to users and illicit purchases. Meiklejohn et al. apply heuristic clustering methods to group Bitcoin purchases, which could hypothetically be used by agencies with subpoena power to track transactions. While these innovative methods of virtual policing continue to develop, we must recognize that neither hot spot policing, nor virtual policy, nor any other police innovation will reduce the underlying market for drugs, illegal arms, child pornography, terrorism, or human trafficking. They will only improve or hurt our chances of enforcing the law until the next adaptation, and then the cat and mouse game will ensue.

It is also important to adapt and expand evidence-based concepts to cyber crime, such as Routine Activities Theory and “hot spot” policing. According to Yar, in order to apply routine activities theory to cyber crime, virtual environments must exhibit “spatiotemporal ontology congruent with that of the physical world.” In her application of Routine Activities Theory to cyber crime, Yar recognizes that these crimes do have cyber-spatial relationships, originating in certain virtual places, with geographic concentration in various countries. Additionally, motivated offenders and suitable targets seem homologous between terrestrial and virtual settings. Innovative research in this area has begun to uncover potential patterns to suggest that online surveillance should target cyber crime hot spots. For example, Moreira Moura found that 20 out of 42,201 Internet service providers (ISPs) were responsible for approximately 50% of all spamming IP addresses, most of which were based in Southern Asia. Future research should continue applying these concepts to the dark net and other types of cyber crimes.

According to Routine Activities Theory and the growing body of research on “hot spot policing,” capable guardians have the ability to significantly deter motivated offenders. However, although “hot spot policing” significantly reduces crime on the street, current levels of guardianship may fall short in addressing burgeoning criminal enterprises online. Criminologists should consider evaluating this new trend, further explore innovative methods of online surveillance, and test the effects of capable guardianship on the prevention of virtual “street crimes.” Since research and data on the deep web are in their infancy, this essay only provides limited insight into these trending criminal markets. A better understanding of these markets is imperative because the new frontier of policing is online, and the sooner law enforcement adapts, the better.

Kimberly Mehlman-Orozco, PhD, is the Executive Director of The Justitia Institute.