Compliance Management, Threat Management, Privacy

Tor creators debate research saying 80 percent of dark web traffic attributed to child abuse sites


Although a recent study found that nearly 80 percent of anonymous network Tor's traffic was to child abuse sites containing pedophilia material, one of the network's original designers and various experts have spoken out to say that the staggering stat cannot be taken at face value.

After six months of running 40 “relay” computers in the Tor network, Gareth Owen, computer science researcher at the University of Portsmouth, and his team categorized the sites anonymous users visited through the group's machines. A majority of Tor hidden service traffic came from botnet computers that were looking for instructions from a command-and-control (C&C) server running Tor. But with this automated traffic taken out of the count, Owen's team found that 83 percent of remaining visits were to child abuse sites.

However, the team, as well as Nick Matthewson, chief architect, researcher and director of Tor, also noted that the majority of the network's hidden services pertain to drug-related sites. Only about 2 percent of hidden services are considered child abuse sites.

The discrepancy between the findings and reality of hidden services could have to do with the surfing habits of users visiting the pedophilic sites. Matthewson explained in a Tuesday blog post that the research group might have observed a disproportionate number of hidden service directory requests.

“Basically, a Tor client makes a hidden service directory request the first time it visits a hidden service that it has not been to in a while,” Matthewson wrote. “If you spend hours at one hidden service, you make about one hidden service directory request. But if you spend one second each at 100 hidden services, you make about 100 requests. Therefore, obsessive users who visit many sites in a session account for many more of the requests that this study measures than users who visit a smaller number of sites with equal frequency.”

He went on to say that the data the researchers collected could tell more about the surfing habits of a particular group of Tor users, as opposed to the reality of the network's traffic.

Adam Kujawa, head of malware intelligence at Malwarebytes Labs, wrote in a Wednesday comment to that Matthewson's response reminds that, “while the results sound scary, it's likely that they can be misinterpreted, skewed, and the original data might contain lots of outliers. The fact is unless Tor decided that they were going to have monitoring software installed on every single node available, as a requirement, then we will never be able to identify the exact user activity, as a whole, on the network; we can only look at bits and pieces of a puzzle with no solution.”

The data could also have been skewed by law enforcement and anti-abuse groups who monitor pedophilia dark web sites, which could have counted as visits. Additionally, distributed denial-of-service (DDoS) attacks could have created traffic, Tor's creators told Wired.

The findings were presented at the Chaos Computer Congress in Germany on Tuesday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.