Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
1
IGotItOnSilkRoad:AnExaminationofKnowledgeandAttitudesTowardsTorand
theDarkWeb
©2016
ByZacharyDylanMitchell
AthesispresentedinpartialfulfillmentoftherequirementsforcompletionOftheSallyMcDonnellBarksdaleHonorsCollege
TheUniversityofMississippiUniversity,Mississippi
May,2016
Approvedby:
_______________________________Advisor:Dr.BartL.Garner
______________________________Reader:Dr.BrianJ.Reithel
____________________________Reader:Dr.DwightD.Frink
2
3
Abstract
Ascommunicationtechnologyhasgrown,sohasthepotentialforcrimestobe
committedwiththenewtechnology.TheUnitedStatesgovernmenthasattempted
tostaycurrentwiththetimesbyintroducinglegislationtoincreasefederalpowerto
detectandstopthesecrimes,butsomefeelthatsomeofthesenewlawsandacts
reducepersonalfreedomsandliberties.EnterTorandtheDarkWeb,asetofoften
misunderstoodtoolsandweb-basedresourcesdesignedtomakeusers’dataand
behaviorontheInternetanonymous.Thispaperdescribestheaforementionedlaws,
howTorandtheDarkWebwork,andexamineshowattitudestowardsprivacy
impactknowledgeandattitudestowardstheDarkWebandTor.
4
Acknowledgements
First,IwouldliketothankDr.BartGarnerforadvisingmeonthisresearchproject.
Hisadvice,knowledge,andguidancemadethisthesispossible.Iwouldalsoliketo
thankAlexisJaffeforstickingbymeandencouragingmealongtheway,evenwhenI
wastoodownaboutmyresultsortheinsurmountableresearchaheadofmeto
listen.
5
6
INTRODUCTION
Inrecentyears,newsheadlinesseemliketheyarerippedstraightfrom
sciencefictionnovels.ManybelievethatGeorgeOrwell’spredictionsin1984have
cometrue,thatBigBrotheristrulywatchingusall.Onecanprattleoffnamesofhot
buttonissuesinvolvingthegovernmentharvestingprivatecitizens’data:Eric
Snowden’sleaks,theNationalSecurityAdministration,Torandthe“deepweb.”
Softwaremanufacturersaretoldbythegovernmenttoputbackdoorsintotheir
programsthatalloweasyaccesstodata.Asclichéasitis,everycitizenisslowly
becomingtheirownWinstonSmith,whethertheyknowitornot.Whatsoundslike
theravingsofatinfoilhatwearingmanonastreetcornerhassuddenlybecomethe
featuredstoryonthenightlynews.
Towhatendisthegovernmentcollectingdataonitscitizens?Theargument
isthatitkeepsussafe.Withthisdata,theNSAwillbeabletostopcrimesbefore
theyhappenorcatchterroristsintheactjustbythesearchtermstheyenteron
Google.Maybetheyareright.Maybeitiscompletelypossibletojustifythe(upuntil
recently)secretivedatabasesofpreviouslyencrypteddataacquiredthrough
surveillancesystemslikePRISMorbyimplantingmalwareintophonestocollect
textmessages.
7
Thismakessensetosome;theinnocenthavenothingtohide,and,even
thoughtheirdataisbeingmined,whatrealharmisthereinthegovernmentseeinga
fewworke-mailsorafewquicktextstoinvitefriendsoutfordrinks?Someare
willingtosacrificetheirpersonalfreedominordertogainasenseofsafety.Yes,
thereistheoldadageaboutthosewillingtogiveupprivacyforfreedomdeserving
neither,butthisisadifferenttime.Weliveinanagewhereenemiesoffreedom,
bothfromtheUnitedStatesandoutsideofit,cancommunicatewithincredibleease
andcarryoutactsofcyberterrorismintheblinkofaneye.Thisbegsthequestion:
shouldtherebeinformationthatthegovernmentcannotaccessthroughsubpoena?
Furthermore,docitizenshavetheinnaterighttoprivacyforalloftheirdata?Do
citizenstrulycareabouttheirrighttoprivacyenoughtoseekoutmethodsto
circumventorescapegovernmentsurveillance?Toanswerthisquestion,wemust
lookatthelawsinplaceregardinginformationprivacy,thesurveillancetechnology
thegovernmentisusingtogatherdata,andtheencryptiontechnologiesthatare
usedtosecuredata.
8
REVIEWOFLITERATURE
TheOmnibusCrimeControlandSafeStreetsActof1968
Accordingtothe2013U.S.census,between73%to84%ofAmericanhomes
haveacomputerintheirhomeswithInternetaccess(RaineandD’Vera).TheUnited
Statesisanationof“pluggedin”people,withgigabytesupongigabytesofdatabeing
transmittedeveryday,whetheritisthroughhomecomputers,publiccomputers,
workcomputers,orsmartphones.TheInternethaschangedthewaypeople
communicate,bothinpersonandacrosslongdistances,butbeyondthat,ithas
becomeapartofalmosteveryfacetofanaveragecitizen’slife.Thenormalmorning
paperandcoffeeroutinehasbeenreplacedbycheckinge-mailsandreadingnews
siteheadlines.Textmessagesseemtohavereplacedtheneedforactual,physical
conversation.PurchasesaremadeeverydayovertheInternet,whethertheyarefor
consumerorbusinesspurposes.Currentsocietyistrulythebestargumentforthe
Singularitybecomingareality.
Itfollowsthat,withsuchsensitiveinformationfloatingoutincyberspace,the
governmentmayfeeltheneedtoprotecttheirowninterestsandthesafetyof
citizensbyregulatingcommunication.Althoughtherearemanylawsgoverning
communications,TheOmnibusCrimeControlandSafeStreetsActof1968,specifically
TitleIIIregardingwiretaps,laidthebasicframeworkforgovernmentpowerin
acquiringcitizen’sprivatecommunications.Theactstatedthatthenothing
9
containedwithinthedocumentitself,norpreviouslaws,wouldlimitthepresident’s
powerto“protectthenationfromactualorpotentialattackorotherhostileactsofa
foreignpower,toobtainforeignintelligenceinformationdeemedessentialtothe
securityoftheUnitedStates,ortoprotectnationalsecurityinformationagainst
foreignintelligenceactivities”(U.S.SelectCommitteetoStudyGovernment
Operations289).Atthispoint,whilethepresident’spowerseemedvirtually
unlimitedtotapwireswithoutawarrant,thelawswerestructuredaround
protectingtheUnitedStatesfromforeignattackandonlyforeignattack.Theact
simplystatesthatthesepowersdoexist,butdoesnottrulydefinetheminanyway.
BeforeTitleIII,wiretaps(whetherunderwarrantornot)wereagrayareain
theeyesoftheFourthAmendment,whichprotectscitizensfromunlawfulsearch
andseizureofproperty.Sincethereisnophysicalinvasioninawiretap,the
definitionof“search”intheFourthAmendmentwascontested,andin1928,the
UnitedStatesSupremeCourtallowedwiretapsforsuspectedbootleggersbecause
theFourthAmendment“didnotapplyunlesstheG-menphysicallyinvadedthe
defendant’spremises”(Swire12).By1968,timeshadchanged,andafurther
SupremeCourtcaseruledthatanyattempttosearch,includingwiretaps,would
havetomeettheFourthAmendmentstandardsbeforebeinglegal.TitleIIIwasan
attempttocodifythatsentimentintolaw.TheFourthAmendmentrequiresthat
searchesbereasonable,definedas“balancingthedegreeofintrusionagainstthe
needforit”(Swire13).WhileTitleIIIislargeinscope,itonlyallowswarrantless
wiretapsinsituationsthatinvolveaforeignpowerorprotectingthegovernment
frombeingcompletelyoverthrown.Again,thereisnodiscussionofexactlywhat
10
thesepowersentail,butjustabroadstatementthattheydoexist.Atthetime,small
actsofdomesticterrorismseemednegligibleintheeyesofthislaw.
TheForeignIntelligenceSurveillanceActof1978
Thenextlarge-scalepieceoflegislationtodealwithinformationprivacywas
theForeignIntelligenceSurveillanceActof1978(FISA).Asthenameimplies,the
actfocusedonforeignintelligence.TheFISAhelpeddefineexactlywhata“foreign
power”is,specificallythatthedefinitionnowincludedaforeigngovernmentnot
recognizedbytheUnitedStates,“factionsofaforeignnation”,or“agroupengaged
ininternationalterrorismoractivitiesinpreparationtherefor,”aspersection1801.
Theaforementionedforeignpowers“certainlyincludedtheCommuniststates
arrayedagainsttheUnitedStatesintheColdWar”andwerespecificallywordedto
targetsatellitenationsoftheUSSR,accordingtocyberlawexpertPeterSwire(24).
TheFISAdrewdistinctlinesbetweenUnitedStates-personsandnon-UnitedStates
persons,butwasnotsoclear-cutonwhocouldbewatched.Allagentsofaforeign
powercouldbetargetsofsurveillanceandthecriteriawasassimpleasbeingan
employeeofanon-UnitedStatesnation.UnitedStatescitizenscouldonlybe
declaredanagentofaforeignpoweriftheywere“knowinglyengagedinalisted
activity,suchasclandestineintelligenceactivitiesforaforeignpower”(Swire25).
ThisdefinitionfedoffofColdWarpanicandallowedKGBagents(orsuspected
agents)actingdomesticallytobespiedoneveniftheyweretechnicallylivinginthe
UnitedStates.
11
OnelargechangefromTitleIIItoFISAwasthat,underTitleIII,targetsof
surveillancewouldbenotifiedaftertheyhadbeenspiedonthatinformationhad
beentaken.TheFISA,however,was“cloakedinsecrecy,”onlynotifyingthetarget
whentheevidencewasusedincourtagainstthembutnotevenguaranteeingthem
therighttoseewhatthatevidencewas(Swire28).TheFISAallowedthePresident,
throughtheAttorneyGeneral,toauthorizeelectronicsurveillancewithoutacourt
orderforuptoayearoncommunicationsusedbytheforeignpowers.TheFISAalso
createdaForeignIntelligenceSurveillanceCourttograntordersforsurveillanceon
foreignpowers,effectivelycreatingachecksandbalancessystem.Inaddition,the
AttorneyGeneralwasrequiredtoreporttotheHouseandSenateIntelligence
Comitieseverysixmonthsandyearlytothegeneralpublicaboutthetotalnumber
ofapplicationsforwiretapsandthenumberthatwereactuallyapproved.
However,wiretapscouldstillbegrantedonUnitedStatescitizensthrougha
courtorder,pursuanttosection1805,whichrequiresthatthecourtfind“probable
cause”thatthesurveyedindividualorindividualsareaforeignpoweroranagentof
aforeignpower.Furthermore,theymustalsoadhereto“minimizationprocedures,”
which,accordingtoSection1801(h)(1)aredesignedtoreducedissemination,
acquisition,andretentionofmaterialcollectedfromUnitedStatescitizens.
WhiletheFISAdidregulatewiretapswithbureaucraticpressure,italso
dismissedtheFourthAmendmentrighttobenotifiedofanyseizureofpropertyin
thecaseofawiretap.Italsolegitimizedsecretwiretaps,evengoingsofarasto
provideapathtolegallyapprovethem.Thelaws,whileseeminglyopenended,still
12
requiredthatinvestigations’primarypurposebegainingintelligenceonforeign
powers.
TheUSAPATRIOTAct
AfterthetragicterroristattackthattookplaceonSeptember11th,2001,the
nextlargeprivacylegislation,theUSAPATRIOTAct(PATRIOTAct)wassetintolaw.
TheActwasdesignedtobothprovidepreventativemeasuresagainstfuture
terrorismattacksandbringinformationprivacylawsuptodatewiththeincreasing
amountofInternetaccessandtelecommunicationintheUnitedStates.The
PATRIOTAct,specificallyTitlesII,VII,andIX,dealtwithhowinformationcouldbe
collectedandthereasonswhyitcouldbecollected.Asstatedabove,theFISA
requiredordersforwiretapstocertifythat“thepurposeofthesurveillanceisto
obtainforeignintelligenceinformation”(Swire39).ThePATRIOTActchangedthis
tojusta“significant”purpose,meaningthatthesurveillancedidnothaveto
explicitlylookintoforeigncommunication.Thechange,whilesmall,highlightedthe
paradigmshiftaftertheeventsofSeptember11th.“Terrorism,”asawhole,was
morebroadlylookedatwhendeterminingthreatstoAmericanlife,notjustlarge-
scaleforeignespionage.WhileTitle18ofUSCodealreadydefineddomesticand
internationalterrorism,thePATRIOTActbroadenedtheseterms,adding
assassination,massdestruction,andkidnappingtobothforms.Somepoliticians,
suchascongresswomanTammyBaldwin,haveexpressedoutrageoverthe
expansionofthedefinitionofterrorism,deemingthedefinitiontooexpansiveand
13
implyingthatitcouldmakeAmericancitizenswhodisplaytheirdissentina
peacefulmannerouttobeterrorists(Moore,Fahrenheit9/11).
Particularlyimportanttoinformationprivacyissection814,whichredefined
termsdealingwithcyberterrorism,creatinglawsthatcouldlabelthosethatcommit
computercrimesasterrorists.AccordingtoEllenPodgoroftheAmericanBar’s
CriminalJusticeMagazine,computerdamagecanonlybeclaimedasaterroristicact
iftheaction“beknowinglycommittedandthedamageintentional.”
TitleIIiswherethesedefinitionsstarttotakeeffect.Entitled“Enhanced
surveillanceprocedures,”thesectiongreatlyenhancesthepowertointercept
communications(oral,wire,andelectronic)relatingtoterrorismandcomputer
fraud.Whileotheractsattemptedtolimitthescopeofwhomthesurveillancecould
target,thePATRIOTAct,bornfrompost-9/11fear,broadenedthespectrumof
terrorismandthuswidenedthescopeofhowmuchandwhatkindofinformation
couldbeintercepted.Onelarge,sweepingmotionisfoundinSection215,which
changesFISAlawsfromfocusingjustonelectroniccommunicationstoany
“tangible”formofintelligence,includingrecords,documents,andpapers.According
toSwire,thisallowedFISAorderstosupersedepreviouslawsandtarget
informationthatis“generallysubjecttoprivacyprotections”(40).Inaddition,the
FISAwasamendedsothattheordersonlyhavetoprovethattheinformationis
pertinenttoanauthorizedinvestigation,notthatthetargetisaforeignpoweroran
agentofaforeignpower.
WhiletheexplicitpurposeofthePATRIOTActseemstobecombating
terrorism,thischangeallowsanyonetobesubjecttoaFISAorderaslongasitcan
14
bereasonablyarguedthattheinformationgatheredisrelevanttoaninvestigation.
Therearevirtuallynolimitstothetypeoramountofdatagathered.Section206
goesevenfurtherbyprovidingalegalpathfor“roving”wiretaps.Previously,FISA
actsweretiedtoaspecifictelephone,but,toadapttochangingtimesandnew
technologylikecellphones,thePATRIOTActallowedwiretaprequeststobetiedto
anindividualpersoninstead.
Section212,titled“Emergencydisclosureofcommunicationstoprotectlife
andlimb,”detailswhenacommunicationsprovidercandiscloseinformationabout
acustomer’scommunications.Previously,providerscouldneverdothis,butnowif
they“reasonably”believethatdeathorinjuryisimminent,theycandosotoan
investigativeagency.Inaddition,whenagovernmentagencyhasacourtorderfor
thisinformation,theymustdiscloseit.This,intandemwithsection213,which
allowsthenotificationofsearchwarrantstobedelayed,presentsagovernment
withaccesstobothconsumerandpersonalinformationwithouthavingtotell
targetswhentheyarebeingsearched.
WhiletheFISAordersmayhavebeengatheredinsecret,theFISAincludeda
clausethatallowedsomeofthetargetstobenotifiedthattheywerebeingspied
upon.ThePATRIOTActgetsaroundthiswithSection215,oneclauseofwhich
states“nopersonshalldisclosetoanyotherperson(otherthanthosepersons
necessarytoproducethetangiblethingsunderthissection)thattheFederalBureau
ofInvestigationhassoughtorobtainedtangiblethings.”Whentakingthelaw
literallyatitsword,theFBIcantargetanyoneforsurveillance,forvirtuallyany
reason,andobtainanyamountofanyinformationtheywant.
15
Strangelyenough,inascenefromdirectorMichaelMoore’scontroversial
documentaryFahrenheit9/11,anewsclipfromsmalltownAmericahascitizens
extollingthevirtuesofthePATRIOTAct,callingit“agoodthing”andsomething
“thatneededtobedone.”InafitofColdWar-esqueparanoia,workingclass
Americancitizensfromalloverthecountryhadstartedtobecomesuspiciousof
terroristactivity.Thedefinitionhadexpandedsomuchthatanythingcouldbecome
atargetforterroristsandanyonecouldbeaterrorist.Onemanlivedoutatextbook
OrwellianexperienceafterbeingturnedintotheFBIbyhisfriendsbecausehespoke
outagainsttheWaronTerror.
OnemajorsafetyprovisionofthePATRIOTActisthatisstillallowsthe
protectionsofferedbytheFirstAmendment(freedomofthepress,speech,
assembly,religion,etc.)toremainuntouched.Section214,“Penregisterandtrap
andtraceauthority,”expresslyforbidsinvestigationsfromviolatingthefirst
amendment.However,italsolaysoutguidelinesforelectronicsurveillanceon
anyonesuspectedofterroristicactivities.AccordingtocongressmanJohnConyers,
“therehadtobeasurrenderingofcertain[…]rights”inorderforcitizenstofeel
safefromterrorism(Moore,Fahrenheit9/11).
HomelandSecurityAct
AlittleoverayearafterthePATRIOTActwaspassed,Congressfeltthatsome
ofthenewpowersgiventothegovernmentwereabittoobroadinscope.Thus,the
followingyear,theHomelandSecurityActof2002(HSA)waspassed.Accordingto
16
PresidentGeorgeW.Bush,thepurposeoftheHSAwasto“defendtheUnitedStates
andprotectcitizensfromthedangersofanewera”(KirkpatrickandLockhartLLP
1).TheHSAismostknownforcreatingtheDepartmentofHomelandSecurity,but
TitleIIoftheAct,“InformationAnalysisandInfrastructureProtection,”deals
directlywithcyberterrorismandinformationsecurity.Thistitleisdividedintofour
subtitles:SubtitleA–DirectorateforInformationAnalysisandInfrastructure
Protection;AccesstoInformation,SubtitleB–CriticalInfrastructureInformation,
SubtitleC–InformationSecurity,andSubtitleD-OfficeofScienceandTechnology.
SubtitleAcreatedanUnderSecretaryforInformationAnalysisand
InfrastructureProtectionwhoisresponsibleforanalyzinglawenforcementand
intelligenceinformationtodetectpotentialactsofterrorismagainsttheUnited
States.TheUnderSecretarymustalsodevelopaplanfor“securingthekeyresources
andcriticalinfrastructureoftheUnitedStates,”which,asdefinedinthislaw,
includesinformationtechnologyandsatellitesystems,effectivelygivingtheUnder
Secretarypowerovertheseareas.TheUnderSecretarycanalsodeveloppolicies
andproceduresdesignedtoprotecttheseareasofinterest,usingdata-miningand
“advancedanalyticaltools”tocarryoutthesemeasures.AccordingtotheHomeland
SecuritypracticegroupofKirkpatrick&LockhartLLP,theSecretaryofthe
DepartmentofHomelandSecurityis“broadlyauthorized”togaininformationfrom
theprivatesectorrelatingtoterrorismorsuspectedterroristactivities(2).The
informationisbrokendownintothreebroadcategories:anyassessmentor
analyticaldataregardingthreatsofterrorismtotheUnitedStates,anyinformation
17
relatingtheinfrastructureoftheUnitedStatestoterrorism,oranyunprocessed
dataonothersubjectsthatrelatetothedutiesoftheSecretary.
SubtitleBisaimedatencouraging,butnotrequiring,theprivatesectorand
stateandlocalgovernmentstoshareinformationwiththeDepartmentofHomeland
Security.Section213(3)definescriticalinfrastructureinformationas“information
notcustomarilyinthepublicdomainandrelatedtothesecurityofcritical
infrastructuresorprotectedsystems.”Thisexplicitlyincludesanyactual,
threatened,orpotentialcomputerattackormisuseofelectroniccommunications
systems.However,anyinformationvoluntarilysubmittedthroughthisactisnot
subjecttoanytypeofdisclosure,evenifitwouldfallundertheFreedomof
InformationAct.Aslongastheinformationwasknowingly,voluntarilysubmitted
andthesubmitterknewaheadoftimethattheinformationwouldnotbedisclosed,
nodisclosureisrequired.However,withoutwrittenconsentfromthesubmitter,the
informationcannotbeuseddirectlyinanycivilaction.Theinformationcanstillbe
usedtostartaninvestigationorusedtobuildevidenceagainstasuspectedterrorist.
SubtitleCprovidessomelimitationsfortheinformationcollectedbyTitleII
oftheHSA.Section221ensurestheconfidentialityandsecurityoftheinformation,
aswellaslimitsunauthorizedredistributionofinformation.Furthermore,it
attemptstoprotect“constitutionalandstatutoryrights”oftargetedindividuals.
Section225createsanothersub-actofsortswithintheHSA,entitled“CyberSecurity
EnhancementActof2002.”Whileasizableportionofthisactdealswithstricter
penaltiesforthoseconvictedofcybercrimes,oneofthemoreinterestingdetailsis
thestrikingofSection212ofthePATRIOTAct,broadeningit’sdetailedpowersand
18
allowingeasieraccesstoinformation.Thissectionchangedthewordingfrom
“reasonablebelief”to“goodfaithbelief”thatinjuryordeathmayoccur,lowering
thebarforgaininginformationontelecommunicationproviders’customers.In
addition,theword“immediate”wasdroppedandanymentionofanexpirationdate
wasstricken,makingthispermanent.
EventhoughtheDepartmentofHomelandSecuritywasestablishedinthis
act,theneedforaspecificgoverningbodyfornewlawsregardingcomputercrimes
stillremained.SubtitleDestablishedanOfficeofScienceandTechnologywithinthe
DepartmentofJustice,taskedwithdevelopingnewlawenforcementtechnology.
Thisincludedbothphysicalweaponryand“monitoringsystems[…]capableof
providingpreciselocationinformation”andtoolstoaidpreventionofcomputer
crime.
ConsideringthegreatpoweraffordedbythePATRIOTActandtheHSA,it
seemsthatitcouldbeeasyforagovernmentagencytomisusethispowerand
manipulatethelaw.TheElectronicFrontierFoundationactuallycitestwoincidents
ofthishappening:onewhereaDepartmentofJusticeattorneyusedthepretenseof
aterrorismthreatinordertoinvestigateabankrobberyandanotherwhere
informationusedtopreventa“bio-terrorism”threatwasusedinadrugsting(“Let
theSunSetonPATRIOT:Section212andHomelandSecurityActSection225:
‘EmergencyDisclosureofElectronicCommunicationstoProtectLifeandLimb”).
CriticsoftheselawsfeelthatAmericanlibertiesarebeingstrippedawayinorderfor
citizenstofeelfreer.AtwhatcostareAmericansgainingaperceivedsenseof
19
security?Thisisaquestioncriticshavegrappledwithforyearsasthesepowers
haveexpandedwitheachpassingactorlaw.
Asshowninthisthesis,thescopeofbothwhocanbetargetedfor
unwarrantedsurveillanceandhowmuchinformationcanbegleanedfromthat
surveillancehaveincreasedgreatly.Eachofthemajorlawsoractsaffected
informationprivacyareaproductoftheirtime,fromtheFISA’sconcernsabout
AmericancitizensworkingasagentsofSovietforcestothePATRIOTAct’sobsession
withbroadeningthedefinitionofterrorismtoanearall-encompassingpoint.As
such,thelawsarereactionaryresponsestotheperceivedthreatsagainstthe
structureofUnitedStateswayoflife.Theyarenotsomuchpreventativemeasures
todeterminewhowillbecomeathreatandcombatitaheadoftime,astheyare
waysofincreasinggovernmentpowerbyusingfearasacatalyst.Thisbegsthe
question:howfaristoofar?Whereisthelinebetweenthecitizens’rightprivate
informationandthegovernment’sneedtohaveit?
TorandtheDarkWeb
SomefeelthatthereshouldbeinformationontheInternetthatcannotbe
peeredintothroughnormalmeans.Thosewantingtoescapefromtheall-seeing
eyesofbigbrotherhavecreatedInternetsitesbasedaroundkeepingtheir
informationanonymous.Thesesites,collectivelyknownastheDarkWeb,are
definedbyBrightPlanet(awebsitethatcollectscontentandresourcesaboutthe
DarkWeb)asaportionofwebsites“thathavebeenintentionallyhiddenand[are]
20
inaccessiblethroughstandardwebbrowsers.”Theymakeupasmallportionofthe
DeepWeb,whichisfurtherdefinedas“anythingasearchenginecan’tfind”
(“ClearingUpConfusion–DeepWebVs.DarkWeb”).WhiletheDeepWebincludes
“normal”websitesusedeveryday,suchasbusiness’intranets,DarkWebwebsites
aretypicallyonlyaccessiblebyusingaspecializedbrowsercalledTor,andthese
sitesutilizetheextension.onioninsteadoftheordinary.comor.net.These
websites,accordingly,liveintheTornetwork.
Asexpected,afullyfunctional“secondinternet”basedinanonymityhasits
illicituses.ThemostfamousDarkWebwebsite,SilkRoad,wasamarketplacewhere
consumerscoulduseBitcoin(anInternetcurrencyalsorootedinanonymity)to
purchaseillegaldrugs,fakepassports,and“illegalservices”suchascomputer
hackers,accordingtoUSAToday(Leger).Thisisthe“face”oftheDarkWebtothe
Americanpublic:itisscary,illegal,andnationalnewspapersandmagazinescanuse
ittoexplainwhyhavingananonymousInternetisabadidea.Whenspunlikethis,it
seemslikethegovernmentwantstohavepersonalinformationsolelytostop
legitimatecrimefromhappening.However,TorandtheDarkWebcanbeusedfor
farlessinsidiouspurposes.
Tor’sofficialwebsitedefinesthenetworkas“agroupofvolunteer-operated
serversthatallowspeopletoimprovetheirprivacyandsecurityontheInternet”
(“Tor:Overview”).Tor’suseofoutsideserversmeansthatauserdoesnothaveto
makeadirectconnectiontothewebsite;theirconnectionisroutedthroughaseries
ofhiddenvirtualpassages,guardingtheiridentity.Torcanbeusedtocircumvent
censorshipfirewallsortocommunicateaboutsensitiveinformation(suchasabuse
21
andrape)withoutgivinganysortofpersonalinformationabouttheuser’s
whereaboutsorcomputer.Moreover,Torcanalsobeusedtoconnecttoandcreate
DarkWebsites,whichdonotgiveoutanylocationinfoaboutthewebsite.SinceTor
isnotapublicnetwork,itisnotsusceptibleto“trafficanalysis,”whichisthe
capabilitytoseewhoistalkingtowhoonapublicnetwork(“Tor:Overview”).
WhendataissentovertheInternet,itcontainstwoparts:adatapayloadand
aheader.Thepayloadcontains,toputitsuccinctly,the“information”ofthepacket,
suchasthetextofane-mailorthecontentofavideo.Theheadercontainsrouting
informationandthisistheparttargetedintrafficanalysis.Inlayman’sterms,as
longassomeonecansitbetweenthesenderandreceiveroftheinformation,they
canlookattheheaderandseewheretheinformationiscomingfromandwhereitis
going.TorroutesthesentcommunicationtodifferentpointsontheInternet,similar
toactionmovievillainsthatbounceillegalfundsfromhiddenbankaccountto
hiddenbankaccount.Inordertoachievethisandmaintainaspeedthatmostusers
woulddeemusable,Tormusthavealargenumberofnodes.AccordingtoRoger
Dingledine,NickMathewson,andPaulSyversonofTheFreeHavenProject,thiswas
actuallyagoalinthedesignchoicesofTor.Toachievethiscapacity,Tormustbe
usable,flexible,andsimple.Theauthorsarguethatacomplexsystemwillhavetoo
fewusers,andbecause“anonymitysystemshideusersamongusers,asystemwith
fewerusersprovideslessanonymity”(Dingledine,Mathewson,andSyverson).Ata
certainpoint,duetothemassofusersthatTorisabletousetohideinformation,the
information’soriginbecomesnearlyimpossibletodiscern.TheTornetworkcreates
aprivatepathwayby“incrementally[building]acircuitofencryptedconnections
22
throughrelaysonthenetwork”withonlythecurrentrelaypointknowingwherethe
informationdirectlycamefrom(onestepback)andwheretheinformationisgoing
(onestepforward)(“Tor:Overview”).Theclientcomputerhasadifferentsetof
encryptionkeysthanthenodecomputersdo,sononodeeverhasthecomplete
picture.Thecircuitsarerefreshedovertime,makingthemevenhardertopindown.
TheTornetworkencryptsthedatasentusingTransportLayerSecurity(TLS)
encryption(“TorFAQ”).AccordingtoT.DierksandE.RescorlaoftheInternet
EngineeringTaskForce,theTLSprotocolallowsclientstocommunicatewith
servers“inawaythatisdesignedtopreventeavesdropping,tampering,ormessage
forgery.”Theprotocolconsistsoftwolayers:theTLSRecordProtocolandtheTLS
HandshakeProtocol.TheTLSRecordProtocolprovidestwobasicfunctions:it
guaranteesthattheconnectionisprivateandthattheconnectionisreliable.
Symmetriccryptographyisusedtoguaranteeprivacy;thekeysaregenerated
separatelyforeachconnectionbasedonaseparateprotocolandeachsetofkeysis
unique.TheTLSHandshakeprotocolactsbefore“theapplicationprotocoltransmits
orreceivesitsfirstbyteofdata”andallowstheclientandservertonegotiatean
encryptionalgorithm(DierksandRescorla4).TheHandshakeProtocolprovidesa
secureandreliableconnectionfornegotiatingthesecretencryption.Inaddition,it
alsoallowseachpartytoidentifyeachotherusingasymmetric(publickey)
cryptographyinordertoauthenticatethattheinformationisbeingsenttothe
correctplace.
EachnodeintheTorsystemhasit’sownonionkey,whichisapublic
decryptionkeyusedtoauthenticateit’sstatusasatrueTorrelaypoint(“TorFAQ”).
23
AstheTorclientdeterminesitsdatapath,itstopsateachrelaypointandusesthe
keytoprovetheauthenticityofthenode.Eachrelayalsohasitsowndistinct
identitykey,whichischeckedagainstthedirectoryauthority’sdirectorysigning
key,essentiallyamasterlistofallknownTorrelays.Furthermore,Torsendsdatain
packetsof512byteseach,nomattertheactualsizeofthedatabeingtransmitted,
makingithardtodetermineexactlyhowmuchdataisactuallybeingsent.
Atfirstglance,Torseemslikeeveryblackmarketclichécometolife.What
criminalwouldnotwantavirtuallyuntraceable,anonymouswaytoselltheirwares
andcommunicateaboutillicitactivities?However,TorandtheDarkWebpresenta
newwayforaverageAmericancitizenstocommunicateaboutsensitivesubjects
withoutrevealingtheirIPaddresstopryingeyes.AccordingtotheTorProject’s
website,theFriendsServiceCommitteeandotherenvironmentalgroupsare
becomingmoreandmoreawareofgovernmentsurveillanceoftheiractivities(“Tor
Users”).Theiractivities,whilepeaceful,caneasilybeconstruedasterrorismunder
thePATRIOTAct;thusTorprovidesawaytocircumnavigatetheriskoftheir
personalinformationbecomingexposed.Furthermore,governmentwhistleblowers,
whoserightsarebeingstrippedawaymoreandmoreastheirinformation
disseminatesfurthertoAmericancitizens,canuseTortoreporttheirfindings
withoutexposingtheirlocation.Journalists,lawenforcement,bloggers,and
businessexecutives(amongothers)areallgroupsthatuseTorforlegalpurposes
(“TorUsers”).
TheTorProject’sFAQonabusestatesthatonlya“handful”ofcomplaints
havebeenlodgedagainsttheservicesinceitscreationin2003(“AbuseFAQ”).
24
Currently,Torisnotillegalinanypartoftheworld,andtheTorProjectclaimsthat
theservice’sgoodpartsoutweighitsbadones(“TorFAQ”).Torhasnobackdoorin
theirsoftware,whichwouldallowgovernmentagenciestopeekintotheflowofdata
despiteitssupposedanonymity.TheTorProjectsaysthatputtinginabackdoor
wouldbe“tremendouslyirresponsibleto[their]users,andsetabadprecedentfor
securitysoftwareingeneral”(“TorFAQ”).Becauseofthewaydatapacketssent
throughTorskiparoundfromcomputertocomputer,Internetserviceproviders
(ISPs)cannotcollectanysortofinformationontheircustomersthatuseTorand
thustheycannotsupplyanyinformationintheeventofasubpoena.AllanISPcan
seeisthattheuserisinteractingwithTorservers.
Asstatedbefore,Torbrowserscanaccessspecialsiteswiththetop-level
domainname.onion,colloquiallyreferredtoas“onions.”Thesesitesarepartofthe
DarkWeb,andthustheTordirectoryservermustprovidethelook-upservicetoget
tothesewebsites(“TorFAQ”).Thesewebsitesfunctiondifferentlyfromnormal
websiteinthatthereisnoIPaddressassociatedwiththemduetohowTorworks.
Toaccessthesite,theusermustmanuallyenterinthelong,complexstringsof
lettersandnumbers,followedby“.onion.”Whilemanyoftheseonionsareusedfor
illegalpurposes(suchastheaforementionedSilkRoad),othersareusedforless
insidiouspurposes,suchashostingabackupofgovernment-transparencywebsite
Wikileaks.Theinterestingpartaboutonionsisnotthecontentthattheycontain,but
theirmereexistenceandthequestionstheypose.Onionsallowinformationtobe
storedontheInternetbutnotstoredinanyonelocation.Whilethesitescanbeshut
down(again,aswasthecasewithSilkRoad)theinformationisnotsubjecttothe
25
samerulesthattherestoftheInternetmustfollow.Onionsareawaytobuild
websites,andthereforeanInternet,inawaythatcircumventsgovernmenttraffic
monitoring.
26
RESEARCHMETHODSANDPROCEDURES
Method TheoverallobjectiveofthisstudyistodetermineiflevelsofDarkWeb
awarenessrisewhenlevelsofgovernmentsurveillanceawarenessrise.Iam
hypothesizingthattheydo,soasaperson’sawarenessofgovernmentsurveillance
rises,themorelikelytheyaretohavesomesortofknowledgeabouttheDarkWeb.
Itstandstoreasonthatapersonawareofgovernmentsurveillancewouldwantto
takestepstoprotecttheirinformationandidentityonline,andthuswouldseekout
toolstodoso.Governmentsurveillancehasbecomesuchaningrainedpartoflife
thatcitizensareconstantlyremindedof.Citizensmaywanttofightbackanddo
somethingtoprotecttheiranonymity.WhileTormaynotbetheeasiesttooltoseek
out,itisoneofthemoreeffectiveones.Thisstudytakestheformofaquestionnaire,
giventomanagementinformationsystemsstudentsattheUniversityofMississippi.
Theyweregiventheoptiontotakethesurveyinclass.
Instrument
Thestudyitselfisintwoparts.Thefirstpartisbasedonasurveycreatedby
Dr.AnnieI.AntonandDr.JuliaB.Earpintheirpaper“ExaminingInternetPrivacy
ValueswithintheContextofUserPrivacyValues.”Thesurveymeasuresattitudes
towardsvariousissuesininformationprivacywhicharebrokendownintosix
factors:personalization(theuseofcookiesandpersonallyidentifyinginformation
(PII)tocustomizeadvertisementsorotherfacetsofusers’onlineexperience),
27
notice/awareness(websitesmakingusersawareoftheirPIIbeingusedindifferent
ways),transfer(users’PIIbeingtransferredtoathirdparty),collection(different
sortsofinformation,suchasbrowserconfigurationorinformationaboutbrowsing
habitsbeinggathered),informationstorage(unauthorizedpersonnel,including
hackers,gainingaccesstoauser’sinformation),andaccess/participation(users
beinginvolvedintheprocessoftheirPIIbeingcollected).Thisinstrumentis
modeledinFigure1.AntonandEarp’ssixindependentvariables,thesixfactors,
Figure1:AntonandEarp’sInstrument
directlyimpactthedependentvariable,attitudestowardsinformationprivacy.
Personalization
N/A
Transfer
Collection
InfoStorage
A/P
Privacyattitudes
28
Ihaveaddedaseventhfactorintothestudy,DarkWeb.Asthenameimplies,
thissectionmeasuresDarkWebawarenessandtheparticipant’sintenttousethe
DarkWebinthefuture.ThisismodeledinFigure2.Thesixindependentvariables
arejoinedbyanothervariable,DarkWeb.Allsevenoftheseindependentvariables
affecttheoriginaldependentvariable,privacyattitudes,whichinturnimpactsa
newdependentvariable,DarkWebawareness.Eachofthesefactorsisfurther
brokendownintomultiplequestions,whichareratedbytheparticipantonascale
ofhowmuchtheparticipantagreeswitheachstatement,from“stronglyagree”to
“stronglydisagree.”Whilemany
Figure2:AntonandEarp’sInstrumentWiththeDarkWebVariable
Personalization
N/A
Transfer
Collection
InfoStorage
A/P
Privacyattitudes
DarkWeb
DarkWebawareness
29
ofthequestionsinAntonandEarp’ssurveyarefocusedonexaminingtheuseofPII
bymarketers,itwillbeinterestingtoseehowattitudestowardsaperceived“good”
use(customizationofwebexperience)willdifferfromaperceived“bad”use
(governmentsurveillance),eventhoughbothinvolvetheuseofsimilarinformation.
Theadvantageofusingthisscaleoverothersisthatparticipantsfindthedifferent
factorsrelatable(Preibusch1141).Thismeansthattheparticipantswillhavemore
knowledgeandunderstandingofthefactorsandwillhopefullyleadtomore
accurateanswers.ThisisthemainreasonwhyAntonandEarp’sinstrument’swas
chosenasopposedtoothers;thecurrentstudyisfoundedonthatbreakingthe
complexprivacyissuesbroughtuponbygovernmentactaftergovernmentactinto
smaller,morerelatablepieceswillresultintherespondentstrulyexaminingtheir
ownvaluesandattitudestowardsinformationprivacyandtherebyyieldingmore
accuratedataforanalysisinthisstudy.
AntonandEarpcreatedthisinstrumentbysplittingdifferentwebsites’
privacypoliciesintosmallerphrasestoanalyzetrends(Earp,Anton,Aiman-Smith,
andStufflebeam229).Thesestatementswerethenplacedintooneoftwelve
categoriesdealingwithinformationprivacy.Thecategorieswereconsolidatedinto
thesixaforementionedfactors,designedspecificallyto“tapintotheuser’svaluein
termsofprivacypolicies”(Earp,Anton,Aiman-Smith,andStufflebeam231).Ina
followuppaper,“HowInternetUsers’PrivacyConcernsHaveChangedSince2002,”
AntonandEarpnotedthatInternetusersseemedprimarilyconcernedwith
informationtransfer,notice/awareness,andinformationstorage,whicharealsoof
primaryconcerninthecurrentstudy(Anton,Earp,andYoung1).
30
Figure3:InstrumentwithOptionalUnifiedTheorySection
ThesecondsectionofthesurveyistakenfromtheUnifiedTheoryof
AcceptanceandUsageofTechnology,developedbyViswanathVenkatesh,Michael
G.Morris,GordonB.Davis,andFredD.Davisforthearticle“UserAcceptanceof
InformationTechnology:TowardaUnifiedView.”Thisspecificallymeasuresthe
participants’perceivedusefulnessandintenttousetheDarkWeb.Thissectionof
thesurveyisonlyaccessibletothosewhoindicatethattheyhavepreviouslyused
TortoaccesstheDarkWeb.ThesecondsectionactsasamoderatortotheDark
Webawarenessvariable,providingmoreinsightintousers’perceivedvalueofthe
DarkWebandTor,asshowninFigure3.Theseresults,combinedwiththeresults
Personalization
N/A
Transfer
Collection
InfoStorage
A/P
Privacyattitudes
DarkWeb
DarkWebawareness
UnifiedTheory
31
fromthefirstpartofthesurvey,shouldprovideabetterideaofhowinformation
securityawarenessimpactsDarkWebusageandawareness.
Figure4:DataModelSummary
Factor1:Personalization PersonalizationdealswithhowmuchuserswouldliketheirPIItobeusedcustomizetheirwebexperience.
Factor2:Notice/Awareness NoticeandawarenessdealwithhowmuchuserswouldliketobenotifiedthattheirPIIisbeingused.
Factor3:Transfer TransferdealswithauserinterestinwhotheirPIIistransferredtoafterawebsitecollectsit.
Factor4:Collection Collectiondealswiththekindsofinformationthatarecollectedfromauserandthevaluetheyplaceoneachtype.
Factor5:InformationStorage Informationstoragedealswiththeuser’sinterestinunauthorizedpersonnelgainingaccesstotheirdata.
Factor6:Access/Participation AccessandparticipationdealwiththeuserbeinginvolvedintheprocessoftheirPIIbeingcollected.
Factor7:DarkWeb DarkWebdealswiththeparticipant’sknowledgeoftheDarkWeb.
UnifiedTheoryofAcceptanceandUsageofTechnology
WhentheparticipantrespondsthattheyhaveusedTortoaccesstheDarkWeb,theyaretakentothissectiontomeasuretheirattitudesandopinionsabouttheDarkWeb.
32
DATAANALYSISANDRESEARCHRESULTS
AntonandEarp’sSevenFactors
Figure1.1
Figure1.1showstheresultsofthefirstfactorofthesurvey,personalization.
Theuserswerepresentedaseriesofstatementsregardingtheuseoftheir
personallyidentifyinginformation(PII)tocustomizewhattheyseeonline.Across
theboard,mostrespondentsshowedsomelevelofconcernovertheirinformation
andpurchasinghabitsbeingusedtocustomizetheirwebexperience.Thefirst
statementreadthattheymindedtheirPIIbeingusedtocustomizetheirbrowsing
experience,towhich29.87%stronglyagreed.Thesecondstatementdealtwith
cookies,towhich32.47%ofrespondentsstronglyagreedthattheymindedcookies
ontheircomputer.Thethirdstatementdealtwithpurchasinghistory,and28.57%
stronglyagreedthattheymindedtheirpurchasinghistorybeingusedtocustomize
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
1 2 3 4 5
Factor1:Personalization
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
33
theirwebexperience.Themaincauseofconcernwasstatementfour,whichsaid
thattheymindedtheirPIIbeingusedformarketingandresearchactivities.45.45%
respondedthattheystronglyagreed.Finally,thefifthstatementsaidthatthe
respondentsmindedawebsitemonitoringtheirpurchasingactivities,towhich
35.06%stronglyagreed.Whilecustomizationofwebexperiencecouldbe
consideredapositiveoutcomeofPIIorpurchasinghistorycollection,itisevident
thatmostrespondentsarestillwaryofit,withfewdisagreeingwiththestatements
(andinthecaseofquestiontwo,noonestronglydisagreeing).
Figure1.2
Figure1.2showstheresultsofthesecondfactorinthesurvey,
notice/awareness.Inthisfactor,respondentswerepresentedwithstatements
aboutbeingnotifiedthattheirPIIisbeingusedorthatitisbeingcollected.Notably,
twoofthestatementshadnoonestronglydisagreewiththem,andstatementfour
hadnodisagreementatall.Thefirststatement,which57.14%stronglyagreedwith,
statedthattherespondentswantedtheoptiontodecidehowtheirPIIisused.The
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
1 2 3 4 5
Factor2:Notice/Awareness
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
34
secondstatementstatedthattheywantedawebsitetodisclosesecuritysafeguards
inplacetoprotecttheirPII,which51.95%stronglyagreedwith.Thethirdstatement
dealtwithwebsitesdisclosinghowtheirPIIwouldbeuse,which59.74%strongly
agreedwith.Thefourthstatement,whichhadthehigheststronglyagreepercentage
at61.04%,statedthattheywantedawebsitetotellthemwhenthewebsitewould
usetheirPIIinawaynotpreviouslydisclosed.Finally,thefifthstatementsaidthat
therespondentswantedtobeinformedofchangestoawebsite’sprivacypractices,
which59.74%stronglyagreedwith.Again,aswithfactor1,mostoftheresponsesto
thissectionwerepositive,almostoverwhelminglyso.
Figure1.3
Figure1.3showstheresultsoftheanswersfromthethirdfactor,transfer.
Thesestatementswereabouttherespondents’PIIandpurchasinghabitsbeing
transferredfromthewebsitethatcollectedthemtoathirdparty.Thefirststatement
saidtheparticipantsmindedwhentheirpurchasinghabitsweretransferredtoa
thirdparty,whichgathereda53.25%stronglyagreeresponserate.Thesecond
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
1 2 3
Factor3:Transfer
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
35
statement,whichdealtwiththeir“information”inageneralsensebeingsharedwith
thirdparties,had58.44%stronglyagree.Finally,thethirdstatementsaidthatthe
respondentsmindedwhentheirPIIwasboughtbyortradedtothirdparties,which
gotthehigheststronglyagreeresponseofthisfactorat66.23%.Again,the
responsestrendedmostlypositive,withonlyasmallportiondisagreeingwiththe
statementseachtime.Interestinglyenough,asmallernumberofrespondents
stronglyagreedwiththemarketingandresearchquestionsinFactor1thantheydid
forthefirstquestioninthissection.Thiscouldbeattributedtothefirstsection
dealingwithwebexperiencecustomization,apotentiallypositiveoutcomeofPII
sharing,whilethissectiononlydealswithitinvaguetermsofsharing.
Factor1.4
Factor1.4containstheresultsoftheresponsestothefourthfactor,
collection.Inthisportion,respondentswereprovidedaseriesofstatementsabout
thekindofinformationawebsitemaycollectfromauser.Thefirststatementsaid
thattheparticipantsmindwhenawebsitegathers(withouttheirpermission)
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
1 2 3 4 5
Factor4:Collection
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
36
informationabouttheirbrowsingpatterns.Thisgarnereda53.25%stronglyagree
responserate.Thesecondstatement,whichdealtwithawebsitegathering
informationabouttheuser’sbrowserconfiguration,gathereda54.55%strongly
agreeresponse.Thethirdstatementsaidtheusersmindedwhenawebsitecollected
theirIPaddresswithouttheirpermission,which61.04%stronglyagreedwith.The
stronglyagreeresponsesfinallydipinthefourthstatement,withonly44.16%
stronglyagreeingwithmindingawebsitecollectinginformationaboutthecomputer
oroperatingsystemtheyareusing.Thefifthandfinalstatementsaidthe
respondentsmindedawebsiterecordingthepreviouswebsitesthattheyhadbeen
to,andonly45.45%ofparticipantsstronglyagreedwithit.
Thestronglyagreenumberstendedtotrenddowninthissection,asmore
respondersbegantofeelneutralaboutthestatements.Statementfour’sneutrality
ratewas20.78%.Thismaybebecausewebsitesroutinelyneedinformationabout
operatingsystemorbrowserconfigurationtodisplaycontentcompletelyand
accurately(forexample,awebsiteshowingadifferentprogramdownloadtoOSX
usersthanWindowsusers).Interestingly,lessuserstendedtoagreewiththe
statementfromfactor1dealingwithcookies,anotheracceptedpartofinternet
browsingandwebsitefunctionality.
37
Figure1.5
Figure1.5showstheresultsofthefifthfactor,informationstorage.This
factorcontainedtwostatementsaboutwhoisactuallyaccessingthedatastoredby
websites.Thefirststatementsaidthattheparticipantwasconcernedwith
unauthorizedemployeesgainingaccesstotheirinformation,which64.94%strongly
agreedwith.Thesecondstatementsaidthattherespondentswereconcernedwith
unauthorizedhackersdoingthesame,and74.03%stronglyagreedwiththat.
Almostnoonerespondednegativelytoeitherstatement.Theseareveryeasy
statementstoagreewith,asbotharegenuineconcernsoverdataprivacyandsafety.
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
1 2
Factor5:InformationStorage
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
38
Factor1.6
Factor1.6containstheresultsoftheanswerstothethirdfactorofthe
survey,access/participation.Thetwostatementsinthisfactordealtwithwhata
usercoulddowiththeirPIIafterawebsitehascapturedit.Thefirststatementsaid
thattheuserswantedtobeabletochecktheirPIIforaccuracy,which42.86%
agreedwith.Thesecondandfinalstatementsaidthattheparticipantswantedtobe
abletomodifytheirPII,whichgathereda35.06%stronglyagreerate.
Thissectionhadthesmallestgapbetweenstronglyagreeandagreeofanyof
theoriginalsixfactors.Itisalsotheonlyfactortodealwithhowauserinteracts
withtheirdataafteritiscollected,whichmayexplainsomeoftheapathyandthe
highneutralityrate.Still,barelyanyparticipantsdisagreedwithwantingtobeable
tochangetheirPII.
0.00%5.00%10.00%15.00%20.00%25.00%30.00%35.00%40.00%45.00%50.00%
1 2
Factor6:Access/Participation
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
39
Factor7:DarkWeb
Figure1.7
Figure1.7containsinformationabouttheseventhfactor,darkweb.Thisis
oneofmyowndesignthatIaddedtotheendoftheoriginalinstrument.Itspurpose
istotestknowledgeofthedarkweb,andtheresponsesvariedgreatlyfromtherest
ofthesurvey.Thefirststatementsuccinctlysaidthattheparticipantwas
knowledgeableaboutthedarkwebanditsuses.Interestingly,25.97%agreedwith
thestatementfollowedby23.38%disagreeing.Thesecondstatementsaidthatthe
participanthasaccessedtheDarkWebthroughtheTorbrowseratsomepointinthe
pastorwillinthefuture.31.17%neitheragreednordisagreedwiththestatement,
while27.27%disagreedand20.78%stronglydisagreed.Thefinalstatementinthe
surveyandthisfactorisaninverseofthefirststatementinthisfactor.Itstatesthat
theparticipanthaslimitedknowledgeofthedeepweb.Strangely,36.36%actually
0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00%
40.00%
1 2 3
Factor7:DarkWeb
StronglyAgree
Agree
NeitherAgreenorDisagree
Disagree
StronglyDisagree
40
agreedwiththisstatementversusthe23.38%thatdisagreedwithbeing
knowledgeable.
UnifiedTheoryofAcceptanceandTechnology
TheresultsfromtheUnifiedTheoryofAcceptanceandUsageofTechnology
(includedinAppendix#1)shedssomelighthowtherespondentsthatanswered
thattheyhadusedTorforbrowsingtheDarkWeb.Whilenegativeresponserates
foreverystatementwerelow,ofnoteisstatement9,“usingthesystemisabad
idea.”54.55%neitheragreednordisagreedwiththestatement,meaningthat,
overall,mostrespondentsthathadusedTortoaccesstheDarkWebdidnotassigna
moralvaluetoit.Thesameamountneitheragreednordisagreedwiththestatement
thatTorwasfun.Thestatement“Iamapprehensiveaboutusingthesystem”
actuallygarneredthemostrespondentsstronglydisagreeing,with18.18%,buta
highnumberalsoagreed,with45.45%respondingthattheyagreedinsome
capacity.EvenTorusers(frequentandinfrequent)viewTorandtheDarkWebas
somethingthatmightnotbethebestidea.Therecouldbemanyreasonsforthis,
frommediastereotypingtotheuserspotentiallyseeingsomethingillicitwhileusing
theDarkWeb.
41
Analysis
Figure2.1
Overall,45.45%eitheragreedorstronglyagreedthattheyhadknowledgeof
theDarkWebanditsusesbutonly20.78%agreedthattheyhaduseditorwould
useitinthefuture.Theobjectiveofthisstudywastodetermineifanincreasein
privacyconcernwouldleadtoanincreaseinattitudesregardingtheDarkWeb.One
waytodeterminethisiscorrelation,whichexamineshowtwovariablesmovein
tandem.Ascoreof1isperfectpositivecorrelation,meaningthatasonevariable
increasestheothervariablealwaysincreaseswithit.Likewise,ascoreof-1is
perfectnegativecorrelation,meaningthatasonevariableincreases,theother
-0.1
-0.05
0
0.05
0.1
0.15
0.2
0.25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
CorrelationwithQuestion23
42
alwaysdecreases.Inthiscase,theindependentvariableisanyoneofthequestions
aboutprivacy(takenseparately)andthedependentvariableisDarkWeb
knowledge.
Figure2.1containsthecorrelationresultsforstatement23,“Iam
knowledgeableabouttheDarkWebanditsuses.”Thehighestvariablepositively
correlatedwiththisstatementisstatement18,“Imindwhenawebsiterecordsthe
previouswebsiteIvisited”with0.22correlation.Otherhighlypositivelycorrelated
variablesincludestatement3,“Imindwhenawebsiteusescookiestocustomizemy
browsingexperience”(0.19)andstatement5,“Imindwhenawebsitemonitorsmy
purchasingpatterns”(0.20).Afewstatementsdipintonegativecorrelation,the
lowestofwhichbeingstatement12,“Imindwhenmyinformationissharedwith
thirdparties”(-0.067).Thereisnotmuchinformationtogleanfromthis;thethree
highestpositivelycorrelatingstatementsdonothaveatrendrunningthroughthem
(besidesthefirstandthelastbothdealingwithinternetbrowsinghabits,albeit
tangentiallyonthelast)andtheyarenothighlypositivelycorrelatedwiththe
dependentvariable.Thisimplicitlymeansthatanincreaseinattitudestowards
InternetprivacydoesnotleadtoanincreaseinDarkWebknowledge.Thetwo
variablesdonothavemuchpositiveimpactoneachotherandatworsttheyare
negativelycorrelated.
Thesecondmethodofanalysischosenwasthet-test,whichexaminestwo
groupstoseeiftheyarestatisticallydifferentfromeachother.Itcomparesthe
meansofbothgroupstoseehowsimilartheyare,whichgoestoshowhowmuch
overlapthereisineachsection.Iwantedtotesteachvariableindividuallyagainst
43
Factor7,“IamknowledgeableabouttheDarkWebanditsuses.”Todothis,I
selectedthefirstquestionofeachfactortouseasthefirstgroup(asthefirst
questionwasgenerallythemostexplanatoryfortheentirefactor)andusedthefirst
questionofFactor7asthesecondgroup.Inthiscase,thenullhypothesisisthatthe
twovariablesmeasuredinthetesthavenorelationshiptoeachother.Iusedthe
standardalphaof0.05forallofthetests.
t-Test:Two-SampleAssumingUnequalVariances
Variable1
Variable2
Mean 2.350649 2.792208Variance 1.467532 1.666781Observations 77 77HypothesizedMeanDifference 0
df 151tStat -2.18858P(T<=t)one-tail 0.015082tCriticalone-tail 1.655007P(T<=t)two-tail 0.030164tCriticaltwo-tail 1.975799
Figure3.1
Figure3.1showsthefirstquestionofFactor7testedagainstthefirst
questionofFactor1,“ImindwhenawebsiteusesmyPIItocustomizemybrowsing
experience.”Thealphaoftheseresults,0.030164,islessthanthealphausedto
conductthetest,0.05,thenullhypothesisisrejected,meaningthatthetwovariables
haveastatisticallysignificantrelationship.
44
t-Test:Two-SampleAssumingUnequalVariances
Variable1
Variable2
Mean 1.506494 2.792208Variance 0.411141 1.666781Observations 77 77HypothesizedMeanDifference 0
df 111tStat -7.82664P(T<=t)one-tail 1.6E-12tCriticalone-tail 1.658697P(T<=t)two-tail 3.19E-12tCriticaltwo-tail 1.981567
Figure3.2
Figure3.2showsthefirstquestionofFactor7testedagainstthefirst
questionofFactor2,“IwanttheoptiontodecidehowmyPIIisused.”Again,the
variablesarestatisticallysignificant,asthealphaisfarlessthan0.05.
Variable
1Variable
2Mean 1.844156 2.792208Variance 1.291183 1.666781Observations 77 77HypothesizedMeanDifference 0
df 150tStat -4.83706P(T<=t)one-tail 1.62E-06tCriticalone-tail 1.655076P(T<=t)two-tail 3.24E-06tCriticaltwo-tail 1.975905
Figure3.3
45
Figure3.3showsthefirstquestionofFactor7testedagainstthefirst
questionofFactor3,“Imindwhenawebsitedisclosesmybuyingpatternstothird
parties.”Again,thealphavalueoftheresultsismuchlowerthanthealphausedto
conductthetest,sowecanrejectthenullhypothesis.
t-Test:Two-SampleAssumingUnequalVariances
Variable1
Variable2
Mean 1.831169 2.792208Variance 1.273753 1.666781Observations 77 77HypothesizedMeanDifference 0
df 149tStat -4.91783P(T<=t)one-tail 1.14E-06tCriticalone-tail 1.655145P(T<=t)two-tail 2.29E-06tCriticaltwo-tail 1.976013
Figure3.4
Figure3.4showstheresultsofthetestingdoneonthefourthfactor.Once
again,thealphaislessthan0.05,sowecanrejectthenullhypothesis.
46
t-Test:Two-SampleAssumingUnequalVariances
Variable1
Variable2
Mean 1.454545 2.792208Variance 0.488038 1.666781Observations 77 77HypothesizedMeanDifference 0
df 117tStat -7.99625P(T<=t)one-tail 5.11E-13tCriticalone-tail 1.657982P(T<=t)two-tail 1.02E-12tCriticaltwo-tail 1.980448
Figure3.5
Figure3.5showsthefirstquestionofFactor5testedagainstthefirst
questionofFactor7.Onceagain,thealphaislowerthan0.05,sowecanrejectthe
nullhypothesis
t-Test:Two-SampleAssumingUnequalVariances
Variable1
Variable2
Mean 1.454545 2.792208Variance 0.488038 1.666781Observations 77 77HypothesizedMeanDifference 0
df 117tStat -7.99625P(T<=t)one-tail 5.11E-13tCriticalone-tail 1.657982P(T<=t)two-tail 1.02E-12tCriticaltwo-tail 1.980448
Figure3.6
47
Figure3.6holdstheresultsforthefinaltestinwhichthefirstquestionof
Factor6wastestedagainstthefirstquestioninFactor7.Onceagain,wecannot
rejectthenullhypothesis.
Suggestionsforimprovement
Thestatementsregardingprivacyinthefirstsectionofthesurveyarevery
broadandeasytoagreewith.Forexample,mostInternetusersareprobably
worriedabouthackersonsomesortofbroadlevelormostuserswouldliketobe
notifiedwhentheirPIIisbeingusedinwaystheyhadnotpreviouslyagreedto.The
factthatseveralearlyquestions(especiallyinfactor4)hadlittletonodisagreement
provesthis.Thesebroad,generallyagreeablestatementsmaynothaveprobeddeep
enoughtoproveanysortofdeeperinvestmentintoprivacyissuesandtherefore
agreeingwiththemdoesnotprovethattherespondentswouldseekoutwaysto
remedytheirfears.Usingmorepointed,directstatementsmaybemoreeffective.PII
isalsoabroadtermthatcouldpotentiallyhaveaconnotationfrompersonto
person,whichcouldalsoskewtheresults.Finally,thisstudywasalsodone
exclusivelywithmanagementinformationsystemsstudents.Perhapswideningthe
scopetothoseoutsideofcollegeaswellcouldprovidemoreenlighteninganswers.
48
CONCLUSION
TorandtheDarkWebaretoolstocircumventgovernmentsurveillanceand
pryingeyes.TheyexisttomaintainanonymityontheInternetandcouldbe
consideredaformofpeaceful,civildisobedience(dependingonwhatthat
communicationisusedfor).Findingsfromtheresearchconductedsuggestthat
concernwithinternetprivacyissuesandtheuseofpersonallyidentifying
informationbywebsitesandthirdpartiesisnotcorrelatedtodarkwebknowledge
orusage.Mostrespondentsagreedorstronglyagreedwiththestatements
regardingprivacybutthoseconcernsdidnottranslatetoaneedorwantto
circumventthemwithTor.
Whycouldthatbe?45.45%ofrespondentsthatusedToratallsaidthatthey
wereapprehensiveaboutusingthesystem,eventhoughresponsestoother
questionsindicatepositiveattitudestowardsusingTor.Itstandstoreasonthatthe
numberofthosethatareapprehensiveaboutTorthathavenevertoucheditcould
behigher.Coulditbethesocialstigma?Theterm“DarkWeb”isgenerallyassociated
withbuyingdrugsontheinternetorviewingillicitpornography,twoactsthatmost
peopledonotwanttobeassociatedwith.Orcoulditperhapsbethattheyare
frightenedofbeingputontheeverpresent“watchlist”thatthegovernmentholds?
Regardlessofthereason,myhypothesisthatahigherconcernwithInternetprivacy
leadstohigherDarkWebawarenessisincorrect.However,eachofthe
representativequestionsforthefactorswerestatisticallysignificantinsomeway.
Takenindividually,eachofthefactorsseemstohavesomesortofaneffectonDark
49
Webknowledge,butacrosstheboardtheyaren’tcorrelated.Itispossiblethatthe
impactthateachofthevariableshasonDarkWebawarenessissmall,albeit
significant,meaningthatmyhypothesisisindeedcorrect,butasimpleglanceatthe
numbersseemstoprovethatwrong.Allthatwastestedforisthatthevariables
werestatisticallysignificantintheirimpact,notthattheimpactwaspositiveor
negative.
EventhoughIwaswrong,thisleadstoevenmorequestionsandmore
opportunitiesforresearch.CoulditbethatTorisjusttoomuchfortheaverage
user?Hasthemediastigmatizedittoomuch?Itisveryinterestingthatconcerns
withInternetprivacydonotleadtoaneedtocircumventit.Perhapssomecitizens
havejustgiveninandfeltlikethereisnothingtheycandotoprotectthemselves.
Limitations
Thisresearchwassubjecttolimitations.Thefirstlimitationofthisproject
wasthedemographic.Whilethesamplesizeof79isreasonable,thestudywasonly
conductedwithmanagementinformationsystemsstudents,mostabovetheageof
20andbelow30.Whileopeningthedemographicsuptopeopleoutofcollegemay
justmakethevariablesevenlesscorrelated,itcouldalsoprovideamoretruetolife
picture.
Inaddition,thethesiswaslimitedbytheinstrumentchosen.Whilethe
instrumentprovidedvaluableinsightintoattitudesregardinginternetprivacy
issues,itcontainsquestionsaboutmarketingresearchandothertopicsthatare
50
slightlyoutsidethescopeofthestudy.Theoriginalinstrumentwascreatedby
examininghealthcarewebsites’privacypolicies.Thatmaygivesomeinsightinto
thekindsofprivacyinvasionsthatpeopleagreeto,butdoesnotexactlyfitthe
standardsofgovernmentsurveillance.
Whilethoseattitudesareincludedwithinthebroadumbrellaof“privacy
issues,”theymaybealittletoobroadtoleadtotheexpectationthattherespondents
woulduseTor;thatistosay,justbecauseyouareconcernedthatFacebookis
changingitsadstoreflectwhatyouhavelookedatonAmazon,thatdoesnotmean
youaregoingtoseekoutTor.Manyoftheissuesbroughtupbythestatementshave
solutionsoutsideofaccessinganewnetwork,suchasadblockersoftwareor
browserextensionslikeNoScript.TheDarkWebfactormayhavealsobeennot
extensiveenoughtoreallygraspthequestionof“why,”eventhoughthatwasnot
necessarilyapartofthehypothesis.Eventhenatureofasurveyitself(giveninclass,
noless)lendsitselftopotentiallylessthanhonestanswers.
FurtherResearch
Forfurtherresearch,Iwouldfirstsuggestexpandingthescopeofthe
researchtoincludethoseoutofcollege.Ifthefocusremainspeoplewhoare
computersavvy(asistheassumptionwhendealingwithmanagementinformation
systemsstudents),possiblyexpanditouttoITprofessionals.Iwouldalso
recommendexpandingtheinstrumenttoincludemorequestionsaboutspecific
51
governmentsurveillance,possiblyinanentirelynewfactor,andexpandingtheDark
WebsectiontoincludesomeoftheideasfromtheUnifiedTheory.
52
REFERENCES
Raine,Lee,andD’veraCohn.“Cenus:Computerownership,InternetconnectionvarieswidelyacrossU.S.”PewResearchCenter.14Sept.2014.17March2015.
UnitedStates.SelectCommitteetoStudyGovernmentOperations.Supplementary
DetailedStaffReportsofIntelligenceActivitiesandtheRightsofAmericans.Washington:GPO.Web.18March2015.<http://www.aarclibrary.org/publib/church/reports/book3/html/ChurchB3_0001a.htm>.
Monnat,DanielE.,andAnneL.Ethen.“APrimerontheFederalWiretapActandItsFourthAmendmentFramework.”KansasTrialLawyersAssociationJournalMarch(2004):12-15.Web.18March2015.<http://www.monnat.com/wpcontent/uploads/2012/03/Wiretap.pdf>.
ForeignIntelligenceSurveillanceActof1978.Pub.L.95-511.92Stat1783.25
October1978.Web.20March2015.<http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf>.
Swire,Peter.“TheSystemofForeignIntelligenceSurveillanceLaw.”George
WashingtonLawReview.72(2004):1-104.Web.20March2015.USAPATRIOTAct.Pub.L.107-56.115Stat272.26October2001.Web.1April2015.
<http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf>.
Podgor,EllenS.“ComputerCrimesandtheUSAPATRIOTAct.”CriminalJustice
Magazine17.2(2002).Web.2April2015.<http://www.americanbar.org/publications/criminal_justice_magazine_home/crimjust_cjmag_17_2_crimes.html>.
“ClearingUpConfusion–DeepWebVs.DarkWeb.”Brightplanet.n.p.27March
2014.Web.15April2015.<http://www.brightplanet.com/2014/03/clearing-confusion-deep-web-vs-dark-web/>.
Leger,DonnaLeinwand.“FBICracksSilkRoad.”USAToday15May2014.Web.15
April2015.<http://www.usatoday.com/story/news/nation/2013/10/21/fbi-cracks-silk-road/2984921/>.
Tor:Overview.TorProject.n.d.Web.16April2015.
53
<https://www.torproject.org/about/overview.html.en>.TorUsers.TorProject.n.d.Web.16April2015.
<https://www.torproject.org/about/torusers.html.en>.
AbuseFAQ.TorProject.n.d.Web.16April2015.<https://www.torproject.org/docs/faq-abuse.html.en>.
TorFAQ.TorProject.n.d.Web.16April2015.
<https://www.torproject.org/docs/faq.html.en>.Dierks,T.andE.Rescorla.“TheTransportLayerSecurity(TLS)ProtocolVersion
1.2.”InternetEngineeringTaskForce.August2008.Web.20April2015.<http://tools.ietf.org/html/rfc5246?as_url_id=AAAAAAVBehpzRqATU5xWpMSTPjTY4oV6aOnai43OyHdsdcjqdSlYu0y-i_wtuyMcDhdfR_le_fBCnWW1xu50YwXZ7oot>.
KirkpatrickandLockhartLLP.“TheHomelandSecurityActof2002–ASummary.”
HomelandSecurityBulletin.March2003.Web.20April2015.<http://www.martindale.com/matter/asr-8824.pdf>.
HomelandSecurityActof2002.Pub.L.107-296.116Stat2135.25November2002.
Web.25April2015.<http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf>.
“LettheSunSetonPATRIOT:Section212andHomelandSecurityActSection225:
‘EmergencyDisclosureofElectronicCommunicationstoProtectLifeandLimb.”ElectronicFrontierFoundation.n.d.Web.25April2015.<https://w2.eff.org/patriot/sunset/212.php>.
Dingledine,Roger,NickMathewson,andPaulSyverson.“Tor:TheSecond-
GenerationOnionRouter.”TorProject.n.d.Web.25April2015.<https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf>.
Fahrenheit9/11.Dir.MichaelMoore.LionsgateFilms,2004.Earp,J.B.;Anton,A.I.;Aiman-Smith,L.;Stufflebeam,W.H.“ExaminingInternet
privacyvalueswithinthecontextofuserprivacyvalues.”IEEETransactionsonEngineeringManagement.2005.6December2015.<http://ieeexplore.ieee.org.umiss.idm.oclc.org/stamp/stamp.jsp?tp=&arnumber=1424412>.
Anton,AnnieI.;Earp,JulieB.;Young,JessicaD.“HowInternetUsers’Privacy
ConcernsHaveEvolvedSince2002.”IEEESecurityandPrivacy.29July2009.6December2015.<http://theprivacyplace.org/blog/wp-content/uploads/2009/07/tr_2009_16.pdf>.
54
Preibusch,Soren.“Guidetomeasuringprivacyconcern:Reviewofsurveyand
observationalinstruments.”Int.J.Human-ComputerStudies.71(2013)113-1143.15September2015.
Venkatesh,Viswanath,MichealG.Morris,GordonB.Davis,andFredD.Davis.“User
AcceptanceofTechnology:TowardsaUnifiedView.”MISQuarterly.September2003.6December2015.<http://nwresearch.wikispaces.com/file/view/Venkatesh+User+Acceptance+of+Information+Technology+2003.pdf>.
55
APPENDIX1:INSTRUMENT
Factor1:Personalization1. Imindwhenawebsiteusesmypersonallyidentifyinginformation(PII)to
customizemybrowsingexperience.2. Imindwhenawebsiteusescookiestocustomizemybrowsingexperience(A
cookieisinformationthatawebsiteputsonyourharddisksoitcanremembersomethingaboutyouatalatertime).
3. Imindwhenawebsiteusesmypurchasinghistorytopersonalizemybrowsingexperience(e.g.bysuggestingproductsformetopurchase).
4. ImindwhenmyPIIisusedformarketingorresearchactivities.5. ImindwhenaWebsitemonitorsmypurchasingpatterns.
Factor2:Notice/Awareness
1. IwanttheoptiontodecidehowmyPIIisused.2. IwantaWebsitetodisclosesecuritysafeguardsusedtoprotectmyPII.3. IwantaWebsitetodisclosehowmyPIIwillbeused.4. IwantaWebsitetoinformmebeforeusingmyPIIinamannerthatithad
notpreviouslydisclosedtome.5. IwantaWebsitetokeepmeinformedofchangestoitsprivacypractices.
Factor3:Transfer
1. ImindwhenaWebsitedisclosesmybuyingpatternstothirdparties.2. Imindwhenmyinformationissharedwiththirdparties.3. ImindwhenmyPIIistradedwithorsoldtothirdparties.
Factor4:Collection
1. ImindwhenaWebsitethatIvisitcollects(withoutmyconsent)informationaboutmybrowsingpatterns.
2. ImindwhenaWebsitethatIvisitcollects(withoutmyconsent)informationaboutmybrowserconfiguration
3. ImindwhenaWebsitethatIvisitcollects(withoutmyconsent)informationaboutmyIPaddress(anumberthatidentifiesyoucomputerfromallothercomputersontheInternet).
4. ImindwhenaWebsitethatIvisitcollects(withoutmyconsent)informationaboutthetypeofcomputer/operatingsystemIuse.
5. ImindwhenaWebsiterecordsthepreviousWebsiteIvisited.Factor5:InformationStorage
1. Iamconcernedaboutunauthorizedemployeesgettingaccesstomyinformation.
2. Iamconcernedaboutunauthorizedhackersgettingaccesstomyinformation.
Factor6:Access/Participation
1. IwantaWebsitetoallowmetocheckmyPIIforaccuracy.
56
2. IwantaWebsitetoallowmetomodifymyPII.Factor7:DarkWeb
1. IamknowledgeableabouttheDarkWebanditsuses.2. IplanonaccessingtheDarkWebthroughtheTORnetworkinthefutureor
haveinthepast.3. MyknowledgeoftheDarkWebislimited.