Linux Security Fundamentals. David Higby Clinton.

Author: David Higby Clinton
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
ISBN: 9781119781561
it all looked, you deleted the whole thing. Nothing to be embarrassed about now, right? Except that there’s a good chance your site content is currently being stored and publicly displayed by the Internet Archive on its Wayback Machine (https://archive.org/web/web.php). It’s also not uncommon for online profiles you’ve created on social networking sites like Facebook or LinkedIn to survive in one form or another long after deletion.

      The Dark Web

      A popular way to describe places where you can engage in untraceable activities is using the phrase dark web. The dark web is made up of content that, as a rule, can’t be found using mainstream internet search engines and can be accessed only through tools using specially configured network settings. The private or hidden networks where all this happens are collectively known as the darknet. The tools used to access this content include the Tor anonymity network that uses connections that are provided and maintained by thousands of participants. Tor users can often obscure their movement across the internet, making their operations effectively anonymous. Like VPNs, the dark web is often used to hide criminal activity, but it’s also popular among groups of political dissidents seeking to avoid detection and journalists who communicate with whistleblowers.

      A great deal of the data that’s stolen from servers and private devices eventually finds its way to the dark web.

      What Are My Responsibilities as a Site Administrator?

      Besides the moral obligation to protect your users and organization from harm, you will probably also need to ensure that your infrastructure configurations meet legal and regulatory requirements. One particularly prominent set of laws is the European Union’s General Data Protection Regulation (GDPR). The GDPR affects any organization that processes data that is sent either to or from the European Union (EU). Failure to appropriately protect the privacy and safety of protected data moving through EU territory can result in significant—even crippling—fines.

      Other regulatory systems that might, depending on where and how your organization operates, require your compliance include the Payment Card Industry Data Security Standards (PCI-DSS) administered by major international credit card companies and the US government’s Health Insurance Portability and Accountability Act (HIPAA).

      Can Escaped Genies Be Forced Back into Their Bottles?

      Well, let me ask you this: have you ever successfully returned a genie to its bottle? I thought so. Unfortunately, it would probably be just as impractical to even try to find and delete all copies of stolen data that’s been spread across an unknown number of sites, including some on the dark web.

      What Can I Do as a User?

      Here’s a good place to start: think carefully before posting anything on an online platform. Are you revealing too much about yourself? Will you be comfortable having your future employers and grandchildren read this 10 or 20 years from now? Try to anticipate the places your content might end up and what value it might have for people you’ve never met—people unconstrained by ethical concerns who care only about making money.

      Be realistic about your data. Don’t assume that the contacts with whom you share files and information will be the only ones to see them. Even if your own accounts will remain secure, their accounts might not. And who says those friends or colleagues will respect your privacy preferences indefinitely?

      Never assume the file storage or sharing platform you’re relying on won’t change its privacy rules at some point in the future—or, even better, that it’ll never decide to sell your data to someone else.

      Finally, here’s one that makes a ton of sense and is absolutely obvious. But not only am I sure you’ve never done it, I’m confident that you probably never will. Remember those check boxes you’re required to click before you can open a new online account? You know, the ones that say something like this:

      “I have read and accept the terms of the privacy policy.”

      Well, have you ever actually read through one of those documents before clicking? Me neither. I mean, Google’s Privacy and Terms document (https://policies.google.com/privacy?hl=en) is around the same length as this chapter (and not nearly as much fun). Who’s got the time? On the other hand, reading it from start to finish would probably give you important insights into the real-world consequences of using Google services. It might even convince you to change the way you use its products. And reading the privacy documents for all the platforms you use would undoubtedly make you a better and safer consumer.

      But we all know that’s not happening, right?

      Establishing Authenticity

      Think About the Source

      Always carefully consider the source of the information you want to use. Be aware that businesses—both legitimate and not—will often populate web pages with content designed to channel readers toward a transaction of some kind. The kind of page content that’ll inspire the most transactions is not necessarily the same as content that will provide honest and accurate information. That’s not to say that private business websites are always inaccurate—or that nonprofit organizations always produce reliable content—but that you should take the source into account.

      With that in mind, I suggest that you’re more likely to get accurate and helpful health information, for example, from the website of a well-known government agency like the UK’s Department of Health and Social Care or an academic health provider like the Mayo Clinic (https://www.mayoclinic.org/) than from a site called CheapCureZone.com (a fictitious name but representative of hundreds of real sites).

      Similarly, you should consider the context of information you’re consuming. Did it come in an email message from someone you know? Were you expecting the email? Did you get to a particular web page based on a link in a different site? Do you trust that site?

      By