Bitwise

Not So Deep

How accurate is the hacking subplot on House of Cards?

Lucas Goodwin (left) and Gavin Orsay plot Deep Web antics in the second season of House of Cards.

Courtesy of Nathaniel E. Bell/Netflix

If you’ve spent any of the past week binge-watching the second season of Netflix’s House of Cards, you’ll know that there’s a lot of talk about the “Deep Web.” (If not, be warned: Spoilers ahead.) When our stalwart and unkempt reporter Lucas Goodwin (Sebastian Arcelus) wants to dig into the dark deeds of nefarious Vice President Frank Underwood (Kevin Spacey), a techie friend helps Goodwin get onto the Deep Web and make contact with the hacking underworld, where he connects with hacker Gavin Orsay—except that Orsay has already been turned by the feds and is being used to entrap Goodwin. You can’t trust anyone on this Deep Web. Goodwin’s techie friend brags that the Deep Web is 96 percent of the Internet, with us plebes only seeing a mere 4 percent.

You might be thinking, “Whoa, the Deep Web is 96 percent of all Internet content? I must be missing out!” But I wish this number would go away. That figure refers to an entirely different definition of the Deep Web, one created back in 2001 that simply referred to anything that couldn’t be reached by crawling links. By that I mean dynamically generated Internet content that lacked stable URLs or required cookies to be set in order to view—anything that you couldn’t reliably get to just by clicking a permanent link. Examples include online library catalogs, subscription sites like JSTOR, sites that produce content via typed search queries, and this Hangman game. Search engines have gotten better at crawling this content, though much of the work is an exercise in avoiding crawling too much of it. That dumb Hangman game can produce more unique URLs than the entirety of Slate’s website.

Aside from gated subscription sites, however, many producers of this so-called Deep Web content want their information to be publicly available via Google. Google offers ways for websites to indicate where such content is and how best to crawl it. Some sites are indifferent to whether Google indexes them, but Google will try to crawl them anyway.

Sometimes the definition of Deep Web has been extended to include non-publicly accessible sites, such as organizational intranets—think the Department of Transportation or Dunder Mifflin. And although there’s probably some juicy stuff hidden in those mountains of publicly inaccessible Web pages, it’s not exactly the mountain of crime that House of Cards makes it out to be (unless you’re looking at New Jersey’s intranet). Nor is it anything like the virtual reality counterculture described as the Deep Web (and “DeepArcher”) in Thomas Pynchon’s recent Bleeding Edge (but then, accuracy was certainly not Pynchon’s intent).

In the House of Cards context, the Deep Web is a Wild West of illegality and shady activity, sometimes called “Darknet.” This is a distinct subset of the Deep Web that includes only sites that are publicly accessible (not on a firewalled intranet, that is) but lack DNS names (like slate.com) or a known IP address (Slate’s is 184.29.104.216, last I checked). Those DNS names and IP addresses form the backbone of the public Internet routing infrastructure. This Darknet is stuff that is not available through that infrastructure without going through customized and anonymized Darknet routing.

This Darknet is what you can reach through decentralized, anonymized nodes on a number of networks, including Tor (short for The Onion Router; it has nothing to do with torrents) and I2P (Invisible Internet Project). Client tools (which go by the same names) connect you to these networks while obscuring the source of your traffic. They encrypt and route traffic through random nodes in the decentralized network in order to make it difficult to identify where any piece of traffic is actually coming from. You are “off the grid,” so to speak.

What all this means is that people using Darknet are people who don’t want to be identified or caught using Darknet. The most notorious site of the entire Darknet is/was the black market the Silk Road, which was shut down by the feds last year when the alleged founder and operator (who went by the nom de Web Dread Pirate Roberts) was charged with drug trafficking.

It’s harder to be tracked on Tor or I2P than it is on the normal Web, but you have to be extremely careful. The Tor and I2P protocols themselves are quite secure, but a chain is only as strong as its weakest link. Even if the government can’t see where you’re going, they may still see that you’re using Tor or I2P to get there—or at least that you’re not behaving like a normal citizen whose traffic is completely in the clear and viewable. That makes you look suspicious already. Seeing Tor or I2P traffic can be enough to set off alarm bells deep in the National Security Agency or FBI. And as you might guess, this Deep Web is crawling with feds. In 2011, the feds turned LulzSec hacker Sabu within a few hours and had him spend the next months collecting evidence on his cohorts, which I suspect provided some of the inspiration for the Gavin Orsay plot.

If you’re just trying to gain more privacy, these tools are certainly an asset. The feds may put a flag on you but will be less able to get access to the content of your activity. On the other hand, if you use Darknet to negotiate any sort of offline transaction (drugs, murder, whatever), you cease being anonymous the minute you make any sort of offline contact. And despite the distribution of anonymizing tools like the Tor Browser, you have to be meticulous in securing every link in the chain. One mistake is all it takes, and the head of Darknet drug marketplace Silk Road made many. Only a well-informed security whiz is likely not to leave enough of a trail to be found. Otherwise, you’re just playing the odds.

Sometimes playing the odds works: Edward Snowden didn’t get caught stealing massive numbers of internal NSA files in part because NSA security was stunningly incompetent. But you want to minimize risk whenever possible. In House of Cards, Orsay takes over Goodwin’s computer with a flashy disintegrating screen, then delivers him a custom iPad where the hacker speaks to him via distorted voice through an animated Hieronymus Bosch avatar. Orsay then has Goodwin steal a co-worker’s phone to get the two-factor passcode for the Washington Herald intranet—only to reveal that it was just a test! It makes for showy drama, but 1) it’s as subtle as a brick wall, and 2) the hacker would want to minimize the amount of tech the reporter has to engage with, lest the reporter screw it up. (Reporters aren’t the most tech-savvy group.) When anti–revenge porn activist Charlotte Laws was being stalked and harassed by the operators of revenge porn sites, the high-minded hacker group Anonymous, who loathe bullies and trolls almost as much as they loathe oppressive regimes, contacted her by Twitter and then by phone and relied on the assumption that the people going after her were not geniuses (which they weren’t—the ringleader was soon arrested).

On the other hand, even comprehensive risk management may not be enough. The FBI commandeered an entire Tor provider notorious for hosting child pornography and added a clever bit of malware to it that identified Tor users to them. Anonymous also polices Darknet, and its Operation Darknet has gone after child pornography distributors as well. Anonymous and the feds do agree on one thing: Child pornography is evil.

(You may wonder: Am I active on Darknet? Yes, I go on Darknet constantly and do all sorts of illegal dealings, and then I write a tech column about it to throw people off the track.)

So how believable is the whole House of Cards storyline? There are no egregious technical howlers, thanks to the technical advice of Internet activist Gregg Housh, whose participation can be seen as part of a trend toward better technical accuracy since the days of Sneakers and Independence Day (in which the remarkably hackable alien computer features a giant status dialog that reads “UPLOADING VIRUS”). The Fifth Estate had more detail, but on purely technical terms, House of Cards holds up pretty well. As for the actual storyline, let me put it this way: It’s just as believable as House of Cards’ politics.

You may be left with one last question: “Wow, this Tor/I2P thing sounds really cool. How do I get on it?” No problem. Please send me your name, address, and Social Security number, and I’ll get right back to you just as soon as I make some very important business calls to my associates at Flowers By Irene and No Such Agency.