Most lawyers have no idea that the internet is made up of several different areas, some of which are extremely difficult to access. When they use a browser to search for information or purchase products, they generally are accessing what is called the surface web. It is the information that is freely available with little or no restriction and accessible via search engines such as Google.
However, most internet information resides in what is sometimes referred to as the deep web. Essentially, anything accessed using a password is considered the deep web. Examples include email, bank accounts, medical records, and the like. Think of the deep web as the portion of an iceberg that is below the surface and is not indexed by the search engines. Some reports put the amount of deep web data at 97% or more of the total internet.
Before we jump into the subject of dark web monitoring, let’s discuss the dark web to set the stage.
Dark Web Access
The dark web and the deep web are related but not identical. The dark web is a subset of the deep web, and content on the dark web uses encryption software to provide additional security.
Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a coauthor of 18 books published by the American Bar Association.
John W. Simek is vice president of Sensei Enterprises Inc. He is a Certified Information Systems Security Professional, a Certified Ethical Hacker, and a nationally known expert in the area of digital forensics. He and Sharon Nelson provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke is the CEO and director of cybersecurity and digital forensics of Sensei Enterprises Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.
The dark web contains sites that are associated with illegal activities such as child pornography, fraudulent services, drug trade, and trafficking. It is a very small portion of the deep web. Like content in other areas of the deep web, dark web content is not indexed nor is it accessible via search engines.
The URLs for websites on the dark web end with “.onion” (and possibly a slash). The site address is a collection of scrambled text that isn’t even close to identifying the site itself. As an example, the dark web URL for the CIA is http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/. (At least it starts with ciadotgov.)
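The address is less random than it looks: in the current (version 3) format, the 56 characters are a base32 encoding of the site's public key, a two-byte checksum, and a version byte. The Python sketch below is an added example, not part of the original article. It takes an address apart offline, without contacting the site; the function names and the constructed test key are assumptions made for illustration.

```python
import base64
import hashlib

SUFFIX = ".onion"
CHECKSUM_CONST = b".onion checksum"  # fixed string from Tor's v3 address format


def _checksum(pubkey: bytes, version: int) -> bytes:
    data = CHECKSUM_CONST + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from a 32-byte key (used here to make test data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion keys are 32 bytes")
    raw = pubkey + _checksum(pubkey, 3) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + SUFFIX


def parse_onion(url: str) -> dict:
    """Split an onion URL or hostname into its fields; no network access."""
    host = url.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if not host.endswith(SUFFIX):
        raise ValueError("not a .onion hostname")
    label = host[: -len(SUFFIX)].split(".")[-1]  # ignore any subdomain
    if len(label) != 56:
        raise ValueError("not a 56-character v3 address")
    raw = base64.b32decode(label.upper())  # raises ValueError on bad characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    ok = version == 3 and checksum == _checksum(pubkey, version)
    return {"label": label, "pubkey_hex": pubkey.hex(),
            "version": version, "checksum_ok": ok}


if __name__ == "__main__":
    # Address quoted in the article, plus one built from a constructed key.
    article = "http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/"
    constructed = encode_v3(bytes(range(32)))
    for addr in (article, constructed):
        print(parse_onion(addr))
```

A failed checksum means the address was mistyped or truncated somewhere along the way, which is worth checking before an address from a vendor report is copied into a file or a pleading.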
Special software is used to access sites on the dark web. The Tor (derived from “The Onion Router”) browser is most often used to access dark web data. Many lawyers are curious about the dark web and what evidence may be available there for their cases.
Lawyers might think of the dark web as a “sexy” place to explore and want us to tell them how to safely access it. And yes, it can be intriguing in many ways, but our recommendation to attorneys is clear: Don’t access the dark web. Even if you have the technical knowledge to install and configure the Tor browser, securely accessing the dark web is simply beyond the skill level of most attorneys. In other words, to reverse Nike’s slogan … Just Don’t Do It!
The first thing that might come to mind when the term “dark web” is used is criminal activity, for example, sex crimes, drugs, weapons, or cyberattacks. However, by design, the dark web also is an excellent place to protect privacy. Journalists use the dark web to send and receive messages anonymously and to protect the identity of news sources. The dark web is also used to access information in countries where internet access is restricted. So, dark web content is not all negative or illegal, although much of it is – and thus it is best to avoid the dark web as a destination.
Dark Web Marketplace
As noted above, the dark web is mainly used for illegal activity. It is also a repository for stolen personal information, which often is put up for sale by cybercriminals. The discussion here focuses on marketplaces used to sell personal information such as stolen credit cards, bank account logins, medical records (medical records are quite valuable in relation to other records), and other items for which financial gain is the motive. Concerns about personal information being disclosed on the dark web have spurred much of the interest in monitoring services. This is particularly true for lawyers, who are ethically mandated to protect client confidential data.
Dark Web Information
A key question for many people is the following: “How did my personal data get on the dark web?” Here are some ways cybercriminals gain access to personal information.
One common method is to infect computing device(s) with malicious software designed to capture a computer user’s activity by stealing passwords and user IDs.
Phishing scams are another way to gain access to private information. A computer user might end up on a web page on which the user freely enters requested information, which is then transmitted to a cybercriminal. In another popular phishing scam, a pop-up warning appears and the computer user is directed to call a phone number (typically toll free) to get technical assistance or to dispute a purported credit card charge for a service or item the person did not purchase.
Commonly, individuals’ data ends up on the dark web because of a data breach. In other words, the information is held by another party (such as a law firm) and the firm is breached. Since the start of the pandemic in 2020, ransomware attacks have significantly increased. Many ransomware attackers capture a target’s data first and then take various steps to entice the target to pay a ransom, in return for which the attacker will return the data to the target. Commonly, the data includes client information, which may end up on the dark web.
You may have seen ads for services that monitor for identity theft. The cost of such services tends to start at around $100 per year. The services promise to monitor various aspects of an individual’s life and alert individuals to suspicious activity. Basically, they monitor your credit score, as well as online and financial activity. Dark web monitoring is typically part of the service too.
We are not big fans of any of the monitoring services. Individuals who use these services will probably end up giving them all sorts of personal information so that the service knows what to look for when engaged in monitoring. They can’t scan for release of a Social Security number if they don’t know what the number is. They need to know credit card numbers to scan the dark web to see if the numbers are available for sale.
Do you trust the monitoring company to have robust security in place to protect all the personal data you have entrusted to them? It seems to us that a monitoring service is very similar to a law firm in that it provides a “one-stop shop” for cybercriminals.
What about dark web scans? We think many security and monitoring companies use dark web scans as the fear, uncertainty, and doubt factor to scare you into paying them money. Some companies charge law firms hundreds of dollars per month for dark web scans. The vendors will produce a report showing that your email address, Social Security number, password, and more were found on the dark web. So what? The discovered data is usually stale (several years old) and of very little value. You’ve probably already changed your password for the discovered sites and implemented multifactor authentication, too.
Get Value for Your Money!
One worthwhile benefit of a dark web scan is awareness. It should be possible to obtain an initial dark web scan free of charge, that is, without paying an ongoing monthly monitoring fee. If done for a law firm, the initial report will help identify if law firm employees tend to reuse the same password across multiple sites. It might even identify sites that employees are using but not aware of so that individuals can immediately change their passwords. Use the dark web scan to educate employees at your next cybersecurity awareness training session. If you’re not teaching your employees about cybersecurity, at least annually, you are missing a very significant part of cyber resilience! A human element is involved in data breaches 82% of the time.
Whether or not you obtain a free dark web scan, do take control of your data and don’t give it to a monitoring service. Individuals should use a password manager and a unique password for each website or application. Individuals might also want to put a freeze on their credit files at the three major credit bureaus. Freezing a credit file is free. It makes little sense to pay someone to monitor your credit score when freezing your credit file will stop a huge amount of identity theft opportunities. A lot of credit cards offer free credit score reports, too.
If fear is the force encouraging you to sign up for dark web monitoring (and it usually is), stop throwing your money away and take the advice above instead. You’ll save money, and your information will be safer.
Also of Interest
State Bar of Wisconsin Member Benefits Help Protect Your Data
Your State Bar of Wisconsin membership entitles you to many services, benefits, and discount programs. Here are just a few. To discover the benefits of membership, visit wisbar.org/memben.
Cybersecurity: BobaGuard Turnkey Cybersecurity Suite
Built with legal professionals in mind, BobaGuard Turnkey Cybersecurity Suite offers eight services, including cybersecurity training, phishing simulation, AI-based advanced email protection, and more.
BobaGuard gives you:
- proactive security tools that work behind the scenes to strengthen your security;
- training and ongoing phishing simulations that help you identify and stop threats;
- a contingency strategy in case of a breach;
- a streamlined onboarding process.
Visit www.bobaguard.com/sbw for more information.
Cyber Insurance: HSB Total Cyber
HSB Total Cyber™ offers comprehensive coverage for six types of cyber-attacks: data breach, fraud, identity theft, computer attack, system failure, and cyber liability. The options are customizable, so you pay for only what you need. In addition, it is possible to get coverage by the next business day via a quick application process.
HSB policyholders have access to resources that can help prevent or prepare for a cyberattack or data breach. Policyholders also receive one hour of free cybersecurity risk consulting, as well as one hour of free consulting from one of HSB’s partner law firms.
Questions about the new HSB comprehensive cybersecurity coverage? Contact Corrine Bultman of Bultman Financial Services, at (262) 782-9949, and visit hsbtotalcyber.com/sbw for further information.
» Cite this article: 96 Wis. Law. 37-39 (March 2023).