Dutch Police Investigation & Tor Spike: Correlation Or Also Causation?

UPDATE 2012-01-21: let me emphasize that the Dutch investigation and the spike are probably only correlated; there is no evidence for any causal relation.

UPDATE 2011-09-12: new spike in bridge connections occurring as we speak. For better information than my speculative thoughts, see the tor-talk mailinglist. I know hidden services and bridge connections are orthogonal; I’m considering the scenario where Dutch govt and Fox-IT are attempting some Tor-level attack — I don’t know whether expected benefit of successful attack would justify its cost though. Also see this and this response to my question on tor-talk — the latter mentions simpler / more likely explanations for the spike. I don’t oppose Ockham’s razor 🙂
On September 3rd 2011, Cryptome published Massive Automated Tor Bridge Requests: Why?  from the Tor-talk mailinglist. Some believe (credits to @ly_gs for enlightening me) that the August 2011 spike in Tor users via bridges may be related to the Dutch police investigation on Tor hidden services hosting child pornography, which also took place during that month. Wire Update News has an English-language article here, but I decided to translate myself the full August 31st press release from the Dutch Public Prosecutor (see below). Any ‘unnatural’ use of the English language is due to me translating as literal as possible, avoiding (mis)interpretation. Hyperlinks and parts between […] are mine.

Child porn on anonymous, deeply hidden websites
August 31st, 2011, National Office of the Dutch Public Prosecutor

During an investigation on the internet, the Dutch National Crime Squad stumbled upon large amounts of child pornography on anonymous meeting places and deeply hidden websites.

The reason for the investigation is the Amsterdam child porn case in which Robert [Mikelsons] is a prime suspect [Al Jazeera, CBS]. The National Crime Squad of the Dutch National Police (KLPD) started a multidisciplinary investigation team to map [Mikelsons]’s (international) network.

During the investigation, it was found that [Mikelsons] used hidden places, so called ‘hidden services’, on internet. He used the Tor-network, a worldwide network that enables anonymous surfing on the internet.

The investigated ‘hidden services’ comprised websites, forums and other hidden meeting places where child pornography images are exchanged. Visitors also communicate in chat channels about the abuse of children and the production and distribution of child porn.

Under responsibility of the National Office (“Landelijk Parket”) of the Dutch Public Prosecutor and with permission of the examining judge of the Rotterdam Court the investigators entered twelve ‘hidden services’ by breaking their security.

Images erased
The investigative team was able to gain administrative privileges to four websites. The two servers hosting the websites turned out to be located in the United States. The National Office of US Department of Justice was consulted about the investigation in advance. All images, userlists and chats containing personal data that were found on the child porn sites are handed over to the FBI. It involves tens of thousands of images of abused children. After securing [a copy of] the images [as evidence and/or for further investigation], the servers were completely erased.

On the other eight entered ‘hidden services’ the investigators were not able to gain administrative privileges. They were, however, able to erase the images, after copies were downloaded and secured for further investigation. One of these sites, “Violent Desires”, contained besides child pornography also a discussion forum, where visitors chatted about the kidnapping, abusing and killing of children. On all erased websites, the Dutch police team informed visitors about the investigation.

The police has not gained access to all hidden child pornography websites. On 11 websites the investigators registered themselves as visitor and left behind warnings containing the Dutch police logo. It remains unclear from which countries these ‘hidden services’ were hosted. In total, more than 220,000 child pornographic images and videos were found throughout the investigation.

A first comparison of the photo’s and video’s to material confiscated by police earlier showed that the findings partially contain new and unknown child pornography. It involves recent photo’s and video’s that are no more than five years old. The images will be made available internationally to police services if necessary. On the websites in the United States, investigators found two images that are already known from the Amsterdam case. The involved parents have been informed.

The most important aim in combating child porn is tracing and ending the abuse of children and arresting producers of child pornography. In this investigation the police also wants to make clear that anonymity inside the Tor-network nor national borders are in the way of the investigation of child porn.

The investigative team was made up of digital experts of the National Crime Squad, the Specialist Investigation Applications Service (DSRT), police Amsterdam-Amstelland, vice experts of IPOL Service and investigators of other KLPD services. Internet security company Fox-IT provided the team with technical advice, infrastructure and support.

Freedom of expression
The police investigation, which took place during the whole month of August, did not target the Tor-network itself, but the ‘hidden services’ hosting child porn within this anonymous, underground part of the internet. The Tor-network makes internet users anonymous by sending their IP address [sic] via various servers. Originally, Tor was a project of the US Navy.

The network primarily exists of private persons who enable Tor to function with their computers and internet connection. The use of the Tor-network is not by definition criminal. In countries without freedom of expression, for example, Tor is used by journalists and opponents of the ruling regime.

Both the Dutch investigation and the spike in the number of Tor users connecting via bridges happened in August 2011. Correlation, or also causation? [Update: Probably just correlation.] I don’t know what activities were performed during the investigation, but exploring de-anonymization attacks against Tor may fit the Dutch investigators’ aim of identifying those involved in child porn. The press release does not state that Tor hidden services (.onion sites) were the only lead from the Amsterdam case. Failure of Tor-level attacks may be irrelevant to mention in the press release, or preferred not to be disclosed because that would strengthen offenders’ confidence in relying on Tor for criminal purposes. Success might deliberately not be disclosed for the sake of ongoing investigations, or out of fear that criminals will then move to I2P or other systems perhaps less well-studied in digital forensics than Tor. This is all very speculative, of course.

I will update this post to reflect advancing insight, e.g. state “ONLY CORRELATION” if that turns out to be the case. Comment below, or contact me by e-mail (koot=>uva.nl) or Twitter (@mrkoot).

2 thoughts on “Dutch Police Investigation & Tor Spike: Correlation Or Also Causation?

    1. Mind that the correlation was probably only that: correlation. On the [tor-talk] mailinglist, Andrew responded [1]: “How do these two things go together? Hidden services are unrelated to bridges. And we’re seeing massive bridge queries, and huge spikes of bridge useres [sic] in European countries.”

      Any answer I could dream up only involved even more unverifiable speculation, so I decided to shut up. In other words: the Dutch investigation and the spike are probably unrelated.

      [1] https://lists.torproject.org/pipermail/tor-talk/2011-September/021331.html

Leave a Reply

Your email address will not be published. Required fields are marked *