Article Lead Image

With Tor Mail gone, how will the Dark Web communicate?

Whichever method you choose, make sure you encrypt your senstive messages.

 

Patrick Howell O'Neill

IRL

Posted on Aug 8, 2013   Updated on Jun 1, 2021, 9:35 am CDT

In the recent fall of Freedom Hosting, a hosting service used by much of the Dark Web, the list of casualties is long. One death in particular has already cast the widest shadow of all: Tor Mail is gone.

Long considered the most trustworthy and popular email service on the Dark Web, users have rapidly fled since Freedom Hosting, which maintained Tor Mail’s previously hidden servers, was compromised and destroyed, and its alleged owner, Eric Marques, was arrested in Ireland.  Now, many wonder if Tor Mail’s servers are sitting in a National Security Agency (NSA) office, their contents being read and documented at this very moment.

Dissidents, whistleblowers and journalists have long used Tor Mail. Edward Snowden and Julian Assange are major Tor cheerleaders. But alongside them are some of the most prominent pedophiles and most profitable drug dealers on Web. Nothing about Tor Mail’s demise is certain at this point. We don’t know if its servers have fallen into the hands of criminals or the U.S. government. 

Here’s the catch: In theory, it shouldn’t even matter if an NSA agent is browsing through each email at this very moment. Smarter, more careful users of Tor Mail have never sent a clear text email. Software such as PGP (Pretty Good Privacy) takes 15 minutes to master and provides virtually unbreakable encryption, placing emails out of even the NSA’s reach. It’s a breeze. Any cybercriminal worth his weight in stinky California marijuana would take the time to use it, right?

Wrong. 

“I post my PGP key everywhere and beg my customers to use it but the majority don’t….. including for some pretty big orders!,” wrote popular ecstasy vendor DrMDA.

“Something like 80 percent of SR users don’t use PGP,” wrote astor, a longtime Silk Roader.

Some vendors, such as prescription drug salesman RxKing, explicitly refuse to deal in PGP, saying it gives a false sense of security.

Sometimes it’s not laziness or complacency, it’s simply a giant mistake.

If you have ever purchased GHB (known as liquid ecstasy or, more commonly, the date rape drug) from the popular Silk Road vendor BlueGiraffe, you may have a bit of worrying to do

BlueGiraffe’s newly hired assistant—yes, top vendors have assistants and entire teams behind their operation—mistakenly emailed the address of every single customer he’s had in over a year of business in clear text. It’s not encrypted, it’s imminently readable, and it’s potentially in the hands of law enforcement right now. Keeping such records is against the rules on Silk Road.

“Though I will never meet any of you in person, you are like a great family that I love and care for very much,” wrote an extremely apologetic BlueGiraffe. “And I have done the worst thing and compromised your safety. I am so sorry.”

Now, despite easy-to-use technology that would have rendered them virtually immune to oversight, thousands of Tor Mail users are perspiring, wondering when the knock on their door will come.

The big question across the Dark Web is what will succeed Tor Mail. Here are the early contenders:

  • BitMessage is a decentralized, encrypted and peer-to-peer messenger. This program has seen a surge in popularity since the Snowden leaks.
  • TorChat is an easy-to-use anonymous messenger designed to fit nicely into the Tor environment. It has been widely used across the Dark Net spectrum since before Tor Mail’s fall.
  • PrivNote is a Clear Net messenger service that deletes notes once they’re read. Silk Road vendor RxKing prefers this service, but others refuse to use it, citing multiple security concerns.
  • SMS4TOR is a Tor-friendly version of PrivNote that has gained considerable traction thanks to its base a Tor hidden service.
  • I2P-Bote uses the I2P anonymizing software to provide a decentralized, encrypted, verified email service. The service is only in alpha and, due to its reliance on I2P, will probably not be widely adopted.
  • Privatdemail is an email service with a focus on privacy (as opposed to anonymity). Here’s a fun fact: You apparently can’t email Israel because the servers are located in an Arab country that forbids it. That policy will not inspire confidence, but even so, Privatdemail is already in use.
  • RiseUp is an email service built for “liberatory social change.” Users must apply and be approved for accounts, proving that they are activists fighting for positive change, which is whatever RiseUp’s founders deem it to be. In exchange, RiseUp keeps minimal logs, encrypts your data and defends your communications unlike many corporate email services.
  • Nym is a remailer that allows you to send encrypted emails without them being traced back to you, the sender.
  • Mixmail is a remailer similar to Nym but is much easier to use. It strips out identifying factors like an IP address, making a quick, anonymous email an easy proposition.
  • Jabber is a popular open-source, decentralized messaging system. It’s widely used by journalists already, particularly in the Middle East.
  • Tox.im is a currently-in-development tool that promises to allow encrypted and decentralized video and text chat reminiscent of Skype—only without Microsoft allowing the American government to listen in as they do.

Even when Tor Mail was the de facto king of Dark Web communication, it was not ubiquitous. Now that trust is in short supply, other services have seen an influx of users in the past week. 

Many people have wondered if and when another simple and trustworthy Tor email service will pop up. It’s a major market opportunity that comes with serious risk. Hushmail, a Canadian service that was once upon a time the encrypted email darling of the Dark Web, came under immense pressure from the American government and eventually turned over clear text emails to law enforcement in 2007.

What comes next is anyone’s guess. The only sure thing is that any smart user wishing to maintain privacy ought never to fully trust any service and should always encrypt their communications. Anything less is asking for trouble.

Illustration by Jay Hathaway

Share this article
*First Published: Aug 8, 2013, 2:26 pm CDT