“The truth is that the internet is its own evil twin – you can find people doing heinous shit everywhere on the internet, dark web or open web, it doesn’t matter, it’s just a reflection of society at large,” adds Hyperion Gray’s co-founder Amanda Towler.

Hyperion Gray was founded by A. Towler and Alejandro (Alex) Caceres almost a decade ago. A team of professional hackers, developers, engineers, security researchers, data scientists, and intel analysts, as they put it, aims to solve “hard problems” and make a positive impact in the process.

Hyperion Gray is already very well known in the security community. In 2015, the company won a role on DARPA’s (the Pentagon’s Defense Advanced Research Projects Agency) Memex program to help catch human traffickers on the dark web. Last year they dominated the headlines again after publishing the Dark Web Map – an astonishing visualization of 6.6k Tor onion websites.

Though Hyperion Gray is on an important mission, they never lack humor and manage to creatively put things into perspective, revealing both the beauty and the horror of the dark web. So, of course, when we decided to explore the topic, we contacted them, and Hyperion Gray’s Amanda and Alex agreed to enlighten us.

– So let’s get to the dark web, I’m really curious! Why was the dark web created?

– I don’t think the “dark web” as it’s commonly referred to has a single discrete point of creation, but I think it’s generally accepted that the major movements, such as Freenet and The Tor Project (here’s a brief history of onion routing), centered on protecting users’ digital privacy in the face of internet surveillance. Unfortunately, this has become a bit of a cat-and-mouse cycle.

– The dark web is considered the evil twin of the web we use every day. Is that true?

– This is a common misconception that prevents a lot of people from understanding and using things like Tor browser for legitimate, privacy-preserving purposes (say, to prevent your every click from being tracked for the rest of your life…). The truth is that the internet is its own evil twin – you can find people doing heinous shit everywhere on the internet, dark web or open web, it doesn’t matter, it’s just a reflection of society at large.

– What does the dark web affect the most?

– I would say that it provides news media with a lot of catchy, spooky headlines. 🙂

– Is it legal to be on the dark web? Even if you don’t engage in criminal activities?

– The “dark web” is a nebulous concept so it’s hard to say whether one is “on it” or not; but, it’s not illegal to use the Tor browser or to visit Tor hidden services, generally. What matters is whether you are engaging in illegal behavior on any given site. I’m not a legal expert so I digress on the finer points of digital legality, but just having and using the Tor browser or visiting a hidden service is not in itself illegal; there is a Facebook hidden service, for example.

– You’ve been researching the dark web, what would be the key findings? And why did you start it at all?

– Well, there is already enough of the “is the dark web good or bad” debate, and rather than simply pick a side we wanted to use some simple data science, let the data speak for itself and let people make their own decisions. This was the motivation behind our Dark Web Map project.

One of the most interesting findings was how many sites were just mirror images of each other, indicating that either there are many copies of these same few sites, or that there are a lot of scam versions of these sites, or maybe a little of both.

– Have you ever been threatened for what you do?

– Nope! Although our dark web research has apparently made us a target for a lot of very weird, unsettling requests. About once or twice a week I get an email asking if we can hack someone’s Facebook account, or something equally strange and non-sequitur. For the record – NO! WE WILL NOT HACK SOMEONE’S FACEBOOK ACCOUNT FOR YOU AND THIS HAS NOTHING TO DO WITH DARK WEB RESEARCH! SO PLEASE STOP ASKING. Thanks.

– How difficult is it to map activity on the dark web?

– The main challenge is that there is no single, full list of all Tor hidden services, and this is by design. So, we can only map what we can find. The other challenge is that it takes some time to scrub the images to remove sexual violence and depictions of children, anything that might be illegal in the US.

– How big is the dark web?

– The Tor Project keeps the best stats on this, see here and here and here.

– The Tor Project is closely related to the deep (dark included) web. But some serious people, academics and privacy enthusiasts are behind it (e.g. Schneier); is it fair to relate it to criminal activities only?

– No, definitely not. That being said, there are some fairly compelling arguments, including this one from a former Tor Project director, that hidden services specifically do more harm than good. It’s important to distinguish between the anonymity that a Tor browser provides and the anonymity a Tor hidden service provides. The browser allows people to, uh, browse anonymously, while the hidden services allow people to host content anonymously. You can see how the latter is a bit more problematic than the former… The debate makes for some interesting Twitter banter.

– It is said that it’s almost impossible to catch criminals acting on the dark web. But can somebody be 100% anonymous online?

– First, it’s definitely not impossible to get caught, it happens all the time. Just look at the front page of DeepDotWeb. At the end of the day, humans make mistakes. Second, it’s extremely difficult and a complete pain in the ass to be fully anonymous online, and it’s my opinion that, in the long run, everyone will take shortcuts, you eventually have to.

– Is it possible to get rid of all the sick things going on on the dark web? And make it a safe place for people who are there purely for privacy and security, but aren’t engaging in any criminal activities?

– The “dark web” didn’t create criminality, so treating crimes at this level can only be so effective. I’m not a criminal justice expert so I won’t comment too much more on this, except to say that I personally favor preventive over reactive approaches to reducing criminality. I don’t think the internet ever has or ever will be a safe place, unfortunately, but neither are roads and we use those every day, so it’s a calculated risk.

– What about people who are not criminals and use the dark web for their security? I’m talking about whistleblowers, journalists, people living under oppressive regimes, etc.

– Yes, there’s a sort of self-propagating privacy “arms race,” these mechanisms are made necessary by the realities of conducting journalism and activism in oppressive regimes. I’m glad that there exists technology that lets people fight for meaningful change where they must risk their lives to do so. That’s a form of bravery and courage that I will never know.

My partner Alex and I were interviewed for this documentary, Down the Deep Dark Web, and while my quote was taken slightly out of context, the gist of it was that, if I happened to be born under an oppressive regime, I would want something like the Tor project to exist.

– What do you think about the current level of internet security, what concerns you the most?

– Oh boy! Well, I think it’s safe to say that the general sense from the security community at large is that internet security is in perpetually pretty rough shape. It’s not because all security teams are dumb and all malicious hackers are smart – let’s be clear that some of the brightest minds on the planet are focused on improving information and internet security, not to mention the nearly $100 billion dollars being thrown at the problem in the US alone. It’s more that there’s an impossible amount of surface area to try to secure; it’s tantamount to trying to defend the Milky Way galaxy, it’s just such a massive, massive landscape that we have trouble even wrapping our minds around and quantifying.

The other challenge is that so many of the tools that are vital to protecting privacy or to conducting security assessments are double-edged swords; that is, they can be used just as effectively for destructive purposes as for constructive purposes.

With regard to what concerns me (just speaking for myself here) most, I’d have to say the willingness with which people are adopting early smart home assistant technologies, like Amazon Echo and Google Home and Facebook Portal, into their homes. I mean, we have near-constant headlines about the degree to which these companies just absolutely abuse consumer privacy, and our response is to get all indignant but then bring a listening device right into our living room or bedroom and give them even more access to our private lives. What?! It makes absolutely no sense to me. The trade-off doesn’t seem nearly worth it for me, but then again I may have a biased perspective…

– Bearing in mind what’s going on, what do you think the internet will look like in 5 years?

– In 5 years? Probably much the same, although I did see an article the other day about an increase in smaller, regional networks; how this affects security or privacy, I don’t know, but it’s an interesting development nonetheless.

I think we’ll continue to see many of the problems with “the internet” that dominate the popular narrative now – consumer privacy and social media, false or misleading information and social media, the erosion of civil discourse and social media, the increasing polarization of society and social media… OK, I’m sensing a theme here… hm, so perhaps we’ll see some major changes to the role social media plays in our lives and the shifting of responsibility from the government to the platforms for protecting users?

– Talking about governments, it seems like many democratic countries have been learning from authoritarian regimes. Australia’s new encryption law is just one example. What is your opinion about that?

– I’m conflicted about this, as someone who both works with law enforcement and values fundamental privacy rights. As I mentioned, there’s almost a self-propagating nature to it, the more our fundamental privacy is at risk from technology, the more sophisticated our privacy-preserving technology will get, and the harder it will become to identify and stop those who use it destructively, so the more invasive law enforcement will have to get, the more our fundamental privacy will be at risk, rinse and repeat. It becomes a bit of an arms race.

I think there’s a very delicate balance to be struck and I think generally both sides – the privacy zealots and the rule of law zealots – need to espouse more nuanced perspectives on issues of privacy. Life is not black and white, these things are a gray area at best, and anyone who’s worked on both sides of the fence can attest to that.

– Is there anything you’re excited about?

– Yes! The global rise of veganism as a lifestyle choice! 😀 Oh, you probably meant security-related. So I thought about this question for a long time, actually. I’d say I’m excited about the trend toward the broad legalization of marijuana and what this means for the number of people who would become eligible for high-level security work in the government. We leave a lot of talent on the cutting room floor at the exact time when we need all the help we can get, not to mention all the other ways that the criminalization of marijuana has disenfranchised countless valuable members of society. This, plus the growing availability of technology-focused education, means that we could have many, many more people joining the fight to protect our citizens on the digital front. The same goes for all the advancements in accessibility and assistive technology that enables people with audio-visual or other physical impairments to perform technical engineering and security research. Everything that we do to bring more people into the fold is a positive development, in my opinion.

– Thank you, that put a lot of things in a different perspective. Finally, what is Hyperion Gray working on? What are your plans?

– We take it day by day, baby! Our plans are to continue performing software and security research and development and having fun, as long as the universe sees fit to allow it. We have an amazing, small and highly specialized team, and we get to be creative and solve hard problems and hopefully have a positive impact on the world in the process. So, I think we’ll just keep doing that! 🙂