[tor-talk] Dutch Police Investigation & Tor Spike: Correlation Or Also Causation?

Matthijs R. Koot koot at uva.nl
Sun Sep 4 16:03:35 UTC 2011

Hi tor-talk,

In response to the "Massive Automated Tor Bridge Requests: Why?" message
on Cryptome [1] I wrote the following on my blog [2]. I'd love to hear your
take on the likeliness that Dutch police activities caused (or didn't)
the spike Roger observed [3]. I apologize for not replying in-thread to
this list, I only subscribed yesterday.

---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ----
Dutch Police Investigation & Tor Spike: Correlation Or Also Causation?

On September 3rd 2011, Cryptome published Massive Automated Tor Bridge
Requests: Why? [1] from the Tor-talk mailing list. Some believe (credits
to @ly_gs for enlightening me) that the August 2011 spike in Tor users
via bridges may be related to the Dutch police investigation on Tor
hidden services hosting child pornography, which also took place during
that month. Wire Update News has an English-language article here, but I
decided to translate the full August 31st press release [4] from
the Dutch Public Prosecutor myself (see below). Any 'unnatural' use of the
English language is due to me translating as literally as possible,
avoiding (mis)interpretation. Hyperlinks and parts between [...] are mine.

    "Child porn on anonymous, deeply hidden websites
    August 31st, 2011, National Office of the Dutch Public Prosecutor

    During an investigation on the internet, the Dutch National Crime
Squad stumbled upon large amounts of child pornography on anonymous
meeting places and deeply hidden websites.

    The reason for the investigation is the Amsterdam child porn case in
which Robert [Mikelsons] is a prime suspect [Al Jazeera, CBS]. The
National Crime Squad of the Dutch National Police (KLPD) started a
multidisciplinary investigation team to map [Mikelsons]'s
(international) network.

    During the investigation, it was found that [Mikelsons] used hidden
places, so called 'hidden services', on internet. He used the
Tor-network, a worldwide network that enables anonymous surfing on the

    The investigated 'hidden services' comprised websites, forums and
other hidden meeting places where child pornography images are
exchanged. Visitors also communicate in chat channels about the abuse of
children and the production and distribution of child porn.

    Under responsibility of the National Office (“Landelijk Parket”) of
the Dutch Public Prosecutor and with permission of the examining judge
of the Rotterdam Court the investigators entered twelve 'hidden
services' by breaking their security.

    Images erased
    The investigative team was able to gain administrative privileges to
four websites. The two servers hosting the websites turned out to be
located in the United States. The National Office of US Department of
Justice was consulted about the investigation in advance. All images,
userlists and chats containing personal data that were found on the
child porn sites are handed over to the FBI. It involves tens of
thousands of images of abused children. After securing [a copy of] the
images [as evidence and/or for further investigation], the servers were
completely erased.

    On the other eight entered 'hidden services' the investigators were
not able to gain administrative privileges. They were, however, able to
erase the images, after copies were downloaded and secured for further
investigation. One of these sites, “Violent Desires”, contained besides
child pornography also a discussion forum, where visitors chatted about
the kidnapping, abusing and killing of children. On all erased websites,
the Dutch police team informed visitors about the investigation.

    The police has not gained access to all hidden child pornography
websites. On 11 websites the investigators registered themselves as
visitor and left behind warnings containing the Dutch police logo. It
remains unclear from which countries these 'hidden services' were
hosted. In total, more than 220,000 child pornographic images and videos
were found throughout the investigation.

    A first comparison of the photos and videos to material
confiscated by police earlier showed that the findings partially contain
new and unknown child pornography. It involves recent photos and
videos that are no more than five years old. The images will be made
available internationally to police services if necessary. On the
websites in the United States, investigators found two images that are
already known from the Amsterdam case. The involved parents have been

    The most important aim in combating child porn is tracing and ending
the abuse of children and arresting producers of child pornography. In
this investigation the police also wants to make clear that anonymity
inside the Tor-network nor national borders are in the way of the
investigation of child porn.

    The investigative team was made up of digital experts of the
National Crime Squad, the Specialist Investigation Applications Service
(DSRT), police Amsterdam-Amstelland, vice experts of IPOL Service and
investigators of other KLPD services. Internet security company Fox-IT
provided the team with technical advice, infrastructure and support.

    Freedom of expression
    The police investigation, which took place during the whole month of
August, did not target the Tor-network itself, but the 'hidden services'
hosting child porn within this anonymous, underground part of the
internet. The Tor-network makes internet users anonymous by sending
their IP address [sic] via various servers. Originally, Tor was a
project of the US Navy.

    The network primarily exists of private persons who enable Tor to
function with their computers and internet connection. The use of the
Tor-network is not by definition criminal. In countries without freedom
of expression, for example, Tor is used by journalists and opponents of
the ruling regime."

Both the Dutch investigation and the spike in the number of Tor users
connecting via bridges happened in August 2011. Correlation, or also
causation? I don't know what activities were performed during the
investigation, but exploring de-anonymization attacks against Tor may
fit the Dutch investigators' aim of identifying those involved in child
porn. The press release does not state that Tor hidden services (.onion
sites) were the only lead from the Amsterdam case. Failure of Tor-level
attacks may be irrelevant to mention in the press release, or preferred
not to be disclosed because that would strengthen offenders' confidence
in relying on Tor for criminal purposes. Success might deliberately not
be disclosed for the sake of ongoing investigations, or out of fear that
criminals will then move to I2P or other systems perhaps less
well-studied in digital forensics than Tor. This is all very
speculative, of course.

I will update this post to reflect advancing insight, e.g. state "ONLY
CORRELATION" if that turns out to be the case. Comment below, or contact
me by e-mail (koot=>uva.nl) or Twitter (@mrkoot).
---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ----

Kind regards,
Matthijs R. Koot
University of Amsterdam

[1] http://cryptome.org/0005/tor-bridge-why.htm
[3] https://metrics.torproject.org/users.html#bridge-users
