Election Security Spotlight – The Surface Web, Dark Web, and Deep Web

What it is

To most users, the internet is what they experience through their email client and web browser every day, but there are a number of expansive services that operate in the background and the “web” is just one part of it. Behind that web browser, there are multiple layers that the average user may encounter tangentially or never. The three parts commonly used to divide the web are the Surface Web, the Dark Web, and the Deep Web.

  • The Surface Web is what users access in their regular day-to-day activity. It is available to the general public using standard search engines and can be accessed using standard web browsers that do not require any special configuration, such as Mozilla Firefox, Microsoft’s Internet Explorer or Edge, and Google Chrome.
  • The Deep Web is the portion of the web that is not indexed or searchable by ordinary search engines. Users must log in or have the specific URL or IP address to find and access a particular website or service. Some pages are part of the Deep Web because they do not use common top-level domains (TLDs), such as .com, .gov, and .edu, so they are not indexed by search engines, while others explicitly block search engines from identifying them. Many Deep Web sites are data and content stored in databases that support services we use every day, such as social media or banking websites. The information stored in these pages updates frequently and is presented differently based on a user’s permissions.
  • The Dark Web is a less accessible subset of the Deep Web that relies on connections made between trusted peers and requires specialized software, tools, or equipment to access. Two popular tools for this are Tor and I2P. These tools are commonly known for providing user anonymity. Once logged into Tor or I2P the most direct way to find pages on the Dark Web is to receive a link to the page from someone who already knows about the page. The Dark Web is well known due to media reporting on illicit activity that occurs there. Malicious actors use the Dark Web to communicate about, sell, and/or distribute illegal content or items such as drugs, illegal weapons, malware, and stolen data. However, just like the Surface Web, there are several legitimate activities on the Dark Web as well, including accessing information, sharing information, protecting one’s identity, and communicating with others. Many news organizations operate on the Dark Web to protect confidential sources.

Why does it matter

Understanding the difference between the Surface Web, Deep Web, and Dark Web provides context for election officials as they build both proactive and reactive cybersecurity programs. For instance, data such as voter lookup information is stored on the Deep Web in many states. A user can only access their information using the voter lookup tool available on the Surface Web. Misconfiguration that exposes sensitive data intended for the Deep Web to the Surface Web is one of the most common sources of data breaches. Context on the various levels of the web is also valuable when responding to an incident affecting an election office or reading media or intelligence reporting regarding malicious cyber activity. By understanding the differences, election officials and their staff can more effectively determine the right course of action in remediating an incident or identifying information belonging to their organization that has been compromised and leaked.

What you can do

Considering the many facets of the web, there are a number of actions election offices can take to secure themselves. At a minimum, election offices should review their own data and information stored on the web to ensure it is properly configured and only accessible to authorized users. Election offices interested in identifying the illegal posting of election information on the Deep and Dark Web should do so with caution. There are several services available for mature, proactive organizations to collect information from the Dark Web for situational awareness and threat intelligence. When gathering information from the Dark Web, please consider the following:

  • Prior to directly accessing the Dark Web or responding to malicious activity involving the Dark Web, election offices should consider engaging with their law enforcement partners. Many law enforcement organizations have experience with investigating and communicating on the Dark Web.
  • Be aware of the potential for your computer to be compromised while browsing the Dark Web. Use a virtual machine (VM) to reduce the risk of infection or compromise. VMs provide a virtual layer between the system you are using and the physical network you are operating on. This can act as an additional layer of security and be erased if the VM is infected with malware.
  • Do not assume that information posted to the Deep or Dark Web is secure simply because it is difficult to locate.
  • Do not assume that you cannot be identified, even when using software and visiting websites that promise anonymity.
  • If you identify information belonging to your organization on the Dark Web, do not attempt to communicate with the source of that information or share that information widely. In the past, malicious actors have posted such communications publicly and they may use details of those communications to conduct additional malicious cyber activity.


The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].