Pseudonymity

Following on from the fantastically interesting FOCI workshop last year, I am co-chairing this year’s FOCI workshop along with Roger Dingledine of the Tor Project. The workshop will again be co-located with USENIX Security, which is being held this year in Bellevue, Washington in August.

Although FOCI revolves around USENIX Security, and therefore by default falls on the more technical side of research, we are actively encouraging submissions from any field with something interesting to say on internet censorship. Social science, political science, law, economics, ethics, psychology — if you have something to say then send us your work!

The call for papers is here: https://www.usenix.org/conference/foci12

I hope to see you there!

I was recently approached by the Observer to take part in an email-based discussion with Tom Chatfield about online privacy and the direction that companies like Facebook and Google are taking us.

It was a lot of fun to write, over the course of a day, and there were some interesting points raised. 1000 words each isn’t enough to explore very much, but I found it surprisingly useful for clarifying my thoughts on the subject, and quite inspiring for some of the future work that is constantly buzzing around my head.

The original story on the Observer is here.

I recently presented my work on censorship mapping to my colleagues at the OII, including a couple of maps with early analysis of DNS manipulation in Chinese cities.

The analysis is very preliminary, and there are considerable caveats even for the early results, but here’s the presentation:

This year saw the first workshop on Freedom of Communications on the Internet, co-located with USENIX Security in San Francisco. My contribution, co-authored with Ian Brown and Tulio de Souza, focused both on the means for mapping censorship in greater detail as well its legal and ethical implications.

The paper was inspired by the realization that censorship at the national level need not, and clearly often is not, applied equally across a country. The riots in Ürümqi, in Xinjiang, resulted in a blanket internet ban for that region that was not extended to the rest of China. The widely-reported shutdown of Egyptian internet service for several days during the 2011 Egyption revolution was not experienced, at least at first, on the ISP that provided service for important financial services. The ability to filter selectively is clearly, in the view of a censor, very useful.

Even when censorship is intended to apply equally, practical considerations can cause localized discrepancies. In large-scale or complex censorship regimes total centralization may be infeasible, resulting in censorship being delegated to local authorities or organizations. These may, in turn, make different choices in how to implement filtering at the local level, with varying results.

All previous major studies of internet censorship have considered filtering at the national level, without investigating the potential for local variation. It is therefore valuable to consider what local and organizational variations in censorship can reveal about how filtering is implemented and how it affects users.

The goal of this research, then, is in determining what filtering is being applied to a given remote computer, identified by its IP address. This IP can then be geolocated with a reasonable level of accuracy using the freely-available MaxMind GeoIP Cities Lite. To this end, we wish to view of the internet as seen by that computer. Tools such as Tor, psiphon and open virtual private networks (VPNs) provide exactly this functionality, but are unfortunately few and far between.

This problem is exacerbated when researching censorship, as redirection services are typically offered specifically to allow users to bypass censorship by routing their connections outside of a filtered area. There seems little incentive for people to offer anti-censorship tool exit points in known filtered locations. Tor, as an example, did not appear to offer any exit relays in mainland China when we conducted our experiments.

Without available services such as Tor, we began to investigate common services that allow connections to be bounced in a similar fashion. We are not interested in using these connections for any significant data transfer, and so even fragmentary information can be useful. With this perspective, DNS, IRC, FTP and others all offer potential informations sources to learn how remote systems see the internet.

It was shortly after beginning to consider these systems, however, that we became concerned with the ethical issues surrounding this type of research. Ignoring more technical approaches, the simplest way to learn how an individual computer’s connection is filtered is by contacting a remote user and asking them to run censorship detection code themselves. Whilst it can be difficult to scale such an approach, a great deal of information can be gained from each experiment run in this way. Unfortunately, probing censorship on the internet almost inevitably involves deliberately triggering a censorship mechanism, by attempting to access a blocked website, by searching for a banned term, or by transmitting data containing filtered keywords. When these attempts are made through a third party’s connection, potentially without their informed consent, consideration must be given as to the level of risk to which that user is exposed.

The nature of the risk can, however, be more subtle than simply coming to the attention of government censors. The Herdict project, a web-based censorship mapping tool, functions by loading potentially blocked pages as an HTML iframe embedded in their webpage, and users report whether the embedded page is visible or not. This embedded page, which loads on screen without warning and which can involve topics such as sexuality and political or religious expression, could cause anything from minor embarrassment to serious social or legal consequences if an unsuspecting user were observed viewing it in certain cultures.

Without an easy answer to these problems, we have limited ourselves to exploring DNS-level censorship. DNS servers are widespread on the internet, are often open to the general internet, and are public services run, in general, by organizations rather than individuals. This allows us to query for sites we believe to be blocked without exposing individuals to any form of risk. Obtaining a reasonable list of DNS servers in China was simple via a request to APNIC. It would also be simple to scan known Chinese IP blocks for open DNS servers, but we felt this to be unnecessary.

With a reasonable list of several hundred DNS servers, we retrieved a list of known blocked domain names from the Herdict project and automated the process of requesting the domain name to IP mapping from the remote DNS servers, comparing the results to those we could obtain from our own unfiltered connections.

Initial results demonstrate a fair amount of DNS poisoning, with fake results reported by several servers for known blocked sites such as facebook.com, twitter.com and wujie.net (the Chinese domain for the UltraSurf anti-censorship product), as well as many others. In a number of cases, DNS servers simply reported fake IP addresses that, on scanning, did not appear to offer any services. In other cases we observed DNS servers forwarding requests to alternate DNS servers, often located in Beijing, that then returned either fake results or no results at all. A number of servers returned no results at all for well-known blocked sites. Despite this, in a good number of cases we did receive genuine, correct responses from DNS servers.

The most interesting result, at a first glance, is the range of responses from the various servers. All possible behaviours, from genuine responses through faked results to no results at all were observed. There does not, from initial examination, seem to be an obvious pattern to the distribution of these different result types. This is doubly interesting in light of the various other methods of censorship, such as deep-packet inspection and TLS resets, that are known to be employed in China and which could be expected to make DNS poisoning unnecessary.

We currently have the raw data gathered from across China and are analyzing it for interesting patterns, we will also be re-running the experiment at regular intervals in order to observe how the patterns of blocking change over time. Of current interest is whether there are significant correlations between the types of filtering employed and the geographical or organizational distribution of the servers; those DNS servers that chose to redirect our requests are also a very interesting avenue of enquiry. Of the faked results received, we have already observed that these are often redirected to a small pool of “sink” IP addresses; whether these sinks are consistent across regions or organizations is not known.

There are many interesting questions to be answered from this line of research, and China is by no means the only country worth investigating. A more general point of interest is how to learn which sites to test for filtering. We have relied, to a large extent, on both the Herdict project’s list of sites, gathered through manual reporting from users around the world, and on our own knowledge of blocked sites. Automating this process of detecting filtered sites is certainly a problem worthy of further attention.

While there are serious legal and ethical limitations to researching censorship directly in this way, means to do so are available and allow scope for much interesting work. I look forward to sharing our results in the future.

Paper: Fine-Grained Censorship Mapping: Information Sources, Legality and Ethics

I was recently invited to speak at Dalian Technical University, in Liaoning Province in Northern China, and took the opportunity afterwards to spend three weeks travelling around China with my family. (Finally putting several years of studying Mandarin into practice, with a reasonable level of success, and having a fantastic time.)

Being in China, I couldn’t help but poke a little at the limitations imposed on my connection. Travelling with 14-month old twins is a full-time job, albeit one that I can highly recommend, which did not leave me a great deal of time to analyse connections. I will therefore only report on my personal experiences and impressions, although the data that I did gather will hopefully be useful for a future paper based on work that I presented at FOCI’11. As such, anyone who knows a little about Chinese state-level internet censorship is unlikely to find anything new here.

In my time in China, I ran simple filtering tests on all the Internet connections to which I had access, covering locations in Beijing, Dalian, Shanghai and Hangzhou. I also took the chance to run code to test local nameservers for DNS manipulation when requesting known blocked sites.

The most notable observations from my own experiences were:

I’m on my way back from the Workshop on Free and Open Communication on the Internet (FOCI) that was held in the last few days at Georgia Tech in Atlanta. Hosted by Nick Feamster, FOCI brought together a number of computer scientists, activists, lawyers and policy makers to discuss the impact of anti-censorship technologies and to think about future directions from a number of angles.

It’s always interesting to see experts on the same topic from different fields together, and FOCI was no exception. Despite occasional diversions into policy-speak or tech-talk that left half the room baffled, I came away more impressed with how often we had managed to cross that barrier.

The technical side of the crowd seemed to have the benefit of more time to present, and so there were thorough discussions on the nature of filtering mechanisms and their technical capabilities as well as details of anti-censorship technologies, particularly Tor. Roger Dingledine gave some interesting, if slightly statistically questionable, numbers regarding Tor usage in various countries during the recent events in the Middle East.

An estimate from Hal Roberts, based on surveys of activist bloggers, was that 3% of worldwide internet users employed some form of anti-censorship tool, including web-based proxies. Tor’s own estimated usage figures, hampered by the difficulty of monitoring use of an anonymising tool, showed usages ranging from the tens of thousands in Egypt down to tens in Yemen. Within the Tor project, active research is focusing on more effectively calculating real usage data. (See https://metrics.torproject.org if you’re interested.)

(Tor’s ongoing efforts to bypass filtering and to improve their system of bridges, as well as to improve the performance and security of their network, remain a seemingly endless source of interesting technical challenges.)

On the legal and policy side it was useful to see the international perspective given substantial time, rather than predicating discussions on the First Amendment and SafeHarbor.

What the discussion highlighted is that, despite the existence of tools such as Tor and their increasing use, censorship is a complex and multi-faceted issue. Tor has done an excellent job on the technical side in combating censorship at many levels of the stack, and has extended that to user education, social awareness and discussions with policy makers. In general, though, it seems that it is at the social level that both filtering and anti-filtering will begin to move.

One observation that I’ve heard elsewhere is that “hard” filtering, such as China’s Golden Shield, are being extensively supplemented or replaced with “softer” filtering that aims to drowns out dissenting views with waves of government-sponsored information. This can take the form of sponsored pro-government views, such as China’s 50 Cent Party posting on blogs, to legitimate pro-government sites. Approaching this from a technical angle is relatively ineffective, although technologies such as authentication and private access still have their role. Means to combat the resources of a major player, such as a state or government, in order to level the playing field of online debate will be an important question in the future.

For me, one of the most important facts to come out of the day is that we need more effective ways of measuring censorship around the world, in terms of methods used, type and extent of filtering and usage of circumvention tools. Existing approaches to measuring censorship require significant human effort, and often report only relatively crude results. Improving and automating the gathering of this information raises some interesting, and very useful, open questions.

FOCI was a good starting point for interdisciplinary work in this area, and I hope it will lead on to similar events in the future.

I have a comment piece in the Guardian today about network neutrality and BT’s Content Connect service. The online version is here.

I’ll let the article stand largely by itself, whilst pleading the difficulty of putting the net neutrality debate across in 800 words whilst simultaneously linking in BT’s Content Connect.

One point I would like to add, for anyone who finds this, is that the term “net neutrality” can be, and often is, very misleading; if you’re new to the subject then “neutrality” almost certainly means something different to what you think it means! Common terms combined with complicated technical subject matter are a recipe for disaster. Tim Wu’s excellent “Network Neutrality FAQ” should be required reading for this subject.

The Guardian article in full:

The desire for high-bandwidth internet services, such as internet TV is placing ever greater demands on the internet’s infrastructure. New technologies are being developed to meet these demands, but companies are increasingly considering new business models. With its Content Connect service, BT has brought itself into conflict with a fundamental design principle of the internet, raising concerns that the drive for profit could lead to changes that will harm consumers and content producers.

The principle in question is that of net neutrality, which broadly states that data passing over the internet should be treated equally regardless of whose data it is. From a user’s perspective this means that your ISP should not, for example, prioritise Google’s traffic to you over Facebook’s. Net neutrality is the cause of much debate and confusion. It is accepted that prioritising one type of data over another is necessary for the internet to function. An ISP will therefore give preference to voice or streaming video data, as these rely on swift delivery to be useful; however, preferentially treating one content provider’s videos over another is considered unacceptable. Differentiation of service should therefore be made solely for engineering or quality-of-service considerations, and not for commercial exploitation.

Proponents of net neutrality, such as the UK’s Open Rights Group, argue that, by treating all content providers equally, the internet provides a level playing field that stimulates innovation and competition. If Google could pay to have their content delivered more quickly than Facebook’s they would have a significant advantage, and smaller companies could be squeezed out of the market. This could result in a higher level of market domination by large companies, and in a “tiered” internet in which access to certain content requires extra payment for premium services.

BT’s Content Connect service is a direct response to a demand for internet TV, and works by reducing the amount of data transferred across the internet by temporarily storing popular content close to end users. From a technical perspective, this is an excellent way to improve content delivery. The controversy is the business model that drives the service. Rather than agnostically storing popular content, such as the latest digital episode of Coronation Street, access is offered by ISPs to content providers such as Google, who must pay to have their content delivered at higher speeds and qualities. This allows those providers that can afford the service a significant advantage over those who cannot, these being relegated to the slower traditional network.

The US has recently passed legislation supporting net neutrality, although the EU has indicated that it views such laws as unnecessary “at this time”. But is net neutrality, as a principle, necessary or even desirable? Opponents have argued that, given the essentially democratic nature of the internet, market forces should be sufficient to regulate companies. If ISPs choose not to carry certain content then their customers will leave them for more content-rich providers. Indeed, by preventing commercial differentiation of services, opponents argue innovation by companies seeking profit will be stifled. BT itself has claimed to support net neutrality as a principle, but stated that “service providers should also be free to strike commercial deals should content owners want a higher quality or assured service delivery”.

As the debate continues, there is increasing pressure from companies to maximise profit while meeting the increasing demands of users. We can hope, and must ensure, that the factors driving the development of the internet sustain it as a free and open medium of exchange, and that the drive for profit is not allowed to override this ideal.

I had been studiously avoiding writing about Wikileaks. I’ve been interviewed a couple of times in the last few days on various aspects of the ongoing saga, though, and it has highlighted some points that I think are worth mentioning. (Slightly misquoted in BBC News online here, and brief comments about digital activism on BBC Radio 4′s World at One, about 25 minutes in, here.)

One of the most interesting aspects of the Wikileaks saga, from the point of view of research into privacy-enhancing technologies, is how totally uninteresting it is. Given that we have spent years researching means for sender- and recipient-anonymous communications and censorship resistant access to content, a hugely subversive and risky site like Wikileaks is nothing more than a website with an encrypted submission form. Use of Tor is advised, but for the highest levels of security postal submission is still considered the gold standard.

In a similar vein, both the attempts to block Wikileaks and Wikileaks’ response to those attempts have been brutally practical and theoretically unexciting. Rather than firewalls and DNS or IP blacklists, we see political and economic pressure on hosting companies and DNS registrars. Rather than untraceable distribution of content and proxying of blocked connections we see Wikileaks’ hosting hopping between countries and companies, and appeals to the community to mirror content widely. Rather than mixes and onion routing, we see reliance on just how difficult it is to track even normal Internet connections in a real-world environment.

For Wikileaks, the danger is largely for contributors rather than the consumers. Viewing Wikileaks is, in most cases, unlikely to have serious consequences for the average reader. Even if it were, the chances of being singled out amongst the millions of hits is protection enough for all but the most paranoid. Submitting documents, however, potentially puts users at great risk. A practical tradeoff between security and usability has been made, though: standard web access is “anonymous enough” even for such potentially dangerous content.

Rather than being concerned with theoretically strong security, privacy or anonymity, Wikileaks’ success has stemmed from the social issues of getting access to information and distributing it. It has developed and promoted a brand, ensuring that it is the market leader for leaks, if not an outright monopoly. The current media storm, involving issues far beyond the original leaked content, is advertising beyond Wikileaks’ wildest dreams, and all but guarantees that the next person who finds themselves holding a potentially explosive set of revelations will be knocking on Wikileaks’ door. Certainly from the point of view of research into censorship-resistance, there are lessons to be learnt here.

Of course I don’t think that technical research is of no use, or that we should stop developing interesting and useful new privacy technologies. Wikileaks is a single scenario with given goals, and there are many cases where we would require different or stronger guarantees of various forms of privacy. What I feel is that, as a community, we need to recognise and interact with the wider issues that surround our technologies. This has been known for a number of years in the security community, where research into security economics and security psychology have produced significant results. When we think about new developments in privacy-enhancing technologies, we need to start thinking in the same terms.

Another media story on China and the Internet has been widely reported today, although with a somewhat depressing lack of detail and excess of hysteria. I was interviewed today on the BBC about the story (my comments start around 01:34) and so spent a while digging into the particulars. I’ll attempt here to present a slightly more balanced and fact-based version of the story as I understand it. A good technical analysis of this incident can be found at BGPmon here, and probably the best I’ve seen so far is at Renesys here.

A recent report to the US government by the US-China Economic and Security Review Commission contains, amongst other reports of potential national security threats to the US from China, mention of an incident in April 2010 in which a significant minority of Internet traffic was briefly and erroneously routed through China. The incident lasted approximately 18 minutes, and affected 15% of Internet destinations.

The headlines report that “China hijack 15% of the Internet”, whilst somewhat breathlessly informing us that US military and government traffic was affected. The original report[1] points out that there is no evidence that this occurred intentionally, but the term “hijack” leaves the interpretation of malicious intent which, of course, makes for a more exciting story.

While the obvious question to be answered is: “how did this happen?”, we might also wonder what exactly is meant by “15% of the Internet”. Luckily, the answer to the former helps with answering the latter.

Without going into too much detail on exterior gateway protocols such as BGP, this situation came about due to a fundamental design issue in one of the underlying protocols that controls the Internet. Simply speaking, when data passes over the Internet it travels across a number of networks en route to its destination, with the precise route being determined according to which networks can most efficiently pass data to that destination at a given moment. This simple approach provides reasonably high levels of performance and robustness.

Unfortunately, from a security point of view, the information used to plan the best path comes from servers belonging to individual telecommunication companies, and is largely taken on trust by other servers. The servers provide authoritative routing information for certain networks, defined by IP prefixes, or ranges of IP addresses.

In the case of the April 2010 incident it appears that servers operated by [2], affecting approximately 100,000 prefixes, making that a much larger incident. In 2008 a provider in Pakistan, in attempting to block YouTube internally, caused Internet-wide routing to route YouTube through Pakistan and thus blocked the system for the entire Internet.

[1]: http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
[2]: http://en.wikipedia.org/wiki/IP_hijacking
[3]: http://www.ripe.net/news/study-youtube-hijacking.html

There’s been quite a media buzz in the last few days regarding the ability of Amazon’s new 3G Kindle to bypass China’s Great Firewall[1]. I was recently interviewed on BBC World News about how the Kindle does this, and what some of the implications are. As I had about two minutes to put that across in the interview, I’ll expand slightly on the story here.

In brief, the latest generation of Amazon’s Kindle has a web browser along with its free integrated 3G connection. The Kindle isn’t officially available in China, but is easy to find on the grey market and is apparently quite popular. One user recently noticed that browsing to blocked websites, such as Twitter and Facebook, appears to bypass the firewall.

Why does this work? When I heard the story I had an immediate suspicion, and a quick play with my own Kindle confirmed the answer. Amazon have, apparently unintentionally, implemented a common anti-censorship technology in the way that the Kindle handles web requests: it bounces its connection through a proxy server located outside of the censorship zone.

The Kindle is mainly designed to download books from Amazon via their Whispernet service. It appears that when you browse the web, the same connection is used; rather than connecting directly to website, you connect to Amazon’s servers first, which then forward the request to the website.

The result of this is that the Great Firewall, and presumably any national filter such as those implemented in Turkey, only see a perfectly legitimate connection to Amazon. This approach is very similar to that used by Tor, Psiphon and other intentionally censorship-resistant systems.

How easy would this system be to block? Given that the Kindle is not officially available in China, the simplest and most cost-effective approach would seem to be blocking access to the entire Whispernet network. This would prevent legitimate Kindle users from accessing the system in China, but that hardly seems a great concern from China’s point of view.

Another approach would be for China to request that Amazon route all Whispernet connections originating in China through a server behind the Great Firewall. Requiring Amazon to filter requests themselves according to a list provided by the Chinese government would also be possible, but seems an unnecessarily complicated approach.

Enforced filtering, along with a number of other factors, eventually caused Google to leave the Chinese market. It seems unlikely that Amazon would be quite so willing to leave if forced into a similar situation. Google, at their best, were a relatively small presence on the Chinese Internet alongside major players such as Baidu. Amazon, however, through amazon.cn have a much more significant presence, and investment, in the Chinese market.

Realistically, however, China are unlikely to invest significant effort in blocking the Kindle. Despite reports of its popularity the device is not on general sale, and the numbers sold currently seem to be in the low thousands. With a population of over 1.3 billion, there are much more significant targets.

Practically speaking, the Kindle is also expensive in Chinese terms. Searching on taobao.com, China’s equivalent to eBay, shows Kindle 3G prices around 1,099RMB (around £105 or $165), which is out of the range of most Chinese. Additionally, the Kindle’s e-ink screen is monochrome and slow to refresh, making it unsuitable for normal web browsing. Compared with direct anti-censorship technologies, such as Tor or Psiphon, running on a standard PC, the Kindle is very much a poor third option.

Censorship, such as that in China, is most important through its effects on the society as a whole, where access is blocked to the vast majority of the general populace. It would be futile, and ultimately unnecessary, for the Chinese government to expect their system to be absolutely effective. Whether the Chinese government, or indeed any government that engages in broad-scale filtering, would share that viewpoint is another matter. Regardless, blocking the Kindle seems unlikely to be high on the list of priorities.

One potential risk to Amazon is how effectively they restrict access to Whispernet for non-Kindle users. If it were feasible for a normal user to proxy their web requests via Whispernet then it would provide a significant and, presumably, high capacity uncensored relay. In that, perhaps unlikely, scenario Amazon could find themselves in the unenviable position of unwittingly providing corporate sponsorship to anti-censorship activists all over the world. If that were to happen it is almost certain that both China and Amazon would take much more significant notice of this technical curiosity.

In a wider sense, this discovery highlights just how difficult it is to control absolutely the flow of information. China’s firewall is a massive engineering project, and is largely successful in its goals of regulating the content available to the Chinese public. That the Kindle has, entirely by accident, bypassed such a well-funded and pervasive government-level system is worrying for the designers of such systems, and encouraging for those that oppose them.

[1]The Great Firewall of China is officially referred to as the “金盾工程” (jīndùn gōngchéng), or “Golden Shield” within China.