Nart Villeneuve

“I do intend to carry out a clear exploring exercise with the private sector … on how it is possible to use technology to prevent people from using or searching dangerous words like bomb, kill, genocide or terrorism,” Frattini told Reuters.

Wow.

Searching for such words brings up quite a number of non-bomb-making-instruction sites, forcing search engines to not allow searches for such generic terms is ridiculous. The top results for a Google search for “genocide” for example returns a Wikipedia entry, a site dedicated to stopping genocide in Darfur among others. That much is obvious.

Perhaps EU Justice and Security Commissioner Franco Frattini meant that specific sites, such as sites with instructions on how to make a bomb, should be removed from search engines. In this scenario it is not that a user cannot search for the word “bomb” but if such a designated web site were to appear in the results it would not be shown to the user. This is what is already done by search engines in regard to copyright violations, hate speech, libel/defamation an any other “legal” request (such as news & politics websites that the Chinese government deems illegal). It would be fairly simple for the EU to request that search engines de-list certain sites, but of course, this comes with all the baggage of filtering systems (over-blocking, under-blocking & circumvention).

The above concerns aside the proposal is actually even more misguided. It assumes that search engines are the only way to access information. Such a policy would not take into account direct access to such sites, links fro other sites, especially forums, chat rooms, IM’s and so on. It is a shortsighted policy that appears to be mostly for show in the same vein as Seth Finkelstein argues about the deployment of censorware:

…governments end up giving money to these companies for the political benefits of being able to Do Something About The Problem (no matter the flaws).

The “wanting to do something” sentiment appears strong in this case as does the lack of careful consideration.

Media coverage of Internet censorship is usually framed through one of two lenses: The “1984″ approach overstates censorship capabilities claiming that legions of internet police monitor everything in “real time” and are just one kick away if you make the wrong click. The “technoptimist” approach understates censorship capabilities and claims that circumvention technology is proliferating and the internet is a democracy-battering-ram chipping away at the crumbling walls of oppressive regimes.

Recent coverage of the protests in Myanmar/Burma have generally been falling into the latter camp. Noting that, according to ONI, Myanmar/Burma has one of the most restrictive Internet filtering systems in place this article wonders why information about the protests is getting out. It claims that “the cyber-reality in Myanmar is actually much less restricted than ONI’s research indicated” because circumvention technologies are available to citizens.

Filtering technologies seek to keep citizens inside Myanmar/Burma from have access to sites hosted outside — it does not say much about keeping information from moving in the opposite direction. Why? Because sites are filtered when they are contextually important, become well known, and/or can reach a large audience. For information to flow from a few to these sites if far harder to control than the information from these few sites to the many.

Similarly, while there are censorship circumvention technologies readily available these are used by the few not the many for a variety of reasons including fear of being caught, lack of technical ability, or just now knowing (or caring) about them.

Internet censorship regimes, such as Myanmar/Burma’s, are effective not because they can filter out all the content they want but because their filtering systems are backed up by other forms of repression that force users into a condition of self-censorship where they will not seek out banned content (the filter is just a reminder) let alone seek to violate their countries laws and put themselves at risk by using circumvention technologies.

So the reality is actually somewhere in between. While the majority are kept in line by the filtering matrix, there is a still resistance. Determined Internet users can use a variety of methods to bypass censorship while others speak out publicly and risk repression. All of this slowly widens the scope of accepted speech within these confined spaces — not cataclysmic event.

wordpress.com — a blog hosting service which hosts nearly 1.4 million blogs — is now blocked in Turkey and Thailand.

Wholesale blocking of blog hosting services is unfortunately becoming more common place. Ethiopia, Pakistan, Iran, Syria and China block all of blogspot, for example, and India, Tunisia and UAE selectively block some blogspot blogs.

So, I was doing some searching in google and baidu and noticed two sites (that appeared to be the same) voanews.cn and voanews.com.cn. Upon visiting voanews.com.cn I was surprised to find myself end up at google. voanews.com.cn, like voanews.cn should resolve to 218.25.59.214, not google.

The other thing that stood out was that these sites did not appear to be the Voice of America. And they are not. You can lookup the registrar here. The Registrant Name is 慢速英语 which babel translates as “Slow English” which gave me a chuckle.

I did some more tweaking and voanews.com.cn is being subjected to a form of DNS tampering because it has “voanews.com” in it. It looks like China is bringing back an improved version of their old DNS spoofing. Rather than messing around with individual DNS servers, China has implemented a system which appears to operate like the RST/Keyword filtering system (see this paper for technical details).

DNS lookups for voanews.com (or voanews.com.cn) will return one or more of the following 4 IP’s:

voanews.com has address 213.169.251.35
voanews.com has address 209.36.73.33
voanews.com has address 72.14.205.99
voanews.com has address 72.14.205.104

The last two by the way are google IP addresses. Weird.

But if you sniff the connection you’ll see that what happens is after the request is made 4 spoofed results are received although eventually the correct result is received. But by the time the true result is received applications relying on a dns lookup (e.g. a web browser) have already accepted the initial spoofed result.

ME	->	CN	DNS	Standard query ANY voanews.com
CN	->	ME	DNS	Standard query response A 72.14.205.99
...
CN	->	ME	DNS	Standard query response SOA auth00.ns.uu.net MX 20 ibb2.ibb.gov MX 30 ibb1.ibb.gov MX 10 voa2.voa.gov A 128.11.143.113 NS auth00.ns.uu.net NS auth100.ns.uu.net

Domain Name System (response)
        voanews.com: type SOA, class IN, mname auth00.ns.uu.net
        voanews.com: type MX, class IN, preference 20, mx ibb2.ibb.gov
        voanews.com: type MX, class IN, preference 30, mx ibb1.ibb.gov
        voanews.com: type MX, class IN, preference 10, mx voa2.voa.gov
        voanews.com: type A, class IN, addr 128.11.143.113
        voanews.com: type NS, class IN, ns auth00.ns.uu.net
        voanews.com: type NS, class IN, ns auth100.ns.uu.net

ME	->	CN	ICMP	Destination unreachable (Port unreachable)

A variety of other domain names are affected, not just voanews.com.

For the most part* the GFW blocks in two ways:

1) IP blocking
2) Keyword in url blocking

IP blocking is pretty easy to spot, traceroute will fail at the backbone level in China, and there will only be outgoing syn packets to the IP, the 3-way tcp handshake will never be established. (Note: all domains hosted on that IP are affected).

“Keyword-in-URL” blocking is different and sometime s a bit awkward. First, the keyword-in-url filtering is bi-direction so you can trigger it from outside -> to -> China or from China -> to -> outside.

Second, “keywords” can be domains themselves, I’ve even seen URLs used as a “keyword”. If these keywords appear in the HTTP Host header or in the GET request they will be “blocked”.

Third, the way the blocking works is that the 3-way TCP handshake will be established but when the GET request goes through the GFW sends RST packets to both the requester and the host (spoofed to appear as if they were from one another) to tear down the connection then host and the requester respond to each other with more RST packets. (There is some additional variation, but thats the basic version, see Steven Murdoch et al’s paper http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf for more details).

The tricky part is that depending on the GFW (maybe related to the load) some of the transaction will go through. So for example, you may get half (or more!) of the html before the RST packet. Also, part of the page may load because, for example, it is not until an image with a keyword in its file name is loaded that the RST packet is sent.

Finally, the most tricky part. Because of the combination of additional RST packets from the GFW (and then the RST from the requester and host in response) further connections between the requester and host (not the internet as often reported) are disrupted for sometime. This means that if you are in China and you connect to Google (hosted outside of China) and you search for a banned keyword (the keyword goes into the GET request) you’ll be blocked. If you hit the back button in your browser and get the cached copy of Google and then search for a NOT blocked keyword it will appear to be blocked because your connection to Google is still being subjected to RST packets. This sometimes results in reports that certain keywords are blocked when in fact they are not.

Another important point to recognize is that this is dependant upon IP address. So, if the site you connect to has multiple IP addresses the behaviour may seem even more consistent and you requests may be being server by different IP addresses. For testing purposes it is best to connect directly to an IP rather than a domain name to ensure that you are always connecting to the same IP.

On June 27 2007, I captured traffic between myself and yahoo.cn (hosted in China, as well as some other hosts in China) using “.yahoo.com” (yes, that starts with a period, e.g. if affects all *.yahoo.com domains including mail.yahoo.com) and can confirm that it was subjected to the “keyword-in-url” blocking behaviour with “.yahoo.com” as the keyword.

However, and this is my opinion, the RST packet were quite slow to respond. In some cases the RST did not come until after the page loaded successfully (future connection were subjected to RST’s). It is possible that many requests for “.yahoo.com” were causing the GFW to slow down, anecdotaly the RST packets were not being received as fast as they usually are.

On June 28 2007″.yahoo.com” is no longer blocked by China.

Tunisia uses commercial filtering software called SmartFilter , which is produced by the U.S. company Secure Computing, to filter Internet access in Tunisia. This software is configured to blocked pre-defined categories of content – content classified by SmartFilter – including at least four SmartFilter categories: Anonymizers, Nudity, Pornography, and Sexual Materials.

Tunisia’s Internet filtering is done in a non-transparent way. When users attempt to access a blocked page, they are not informed that the page is filtered, but instead merely receive a standard error message, a 404 “File Not Found” error. However, the actual HTTP header, is not a 404, but a 403 Forbidden error generated by the filtering system SmartFilter, in conjunction with NetCache caching servers. SmartFilter can be configured with a blockpage that indicates to users that the site has been blocked and why, however, unlike other countries using this exact same filtering system, Tunisia has copied the text from the Internet Explorer 404 page, and used this as a blockpage to make the filtering appear to be an error.

(See Astrubal’s detailed explanation here).

Recently, the video-sharing web site dailymotion.com was blocked in Tunisia. It was blocked because SmartFilter categorized the web site as pornography, and, since Tunisia blocks the pornography category the web site was blocked. Some time bewteen April 4, 2007 and April 9, 2007 SmartFilter removed dailymotion.com from the pornography category.

It is being reported that access to the site is available through at least one ISP in Tunisia. Depending on how frequently the various filtering and cache server’s update there wil likely be some variation acroos ISPs for sometime. Eventually, full acess should be restored. (Tunisia could, as they do with a varity of other content including humrn rights information, add the website as a custom url on top of their SmartFilter categories and intentionally block the site if they choose to do so).

This is a very significant case as it demontrates how the decisions made by filtering companies affect Internet access in entire countries.

As someone who tests Internet censorship for a living I receive a lot of requests such as “is my website blocked in country x” or “why is my website blocked in country x, I don’t have anything on my site that country x would want to block” and so on. Determining that a website is inaccessible is different than determining if it is being deliberately blocked. And even when it is blocked there are often mundane, alternative explanations. There is also the country’s filtering infrastructure to account for. In countries that deploy a centralized filtering system blocked content is generally uniform. But other countries delegate filtering responsibilities to individual ISPs, in those cases there can be considerable differences.

In places such as Saudi Arabia, which has centralized filtering, when you visit a blocked site you receive a “block page” that informs you that the site has been deliberately blocked. Pretty straightforward. Still, there is one additional factor to consider. Saudi Arabia, Tunisia and several other Middle eastern and North African countries, use the commercial product SmartFilter (by U.S. company SecureComputing) to filter. Some of the sites are blocked because they appear on SmartFilter’s proprietary block list while others have been added by the Saudi authorities.

To account for this one can lookup a site in SmartFilter’s database and see how it is categorized. In countries that block the category pornography, for example, sites that are classified — or incorrectly classified — as porn will be blocked. (In Saudi Arabia specifically, they have added a tag to the blockpage that differentiates between SmartFilter blocked sites and sites the Saudi’s have added — it is reasonably accurate).

Although Tunisia deploys the same filtering software as Saudi Arabia they attempt to disguise their blockpage as a generic “Internet Explorer” 404 error. In the past ONI/HRW identified,tested and confirmed that misclassified sites — categorized as porn — were blocked in Tunisia because they filter SmartFilter’s pornography category.

The website http://www.dailymotion.com/ reported to be blocked in Tunisia. Although there are political videos hosted on the site that are critical of Tunisia the site is also categorized by SmartFilter as pornography. It is very easy to add websites — including specific URLs — to SmartFilter to block. This is what countries do when they add their own content to block — usually political content — on top of SmartFilter. If Tunisia added the block (they have to unblock it first because it is blocked as part of the pornography category) they could have just added the specific URLs, however, countries often do not care about collateral blocking. (See Thailand’s blocking of YouTube.) Still, I think that the more mundane — over-blocking as a result of SmartFilter categorization — applies to the Tunisian case.

In other countries, such as China and Pakistan, they block IP addresses. This causes all other sites hosted on that IP address to be blocked. If your site is hosted on a huge server farm it is quite possible that it is sharing a single IP with tens of thousands of other sites. If one of those sites is targeted, and they block the IP, your site will be blocked too. (A corollary of this is that if the host changes the IP your hosted on you will be accessible (sometimes mistaken for unblocking).

A recent report notes that the site www.communication-sensible.com is blocked in China. It is blocked in China, the IP address it is hosted on is blocked. However, It is hosted on a massive server farm. According to domaintools.com there are 39140 domains hosted on this IP address (213.186.33.19).

This IP has been flagged as hosting phishing sites and hosts porn sites (the IP is on squidguard’s block list and the IP is also on ProtectiveParenting’s proxy host list, proxies are used to circumvention censorship.)

In addition to blocking IP addresses China also uses uses tcp reset packets to terminate connections based on keywords. (See Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson’s paper “Ignoring the Great Firewall of China“)After triggering the filtering mechanism further connections between the two hosts will also be blocked for a varying period of time. The filtering is bi-directional — it affects in-bound traffic to China as well as outbound traffic from China.

I’ve found that for sites that are of particular concern, the domain itself (sometimes even a url path!) are added as keywords. It is important to remember that the keywords in the body content of a page do not trigger filtering, keywords that appear in a url path (get request, host header) trigger the filtering. By adding the domain name itself searches that contain the domain, unencrypted/unencoded proxies, search engine cache links, mirror sites that have the domain in the url and so forth are also all blocked. The domain www.communication-sensible.com is not blocked in this way.

Here is a post from 2005 showing that a traceroute request to 213.186.33.19 does not go past the Chinese backbone/gateway (where the filtering takes place). It is possible that this IP has been blocked since 2005.

Sometimes things are a bit more complicated than they seem, but hey, other times they are not.

Recently Google changed the IP address of its blogspot blogging service. This caused the site to become accessible in all countries that blocked the site by its IP address –including Pakistan and China. China and Pakistan did not unblock blogspot, rather it became available because of actions taken on Google’s part. Well, the new blogspot IP is now blocked in China, but it is still accessible in Pakistan.

Iran has, however, unblocked Baztab, a conservative news website. Hoder wrote about this case about a month ago:

The Iranian cultural ministry has now ordered all major ISPs to block Baztab, a news website close to moderate conservatives and linked to an influential former commander of the elite revolutionary guards. It has also demanded the website to stop its activities.

But the well-connected editors of Baztab have hit back. They have refused to stop publishing new articles, have called the order illegal and illegitimate, and have also said they are going to bring the case to court.

They have argued that it is only the judiciary has the constitutional authority to decide weather a website has violated laws. They have also disputed the legality of a set of regulations passed in the governemnt cabinet last month to be executed by the ministry of culture.

Hoder argued that “by pushing for the judiciary to take up the responsibility of internet filtering, Iranian internet users can slow down the process of filtering, hold the authorities accountable, and force them to make the behind-the-scenes process transparent.”. When I linked to this article a while back, a comment was posted which stated that “[i]n Iran it is the judiciary that has spearheaded the arrest and torture of bloggers.”

This is an interesting case. One of the recommendations of the HRW report on China is:

Create formal, well-documented and legally transparent processes by which content censorship requests are made to companies, formal written procedures by which companies can challenge or respond to censorship requests, and formal, transparent legal procedures by which members of the Chinese public can safely and fairly challenge the legality of any act of censorship without fear of reprisal.

HRW reccomends that Iran “should further seek to pass new laws that affirmatively protect the right to freely access or disseminate information or opinions and clarify the narrow circumstances in which government interference would be warranted according to international standards.”.

The unblocking of one website — one run by well connected people — is a small victory but it could be very significant. If the procedures for determining content to block become transparent, if there is an appeals process and some level of accountability I believe it becomes increasingly difficult for governments to justify censorship. I believe, as recommended by HRW, that this process needs to be accompanied by movements to affirmatively protect freedom of expression as well.

FT has recently run a series of articles on internet censorship. Each touches on an interesting theme.

• Dissidents find ingenious ways to hide digital traces

TOR can be used for both anonymity and censorship circumvention, but while “anonymous” proxies can be used for censorship circumvention they not really anonymous. A “proxy” may sheild your identity from the website you are visiting but it does not hide you or anything you are doing from the owner of the proxy. And if the proxy is not encrypted — most of the “open” proxies are not — then anyone monitoring Internet traffic can also see everything you do through the proxy. TOR, on the other hand, encrypts your traffic and hides what you are doing from the TOR network itself, it is hardly comparable to “open” proxies. I have not looked closely at GPass, but it appears to be an encrypted Socks proxy, and if so, is not anonymous — all traffic through it can be viewed by the owners of GPass. (And you don’t have to use Swedish Google, Google just redirects you to the localized version, you can always click the google.com link and use google.com).

• Repressive governments widen stifling techniques

It is not only “repressive” governments that are increasing their level of filtering and employing new techniques (new techniques for the country, not for filtering in general), countries such as India and Thailand are filtering as well. There is a tendency to analyze all regulations and restriction in particular countries, such as China and Iran, out of context. For example, there is a tendency to think of China’s Internte cafe’s as places teeming with cyberdissdents and therefore when China closed many and instituted restrictions after a deadly fire in an unlicensed cafe many interpretted it as a crackdown on free expression. I think that the Iranian bandwidth limitation story may prove to go this way as well — it’s more likely to do with porn than with politics. But, hey, I could be wrong.

Human rights groups and NGO’s worldwide have long protested that they are often the victims of state surveillance, computer breakins and denial of service attacks. ONI has documented an attack on Kyrgyz opposition newspaper websites during that countries elections in 2005 and there have been reports of such Denial of Service attacks during elections in Belarus as well. What is new is not the technique but the correlation between the target — important opposition website — and the time period — during an election. Denial of Service disrupts access to a website for everyone — as opposed to filtering which would only block it from the affected location. It also provides deniability on the part of the government. In the Kyrgyz case, the attacks appear to have been conducted by a “botnet for hire” leaving the conection to the government circumstantial. This is a trend we will probably see more of especially in countries that don’t have a national filtering system (or officially filter very little content).

• Web censorship spreading globally

A good article about the forthcoming ONI study, however, some instances listed as “new censorship techniques” are not really new at all. They may be new to certain countries, but they are standard filtering techniques. And there is not yet evidence that Zimbabwe is censoring the Internet, let alone using the same techniques as China. I have heard reports about this, but even if they are true, it has not been implemented.

Athough Blogspot is currently accessible in Pakistan the block has not been lifted.

In the past the blogs at *.blogspot.com were on one IP — blocked in Pakistan — while the interface to update your blog at blogger.com was on a different IP — unblocked in Pakistan. So you could update you blog, but you could not access it at the *.blogspot.com address (or any other blogs on blogspot). Google recently upgraded Blogspot — it is no longer “beta”. This resulted in several changes including the ability to login to all your Google services including Blogspot from one account. Quite simply, the IP address of *.blogspot.com has been changed. the new IP address is accessible, the old IP address is still blocked.

Global Voices reports that Dr Awab Alvi from the co-founder of the Pakistani “Don’t Block The Blog” campaign suggests that he “would not be surprised to see some blocking to come again.” The authorities have also stated that they are “are still filtering the websites”.

I have been wanting to build something monitor this for quite some time, especially after reading about the availability issues of wikipedia in China.

More… »

Not content to block Yahoo’s hosting service causing tens of thousands of websites to be blocked, it is now being reported that the Pakistan’s ITI is now blocking some Akamai servers. Because they block by IP address, all other content hosted on the server will also be blocked. This has resulted in massive overblocking.

The PTCL starting blocking Internet Protocols at its key gateway—ITI Karachi—(technically termed Router) which handles 95 per cent or more of Pakistan’s Internet traffic passes. The Internet-users have been facing problems intermittently in accessing websites of CNN, BBC, Yahoo, Microsoft, download.com, Symantecs, etc.

In other words, the PTCL has blocked some sites of www.akamai.net at their Karachi gateway exchange. Akamai.net has hundreds of servers, hosted across the globe, to provide content to a myriad of websites.

I’ve found that when a handful of sites are blocked, (the number of officially blocked websites is fairly low the orders sent to ISP’s here, here and here) many people don’t really care. What they don’t realize is that inevitably sites that were never intended to be blocked will be blocked and once in place it is far too tempting for governments not to extend the use of filtering regardless of the original justification for implementing it.

Overblocking tends to create a significant backlash, especially from non-activist Internet users. While people can often tolerate the blocking of some sites (often extremist, or offensive etc…) it does not significantly impact the experience of everyday users. But when people’s regular browsing and blogging is interrupted they quickly become aware of censorship’s impact and campaign against it. An excellent example has been the “Don’t Block the Blog” campaign in Pakistan which was started after Pakistan blocked access to Blogspot. pkblogs.com offers an alternate means of accessing Blogspot, bypassing the ITI’s filtering.

However, in response the authorities will often seek to implement filtering techniques that better target the specific sites they want to blocking while minimizing the overblocking. We’ve seen the case in India, for example, where public outcry about overblocking led the authorities to send out instructions on DNS tampering so that IP blocking could be avoided. Hopefully, even when Pakistan refines its filtering techniques and does not block all of Blogspot, Yahoo’s hosting, and Akamai the movement against Internet censorship will be strong enough to continue the struggle against it.

I just noticed that Yahoo now provides a link at the bottom of their China (search.cn.yahoo.com) search engine in their generic “censor message” that links to a page that lists the URL’s t

雅虎搜索结果均来自相关来源网站，根据有关法律法规和政策，部分搜索结果可能未予显示。
根据《信息网络传播权保护条例》未予显示的结果，请点击这里查看。

The page appears to list sites that have been removed due to copyright violation. It does not list, for example studentsforafreetibet.org which simply contains zero results.

An AP report suggests that many anti-government sites are blocked in Cuba.

He defended Cuba’s “rational and efficient” use of the Internet, which puts computers in schools and government computer clubs while prohibiting home connections for most citizens and blocking many sites with anti-government material.

Now, it is a bit unclear if the Cuban Communications Minister, Ramiro Valdes, said that “many sites” are blocked in Cuba or if it is AP editorializing but its been my limited experience with the Cuban Internet that in fact very few sites are blocked.

This is also backed up by an RSF report:

At the Correos de Cuba and the hotels, you have access to practically all news websites such as emonde.fr, bbc.com, El Nuevo Herald (a Miami-based Spanish-language daily) and even to dissident sites. This is also the case for government employees with a computer and Internet access.
…

There is hardly any censorship of the Internet in Internet cafes. Tests carried out by Reporters Without Borders showed that most Cuban opposition websites and the sites of international human rights organisations can be accessed using the “international” network. In China, filtering for key-words makes it impossible to access webpages containing “subversive” words. But, by testing a series of banned terms in Internet cafes, Reporters Without Borders was able to established that no such filtering system has been installed in Cuba.

There is evidence of systems of control and surveillance but a massive filtering system does not seem to be one of them.

The Toronto Star reports:

Canada’s biggest Internet service providers have agreed to block hundreds of offending websites in an effort to stamp out child pornography.

Telecom companies such as Bell Canada, Rogers, Shaw, SaskTel, Telus, Videotron and MTS Allstream are partnering with Cybertip.ca to launch “Project Cleanfeed Canada” that will block between 500 and 800 offending websites.

Cybertip.ca, a national child sexual exploitation hotline, will provide the names of sites to be blocked. The hotline relies mostly on tips from the public.

Some good discussion over at Michael Geist’s blog.

RSF has released a new report on Cuba. The report reflects experiences I have had testing the Cuban Internet, very few sites are blocked. The report notes that expensive, restrictive access and slow speed (lack of fibre optic cables due to the US embargo) are the main issues.

This, however, is the first time I’ve heard of the local software installed on PC’s. The software described appears to be some sort of key logger.

One of the things I noticed a lot of people are doing, and it is noted in this RSF report is saving emails in a “draft” folder instead of sending them thinking that it will protect them from electronic surveillance. In most cases it is either irrelevant or not protecting you at all..
More… »