Lessons On Censorship From Syria's Internet Filter Machines

from the https-matters dept

Norwegian writer Mette Newth once wrote that: "Censorship has followed the free expressions of men and women like a shadow throughout history." As we develop new means to gather and create information, new means to control, erase and censor that information evolve alongside it. Today, that means access to information through the internet, which motivates us to study internet censorship.

Organizations such as Reporters Without Borders, Freedom House, or the Open Net Initiative periodically report on the extent of censorship worldwide. But as countries that are fond of censorship are not particularly keen to share details, we must resort to probing filtered networks, that is, generating requests from within them to see what gets blocked and what gets through. We cannot hope to record all the possible censorship-triggering events, so our understanding of what is or isn't acceptable to the censor will only ever be partial. And of course it's risky, even outright illegal, to probe the censor's limits within countries with strict censorship and surveillance programs.

This is why the leak of 600GB of logs from hardware appliances used to filter internet traffic in and out of Syria is a unique opportunity to examine the workings of a real-world internet censorship apparatus.

Leaked by the hacktivist group Telecomix, the logs cover a period of nine days in 2011, drawn from seven SG-9000 internet proxies. The sale of equipment like this to countries like Syria is banned by the US and EU. California-based manufacturer Blue Coat Systems denied making the sales but confirmed the authenticity of the logs – and Dubai-based firm Computerlinks FZCO later settled on a US$2.8 million fine for unlawful export. In 2013, researchers at the University of Toronto's Citizen Lab demonstrated how authoritarian regimes in Saudi Arabia, UAE, Qatar, Yemen, Egypt and Kuwait all rely on US-made equipment like those from Blue Coat or McAfee's SmartFilter software to perform filtering.

This technology is extremely powerful as it can perform deep-packet inspection, that is, examining in detail the contents of network traffic. They provide censors with a simple interface to fine-tune filtering policies, practically in real time.

Inside a censor's mind



At the recent ACM Internet Measurement Conference, we presented our paper detailing the relatively stealthy but targeted censorship system that we'd found from examining the logs.

Internet traffic in Syria was filtered in several ways. IP addresses (the unique addresses of web servers on the internet) and domain names (the URL typed into the address bar) were filtered to block single websites such as badoo.com or amazon.com, entire network regions (including a few Israeli subnets), or keywords to target specific content. Instant messaging, tools such as Skype, and content-sharing sites such as Metacafe or Reddit were heavily censored. Social media censoring was limited to specific content and pages, such as the "Syrian Revolution" facebook page.



The appliances were sometimes misconfigured, meaning the filter caused some collateral damage – for instance, all requests with the keyword "proxy" were blocked, probably in an effort to curb the use of censorship-evading proxies, but this also had the effect of blocking adverts and certain plug-ins that had no relation to banned content.

We found that Syrian users did try to get around the filters, using tools such as Tor, or virtual private networks (encrypted tunnels between two computers using the public internet), and that these were fairly effective. We also noticed that some tools not necessarily designed with circumventing censorship in mind could also be used to access blocked content – for example using peer-to-peer programs such as BitTorrent to download blocked software (such as Skype) and using Google Cache to access (over HTTPS) cached and mirrored versions of blocked web pages.

Avoiding the censor's knife



What emerges is the importance of encrypting web traffic by using secure (HTTPS) rather than standard (HTTP) web browsing. Many requests caught by the filter were only possible because keywords in the content of unencrypted network traffic could be read by the appliances. If traffic is encrypted, the page requested from the target domain, or a specific keyword in the request are not accessible. Through their efforts to enforce HTTPS by default, providers like Google and Facebook are taking steps in the right direction. They also serve a double purpose: protecting users' privacy against mass-surveillance, while also making it harder to implement fine-grained censorship policies.

We did consider that our work might help organizations on both sides of the censorship line. But we decided to publish because we believe that evidence-based analysis of censorship practices can help understand the underlying technologies, policies, strengths and weaknesses – and can inform the design of tools designed to evade the censor's knife.

While Western countries rely on export regulations and sanctions to restrict the worldwide availability of surveillance and censorship technologies – while apparently deploying them for their own use, as the Snowden files have revealed – it is time we had an open debate about their effectiveness and what can be done to limit their proliferation.

The Conversation

Emiliano De Cristofaro does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. This article was originally published on The Conversation. Read the original article.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: censorship, https, syria, telecomix


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Marak, 27 Nov 2014 @ 1:07am

    That was an interesting read, thanks for the crosspost. I do wonder if we switch to https what the next fine grained blocking system is and how it will be implimented.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 27 Nov 2014 @ 1:56am

    Re:

    I can give you a partial answer/guess to that.

    It'll be done inside so-called "social media". The corporations running those sites will be told that if they wish to do business in country X, they will need to cooperate with country X's censorship/espionage requirements...and they'll do it because of course they don't give a damn about the privacy or security of their users: they care about profit, always profit and only profit.

    The UK is already doing this: https://firstlook.org/theintercept/2014/11/26/campaign-shame-social-media-companies-acting-spy-agent s-national-security-state/

    They're not the only one, of course. And most of it will happen in private and never be reported. But quietly, over time, the infrastructure will be built to allow countries to monitor and control the activities of their citizens on "social media" sites. So it won't matter how they reach those sites: https, VPN? Irrelevant. Everything will be dutifully logged and compiled, then reported back to the country in question.

    Publicly, those companies will continue to prattle -- as they have -- about "respecting users" and "improving the experience" and so on. Privately, they will give any country anything they want -- particularly if they get paid for it -- because they lack both the ethics and the courage to say no.

    And countries will be, as always, silent about where they get their information from. (Parallel construction is not a uniquely US thing, you know.) And the idiots, the profoundly stupid and incredibly naive idiots, who think they can organize a "Syrian revolution" or whatever on Facebook, will actually be surprised when they're rounded up and shot -- because every single thing they've ever done on Facebook has been transmitted to the Syrian government's intelligence agencies in real time.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 27 Nov 2014 @ 2:00am

    Re: Re:

    These days the only people who want the "revolution" in syria are working with either al-quaida or IS. I agree with you, blocking its facebook is not the best thing to do. They should do it like the US does, allow people to talk about it and put them on watchlists.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 27 Nov 2014 @ 3:14am

    Re: Re: Re:

    These days the only people who want the "revolution" in syria are working with either al-quaida or IS.

    and if they succeed then they will inherit this technology and use it to censor any reasonable criticism of (their brand of?) Islam. Come to think of it several of the other states mentioned already do this - which is a big part of the problem.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 27 Nov 2014 @ 3:29am

    Re: Re: Re:

    They should do it like the US does, allow people to talk about it and put them on watchlists.

    Extreme authoritarianism defines what people can think, and so use censorship to try and control what ideas are in circulation. A watchlist approach does NOT prevent banned ideas from being circulated.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 27 Nov 2014 @ 4:42am

    Re: Re: Re: Re:

    No it doesnt, but it makes it easier to monitor those extremists and identify their leaders. So if those extermists would want to change something then all the government has to do is put away the leaders, who are dumb enough to discuss their things in public.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 27 Nov 2014 @ 5:45am

    i hope Cameron in the UK doesn't see this. he's on a 'censorship trip' there, but strangely enough, it's to cater for the (mostly) USA entertainment industries. i wonder what encouragement he's had to make him pull such a shit trick on the people of the UK?

    link to this | view in thread ]

  8. identicon
    Aaron, 27 Nov 2014 @ 7:46am

    The top allowed sites

    So just for giggles, I looked at what IS allowed in Syria - as far as URLs that we're not censored. Google- ok I know that one. xVideos.com - probably just another YouTube clone- DOH! It's a pretty graphic porn site. Glad they allow porn, but not Facebook.
    Gstatic- doesn't come up. Ok XVideos again..just kidding.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 27 Nov 2014 @ 9:42am

    Re: The top allowed sites

    This isn't surprising. While the overt purpose of the filters might be cultural or religious or legal, the covert purpose is of course to address anything perceived as a danger to the state. Thus news, education, communication, science, politics -- anything that creates a more informed citizenry and allows them to communicate (especially with outsiders) is a potential target.

    So while they may make public noises about the horrors of exposed boobies, they don't really care. That's just a smokescreen for the real agenda.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 27 Nov 2014 @ 1:31pm

    Re: Re: The top allowed sites

    "a more informed citizenry"
    Oh please, people will always just ignore things that arent in line with their opinions. #GG is a great example of this, despite the massive censorship and hypocrisy there are still people who fail to see what its about and actually want to ruin peoples life for wanting a non-biased press. Even jimbo of wikipedia weighted in on the issue...

    Even if people have access to all the information, they will still refuse to use it and will just parrot the same bullshit they hear from their favorite celebrities.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 28 Nov 2014 @ 3:45am

    Re: Re: Re: The top allowed sites

    I presume you're referring to the "crusade" called "GamerGate", for which I have zero sympathy. (And not, by the way, because I pay attention to media or celebrities: because I've read the original source material and decided for myself.) If you want to advocate for unbiased journalism, it would probably be best NOT to do it under the same banner waved by bigots, misogynists and rapists. (e.g., if tomorrow you discover an actual real live working cure for cancer, you probably shouldn't try to promote it with a swastika.)

    link to this | view in thread ]

  12. icon
    Richard (profile), 28 Nov 2014 @ 4:30am

    Re: Re: Re: Re: The top allowed sites

    ) If you want to advocate for unbiased journalism, it would probably be best NOT to do it under the same banner waved by bigots, misogynists and rapists.

    That can be a difficult balancing act - especially when your opponents will try very hard to conflate your opinions with those of people who are easy targets for an ad hom.

    Disclaimer; I'm talking in general terms here - and not specifically (in fact specifically NOT) about #GG - about which I only have "wikipedia" knowledge.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 28 Nov 2014 @ 5:06pm

    NONe of the big media companies respect their users.

    Hell twitter was caught scanning peoples hard-drives for 'unlicensed' software but then tried pathetically to claim it was doing this for the good of it's users...and NOT because it receives hefty monthy fees from various governments for the data...

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 29 Nov 2014 @ 1:26pm

    You will be assimilated,
    resistance is futile...

    link to this | view in thread ]

  15. icon
    Kevin (profile), 30 Nov 2014 @ 1:46pm

    Re: twitter was caught?

    twitter was caught scanning peoples hard-drives for 'unlicensed' software but then tried pathetically to claim it was doing this for the good of it's users.

    That's news to me. I know Steam was caught scanning users HDs for cheat tools, maybe that's what you are thinking of?

    Specifically, I've never heard of any social platform that scanned user hard-drives for 'unlicensed' software, only gaming platforms.

    link to this | view in thread ]

  16. icon
    Kevin (profile), 30 Nov 2014 @ 2:01pm

    Re: SSL

    The same BlueCoat Proxy technology that Syria was caught using can Man-In-The-Middle (MITM) SSL interception, so https everywhere is not a panacea against hostile regimes! Even without breaking SSL, a firewall can still detect the website being accessed (through lookup tables or TLS+SNI), so when everything goes to https, blocking by domain will still succeed.

    For more granular blocking, Syria would need to break SSL/TLS through MITM. Browsers detect these privacy breaking proxies, so for users to not see warning messages, the "attacker" needs a Certificate Authority (CA) signing certificate that the user trusts, either control of a CA that is in the default key set shipped with the OS or browser, or the ability to push a key down to the client.

    As a measure of security, the latest Firefox includes "Public key pinning" which limits which signing certificates will be trusted for a small set of very popular and often-targeted HTTPS sites, including Twitter.

    Realistically, hostile environments with no need to stealth will just force MITM on all sessions and block anything that looks like encrypted traffic (e.g. Tor). It's not like Syria has to worry about their reputation getting any worse.

    link to this | view in thread ]

  17. identicon
    William O. B'Livion, 30 Nov 2014 @ 5:27pm

    Made in the US? I doubt it.

    ...all rely on US-made equipment like those from Blue Coat or McAfee's SmartFilter software.


    The hardware might be designed in the US, and certain more technical parts of the OS (IIRC Bluecoat is owned by sidewinder, and last time I ran one Sidewinder was running on top of BSDI) and filtering layers might be written in the US, but most of the hardware is built and assembled in China, and large bits of the application layer are (probably) written in India.

    Not that this changes things much--other than "we" have found counterfeit cisco gear running hacked IOS (the original IOS, not this Johnny come lately on your cellphone), so it's not impossible that some of these dirtball regiemes are buying either QA rejects or "second shift" hardware.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.