By: Johan Pouwelse
Date: October 6, 2012
Internet censorship was the focus of an initiative proposed in Vancouver at an informal bar birds-of-a-feather (BoF) meeting. In this article Johan Pouwelse discusses his motivations for organizing the meeting. An initial draft discussion document is available.1
Bits moving across the Internet are vulnerable to surveillance and censorship on an unprecedented scale. Today, both Internet providers and governments possess the ability to monitor the moves of their digital citizens from central infrastructure points—an ability that creates significant potential for abuse, and a threat that goes beyond the scope of mere monitoring or filtering.
Lessons Learned from the Arab Spring
Although Internet kill switches do not exist, governments have demonstrated their ability to disable communications networks in times of crisis. During the 2011 Arab Spring, Egyptian authorities demanded that telecommunication companies sever their broadband connections and mobile networks—both local and European operators were forced to comply, and, as a result, digital Egypt vanished. Despite the country’s decentralized infrastructure, an Internet blackout was relatively easy to carry out.
The roles—and consequences—of social media (e.g., Facebook and Twitter) during that same period further illustrate the capacity governments have for Internet censorship and the challenges activists face in combating it. The April 6 Youth Movement from Egypt committed digital dissent in full public view. According to The New York Times,2 the movement “provided a structure for a new generation of Egyptians, who aren’t part of the nation’s small coterie of activists and opinion makers, to assemble virtually and communicate freely about their grievances.”
But moving protest organizations to social media not accessible to the public-at-large can hold surprising risks. On the ground, the movement’s strike organization and protests in Facebook groups, many with thousands of followers, triggered arrest and imprisonment. Protesters in other countries quickly took note of Egypt’s lesson and disabled their public Facebook profiles. In response, one government initiated social media searches on incoming, young, plane travelers by forcing them to login to Facebook upon arrival, thereby revealing online activities and any antigovernment sympathies.3
Is there a Role for the IETF?
What happened in Egypt underscores how essential it is that IETF participants fully and comprehensively understand the entire Internet ecosystem when considering the question of a censorship-free Internet. Both government-regulated Internet and public discussions have risks.
Should the IETF engage in this very political aspect of the Internet? Or are there other organizations better equipped to deal with it?
Room consensus quickly moved toward the importance of documenting censorship models and assessing the need for new technology—using the Arab Spring scenario as inspiration. At IETF 85 in Atlanta we hope to present an improved Internet Draft detailing the scenario and how social networks, microblogging, and camera phones proved essential for a new generation of Internet users.
Getting Around Censorship
The onion routing technology in Tor has proved itself over the past 10 years as an effective tool against censorship. The technology’s anonymity, unlinkability, and unobservability have made it popular—numerous users are willing to accept it’s slower browsing experience in exchange for it’s privacy-enhanced web access.4 But onion routing alone cannot overcome the threat of government-imposed Internet shutdown. The challenge is to design a censorship-free Internet sustainable even when an adversary controls the underlying infrastructure.
As early as 2006 it was reported that individuals in wide swathes of the Arab world were using Bluetooth technology to bypass police restrictions. According to news reports,5 communication between men and women in this region, in extreme cases referred to as dating, had been made possible by cellphone technology. When Bluetooth-capable phones are in close proximity, they can engage directly in digital and social chatter—no other infrastructure is needed. Moreover, when sharing photos or bandwidth-hungry videos with friends it also pays to be close. Government provided cellphone networks might not be filtering you, but can still be dreadfully slow. It therefore pays to use cell phones’ Bluetooth-based, direct file-transfer features—and it comes as no surprise that wireless-transfer apps have seen millions of installs.
A query of Google Trends for the phrase Bluetooth transfer reveals a geographical spread of this interesting social phenomenon. Below is a list of countries ranked according to search volume.6
- United Arab Emirates
- Hong Kong
- South Africa
It seems millions of mobile phone owners are already employing the social practice of wireless data exchange.
The Musubi smartphone app represents another key, censorship-free, technology advancement. Developed at Stanford University, it offers instant messaging service and media sharing capabilities similar to WhatsApp, Ping, and Blackberry Messenger. What makes it unique is that all data and processing resides on the smartphones, not in the cloud. This decentralization removes the need for central processing and provides significant decoupling from the underlying infrastructure. Exchange of cryptographic keys is integrated in the friending process—Musubi essentially builds a decentralized social graph. But Musubi is also limited—all data transfers go through central servers, as it lacks NAT-traversal capability.
A more general solution is found in delay-tolerant networking (DTN) technology, which uses a simple store-and-forward primitive to communicate over heterogeneous links. Mobile ad hoc networks have been studied within the Internet Research Task Force (IRTF) since 1997 and we hope that much of that knowledge can be reused, despite our scenario differing slightly from DTN (as being investigated by the IRTF [RFC4838]). The DTN focus is on finding routes to an explicitly given destination, usually by maintaining routing tables. As our earlier Bluetooth-based filesharing example showed, dissemination in the Arab Spring scenario is likely to involve an explicit copy between people who trust each other.
Microblogging proved to be a vital tool in the Arab Spring. Several research groups investigated Twitter-like services without the need for central servers. According to one Twitter investor and former engineer, “Done right, a decentralized one-to-many communications mechanism could boast a resilience and efficiency that the current centralized Twitter does not. Decentralization isn’t just a better architecture, it’s an architecture that resists censorship and the corrupting influences of capital and marketing. At the very least, decentralization would make tweeting as fundamental and irrevocable a part of the Internet as email.”7
The Twimight project by ETH-Zurich university shows that decentralized microblogging already exists. Researchers developed an Android application that uses Twitter servers in normal conditions, but switches to a Bluetooth-based disaster mode when Internet connectivity is lost.
Censorship-free technology also have arisen from within the IETF
A voice-over-IP protocol using peer-to-peer technology and using a distributed hash table (DHT) for scalability has been standardized. Unfortunately, DHTs are notoriously difficult to secure.
The peer-to-peer streaming protocol (PPSP) working group in the transport area developed a serverless video streaming protocol, using Bittorrent-like swarming. Pioneer Research UK showed a fully functional set-top box using this new draft protocol with support for both live streaming of BBC feeds and video-on-demand playback at the IETF’s recent meeting in Paris.
Currently an open source PPSP implementation is available for Android which integrates with Twitter. By tweeting links such as ppsp://2b2fe5f1462e5b7ac4d7, it is now possible to augment a Tweet with eyewitness video footage. This architecture has interesting anti-censorship properties, as it is free from DNS, HTTP, or any other server infrastructure. The SHA1 hash part of this URI is used to find peers in a low-latency DHT, which are then used to stream video in peer-to-peer fashion.
A Powerful Adversary
We must assume from the Arab Spring scenario the existence of a powerful adversary. The following threats8 have been identified for similar circumstances:
- The adversary can observe, block, delay, replay, and modify traffic on all underlying transport. Thus, the physical layer is insecure.
- The adversary has a limited ability to compromise smartphones or other participating devices. If a device is compromised, the adversary can access any information held in the device’s volatile memory or persistent storage.
- The adversary can choose the data written to the microblogging layer by higher protocol layers.
- The adversary cannot break standard cryptographic primitives, such as block ciphers and message-authentication codes.
The advances listed previously indicate the wealth of experience, related technologies, and available building blocks that an IETF initiative could use to work toward a censorship-free Internet.