October 23, 2017

Routing Detours: Can We Avoid Nation-State Surveillance?

Since 2013, Brazil has taken significant steps to build out their networking infrastructure to thwart nation-state mass surveillance.  For example, the country is deploying a 3,500-mile fiber cable from Fortaleza, Brazil to Portugal; they’ve switched their government email system from Microsoft Outlook to a state-built system called Expresso; and they now have the largest IXP ecosystem in the world.  All of these measures aim to prevent the country’s Internet traffic from traversing the United States, thereby preventing the United States from conducting surveillance on their citizens’ data.  But Brazil isn’t the only country that has concerns about their Internet traffic passing through the United States.  Deutsche Telekom lobbied for tougher privacy protection by keeping German traffic within its national borders.  Canadian traffic has been found to routinely pass through the United States, which is a violation of Canadian network sovereignty.  Russian president Putin has called for “better protection of communication networks” and passed a law that requires foreign companies to keep Russian users’ data on servers inside the country.  

To quantify which countries Internet traffic traverses and measure how successful any particular country might be at detouring its traffic around known surveillance states, we actively measured and analyzed the traffic originating in five different countries: Brazil, Netherlands, Kenya, India, and the United States.  

  • First, to understand the current state of transnational routing (the “status quo”), we measured the country-level traffic paths for the Alexa Top 100 domains in each respective country using RIPE Atlas probes and the MaxMind geolocation service.  
  • Next, we measured how successful clients in Brazil, Netherlands, Kenya, India, and the United States might be at avoiding other countries of interest using open DNS resolvers and using an overlay network.  

The rest of this post summarizes these two parts of the study and highlights some of the results.

The Status Quo: Even Local Traffic Can Detour through Surveillance States

Despite the extreme efforts of certain countries to “keep local traffic local”, and in particular to avoid having traffic traverse the United States, our measurement study indicates that these goals have not yet been reached, for two reasons: 1) lack of domain hosting diversity and 2) lack of routing diversity.

Lack of Hosting Diversity. We find that hosting for many popular websites lacks diversity. We found that about half of the Alexa Top 100 domains are hosted in a single country; in these cases, a user cannot avoid the domain’s hosting country when accessing it.  In many cases, even popular local websites are hosted outside the country where citizens are trying to access them.  For example, more than 50% of the top domains in Brazil and India are hosted in the United States; in total, about 50% of the .br domains are hosted outside Brazil. More hosting diversity, as could be enabled with CDNs, would allow for the potential to avoid more countries more often.

Lack of Geographic Diversity. Internet paths also lack geographic diversity: about half of the paths originating in Kenya to the most popular Kenyan websites traverse the United States or Great Britain.  Much of this phenomenon is due to “tromboning,” whereby an Internet path starts and ends in a country, yet transits an intermediate country; for example, about 13% of the paths that we explored from RIPE Atlas probes in Brazil to the top domains in Brazil trombone through the United States. More than 50% of the paths from the Netherlands to their top domains transit the United States, and about half of Kenyan paths traverse the United States and Great Britain.
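The measurement step described above (country-level paths from RIPE Atlas traceroutes, then counting transits and tromboning) can be reduced to a small piece of code. The following is an added example, not code from the original post or the RANSOM project: the `GEO` table is a constructed stand-in for the MaxMind lookup the study used, and the traceroutes are constructed from documentation address ranges.

```python
"""
Added example (not code from the original post or the RANSOM project): turn the
hop list of a traceroute into a country-level path and flag tromboning. The GEO
table is a constructed stand-in for the MaxMind lookup used in the study; the
traces are constructed too, using documentation address ranges.
"""
from collections import Counter

# Constructed geolocation table: router/hop IP -> ISO country code.
GEO = {
    "198.51.100.1": "BR", "198.51.100.2": "BR", "198.51.100.3": "BR", "198.51.100.50": "BR",
    "203.0.113.7": "US", "203.0.113.8": "US", "203.0.113.60": "US",
    "192.0.2.40": "GB",
    "192.0.2.77": "NL",
}

# Constructed traceroutes from a probe in Brazil: (domain, hop IPs). "*" is a timed-out hop.
TRACES = [
    ("example-a.br", ["198.51.100.1", "198.51.100.2", "198.51.100.3"]),
    ("example-b.br", ["198.51.100.1", "203.0.113.7", "203.0.113.8", "198.51.100.50"]),
    ("example-c.com", ["198.51.100.1", "*", "203.0.113.7", "203.0.113.60"]),
    ("example-d.com", ["198.51.100.1", "192.0.2.40", "192.0.2.77"]),
]


def country_path(hops, geo=GEO):
    """Collapse hop IPs into the ordered list of countries traversed.

    Consecutive hops in the same country are merged; hops that cannot be
    geolocated (timeouts, unknown addresses) are skipped rather than guessed.
    """
    path = []
    for hop in hops:
        country = geo.get(hop)
        if country is None:
            continue
        if not path or path[-1] != country:
            path.append(country)
    return path


def trombones(cpath, home):
    """True if the path starts and ends in `home` but transits another country."""
    return (len(cpath) >= 3 and cpath[0] == home and cpath[-1] == home
            and any(c != home for c in cpath[1:-1]))


def summarize(traces, home, watch, geo=GEO):
    """Share of paths transiting each country in `watch`, plus the share of
    domestic paths (destination in `home`) that trombone abroad."""
    paths = [country_path(hops, geo) for _, hops in traces]
    transit = Counter()
    for p in paths:
        transit.update(set(p))  # count each country once per path
    domestic = [p for p in paths if p and p[-1] == home]
    trombone_count = sum(1 for p in domestic if trombones(p, home))
    return {
        "transit_share": {c: transit[c] / len(paths) for c in watch},
        "domestic_paths": len(domestic),
        "tromboning_share": trombone_count / len(domestic) if domestic else 0.0,
    }


if __name__ == "__main__":
    for domain, hops in TRACES:
        print(domain, "->".join(country_path(hops)))
    print(summarize(TRACES, home="BR", watch=["US", "GB"]))
```

Two things the code makes explicit that the prose glosses over: hops that time out or fail geolocation are dropped rather than guessed, so a path can only under-report the countries it crosses, and each country is counted once per path, so a path that enters the United States twice does not inflate the transit share.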

Towards User-Controlled Routing Detours

We next asked whether the fact that many popular websites are georeplicated, coupled with a client’s ability to selectively “bounce” packets through overlay nodes, might give some users opportunities to avoid certain countries. We studied whether users could exploit open DNS resolvers to discover hosting diversity, and overlay network relays to intentionally introduce routing detours. Previous work in overlay networks, such as RON, tries to route around failures, whereas our work tries to route around countries.  Our results show that in some cases, users can select paths to specifically avoid certain countries; in cases where local traffic leaves the country only to return (a phenomenon sometimes called “tromboning”), the use of local relays can sometimes ensure that local traffic stays within the country.  For example, without these techniques, Brazilian traffic transited Spain, Italy, France, Great Britain, Argentina, Ireland (among others). Using even a modest overlay network deployment of 12 relays across 10 countries (Brazil, United States, Ireland, Germany, Spain, France, Singapore, Japan, South Korea, and Australia), clients in Brazil could completely avoid these countries for the top 100 domains.  The overlay network can also be used to keep local traffic local; the percentage of tromboning paths from Brazil decreases from 13.2% of domestic paths to 9.7%.
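The avoidance question above can be modelled as a search over candidate routes: direct routes to each replica that open resolvers in different countries returned, and relayed routes that splice the client-to-relay path with the relay-to-replica path. The following is an added example, not code from the original post or the RANSOM project; every path in it is constructed, and the country lists stand in for geolocated traceroutes (as in the study, each leg must come from a measurement taken at that leg's source, not from the client).

```python
"""
Added example, not code from the original post or the RANSOM project: decide,
for each domain, whether a client can reach some replica without traversing a
given country, using direct paths and overlay-relay detours. All paths are
constructed country-level paths (what geolocating a traceroute would yield).
"""

# Constructed: country-level paths from a client in Brazil to every replica of
# each domain that open DNS resolvers in different countries returned.
DIRECT = {
    "example-news.br": {"replica-br": ["BR", "US", "BR"]},          # trombones via US
    "example-shop.com": {"replica-us": ["BR", "US"],
                         "replica-de": ["BR", "ES", "FR", "DE"]},
    "example-bank.com": {"replica-us": ["BR", "US"]},               # hosted only in US
}

# Constructed: overlay relays, each with the client->relay path and the
# relay->replica paths measured from the relay itself.
RELAYS = {
    "relay-br": {"to_relay": ["BR"],
                 "from_relay": {"replica-br": ["BR"],
                                "replica-us": ["BR", "US"],
                                "replica-de": ["BR", "PT", "DE"]}},
    "relay-ie": {"to_relay": ["BR", "PT", "IE"],
                 "from_relay": {"replica-de": ["IE", "DE"],
                                "replica-us": ["IE", "US"]}},
}


def candidate_routes(domain, direct=DIRECT, relays=RELAYS):
    """Yield (label, countries) for every way to reach some replica of `domain`.

    A relayed route traverses the union of both legs; a country seen on either
    leg counts as traversed.
    """
    replicas = direct[domain]
    for rep, path in replicas.items():
        yield f"direct->{rep}", frozenset(path)
    for relay, info in relays.items():
        for rep, tail in info["from_relay"].items():
            if rep in replicas:  # only replicas that actually serve this domain
                yield f"{relay}->{rep}", frozenset(info["to_relay"]) | frozenset(tail)


def avoiding_routes(domain, avoid, direct=DIRECT, relays=RELAYS):
    """Labels of routes to `domain` that never enter `avoid`."""
    return [label for label, countries in candidate_routes(domain, direct, relays)
            if avoid not in countries]


def can_avoid(domain, avoid, direct=DIRECT, relays=RELAYS):
    return bool(avoiding_routes(domain, avoid, direct, relays))


def local_routes(domain, home, direct=DIRECT, relays=RELAYS):
    """Routes that keep local traffic local: every country on the route is `home`."""
    return [label for label, countries in candidate_routes(domain, direct, relays)
            if countries == {home}]


def avoidance_report(avoid, direct=DIRECT, relays=RELAYS):
    """Share of domains for which `avoid` can be bypassed, and those where it cannot."""
    unavoidable = [d for d in direct if not can_avoid(d, avoid, direct, relays)]
    return {"avoidable_share": 1 - len(unavoidable) / len(direct),
            "unavoidable": unavoidable}


if __name__ == "__main__":
    for domain in DIRECT:
        print(domain, "avoid US via:", avoiding_routes(domain, "US") or "nothing")
    print("keep local:", local_routes("example-news.br", "BR"))
    print(avoidance_report("US"))
```

The report reproduces the shape of the post's findings on constructed data: the tromboning domestic site becomes reachable entirely inside Brazil through the local relay, the multi-replica site can avoid the United States both directly and via relays, and the site hosted only in the United States stays unavoidable no matter which relay is used. The modelling choice worth noting is that a relayed route is charged with every country on either leg, so a relay is only useful if the client can reach it without crossing the country being avoided.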

Unfortunately, some of the more prominent surveillance states are also some of the least avoidable countries.  Most countries depend highly on the United States for connectivity to other locations on the Internet.  Neither Brazil, India, Kenya, nor the Netherlands can completely avoid the United States with the country avoidance techniques.  The inability of these techniques to successfully avoid the United States typically results from the lack of hosting diversity for many websites, which are solely hosted in the United States. Using the overlay network, both Brazilian and Netherlands clients were able to avoid the United States for about 65% of sites; even in these cases, the United States is completely unavoidable for about 10% of sites.  Traffic from Kenya can avoid the United States for only about 40% of the top domains.  On the other hand, the United States can avoid every other country for all sites, with the exception of France and the Netherlands, which the United States can nonetheless avoid for 99% of the top 100 domains.

More Information and Next Steps

A more detailed writeup is available on the RANSOM project website (https://ransom.cs.princeton.edu/). Encouraged by the ability to use overlay networks to avoid surveillance states in certain cases, we are in the process of designing and building a RANSOM prototype. We welcome feedback on this project as we embark on the next steps.

Comments

  1. TheTester says:

    Somehow related: https://blog.cloudflare.com/bandwidth-costs-around-the-world/
    Monopolists want more money and block changes.

  2. Eduardo Nogueira says:

    From a user perspective this changes nothing, as the Brazilian and Russian governments (arguably, any government) are just as likely to spy on their citizens as is the United States government. Actually, nationalizing data storage changes things for worse, at least in the models of the Russian law, as it makes it impossible for the average user to have his data stored only in a country more privacy friendly (a similar law was proposed in Brazil in the earlier sketches of Marco Civil, but was dropped). This is only beneficial for governments themselves.

  3. Andrew McConachie says:

    I certainly want my traffic to arrive at its destination as quickly as possible. But I’m not certain it matters if it transits through a ‘surveillance state’. We cannot know who is snooping on our traffic, so I’d rather just rely on encryption.

    Another way to put this is if I assume everyone is snooping on my traffic I stop caring who can read it on the way to its destination. I’ll put my trust in math and peer reviewed encryption code. Not some observer’s opinion on how paths should work. There could be reasonable explanations for what you call ‘tromboning’, and let’s not assume that the best logical path follows the best physical path.

    The implication of caring about paths is that users can somehow reduce their potential surveillance surface by keeping traffic local, or by minimizing transnational border hopping. Maybe, but even if that is true then you should still rely on encryption, so I don’t really see the point in placing too much focus on this type of analysis. Like Eduardo says this changes nothing for the average user.

    • Unfortunately, relying on encryption isn’t sufficient.

      In many countries VPNs are blocked.

      Even with HTTPS, the SNI header reveals the domain, and in specific settings website fingerprinting is quite effective at revealing which sites (and even pages) a user may be visiting.

      The interested parties could be “average users”, but they may also be nation states who would prefer their traffic avoid certain other countries. This is precisely why Brazil has been aggressively building out its national infrastructure—to reduce the amount of traffic that traverses countries such as the US. Unfortunately, it’s not working out (yet).

  4. Anonymous says:

    Passing through surveillance states still offers up metadata to those surveillance states regardless of use of encryption.

    • Andrew McConachie says:

      Putting packets on a wire offers up metadata to anyone who’s listening. I’m not sure this has anything to do with whether you define a country as a surveillance state.

      Another way to ask this is: What state is not a surveillance state? And for these states, when domestically initiated traffic stays domestic, can we prove that this traffic is not being surveilled? I don’t think we can. I doubt we can even proffer a decent prediction.

      • Perhaps “surveillance state” is a bit of a red herring. Suppose you are a user in some country; or, suppose that you are a government who wishes to avoid your citizens’ traffic traversing a certain foreign country. In these situations, the findings are still relevant.

      • Anonymous says:

        The premise behind localizing data is that fewer entities will be able to collect your metadata without your consent, not that *no* entities will be able to collect it without your consent.

  5. Vesna Manjlovic says:

    Very interesting work! Thank you for using RIPE Atlas for it!

    For others who would like to access more data, do their own measurements, or contribute to this community project, please find more information here: https://atlas.ripe.net

    “RIPE Atlas is a dynamic, global network of thousands of probes that have been measuring Internet connectivity and reachability in near real time since 2010. Anyone can directly access the data collected by RIPE Atlas, as well as Internet maps, graphs, tools and analyses based on the aggregated results, at https://atlas.ripe.net. RIPE Atlas was developed and is operated by the RIPE NCC, along with the help of thousands of volunteers. The RIPE NCC is one of five Regional Internet Registries (RIRs) that support the global operation of the Internet.”

  6. This is great. It’s time for people to start fighting back against the biggest threat to privacy and human rights in the world, the American government.

    Routing national traffic through international routers seems pretty much absurd on purely engineering terms. I don’t need to route my LAN traffic through the US spying networks. The same principle should apply to bigger networks connecting people in a given area outside the US.

  7. Show me just one first world nation that isn’t a surveillance state and I’ll happily move there. Doesn’t matter where you go in the first world anywhere, Big Brother is everywhere.

    • The fallacy is assuming there’s only one Big Brother or that each Big Brother shares everything they collect with each other Big Brother.

      Limiting the number of Big Brothers that get full take access is a meaningful goal.