December 15, 2024

Zuckerberg Goes to Russia as the Global Network Initiative Turns 4

The Global Network Initiative (GNI) was founded in October 2008 to help technology firms navigate the political implications of their success. Engineers at the world’s leading technology firms have been incredibly innovative, but do not always the global dynamics of their innovation. Moreover, they do not always acknowledge the ways in which politicians get involved […]

Brazil is the only BRIC country standing ground on Internet Freedom. Here is why.

A few weeks ago, the New York Times published a piece covering a new report launched by OECD calling member-countries to “promote and protect the global free flow of information”. The article lists three BRIC-members, China, India and Russia, as examples of countries taking actions harmful to online freedom. One BRIC member is missing from the list: Brazil. Despite hiccups, Brazil has been taking a strong position for protecting freedom and other civil rights online. Why is that?

One reason is that Brazil is a rather young democracy. From 1964 to 1985 the country was governed by a military regime, which imposed strict censorship rules. Major artists, newspapers, and tv networks had to submit their activities to prior approval by a censorship board. When democracy was reestablished in 1986, censorship was eliminated, but the trauma of 20 years of repression had been painfully imprinted in the Brazilian society. This trauma has made Brazil very sensitive to new threats of censorship, in its many forms.

Another landmark was a decision taken by the country’s Supreme Court in 2009. The court struck down the Press Law, adopted in 1967 by the military government (the same law that had established censorship). When the country was re-democratized, the censorship articles were revoked. Nonetheless, other parts regulating libel, defamation and the “right of reply” survived. The court decided to strike everything down (in spite of a heated debate claiming that the remaining articles were reasonable), stating the law was incompatible with the freedom of expression clause of the Brazilian constitution.

Another factor is that president Dilma Rousseff has been taking a public stance in favor of freedom of expression. It makes sense. In the 1960s, she was imprisoned and tortured during the military regime for participating in a dissident group. Unswervingly, she declared at a recent human rights conference that she “prefers the noise of the press to the silence of the dictatorship”.

Moreover, Brazil has a vigorous civil society, which emerged especially with the country’s new democratic constitution in 1988. Many civil society organizations are concerned with online freedom issues, including consumer associations, artists groups, newspapers and journalists associations, NGOs for education, free and open source software organizations, the academia, lawyers and judges associations, to name a few. Their claims have been taken into account by the political system. Government and Congress in Brazil remain permeable to the civil society. Even if lobbying and special interests do exist and exercise strong influence, it is rather difficult for politicians to save face for policies flagrantly against the public interest.

The strength of civil society reinforced Brazil’s commitment to internet freedom and also led to concrete policy-making. One example is the Marco Civil (“Civil Rights Framework for the Internet”), a draft bill seeking to protect civil rights online, such as freedom of expression and privacy, and to create balanced rules for the liability of internet intermediaries.

The bill is the result of a two-year online debate open to the public at-large. The process was put together by the Ministry of Justice and the Center for Technology & Society, a research center in Rio de Janeiro (full disclosure – I am the director of the Center for Technology & Society, and was involved in the Marco Civil process). The bill was sent to Congress by the Federal government in 2011, with co-sponsorship of five Ministries. Marco Civil has become a well-known issue in the Brazilian public sphere, and it has gathered strong public support. Approval is expected sometime in 2012.

Internationally, some view Marco Civil as an alternative approach to SOPA (Stop Online Piracy Act), the bill currently in discussion in Congress in the US, under strong criticism. While SOPA tilts the balance of the law in the direction of expedite enforcement, by-passing the judiciary in favor of a private notice-and-takedown system, Marco Civil supports a more balanced approach. It seeks to translate the principles established by the Brazilian Constitution into online practices, paying especial attention to due process, freedom of expression, and the protection of an environment favorable to innovation. Because of that, some also view Marco Civil as a counterpoint to ACTA, the controversial Anti-Counterfeiting Trade Agreement, criticized for potentially harming fundamental rights.

Of course the situation in Brazil is not all roses. The Brazilian Ministry of Culture has changed its policies in the beginning of 2011. Under the guidance of the new Minister Ana de Hollanda (claimed to have close ties to the controversial copyright collecting society in Brazil – ECAD – which is currently under investigation for fraud by by a special Congressional Inquiry Commission) has been trying to introduce legislation in Congress for creating a private systems for removing online content, inspired in part by the DMCA. This effort and other actions of the Ministry have raised vast waves of criticism, both by civil society and also by many sectors in the government´s party.

These hiccups, nevertheless, do not change the fact that, for now, Brazil seems to be committed to protect internet freedom against all odds. That is a good way of taking the recommendation of the OECD seriously, and also of setting a good example for the BRIC colleagues.

Stopping SOPA's Anticircumvention

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new “anticircumvention” provision (different from the still-problematic anti-circumvention of section 1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures, [1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for “the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others (such as those identified by my ISP colleague Nick), SOPA should be stopped.

Telex and Ethan Zuckerman's "Cute Cat Theory" of Internet Censorship

A few years ago, Ethan Zuckerman gave a talk at CITP on his “cute cat theory” of internet censorship (see also NY Times article), which goes something like this:

Most internet users use the internet and social media tools for harmless activities, like looking at pictures of kittens online. However, an open social media site is open to political content as well as pictures of kittens. Repressive governments might attempt to block this political content by blocking access to, say, all of Blogspot or all of Twitter, but in doing so they also block people from looking at non-political content, like pictures of cute kittens. This both brings more attention to the political causes the government is trying to suppress through the Streisand effect, and can politicize users who previously just wanted unfettered access to cute kittens.

This is great for Web 2.0, and suggests that activists should host their blogs on sites where a lot of kittens would be taken down as collateral damage should they be blocked.

However, what happens when a government is perfectly willing to block all social media? What if a user wants to do more than produce political content on the web?

Telex (blog post) can be seen as a technological method of implementing the cute cat theory for the entire internet: the system allows a user to circumvent internet censorship by executing a secret knock on potentially any web site outside of the censor’s network. When any web site, no matter how innocuous or critical to business or political infrastructure, can be used for a political goal in this fashion, the censorship/anti-censorship cat-and-mouse game is elevated beyond single proxies and lists of blockable Tor nodes, and beyond kittens, to the entire internet.

Anticensorship in the Internet's Infrastructure

I’m pleased to announce a research result that Eric Wustrow, Scott Wolchok, Ian Goldberg, and I have been working on for the past 18 months: Telex, a new approach to circumventing state-level Internet censorship. Telex is markedly different from past anticensorship efforts, and we believe it has the potential to shift the balance of power in the censorship arms race.

What makes Telex different from previous approaches:

  • Telex operates in the network infrastructure — at any ISP between the censor’s network and non-blocked portions of the Internet — rather than at network end points. This approach, which we call “end-to-middle” proxying, can make the system robust against countermeasures (such as blocking) by the censor.
  • Telex focuses on avoiding detection by the censor. That is, it allows a user to circumvent a censor without alerting the censor to the act of circumvention. It complements anonymizing services like Tor (which focus on hiding with whom the user is attempting to communicate instead of that that the user is attempting to have an anonymous conversation) rather than replacing them.
  • Telex employs a form of deep-packet inspection — a technology sometimes used to censor communication — and repurposes it to circumvent censorship.
  • Other systems require distributing secrets, such as encryption keys or IP addresses, to individual users. If the censor discovers these secrets, it can block the system. With Telex, there are no secrets that need to be communicated to users in advance, only the publicly available client software.
  • Telex can provide a state-level response to state-level censorship. We envision that friendly countries would create incentives for ISPs to deploy Telex.

For more information, keep reading, or visit the Telex website.

The Problem

Government Internet censors generally use firewalls in their network to block traffic bound for certain destinations, or containing particular content. For Telex, we assume that the censor government desires generally to allow Internet access (for economic or political reasons) while still preventing access to specifically blacklisted content and sites. That means Telex doesn’t help in cases where a government pulls the plug on the Internet entirely. We further assume that the censor allows access to at least some secure HTTPS websites. This is a safe assumption, since blocking all HTTPS traffic would cut off practically every site that uses password logins.

<!– –>

Many anticensorship systems work by making an encrypted connection (called a “tunnel”) from the user’s computer to a trusted proxy server located outside the censor’s network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to discover and block the proxy servers. Users need to learn the address and login information for a proxy server somehow, and it’s very difficult to broadcast this information to a large number of users without the censor also learning it.

How Telex Works

Telex turns this approach on its head to create what is essentially a proxy server without an IP address. In fact, users don’t need to know any secrets to connect. The user installs a Telex client app (perhaps by downloading it from an intermittently available website or by making a copy from a friend). When the user wants to visit a blacklisted site, the client establishes an encrypted HTTPS connection to a non-blacklisted web server outside the censor’s network, which could be a normal site that the user regularly visits. Since the connection looks normal, the censor allows it, but this connection is only a decoy.

The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged.

As the connection travels over the Internet en route to the non-blacklisted site, it passes through routers at various ISPs in the core of the network. We envision that some of these ISPs would deploy equipment we call Telex stations. These devices hold a private key that lets them recognize tagged connections from Telex clients and decrypt these HTTPS connections. The stations then divert the connections to anti­censorship services, such as proxy servers or Tor entry points, which clients can use to access blocked sites. This creates an encrypted tunnel between the Telex user and Telex station at the ISP, redirecting connections to any site on the Internet.

<!– –>

Telex doesn’t require active participation from the censored websites, or from the non-censored sites that serve as the apparent connection destinations. However, it does rely on ISPs to deploy Telex stations on network paths between the censor’s network and many popular Internet destinations. Widespread ISP deployment might require incentives from governments.

Development so Far

At this point, Telex is a concept rather than a production system. It’s far from ready for real users, but we have developed proof-of-concept software for researchers to experiment with. So far, there’s only one Telex station, on a mock ISP that we’re operating in our lab. Nevertheless, we have been using Telex for our daily web browsing for the past four months, and we’re pleased with the performance and stability. We’ve even tested it using a client in Beijing and streamed HD YouTube videos, in spite of YouTube being censored there.

Telex illustrates how it is possible to shift the balance of power in the censorship arms race, by thinking big about the problem. We hope our work will inspire discussion and further research about the future of anticensorship technology.

You can find more information and prototype software at the Telex website, or read our technical paper, which will appear at Usenix Security 2011 in August.