Censorship and the Net
Understanding how the Internet is controlled in practice can help to relate the sources of Internet censorship to the possible threats. Internet controls and censorship can be wide-ranging. A national government might not only block access to content, but also monitor what information people in its country are accessing, and might penalize users for Internet-related activities that the government deems unacceptable. Governments may both define what to block and carry out the blocking, or they may create legislation, regulations, or extra-legal incentives to compel the staff of nominally independent companies to carry out blocking and surveillance.
Who controls the Internet?
The full story of Internet governance is complicated, political and still being actively disputed. Governments often have the authority and resources to implement their preferred schemes of Internet monitoring and control, whether Internet infrastructure is owned and operated by governments themselves or by private telecommunications companies. So a government that wants to block access to information can often readily exercise direct or indirect control over points where that information is produced, or where it enters or exits the country.
Governments also have extensive legal authority to spy on citizens, and many go behind what the law allows, using extra-legal methods to monitor or restrict Internet use and reshape it according to their own rules.
The Internet was developed by U.S. government-sponsored research during the 1970s. It gradually spread to academic use, then to business and public use. Today, a global community is working to maintain the standards and agreements that attempt to achieve world-wide open connectivity and interoperability without any geographical distinction.
However, governments are not compelled to implement Internet infrastructure in accordance with these goals or related recommendations about Internet architecture. Some governments design their national telecommunications systems to have single "choke points" where they can control their whole country's access to specific sites and services, and in some cases prevent access to their section of the Internet from outside.
Other governments have passed laws or adopted informal controls to regulate the behavior of private ISPs, sometimes compelling them to participate in surveillance or blocking or removing access to particular materials.
Some of the Internet's facilities and coordinating functions are managed by governments or by corporations under government charter. There is no international Internet governance that operates entirely independently. Governments treat the ability to control Internet and telecommunications infrastructure as matters of national sovereignty, and many have asserted the right to forbid or block access to certain kinds of content and services deemed offensive or dangerous.
Why would governments control the net?
Many governments have a problem with the fact that there is only one global Internet with technically no geographic or political borders. For the end-user, it makes (apart from a delay of a few milliseconds) no difference if a Web site is hosted in the same country or on the other side of the world a reality often delightful for Internet users and deeply alarming for states. Internet censorship, inspired by hopes of re-imposing geography and geographic distinctions, can occur for many reasons.
Adapting a classification from the Open Net Initiative (http://opennet.net), we can describe some of these reasons as:
- Political reasons
Governments want to censor views and opinions contrary to the respective country's policies including topics such as human rights and religions.
- Social reasons
Governments want to censor Web pages related to pornography, gambling, alcohol, drugs and other subjects that might seem offensive for the population.
- National security reasons
Governments want to block content related to dissident movements, and anything threatening national security.
In order to ensure that information controls are effective, governments may also filter tools that enable people to bypass Internet censorship.
In the extreme case, governments can refuse to provide Internet service to the public, as in North Korea, or can cut off the Internet throughout their territory during periods of public protest, as happened briefly in Nepal in 2005, and in Egypt and Libya in 2011.
Control can be aimed at both access providers and content providers.
Governments can submit access providers to strict control, in order to regulate and shape Internet traffic, and enable surveillance and monitoring upon Internet users within the country. This is also a means to block global content that has been made available from abroad. For example, the Pakistani government asked local ISPs to block access to Facebook in May 2010 in order to block access to caricatures of the Prophet Muhammad that had been made available on the social networking site, as they had no control over the content provider Facebook.
Governments can request content providers, such as in-country Web site editors, Webmasters or search engines to forbid and block access to certain kinds of content and services deemed offensive or dangerous. For example, local Google subsidiaries have been requested to remove controversial content in a couple of countries (such as in China, before March 2010, when it redirected search engine activities towards Google Hong Kong).
Am I being blocked or filtered?
In general, it can be difficult to determine whether someone is preventing you from accessing a Web site or from sending information to others. When you try to access a blocked site, you may see a conventional error message or nothing at all. The behavior may make it look like the site is inaccessible for technical reasons. The government or the ISP may deny the fact that censorship is in place and even blame the (foreign) Web site.
Some organizations, most notably the OpenNet Initiative, are using software to test Internet access in various countries and to understand how access may be compromised by different parties. In some cases, this is a difficult or even dangerous task, depending on the authorities concerned.
In some countries, there is no doubt about government blocking of parts of the Internet. In Saudi Arabia, for example, attempting to access sexually explicit material results in a noticeable message from the government explaining that the site is blocked, and why.
In countries that block without notification, one of the most common signs of censorship is that a large number of sites with related content are apparently inaccessible for technical reasons or seem to be out of order (for example, "Page Not Found" errors, or connections timing out often). Another potential indication is that search engines appear to return useless results or nothing at all about certain topics.
Filtering or blocking is also done by entities other than governments. Parents may filter the information that reaches their children. Many organizations, from schools to businesses, restrict Internet access in order to prevent users from having unmonitored communications, using company time or hardware for personal reasons, infringing copyrights, or using excessive networking resources.
Many governments have the resources and legal ability to control large portions of a country's network infrastructure. If the government is your adversary, keep in mind that the entire communications infrastructure from the Internet to mobile and landline phones can be monitored.
Users in different places may have widely varying experiences of Internet content controls.
- In some places, your government may be legally constrained from filtering or decide not to filter content. You may be monitored by your ISP so the information can be sold to advertisers. The government may have required ISPs to install monitoring (but not blocking) capabilities in their networks. The government may make a formal request for your browsing history and chat logs, or may store information for later use. It will try not to attract attention as it does this. You face threats from non-government actors, such as computer criminals who attack Web sites or steal personal financial information.
- In some places, ISPs may use technical means to block some sites or services, but the government doesn't currently appear to track or retaliate against attempts to access them, or appear to operate a coordinated Internet content control strategy.
- In some places, you may have access to local services that are a fair match for foreign services. These services are patrolled by your ISP or government agents. You may be free to post sensitive content, but it will be removed. If this happens too often, however, the penalties may become more severe. Restrictions may only become obvious during politically charged events.
- In some places, your government may filter most foreign websites, especially news. It exercises tight control over ISPs to block content and keep track of people creating content. If you use a social networking platform, efforts will be made to infiltrate it. The government may encourage your neighbors to spy on you.
Governments have a range of motivations for monitoring or restricting different kinds of people's online activity.
- Activists: you may want to improve your government or are seeking a new one. Perhaps you want to reform a particular segment of society or work for the rights of minority groups. You may want to expose environmental issues, labor abuses, fraud, or corruption at your place of work. Your government and employers are going to be unhappy about this no matter the time of year, but they may put more effort into monitoring you if they suspect that there will be protests in the streets soon.
- Bloggers: you may want to write about everyday life, but some people are silenced because of ethnicity or gender. Regardless of what you have to say you're not supposed to be saying it. You may be in a country with mostly unrestricted users, but your opinions are not popular in your community. You might prefer anonymity or need it to connect with a support group.
- Journalists: you may have some of the same concerns as activists and bloggers. Organized crime, corruption, and government brutality are dangerous subjects to cover. You may need to protect yourself and any activists who become sources of information.
- Readers: you may not be politically active, but so much content is censored that you need circumvention software to get to entertainment, science, and industry periodicals. You may want to read a Web comic or browse the news about other countries. Your government may ignore this until it has some other reason to monitor you.
The most commonly blocked Internet resource used to be sexually explicit material; today, it is social networking platforms. The growing international popularity of social networking sites has turned millions of Internet users around the world into potential victims of censorship.Some social networking sites are popular at a global level, such as Facebook, MySpace or LinkedIn, while others have a large number of users in a given country or region: QQ (Qzone) in China, Cloob in Iran, vKontakte in Russia, Hi5 in Peru and Colombia, Odnoklassniki in CIS countries, Orkut in India and Brazil, Zing in Vietnam, Maktoob in Syria, Ameba and Mixi in Japan, Bebo in the UK, and others.
How censorship works
[This is adapted in part from Access Denied, Chapter 3, by Steven J. Murdoch and Ross Anderson.]
The techniques described in this chapter are some of the methods employed by censors that try to prevent Internet users from accessing particular content or services. Network operators can filter or manipulate Internet traffic at any point in a network, using a wide variety of technologies, with varying levels of accuracy and customization. Typically, these maneuvers involve using software to look at what users are attempting to do and to interfere selectively with activities that the operator considers forbidden by policy. A filter could be created and applied by a national government or by a national or local ISP, or even by the operator of a local network; or software-based filters could be installed directly onto individual computers.
The goals of deploying a filtering mechanism vary depending on the motivations of the organization deploying them. They may be to make a particular Web site (or individual Web page) inaccessible to those who wish to view it, to make it unreliable, or to deter users from even attempting to access it in the first place. The choice of mechanism will also depend upon the capability of the organization that requests the filtering what access and influence they have, the people against whom they can enforce their wishes, and how much they are willing to spend. Other considerations include the number of acceptable errors, whether the filtering should be overt or covert, and how reliable it is (both against casual users and those who wish to bypass it).
We will describe several techniques by which particular content can be blocked once the list of resources to be blocked is established. Building this list is a considerable challenge and a common weakness in deployed systems. Not only does the huge number of Web sites make building a comprehensive list of prohibited content difficult, but as content moves and Web sites change their IP addresses, keeping this list up-to-date requires a lot of effort. Moreover, if the operator of a site wishes to interfere with the blocking, the site could be moved more rapidly than it would be otherwise.We first describe technical measures used against end users, and then briefly discuss measures used against publishers and hosting providers, as well as non-technical intimidation.
Please note that the list of methods is not exhaustive, and more than one of these tactics might be applied in a particular case.
Technical measures against end-users
On modern communications networks like the Internet, censorship and surveillance (the monitoring of people's communications or activities) are intimately connected in practice.
Most ISPs in the world monitor some aspects of their users' communications for accounting purposes and to combat abuse such as spam. ISPs often record user account names together with IP addresses. Unless users employ privacy-enhancing technologies to prevent it, it is technically possible for an ISP to record all the information that flows over its cables, including the exact contents of users' communications.
This surveillance is also a prerequisite for technically-based network censorship. An ISP trying to censor communications that its users want to send has to be able to read those communications in order to determine which ones violate its policies. Hence a core approach to reducing Internet censorship is hiding the detailed content of communications from ISPs, both in individual cases and by encouraging widespread use of pro-privacy technologies that hinder surveillance.
This means that technical counter-measures to network censorship often rely on using obfuscation or encryption wherever possible in order to make it impossible for the ISP to see exactly what content has been transferred.
This section discusses some of the specific ways that censors block content and access by technical means.
One way for countries and other entities to block access to information on the Web is to prevent access based on the URL either the entire URL or some part of it. Internet censors often want to block specific domain names in their entirety, because they object to the content of those domains. One of the easiest ways to block Web sites is by blocking the complete domain name. Sometimes, authorities are more selective, blocking only certain subdomains in a particular domain, while leaving the rest of the domain accessible. This is the case for Vietnam, where the government blocks specific sections of a Web site (such as the Vietnamese-language versions of the BBC and Radio Free Asia) but rarely censors content written in English.
Censors, for example, might filter only the subdomain news.bbc.co.uk, while leaving bbc.co.uk and www.bbc.co.uk unfiltered. Similarly, they might want to filter out pages containing specific types of content while allowing access to the rest of the domain hosting those pages. One filtering approach is to look for a directory name, such as "worldservice" to block only the BBC foreign-language news service at bbc.co.uk/worldservice, without blocking the BBC's English-language Web site as a whole. Censors can sometimes even block specific pages based on page names, or search terms in queries, that suggest offensive or undesired content.
URL filtering can be performed locally, through the use of special software installed in the computer that you are using. For example, computers in an Internet caf may all be running filtering software that prevents certain sites from being accessed.
URL filtering can also be performed at a central point in the network, such as a proxy server. A network can be configured not to allow users to connect directly to Web sites but instead to force (or just encourage) all users to access those sites via a proxy server.
Proxy servers are used to relay requests, as well as temporarily storing web pages they retrieve in a cache and delivering them to multiple users. This reduces the need for an ISP to frequently retrieve a popularly requested page, thus saving on resources and improving delivery time.
However, as well as improving performance, an HTTP proxy can also block Web sites. The proxy decides whether requests for Web pages should be permitted, and if so, sends the request to the Web server hosting the requested content. Since the full content of the request is available, individual Web pages can be filtered, based on both page names and the actual content of the page. If a page is blocked, the proxy server could return an accurate explanation of the reason why, or pretend that the page didn't exist or produced an error.
DNS filtering and spoofing
When you enter a URL in a Web browser, the first thing the Web browser does is to ask a DNS (Domain Name System) server, at a known numeric address, to look up the domain name referenced in the URL and supply the corresponding IP address.
If the DNS server is configured to block access, it consults a blacklist of banned domain names. When a browser requests the IP address for one of these domain names, the DNS server gives a wrong answer or no answer at all.
When the DNS server gives a meaningless answer or no answer, the requesting computer fails to learn the correct IP address for the service it wanted to contact. Without the correct IP address, the requesting computer cannot continue, and it displays an error message. Since the browser does not learn the Web site's correct IP address, it is not able to contact the site to request a page. The result is that all of the services under a particular domain name, such as all of the pages on a particular Web server, are unavailable. In this case, deliberate blocking may wrongly appear as a technical problem or random failure.
Similarly, a censor could force a DNS entry to point to an incorrect IP address, thus redirecting Internet users to incorrect Web sites. This technique is called DNS spoofing, and censors can use it to hijack the identity of a particular server and display forged Web sites or reroute the users' traffic to unauthorized servers that could intercept their data. (In some networks, the wrong answer would lead to a different Web server that clearly explains the nature of the blocking that has occurred. This technique is used by censors who don't mind admitting that they are engaged in censorship and who don't want users to be confused about what has taken place.)
When data is sent over the Internet, it is grouped into small units, called packets. A packet contains both the data being sent and information about how to send the packet, such as the IP addresses of the computer it came from and the one it should go to. Routers are computers that relay packets on their way from a sender to a receiver, determining where they go next. If censors wants to prevent users from accessing specific servers, they can configure routers that they control to drop (ignore and fail to transmit) data destined for IP addresses on a blacklist or to return an error message for them. Filtering based solely on IP addresses blocks all services provided by a particular server, such as both Web sites and e-mail servers. Since only the IP address is inspected, multiple domain names that share the same IP address are also blocked, even if only one was originally meant to be prohibited.
IP address filtering can only block communication on the basis of where packets are going to or coming from, not what they contain. This can be a problem for the censor if it is impossible to establish the full list of IP addresses containing prohibited content, or if an IP address contains enough non-prohibited content to make it seem unjustifiable to totally block all communication with it. There is a finer-grained control possible: the content of packets can be inspected for banned keywords. As network routers do not normally examine the entire packet contents, extra equipment may be needed; the process of examining packet contents is often called deep packet inspection.
A communication identified as containing forbidden content may be disrupted by blocking the packets directly or by forging a message to both of the communicating parties advising them that the other party has terminated the conversation. Equipment that performs all of these censoring functions and others is readily available on the market.
Alternatively, the censor can use a forced HTTP proxy, as described earlier.
Traffic shaping is a technique utilized by network managers to make a network run smoothly by prioritizing some kinds of packets and delaying other kinds of packets that meet certain criteria. Traffic shaping is somewhat similar to controlling vehicle traffic on a street. In general, all vehicles (packets) have the same priority, but some vehicles are temporarily delayed by traffic controllers or stop lights to avoid traffic jams at certain points. At the same time, some vehicles (fire trucks, ambulances) may need to reach their destination faster, and therefore they are given priority by delaying other vehicles. Similar logic is applicable to Internet packets that need low latency for optimal performance (such as voice over IP, VoIP).
Traffic shaping can also be used by governments or other entities to delay packets with specific information. If censors want to restrict access to certain services, they can easily identify packets related to these services and increase their latency by setting their priority low. This could give users the misleading impression that a site is inherently slow or unreliable, or it could simply make the disfavored site unpleasant to use relative to other sites. This technique is sometimes used against peer-to-peer file-sharing networks, such as BitTorrent, by ISPs that disfavor file sharing.
Blacklisting individual port numbers restricts access to individual services on a server, such as Web or e-mail. Common services on the Internet have characteristic port numbers. The relationships between services and port numbers are assigned by IANA, but they are not mandatory. These assignments allow routers to make a guess as to the service being accessed. Thus, to block just the Web traffic to a site, a censor might block only port 80, because that is the port typically used for Web access.
Access to ports may be controlled by the network administrator of the organization that hosts the computer you're using whether a private company or an Internet caf, by the ISP that is providing Internet access, or by someone else such as a government censor who has access to the connections that are available to the ISP. Ports may also be blocked for reasons other than pure content censorship to reduce spam, or to discourage disfavored network uses such as peer-to-peer file sharing, instant messaging, or network gaming.
If a port is blocked, all traffic on this port becomes inaccessible to you. Censors often block the ports 1080, 3128, and 8080 because these are the most common proxy ports. If this is the case, you won't be able to directly use any proxies that require use of those ports; you'll have to use a different circumvention technique or else find or arrange for the creation of proxies that are listening on an uncommon port.
For example, in one university, only the ports 22 (SSH), 110 (POP3), 143 (IMAP), 993 (secure IMAP), 995 (secure POP3) and 5190 (ICQ instant messaging) may be open for external connections, forcing users to use circumvention technology or access services on nonstandard ports if they want to use other Internet services.
Shutting down Internet connectivity is an example of extreme censorship perpetrated by governments in response to sensitive political and social events. However, complete network disruption (i.e. from both domestic and international networks) requires intense work, since it is necessary to shut down not only the protocols that connect the country to the international network but also the protocols that connect ISPs with one another and with users. Countries have shut down Internet access completely (Nepal in 2005, Burma in 2007 and Egypt and Libya in 2011) as a means to quell political unrest. These shutdowns lasted from a few hours to several weeks, though some people managed to connect through dial-up to an ISP abroad or by using mobile connections or satellite links.
Breaking international connections, therefore, does not necessarily destroy connectivity among domestic ISPs or communication among various users of a single ISP. It would take further steps to completely isolate users from an internal network. For this reason, it is harder to disrupt local interconnectivity in countries with several ISPs.
Attacks on publishers
Censors can also try to suppress content and services at their source by attacking the publishers' ability to publish or host information. This can be accomplished in several ways.
Sometimes, legal authorities can induce service operators themselves to perform or cooperate with censorship. Some blog hosts or e-mail providers, for example, may decide to perform keyword filtering within their own servers perhaps because governments told them to. (In this case, there's little hope that any sort of "circumvention" will counteract these services' censorship; we generally conceive of circumvention as an effort to reach desired network services somewhere else, such as in a different country or jurisdiction.)
Denial of service
Where the organization deploying the filtering does not have the authority (or access to the network infrastructure) to add conventional blocking mechanisms, Web sites can be made inaccessible by overloading the server or network connection. This technique, known as a Denial-of-Service (DoS) attack, could be mounted by one computer with a very fast network connection; more commonly, a large number of computers are taken over and used to mount a distributed DoS (DDoS).
As mentioned earlier, the first stage of a Web request is to contact the local DNS server to find the IP address of the desired location. Storing all domain names in existence would be unfeasible, so instead so-called "recursive resolvers" store pointers to other DNS servers that are more likely to know the answer. These servers will direct the recursive resolver to further DNS servers until one, the "authoritative" server, can return the answer.
The domain name system is organized hierarchically, with country domains such as ".uk" and ".de" at the top, along with the nongeographic top-level domains such as ".org" and ".com". The servers responsible for these domains delegate responsibility for subdomains, such as example.com, to other DNS servers, directing requests for these domains there. Thus, if the DNS server for a top-level domain deregisters a domain name, recursive resolvers will be unable to discover the IP address and so make the site inaccessible.
Country-specific top-level domains are usually operated by the government of the country in question, or by an organization appointed by it. So if a site is registered under the domain of a country that prohibits the hosted content, it runs the risk of being deregistered.
Servers hosting content must be physically located somewhere, as must the administrators who operate them. If these locations are under the legal or extra-legal control of someone who objects to the content hosted, the server can be disconnected or the operators can be required to disable it.
Intimidation of users
Censors may also try to deter users from even attempting to access banned material in various ways.
The above mechanisms inhibit the access to banned material, but are both crude and possible to circumvent. Another approach, which may be applied in parallel to filtering, is to monitor which Web sites are being visited. If prohibited content is accessed (or attempted to be accessed) then legal (or extra-legal) measures could be deployed as punishment.
If this fact is widely publicized, it could discourage others from attempting to access banned content, even if the technical measures for preventing access are inadequate by themselves. In some places, censors try to create an impression that their agents are everywhere and that everyone is constantly being watched whether or not this really is the case.
Social mechanisms are often used to discourage users from accessing inappropriate content. For example, families may place the PC in the living room where the screen is visible to all present, rather than somewhere more private, as a low-key way of discouraging children from accessing unsuitable sites. A library may situate PCs so that their screens are all visible from the librarian's desk. An Internet caf may have a CCTV surveillance camera. There might be a local law requiring such cameras, and also requiring that users register with government-issued photo ID.
Stealing and destroying communications equipment
In some places, censors have the ability to prohibit some kinds of communications technology entirely. In that case, they may conspicuously confiscate or seek out and destroy prohibited communications equipment in order to send the message that its use will not be tolerated.