The Dictator's Guide to Internet Surveillance and Censorship
Knowledge is power – and in the age of the internet, information is power. Authoritarian states throughout the ages have sought to control the flow of information in an effort to maintain their grip on power. You might well think that the internet has been a liberating technology, one that makes such control of information impossible. You’d be wrong.
Find the choke points
To understand how you might lock down the internet across an entire country, first you have to understand what the internet is and how it works.
At its most simplistic level, the internet infrastructure is fairly centralized from the nation-state perspective: data travels across a backbone through central routing systems. This infrastructure can be thought of in terms of a big pipe taking electricity from one country to another. Each country will then tap into that supply using a myriad of smaller pipes to deliver the electricity to sub-stations in different cities and regions, and each of those sub-stations will then use even smaller pipes to get the electricity into individual homes.
At various points in these journeys, there are choke points where the flow of internet traffic can be controlled. Exerting control over these choke points is key to any dictatorial strategy.
Choke point #1: A dummy Border Gateway Protocol route
At the heart of how the internet flows is something known as the Border Gateway Protocol (BGP), which manages the routes data takes when it travels across the internet, and ensures it gets to its destination in the quickest time by using the shortest possible path.
An internet-savvy dictator, however, can prevent his or her citizens accessing unwanted sites by creating dummy BGP routes that force internet traffic to bypass those sites.
“Controlling all the internet routing for your country using BGP at the core routers [would be] the scorched earth approach,” says technology journalist Simon Bisson, who built one of the UK’s first national ISPs, UK Online, and spent several years developing network architectures for large online services.
This technique is not particularly difficult to pull off if one has unhindered access to the internet – but you could end up blocking unintended swathes of the internet. “We’ve seen this happen when Pakistan accidentally took down YouTube in 2008, when a set of blocking BGP routes were broadcast to the entire world rather than just inside national ISPs,” Bisson says.
As it turns out, it’s not actually that hard for nation states to control internet access when there are so few of these major routes that move data between countries. “Internet protocols grew up in academia and so are unsurprisingly fragile,” Bisson points out. “They were designed by idealists and it’s easy for ideologues to subvert them.”
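Routers prefer the most specific matching prefix, which is why a blocking route that escapes a national network can override the legitimate one wherever it is accepted. The sketch below is an added example, not from the original article: it shows that selection rule and how route origin validation (RFC 6811) lets other networks discard such a route. The prefixes, AS numbers and ROA table are constructed sample data taken from documentation ranges.

```python
import ipaddress

# Constructed ROAs: (authorized prefix, max prefix length, authorized origin AS).
# Prefixes are documentation ranges (RFC 5737); AS numbers are documentation ASNs (RFC 5398).
ROAS = [
    ("198.51.100.0/24", 24, 64500),
    ("203.0.113.0/24", 25, 64501),
]

# Constructed announcements as a router might receive them: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # the legitimate origin
    ("198.51.100.128/25", 64511),  # a more-specific "dummy" route from another AS
    ("192.0.2.0/24", 64502),       # no ROA covers this prefix
]


def validate(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some ROA speaks for this address space
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def best_route(dest, announcements=ANNOUNCEMENTS, drop_invalid=False):
    """Longest-prefix match, optionally discarding ROV-invalid announcements."""
    ip = ipaddress.ip_address(dest)
    matching = [
        (ipaddress.ip_network(p), asn)
        for p, asn in announcements
        if ip in ipaddress.ip_network(p)
        and not (drop_invalid and validate(p, asn) == "invalid")
    ]
    if not matching:
        return None
    net, asn = max(matching, key=lambda m: m[0].prefixlen)
    return str(net), asn


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, f"AS{asn}", validate(prefix, asn))
    print("without filtering:", best_route("198.51.100.200"))
    print("with filtering:   ", best_route("198.51.100.200", drop_invalid=True))
```

Announcements with no covering ROA stay "not-found" and are still routed, so the protection only reaches address space whose holder has published ROAs.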
Choke point #2: Hijack DNS servers
One of the easiest protocols to subvert is the domain name system (DNS), which is the internet’s equivalent of your smartphone contacts list – or if you’re feeling nerdy, a hierarchical naming system for computers and services connected to the internet.
DNS translates the website addresses that we human beings type into the internet protocol (IP) addresses that machines can understand. On your smartphone you select the name of the person to contact and the device resolves that request into an email address or telephone number. On the internet you enter a domain such as www.google.com into your browser to reach Google, but DNS servers might resolve that into an IP address such as 188.8.131.52 (or one of many other IP addresses that are used to balance the heavy traffic load between search servers).
By configuring DNS servers to resolve to a different IP address than the ones actually requested, our unfriendly dictator can point internet users to any site the state likes instead of the one asked for – and do so with relative ease and at little cost.
“DNS poisoning (also known as hijacking) prevents end systems from actually contacting a requested service,” explains Kevin Curran, professor of cybersecurity at Ulster University and a senior Institute of Electrical and Electronics Engineers (IEEE) member. “Simple blocking of IP addresses such as both Google’s 184.108.40.206 and Cloudflare’s 220.127.116.11 used for DNS also works.”
If you’re doing all that, Bisson points out, then you might as well go the whole hog and ensure you have visibility into any encrypted traffic within this now state-controlled, firewalled “internet”. The logical next step is to set up your own cryptographic protocol and decrypting tools on the edge of the network, allowing you to spy on any communications between anybody on your internet.
“Use your own certificates and intercept then decode traffic in transport layer security (TLS)/secure sockets layer (SSL) accelerator hardware on your national firewall,” advises Bisson.
Some countries have replaced all such certificates with a global controlled certificate to make it easier to decrypt traffic. DNS hijacking is relatively common as a cybercrime technique, and has been used by Iranian hackers for cyber-espionage purposes, as well as in China as part of its censorship tactics. “After all, when you own the keys all the locks are open,” Bisson says.
Choke point #3: Individual sites
For a dictator wanting to be more selective in their censoring, there’s hypertext transfer protocol (HTTP) blocking which would allow a censor to block particular pages of a website. “This is becoming less popular in recent times since it’s made ineffective by HTTPS,” says Arturo Filastò, project lead and engineer at the Open Observatory of Network Interference (OONI), a free software project under the Tor Project to increase the transparency of internet censorship around the world.
Still, there are plenty of sites kicking around on HTTP, and the HTTPS (or hypertext transfer protocol secure) protocol – which the majority of the world’s million most-visited sites use – can also be blocked by filtering on a part of the connection known as the server name indication (SNI) field. However, there is work being done to encrypt the SNI field that will render this less effective as well.
Alternatively, should you have a team of loyal censors at your disposal, you might block the transmission control protocol (TCP). The most common transmission protocol on the internet, TCP connects two hosts such as someone’s device and the server they’re trying to reach – but implementing something called a TCP reset (RST) injection can throw a spanner into those works.
If your nation-state is monitoring the traffic flow in the country, you can inject RST packets to stop dead any connections to sites that are deemed unsuitable for your citizenry.
The technique is relatively simple with unfettered access to internet infrastructure, but this approach requires tracking of the entire internet data flow, and enough visibility to be able to know which connections are to be selectively blocked. That makes this a more expensive approach to the problem of internet control, requiring both human and technological resources – and therefore it is not a commonplace solution for a smaller, emerging authoritarian state.
“This is a very sophisticated technique which generally requires changes to the infrastructure itself,” says Filastò. “It can, however, be done on a big country scale like China effectively.”
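Injected resets leave traces at the endpoint that receives them. This added example (not from the original article) applies two heuristics to a constructed packet summary: a reset whose TTL does not match the sender's earlier packets, and a sender that keeps transmitting data after supposedly resetting the connection. The tuple layout, addresses and tolerance value are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed packet summaries, as exported from a capture taken at the client:
# (time, src, dst, tcp_flags, ip_ttl, payload_len). Addresses are documentation ranges.
CAPTURE = [
    (0.000, "198.51.100.7", "203.0.113.9", "S", 64, 0),
    (0.080, "203.0.113.9", "198.51.100.7", "SA", 49, 0),
    (0.081, "198.51.100.7", "203.0.113.9", "A", 64, 0),
    (0.082, "198.51.100.7", "203.0.113.9", "PA", 64, 120),   # request sent
    (0.095, "203.0.113.9", "198.51.100.7", "R", 58, 0),      # reset, TTL unlike the server's
    (0.165, "203.0.113.9", "198.51.100.7", "PA", 49, 800),   # the server answers anyway
    (1.000, "198.51.100.7", "203.0.113.20", "S", 64, 0),
    (1.070, "203.0.113.20", "198.51.100.7", "RA", 51, 0),    # ordinary refusal: closed port
]


def suspicious_resets(packets, ttl_tolerance=2):
    """Return [(time, src, reasons)] for resets that look injected by a third party."""
    ttls = defaultdict(set)   # (src, dst) -> TTLs seen on that direction's non-RST packets
    findings = []
    for i, (t, src, dst, flags, ttl, _plen) in enumerate(packets):
        if "R" not in flags:
            ttls[(src, dst)].add(ttl)
            continue
        reasons = []
        # Heuristic 1: packets from one host normally arrive with a stable TTL;
        # a reset forged elsewhere on the path usually carries a different one.
        seen = ttls.get((src, dst), set())
        if seen and all(abs(ttl - s) > ttl_tolerance for s in seen):
            reasons.append("ttl-mismatch")
        # Heuristic 2: a host that really reset the connection does not go on
        # sending payload on it afterwards.
        if any(s == src and d == dst and "R" not in f and n > 0
               for _, s, d, f, _, n in packets[i + 1:]):
            reasons.append("sender-kept-talking")
        if reasons:
            findings.append((t, src, reasons))
    return findings


if __name__ == "__main__":
    for when, src, reasons in suspicious_resets(CAPTURE):
        print(f"{when:.3f}s reset claiming to be from {src}: {', '.join(reasons)}")
```

Route changes and load balancers can also shift TTLs, so a single "ttl-mismatch" without the second signal deserves less weight.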
Redesigning an entire internet
If any country can be credited with writing the playbook on internet censorship and surveillance, then it must be the People’s Republic of China.
According to the Freedom on the Net 2018 report from Freedom House, an independent watchdog dedicated to the expansion of freedom and democracy around the world, China remains the worst abuser of internet freedom globally. “Over the past year, its government hosted media officials from dozens of countries for two- and three-week seminars on its sprawling system of censorship and surveillance,” the report says. “Digital authoritarianism is being promoted as a way for governments to control their citizens through technology, inverting the concept of the internet as an engine of human liberation.”
In 2003, China began its Golden Shield Project, which took just three years to complete, and spanned technologies that today have become known as the Great Firewall of China. The Great Firewall uses all of the methodologies already mentioned in order to block access to certain sites and reroute certain site requests.
In addition, the Chinese government apparently employs at least 50,000 people in order to enforce its extreme level of censorship, blocking sites and filtering search engine requests for ‘harmful’ content.
The China model isn’t exactly a plug-and-play model for internet censorship, however. The problem for other countries wishing to follow the Chinese lead is one of infrastructure, according to Filastò.
The likes of China, Cuba and Iran have a very centralized internet, as a result of having either a few government-run internet service providers or because the regime forces independent providers to route all traffic through government-managed infrastructure. This enables censors to be consistent in implementing their blocks across networks, and those blocks can be rolled out very efficiently.
(If an authoritarian state already has an existing and more distributed infrastructure, it would require ISPs to independently implement site and service blocking on an ad hoc and varied basis. “Often countries of this sort will have checks and methods in place to validate if ISPs are implementing the blocks adequately,” Filastò says. Russia is one such example.)
Dictators with a very ambitious plan to monitor and censor the internet like China – blocking mention of political and cultural content deemed harmful, hobbling foreign services like Facebook, essentially exerting near-absolute control – are therefore looking at implementing a bespoke centralized internet infrastructure.
Though costly and resource-intensive, this could be the solution for a dictator who calculates the political risk of a free internet is so high that it would be too much of a threat not to throw more time, money and people at the problem.
Write laws against attempts to access censored internet
All said, perhaps the most powerful weapon in the Chinese internet control arsenal, and one that any authoritarian state worth the label will also employ, is the legislature.
The Cybersecurity Law of the People’s Republic of China was formally adopted on June 1st, 2017, and brought together numerous rules and regulations that apply not only to information security but also information control. One of the first things noted by observers outside of China was the VPN compliance law. This allows businesses to use VPNs for internal work purposes, but only if they were purchased from licensed suppliers. Controlling the use of VPNs is paramount for any authoritarian state, and while this may have little impact on visitors to that country, the very real threat of fines and imprisonment can make it hard for the local population to use them.
Indeed, Freedom House reports that in China this led to Apple deleting hundreds of VPN apps from its local app store. The longtime requirement for network operators and social media companies to register users under their real names is stricter under the Cybersecurity Law, while all companies are required to immediately stop the transmission of banned content.
The law also insists all data concerning Chinese users is hosted within the country, where it can be easily accessed by the authorities. China has even recently introduced regulations that prevent blockchain providers from producing, duplicating, publishing and disseminating content that is prohibited under Chinese law – mainly in response to such things as the #MeToo activists saving content on the Ethereum blockchain to bypass censorship controls.
Unfortunately – or fortunately for the censors that be – these measures are for the most part successfully curtailing the Chinese internet.
“It’s difficult to know what percentage of people in China routinely jump the Great Firewall to access the global internet, but studies have shown that it’s very low, around two percent,” says William Nee, a Business and Human Rights Strategy Analyst at Amnesty International. “To some extent, the Chinese approach relies not only on the hardware and technical capabilities of the censorship system, but it also relies on creating commercial incentives to comply with its strict internet control.”
On the whole, China appears to have managed the balancing act between information control and economic growth remarkably well. Part of that can be attributed to its protection of homegrown tech companies that have subsequently flourished. “I would argue that they have been able to reach their censorship goals quite effectively,” Filastò says. “Most people in China rely on national online services such as Baidu and Weibo instead of their international counterparts.”
Countries censoring like China
China’s legislative playbook for controlling the internet can be observed in many an authoritarian regime.
In Venezuela, law changes have declared government sovereignty over the internet and introduced the concept of ‘content security’ to ‘ensure political order and counter hate’. President Maduro recently proposed a Constitutional Law of Cyberspace of the Bolivarian Republic of Venezuela which would see the formation of a new Maduro-sponsored authority to police the online world and hand it the power to decide what information can and cannot be allowed online. For example, this authority could require messaging services to censor content without judicial order, take discretionary control over loosely defined ‘critical infrastructure’, and further enforce the Anti-Hate Law for Tolerance and Peaceful Coexistence, which currently carries a 20 year prison term for those found ‘instigating hate’ on social media.
Russia is another example of how internet control can be enforced through repressive legislation rather than a purely technological approach. The Russian Internet Restriction Bill was passed in 2012 and enables the government to block pretty much any site it wants. While the federal law was introduced on a wave of patriotism and citizen protection, enabling the shutdown of sites that contain content pertaining to child pornography, drug abuse and suicide, it actually has far more oppressive overtones. This bill gives the government power to close sites that advocate ‘extremism’ or are ‘harmful’ to the health and development of children; both of which are open to very subjective determination. Social networks and messaging services with data on Russian citizens are required to store that data on servers located in Russia, for example, which leaves them open to state surveillance. LinkedIn has been banned from operating in Russia, as has the Telegram secure messenger.
Saudi Arabia wraps its internet controlling laws up under a blanket ban of anything that is deemed immoral. This means it is able to convict bloggers who criticize the regime’s clerics or royal family. One such blogger, Raif Badawi, was sentenced to 10 years’ imprisonment in 2012 along with 1,000 lashes for insulting Islam. New laws have been added recently that mean anyone distributing online content that “disturbs public order, religious values and public morals through social media” can be considered a cybercriminal, with a punishment of five years in prison and a fine of three million Saudi riyals (£600,000). Unlike China’s Great Firewall with tens of thousands of staff behind the operation, the Saudi Arabia censorship bureau is apparently staffed by fewer than 25 – but they’re supported by a country-wide network of citizen informers who submit more than a thousand reports every day. Perhaps surprisingly, the most active informers can be found amongst the student population as well as religious groups.
Human or machine censors?
While punitive laws can hold content providers responsible for ensuring content doesn’t breach state regulations for ‘illegal’ material, ultimately the larger share of censoring will need to be done by state employees.
At least for now. Human resourcing for both censorship and surveillance is set to be revolutionized by advances in artificial intelligence (AI), or more accurately its subset of algorithms collectively known as machine learning (ML). In much the same way that modern enterprises across the world have turned to big data technology such as ML in order to make sense of the sheer volume of information generated, so our authoritarian state can use ML to analyze vast swathes of browsing data to determine what content should be automatically censored.
This could potentially put a small-time dictator on equal footing with a China-sized power with thousands of human censors at their disposal.
Kevin Curran, professor of cybersecurity at Ulster University, is fairly certain that AI will play a large role in future internet surveillance systems. “Building static filtering systems for monitoring is not enough to detect the increasing traffic on networks,” he says. “More sophisticated techniques such as pattern recognition to discover previously unknown traffic can be used.”
While Amnesty International’s William Nee expects the reliance on human censors to remain for some time yet, he reckons that “companies are probably making advances in using AI to engage in censorship.” Nee gives the example of China-based Tencent, currently developing artificial intelligence technology that is increasingly able to censor political images through algorithms.
AI could be a game-changer for trawling through vast amounts of browsing data, but with targeted surveillance, it’s likely to be less of a help. JJ Guy is the CTO at JASK, a company which has developed an AI-driven security system that can intelligently separate false alarms from real breaches. You’d think this same technology would be perfect for our dictator, but Guy isn’t convinced. “The advance of AI is unlikely to have a material impact on the efficacy of algorithmic surveillance systems anytime soon,” he says. “Government activities often referred to as internet surveillance have narrowly focused goals that are precise and surgical: a lot of data from a very specific person in the case of law enforcement or intelligence activities.” In other words, data-intensive AI systems would be overkill – and indeed unnecessary – for searching out someone who’s already a person of interest.
The cost of internet control
Whether you are talking people-powered surveillance centers or AI-driven developments, the dictator wanting to take control of internet content had better have deep pockets.
In the UK, home to one of the world’s most extreme surveillance laws – the Investigatory Powers Act 2016, known colloquially as the Snoopers’ Charter – costs of implementing the new law have been estimated at as much as £1.2 billion, while official UK government projections suggest running costs of up to £5.6 million over 10 years.
Smaller states building a censorship regime from scratch are likely to face higher costs when startup costs are factored in, along with the additional costs of running daily censorship operations. As an example representing a single, localized element of a much bigger operation, it has been reported that in St. Petersburg alone there are hundreds of full-time, state employed trolls who are each paid $800 (£600) per month just to write and seed pro-Kremlin propaganda.
Where you purchase your surveillance technology will impact the bottom line. China is actively exporting its surveillance technology and analytics tools, supplying countries with poor human rights records such as Belarus, Cuba, Vietnam and Zimbabwe amongst others. This export of technology and know-how also serves to export internet control ideology that well serves China’s global economic ambitions by spreading the authoritarian love, as it were.
The Chinese government has been pursuing security and surveillance deals across sub-Saharan Africa, for example, where such strategic goals hide behind altruistic intent. Freedom House reports suggest that these deals help China to extract much-needed raw materials and open markets for their goods as well as gaining “economic and political leverage with local leaders by selling them on an authoritarian model of development.” In Ethiopia, where China secured an $800 million (£600 million) contract to supply telecommunications kit to strengthen the Ethiopian censorship regime, Freedom House notes that “Ethiopia has shown its gratitude by helping to block United Nations resolutions that are critical of Beijing, and by supporting China’s repressive policies in Tibet.”
Not that you have to be in a back-scratching situation with China, or any regime whose political aspirations do not match your own, for that matter; you could buy most of the kit required right off the shelf. Indeed, some would argue that this is your only realistic option.
“The hardware unfortunately has to come from the standard suppliers such as Ericsson, Huawei and CISCO,” says Curran. “This is because the hardware needs to be standards-based in order for compatibility with the outside world, and industrial networking equipment is not something that can easily be created.”
Where the additional help, and cost, enters the equation is when it comes to overlaying the censorship functionality on top of this kit. To that end, there are a myriad of ‘security solution providers’ at dozens of security fairs that cater for military and government clients.
The balkanization of the internet?
This dictator’s guide to internet surveillance and censorship might well have left the ordinary internet user, with decidedly democratic intent, feeling somewhat depressed by how relatively easy it could be to balkanize the online world. Nation-state firewalling, Orwellian levels of surveillance and politically motivated censorship are, without doubt, realities in the 21st century – but this doesn’t mean that the individual cannot fight back against the authoritarian machine.
Whether the thought police playbook is implemented by way of technology, law or fear, one trace of hope remains and that is the internet itself. Ian Thornton-Trump, AmTrust International’s EMEA head of cybersecurity, told Top10VPN that the “truth rides on the shoulders of the internet, and internet access is a hard beast to completely control.” And he is right.
Tools such as The Onion Router (Tor) browser and VPNs can overcome all but the most determined of would-be censors. A colleague of mine recently went to China on a press visit to one of the biggest technology companies in the country. Within minutes of landing he was posting social media updates on Facebook courtesy of his smartphone and a VPN.
Of course, the use of varied VPNs over the course of a working week is a different kettle of fish to ongoing use for a resident of the country, especially when the state controls which VPN apps can be downloaded.
But though it might be relatively easy to implement an internet control regime, the global network was built upon the principle that information will be free – and overcoming that is technically complicated, financially exhausting and doesn’t come with any 100 percent guarantee of success.
As a future saying might go, you can censor all of the people some of the time, or some of the people all of the time…