[liberationtech] On the politics of the circumvention debate

Thu Sep 23 11:55:07 PDT 2010

Katrin and everybody, 

Greetings - I just joined this list last week. I believe I know a lot of people on this list already, but for those who don't know me see: http://rconversation.blogs.com/about.html

FWIW, I discussed some potential areas beyond circumvention in Senate testimony earlier this year, drawing primarily from my experience studying Chinese Internet censorship and control mechanisms which go far beyond filtering. Links/excerpts below.

For additional discussion of Internet controls beyond filtering I also recommend reading the ONI's new book, "Access Controlled," particularly chapters 1 and 2 (which discusses the Russian model of Internet control without filtering). You can download everything for free at: http://www.access-controlled.net

Best,
Rebecca

Web version of my testimony is here: 
http://rconversation.blogs.com/rconversation/march-2-2010-senate-testimony-on-internet-freedom.html

Downloadable PDF:
http://rconversation.blogs.com/files/rm_sjc_2march2010.pdf

Excerpts: beyond filtering, the major challenge areas I listed are:  

<snip>
Deletion and takedown of content by Internet companies: Filtering is the primary means of censoring content over which an authority has no jurisdiction. When it comes to websites and Internet services over which a government does have legal jurisdiction – usually because at least some of the company’s operations and computer servers are located in-country – why merely block or filter content when you can delete it from the Internet entirely? The technical means for deleting content, or preventing its publication or transmission in the first place, vary depending on the country and situation. The legal mechanism, however, is essentially the same everywhere. In Anglo-European legal systems we call it “intermediary liability.” The Chinese government calls it “self-discipline,” but it amounts to the same thing, and it is precisely the legal mechanism through which Google’s Chinese search engine, Google.cn, was required to censor its search results.[1] All Internet companies operating within Chinese jurisdiction – domestic or foreign – are held liable for everything appearing on their search engines, blogging platforms, and social networking services. They are also legally responsible for everything their users discuss or organize through chat clients and messaging services. In this way, much of the censorship and surveillance work in China is delegated and outsourced by the government to the private sector – who, if they fail to censor and monitor their users to the government’s satisfaction, will lose their business license and be forced to shut down. It is also the mechanism through which China-based companies must monitor and censor the conversations of more than fifty million Chinese bloggers. Politically sensitive conversations are deleted or blocked from being published at all. Bloggers who get too influential in the wrong ways can have their accounts shut down and their entire blogs erased. That work is done primarily not by “Internet police” but by employees of Internet companies.[2]
Cyber-attacks:  The sophisticated, military-grade cyber-attacks launched against Google were targeted specifically at the GMail accounts of human rights activists who are either from China or work on China-related issues. This serves as an important reminder that governments and corporations are not the only victims of cyber-warfare and cyber-espionage. Human rights activists, whistleblowers and dissidents around the world, most of whom lack training and resources to protect themselves, have over the past few years been victim of increasingly aggressive cyber attacks.[3] The effect in some cases is either to bring down dissident websites at critical political moments or for frequent short periods of time, putting a great strain on the site’s operators just to keep the site running and preventing them from doing their main work. Targets range from Chinese human rights defenders to an independent Russian newspaper website, to Burmese dissidents, to Mauritanian opponents of military dictatorship.[4]  On December 17, 2009, the home page of Twitter – which was instrumental in spreading world about protests in Iran – was hacked by a group calling itself the “Iranian cyber army.” Twitter was back up after a couple of hours.  An Iranian Green Movement website Mowjcamp.com was attacked on the same day but – lacking the same resources and clout as Twitter and hampered by U.S. laws that forbid American web hosting companies from doing business directly with Iranians – remained offline for more than six weeks.[5] 
In other cases cyber attacks compromise activists’ internal computer networks and e-mail accounts to the point that it becomes too risky to use the Internet at all for certain kinds of organizing and communications, because the dissidents don’t feel confident that any of their digital communications are secure. 

Likewise, journalists who report on human rights problems and academics whose research includes human rights issues have also found themselves under aggressive attack in places like China, exposing their sources and making it much more risky to work on politically sensitive topics. Like the activists, these groups are equally unprepared and unequipped to deal with such attacks.[6]

Compliance with political “law enforcement”: In countries whose governments define “crime” broadly to include political dissent, companies with in-country operations and user data stored locally can easily find themselves complicit in the surveillance and jailing of political dissidents. This committee is of course very familiar with the most notorious example of law enforcement compliance gone wrong: between 2002 and 2004 Yahoo’s local China-based staff handed over to the Chinese police e-mail account information of journalist Shi Tao, activist Wang Xiaoning, and at least two others engaged in political dissent.[7] There are other examples. Skype partnered with a Chinese company to provide a localized version of its service, then found itself being used by Chinese authorities to track and log politically sensitive chat sessions by users inside China.[8] This happened because Skype delegated law enforcement compliance to its local Chinese partner without sufficient attention to how the compliance was being carried out.
Device-level and local controls: In late spring of 2009 the Chinese Ministry of Industry and Information Technology (MIIT) mandated that by July 1st of that year all computers sold in China must be pre-installed with a specific software product called “Green Dam – Youth Escort.”[9] While the purpose of “Green Dam” was ostensibly for child protection, researchers inside and outside of China quickly uncovered the fact that it not only censored additional political and religious content, it also logged user activity and sent this information back to a central computer server belonging to the software developer’s company.[10] The software had other problems that made it easy for U.S. industry to oppose: It contained serious programming flaws which increased the user’s vulnerability to cyber-attack. It also violated the intellectual property rights of a U.S. company’s filtering product. Faced with uniform opposition from the U.S. computer industry and strong protests from the U.S. government, the MIIT backed down on the eve of its deadline, making the installation of Green Dam voluntary instead of mandatory.[11]  The defeat of Green Dam, however, did not diminish other efforts to control and track Internet users at more localized levels inside the national “Great Firewall” system – for instance at the level of a school, university, or apartment block as well as at the level of a city-wide Internet Service Provider (ISP). It was reported in September last year that local governments were mandating the use of censoring and surveillance products with names like “Blue Shield” and “Huadun.” The function and purpose of these products appeared similar to Green Dam, though they had the benefit of involving neither the end user nor foreign companies.[12] The implementation of these systems has received little attention outside of China.
</snip>

In addition to specific recommendations on corporate social responsibility and export control/sanction reform, other recommendations for technical support included: 

<snip>

Technical support for free expression: People in repressive regimes require support in a broad range tactics and technologies – along with the training and education in their use – to reflect the growing sophistication with which governments are stifling and silencing peaceful speech. In addition to helping people around the world to circumvent Internet blocking, we need to help people fight cyber-attacks, counter-act content removal by companies, fight deployment of device-level spyware and censorware, and educate each other quickly about new forms of technical control as new methods and technologies emerge.
Circumvention technologies: Congress deserves great praise for its allocation of funds over the past few years to support the development of tools and technologies that help Internet users in repressive regimes circumvent Internet filtering. Support for a healthy range of circumvention tools –        in a manner that fosters competition, innovation, accountability, and user choice – is important and must continue. The problem is that circumvention tools only address Internet filtering: they don’t address other methods of control that repressive regimes now use to censor Internet content and silence dissent. Thus, an effective Internet freedom strategy cannot focus on circumvention alone. 
Anonymity and security:  In my interactions with journalists, human rights activists, civil liberties lawyers, bloggers, and academics in authoritarian countries around the world, I have found that a shockingly large number are uninformed about how to evade online surveillance, how to secure their e-mail, how to detect and eliminate spyware on their computers, and how to guard against even the most elementary cyber-attacks.  Local-language, culturally appropriate technologies, accompanied by robust education and training, is desperately needed. The recent cyber-attacks against Chinese GMail users only highlights the urgency.
Preservation and re-distribution of deleted content: In the course of my research about the Chinese Internet, I have noticed that quite a lot of people around Chinese blogosphere and in chatrooms make a regular habit of immediately downloading interesting articles, pictures, and videos which they think those materials could get deleted or taken offline. They then re-post these materials in a variety of places, and relay them to friends through social networks and e-mail lists. This is done in an ad-hoc way. Thus, it is often difficult for people to locate and spread this material. The United States should support the creation of searchable, accessible, and secure repositories of censored materials from countries where companies are systematically required to delete and take down politically sensitive material. Combined with robust circumvention tools, such repositories could do much to counter-act the effects of widespread content deletion and takedown within authoritarian countries.
Distributed “opposition research”: After the Chinese government mandated the nation-wide installation of the “Green Dam” censorware last year, loosely organized “opposition research” networks sprang into action. A group of Chinese computer programmers and bloggers collectively wrote a report exposing Green Dam’s political and religious censorship, along with many of its security flaws. They posted the document at Wikileaks.[1] This information was then used by domestic and foreign opponents of Green Dam in a successful campaign to reverse the government’s mandate. Another anonymous group of Chinese netizens have collected a list of companies and organizations – domestic and foreign – who have helped build China’s Internet censorship system.[2] Opposition research has also helped to expose the Tunisian government’s use of cutting-edge “deep packet inspection” techniques for censorship and surveillance. In 2008 Global Voices Advocacy Director Sami Ben Gharbia – a Tunisian exile – conducted tests that demonstrated DPI being used in Tunisia to block certain emails, or even alter certain contents of emails like attachments.[3] If people in repressive regimes had better mechanisms through which to        collect and share information about how their governments are stifling free expression, it would be easier for activists around the world to help each other develop effective technologies and tactics to fight back.
</snip>

Note: Whether it is appropriate for the U.S. government to support any or all of these things - or whether it is better that such initiatives be supported by civil society or foundations - is in light of recent developments and debates well worth further exploration. My testimony ended as follows:

<snip> 
Continued executive branch leadership. Secretary of State Clinton’s landmark speech on Internet freedom made it clear that this is a core American value. She has placed the United States squarely in a leadership position by identifying a range of threats to Internet freedom, as well as the range of tools and policies that can be brought to bear. In reviving the Global Internet Freedom Task Force (GIFT), the Administration now has a mechanism to coordinate between government and industry to ensure that U.S. companies play a constructive role around the world. GIFT will also need to tackle the challenging job of coordinating between all the different U.S. government agencies whose work touches upon the Internet in various ways. If we are serious about promoting global Internet freedom, it is important that U.S. foreign policy, trade, commerce, and national security all be consistent in advancing Internet freedom.
Conclusion

There is no “silver bullet” for global, long-term and sustainable Internet freedom. Offline physical freedom here in the United States - or anywhere else for that matter - was not won easily, and cannot be expanded, preserved or protected without constant struggle and vigilance. Internet freedom is no different. A global struggle for freedom and control of cyberspace is now underway. As with our physical freedom, Internet freedom will not be possible without a supportive ecosystem of industry, governments, and concerned citizens working together.
</snip>

I'm presently putting finishing touches on a paper for next month's liberation technology conference at Stanford which focuses in greater depth on China's emerging model of "networked authoritarianism", and what this means for the battle for free expression on the Internet globally. Happy to share it with the list if people are interested.

Best,
Rebecca

[1] “A technical analysis of the Chinese “Green Dam Youth Escort” censorship software,” posted June 2009 on Wikileaks.org at: http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_%27Green_Dam_Youth-Escort%27_censorship_software (At time of writing the page cannot be reached due to bandwith and funding problems at Wikileaks.org)

[2] “GFW Engineering Team Name List,” posted to Google Documents in January 2010 at: http://docs.google.com/View?docid=0Ae8NBXfKeGvqZGR0am1yeGRfMWhyZDljcWY4  

[3] “Silencing online speech in Tunisia,” by Sami Ben Gharbia, Global Voices Advocacy, August 20, 2008, at: http://advocacy.globalvoicesonline.org/2008/08/20/silencing-online-speech-in-tunisia/ 

[4] “Protectionism Online: Internet Censorship and International Trade Law,” by Brian Hindley and Hosuk Lee-Makiyama, ECIPE Working Paper No. 12/2009, at: http://www.ecipe.org/protectionism-online-internet-censorship-and-international-trade-law/PDF

[1] See Race To the Bottom: Corporate Complicity in Chinese Internet Censorship by Human Rights Watch (August 2006), at http://www.hrw.org/reports/2006/china0806/. Also “Search Monitor Project: Toward a Measure of Transparency,” by Nart Villeneuve, Citizen Lab Occasional Paper, No.1, University of Toronto (June 2008) at http://www.citizenlab.org/papers/searchmonitor.pdf  

[2] For more details see “China’s Censorship 2.0: How companies censor bloggers,” by Rebecca MacKinnon, First Monday (February 2006) at: http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2378/2089

[3] See Tracking Ghostnet: Investigating a Cyber Espionage Network, by Information War Monitor (March 2009) at http://www.nartv.org/mirror/ghostnet.pdf

[4] “Chinese human rights sites hit by DDoS attack,” by Owen Fletcher, ComputerWorld, January 26, 2010, at: http://www.computerworld.in/articles/chinese-human-rights-sites-hit-ddos-attack;  “Russia's Novaya Gazeta Web site hacked, paralyzed” by David Nowak, Associated Press, February 1, 2010 at: http://www.washingtonpost.com/wp-dyn/content/article/2010/02/01/AR2010020102424.html ; “Web Sites Back Online, but Fears of Further Attacks Remain,” by Min Lwin, Irawaddy, September 22, 2008, at:  http://www.irrawaddy.org/article.php?art_id=14294 ; “Dictators Prefer Botnets,” Strategy Page, November 18, 2008, at: http://www.strategypage.com/htmw/htiw/articles/20081118.aspx

[5] “Yahoo!, Moniker: why is Mowjcamp.com still offline 6 weeks after hack attack?” by Ethan Zuckerman, My Heart’s in Accra, February 1, 2010, at: http://www.ethanzuckerman.com/blog/2010/02/01/yahoo-moniker-why-is-mowjcamp-com-still-offline-6-weeks-after-hack-attack/   

[6] “National Day triggers censorship, cyber attacks in China,” Committee to Protect Journalists, September 22, 2009 at: http://cpj.org/2009/09/national-day-triggers-censorship-cyber-attacks-in.php

[7] See “Shi Tao, Yahoo!, and the lessons for corporate social responsibility,” working paper presented at presented December 2007 at the International Conference on Information Technology and Social Responsibility, Chinese University, Hong Kong, at: http://rconversation.blogs.com/YahooShiTaoLessons.pdf

[8] Breaching Trust, by Nart Villeneuve, Information Warfare Monitor and ONI Asia Joint Report (October 2008), at: http://www.nartv.org/mirror/breachingtrust.pdf 

[9] “China Squeezes PC Makers,” by Loretta Chao, The Wall Street Journal, June 8, 2009, at: http://online.wsj.com/article/SB124440211524192081.html

[10] China's Green Dam: The Implications of Government Control Encroaching on the Home PC, Open Net Initiative bulletin (June, 2009) at: http://opennet.net/chinas-green-dam-the-implications-government-control-encroaching-home-pc; Analysis of the Green Dam Censorware System, by Scott Wolchok, Randy Yao, and J. Alex Halderman, Computer Science and Engineering Division, The University of Michigan, June 11, 2009, at: http://www.cse.umich.edu/%7Ejhalderm/pub/gd/.

[11] “After the Green Dam Victory,” by Rebecca MacKinnon, CSIS Freeman Report, June/July 2009, at: http://csis.org/files/publication/fr09n0607.pdf

[12] “China Clamps Down on Internet Ahead of 60th Anniversary,” by Owen Fletcher, IDG News Service, September 25, 2009 at: http://www.pcworld.com/article/172627/china_clamps_down_on_internet_ahead_of_60th_anniversary.html ; and “China: Blue Dam activated,” by Oiwan Lam, Global Voices Advocacy, September 13, 2009 at: http://advocacy.globalvoicesonline.org/2009/09/13/china-blue-dam-activated/

On Sep 21, 2010, at 10:56 AM, Katrin Verclas wrote:

> Evgeny -
> 
> What do you see as the major areas of discussion and policy focus (and funding) beyond circumvention? Some are touched upon in Ethan's piece that you reference below, but I am curious but your priority list would be?
> 
> Katrin 
> 
> On Sep 17, 2010, at 4:54 PM, Evgeny Morozov wrote:
> 
>> At the risk of steering this debate away from Haystack, I'd like to reflect on something that Mehdi ementioned in one of his recent emails to the list - namely his suggestion that my questioning of the US government's involvement with Haystack may somehow shift policy debate around circumvention tools in Washington and might thus damage the prospects of obtaining more government funding for such tools.
>> 
>> I think Mehdi's are valid concerns but I don't think that a shift in the policy debate around circumvention is necessarily a bad thing. Those who have not been following the field very closely may benefit from knowing that there are a lot of people - me included - who have been asking for precisely this kind of policy debate to occur for a very long time. (For a good summary of recent arguments on this issue see Ethan Zuckerman's essay Beyond Circumvention.) 
>> 
>> Another person who has consistently spoken out about the need to go beyond circumvention is Rebecca MacKinnon and I hope she can chime in here as well. I also know that there are plenty of people who take the exact opposite side in this debate. I wish I could say that this is an issue on which there is consensus within the community - but I can't. 
>> 
>> I certainly understand Mehdi's interest in ensuring that the web-sites that he runs - as well as many other Internet resources - are accessible to users in Iran. But I don't think that this alone justifies not taking a broader view of the field and trying to figure out whether there has been too much focus - including on the funding front - on supporting circumvention tools at the expense of not funding/discussing/designing appropriate responses to other, more "liquid" types of Internet control like the intimidation of bloggers or DDoS attacks. 
>> 
>> I do understand the concerns of Iranian and Chinese Internet users over their firewalls - but we should also remember that there are plenty of users in a country like Russia, who are still suffering from Internet control - just of a different kind (see the recent Microsoft story in NYT as an example). Just because so much of Washington's focus is on circumvention, Russians do not really get as much help in their own struggles. Thus, as far as I am concerned, if the Haystack controversy could help to finally start that debate in Washington, this would be great news.  There is no way to get it right without having a proper debate on these issues as well as understanding the regional differences in how governments choose to exercise control over the Internet. 
>> 
>> So I'd like to dispute Mehdi's claim that somehow I am not aware of the potential consequences of my criticism; I am. In almost every post that I published about Haystack, I made it pretty clear that I'm not interested in their code as much as I'm interested in the broader environment in which this unfortunate project got started/survived for so long. And while I wouldn't want to see major funding cuts to important and effective circumvention tools, I do think that we need a much better/holistic understanding of the objectives/priorities facing the field. 
>> 
>> I'm clearly in favor of continuing this debate - and certainly in favor of extending it to Washington, where the lobbyists working for organizations behind some of these tools - especially the folks from the Global Internet Freedom Consortium - have done their best to suppress it. 
>> 
>> Evgeny
>> 
>> P.S. full disclosure: I sit on the sub-board of the Information Program at the Open Society Institute and we have funded work in the circumvention space in the past. 
>> _______________________________________________
>> liberationtech mailing list
>> liberationtech at lists.stanford.edu
>> 
>> Should you need to change your subscription options, please go to:
>> 
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> 
> Katrin Verclas
> MobileActive.org
> katrin at mobileactive.org
> 
> skype/twitter: katrinskaya
> (347) 281-7191
> 
> A global network of people using mobile technology for social impact
> http://mobileactive.org
> 
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> 
> Should you need to change your subscription options, please go to:
> 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

Rebecca MacKinnon
Schwartz Senior Fellow, New America Foundation
Co-founder, GlobalVoicesOnline.org
Cell: +1-617-939-3493
E-mail: rebecca.mackinnon at gmail.com
Blog: http://RConversation.blogs.com
Twitter: http://twitter.com/rmack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20100923/4dbe5660/attachment.html>