[liberationtech] Monitoring Information Controls in Iraq

Collin Anderson collin at averysmallbird.com
Fri Jun 20 15:10:47 PDT 2014


Ron,

Congratulations on the report, I wonder if Citizen Lab or other colleagues
might be able to develop a militant/security domain testing list, similar
to the LGBT and religious lists that are used for testing censorship. Iraqi
ISPs appear to have blocked hanein.info, a Jihadist forum, which I don't
believe falls within the scope of previous testing efforts -- I imagine
there are others that don't happen to fall within Alexa top lists though
that we are missing.

Cordially,
Collin


On Fri, Jun 20, 2014 at 5:46 PM, Ronald Deibert <r.deibert at utoronto.ca>
wrote:

> Hi LibTech
>
> I am pleased to announce a new Citizen Lab report "Monitoring Information
> Controls in Iraq in reaction to ISIS Insurgency."
>
> The full post is here:
> https://citizenlab.org/2014/06/monitoring-information-controls-in-iraq/
>
> and pasted below.
>
> Daily Beast has a story about it here:
>
>
> http://www.thedailybeast.com/articles/2014/06/20/iraq-s-internet-blockade-doesn-t-touch-isis-sites.html
>
> Regards
> Ron
>
>
>
> Monitoring Information Controls in Iraq in reaction to ISIS Insurgency
>
> *June 20, 2014*
>
> Tagged: Internet Filtering
> <https://citizenlab.org/tag/internet-filtering/>, Iraq
> <https://citizenlab.org/tag/iraq/>
> Categories: Reports and Briefings
> <https://citizenlab.org/category/research-news/reports-briefings/>, Research
> News <https://citizenlab.org/category/research-news/>
>
> In this report, we document the results of network measurement tests we
> ran to determine how the Internet is being filtered in Iraq in reaction to
> ongoing insurgency in the country. The results identify 20 unique URLs that
> are blocked on three Iraq-based Internet Service Providers. These websites
> include social media platforms (such as Facebook and Twitter), proxy /
> circumvention tools (such as Psiphon), and the websites of mobile messaging
> apps (such as WhatsApp and Viber). Notably, none of the 7 websites we
> tested that are affiliated with, or supportive of, the jihadist insurgent
> group the Islamic State in Iraq and Greater Syria (ISIS) were found to be
> blocked.
> Background
>
> The ongoing insurgency within Iraq continues to escalate. In recent weeks,
> the jihadist group, the Islamic State in Iraq and Greater Syria (ISIS) seized
> control
> <http://www.theguardian.com/world/2014/jun/18/iraq-request-us-air-strikes-isis-baiji-oil> of
> the northern provincial capitals Mosul and Tikrit and Iraq’s largest oil
> refinery. The conflict has led Iraqi Prime Minister, Nouri al-Maliki, to formally
> request <http://www.bbc.co.uk/news/world-middle-east-27905849> the U.S.
> military to engage in air strikes to limit the ISIS advances.
>
> Following the seizure of Mosul and Tikrit, the government of Iraq
> implemented restrictions on Internet accessibility as a means of limiting the
> ability of ISIS to mobilize and communicate their message.  On June 13,
> 2014, reports emerged
> <http://www.washingtonpost.com/business/technology/iraq-tries-to-censor-social-media-but-its-success-is-limited/2014/06/13/19e1e918-f325-11e3-bf76-447a5df6411f_story.html> that
> numerous social media platforms, including Facebook, Twitter, and YouTube,
> had been blocked. By June 16, reports suggested that Ministry of
> Communications officials had ordered a complete Internet shutdown in
> certain regions. These reports are confirmed by BGP data from Renesys
> <http://www.renesys.com/2014/06/amid-raging-violence-iraq-orders-internet-shutdowns/>
> :
> [image: Figure 1: Renesys BGP Data showing reduction in reachable networks
> as a result of the shutdown.]
> <https://citizenlab.org/wp-content/uploads/2014/06/IQ-timeline.png>
>
> Figure 1: Renesys BGP Data showing reduction in reachable networks as a
> result of the shutdown. SOURCE
> <http://www.renesys.com/2014/06/amid-raging-violence-iraq-orders-internet-shutdowns/#update01>
>
> Similarly, traffic from the content delivery network Akamai dropped off
> substantially following the reported shutdown and blocks:
> [image: Figure 2: Traffic from Akamai content delivery network to Iraq in
> June 2014. SOURCE]
> <https://citizenlab.org/wp-content/uploads/2014/06/akamai-iraq-disruption.png>
>
> Figure 2: Traffic from Akamai content delivery network to Iraq in June
> 2014. SOURCE
> <https://twitter.com/akamai_soti/status/478517658326167552/photo/1>
>
> A letter allegedly leaked
> <http://www.independent.co.uk/news/world/middle-east/iraq-government-orders-total-internet-shutdown-in-25-of-country-rest-left-with-limited-access-9542778.html> from
> the Ministry of Communications details these outages, indicating the
> ISIS-held provinces in which Internet access was to be blocked completely.
> In addition the letter lists  websites and platforms (which included
> Facebook, Twitter, YouTube, Viber, Skype, and others) to be blocked.
>
> More recently, on the morning of June 20, measurements from the RIPE
> Network Coordination Centre  showed 4 of the 38 networks in Iraq went
> offline
> <http://www.itproportal.com/2014/06/20/iraq-suffers-internet-outage-amid-turmoil-iraqi-isis-crisis-mosul-baghdad/#ixzz35C0ltwhN>,
> including Earthlink, as shown in Figure 3:
> [image: Figure 3: RIPE NCC measurements of ASNs in Iraq. SOURCE]
> <https://citizenlab.org/wp-content/uploads/2014/06/ripe-iraq-asn.png>
>
> Figure 3: RIPE NCC measurements of ASNs in Iraq. SOURCE
> <https://stat.ripe.net/IQ#tabId=routing>
>
> Renesys reported that these networks were restored several hours later:
> [image: renesys-june20-iraq]
> <https://citizenlab.org/wp-content/uploads/2014/06/renesys-june20-iraq.png>
>
> Figure 4: Renesys BGP and Traceroute data showing June 20th outage. SOURCE
> <https://twitter.com/renesys/status/479999294838439937/photo/1>
>
> ISIS actively uses social media to spread its messaging. For example, the
> group introduced an Android app in April 2014, called The Dawn of Glad
> Tidings, which leverages Twitter users’ accounts
> <http://www.theatlantic.com/international/archive/2014/06/isis-iraq-twitter-social-media-strategy/372856/> to
> share ISIS-related tweets. The application was removed
> <http://www.itv.com/news/story/2014-06-18/google-play-store-isis-app/> from
> the Google Play store for violating community guidelines.
> [image: Figure 5: ISIS Android app Dawn of Glad Tidings. SOURCE]
> <https://citizenlab.org/wp-content/uploads/2014/06/isis-app.jpg>
>
> Figure 5: ISIS Android app Dawn of Glad Tidings. SOURCE
> <http://www.ibtimes.co.uk/iraq-crisis-isis-launch-twitter-app-recruit-radicalise-raise-funds-1453154>
>
> The group also uses well coordinated hashtag campaigns
> <http://www.thewire.com/global/2014/06/should-twitter-have-suspended-the-violent-isis-twitter-account/372805/> to
> spread their message, and had their Twitter account shut down
> <http://www.thewire.com/global/2014/06/should-twitter-have-suspended-the-violent-isis-twitter-account/372805/> after
> a number of graphic photos of victims attacked by ISIS were shared.
>
> Complete shutdowns of the Internet during political crises have been seen
> in numerous other countries in recent years, including Egypt and Libya
> during the 2011 Arab Spring
> <https://opennet.net/blog/2011/01/egypt%E2%80%99s-internet-blackout-extreme-example-just-time-blocking> and
> in Syria <http://www.renesys.com/2012/11/syria-off-the-air/> during the
> ongoing conflict in the country. We have documented the ways in which
> sensitive political events, ranging from violent conflict
> <https://citizenlab.org/2013/06/a-call-to-harm/> to elections
> <https://opennet.net/sites/opennet.net/files/ONI_Belarus_Country_Study.pdf> and
> the hosting of international events
> <https://citizenlab.org/2013/12/igf-2013-islands-control-islands-resistance-monitoring-2013-indonesian-igf-foreword/>,
> lead to changes in the application of information controls.
> Methodology
>
> We used two methods to determine if and how filtering is being applied in
> Iraq. The first method performs remote lookups of DNS records to identify
> suspicious results which could be indicative of filtering. The second
> method undertakes remote testing of website accessibility through proxies.
> We wrote a script that performs a GET request of a list of websites through
> six different publicly accessible proxies located in Iraq. We then compare
> the results of these GET requests with attempts to access the same URLs
> from the University of Toronto network to identify instances of blocking.
>
> Early reports from Iraq suggested that blocking was performed on some ISPs
> through DNS tampering. DNS converts domain names (such as “citizenlab.org
> <http://www.citizenlab.org/>”) to an IP address (74.208.36.253). If the
> information in DNS records is tampered with, domain names can resolve to an
> incorrect IP address, which can lead visitors to a blockpage. In some
> cases, it is possible to perform lookups of the DNS records used by
> Iraq-based ISPs remotely, without being connected to that ISP directly.
> After performing these DNS lookups, we are able to compare the results for
> a given domain name with what we would expect to see to identify
> aberrations.
>
> We performed a lookup of a list we compiled of 1,358 URLs to identify
> suspicious DNS results. We also did GET requests for the URLs on this list
> on the publicly accessible proxies we found in Iraq. This list contains
> content ranging from international news sites, social media platforms, and
> content specific to Iraq’s domestic political, social and cultural context.
> A full list of URLs tested can be found in the Data section.
> Results
>
> From June 16-20, 2014, we tested a list of 1,358 URLs remotely through
> eight name servers that correspond to the following ISPs:
>
> ISP                           Hostname                IP address       Suspicious result?
> IQ Net                        nserver3.iqnet.com      62.201.201.201   Yes
> IQ Net                        nserver4.iqnet.com      62.201.201.202   Yes
> Earthlink Telecommunications  n/a                     37.239.34.206    Yes
> Earthlink Telecommunications  n/a                     37.236.154.55    Yes
> ScopeSky                      ns1.itc.iq              185.23.153.242   Yes
> ScopeSky                      ns2.itc.iq              185.23.153.243   Yes
> Newroz Telecom                ns1.newroztelecom.com   93.91.200.200    No
> Newroz Telecom                ns2.newroztelecom.com   93.91.200.201    No
>
> Earthlink Telecommunications
>
> Remote tests of these nameservers showed a number of URLs resolved to the
> IP address 192.168.222.66, which is a private, non-routable IP address. See
> this example for a DNS lookup of psiphon.ca:
>
> ; <<>> DiG 9.7.0-P1 <<>> psiphon.ca
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38318
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;psiphon.ca.            IN      A
>
> ;; ANSWER SECTION:
> psiphon.ca.     300     IN      A       192.168.222.66
>
> From our testing list, the following domains resolve to this IP address:
> ec2-174-129-26-64.compute-1.amazonaws.com
> hidemyass.com
> instagram.com
> www.softlayer.com
> openvpn.net
> plus.google.com
> psiphon.ca
> twitter.com
> ultrasurf.us
> www.dmoz.org
> www.facebook.com
> www.hotspotshield.com
> www.skype.com
> www.strongvpn.com
> www.tango.me
> www.viber.com
> www.whatsapp.com
> www.xroxy.com
> www.youtube.com
>
> This result is unexpected. It is abnormal for a domain name to resolve to
> an IP address that is not publicly routable.
>
> We tested the same list of sites through six Earthlink proxies from June
> 16 to 20, 2014.  When accessing some sites we are redirected to the same IP
> address (192.168.222.66) and presented with the blockpage pictured in
> Figure 6.
>
> Although there was some variability between sites found blocked on the six
> proxies, the following list of domains were found blocked at least once on
> one of the proxies, over the four day period.
> hidemyass.com
> instagram.com
> openvpn.net
> twitter.com
> ultrasurf.us
> www.dmoz.org
> www.facebook.com
> www.hotspotshield.com
> www.skype.com
> www.softlayer.com
> www.strongvpn.com
> www.tango.me
> www.viber.com
> www.wechat.com
> www.whatsapp.com
> www.xroxy.com
> www.youtube.com
> www.gayhealth.com
>
> In addition, when accessing this IP address (192.168.222.66) directly in a
> web browser, we also see the blockpage pictured in Figure 6.
> [image: Figure 6: Blockpage seen using proxy on Earthlink
> Telecommunications]
> <https://citizenlab.org/wp-content/uploads/2014/06/iq-earthlink-blockpage.png>
>
> Figure 6: Blockpage seen using proxy on Earthlink Telecommunications
>
> One interesting result is the block of the URL:
> ec2-174-129-26-64.compute-1.amazonaws.com.  This domain naming scheme is
> consistent with servers hosted on the Amazon EC2 hosting service (a large
> and popular cloud hosting provider based in the United States).  During
> subsequent testing we find that any domain in the *.compute-*.amazonaws.com
> domain namespace is blocked on this ISP.  For example, this
> URL http://ec2-174-129-212-31.compute-1.amazonaws.com which is hosting no
> content other than the default placeholder content of a webserver is
> blocked on Earthlink:
>
> [image: Figure 7: A side-by-side comparison of accessing the same Amazon
> EC2 URL in Canada and Iraq.]
> <https://citizenlab.org/wp-content/uploads/2014/06/image09.png>
>
> Figure 7: A side-by-side comparison of accessing the same Amazon EC2 URL
> in Canada and Iraq.
>
> Given that the content of this URL is benign it is likely not being
> targeted for blocking. This block is more likely to be the result of an
> overzealous filtering pattern used in the configuration of the domain name
> server.
>
> This block also results in the collateral filtering of any URL that both
> hosts their website on the Amazon EC2 service and configures their DNS to
> use the compute-*.amazonaws.com domain, such as through a common name
> (CNAME) record.  Examples of sites that are filtered as result of this
> configuration include:
>
> http://www.virtuefitness.com/ – Fitness site
>
> http://www.gayhealth.com/ – Defunct gay health information site
>
> http://www.exoplatform.com/ – Social platform for companies
> ScopeSky
>
> From our testing list, five domains resolved to the IP address
> 185.23.153.235, as shown in this example of a lookup of twitter.com:
>
> ;; QUESTION SECTION:
> ;twitter.com.           IN      A
>
> ;; ANSWER SECTION:
> twitter.com.    86400   IN      A       185.23.153.235
>
> ;; AUTHORITY SECTION:
> twitter.com.    86400   IN      NS      ns1.itc.iq.
>
> 185.23.153.235  is an IP address hosted on the ISP ITC in Iraq:
> 60929   | 185.23.153.235   | ITC Investment and technology group of companies limited,IQ
>
> When visiting this IP address in a web browser, we are presented with the
> following blockpage:
> [image: Figure 8: Blockpage seen on ScopeSky Communications]
> <https://citizenlab.org/wp-content/uploads/2014/06/iq-scopesky-blockpage.png>
>
> Figure 8: Blockpage seen on ScopeSky Communications
>
> On this ISP the following domains were found to resolve to this IP address
> and are blocked:
> twitter.com
> www.facebook.com
> www.viber.com
> www.whatsapp.com
> www.youtube.com
> IQ Net
>
> During the course of testing our list through IQ Net, the nameserver gave
> responses that delegated the nameserver itself (nserver3.iqnet.com) as
> authoritative for a number of domains by altering the start of authority
> (SOA) record. See an example of this in a response for a DNS lookup for
> www.viber.com:
>  $ dig +short @62.201.201.201 viber.com SOA
> nserver3.iqnet.com. firas.iqnet.com. 2014061301 10800 900 604800 86400
>
> Compare this result to one using a public DNS resolver instead:
> $ dig +short @8.8.8.8 viber.com SOA
> a1.verisigndns.com. dnssupport.verisign-grs.com. 1384964559 28800 7200 1209600 300
>
> While this result is not itself evidence of deliberate filtering (for
> example, we may see such a result if a company such as Google were to host
> servers on the ISP), the list of domains with altered SOA is suspicious and
> is likely indicative of blocking. The following list of domains returned an
> altered SOA record when resolving through IQ Net name servers:
>  google.com
> viber.com
> whatsapp.com
> youtube.com
> Newroz Telecom
>
> There were no suspicious results found in tests of the nameservers of this
> ISP. This result  was expected, because this ISP serves the Kurdistan area,
> and reports have indicated <http://insm-iq.com/archives/213> that the
> shutdown and social media blocking orders did not include Kurdistan.
> Summary of results
>
> The websites our tests found to be blocked represent a small number of
> content categories, and generally correspond with the list of sites ordered
> to be filtered by the Iraqi Ministry of Communications. We also tested the
> accessibility of 7 URLs of sites which are affiliated with or supportive of
> ISIS. We did not find any evidence, through both DNS lookups and proxy
> testing, that any of these URLs are blocked.  Given that the insurgency was
> cited as the rationale for the shutdown and filtering, this finding is
> curious.
>
> The following table summarizes the domains we found blocked in Iraq:
>
> Domain                                      Description
> ec2-174-129-26-64.compute-1.amazonaws.com   Hosting Provider
> hidemyass.com                               Circumvention/Anonymization
> instagram.com                               Social media
> www.softlayer.com                           Hosting Provider
> openvpn.net                                 Circumvention/Anonymization
> plus.google.com                             Social media
> psiphon.ca                                  Circumvention/Anonymization
> twitter.com                                 Social media
> ultrasurf.us                                Circumvention/Anonymization
> www.dmoz.org                                Web Portal
> www.facebook.com                            Social media
> www.hotspotshield.com                       Circumvention/Anonymization
> www.skype.com                               Voice-over-IP
> www.strongvpn.com                           Circumvention/Anonymization
> www.tango.me                                Mobile Messaging App
> www.viber.com                               Mobile Messaging App
> www.whatsapp.com                            Mobile Messaging App
> www.xroxy.com                               Circumvention/Anonymization
> www.youtube.com                             Video Sharing
> www.wechat.com                              Mobile Messaging App
>
> Circumvention usage in Iraq
>
> In many cases Internet filtering implemented by DNS tampering is
> straightforward to circumvent. Users can simply select an alternate DNS
> service that will perform name resolution correctly. However this
> circumvention method can also be manipulated by censors, as seen recently
> in Turkey
> <http://googleonlinesecurity.blogspot.ca/2014/03/googles-public-dns-intercepted-in-turkey.html> where
> providers intercepted requests to Google’s public DNS servers in order to
> prevent censorship circumvention. We have received anecdotal reports from
> users located in Iraq that using Google’s public DNS servers did not
> circumvent censorship, suggesting that DNS requests are being hijacked.
> However, circumvention services have reported increased usage from users
> based in Iraq.
>
> The circumvention service Psiphon reports
> <http://www.bbc.com/news/technology-27869112> a significant increase in
> users connecting from Iraq starting from June 13 after social media
> platforms were blocked, as seen in Figure 9. Note that 97% of these users
> are connected to Psiphon through their mobile phone using the Psiphon
> Android application.
> [image: Figure 9: Daily users of circumvention tool Psiphon in Iraq in
> June 2014.]
> <https://citizenlab.org/wp-content/uploads/2014/06/PsiphonIraqDailyUsers.jpg>
>
> Figure 9: Daily users of circumvention tool Psiphon in Iraq in June 2014.
>
>
> Similarly, usage of Tor, a popular anonymization tool which can circumvent
> censorship, has also increased significantly in June:
> [image: Figure 11: Directly connecting users of Tor in Iraq in June 2014.
> SOURCE]
> <https://citizenlab.org/wp-content/uploads/2014/06/tormetrics-iraq.png>
>
> Figure 10: Directly connecting users of Tor in Iraq in June 2014. SOURCE
> <https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2014-03-22&end=2014-06-20&country=iq&events=off#userstats-relay-country>
> Conclusion
>
> Given the volatile situation in the country, it is uncertain how Internet
> accessibility will be further affected. The Citizen Lab will continue to
> monitor the situation and post updates to our findings.
> Data
>
> A full list of data from these tests can be found at our GitHub repository
> <https://github.com/citizenlab/web-censorship/tree/master/2014-Iraq>.
> Acknowledgements
>
> This report is by Jakub Dalek, Adam Senft, Helmi Noman, and Masashi
> Crete-Nishihata.
>  Ronald Deibert
> Director, the Citizen Lab
> and the Canada Centre for Global Security Studies
> Munk School of Global Affairs
> University of Toronto
> (416) 946-8916
> PGP: http://deibert.citizenlab.org/pubkey.txt
> http://deibert.citizenlab.org/
> twitter.com/citizenlab
> r.deibert at utoronto.ca



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
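
The DNS comparison described in the quoted report's Methodology and Results sections, as an added example that is not part of either message and is not Citizen Lab's script: it applies the three signals the report names (answers in private address space, one address answering for several unrelated domains, an SOA that names the resolver itself) to recorded answers. The tampered answers are the ones quoted in the report; the "earthlink" resolver label, the `citizenlab.org` observation, the 203.0.113.x control addresses and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input: (resolver label, domain, record type, answer).
OBSERVED = [
    ("earthlink", "psiphon.ca", "A", "192.168.222.66"),
    ("ns1.itc.iq", "twitter.com", "A", "185.23.153.235"),
    ("ns1.itc.iq", "www.facebook.com", "A", "185.23.153.235"),
    ("ns1.itc.iq", "www.youtube.com", "A", "185.23.153.235"),
    ("ns1.itc.iq", "citizenlab.org", "A", "74.208.36.253"),
    ("nserver3.iqnet.com", "viber.com", "SOA",
     "nserver3.iqnet.com. firas.iqnet.com. 2014061301 10800 900 604800 86400"),
]

# Answers from a resolver outside the tested network. The A records other
# than citizenlab.org are placeholders from the documentation range.
CONTROL = {
    ("psiphon.ca", "A"): {"203.0.113.10"},
    ("twitter.com", "A"): {"203.0.113.20"},
    ("www.facebook.com", "A"): {"203.0.113.30"},
    ("www.youtube.com", "A"): {"203.0.113.40"},
    ("citizenlab.org", "A"): {"74.208.36.253"},
    ("viber.com", "SOA"): {
        "a1.verisigndns.com. dnssupport.verisign-grs.com. "
        "1384964559 28800 7200 1209600 300"},
}

def in_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def soa_mname(rdata):
    """Primary name server field of `dig +short ... SOA` output."""
    return rdata.split()[0].rstrip(".").lower()

def classify(observed, control, shared_threshold=3):
    """Return {(resolver, domain): [signals]} for answers that look altered."""
    # Count the distinct domains each (resolver, address) pair answers for.
    fanout = defaultdict(set)
    for resolver, domain, rtype, value in observed:
        if rtype == "A":
            fanout[(resolver, value)].add(domain)

    findings = defaultdict(set)
    for resolver, domain, rtype, value in observed:
        expected = control.get((domain, rtype), set())
        key = (resolver, domain)
        if rtype == "A" and value not in expected:
            if in_rfc1918(value):
                findings[key].add("private-address")
            elif len(fanout[(resolver, value)]) >= shared_threshold:
                findings[key].add("shared-address")
        elif rtype == "SOA" and expected:
            mname = soa_mname(value)
            # Suspicious only if the control does not name the same server.
            if mname == resolver and all(soa_mname(e) != mname for e in expected):
                findings[key].add("soa-names-resolver")
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for (resolver, domain), signals in sorted(classify(OBSERVED, CONTROL).items()):
        print(f"{resolver:20} {domain:20} {', '.join(signals)}")
```

As the report notes for the SOA case, a hit is a lead for follow-up (such as fetching the returned address to look for a blockpage), not proof of filtering on its own.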