Leaping Over the Firewall: Circumvention Studies

By Katherine Maher | April 12, 2011

Photo
Leaping Over the Firewall

Yesterday I attended the release of a new Freedom House report on circumvention, "Leaping over the Firewall". I still haven't had the chance to read the whole report, but the abstract is as follows: 

Internet censorship poses a large and growing challenge to online freedom of expression around the world. Numerous countries filter online content to hinder the ability of their citizens to access and share information. In the face of this challenge, censorship circumvention tools are critical in bypassing restrictions on the internet, thereby protecting free expression online.

We've seen these challenges in NDI's own Internet Freedom work, as well as in the recent events in the Middle East. Tunisia in particular was a notorious censor of information online--by some measurements, behind only Iran and China. Outside the Middle East, NDI partners have had websites attacked and blocked, and we've seen individual users compromised through the use of sophisticated surveillance and brute-force hacking. As governments grow increasingly apprehensive in the aftermath of the Egyptian and Tunisian revolutions, these threats will only multiply.

Given these trends, this report is timely. The content of the report itself is structured with how Freedom House defines Internet Freedom, an overview of how malicious actors block and censor, how circumvention tools work, and how activists choose tools. There is a 15-page section on specific tools, such as purpose-built and well known applications like Tor, along with creatively repurposed channels, like Google Reader. This is then followed with an in-depth look at circumvention in Azerbaijan, Burma, China, and Iran, and overall findings and recommendations.

The authors emphasized that the primary report audience is not academics, but end-users. In contrast to reports such as the 2010 Circumvention Tool Usage Report by the Berkman Center, which measured adoption of circumvention tools, the Freedom House report is intended be a survey of tools use factors, aimed at activists making choices about the most appropriate tool for their environment and use case. The authors of the report evaluated the tools based on categories of usability, performance, support and security. The review did not look at issues such as the quality of the cryptography or the codebase. These categories were assessed first through an lab-based technical review, and then through qualitative feedback from users in country. 

So what did they find? Well, the lesser-known Psiphon, originally funded by OSI and now a standalone Canadian corporation, comes in first on the basis of lab testing. However, when lab testing is combined with user feedback, it turns out that ordinary Google tools--like Cache, Reader, Translate, and Buzz--beat the purpose-built competition, despite well-known security gaps, such as lack of HTTPS support.

One of the reasons? It turns out that many survey respondents prioritize speed and agility over security and anonymity. As one of the authors pointed out, its hard for us in the West to find fault with this priotization, as in-country users are the best determinants of their own needs and priorities. Speculating here, I'd wonder if the popularity of Google also derives from the fact that users are comfortable with other tools in the Google suite, and that the familiar user experience and integration with mainstream products like Gmail makes the action of accessing blocked content less like oppositional circumvention or illegal activity, and therefore feel like a lower risk activity.

The authors stressed that although the report does rank tools, it is not intended to offer guidance as to the most appropriate tool--rather, each user must determine that for themselves based on their intent. When asked a direct question about choosing a tool for circumvention in Iran, one of the panelists drove the point home, suggesting the only way to know that would be to read the report, get a Masters in computer science, and move to Tehran to conduct network analysis. He pointed out that circumvention is in no means security--security requires things like encryption, anonymity, and perfect forward deniability.

Point taken.

At NDItech, we also believe that the best tool may change based on circumstances, but that security is so much more than a proxy server. Communications security--and secure communications--is a way of life, not just a set of tools.

Share