Thursday 26 March 2015

“C” is for Chinese Censorship

In case there was any confusion, China wants you to know that the Great Firewall of China—the censorship of internet content potentially critical of the government—is alive and well.

In January, VPN users in China suddenly found they could not access the services they relied upon to reach blocked content such as Google, Facebook, and the New York Times. (We know some of you SumRandos are experiencing this pain. We’re working on it.)

By February, real-name registration was announced, requiring social media users to register accounts with their true identities. Although users could still represent themselves online with a pseudonym, any impersonation of others was banned. Think: no pretending to be Xi Jinping.

Which brings us to March.  

Just last week, the Chinese anti-censorship organization GreatFire experienced a distributed denial of service (DDoS) attack, in which an attempt was made to shut down the website by overwhelming its servers with 2.6 billion requests per hour. According to GreatFire co-founder Charlie Smith, “This kind of attack is aggressive and is an exhibition of censorship by brute force. Attackers resort to tactics like this when they are left with no other options.” Although the source of the attack has not been identified, Smith all but named the Cyberspace Administration of China (CAC) as a prime suspect. 

In his blog post immediately prior to the DDoS attack, Smith was boastful in explaining why the Chinese government did not pose a threat to GreatFire: “We believe that the Chinese authorities would not dare block all websites and apps being served by CDNs because they understand the economic implications of this action…Recognizing that the authorities have been hesitant to crack down on our method of circumvention, we have accelerated our expansion of the development of collateral freedom…”

“Collateral freedom” is GreatFire’s response to Chinese censorship: GreatFire creates mirrors of blocked websites, which are delivered through major content delivery networks (CDNs). The government is given a choice: shut down all websites and apps associated with CDNs that Chinese businesses have come to rely upon (such as Amazon) and watch the economy flounder, or let GreatFire be.

The approach worked well, until last week. If March 17's DDoS attack were orchestrated by the Chinese authorities, it is clear that GreatFire underestimated the government as a worthy opponent in the game of exploiting loopholes. GreatFire survived the attack, but the war is far from over.

So, what’s next for the Chinese censors?*

April 1 brings controversial new banking regulations to China: by this date banks must have an initial plan for sharing all source code with the government and ensuring all encryption complies with Chinese standards. Rather than hand over source code and see their encryption broken or be run out of China altogether, the United States, the European Union, and Japan have been pushing for further discussion for months; the Chinese government, however, has continued with its characteristic steamroll ahead.

The Chinese government has repeatedly described the new banking regulations as necessary for security. In truth, they are a method for the government to continue to monitor content while also protecting domestic business, perhaps at the expense of the economy overall. And a China that puts nationalism ahead of economic prosperity is a dangerous place for Charlie Smith’s GreatFire to be.

*This article has overlooked last week’s man-in-the-middle (MITM) attack on Google, Microsoft and Mozilla. While undoubtedly linked to the China Internet Network Information Center (CNNIC) and, in turn, the CAC, the attack, which issued unauthorized digital certificates, was ultimately in the hands of MCS Holdings, an Egyptian company. Rather than use this incident as an opportunity to point fingers directly at China, we see this as demonstrative of a need for reform of the conditional access system. And that is a topic for another day.

Thursday 19 March 2015

Online Anonymity is Here to Stay, According to the UK's Parliamentary Office of Science and Technology

“There is widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK.”

The UK Parliament's Palace of Westminster

One line says it all when it comes to the findings of a March 9 research briefing published by the UK’s Parliamentary Office of Science and Technology. “The darknet and online anonymity” closely examines the good versus evil of anonymous internet use—the last bastion of personal security or a cybercrime nexus?—and weighs unequivocally on the side of privacy. The study focused on Tor, a system used by 2.5 million people daily that protects the identity of journalists, drug dealers, law enforcement, and individuals alike.

Throughout the report, researchers’ support of online anonymity came down to practicality:

  • We have the technology needed to secure the data of whistleblowers, journalists, and those with information about the Mafia. We can read the news when our governments choose to censor it and remain unseen to our cyberstalkers. Why wouldn’t we?
  • Online anonymity cuts the middleman out of illegal activity, making us safer and criminals fewer: “It has been argued that online drug markets like Silk Road transfer parts of the drug dealing business from the streets to the internet and may shorten the supply chain from drug producers to consumers. Some say this can reduce the number of drug-related crimes like robbery and shoplifting, and thus lower the social and economic costs of drug misuse." 
  • And finally, try as David Cameron might, we simply cannot undo technological advances: “Computer experts argue that any legislative attempt to preclude THS [Tor Hidden Services, i.e. hidden websites] from being available in the UK over Tor would be technologically infeasible.”

The report concludes with a reminder and perhaps a warning: people want the user-friendly privacy that companies are increasingly striving to provide; if people feel their privacy is threatened, they will turn increasingly to methods of protecting their anonymity, such as Tor and VPNs (as we are currently witnessing in Australia).

Although “The darknet and online anonymity” is a report and not law, parliamentary research briefings such as last week’s tend to be heeded by the powers that be. Let’s hope that this one is heard.

Thursday 12 March 2015

De-Mail Encryption: 1990s Technology Meets 2015 Reality

Thomas de Maiziere

SumRando applauds the German government’s decision to make its state-supported email service, De-Mail, capable of end-to-end encryption by April 2015. The Bundestag’s approach to the change acknowledges a desire to meet industry standards of security without inconveniencing individuals: De-Mail clients need only to download a plug-in in order to access Pretty Good Privacy (PGP)-level encryption.

Although this is clearly a step in the right direction, there are elements of De-Mail’s encryption that even David Cameron would support. According to The Associated Press, the Interior Ministry has already announced that, “When necessary to fight crime, German security services would aim to intercept messages before they are encrypted or after they have been decrypted.” Even if a message’s content remains hidden, there is no guarantee that the sender or receiver of an email would, given that De-Mail accounts require a verified ID at setup.

Despite these threats to privacy and anonymity, Thomas de Maiziere, Germany’s Interior Minister, appears to believe that De-Mail’s encryption will move Germany to the forefront of the digital world: “Germany wants to take a leading role in the use of digital services. Encryption is an important precondition for this.” De Maiziere’s statement proves that he is yet another politician who simply doesn’t understand that privacy most of the time is as good as no privacy at all—and, therefore, will not enable a country to build the consumer trust necessary to provide reliable digital services.  

Just days before Germany’s announcement, the BBC interviewed the man behind PGP, Phil Zimmermann, at the 2015 Mobile World Congress. As if in direct warning to de Maiziere, David Grossman’s interview contrasted Zimmermann of the 1990s, a man who believed encryption equaled security, with Zimmermann today, a man cognizant of the workarounds government has found to encryption: “The NSA shifted their emphasis to being able to take over your computer. They can inject malware into your computer. And, if they can do that, it doesn’t matter how good the crypto is. They can exfiltrate the cryptographic keys…They can do all kinds of things if they can take over your computer and that’s where the intel companies are putting their energy now.”

The German government maintains that De-Mail’s end-to-end encryption will make the nation a global leader in digital services. In the 1990s, it might have. Today, however, Germany’s simultaneous promise to use malware—the very malware that Zimmermann warns renders encryption useless—to fight unspecified crime, shifts Monday’s news to yet another shiny but insubstantial announcement.

Thursday 5 March 2015

Special Rapporteur David Kaye Wants to Hear From YOU

This June, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye will present the United Nations Human Rights Council with the results of his findings on “the relationship between freedom of expression and the use of encryption to secure transactions and communications.”

Right now, Kaye needs your help to complete his research.

The Special Rapporteur has issued a call for submission of information regarding the intersection of freedom of expression, encryption and anonymity; particularly, he is interested in hearing from nongovernment actors with a vested interest in the topic—you.

To date, Kaye has received and made available 24 submissions of information. The recommendations thus far—if heeded in June—will improve cybersecurity worldwide.

According to ARTICLE 19, a London-based human rights organization in defense of freedom of expression and information: “Weak encryption standards or ‘backdoors’—whether mandatory or otherwise—undermine people’s trust in the Internet and constitute a serious interference with fundamental rights.”

The California-based Electronic Frontier Foundation (EFF), a defender of digital civil liberties, “recommend[s] that Internet intermediaries should not block or limit the transmission of encrypted communications, and recommend[s] that Internet service providers be encouraged to design systems for end-to-end encryption.”

The Karisma Foundation, a Colombian digital rights NGO, explains: “Finally, we believe it appropriate to emphasize that national security, while important, is not absolute; thus, it is not sufficient reason to prohibit both encrypted communication and anonymity on the Internet. On the contrary, it is a way we as ordinary citizens have of protecting our communications and identity from abuses or threats that can be caused by third parties, including the State.” 

Marco Kuhnel, Sebastian Schweda, and Steffen Harting, of Germany, write: “Encryption standards are not only vital to maintain fundamental rights—hence the free use of encryption constitutes a derived universal right—but by Art. 12 UDHR (and also Art. 19 and Art. 27) the state members of UN are obliged to ensure the availability of encryption techniques whenever personal data are sent or received electronically inside their territory.”

Special Rapporteur David Kaye can be reached at or Palais des Nations/CH-1211 Geneva 10/Switzerland. Take advantage of the opportunity to be one of the many voices reminding the United Nations that internet anonymity and encryption are universal human rights.