Cat & Mouse: Evading the Censors in 2018

Video thumbnail (Frame 0) Video thumbnail (Frame 1115) Video thumbnail (Frame 2951) Video thumbnail (Frame 4933) Video thumbnail (Frame 6249) Video thumbnail (Frame 7799) Video thumbnail (Frame 8878) Video thumbnail (Frame 10875) Video thumbnail (Frame 12024) Video thumbnail (Frame 13083) Video thumbnail (Frame 15140) Video thumbnail (Frame 16223) Video thumbnail (Frame 18816) Video thumbnail (Frame 21096) Video thumbnail (Frame 23058) Video thumbnail (Frame 25604) Video thumbnail (Frame 27292) Video thumbnail (Frame 29306) Video thumbnail (Frame 30456) Video thumbnail (Frame 31988) Video thumbnail (Frame 33152) Video thumbnail (Frame 34853) Video thumbnail (Frame 39493) Video thumbnail (Frame 41034) Video thumbnail (Frame 42859) Video thumbnail (Frame 44017) Video thumbnail (Frame 48069) Video thumbnail (Frame 49347) Video thumbnail (Frame 50562) Video thumbnail (Frame 51675) Video thumbnail (Frame 53687) Video thumbnail (Frame 55962) Video thumbnail (Frame 60302) Video thumbnail (Frame 61573) Video thumbnail (Frame 63604) Video thumbnail (Frame 65433) Video thumbnail (Frame 67043) Video thumbnail (Frame 70490) Video thumbnail (Frame 74981) Video thumbnail (Frame 78275) Video thumbnail (Frame 79382) Video thumbnail (Frame 81992)
Video in TIB AV-Portal: Cat & Mouse: Evading the Censors in 2018

Formal Metadata

Cat & Mouse: Evading the Censors in 2018
Preserving access to the open Internet with circumvention technology
Title of Series
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The deepening of global Internet infrastructure comes accompanied with an invigorated capacity and intent by adversaries to control the information that flows across it. Inextricably, political motivations and embedded power structures underlie the networks through which we interpret and understand our societies and our world - censorship threatens the integrity of the public sphere itself. The increasing technical sophistication of information controls deployed by censors in adversarial network environments around the world can be uniquely viewed and researched by circumvention tool providers, whose work continues to preserve access to the open Internet for all communities. Through this presentation, we endeavour to share insights gained from the front lines of this technical contest.
Keywords Resilience

Related Material

Video is cited by the following resource
Multiplication sign Musical ensemble Semiconductor memory
Android (robot) Software Open source output Circle Streaming media Freeware Trans-European Networks Window
Point (geometry) Dynamical system Game controller Information Divisor Sampling (statistics) Shape (magazine) Twitter Content (media) Software Integrated development environment Internetworking Different (Kate Ryan album) output Cycle (graph theory) Local ring
Event horizon Object-oriented programming Integrated development environment Internet service provider Game theory Computer-assisted translation Event horizon Frame problem Twitter
Game controller Arm Computer Digital library Control flow Digital library Internetworking Internetworking Different (Kate Ryan album) Computer network Directed set Communications protocol Intercept theorem Form (programming)
Game controller Group action Injektivität Direction (geometry) Spyware Sound effect Uniform resource locator Computer network Network topology Directed set Series (mathematics) Communications protocol Form (programming) Shift operator Electric generator Information Digital media Domain name Computer Computer network Digital library Mechanism design Category of being Content (media) Internetworking Series (mathematics) Intercept theorem Fingerprint Address space
Gateway (telecommunications) Scaling (geometry) Information Computer-generated imagery Internet service provider Computer network Software maintenance Connected space Power (physics) Type theory Internetworking Internetworking Different (Kate Ryan album) Internet service provider Kolmogorov complexity Quicksort Kolmogorov complexity Spacetime
Socket-Schnittstelle Frame problem OSI-Modell IPSec Cartesian coordinate system IP address Neuroinformatik Data model Telecommunication Synchronization Bridging (networking) Website Diagram Endliche Modelltheorie Block (periodic table) UDP <Protokoll> Fiber (mathematics) Data structure Address space Pressure Wireless LAN Address space
Content delivery network Mobile app Block (periodic table) Mereology IP address Connected space Content (media) Uniform resource locator Personal digital assistant Website Website Error message Vulnerability (computing)
Point (geometry) Web page Block (periodic table) Image resolution Web page Domain name Spyware IP address Revision control Uniform resource locator Direct numerical simulation Uniform resource locator Process (computing) Personal digital assistant Square number Website Intercept theorem Process (computing) Block (periodic table) Address space
Web page Domain name Digital filter Server (computing) Transport Layer Security Spyware Entire function IP address Content (media) Latent heat Internetworking Intercept theorem Process (computing) Information Error message Address space Exception handling Email Block (periodic table) Web page Domain name Bit Price index Term (mathematics) Connected space Uniform resource locator Personal digital assistant Internet service provider Website Block (periodic table) Address space
Email Email Interior (topology) Parameter (computer programming) Usability Web 2.0 Uniform resource locator Content (media) Latent heat Uniform resource locator Word Process (computing) Repository (publishing) Term (mathematics) Internet service provider Circle Process (computing) Communications protocol Communications protocol
Web page Email Domain name Multiplication sign Shape (magazine) Rule of inference IP address Perspective (visual) Uniform resource locator Mathematics Latent heat Virtuelles privates Netzwerk Encryption Process (computing) Configuration space Fingerprint Vulnerability (computing) Rule of inference Block (periodic table) Structural load Web page Interior (topology) Sound effect Electronic signature Software Encryption Block (periodic table) Fingerprint
Point (geometry) Domain name Proxy server Block (periodic table) Domain name Open set Direct numerical simulation Content (media) In-System-Programmierung Googol Virtuelles privates Netzwerk Personal digital assistant Internetworking Internet service provider Website Energy level Circle Proxy server Resolvent formalism
Virtuelles privates Netzwerk Software Server (computing) Moment (mathematics) Computer network Client (computing) Shape (magazine) Regular graph Communications protocol Perspective (visual)
Randomization Block (periodic table) Decision theory Generic programming Morley's categoricity theorem Insertion loss Calculus Subset Web 2.0 Mathematics Process (computing) Different (Kate Ryan album) Configuration space Quicksort Communications protocol Computer-assisted translation Communications protocol Identical particles Fingerprint
Content delivery network Domain name Mobile app Proxy server Distribution (mathematics) Transport Layer Security Connectivity (graph theory) Web service Telecommunication Internetworking Diagram Communications protocol Website Content delivery network Vulnerability (computing) Distribution (mathematics) Multiplication Server (computing) Software developer Domain name Transport Layer Security Client (computing) Enumerated type Cartesian coordinate system Connected space Database normalization Data center Fingerprint
Server (computing) Email Computer file Link (knot theory) Distribution (mathematics) Server (computing) Data storage device Generic programming Enumerated type IP address Number Subset Software Vector space Website Point cloud Communications protocol Fingerprint Address space
Server (computing) Statistics Overhead (computing) Transportation theory (mathematics) Distribution (mathematics) Multiplication sign Client (computing) Plastikkarte IP address Scalability Number Virtuelles privates Netzwerk Term (mathematics) Internetworking Different (Kate Ryan album) Computer network Communications protocol Proxy server Address space God Fingerprint Computer architecture Overhead (computing) Multiplication Email Information Server (computing) Internet service provider Plastikkarte Login Instance (computer science) Enumerated type Cartesian coordinate system Trans-European Networks Peer-to-peer Database normalization Software Integrated development environment Internet service provider Computer network Communications protocol Fingerprint Geometry Address space
Dynamical system Digital media Divisor Multiplication sign Cloud computing Internet service provider Login Real-time operating system Plastikkarte Twitter Facebook Software Virtuelles privates Netzwerk Computer network Communications protocol Computing platform Address space
Facebook Dependent and independent variables Dialect Digital media Personal digital assistant Telecommunication Video game Computing platform Twitter
Server (computing) Block (periodic table) Multiplication sign Incidence algebra Mereology Scalability Connected space Peer-to-peer Frequency Type theory Content (media) Goodness of fit Web service Software Internetworking Personal digital assistant Computer network Authorization Point cloud Quicksort Physical system
Statistics Internet service provider Order (biology) Client (computing) Rule of inference Library (computing)
Torus Type theory Multiplication Group action Transportation theory (mathematics) Software Bridging (networking) Multiplication sign Chemical equation Communications protocol Connected space Computer architecture
Mobile app Information Multiplication sign Data storage device System call 19 (number) 19 (number) Frequency Virtuelles privates Netzwerk Different (Kate Ryan album) Order (biology) Videoconferencing Quicksort Communications protocol
Point (geometry) Scale (map) Electric generator Scaling (geometry) Lattice (order) Entire function 2 (number) Twitter Number 19 (number) Web 2.0 Content (media) Virtuelles privates Netzwerk Internet service provider Cuboid Quicksort Block (periodic table) Physical system
Content delivery network Domain name Server (computing) Open source Digital media Transport Layer Security Multiplication sign Web browser Mereology Rule of inference Web 2.0 Internetworking Energy level Partial derivative Source code Block (periodic table) Software developer Database transaction Cartesian coordinate system Entire function Internetworking Software Internet service provider Telecommunication Partial derivative Freeware Library (computing)
Facebook Algorithm Focus (optics) State of matter Stress (mechanics) Musical ensemble Acoustic shadow Disk read-and-write head Perspective (visual) Metropolitan area network Twitter
Shift operator Group action Game controller Mobile app Electric generator Information System administrator Multiplication sign Physical law Twitter Web 2.0 Facebook Content (media) Mechanism design Quicksort Intercept theorem Computing platform Local ring Form (programming)
Algorithm Implementation Open source Client (computing)
Server (computing) Mobile app Pay television Scaling (geometry) Open source Code Connectivity (graph theory) Closed set Client (computing) 2 (number) Broadcasting (networking) Content (media) Web service Software Internetworking Internet service provider Business model Quicksort
Statistics Observational study Device driver Open set Mereology Number Content (media) Goodness of fit Machine learning Internetworking Position operator Fingerprint Scaling (geometry) Military base Sound effect Cartesian coordinate system Measurement Trans-European Networks Type theory Software Personal digital assistant Calculation Universe (mathematics) Freeware Resultant
Domain name Group action Scaling (geometry) Connected space 2 (number) Band matrix Degree (graph theory) Content (media) Message passing Latent heat Software Personal digital assistant Internetworking Internet service provider Computer network Website Circle Quicksort YouTube Exception handling
Filter <Stochastik> Domain name Touch typing Self-organization Sound effect
Point (geometry) Domain name Mobile app Email Perfect group Scaling (geometry) Key (cryptography) Software developer Semiconductor memory Mereology Trans-European Networks Googol Personal digital assistant Different (Kate Ryan album) Cartesian closed category Musical ensemble
[Music] so and without stealing for the time from Keith McManaman who's coming here from Toronto who's working at siphon a censorship circumvention NGO and speaking about evading the censors in 2018 now so censorship your roundup I'm very happy to have you here and to yeah
see your talk now on the last day of Congress thank you [Applause]
hello thanks everyone for coming this
afternoon hope you had a fantastic Congress this year I know I did thanks for sticking
around to the final sessions for many of you this will be the last talk you see until next year so I hope it's worthwhile and to everyone watching the stream online hello and welcome my name is Keith McManaman I'm an analyst at Saipan where we operate a circle mention network that's used worldwide by tens of millions of people and we provide free open source circumvention tools for Windows Android and iOS yes there is a
circumvention tool that's running a whole device VPN or iOS it's psyphon due to its accessibility freeness localization and overall network resilience that has that has made psyphon a widely adopted circumvented tool which provides a decent sample size of Internet users and therefore a reasonable barometer of circumvention
tool usage and a country which makes it an apt vantage point from which to analyze the impacts of Internet censorship in my work the kinds of questions that I'm interested in are how the social and political dynamics of information controls in different places for example the trends in the censorship legislative environment political cycles social unrest and social movements emerging discourses in the media and online how do these factors add up and determine what content is accessible and how does that shape people's online behavior and their use of circumvention tools including psyphon
oops this is an overview of what we'll
be talking about today I'm gonna go over the basic basics of censorship technology and how its deployed I'll talk about some of the circumvention methods and technologies that are in use today I'll recap some notable events from the past year and and then talk about some notable trends that we've observed in this environment just a
short note on framing and metaphors the cat and mouse game is a terminology that's kind of widely used to describe the interplay between the sir excuse me the circumvention tool providers and the
censors sometimes you'll hear like militaristic kind of framing like the battle for the free internet or the technological excuse me the technological arms race I just want to say that there's nothing really there's no Sylvester & Tweety there's no there's nothing that gap or wacky about it as
you will see so what is internet censorship it's a control they're suppression of what can be accessed published or viewed on the Internet I just took this definition from the Wikipedia it comes in many different manifestations and floor and forms I'm gonna be focused on the digital interceptive forms of of censorship which is what circumcircle mention tools are designed to deal with but as you can see there are other very important there
are other very important categories that have increased in their prevalence every in recent years specifically the shift from direct interceptive forms of censorship sometimes referred to as the first generation of it information controls to the second and third generation which is characterized in
this excellent series of called the access series by Roddy Burt and the citizen lab and his colleagues which really is which is really the seminal work on on that transition so this is
what we'll focus on for this talk
censorship is preventing you from treading all of these fascinating wonderful paths and it does that by it does that by taking advantage of certain features in the way the internet works how they're able to do that is the
sensors control all connections across the international gateway to the
respective country through the information ministries they control the Internet service providers and they possess powerful methods of detection increasingly the internet censorship space is enabled by private sector actors the cost of purchasing and running those technologies that allow you to maintain national blacklists sort of filter different types of traffic have become much more accessible for national governments and to deploy at scale the methods that we're going to go over vary in their complexity and their resource intensity
this is something called the OSI model of basically computer and telecommunication systems suffice to say that censorship can happen at all layers from the application layer all the way down to the physical infrastructure so
one of the lower-level tactics is IP address IP address blocking sensors can learn the IP addresses of the sites that they want to block and add those to a blacklist of forbidden IPS so requests to those addresses will be discarded this is a simple diagram of how that looks so when you attempt to visit a
site that's blacklisted you'll either get a connection to either a connection reset or a 404 error the weakness of IP address based blocking is that a lot of IP fees are not static in many cases they're hosted on content delivery networks which are ephemeral in a way they ship from place to place and people's IP address could constantly be migrating to a new location so it's not effective and it's a lot of work to maintain oftentimes it also comes with a high risk of collateral damage like
you'll tend to block other parts of content that are hosted on the same IP and generally this this kind of works better for blogging either specific apps basically rather than specific content in the same vein URL blocking involves a
blacklist of forbidden URLs and when you attempt to visit that or a keyword than or a blacklisted keyword then your your request will similarly be rejected port blocking also works the same way so the sensor can choose a certain port that they don't want to allow any traffic through and similarly you would not be able to connect to those endpoints ok Deanna's hijacking or sometimes called DNS poisoning DNS spoofing this involves basically the DNS lookup process so how how are you RL is resolved into an IP address because that's controlled from a highly centralized vintage point the sensor can actually intercept your dns
resolution requests and and deliver up a page of their choosing basically instead of the page that you've requested typically that involves a block page of some kind saying that you know the site you've requested to visit is forbidden but they can also even deliver a malicious page pretending to be the page that you've requested but actually isn't there was a case in China before Wikipedia was HTTP enabled or SSL enabled if you requested the page for tiannamen square if they are at Wikipedia article they're actually delivering a kind of sanitized version of that of that site instead of the
legitimate article of course it's HTTP adoption kind of prevents blocking specific sub pages or nowadays so if you're in Iran for example this is a page that you might see that says you can't go to this site but here are some great other sites that you can visit in Saudi Arabia this is a block page if you would see that you would see that's put there by the Information Ministry so in both cases there's a clear kind of accountability someone someone that you can contact an email address someone that you can contact about your inability to access that content but oftentimes your request will just fail to complete you might get a 404 error and there's not a clear indication of is a site being content is there a problem with my with the content provider or server problem with my own internet connection so some kind of ambiguity as to why you're not able to visit that content keyword filtering is kind of an escalation because it allows the center to filter URLs based on keywords anywhere in the path name again pre HTTPS that was a bit more relevant because TLS or SSL enabled connections you can't see into the path into the bath name except for the top-level domain and it also allowed them to block new or unknown pages that are related to
that type of content rather than having to discover the domain and the IP address and add it to the blacklist manually
they also have the ability to blacklist or whitelist entire protocols say HTTP if they can't see into it this is something that happened in Iran in the 2013 elections it's a gradual escalation between the circle circumvention providers and the censors there which culminated in eventually only HTTP traffic being whitelisted and obviously I'll come back to the term collateral damage that really is something that can break a lot of other essential Internet services and make that essentially unusable deep packet inspection this is a word that some may have heard spoken about through the Congress earlier in the week this is basically a high-level processing method that allows the censors to look throughout the content of a web request in the header in the inner traffic as well as the URL for certain keywords and other specifications that pertain to a repository of blacklist arguments and choose to block that traffic so with the keyword filtering and deep packet inspection the censors need to process a
lot more data it's very very much more resource intensive and it really depends how deep they want to dig and as I
mentioned at the beginning the technology has gotten much more widely available cheaper and easier to implement and more effective traffic fingerprinting is something that's enabled by that because even without knowing the domain or the IP address or being able to see it through encryption the sensor can record what a browsing session looks like and create rules for how the user sees that page or if they do because encryption doesn't doesn't change that technical configuration and so they can block a page based on its size load time and other kind of technical details which would even allow them to blocks say specific sub pages of Wikipedia that are HTTPS enabled they might incidentally block some other page that follows that specification but that's kind of the trade-off that's being made and I will come back to this but just to mention
VPN traffic SSH traffic though they are encrypted they have a very obvious signature a size and shape that's identifiable what a network perspective that can be fairly easily fingerprinted which is definitely a vulnerability
now I'm gonna switch tracks and talk about some circumvention methods so to each of the censorship methods that I discuss there's kind of a circle mention it's herb and it escalates from there so if your dns is being poisoned then you could switch to an Open DNS resolver or a third-party DNS resolver you've often heard of people switching their dns to eight eight eight eight to the Google which is the Google DNS or 1 1 1 1 the CloudFlare dns it's like Google and CloudFlare maybe aren't gonna censor us you could argue or it's at least better than trusting your ISP if you're in China or Iran or something like that if you're a content provider and you think that your domain is blacklisted or your if the IP of your domain is blacklisted you can migrate or mirror your block block domain to a new one I mean you're always racing the censors in that case like chances are they can discover your new site at just as fast as your readers can but that's another way of kind of evading the lower level censorship techniques another circumvention method you can use is by connecting to a web proxy so first you connect to some other website that's not on the blacklist and
from there you use that as your vantage point to kind of browse the open Internet of course you can use a VPN and you can use other circumvention tools like siphon or tor which I'll tell you more about so that's a sage this is a a
protocol that's used to communicate with servers and administrate them it's it's great because it's encrypted anyone any man-in-the-middle that's trying to look at this request they're only going to see something that they can interpret but again because of its regular size and shape on a network perspective SSH can be fingerprinted using the off-the-shelf technology same thing with VPN and so for most censorship regimes it's easy enough to block VP all VPN traffic in the country just by flicking the switch that says we're not going to allow VPN and increasingly this year we've seen during say politically politically
important moments like elections or public demonstrations that the sensors will utilize this ability and and leverage that over the networks they control so which brings me to ossh ossh
is an obfuscated protocol it stands for obfuscated SSH there's basically ways that you can innovate on the existing SSH tunnel to make it as much as possible indistinguishable from random bytes of generic web traffic so rather than looking like this strange strange encrypted thing that the sensors can pick out a block it's designed to blend in with all the rest of the web traffic that's that's going on and there are a lot of different things that you can do to sort of change the exact configuration that it follows so that it's as random as possible and some of the things that you can do are insert random packets alongside the tunnel like random web traffic both ways you can vary the packet size is the packet interval and other kind of ways of making that as amorphous as possible again back to the concept of collateral damage a sensor that's going to endeavor
to block something that's indistinguishable from random web traffic based on certain features that they identify probably caused them to block incidentally block some generic web traffic as well which is a calculus that they're always going to have to make what Deepak couldn't what deep packet inspection is doing is it's scanning deep into every web request but that process as I mentioned is quite resource intensive so generally the sensor can only look at the first subset of packets try to make a decision based on what cat what their categorization of that traffic might be and decide to either let it pass or filter it so what circumvention technology is
trying to do is make that more computationally intense for them and it really depends how deep they want to dig and they do risk kind of slowly slowing down general internet performance in the country if they do that this is another technique called meek or domain fronting basically involves routing traffic through what's referred to as high-value domains so typically large infrastructure pieces of the internet and hiding the real requests inside the encrypted the TLS encrypted connection for example forcing traffic through CDN data centers that typically get a different blocking treatment because they are large infrastructure components of the internet that a lot of essential services require to run on this is a diagram just showing how that request is passed along and if you're interested in
learning more I'd encourage you to refer to the paper David Highfield and colleagues worked on including some psyphon developers what are some vulnerabilities of circa mentioned tools the sensor can attempt to disrupt your distribution if people can't get your apps then they can't use them so one thing that we do is we have multiple redundant kind of distribution methods the sensor can always block website where you have your applications available for download
they might even blacklist the Play Store or the Apple App Store or some countries that's embargoed and not available anyway so one of one of the innovations that we use it's iPhone it's email autoresponders basically you can request a number of generic email addresses and the return email you will get has links to secure cloud hosted download sites and even the apk or Exe file as an attachment the censors might also be able to enumerate your servers one by one even if you have thousands and thousands of servers if they have enough people running enough discrete copies of your software you have to make sure that they can't catch up with all your all your endpoints before you roll them over so on the psyphon network it's fairly ephemeral like no IP addresses are really static and the servers are constantly turning over really protects us against that that vector of attack
another thing is no individual copy of the software is ever gonna know more than a very very very small subset of the servers like maybe 1% or less
protocol based attacks are interesting psyphon is using what we call a multi protocol architecture basically protects against the blacklisting of one or even a few protocols because there's always redundant transport methods that the traffic can can use and then as I mentioned we do various traffic often methods to be resilient to traffic fingerprinting as well in terms of transports what makes a protocol relevant so one is it effective does it work does traffic get through is it able to actually transport enough data like through actual throughput secondly resilience for how long is it going to work before it gets figured out and blocked another thing is it should have low overhead you can't insert too much extra data into the tunnel and lastly not placing too much demand on users for instance peer-to-peer traffic requires users to actually do something to run themselves as a proxy node in a network and that could affect scalability and even performance the reason I say that is because even though some circumvention methods experimental new methods that have been discovered and worked on are excellent but they're not they're not as easy to scale from tens or hundreds of people to tens of millions of people especially god especially not rapidly and some of the examples I'm gonna show will show you how this network has really the availability the ability to rapidly scale itself in critical events and that keeps people connected to the open Internet just a small note on Network data as well I'm sure everyone in this crowd has at one time or another or regularly uses a VPN and not all VPN providers are created equal not all of them are to be trusted so I want to just make a note on how to be privacy conscious as a VPN provider you're not technically anonymous from your VPN provider because at the end of the day you are agreeing to tunnel all the traffic from your device across some third party servers that you don't know them and you don't really know what they're doing with your traffic and you have to click that button that says I trust this provider so with syphon we
make sure that we don't want get log anything the only data that we're privy to is statistics that come from the network aggregated network statistics and no personally identifying information on any users you can know where people are without collecting their IP addresses because you can do the geo IP lookup on the client side and discard their IP address without it ever having to leave their device and another great feature that psyphon offers is you just download an application you don't have to register you don't have to provide your email address your phone number credit card etc so what this data allows us to do is make some conclusions about the censorship environment that's being faced in different places and try and make sense of how how our our
network protocols are being affected by those dynamics it allows us to see how the software is performing and how that could be improved and it also allows us to ensure that we stay one step ahead of the censors this is a map in real-time
of just showing where Saipan users are in the world there are at least some users in
every country I've highlighted have highlighted Sudan in the center there because the recent blocking event that
occurred starting December 19th it involved basically centrally orchestrated blocking of all the major social media platforms Facebook Twitter whatsapp and within a matter of days as you can see we've gone up to half a million users a day there interestingly a lot of VPN tools are not available in sedan because of the sanctions economic sanctions so I think that's another another factor driving adoption and it worked it's not the first time that
we've seen a rapid spike in psyphon usage in response to social social media blocking there was a case earlier this year in the summer starting about
mid-july in Iraq where there were protests in Basra and salary' southern regions and again the government reacted by blocking Facebook Twitter whatsapp basically essential social media and communication platforms that people rely on like anyone from the MENA region like you know whatsapp is what's up is life a lot of other regions too and we were
above 4 million users a day over that time period this is a snapshot of the protest period
that began near the end of December last year in Iran where thanks to I guess like overall good Network performance in the country where sometimes VPN connections or other circumvention methods like the Tor network aren't as reliable psyphon has a fairly good reputation there and we reached a peak of 14
million users a day after they blocked a telegram that basically the only essential incident mentioning instant messaging service you could argue that was already like left on the sensor but by the authorities there as well as Instagram same case and so basically there was a countrywide demand for ways to stay connected with that and that kind of represents almost a fifth or even a quarter of all Internet users in Iran we're using psyphon during this time period another note on scalability is that the network is pushing at the peak like 1.4 petabytes of data per day on a couple on networks that are known to be like average average speed of 2 Mbps connection or something like that it's pretty pretty impressive and again I did mention the sort of the challenges of scaling peer to peer type circumvention services I did one of the advantages of having a kind of cloud cloud-based centrally managed system is that we are able to provision servers rapidly when there are incidents like this Iran has been some of the most challenging some of the most sophisticated some of the most aggressive censorship that we've encountered over the past year and that comes from their motivation not just a block content but also to block the methods that people use to get around the filtering there which is become in in the past decade or so a regular part of going on the internet telegram was
finally banned by a court order which also stated that telegram must be blocked in such a way that no Iranian can access it not even with circumvention tools and so that there was a push from the internet providers err which are so some countries you might see a lot of heterogeneity in the BLA the buggy enforcement as say the talk that was about the telegram blocking in Russia which was given by landed yesterday his research showed that there was some varied compliance or delayed compliance from some internet providers there in Iran the eyes Pete's seemed to be very centrally controlled and so the blocking rule was basically
implemented countrywide so these statistics are showing daily users of psyphon and a telegram client that was deployed integrated with our library called telegram dr which within the first day or was like art already up to close to a million users
this is a shot of Tory usage during the same time you notice toward the REC connections start to drop off in favor of bridges but that's maybe 10,000 users a day compared with 10 times a hundred
times this is an example of the
advantage of the multi protocol architecture that psyphon is using for transports they protect these are just by protocol group showing hourly connections and you can see when one or two types of protocols get knocked out the balance of connections is picked up by by the other transports that we use so effectively without blocking of all the protocols the network will remain resilient
this is another example showing China during the 19th Party Congress which happened last October basically beginning in in July of that summer whatsapp voice and video calls were beginning to be blocked and only messaging was working sort of drove the adoption of lots of different
circumvention tools but there was simultaneously in order to ban VPNs in China as well which which was slowly being orchestrated and even complied with by parties like say Apple which removed VPN apps from the App Store finally in about mid-september whatsapp was bought completely and you can see that our usage there started to increase a lot then at the beginning of the party Congress actually an attempt to filter psyphon based on protocols and actually the protocols that were targeted were not connecting successfully or we're taking a long time to connect but nonetheless we were able to sustain usage through the time period to make sure that people had open access to information okay so just a recap of some
of the trends that have been noticed over the past year for sure deep packet inspection is getting cheaper and easier to implement possibly even able to look deeper into web traffic without sacrificing performance aspect that I saw it was an article from Radio Free europe/radio Liberty which was about a meeting of the basically dpi filtering providers in Russia the the newest spec was they wanted these systems to be able to run at scale at scale on a one terabyte per second feed of data which it's really shocking a shockingly high number so but that's possibly the next generation of this technology that we're going to see as I mentioned a crackdown not just on content but on on circumvention tools and VPNs VPNs especially becoming a lot more easy to block not just for the sort of notoriously notoriously sophisticated censoring nations like China and Iran but anyone any government can really afford a dpi box nowadays and it really has just a switch that you can turn off VPNs if you want to another good point
is collateral damage is becoming less reliable so the example that I showed from Iran we observed that so just this is just an anecdote on the same story basically even when you have encrypted communication on the internet some part of that transaction happens unencrypted it's called the TLS handshake so basically when you're gonna communicate encrypted to that server you are gonna say hey their server I'd like to talk encrypted with you the server is gonna say okay like I can talk TLS 10.1 1.2 1.3 and then you agree and then you talk encrypted so Iran blocked traffic based on some TLS handshakes that were suspected to be being used the the TLS handshakes that psyphon was using at that time we're emulating some of the most ubiquitous and common TLS handshakes that are used online like Google Chrome Firefox Chrome Android was like most widely used kind of web browsers in in the country and when this filtering rule was implemented users reported problems with using those essential Internet services your web browser started starting to break because of filtering rules that were deployed to target one specific thing but not surgically enough that said it seems that censors in 2018 oops yeah sorry about that sensor in 2018 are willing to sustain large amounts of collateral damage or block unreasonable amounts of benign web traffic going in and out of the country just in an effort to enforce their blacklist rules another thing that we've seen not in 2018 but in previous years is the willingness to even block entire CD ends so using kind of critical infrastructure pieces as a way of concealing or obfuscated of skating circumvention traffic may not be the most reliable method going forward another thing that that has been observed is sensors are beginning to block only certain IP ranges at the sub level of the CDN as well that are suspected to be involved in circumvention traffic and kind of like being able to block just part of a CDN instead of the entire domain so that's something to look out for in the coming year so by way of conclusion what can
you do one don't settle for partial internet anything less than the entire open Internet is not the World Wide Web secondly you can't blow the whistle on censorship if it's safe for you to do so thirdly you should use free open-source circumvention software and support it fourthly come work with us if you're a researcher if you're a developer if you're a media provider we can work together and we'd love to call out collaborate and lastly especially app developers you can use our open source libraries they're all on our github if you want to add some censorship resilience to applications that you're
working on then that's something that's highly encouraged and we'd love to speak more about that and we have about 10 minutes for questions so I will leave it at that thank you very much [Music]
and I already see people lining up at
the microphones and we also have questions from the signal angels so we just hurry to your questions Michael from one place I didn't mention like I see the biggest stress the censorship is from big tech giants like Google Facebook and their manipulative algorithms so this is like the biggest stress a new kind of didn't man I think this this would be like I think this should be the focus like how do we bypass this because this tech giant's become more powerful than any like head of any state and they're like really you know I experienced just days ago we started petition you know which was totally shadow banned on Twitter and Facebook so this is the biggest threat from from censorship even bigger than a state parties I mean what you haven't mentioned I think what's your perspective on that I think I did
mention at the very beginning kind of a shift from first generation that's interceptive forms of censorship to the second and third generation of information controls which is like one being able to have legal mechanisms that enforce the blocking of content and even the takedowns of content from say major social networks like Facebook and Twitter and and other apps to telegram has kind of administrators on on their channels and groups now that are
accountable to sort of local laws that's something that circumvention technology doesn't expressly deal with at this time we are more concerned with maintaining access to the sort of the web platform itself when it gets blocked but sure that's definitely a concern I would say an even greater and more difficult concern in this day and age then then simply being able to access content it's being able to preserve content that's up there so that's not something that I have an easy solution for but definitely something that that I'm gravely concerned with sure democracy can be
pre-programmed by the they are algorithms and censorship so this is like kind of the biggest strike from San
Shiva is here thank you Thanks so next one from the signal angel place as far as I know it's implemented
in Saipan I'm not aware of any other clients that that use it but I believe it's an open source transport so probably there are some people out there using it and I should add to that it's not always guarantee be guaranteed to be the same thing like it doesn't stay it doesn't stay the same for long and probably other implementations of it have different ways of obfuscating the traffic specifically hey we have more
questions on microphone - thanks for your talk I am after questions one is as I understand right the end-user software is open source how about these server components can I run my own VPN provider
and do you plan to to open-source the the software from the server-side second question would be like I can imagine that running a infrastructure that serves so many users at this scale is pretty costly so what is the the business model if you don't need to register and the donation based where do you get the money to pay the bill at the end of the month ok first question - thank you for the question first question first psyphon is open source the clients client software server software or server code it's all in our github theoretically you could compile your own circumvention client run your own network if you have like some servers at your disposal that you want to do that then there's nothing stopping you from doing that second question sure that it's definitely a challenge maintaining user a user base this large on on a free on a free service so some of the ways that that's supported is one we we have an app that allows you to subscribe for premium service for like these sort of not explicitly censored countries like the United States or European Union whatever people that feel conscious enough that they want to support Internet freedom for others by supporting the network that that's really encouraged we also work with international broadcasters that have a mandate to support Internet freedom around the world and we can work with them to basically provide circumvention technology that helps them deliver content into closed societies and in exchange we have a way of supporting the free users ok thank you I would take the
signal angel again because the others can also come in front then later have you seen countries with surprising amount of users who which I'm not usually consider too
heavily restricted internet access part of me could you repeat the question have you in your statistics do you have countries where the amount of users in that country surprised you because that country is not usually considered too heavily restrict Internet access yeah absolutely plenty of Western countries have pretty significant saipan
user bases maybe tens maybe hundreds of thousands of users but even here in Germany or in the UK it's not to say that like countries that are known to be free internet open Internet countries it's not to say that every network in that country is free and open plenty of institutions workplaces universities maintain a pretty aggressive blacklist of some types of content or some applications so that's that's something that I see is a key driver of circumvention usage in those countries thank you microphone for please answer and who likes to use traffic fingerprinting to censor and I wonder how efficient is that if I want to keep a number of false positives low and other any Studies on the effectiveness of traffic fingerprinting I want to filter the bad traffic but to keep good traffic safe thanks for your question traffic fingerprinting is is known to be fairly imprecise there's a there's a I mean I I don't have any studies I can reference but anecdotally within the kind of Internet freedom community what people are saying is that it's it's becoming better but yeah collateral damage is the calculation that every sensor needs to make and in some cases they don't mind in some cases they don't know what other traffic is being filtered as a result of the measures that they're implementing and it is it remains in many ways a kind of a whack-a-mole approach there was a there was a study last year that was on specifically like machine learning enabled censorship which was extremely imprecise I had a lot of false positives it was like something like 80 percents it's successful they claimed that the researchers claimed which obviously that's not enough to deploy at internet scale okay I'm going from question at
microphone one hi hello Lulu hello so sometimes I wear your hats and sometimes I put on another hat where I'm your enemy I won't go into the reasons why I
sometimes find that throttling it can be more effective than blocking because you know user might get bored downloading and waiting for a YouTube video to load and go away and do something else which leaves the bandwidth available for other people so I'm wondering if you've ever seen that tactic being used where rather than you would actually block a website and give up a message saying you know 404 or second action reset or something where you just actually make it unusable slow are you assistant min thanks for your question yes that's definitely a tactic I think also trying to defuse the accountability for censorship is is another reason that they do that because there's sort of no guarantee that it's not a problem with the content providers site or something there there have been lots of examples that I mean I can share with you afterwards of internet throttling used on specific domains to sort of like in China for example famously kind of not exactly blocking your connection but just throttling you too a completely unusable degree I would say when that's deployed on specific domains circumvention tools still still work effectively when it's deployed on a network scale then there's not too much that we can do or like an Internet shutdown that's one case where that doesn't matter how robust and resilient this circum engine software that you're using is if no one has an internet connection with one exception notably in in psyphon history then where somehow we kept networks online in in case of anything that shut down oh yeah does that answer your question Thanks thank you and we have one more
question from the signal angel have you had governments or other organizations try to fight you legally for enabling their users to circumvent the content filters no that is a nice short answer so we have one more question here of three more in the audience I take microphone two please
you mentioned domain fronting as as an effective way for high-value domains when Google and Amazon stop tolerating domain fronting have you news organization been in touch with them we
were part of some discussions on the issue since we notably do use that as a technique psyphon has never done domain fronting through Google or Amazon I mean to go back to the example of like a circumvention method that works for tens or hundreds of users but may not work for tens of millions of users this is this is a perfect case in point I think for that it's like sure it's a cool trick maybe it doesn't require a lot of technical sophistication to put in the header of all the traffic that I said but if I have tens of millions of users then that's potentially gonna like sabotage the person's domain that I'm using so any any domain fronting that's done on a scale that like the Saipan Network uses it's done under close collaboration and and a formal agreement not not in the informal way that it was that it was being done by so many different app developers which i think is the reason that it was eventually cracked down upon its it does violate the Terms of Service of those domains so yeah does that answer your question so the person on microphone four is now disappeared coming back okay so thanks a lot keys for your presentation and for answering all those questions and you are still here for a few of lying questions that's really nice so thanks you all that you were here [Applause]
[Music] [Music]