Internet privacy and security course

Chapter 22

Internet censorship

When speaking about Internet censorship, I’d like to point out that censorship by itself is not a threat and does more good than harm. Like a lot of people out there, I don’t want a neighbor holding a grudge against me to one day anonymously hire a killer to murder me. I also wouldn’t like the idea of another neighbor accessing propaganda materials issued by ISIL and plotting a jihad in my city. For this purpose the government (at least some governments) resorts to blocking dangerous websites.

But censorship abuse, when the authorities use this tool to limit freedoms and rights, is the real threat this chapter dwells on in detail.

Let me give you an example of what I consider censorship abuse. At the end of 2017, Iran saw its largest anti-government protests, which were instigated, among other reasons, by rising prices. In an effort to curb dissent, the authorities blocked access to the Telegram messaging application for the majority of Iranians.

Telegram is the main messaging application for Iranians, with many of them using it to make a profit, while just as many use it as a corporate messaging service. Practically all the citizens of this country see it as the main tool to communicate with friends and family. The Iranians who were unable to circumvent the block could pay dearly for the authorities’ drastic move as, basically, they were cut off from the most important communication channel.

Responding to anti-regime unrest in the East with a move to block access to the Internet is a common thing. For instance, during the protests in 2011, the Egyptians were cut off from the Internet altogether. However, these coercive measures instantly backfired against the government: the lack of Internet access provoked mass protests and tumult that brought down President Hosni Mubarak after nearly three decades of his rule.

Full Internet disconnection is a special case, and such censorship can’t be circumvented using common software. However, when only access to particular websites is limited, there are two main kinds of block to get around: by IP address and by DNS.

DNS blocking

You are probably used to typing a website’s address, like www.google.com, into your web browser. In reality, the data you enter is just a domain name. The website is located on a server, and the real address of the website is an IP address. But since users would rather type google.com than a string of random numbers like 128.14.124.56, the inventors of the Internet came up with the Domain Name System, or DNS.

It works quite simply: there are root DNS servers that know what domain name corresponds to what IP address, and there are local servers that receive information from them. For instance, your ISP has a local DNS server too.

When you type www.google.com into your web browser, your computer asks the ISP’s DNS server what the IP address for the website www.google.com is.

If this website is blocked, the DNS server of the ISP will instead respond with the IP address of a web page stating that the website has been blocked at the request of the authorities.

This kind of censorship is circumvented by simply replacing the DNS server with Google’s DNS server (you will learn how to do it in this course) or by using a VPN where, as a rule, you would use the DNS server specified in the VPN’s settings.
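The block-page behaviour described above can be spotted by comparing what the ISP's resolver returns with what a control resolver returns for the same names. The following is an added example, not part of the original course and not ooniprobe's code; the function name, verdict labels and all DNS records are constructed for illustration, and the private-address check goes slightly beyond the case in the text.

```python
"""Compare ISP resolver answers with a control resolver to spot DNS blocking.
All records are constructed sample data (documentation address ranges)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Addresses a public website should never resolve to.
BOGONS = [ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: domain -> (A records from ISP resolver, from control resolver).
SAMPLE = {
    "news.example": (["203.0.113.10"], ["192.0.2.44"]),
    "chat.example": (["203.0.113.10"], ["192.0.2.80"]),
    "shop.example": (["198.51.100.7"], ["198.51.100.7"]),
    "cdn.example": (["198.51.100.21", "198.51.100.22"],
                    ["198.51.100.22", "198.51.100.23"]),
    "gone.example": ([], ["192.0.2.99"]),
    "intranet.example": (["10.0.0.5"], ["192.0.2.120"]),
    "video.example": (["198.51.100.200"], ["192.0.2.150"]),
}

def classify(answers):
    """Return {domain: verdict} for each domain in answers."""
    # Pass 1: group domains by ISP-returned IPs the control resolver never gave.
    # One such IP shared by unrelated domains is the signature of a block page.
    odd_ip_domains = defaultdict(set)
    for domain, (isp, control) in answers.items():
        if not set(isp) & set(control):
            for ip in isp:
                odd_ip_domains[ip].add(domain)
    # Pass 2: assign a verdict per domain.
    verdicts = {}
    for domain, (isp, control) in answers.items():
        if not isp:
            verdicts[domain] = "no-answer"    # empty or NXDOMAIN: possible block
        elif set(isp) & set(control):
            verdicts[domain] = "consistent"   # overlap tolerates CDN rotation
        elif any(ip_address(ip) in net for ip in isp for net in BOGONS):
            verdicts[domain] = "bogon"        # public name -> private/loopback
        elif any(len(odd_ip_domains[ip]) > 1 for ip in isp):
            verdicts[domain] = "block-page"   # same odd IP for several names
        else:
            verdicts[domain] = "mismatch"     # may be geo-DNS; verify by other means
    return verdicts

if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE).items():
        print(f"{domain:18} {verdict}")
```

A lone "mismatch" is not proof of blocking, since large sites legitimately return different addresses in different regions; several unrelated names pointing at one address is the stronger signal.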

Website’s IP address blocking

When your computer receives the IP address of the requested website’s server from the DNS server, it starts exchanging data with that server, and this data becomes the website you see in your browser.

All queries travel from your computer through your ISP and can be blocked by it. However, a single IP address can host several websites, and in that case they will all get blocked. That has happened many times, at least in Russia.

Proxying Internet traffic is the way to deal with this type of attack. It may be performed through a VPN, proxy, Tor or SSH, but the most important thing is to have the server you use to access the Internet located in a different jurisdiction.

A lot of users think that this bypasses blocks completely. In reality, when accessing the Internet through a remote server, for instance a VPN, you can find yourself facing the restrictions of the ISPs local to that server, for instance Swedish ones if your exit server is located in Sweden.

In the event of using a tunnel, your ISP sees the connection to a VPN or proxy server but doesn’t block the data exchange since this is not forbidden.

Application blocking methods

We have so far dealt with website blocks. When it comes to applications, for instance, messaging apps, everything happens in a similar manner. A messaging application connects to the controlling servers, and during the connection it gets blocked.

In Russia, Roskomnadzor ordered ISPs to cut service to the IP addresses of the instant messaging app Telegram, blocking over 18 million IP addresses belonging to Amazon, Google, Hetzner, Microsoft and Digital Ocean. The move also inadvertently affected a number of other businesses, disrupting the services of such companies as Battle.net, EA Games, Steam, Skyeng, anti-DDoS service Google Shield, Evernote, Spotify, Gett and Volvo. Telegram’s legitimate competitor Viber also suffered collateral damage from Roskomnadzor’s outage repercussions, while Telegram continued running.

Sometimes you will come across port blocking. Every application that needs to access the Internet uses a port to connect to the network. For instance, TeamViewer uses port 5938, and Steam uses ports 27015 to 27030. If your Internet traffic through these ports gets blocked, the application will be unable to connect to the server.

As a rule, this is practiced at companies. For instance, at the company my girlfriend used to work for, the system administrator blocked port 5190, which was used by the then hugely popular ICQ messaging app. The port blocking prevented the employees from using ICQ at work.

Many modern applications protect themselves from port blocking. For instance, TeamViewer will try to connect over ports 443 and 80 (they can’t be blocked since they are required for working with websites) if it can’t connect over port 5938. Some applications allow you to specify a proxy server for connection in the settings or choose a port independently.

There is another way to block a mobile application: through the mobile app stores, App Store and Google Play. An application can be removed from a store and even blocked on a user’s device without permission.

This method was used by the Russian authorities to block LinkedIn, which disappeared simultaneously from the Russian App Store and Google Play. In China a host of applications, including apps that provide VPN services and even the New York Times app, were blocked similarly.

How do you get around such censorship? Apple is not the best choice in this case. To bypass this type of censorship, you should switch to Android or jailbreak your device and install the application on your own. If you shift to an Android device, you can download the application from an alternative app store; you will learn about them as you progress through this course.

There’s an alternate way to circumvent the block in app stores: change the region in the settings. This way the blocks of the selected region won’t affect you, but that doesn’t always work out in practice: in China the authorities are cracking down on this circumvention method making it impossible to perform on some smartphones. Besides, if you want to change the region in App Store, you will have to give up all your subscriptions.

However, censorship is just as applicable to the tools that allow you to bypass these restrictions: the ports used during a VPN connection can be blocked; your Internet traffic can be analyzed for VPN use and blocked if a VPN is detected; finally, the websites offering VPN services or instructions on how to bypass blocks can also get filtered.

China, for instance, is stepping up its clampdown on VPN sellers by meting out severe sentences. In autumn 2017, Chinese citizen Wu Xiangyang was sentenced to five and a half years in jail for running his VPN service for businesses and foreign customers. He was also fined 75,000 dollars, an amount equal to his profits since he started his business.

Still, an informed user won’t have much trouble circumventing even such a massive censorship network as the Great Chinese Firewall, let alone common IP address or DNS blocks.

Testing your network for Internet censorship

As a rule, a user can test his or her network for Internet restrictions by attempting to access the resource or application he or she wants to use. However, you don’t have to do this yourself: a program dubbed ooniprobe was designed to automate this task. It is a free software project by the Open Observatory of Network Interference (OONI), under the Tor Project, “a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet”.

You can run ooniprobe to probe your network for censorship of popular websites and instant messaging services, including Telegram and WhatsApp. It can also detect HTTP header manipulation and intermediate nodes, though this falls under surveillance more than censorship. Currently the project is under development, and the developers constantly extend its functionality. The code of the application can be accessed on GitHub.

You won’t need a guide on how to use ooniprobe as this is a very easy-to-use and intuitive application.
