EFF: Using Technology to Overcome Censorship
Posted by onehundredflowers on August 19, 2009
Kasama has not independently verified the reliability of the information presented below, but we are posting this because we think it may be of interest to our readers.
This is slightly modified from the original. For the full piece, go to eff.org.
6 Ideas For Those Needing Defensive Technology to Protect Free Speech from Authoritarian Regimes and 4 Ways the Rest of Us Can Help
Introduction: The Internet remains one of the most powerful means ever created to give voice to repressed people around the world. Unfortunately, new technologies have also given authoritarian regimes new means to identify and retaliate against those who speak out despite censorship and surveillance. Below are six basic ideas for those attempting to speak without falling victim to authoritarian surveillance and censorship, and four ideas for the rest of us who want to help support them.
I. Ideas for Activists and Others Facing Authoritarian Regimes
1. Understand Risk Assessment
The first step in trying to defend yourself against digital surveillance and censorship is to understand the concept of risk assessment. Risk assessment is the process of deciding what threats you face, how likely and serious they are, and how to prioritize the steps you can take to protect yourself. EFF’s section on risk assessment in Surveillance Self-Defense can help you with this assessment.1
2. Beware of Malware
Malware is a catch-all term for computer viruses, worms, trojan horses, keystroke loggers, spyware, rootkits and any other kind of software that makes a computer spy on you or act against your interests.
If a government is able to install malware on the computer you are using, then it doesn’t matter what other steps you take: your files and communications will be subject to surveillance.
If you have your own computer, you need to be sure to install security updates and run anti-virus or rootkit scanning software. You also need to understand that these measures only offer limited protection. For one guide to anti-virus and firewall software, see the Tactical Technology Collective’s “Security in a Box” guide.
It is important to note that if you are using a shared computer, such as a computer at an Internet cafe or a library, the risk of surveillance by malware may be greater. If you need to use a public computer for sensitive communications, you should use a bootable USB device or CD (such as Incognito) to mitigate the risks posed by malware.
You can use a bootable USB or CD for the most sensitive things you do with your own computer, too.
3. Choose the Least-Risky Communications Channels
You should be careful in choosing the channels through which you communicate with other individuals and activists.
Talking in person is usually the safest way to speak (unless others are watching you, or your location is bugged).
Understand the risk associated with phone calls. Most governments are able to record who calls whom, and when, all of the time. Currently, most governments outside the US/EU have a more limited, albeit unknown ability to record and listen to the phone calls themselves. For instance, it is believed that they will be able to tap phones, but only a limited number (perhaps a few thousand) at any given moment. You should always assume that a call to or from a phone belonging to an activist, or regularly used for activism, may be bugged.
Avoid SMS text messages. These pass unencrypted through major telecommunication providers and are easy for a government to harvest and analyze on a massive scale.
Protect Internet communications by using encryption2 and by choosing (preferably offshore) service providers that are trustworthy and unlikely to cooperate with your government.
Here are two channels which are easy to use and which offer some protection:
Use the OTR instant messaging plugin. This is easy if you and the people you communicate with can install the Pidgin or Adium X instant messaging programs on your computers. Details on how to do this are available here. Disable logging to ensure that if your computer is seized, your communications aren’t on it.
Use a webmail provider that supports https encryption. Services like RiseUp.net place a premium on their users’ privacy. Gmail supports encryption, but you must enable it in your settings and consider whether you can trust Google not to hand your communications to your government.3 Make sure every that time you send or receive an email, the pages uses https — otherwise, your messages could be intercepted.
There are many other ways to arrange for secure communications, although many require more technical expertise. See SSD for further detail with respect to securing email.
Encrypted Voice-over-IP is possible, but many VoIP services do not support it. Two exceptions are ZPhone and Skype. Unencrypted VOIP is very easy to tap, including most telephone cabinets at Internet cafes.
The level of security afforded by the popular commercial VoIP service Skype is unknown. We believe that countries with sophisticated intelligence services will find ways to defeat Skype’s security, while less sophisticated intelligence services may be confounded by it. China is known to have produced its own trojan-infected version of Skype. It is also known that there are weaknesses in Skype’s security architecture.4 You should assume that the intelligence services of countries like the U.S., Israel, Russia, or Cuba could defeat Skype’s encryption. But as far as is known, most less developed countries are unlikely to be able to decrypt Skype’s communications in the near future.
4. Use Encryption to Prevent Surveillance and Censorship of your Web Usage
Censorship and surveillance of Internet connections are intimately connected: it is difficult to censor communications without at the same time being able to watch and understand them, because it is difficult for the censorship system to tell the difference between the communications it intends to block and those it does not.
There are many ways to use encryption to protect your communications against surveillance and censorship. You can use some Internet services with their own encryption built-in (see above for instant messaging, or webmail using https). But if you want to use encryption to protect all of your web browsing, try one of the following:
Use Tor. Tor will encrypt your communications and bounce them around the planet before sending them on to their destination. It offers a high level of protection against eavesdropping by your government5 and is not hard to use. The greatest challenge with using Tor is that it often slows browsing down a great deal; expect page loads to be slowed down by ten seconds or more.
If you live in a country where the very fact that you use Tor might be seen as grounds for singling you out for arrest, further surveillance, or other unwelcome scrutiny, you should only use Tor in combination with a Tor Bridge. See section 6 below.
Use an encrypted proxy or Virtual Private Network (VPN) to tunnel your traffic overseas. This approach offers slightly less protection than Tor but tends to be faster. There are many ways you can try this:
Use a public, SSL-encrypted proxy server. Understand that unless you know who runs a proxy, there is a chance that it is run by your adversary.
If you have access to a Linux or Unix account overseas, you can instantly create your own encrypted proxy server using the ssh program (which comes installed on Mac OS X and Linux computers, and can be easily installed on Windows). Here are two pages discussing how to do that.
Use a service like Hotspot Shield.
Use an overseas VPN service. Companies such as Relakks sell access to services of this sort.
5. Be Careful of What and Where You Publish
Avoid publishing material under your own name, or including facts that might be clues to your identity, unless you are willing to take the risk that authorities will target you for reprisals.
Avoid publishing material through hosting services that have a commercial presence in your country, or which are likely to cooperate with your country’s government. Be aware that some countries have treaties which lead them to assist other countries’ law enforcement requests.
Only publish material through services that use https. You should see the https prefix in the browser address bar, and an unbroken lock icon in your browser window: not just during login, but the entire time you are using the site.
6. Should I use a Tor Bridge?
Tor Bridges are a more discreet way to connect to the Tor network. Normally, if you use Tor, someone watching the network could observe that your computer was connected to the Tor network.6 If you use a Tor Bridge instead, it will be much harder to tell that you are using Tor.
If you use Tor and live in a country with a strong tradition of Internet censorship, your government might suddenly start blocking connections to the public Tor network. In that case, you should have a Tor Bridge address ready for use if that happens.
If you live in a country where the mere fact of using Tor might expose you to unwelcome attention or worse, you should never use Tor without configuring it to connect through a bridge.
You can find information about how to configure Tor to use a bridge at: https://www.torproject.org/bridges
You can find some addresses of Tor bridges at https://bridges.torproject.org/, or by sending email to bridges@torproject.org with the line “get bridges” by itself in the body of the mail.
II. How Can I Help Others Around the World Escape Surveillance and Censorship?
Perhaps you don’t live under an authoritarian regime, but you’d like to help people who do. At the moment, here are our main suggestions:
1. Run a Tor Relay
Donate some of your bandwidth by relaying encrypted traffic between Tor nodes. Follow the instructions at the Tor Project’s website, but be sure to disable exiting from your machine, unless you intend to run an exit node (see section 3 below).
2. Run a Tor Bridge
Act as a bridge, to help people in countries with extreme Internet-censorship and surveillance practices. If you aren’t sure whether you should run a relay or a bridge, read the Tor Project’s advice on the subject.
3. Consider Running a Tor Exit Node
Unlike running Tor relays and bridges, running a Tor exit node requires significantly more care, organization, and commitment. Tor exit nodes are the machines which pass traffic out of the Tor network and on to its final destination on the Internet.
Exit nodes are vital to the operation of the Tor network. But, unlike the rest of the network, much of the traffic they carry is unencrypted. Tor exit nodes are the machines that will be fetching websites for dissidents in Iran or Burma to read; they are the machines that will be sending blog posts on behalf of those dissidents; they are the machines that will leave digital logs behind on the websites and servers they visit. But because Tor can be used for any purpose, it is also possible that Tor exit nodes will generate complaints about copyright infringement, web-spamming or other forms of antisocial network activity – and those would be associated with the exit node’s IP address.
If you decide to run a Tor exit node, it is important to anticipate the possibility of such complaints, and ensure that you don’t get blamed for antisocial things that a few of the hundreds of thousands of Tor users do. You should therefore read the Tor project’s advice on running exit nodes.
4. Run a Proxy for Friends
If you have friends in a country where Internet censorship is a problem, you could run a private proxy for them. Unfortunately, in order to do this securely you will need to obtain an SSL certificate for the proxy; this is quite an involved process.
If you run a Unix-like operating system, understand what shell access is, and trust your friends, you could give them shell accounts to use to create a personal proxy with ssh -D.
——————————————————————————–
observer said
What I am a bit surprised the article does not mention are some of the anonymizer tools available on the web which fairly easily disguise your IP address at websites you visit. One such is at:
http://anonymouse.org/
and you simply type in the web address you want to go to and the redirection indicates a false IP address, making it much more difficult to track you.
(There ar4e many more such things. A google search reveals a bunch of them).
garyt said
observer, because sites like that scream “PROXY!!!” and are easily blocked… like how it’s blocked at my work.
then there’s the fact that many shady proxy sites are popping up that a lot of people don’t feel comfortable doing their private web browsing through — ie, all information is being passed through this persons web server you found on a google search. not very safe.
nadahima said
in my country, indonesia, all telecommunication company has been inserted recorder system to record any people whom suspected to any crime
this is making us more carefully to say something on the phone
thanks
http://telecomandinternet.com/?p=39
Freddy said
“You should assume that the intelligence services of countries like the U.S., Israel, Russia, or Cuba could defeat Skype’s encryption. But as far as is known, most less developed countries are unlikely to be able to decrypt Skype’s communications in the near future.”
Really? US, Israel, Russia… and Cuba? Or it’s thrown in just to make the whole thing look “impartial” ?
Fuck, because of the embargo, the best computer allowed into Cuba by the terms dictated by Fascist States of America is something like a 800Mhz Pentium 3 with 256Mb RAM (obviously second hand). It can barely run Skype without any real-time voice encryption…
As for GMail: “The biggest problem with Gmail is that Google might be compelled by your country’s laws to disclose your email to the government”
Yes, because Google is so awesome and cool and would never do anything “evil” so, even if they do, Bush/Obama “compelled” them to. Because corporations make lots of money by working hard while taking into account their social, moral and environmental consequences…
As for the proxi and crap… You people seem to lack some very basic knowledge about “The Internets”: It is literally OWNED by western corporations. All the connections and nodes between countries, continents etc are managed by a handful of corporations. You behave as if Internet is air and email is talking. There’s nothing “natural” or “implicit” about it. If push comes to shovel they can track you from Tire 1/2 nodes, they can track you from you local ISP which is a for-profit corporation and has absolutely no interest interest in your well being, only money. And so on…
Jesus doesn’t carry your email, fiber channels from western corporations does.
Right.
zerohour said
@Freddy -
The author refers to intelligence services, not the general population. Even though Cuba’s security apparatus isn’t on a par with the US’s, it has better resources than the average Cuban.
Corporate morality has nothing to do with it. Google, like other communications companies, has privacy regulations as a matter of pragmatic business etiquette. If it’s known that they voluntarily provide governments with your information, they could lose a great deal of business. They are not the only search engine or free e-mail service in the world. Of course there is the possibility that they are just providing the information without legal compulsion but you shouldn’t assume that corporate and government interest always coincide, or that the public has no options. The third world may faces different obstacles with the internet than the first, but people have always found a way to use communications technology in their struggles.
One of the contradictions in play is the sheer size of the internet, and the volume of traffic that’s generated. To accommodate this, ISP’s are always exploring new technologies to enhance speed, which will only generate even more traffic. It’s largely due to the internet that we have gained even more access to all sorts of crucial information that may otherwise have been difficult to obtain, including information about technological standards and practices. Many of us can now understand the technology we are working with, particularly how information is formatted, transmitted and stored, how networks are structured, etc.,. In the more liberalized Western countries, we can Google [ironically] “encryption” and pull up a plethora of websites telling us how to protect our e-mail and IM communications from intrusion. I’m not a techno-utopian and I share your belief that we cannot fundamentally trust corporations or governments, but there are is some room to maneuver and we’d be irresponsible not to see and use this.
Any international communications apparatus is owned and run by corporations. No one should be naive about that. There is no such thing as 100% internet security – or phone, or mail. As soon as you’ve gone beyond face-to-face contact, you’ve subjected yourself to potential tracking by an outside entity – and even then, that involves some exposure too. For radicals who want to make alliances, establish broad contacts, engage in critical discussion, publicize events, avoiding such a powerful medium is not an option. What we need to do is to better understand the risks involved and make informed decisions, reconciling the needs of openness, timeliness and security.
jp said
The reference to Cuba may very well be intended as a compliment – by necessity, they have developed well-respected intelligence capabilities.
Karl Marx said
One concern I’d like to share pertains to an article written by Tom Burghardt “COINTELPRO 2.0: Mukasey Loosens Guidelines on Domestic Spying”. It painted a picture of website content being a target for PSYOPS tampering.
A workaround could be the use of md5 checksums by both authors and readers. After an author posts his/her content, a checksum could be produced for that page. Serious readers would validate that checksum and let the author and other users know the info has been tampered with. This could lead to some interesting insights into the compromises as well.
I think it would be smart functionality if CMS/browsers offered authors/readers md5 checksum calculators do this simple excercise.
km
Censored said
This is true. But it is NOT true that it is feasible for radicals to maintain secure anonymous communications on the internet. Some third world intelligence agencies may be unable to track encrypted communications through proxies but NSA and associated agencies certainly can.
Consequently the only informed decision reconciling the needs of openness, timeliness and security is that ANY communication through the internet should be regarded as open, public activity. Anything that is NOT open, public activity should NOT be communicated through the internet. NO exceptions.