Pharos - Technical Capabilities

From Identifying Difficult Problems in Cyberlaw
Jump to navigation Jump to search

Pharos will require three core technical capabilities: navigating media through state-imposed Internet censorship, sanitizing media for safe publication, and widely distributing media online. The following sections detail each capability.

Censorship Circumvention

A number of authors have reviewed existing Internet circumvention techniques. This section crystallizes on-the-ground experience into a series of high-level challenges for circumvention tools, reviewing how existing tools respond to each and proposing improvements that Pharos could undertake. The section closes with a sketch of a complementary asynchronous system for exfiltrating media from behind Internet censorship.

Rendezvous

To a rough approximation, censorship circumvention tools all follow the same template: connect the censored user to an uncensored intermediary who relays the user’s network traffic. For the model to function, the user must be able to access an uncensored intermediary–a substantial feat when a state actor is attempting to cut off such access. A number of strategies have been deployed in response to this “rendezvous” problem.

Central Directory

Whether a website, directory protocol, mailing list, or Twitter hashtag, most censorship circumvention resources are distributed through a centralized mechanism. While this approach is simple for users and volunteers, it is also easy to block–a censoring state need only block access to the directory and the resources it lists.

Decentralized Lookup

Several systems employ a distributed hash table to locate network resources. This approach avoids outright blocking of the directory, but a state could still easily discover and block a sizeable proportion of network resources.

Selective Disclosure

Some censorship circumvention tools have incorporated mechanisms that selectively disclose network resources to users. Tor, for example, selectively discloses bridges by time and user IP address. Such selective disclosure delays and raises the difficulty of state blocking efforts.

Leverage Existing Anti-Automation Systems

Large online service firms have a sizeable commercial incentive to prevent automated use of their systems. Linking access to a censorship circumvention tool to access to an account with such a firm provides free protection against automated state attempts to discover and block network resources. Tor does just this with its email-based selective disclosure: only Gmail and Yahoo! Mail users receive bridge addresses.

Trusted Groups

Anecdotes suggest it is not uncommon for individuals in censoring countries to rely on relatives and friends overseas to host private circumvention tools. This approach should be fostered, though recognizing it does not scale.

As of yet, there is no silver bullet for the rendezvous problem. All of the solutions above merit pursuing, and Pharos could make a significant contribution to censorship circumvention by studying and providing technical tools for each. There are also several promising research avenues Pharos could explore:

Reputation-based Selective Disclosure

Conditioning access to network resources on participating in a pseudonymous reputation and traitor tracing system could aid in guarding against state censors. Preventing determined states from registering and abusing large numbers of seemingly legitimate accounts would be a challenge.

In-Country Rendezvous

Current approaches to the rendezvous problem essentially turn on whether circumvention tool providers can provision uncensored resources faster than a state can block them. One possible exit from this arms race is adding an extra in-country step to the rendezvous problem. A sketch: a tech-savvy individual in a censoring country would negotiate a stable network path past the country’s censorship, then anonymously route traffic on that path without disclosing it. Substantial research would be required to validate and scale this approach.

Usability

Both anecdotal experience from recent Internet crackdowns and longitudinal back-of-the-envelope calculations strongly suggest simple web proxies are the predominant tools for censorship circumvention. This should come as no surprise: using a web proxy is straightforward for the lay user, and hosting a web proxy is trivial for even a novice IT aficionado. Dedicated censorship tools require both users and volunteers learn of, locate, and install niche software.


If ease of use and ease of hosting are fundamental constraints for a popular censorship circumvention tool, there remains much room for improvement. Establishing PPTP VPN’s as the de facto censorship circumvention standard would enable applications other than the web and encrypt traffic within the censoring country–preventing snooping and content-based filtering.


Performance

The performance of non-commercial censorship circumvention systems is notoriously terrible. Not much can be done for volunteered one-off proxies, which quickly become oversaturated. For dedicated censorship circumvention technologies, technical improvements and increased funding and incentives for network resources are essential.

Asynchronous Communication

Nearly all work on Internet censorship circumvention is focused on providing unfiltered Internet access. Given the importance of ensuring human rights media is published, the time may be ripe for reviving asynchronous communication: a secure sneakernet for exfiltrating human rights media. Here’s a sketch of how the system might work:

  • An individual records media pertaining to human rights and decides to publish it.
  • The person locates a copy of Pharos’ sneakernet software. In the interest of usability and security, the software could be a web app contained in an HTML file.
  • Pharos’ software saves a padded and encrypted copy of the media.
  • The person distributes the encrypted file and web app to trusted friends and relatives.
  • Friends and relatives launch the web app, which attempts to upload the encrypted file to Pharos.
  • If an upload is unsuccessful, the file’s timestamp is reset and the user is prompted to pass the file on further.
  • Eventually the file reaches Pharos, which decrypts and publishes it.

The sneakernet would not only provide circumvention, but also anonymity (a human Tor of sorts) and deniability (since the file’s encrypted).

Network Trust

Save commercial censorship circumvention tools, none protect against a malicious volunteer tapping or tampering with user traffic. This is far from a theoretical concern: in multiple public episodes sensitive information has leaked from anonymization or circumvention tools.

There are several steps Pharos could take to alleviate the trust problem. First, it could pre-emptively vet volunteers in circumvention tools. If a volunteer appears to be an agent of a censoring government, for example, Pharos could report them for exclusion. Second, Pharos could attempt to detect man-in-the-middle attacks with a variety of honeypots. In the event a government is repeatedly interfering with user traffic, Pharos could recommend against using circumvention resources located in that country. Third, Pharos could strongly advocate for encrypted circumvention solutions, especially when traffic will make multiple hops. The overhead is low, and it protects users against deep packet inspection (DPI) filtering and intermediate man-in-the-middle-attacks. Finally, Pharos could encourage or host centralized, secure last-hop proxies (see Psiphon) so users do not have to be concerned about a last-hop man-in-the-middle.

Software Verification

Malware infection, whether by state or private actors, poses a significant privacy and security threat to executable circumvention tools. Worms are also a concern: circumvention tools are often passed among social groups, coming into contact with many computers. While the basic cryptography for authenticating software is straightforward, user-friendly tools are scarce. Worse, the tools themselves are executables–reintroducing all the same risks.

Pharos could break the circular dependency of untrusted executables authenticating untrusted executables by developing a web app for verification. With nothing more than a modern browser and a single HTML file, a user could ensure the software they’ve received is authentic.

Education and Distribution

Owing to limited budgets and political considerations, several major censorship circumvention efforts have refrained from widely advertising themselves in countries imposing Internet censorship. Prominent NGO’s have to some measure filled the education and distribution void, but in most cases this has not been a priority.

Pharos could establish itself as the reliable, authoritative source for censorship circumvention information and software. And since Pharos is by design isolated from many of the political pressures imposed on other entities in the space, it would be in an extraordinary position for promoting censorship circumvention. For example, Pharos could place ads for censorship circumvention software on local ad networks without much fear of reprisal.

Media Sanitization

Having received human rights media, Pharos would have three primary sanitizing responsibilities. First, to protect the sender’s identity, Pharos would clear all network logs related to the upload. Second, to protect the media recorder’s identity, Pharos would scrub metadata from the media to prevent identifying the sender. A variety of free, consumer, and professional media editing tools provide straightforward access to metadata. Third, Pharos would blur faces as necessary for the safety of individuals depicted in the media. Many of the same media editing tools also include this functionality. To faster process uploads Pharos could employ well-known techniques for automated face recognition.

Media Distribution

The major social media platforms all support automated content uploads. With some up-front engineering Pharos could trivially push new media to all the top platforms.