Pharos - Technical Capabilities
Pharos will require three core technical capabilities: navigating media through state-imposed Internet censorship, sanitizing media for safe publication, and widely distributing media online. The following sections detail each capability.
Censorship Circumvention
A number of authors have reviewed existing Internet circumvention techniques.[1] This section crystallizes on-the-ground experience into a series of high-level challenges for circumvention tools, reviewing how existing tools respond to each and proposing improvements that Pharos could undertake. The section closes with a sketch of a complementary asynchronous system for exfiltrating media from behind Internet censorship.
Rendezvous
To a rough approximation, censorship circumvention tools all follow the same template: connect the censored user to an uncensored intermediary who relays the user’s network traffic. For the model to function, the user must be able to access an uncensored intermediary–a substantial feat when a state actor is attempting to cut off such access. A number of strategies have been deployed in response to this “rendezvous” problem.
Central Directory
Whether a website,[2] directory protocol,[3] mailing list,[4] or Twitter hashtag,[5] most censorship circumvention resources are distributed through a centralized mechanism. While this approach is simple for users and volunteers, it is also easy to block–a censoring state need only block access to the directory and the resources it lists.[6]
Decentralized Lookup
Several systems employ a distributed hash table to locate network resources. This approach avoids outright blocking of the directory, but a state could still easily discover and block a sizeable proportion of network resources.[7]
Selective Disclosure
Some censorship circumvention tools have incorporated mechanisms that selectively disclose network resources to users. Tor, for example, selectively discloses bridges by time and user IP address.[8] Such selective disclosure delays and raises the difficulty of state blocking efforts.
Leverage Existing Anti-Automation Systems
Large online service firms have a sizeable commercial incentive to prevent automated use of their systems. Linking access to a censorship circumvention tool to access to an account with such a firm provides free protection against automated state attempts to discover and block network resources. Tor does just this with its email-based selective disclosure: only Gmail and Yahoo! Mail users receive bridge addresses.[9]
Trusted Groups
Anecdotes suggest it is not uncommon for individuals in censoring countries to rely on relatives and friends overseas to host private circumvention tools.[10] This approach should be fostered, though recognizing it does not scale.
As of yet, there is no silver bullet for the rendezvous problem. All of the solutions above merit pursuing, and Pharos could make a significant contribution to censorship circumvention by studying and providing technical tools for each. There are also several promising research avenues Pharos could explore:
Reputation-based Selective Disclosure
Conditioning access to network resources on participating in a pseudonymous reputation and traitor tracing system could aid in guarding against state censors. Preventing determined states from registering and abusing large numbers of seemingly legitimate accounts would be a challenge.
In-Country Rendezvous
Current approaches to the rendezvous problem essentially turn on whether circumvention tool providers can provision uncensored resources faster than a state can block them. One possible exit from this arms race is adding an extra in-country step to the rendezvous problem. A sketch: a tech-savvy individual in a censoring country would negotiate a stable network path past the country’s censorship, then anonymously route traffic on that path without disclosing it. Substantial research would be required to validate and scale this approach.
Usability
Both anecdotal experience from recent Internet crackdowns[11] and longitudinal back-of-the-envelope calculations[12] strongly suggest web and HTTP proxies are the predominant tools for censorship circumvention. This should come as no surprise: using a web or HTTP proxy is straightforward for the lay user, and hosting a web proxy is trivial for even a novice IT aficionado. Dedicated censorship tools require both users and volunteers learn of, locate, and install niche software.
If ease of use and ease of hosting are fundamental constraints for a popular censorship circumvention tool, there remains much room for improvement. Establishing PPTP VPN’s as the de facto censorship circumvention standard would enable applications other than the web and encrypt traffic within the censoring country–preventing snooping and content-based filtering.
Performance
The performance of non-commercial censorship circumvention systems is notoriously terrible.[13] Not much can be done for volunteered one-off proxies, which quickly become oversaturated. For dedicated censorship circumvention technologies, technical improvements[14] and increased funding[15] and incentives[16] for network resources are essential.
Asynchronous Communication
Nearly all work on Internet censorship circumvention is focused on providing unfiltered Internet access. Given the importance of ensuring human rights media is published, the time may be ripe for reviving asynchronous communication: a secure sneakernet for exfiltrating human rights media. Here’s a sketch of how the system might work:
- An individual records media pertaining to human rights and decides to publish it.
- The person locates a copy of Pharos’ sneakernet software. In the interest of usability and security (see below), the software could be a web app contained in a single HTML file. (Recent web standard[17] and encryption library[18] developments make browser-based file encryption possible.)
- Pharos’ software saves a padded[19] and encrypted copy of the media.
- The person distributes the encrypted file and web app to trusted friends and relatives.
- Friends and relatives launch the web app, which attempts to upload the encrypted file to Pharos and updates its timestamp.[20]
- If an upload is unsuccessful the user is prompted to pass the file on further.
- Eventually the file reaches Pharos, which decrypts and publishes it.
The sneakernet would not only provide circumvention, but also anonymity (a human Tor of sorts) and deniability (since the file’s encrypted).
Network Trust
Save commercial censorship circumvention tools, none protect against a malicious volunteer tapping or tampering with user traffic. This is far from a theoretical concern: in multiple public episodes sensitive information has leaked from anonymization or circumvention tools.
There are several steps Pharos could take to alleviate the trust problem. First, it could pre-emptively vet volunteers in circumvention tools. If a volunteer appears to be an agent of a censoring government, for example, Pharos could report them for exclusion. Second, Pharos could attempt to detect man-in-the-middle attacks with a variety of honeypots. In the event a government is repeatedly interfering with user traffic, Pharos could recommend against using circumvention resources located in that country. Third, Pharos could strongly advocate for encrypted circumvention solutions, especially when traffic will make multiple hops. The overhead is low, and encryption protects users against deep packet inspection-based filtering and other intermediate man-in-the-middle-attacks. Finally, Pharos could encourage or host centralized, secure last-hop proxies[21] so users do not have to be concerned about a last-hop man-in-the-middle.
Software Verification
Malware infection, whether by state or private actors, poses a significant privacy and security threat to executable circumvention tools.[22] Worms are a particular concern: circumvention tools are often passed among social groups, coming into contact with many computers. While the basic cryptography for authenticating software is straightforward, user-friendly tools are scarce. Worse, the tools themselves are executables—reintroducing all the same risks.
Pharos could break the circular dependency of untrusted executables authenticating untrusted executables by developing a web app for verification. With nothing more than a modern browser and a single HTML file, a user could ensure the software they’ve received is authentic.[23]
Education and Distribution
Owing to limited budgets and political considerations, several major censorship circumvention efforts have refrained from widely advertising themselves in countries imposing Internet censorship. Prominent NGO’s have to some measure filled the education and distribution void, but in most cases this has not been a priority.[24]
Pharos could establish itself as the reliable, authoritative source for censorship circumvention information and software. And since Pharos is by design isolated from many of the political pressures imposed on other entities in the space, it would be in an extraordinary position for promoting censorship circumvention. For example, Pharos could place ads for censorship circumvention software on local ad networks without much fear of reprisal.
Media Sanitization
Having received human rights media, Pharos would have three primary sanitizing responsibilities. First, to protect the sender’s identity, Pharos would clear all network logs related to the upload.[25] Second, to protect the media recorder’s identity, Pharos would scrub metadata from the media to prevent identifying the sender. A variety of free, consumer, and professional media editing tools provide straightforward access to metadata or means of re-encoding media to erase metadata.[26] Third, Pharos would blur faces as necessary for the safety of individuals depicted in the media. Many of the same media editing tools also include this functionality.[27] To faster process uploads Pharos could employ well-known techniques for automated face recognition.[28]
Media Distribution
The major social media platforms all support automated content management.[29] With some up-front engineering Pharos could trivially push new media to all the top platforms and monitor whether it has been removed.
References
- ↑ E.g., Roger Dingledine, Ten Things to Look for in a Circumvention Tool (2010), available at https://www.torproject.org/press/presskit/2010-09-16-circumvention-features.pdf; Peter Eckersley, Surveillance Self-Defense International (2009), available at https://www.eff.org/files/eff-surveillance-self-defense.pdf; Global Internet Freedom Consortium, New Technologies Battle and Defeat Internet Censorship (2007), available at http://www.internetfreedom.org/files/WhitePaper/TechnologiesBattleAndDefeatInternetCensorship70920.pdf; Hal Roberts et al., 2010 Circumvention Tool Usage Report (2010), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf; Hal Roberts et al., 2007 Circumvention Landscape: Methods, Uses, and Tools (2009), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2007_Circumvention_Landscape.pdf; Sesawe, http://www.sesawe.net/ (last visited Feb. 5, 2011).
- ↑ For example, the aptly-named Hide My Ass! list of HTTP, HTTPS, and SOCKS proxies. Free Proxy Lists, Hide My Ass!, http://hidemyass.com/proxy-list/ (last visited Feb. 5, 2011).
- ↑ E.g., Roger Dingledine et al., Tor: The Second-Generation Onion Router (2004), available at https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf.
- ↑ Ryan Dube, 4 Sites That Will Send New Proxy Server Lists to Your Email, MakeUseOf, http://www.makeuseof.com/tag/4-services-that-will-send-fresh-proxy-lists-to-your-email/ (last visited Feb. 5, 2011).
- ↑ E.g., Andrew LaVallee, Web Users in Iran Reach Overseas for Proxies, The Wall Street Journal Digits Blog (June 15, 2009 5:43PM), http://blogs.wsj.com/digits/2009/06/15/web-users-in-iran-reach-overseas-for-proxies/.
- ↑ For example, in late 2009 the Chinese government blocked all public Tor resources. Tor Partially Blocked in China, The Tor Project (Sept. 27, 2009), https://blog.torproject.org/blog/tor-partially-blocked-china.
- ↑ E.g., Threat Model: Harvesting, I2P, http://www.i2p2.de/how_threatmodel.html#harvesting (last visited Feb. 5, 2011).
- ↑ Roger Dingledine, Tor and Censorship: Lessons Learned (2009), available at http://freehaven.net/~arma/slides-26c3.pdf.
- ↑ Roger Dingledine & Nick Mathewson, Design of a Blocking-Resistant Anonymity System (2007), available at http://www.freehaven.net/~arma/slides-23c3.pdf.
- ↑ Id.
- ↑ E.g., Austin Heap, How to Setup a Proxy for Iran Citizens (June 15, 2009), http://blog.austinheap.com/how-to-setup-a-proxy-for-iran-citizens/.
- ↑ Hal Roberts et al., 2010 Circumvention Tool Usage Report 7-8 (2010), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf.
- ↑ See Hal Roberts et al., 2007 Circumvention Landscape: Methods, Uses, and Tools (2009), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2007_Circumvention_Landscape.pdf.
- ↑ E.g., Roger Dingledine & Steven J. Murdoch, Performance Improvements on Tor or, Why Tor is Slow and What We're Going to Do About It (2009), available at http://www.torproject.org/press/presskit/2009-03-11-performance.pdf.
- ↑ The FY 2010 State Department appropriations act allocated nearly $30M for "Internet Freedom" grantmaking. Joint Request for Statements of Interest: Internet Freedom Programs, United States Department of State, http://www.state.gov/g/drl/p/127829.htm (last visited Feb. 5, 2011). Pharos could play a role in encouraging similar federal efforts in future.
- ↑ E.g., Tsuen-Wan Ngan et al., Building Incentives into Tor, Proc. Fin. Cryptography (2010), available at http://freehaven.net/anonbib/papers/incentives-fc10.pdf; Elli Androulaki et al., PAR: Payment for Anonymous Routing, Proc. Eighth Int'l Symp. on Privacy Enhancing Tech. (2008), available at http://www.cs.gmu.edu/~astavrou/research/Par_PET_2008.pdf.
- ↑ File API, The World Wide Web Consortium (W3C), http://dev.w3.org/2006/webapi/FileAPI/ (last visited Feb. 5, 2011).
- ↑ Stanford Javascript Crypto Library, http://crypto.stanford.edu/sjcl/ (last visited Feb. 5, 2011).
- ↑ Padding prevents identification of an encrypted file simply by inspecting its size.
- ↑ If the file's timestamp were not adjusted, an adversary with the original might be able to identify the encrypted file by simply comparing timestamps.
- ↑ The Psiphon censorship circumvention system uses a trusted last-hop design. Psiphon, Psiphon Design Overview 1.1 (2010), available at http://psiphon.ca/wp-content/uploads/Psiphon_Design_Overview_1_1.pdf.
- ↑ In 2007, for example, the Storm Worm began masquerading as Tor. Ian Whiteside, sTORm worm, F-Secure Blog (Sept. 6, 2007 7:02PM)
- ↑ See supra notes 17 and 18 and accompanying text.
- ↑ For example, Reporters Without Borders has established a small censorship circumvention training center in Paris. Press Release, Reporters Without Borders, Reporters Without Borders Unveils First-Ever "Anti-Censorship Shelter" (June 25, 2010), available at http://en.rsf.org/reporters-without-borders-unveils-25-06-2010,37809.html.
- ↑ The Electronic Frontier Foundation maintains a set of best practices for protecting user privacy. Electronic Frontier Foundation, Best Practices for Online Service Providers (2008), available at https://www.eff.org/files/eff-ospbp-whitepaper.pdf.
- ↑ Apple Final Cut Pro, Adobe Premiere Pro, Apple iMovie, Avid Media Composer, and OpenShot are but a few popular examples. See Wikipedia:Non-linear_editing_system.
- ↑ See supra note 26.
- ↑ The popular OpenCV image processing library, for example, comes with a pre-trained implementation of the Viola-Jones face detection algorithm. Face Detection with OpenCV, OpenCV Wiki (2011), http://opencv.willowgarage.com/wiki/FaceDetection.
- ↑ For example, YouTube, Facebook, and Flickr.