Pharos - Technical Capabilities

From Identifying Difficult Problems in Cyberlaw
Revision as of 21:46, 5 February 2011 by Np

Pharos will require three core technical capabilities: navigating media through state-imposed Internet censorship, sanitizing media for safe publication, and widely distributing media online. The following sections detail each capability.

Censorship Circumvention

A number of authors have reviewed existing Internet censorship techniques[1] and circumvention technologies.[2] This section crystallizes recent critiques into a series of high-level challenges for circumvention tools, reviewing how existing tools respond to each and proposing improvements that Pharos could undertake. The section closes with a sketch of a complementary asynchronous system for exfiltrating media from behind Internet censorship.

Rendezvous

To a rough approximation, censorship circumvention tools all follow the same template: connect the censored user to an uncensored intermediary who relays the user’s network traffic. For the model to function, the user must be able to access an uncensored intermediary—no small feat when a state actor is intent on cutting off such access. A number of strategies have been deployed in response to this “rendezvous” problem.

Central Directory

Whether a website,[3] directory protocol,[4] mailing list,[5] or Twitter hashtag,[6] most censorship circumvention resources are distributed through a centralized mechanism. This approach is simple for users and volunteers, but it is also easy to block—a censoring state need only deny access to the directory and the resources it lists.[7]

Distributed Directory

Several circumvention systems, including I2P, employ a distributed hash table to locate network resources. This approach avoids outright blocking of the directory, but because any participant can query the table, a state could still harvest and block a sizeable proportion of network resources with modest effort.[8]

Selective Disclosure

Some censorship circumvention tools have incorporated mechanisms that selectively disclose network resources to users. Tor, for example, hands out its unlisted entry points ("bridges") a few at a time, keyed to the requester's IP address range and the time of the request, so repeated requests from one network within one period yield the same small answer.[9] Giving each user only a partial view of the circumvention system delays and raises the difficulty of state blocking efforts.

Leverage Existing Anti-Automation Systems

Large online service firms have a sizeable commercial incentive to prevent automated use of their systems. Linking access to a censorship circumvention tool to access to an account with a major online service provides free protection against automated state attempts to discover and block circumvention resources. Tor does just this with its email-based selective disclosure: it will only correspond with Gmail and Yahoo! Mail users.[10]

Trusted Groups

It is not uncommon for individuals in censoring countries to rely on relatives and friends abroad to host private circumvention tools.[11] This approach should be fostered, albeit with the recognition that it does not scale.

As of yet, there is no silver bullet for the rendezvous problem. All of the solutions above merit pursuing, and Pharos could make a significant contribution to censorship circumvention by studying and providing technical tools for each. There are also several promising research avenues Pharos could explore:

Reputation-based Selective Disclosure

Conditioning access to circumvention resources on participation in a pseudonymous user reputation and traitor tracing[12] system could aid in guarding against state censors. Preventing determined states from registering and abusing large numbers of seemingly-legitimate accounts would be a challenge.

In-Country Rendezvous

Current approaches to the rendezvous problem essentially turn on whether circumvention tool providers can provision circumvention resources at a scope and pace beyond what a state can block. One possible exit from this arms race is adding an extra in-country step to the rendezvous problem. Here's how it might work: a tech-savvy individual in a censoring country would negotiate a stable network path past the country’s censorship, then route traffic on that path without disclosing either the path or her identity.[13] Substantial research would be required to validate and scale this approach.

Usability

Both longitudinal back-of-the-envelope calculations[14] and experience from recent Internet crackdowns[15] indicate that web and HTTP proxies are the predominant tools for censorship circumvention. This should come as no surprise: using a web or HTTP proxy is straightforward for the lay user, and hosting either is trivial for even a novice IT aficionado. Dedicated censorship tools require that both users and volunteers learn of, locate, install, and update niche software.

If ease of use and ease of hosting are fundamental constraints for a popular censorship circumvention tool, there remains much room for improvement. Establishing PPTP VPNs as the de facto censorship circumvention standard would enable applications other than the web and encrypt traffic within the censoring country, defeating content-based filtering and casual snooping. One caveat: PPTP's usual authentication, MS-CHAPv2, has well-documented cryptographic weaknesses, so the gain here is the ubiquity of built-in client support, not confidentiality against a capable state adversary.

Performance

The performance of non-commercial censorship circumvention systems is notoriously terrible.[16] Not much can be done for volunteered one-off proxies, which quickly become oversaturated. For dedicated censorship circumvention technologies, technology improvements,[17] increased funding,[18] and incentives for volunteering network resources[19] are essential.

Network Trust

Wholly volunteer-based censorship circumvention tools cannot protect against a malicious volunteer tapping or tampering with user traffic.[20] This is far from a theoretical concern: sensitive information has leaked from anonymization or circumvention tools on numerous occasions.[21]

There are several steps Pharos could take to alleviate the trust problem. First, it could pre-emptively vet circumvention resource volunteers. If a volunteer appears to be an agent of a censoring government, for example, Pharos could report them for exclusion. Second, Pharos could attempt to detect man-in-the-middle attacks with a variety of honeypots. In the event a government is repeatedly interfering with user traffic, Pharos could recommend against using circumvention resources located in that country. Third, Pharos could strongly advocate for encrypted circumvention solutions, especially when traffic will make multiple hops. The performance penalty is slight, and encryption protects users against content-based filtering and other intermediate man-in-the-middle attacks. Finally, Pharos could encourage or host centralized, secure last-hop proxies[22] so users do not have to be concerned about a last-hop man-in-the-middle.

Software Verification

Malware infection, by state or private actors, poses a significant privacy and security threat to users of executable circumvention tools.[23] Worms are a particular concern: circumvention tools are often passed hand to hand among social groups, coming into contact with many computers. While the basic cryptography for authenticating software is straightforward, user-friendly tools are scarce. Worse, software verification tools are themselves executables, reintroducing all the same risks.

Pharos could break the circular dependency of untrusted executables authenticating untrusted executables by developing a web app for verification. With nothing more than a modern browser and a single HTML file, a user could ensure the software they have received is authentic.[24] The verifier does not eliminate trust so much as shrink it: the HTML file, and the publisher key pinned inside it, must still be obtained from a trustworthy source, and the browser itself is trusted; but the user is no longer asked to run a fresh, unverifiable binary in order to verify another one.

Education and Distribution

Owing to limited budgets and political considerations, several major censorship circumvention efforts have refrained from widely advertising themselves in countries imposing Internet censorship. Prominent NGOs have to some measure filled the education and distribution void, but in most cases this has not been a priority.[25]

Pharos could establish itself as the reliable, authoritative source for censorship circumvention information and software. And since Pharos is by design isolated from many of the political pressures imposed on other entities in the space, it would be in an extraordinary position for promoting censorship circumvention. For example, Pharos could place ads for censorship circumvention software on local ad networks without much fear of reprisal.

Asynchronous Communication

Nearly all work on Internet censorship circumvention is focused on providing unfiltered Internet access. Given the importance of ensuring human rights media is published, the time may be ripe for reviving asynchronous communication: a secure sneakernet for exfiltrating human rights media. Here’s a sketch of how the system might work:

  • An individual records media pertaining to human rights and decides to publish it.
  • The person locates a copy of Pharos' sneakernet software. In the interest of usability and security (see the Usability and Software Verification sections above), the software could be a web app contained in a single HTML file. (Recent web standard[26] and encryption library[27] developments make browser-based file encryption possible.)
  • Pharos’ software saves a padded[28] and encrypted copy of the media.
  • The person distributes the encrypted file and web app to trusted friends and relatives.
  • Friends and relatives launch the web app, which attempts to upload the encrypted file to Pharos and, whether or not the upload succeeds, resets the file's modification time to the present.[29]
  • If an upload is unsuccessful the user is prompted to pass the file on further.
  • Eventually the file reaches Pharos, which decrypts and publishes it.

The sneakernet would provide not only circumvention but also anonymity (a human Tor of sorts) and a measure of deniability, since carriers hold only an encrypted file. That deniability is partial: a carrier cannot read the contents, but possession of an opaque encrypted blob alongside the Pharos web app is itself observable, so both the container and the app should look as unremarkable as possible.

Media Sanitization

Having received human rights media, Pharos would have three primary sanitizing responsibilities. First, to protect the sender's identity, Pharos would purge all network logs related to the upload, or better, configure the upload endpoint not to record client addresses in the first place.[30] Second, to protect the recorder's identity, Pharos would scrub metadata from the media: camera make, model and serial number, GPS coordinates, timestamps, and editing-software tags can each help identify the person who recorded it. A variety of free, consumer, and professional media editing tools provide straightforward access to metadata or means of re-encoding media to erase metadata.[31] Third, Pharos would blur faces as necessary for the safety of individuals depicted in the media. Many of the same media editing tools also include this functionality.[32] To process uploads faster, Pharos could employ well-known techniques for automated face detection[33] to locate candidate faces for a human editor to confirm; detectors miss faces in profile, in shadow, or partly occluded, so automated blurring should not run unattended when someone's safety depends on it.

Media Distribution

The major social media platforms all expose interfaces for automated content management.[34] With some up-front engineering, Pharos could push new media to all the top platforms automatically and poll each one to detect when the media has been removed.

References

  1. E.g., Access Controlled (Ronald Deibert et al. eds., 2010), available at http://www.access-controlled.net/contact/; Access Denied (Ronald Deibert et al. eds., 2008), available at http://opennet.net/accessdenied.
  2. E.g., Roger Dingledine, Ten Things to Look for in a Circumvention Tool (2010), available at https://www.torproject.org/press/presskit/2010-09-16-circumvention-features.pdf; Peter Eckersley, Surveillance Self-Defense International (2009), available at https://www.eff.org/files/eff-surveillance-self-defense.pdf; Global Internet Freedom Consortium, New Technologies Battle and Defeat Internet Censorship (2007), available at http://www.internetfreedom.org/files/WhitePaper/TechnologiesBattleAndDefeatInternetCensorship70920.pdf; Hal Roberts et al., 2010 Circumvention Tool Usage Report (2010), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf; Hal Roberts et al., 2007 Circumvention Landscape: Methods, Uses, and Tools (2009), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2007_Circumvention_Landscape.pdf; Sesawe, http://www.sesawe.net/ (last visited Feb. 5, 2011).
  3. For example, the aptly-named Hide My Ass! list of HTTP, HTTPS, and SOCKS proxies. Free Proxy Lists, Hide My Ass!, http://hidemyass.com/proxy-list/ (last visited Feb. 5, 2011).
  4. E.g., Roger Dingledine et al., Tor: The Second-Generation Onion Router (2004), available at https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf.
  5. Ryan Dube, 4 Sites That Will Send New Proxy Server Lists to Your Email, MakeUseOf, http://www.makeuseof.com/tag/4-services-that-will-send-fresh-proxy-lists-to-your-email/ (last visited Feb. 5, 2011).
  6. E.g., Andrew LaVallee, Web Users in Iran Reach Overseas for Proxies, The Wall Street Journal Digits Blog (June 15, 2009 5:43PM), http://blogs.wsj.com/digits/2009/06/15/web-users-in-iran-reach-overseas-for-proxies/.
  7. For example, in late 2009 the Chinese government blocked all public Tor resources. Tor Partially Blocked in China, The Tor Project (Sept. 27, 2009), https://blog.torproject.org/blog/tor-partially-blocked-china.
  8. See, e.g., Threat Model: Harvesting, I2P, http://www.i2p2.de/how_threatmodel.html#harvesting (last visited Feb. 5, 2011).
  9. Roger Dingledine, Tor and Censorship: Lessons Learned (2009), available at http://freehaven.net/~arma/slides-26c3.pdf. The system is available at https://bridges.torproject.org/.
  10. Roger Dingledine & Nick Mathewson, Design of a Blocking-Resistant Anonymity System (2007), available at http://www.freehaven.net/~arma/slides-23c3.pdf.
  11. Id.
  12. See, e.g., Amos Fiat & Tamir Tassa, Dynamic Traitor Tracing, J. Cryptology (2001), available at http://www.cs.tau.ac.il/~fiat/dyntt.pdf.
  13. For a similar proposal in the usage anonymization context, see Michael K. Reiter & Aviel D. Rubin, Crowds: Anonymity for Web Transactions, ACM Transactions on Info. & Sys. Security (1998), available at http://avirubin.com/crowds.pdf.
  14. Hal Roberts et al., 2010 Circumvention Tool Usage Report 7-8 (2010), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf.
  15. E.g., Austin Heap, How to Setup a Proxy for Iran Citizens (June 15, 2009), http://blog.austinheap.com/how-to-setup-a-proxy-for-iran-citizens/.
  16. See Hal Roberts et al., 2007 Circumvention Landscape: Methods, Uses, and Tools (2009), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2007_Circumvention_Landscape.pdf.
  17. E.g., Roger Dingledine & Steven J. Murdoch, Performance Improvements on Tor or, Why Tor is Slow and What We're Going to Do About It (2009), available at http://www.torproject.org/press/presskit/2009-03-11-performance.pdf.
  18. The FY 2010 State Department appropriations act allocated nearly $30M for "Internet Freedom" grantmaking. Joint Request for Statements of Interest: Internet Freedom Programs, United States Department of State, http://www.state.gov/g/drl/p/127829.htm (last visited Feb. 5, 2011). Pharos could play a role in encouraging similar federal efforts in future.
  19. E.g., Tsuen-Wan Ngan et al., Building Incentives into Tor, Proc. Fin. Cryptography (2010), available at http://freehaven.net/anonbib/papers/incentives-fc10.pdf; Elli Androulaki et al., PAR: Payment for Anonymous Routing, Proc. Eighth Int'l Symp. on Privacy Enhancing Tech. (2008), available at http://www.cs.gmu.edu/~astavrou/research/Par_PET_2008.pdf.
  20. See, e.g., FAQ: Can Exit Nodes Eavesdrop on Communications? Isn't That Bad?, The Tor Project, https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad (last visited Feb. 5, 2011).
  21. In one embarrassing episode, a security researcher monitoring a Tor exit node observed plaintext logins for dozens of foreign embassy workers. Kim Zetter, Rogue Nodes Turn Tor Anonymizer into Eavesdropper's Paradise, Wired, Sept. 10, 2007, available at http://www.wired.com/politics/security/news/2007/09/embassy_hacks.
  22. The Psiphon censorship circumvention system uses a trusted last-hop design. Psiphon, Psiphon Design Overview 1.1 (2010), available at http://psiphon.ca/wp-content/uploads/Psiphon_Design_Overview_1_1.pdf.
  23. In 2007, for example, the Storm Worm began masquerading as Tor. Ian Whiteside, sTORm worm, F-Secure Blog (Sept. 6, 2007 7:02PM)
  24. See infra notes 26 and 27 and accompanying text.
  25. For example, Reporters Without Borders has established a small censorship circumvention training center in Paris. Press Release, Reporters Without Borders, Reporters Without Borders Unveils First-Ever "Anti-Censorship Shelter" (June 25, 2010), available at http://en.rsf.org/reporters-without-borders-unveils-25-06-2010,37809.html.
  26. File API, The World Wide Web Consortium (W3C), http://dev.w3.org/2006/webapi/FileAPI/ (last visited Feb. 5, 2011).
  27. Stanford Javascript Crypto Library, http://crypto.stanford.edu/sjcl/ (last visited Feb. 5, 2011).
  28. Padding prevents identification of an encrypted file simply by inspecting its size.
  29. If the file's timestamp were not adjusted, an adversary with the original might be able to identify the encrypted file by simply comparing timestamps.
  30. The Electronic Frontier Foundation maintains a set of best practices for protecting user privacy. Electronic Frontier Foundation, Best Practices for Online Service Providers (2008), available at https://www.eff.org/files/eff-ospbp-whitepaper.pdf.
  31. Apple Final Cut Pro, Adobe Premiere Pro, Apple iMovie, Avid Media Composer, and OpenShot are but a few popular examples. See Wikipedia:Non-linear_editing_system.
  32. See supra note 31.
  33. The popular OpenCV image processing library, for example, comes with a pre-trained implementation of the Viola-Jones face detection algorithm. Face Detection with OpenCV, OpenCV Wiki (2011), http://opencv.willowgarage.com/wiki/FaceDetection.
  34. For example, YouTube, Facebook, and Flickr.