Pharos - Technical Capabilities
Pharos will require three core technical capabilities: navigating media through state-imposed Internet censorship, sanitizing media for safe publication, and widely distributing media online. The following sections detail each capability.
A number of authors have reviewed existing Internet censorship techniques and circumvention technologies. This section crystallizes recent critiques into a series of high-level challenges for circumvention tools, reviewing how existing tools respond and proposing concrete improvements that Pharos could undertake. The section closes with a proposal for a novel asynchronous system for exfiltrating media from behind Internet censorship.
Promising as many of the improvements discussed below are, sobering context is required: a minute proportion of individuals subject to Internet censorship use circumvention tools. Significant advances in censorship circumvention technology may not translate into much increased usage.
Both longitudinal back-of-the-envelope calculations and experience from recent Internet crackdowns demonstrate that web and HTTP proxies are the predominant tools for censorship circumvention. This should come as no surprise: using a web or HTTP proxy is straightforward for the lay user, and hosting either is trivial for even a novice IT aficionado. Dedicated circumvention tools require both users and volunteers learn of, locate, install, and update niche software.
This status quo is far from desirable. Both web and HTTP proxies are vulnerable to state monitoring and tampering, including content filtering, and neither supports non-web applications. Pharos could have a sizable impact by simplifying the hosting and use of encrypted, transport-level proxies and more sophisticated circumvention tools.
The performance of non-commercial censorship circumvention systems is notoriously terrible. Not much can be done for volunteered one-off proxies, which quickly become oversaturated. For dedicated censorship circumvention systems, technology improvements, increased funding, and incentives for volunteering network resources are essential. Pharos could assist with any of these improvements.
Education and Distribution
Owing to limited budgets and political considerations, several major censorship circumvention efforts have refrained from widely advertising themselves in countries imposing Internet censorship. Prominent NGO’s have to some measure filled the education and distribution void, but in most cases circumvention has not been a priority.
Pharos could establish itself as the reliable, authoritative source for censorship circumvention information and software. And since Pharos is by design isolated from many of the political pressures imposed on other entities in the space, it would be in an extraordinary position for promoting censorship circumvention. For example, Pharos could place ads for censorship circumvention software on local ad networks without much fear of reprisal.
To a first approximation, censorship circumvention tools all follow the same template: connect the censored user to an uncensored intermediary, who relays the user’s network traffic. For the model to function, the user must be able to access an uncensored intermediary—no small feat when a state actor is intent on cutting off such access. A number of ad hoc strategies have been deployed in response to this “rendezvous” problem.
Whether a website, directory protocol, mailing list, or Twitter hashtag, most censorship circumvention resources are distributed through a centralized mechanism. This approach is simple for users and volunteers, but it is also easy to block—a censoring state need only deny access to the directory and the resources it lists.
Several circumvention systems, including I2P, employ a distributed hash table to locate network resources. This approach avoids outright blocking of the directory, but a state could still easily discover and block a significant proportion of the circumvention network.
Some censorship circumvention tools have incorporated mechanisms that selectively disclose network resources to users. Tor, for example, doles out network access points by time and user IP address. Giving each user only a partial view of the circumvention system delays and raises the difficulty of state blocking efforts.
Leverage Existing Anti-Automation Systems
Large online services have a sizeable commercial incentive to prevent automated use of their systems. Linking access to a censorship circumvention tool to access to an account with a major online service provides free protection against automated state attempts to discover and block circumvention resources. Tor does just this with its email-based rendezvous: it will only correspond with Gmail and Yahoo! Mail users.
It is not uncommon for individuals in censoring countries to rely on relatives and friends abroad to host private circumvention tools. This approach should be fostered, albeit with the recognition that it does not scale.
As of yet, there is no silver bullet for the rendezvous problem. All of the solutions above merit pursuing, and Pharos could make a substantial contribution to censorship circumvention by studying and providing technical tools for each. There are also several promising research avenues Pharos could explore:
Reputation-based Selective Disclosure
Conditioning access to circumvention resources on participation in a pseudonymous user reputation and traitor tracing system could aid in guarding against state censors. Preventing determined states from registering and abusing large numbers of seemingly-legitimate accounts would be a challenge.
Current approaches to the rendezvous problem essentially turn on whether circumvention tool providers can provision resources at a scope and pace beyond what a state can block. One possible exit from this arms race is adding an extra in-country step to the rendezvous problem. Here's how it might work: a tech-savvy individual in a censoring country negotiates a stable network path past the country’s censorship, then routes traffic on that path without disclosing either the path or her identity. Substantial research would be required to validate and scale this approach.
Wholly volunteer-based censorship circumvention tools cannot protect against a malicious volunteer tapping or tampering with user traffic. This is far from a theoretical concern: sensitive information has leaked from anonymization and circumvention tools on numerous occasions.
There are several steps Pharos could take to alleviate the trust problem. First, it could preemptively vet circumvention resource volunteers. If a volunteer appears to be an agent of a censoring government or otherwise untrustworthy, Pharos could report them for exclusion. Second, Pharos could attempt to detect man-in-the-middle attacks with a variety of honeypots. In the event a government is repeatedly interfering with user traffic, Pharos could recommend against using circumvention resources located in that country. Third, Pharos could strongly advocate for encrypted circumvention solutions, especially when traffic will take multiple hops. The performance penalty is slight, and encryption protects users against content-based filtering and other intermediate man-in-the-middle attacks. Finally, Pharos could encourage or host centralized, trusted last-hop proxies so users do not have to be concerned about a last-hop man-in-the-middle.
Malware infection, by state or private actors, poses a significant privacy and security threat to executable circumvention tools. Worms are a particular concern: circumvention tools are often passed among social groups, coming into contact with many computers. While the basic cryptography for authenticating software is straightforward, user-friendly tools are scarce. Worse, software verification tools are themselves executables—reintroducing all the same risks.
Pharos could break the circular dependency of untrusted executables authenticating untrusted executables by developing a web app for verification; recent web standard and encryption library developments make browser-based file authentication possible. With nothing more than a modern browser and a single HTML file, a user could ensure the software they’ve received is authentic.
Nearly all work on Internet censorship circumvention is focused on providing unfiltered Internet access. Given the importance of ensuring human rights media is published, the time may be ripe for reviving asynchronous communication—a secure sneakernet for exfiltrating human rights media. Here’s a sketch of how the system might work:
- An individual records media pertaining to human rights and decides to publish it.
- The person locates a copy of Pharos’ sneakernet software. In the interest of usability and security, the software could be a web app contained in a single HTML file.
- Pharos’ software saves a padded and encrypted copy of the media.
- The person distributes the encrypted file and web app to trusted friends and relatives.
- Friends and relatives launch the web app, which attempts to upload the encrypted file to Pharos and updates its timestamp.
- If an upload is unsuccessful the user is prompted to pass the file on further.
- Eventually the file reaches Pharos, which decrypts and publishes it.
The sneakernet would not only provide circumvention, but also anonymity (through indirection) and deniability (through encryption).
Having received human rights media, Pharos would have three primary sanitizing responsibilities. First, to protect the sender’s identity, Pharos would clear all logs related to the upload. Second, to protect the recorder’s identity, Pharos would scrub metadata from the media. A variety of free, consumer, and professional media editing tools provide either access to metadata or means of re-encoding media to erase metadata. Third, Pharos would blur faces as necessary for the safety of individuals depicted in the media. Many of the same media editing tools also include this functionality. To faster publish uploads Pharos could automate the sanitization process.
The major social media platforms all support automated content management. With modest engineering Pharos could trivially push new media to all the top platforms and monitor whether it has been removed. As for its own site, Pharos could deploy it on a cloud computing platform, such as Amazon Web Services, to minimize costs and provide DDoS resiliency.
- E.g., Access Controlled (Ronald Deibert et al. eds., 2010), available at http://www.access-controlled.net/contact/; Access Denied (Ronald Deibert et al. eds., 2008), available at http://opennet.net/accessdenied.
- E.g., Roger Dingledine, Ten Things to Look for in a Circumvention Tool (2010), available at https://www.torproject.org/press/presskit/2010-09-16-circumvention-features.pdf; Peter Eckersley, Surveillance Self-Defense International (2009), available at https://www.eff.org/files/eff-surveillance-self-defense.pdf; Global Internet Freedom Consortium, New Technologies Battle and Defeat Internet Censorship (2007), available at http://www.internetfreedom.org/files/WhitePaper/TechnologiesBattleAndDefeatInternetCensorship70920.pdf; Hal Roberts et al., 2010 Circumvention Tool Usage Report (2010), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf; Hal Roberts et al., 2007 Circumvention Landscape: Methods, Uses, and Tools (2009), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2007_Circumvention_Landscape.pdf; Sesawe, http://www.sesawe.net/ (last visited Feb. 5, 2011).
- Hal Roberts et al., 2010 Circumvention Tool Usage Report 12-13 (2010), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf.
- Id. at 7-8.
- E.g., James Cowie, The Proxy Fight for Iranian Democracy, Renesys Blog (June 22, 2009, 6:30 AM), http://www.renesys.com/blog/2009/06/the-proxy-fight-for-iranian-de.shtml; Austin Heap, How to Setup a Proxy for Iran Citizens, austinheap (June 15, 2009), http://blog.austinheap.com/how-to-setup-a-proxy-for-iran-citizens/.
- Establishing PPTP VPN’s as the de facto censorship circumvention standard would be one avenue. PPTP is far from ideal—but it has shipped with Windows for over a decade, and with modest effort the pptpd server could be made much easier to host as a circumvention tool.
- See Hal Roberts et al., 2007 Circumvention Landscape: Methods, Uses, and Tools (2009), available at http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2007_Circumvention_Landscape.pdf.
- E.g., Roger Dingledine & Steven J. Murdoch, Performance Improvements on Tor or, Why Tor is Slow and What We're Going to Do About It (2009), available at http://www.torproject.org/press/presskit/2009-03-11-performance.pdf.
- The FY 2010 State Department appropriations act allocated nearly $30M for "Internet Freedom" grantmaking. Joint Request for Statements of Interest: Internet Freedom Programs, United States Department of State, http://www.state.gov/g/drl/p/127829.htm (last visited Feb. 5, 2011). Pharos could play a role in encouraging similar federal efforts in future.
- E.g., Tsuen-Wan Ngan et al., Building Incentives into Tor, Proc. Fin. Cryptography (2010), available at http://freehaven.net/anonbib/papers/incentives-fc10.pdf; Elli Androulaki et al., PAR: Payment for Anonymous Routing, Proc. Eighth Int'l Symp. on Privacy Enhancing Tech. (2008), available at http://www.cs.gmu.edu/~astavrou/research/Par_PET_2008.pdf.
- For example, Reporters Without Borders has established a small censorship circumvention training center in Paris. Press Release, Reporters Without Borders, Reporters Without Borders Unveils First-Ever "Anti-Censorship Shelter" (June 25, 2010), available at http://en.rsf.org/reporters-without-borders-unveils-25-06-2010,37809.html.
- For example, the aptly-named Hide My Ass! list of HTTP, HTTPS, and SOCKS proxies. Free Proxy Lists, Hide My Ass!, http://hidemyass.com/proxy-list/ (last visited Feb. 5, 2011).
- E.g., Roger Dingledine et al., Tor: The Second-Generation Onion Router, Proc. 13th USENIX Security Symp. (2004), available at https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf.
- Ryan Dube, 4 Sites That Will Send New Proxy Server Lists to Your Email, MakeUseOf (Feb. 4, 2010), http://www.makeuseof.com/tag/4-services-that-will-send-fresh-proxy-lists-to-your-email/.
- E.g., Andrew LaVallee, Web Users in Iran Reach Overseas for Proxies, The Wall Street Journal Digits Blog (June 15, 2009 5:43PM), http://blogs.wsj.com/digits/2009/06/15/web-users-in-iran-reach-overseas-for-proxies/.
- For example, in late 2009 the Chinese government blocked all public Tor resources. Tor Partially Blocked in China, The Tor Project (Sept. 27, 2009), https://blog.torproject.org/blog/tor-partially-blocked-china.
- See, e.g., Threat Model: Harvesting, I2P, http://www.i2p2.de/how_threatmodel.html#harvesting (last visited Feb. 5, 2011).
- Roger Dingledine, Tor and Censorship: Lessons Learned (2009), available at http://freehaven.net/~arma/slides-26c3.pdf. The system is available at https://bridges.torproject.org/.
- Roger Dingledine & Nick Mathewson, Design of a Blocking-Resistant Anonymity System (2007), available at http://www.freehaven.net/~arma/slides-23c3.pdf.
- See, e.g., Amos Fiat & Tamir Tassa, Dynamic Traitor Tracing, J. Cryptology (2001), available at http://www.cs.tau.ac.il/~fiat/dyntt.pdf.
- For a similar proposal in the usage anonymization context, see Michael K. Reiter & Aviel D. Rubin, Crowds: Anonymity for Web Transactions, ACM Transactions on Info. & Sys. Security (1998), available at http://avirubin.com/crowds.pdf.
- See, e.g., FAQ: Can Exit Nodes Eavesdrop on Communications? Isn't That Bad?, The Tor Project, https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad (last visited Feb. 5, 2011).
- In one embarrassing episode, a security researcher monitoring a Tor exit node observed plaintext logins for dozens of foreign embassy workers. Kim Zetter, Rogue Nodes Turn Tor Anonymizer into Eavesdropper's Paradise, Wired, Sept. 10, 2007, available at http://www.wired.com/politics/security/news/2007/09/embassy_hacks.
- The Psiphon censorship circumvention system uses a trusted last-hop design. Psiphon, Psiphon Design Overview 1.1 (2010), available at http://psiphon.ca/wp-content/uploads/Psiphon_Design_Overview_1_1.pdf.
- In 2007, for example, the Storm Worm began masquerading as Tor. Ian Whiteside, sTORm worm, F-Secure Blog (Sept. 6, 2007 7:02PM), http://www.f-secure.com/weblog/archives/00001272.html.
- File API, The World Wide Web Consortium (W3C), http://dev.w3.org/2006/webapi/FileAPI/ (last visited Feb. 5, 2011).
- See supra notes 27 and 28 and accompanying text.
- Padding prevents identification of an encrypted file simply by inspecting its size.
- If the file's timestamp were not adjusted, an adversary with the original might be able to identify the encrypted file by simply comparing timestamps.
- The Electronic Frontier Foundation maintains a set of best practices for protecting user privacy. Electronic Frontier Foundation, Best Practices for Online Service Providers (2008), available at https://www.eff.org/files/eff-ospbp-whitepaper.pdf.
- Apple Final Cut Pro, Adobe Premiere Pro, Apple iMovie, Avid Media Composer, and OpenShot are but a few popular examples. See Wikipedia:Non-linear_editing_system.
- See supra note 33.
- To automate face blurring, Pharos could use a face detection algorithm. The popular OpenCV image processing library, for example, comes with a pre-trained implementation of the Viola-Jones face detection algorithm. Face Detection with OpenCV, OpenCV Wiki (2011), http://opencv.willowgarage.com/wiki/FaceDetection.
- For example, YouTube, Facebook, and Flickr.