State of the arms race between repressive governments and anti-censorship/surveillance Tor technology (and why American companies are on the repressive governments' side)

Last night's Chaos Computer Congress (28C3) presentation from Jacob Applebaum and Roger Dingledine on the state of the arms race between the Tor anti-censorship/surveillance technology and the world's repressive governments was by turns depressing and inspiring. Dingledine and Applebaum have unique insights into the workings of the technocrats in Iranian, Chinese, Tunisian, Syrian and other repressive states, and the relationship between censorship and other human rights abuses (for example, when other privacy technologies failed, governments sometimes discovered who was discussing revolution and used that as the basis for torture and murder).

Two thirds of the way through the talk, they broaden the context to talk about the role of American companies in the war waged against privacy and free speech -- SmartFilter (now an Intel subsidiary, and a company that has a long history of censoring Boing Boing) is providing support for Iran's censorship efforts, for example. They talked about how Blue Coat and Cisco produce tools that aren't just used to censor, but to spy (all censorware also acts as surveillance technology) and how the spying directly leads to murder and rape and torture.

Then, they talked about the relationship between corporate networks and human rights abuses. Iran, China, and Syria, they say, lack the resources to run their own censorship and surveillance R&D projects, and on their own, they don't present enough of a market to prompt Cisco to spend millions to develop such a thing. But when a big company like Boeing decides to pay Cisco millions and millions of dollars to develop censorware to help it spy on its employees, the world's repressive governments get their R&D subsidized, and Cisco gets a product it can sell to them.

They concluded by talking about how Western governments' insistence on "lawful interception" back-doors in network equipment means that all the off-the-shelf network gear is readymade for spying, so, again, the Syrian secret police and the Iranian telcoms spies don't need to order custom technology that lets them spy on their people, because an American law, CALEA, made it mandatory that this technology be included in all the gear sold in the USA.

If you care at all about the future of free speech, democracy, and privacy, this is an absolute must-see presentation.

Iran blocked Tor handshakes using Deep Packet Inspection (DPI) in January 2011 and September 2011. Bluecoat tested out a Tor handshake filter in Syria in June 2011. China has been harvesting and blocking IP addresses for both public Tor relays and private Tor bridges for years.

Roger Dingledine and Jacob Appelbaum will talk about how exactly these governments are doing the blocking, both in terms of what signatures they filter in Tor (and how we've gotten around the blocking in each case), and what technologies they use to deploy the filters -- including the use of Western technology to operate the surveillance and censorship infrastructure in Tunisia (Smartfilter), Syria (Bluecoat), and other countries. We'll cover what we've learned about the mindset of the censor operators (who in many cases don't want to block Tor because they use it!), and how we can measure and track the wide-scale censorship in these countries. Last, we'll explain Tor's development plans to get ahead of the address harvesting and handshake DPI arms races.

How governments have tried to block Tor


    1. I’m certainly aware of that – should we stop our work? I don’t think so. We must not turn a blind eye to these crimes against humanity nor to the machines that enable those very crimes.

  1. “Western governments’ insistence on “lawful interception” back-doors in network equipment means that all the off-the-shelf network gear is readymade for spying”

    That may be but policing and enforcement are proper functions of the government. A state’s ability to intercept unlawful activity is not the problem. It not being accountable to and fairly representative of the people is. What places like China, Iran and Syria need is more democracy. States have the duty and right to enforce the law and to do that they need to be able to monitor illegal activity.

    It’s not the routers in China and Iran that need to be changed, it’s their governments.

    1. The routers need changed too, because the temptation to use those backdoors will always be there and it’s not really democracy if the people have to live with the assumption the government is spying on them.

      Claiming it’s necessary to catch bad guys is not justification enough, because innocent people have rights that need to be respected.

      1. “routers need changed too, because the temptation to use those backdoors will always be there”

        The government *should* be able to regulate illegal activity. The alternative is anarchy (no government) which, contrary to it’s advocates, is undesirable. I think it is a false choice to say that I have to choose between no government at all and repressive ones.

        The argument that governments should not have the ability to monitor and intercept illegal activity because innocent people’s rights must be respected is false because they are not mutually exclusive. Law enforcement in democratic states can do both and they have a history of respecting individual rights while simultaneously going after law breakers. That totalitarian states choose not to is not an argument against the tools they use, it’s an argument against those governments.

        1. “More democracy” isn’t the answer; look how well that’s worked out for the USA.  Law enforcement in democratic states also has a history of breaking individual rights and pursuing innocent people in the name of witch hunts.

          I think the answer you’re actually looking for is “more transparency and accountability”, which makes for better leaders no matter which political philosophy they adhere to.

          The mere presence of known back-doors into network equipment (and OSes) is a temptation that the sort of people who abuse their power cannot resist.  Does this mean that those doors shouldn’t exist?  Maybe.  Maybe not.  If they’re going to exist, however, they need to be locked and only able to be opened by the manufacturer, and even then only after a formal request is made by the LEO/government of the land.

          1. “”More democracy” isn’t the answer” — I’m pretty sure it is and the problems we have in the US are attributable to us having *less* democracy by virtue of wealthy individuals and powerful corporations distorting democracy to their benefit.

            That’s what the Occupy movement (and even the Tea Party somewhat) is all about; demanding more democracy and denying the special privileges that wealth and power have accumulated for themselves.

            “Law enforcement in democratic states also has a history of breaking individual rights” — Those are isolated incidents that are not typical of the whole. On the whole and in the long run free democratic states respect individual rights far more than authoritarian states. If they fail to there is a means of removing the administration where in non-democratic states there is no such mechanism.

            “I think the answer you’re actually looking for is “more transparency and accountability”” —- Well yes, being held accountable is what defines a democracy. Accountability is not separate from democracy. It is what it *is*.

            “The mere presence of known back-doors into network equipment (and OSes)
            is a temptation that the sort of people who abuse their power cannot
            resist.”  —  But the solution to those who abuse their power is not to remove the means or tools at their disposal. It’s to remove them by giving the people the power to hold their representatives to account.

            We don’t eliminate prisons because despotic regimes abuse them by jailing their political enemies. We remove the regime, keep the jails and use the power to imprison people justly and fairly and through due process.

        2. You’re not wrong, but I have serious problems with any government being able to snoop on a citizen with a button press. Without a system of oversight or full disclosure, the government should not have the privilege to access whatever they want, whenever they want. 

          Mandating mechanisms to enable surveillance under the premise of eliminating crime (or the current catchphrase, national security) isn’t good enough on its own. There has to be a way for the people to monitor the monitors, and there isn’t a single government on the planet enabling it.

          1. “the government should not have the privilege to access whatever they want, whenever they want.”

            They don’t. In the US there is a special court the government must go through before it can spy on a citizen. I think the gov. should have the ability to do that if they have reason to suspect that person is involved in illegal activity.

            National security is not a catch phrase. It is a real daily concern. Nine men brought down the World Trade Center murdering 3,000 people and costing us trillions. One disgruntled scientist released weapons grade anthrax, murdered several people, caused millions in damage and terrorized an entire nation.

            The conspiracy theories are false. The reality is there are many people who seek every day to cause untold damage to the US and to other nations. Al-Qaeda really would like to release anthrax, or a dirty nuke, or a real nuke or any of a number of other threats. Oklahoma was not a government false flag. 911 was not an inside job. They were real events by organizations outside of the US gov who succeeded in causing real harm. There are others who would like to do the same or more. We need to balance security and privacy and if you don’t like how it’s being done you should vote accordingly. But the solution is not to remove the very tools needed to make us secure. The solution is more better government.

          2. The governments is using the same network surveillance enabled technology, as we citizens are using, to monitor us.

            So we could monitor the monitors.

          3. Noen, the special courts in U.S is gone. NSA and the others don’ t ask for permission.

            And the perfect human doesn’ t exist. Power is always corrupting our mindset. Thats the reason we have laws.

      1. Not sure I see what you’re getting at. If your state is unaccountable to you then yes, it’s your duty to replace it. Ask the people of Egypt or Libya. ALL governments exist with the consent of the governed. (but people will put up with a lot)

        If your democratically elected government is doing things you don’t like then vote accordingly. If you feel that’s not enough then you should convince enough of your fellow voters to make changes you like.

        Your choices are: leave, agitate for change, vote, or rebel. You cannot chose to opt out because by doing so you give the status quo legitimacy.

  2. Fortunately, that system of disclosure and laws is (one of the many) things that distinguishes the US from China/Syria/the rest.

    One thing I was struck by is that we Appelbaum’s comparison to regulations in arms trafficking.  We already have a procedure in place to regulate this kind of behavior;  how is it that surveillance equipment does not fall into this bucket?  I would suggest that the first stop NOT be the manufacturers as he suggests, but the State department.

  3. reply function seems to be pooched.

    From noen: We need to balance security and privacy and if you don’t like how it’s being done you should vote accordingly.

    Right. And which major party is it that respects our rights to privacy? Neither, that’s the one.

    1. The idea that we need these protections for our safety is a misinformed one. How many terrorists has the TSA caught? Yes, sometimes bad people want to hurt you, but that doesn’t mean you should be paranoid.

  4. The trouble is that if the putative good guys have access to a back door, then everybody has access to the back door.

    Merely because something is incredibly difficult and only one in a billion people could figure it out, as soon as one of those six people lets someone know how to do it , then everybody can do it.When I worked at cisco , you could find a lot of what should have been secret stuff just by looking up interesting words in the bug database.Who the good guys are is outside the scope of this argument.

    1. That is exactly the point missed by many people who believe that law and policy somehow relates to actual ability, control or even discovery of past activity. Take a look at the Greek Vodafone case as a good example of something we will see more and more of – when we’re lucky enough to have it come to light:

      Policy and law outline what kind of world we’d like to have and how we’ll try to steer the ship. Code is law – it defines where the ship can go – if the code is there, we’re at best reacting to some power mad fools crashing the ship, at worst, we never find out the full scope – as we know from the EFF/NSA cases:

      In an ideal world, we’d see that the law and policy would provide a balance. However, it simply isn’t possible when machines replace humans. We do not know how to secure machines and I assure you, the police/telecom CALEA/wiretapping machines are not the cutting edge example of a secure machine design.

      The trade-offs are simple not worth it and the feedback loop isn’t available to the public. This kind of secrecy ends very badly, especially for those targeted by the machine itself.

      No conspiracy theory, just history repeating – read Stasiland for a view into the kind of world we’re building in the name of “national security” and other related topics:

Comments are closed.