Security, Privacy and Circumvention


Internet Freedom Festival

Valencia Feb 29/02/16 - 06/03/16

Put on by the good people at IREX and OTF, the Internet Freedom Festival (IFF) is a conference / un-conference that brings together people from the worlds of information security, circumvention and Internet human rights for a week of knowledge sharing and collaboration.


Here’s a summary of some of the key points from the festival, noted down by News Labs’ Rob Cochran.

Circumvention: why is it necessary?

Some governments around the world are establishing tighter controls on access to content on the Internet. They use these controls to manage the feed of information that residents can receive and to restrict access to independent points of view.

According to IFF speakers, the three biggest players in the game at this point in time are Iran, China and Russia, but other nations are also beginning to invest in these technologies.

In 2015 Putin said “anarchy and complete anonymity” are the biggest threats posed by the Internet, so Russia’s Roskomnadzor requires any website with more than 3000 visitors per day to register as a mass media outlet. This means the editors must take responsibility for any content and comments. If content is seen as “criticism of the federal government or local administration”, the site may be black-listed. This can take months to have amended and can ruin a company.


China uses Deep Packet Inspection (DPI) to block content on a more personal level. For instance, if the BBC publishes a story about flooding in Yorkshire, it may be OK, but if we publish a different story mentioning domestic human rights abuses in China, it is likely to be blocked.

Iran is at the forefront of the world in censorship technology and does all of the above while also reportedly blocking entire Content Delivery Networks (CDNs) like AWS CloudFront at politically sensitive times, such as the recent legislative election. Some services randomise IP and DNS values to avoid blocking, but if they are using only one CDN, these values will still fall into a known range and may fall under the blanket ban.

North Korea is arguably more strict, but their technology is not as cutting edge. They rely more on the ‘air gap’ method of Internet censorship, where they simply do not allow any external Internet content to be viewed, in effect creating a country-wide intranet utilising its own DNS.

Circumvention: how?


Tools and techniques exist to help people access restricted content, but government digital services constantly monitor and adapt their filtering strategies, causing the circumvention tool makers to alter their approach again and again as the cat-and-mouse game continues.

Virtual Private Networks (VPNs) are popular, but as they often use fixed IP addresses they are prone to blocking.

Applications such as Telegram and WhatsApp use encrypted traffic and may not be specifically targeted by government filters, but there is no guarantee that this will always be the case and reports of blocking exist.

Randomising IP addresses and DNS records, encrypting traffic and bouncing packets through multiple proxies is the basic recipe for tools such as Tor, Psiphon and Lantern.

Lantern also helps to keep the information alive inside restricted areas using peer-to-peer (P2P) networks. A P2P network creates nodes on the computers that have successfully downloaded the content and allows other users to download it directly from them.

Getting content to be visible anonymously via Tor requires setting up a site with an anonymous .onion top-level domain. ProPublica has recently created a .onion version of their site in the hopes of it being more readily accessible inside blocked states.

Too valuable to block

Some traffic is considered too important by the government and may not be blocked. Email is such an important resource for domestic economies that blocking it is regarded as a last resort.

Obfuscation proxies, where you hide your IP traffic inside another protocol, may be used via channels that governments are loath to block. Protocols such as email or PlayStation Network may be used. However, it is expensive and time-consuming for the toolmakers to develop adaptors for each new protocol.

Mesh networks help people on the ground to establish and maintain connectivity when an Internet killswitch is used. A killswitch is a tool that allows an internet provider or country to ‘switch off’ access to the Internet. Whether it stops governments doing it or not, the UN and human rights group Article 19 have helped bring killswitches to the attention of the global community as a violation of basic human rights.

Keep yourself safe


Many of the attendees of the IFF were more focused on data security. For agencies working with valuable data in exposed locations it is important to protect information such as identity, member lists, sources and internal communications.

One administrator of a free information bulletin board-type website reported at the conference that she would never attempt to access the website in her country without using Tor to avoid being arrested and charged with “incitement of debauchery”. Unfortunately, this is all too common in some countries.

In a large organisation like the BBC, security best practice is undeniably important to implement. While it might be difficult to protect the sources of more than 7000 journalists there are tools available to help. The festival had plenty of examples of new tools, which I’m currently evaluating.

Subgraph OS is an operating system designed for maximum security and impenetrability. It comes bundled with a collection of ‘safe’ applications such as Tor and CoyIM and runs encrypted on a modified Linux kernel. It runs all processes in compartmentalised memory spaces with locked-down rights. This means that if an application tries to access a command it’s not meant to, such as ‘curl’, the OS will block the attempt and report it to the user. It also means that applications running in the background have no knowledge of what the user is doing, which prevents keystroke / mouse tracking.

Another product that could be useful is NetAidKit. This is a USB-powered router that sets up instant VPN access for the user and also creates a WiFi network allowing nearby colleagues to connect securely. Any VPN configuration file may be used and the integrated USB port will soon allow network connection via a 3G mobile data network dongle.

Honourable mentions

Securepost is an Android application with a Chrome extension that facilitates anonymous group Twitter accounts and allows verification of the content the users post. It uses a neat bit of image cryptography, meaning the message is already downloaded but encrypted, which makes the network footprint and chance of discovery of this application smaller.

Tespack are lightweight solar smartpacks that charge as you go and allow you to power your devices in the field. They also manufacture a small clip-on solar charger with a 5000 mAh battery and a 5V output.