Community Updates 2019 Part 1
- Protests in Hong Kong continue, but no major updates to share. Next big one is July 1.
- Russia to get back to CoE Parliamentary Assembly
- the Roskomnadzor had been threatening to block major VPNs
- protest against concentration camps on July 12 in front of the US embassy in Berlin. https://www.lightsforliberty.org/
There has been an Internet blackout in Myanmar
- Stand in solidarity by posting to social media at 5:00pm MMT / +6.30 UTC every day
- You can also find post ideas here: https://pad.riseup.net/p/keepMMon-keep
- graphics here: http://bit.ly/keepmmon
- Relaynet is a computer network to circumvent Internet blackouts.
- Relaynet is an overlay network, so you'd normally want to use it on top of the Internet where possible, but when the Internet is down, you could switch to other networks, like a meshnet or sneakernet.
- There is a PoC where I simulated a scenario where you could use Twitter offline via a sneakernet
- A sneakernet is a "network" where the data is physically transported from A to B using USB flahsdrives, hard disks, etc. They're very common in places like Cuba and North Korea, although they tend to be very basic: They're only used to share movies, documents, software. They aren't used to actually transport Internet traffic. *With Relaynet, you could transport tweets, Facebook posts, etc., on a sneakernet.
This Glitter Meetup is divided in three sections:
1. UPDATES IN HONG KONG PROTEST
- The Hong Kong government proposed a bill that would allow the government to accept extradition requests from governments with which it does not have specific mutual assistance treaties in place. This bill would have allowed extradition to China, which would blow a hole in the judicial firewall between Hong Kong and China.
- The government has been trying to bulldoze this through the legislative council, cutting short public consultation periods and skipping committee readings.
- Extradition affects us all, including visitors and those in transit, could be extradited to China if this bill passes.
- Opinion polls show that HKers are widely opposed. Other governments, business chambers, legal societies, etc all spoke out but the government kept barreling ahead so HKers took to the streets.
- First on Sunday, June 9, which saw roughly 1 million HKers (7.4 million total) turn out to protest. The end of the protest was at the government and legislative council headquarters, and many decided to stay there late into the night and occupy neighboring streets. Late into the night, police cracked down on this with batons and pepper spray, eventually clearing everyone out by force.
- Still, the government said it would proceed with the second reading of the bill as scheduled, on Tuesday June 11. So protestors attempted to prevent the legislative council for holding its meeting by occupying the building and surroundings. This went on all Tuesday and was eventually labeled a riot by the police. They cracked down indiscriminately with rubber bullets, beanbag bullets, pepper spray, and tear gas. They arrested people, both on site and later on (including at hospitals when people sought emergency treatment).
- The legislature ended up not being able to hold meetings for the rest of the week, but did not commit to withdrawing the bill. On Sunday, HKers took to the streets again, this time turning down in greater numbers: 2 million.
- Groups of protestors organizing online made four demands:
- Withdraw the bill
- Remove the “riot” designation (as HK law has very strict sentencing guidelines for people participating in a riot, up to 10 years)
- Release the arrested protestors (30+)
- Independent investigation of police brutality
(And for some, 5. Chief executive (head of government) Carrie Lam should step down)
- The Chief Executive held a press conference yesterday where she apologized for “causing division in society” and said the bill would be “suspended indefinitely” and wouldn’t be resumed until divisions were resolved. She declined to address any of the demands directly, though the police have said they would only be charging 5 people with riot-related charges.
- Something that happened on the digital front is that protestors are using Telegram to stay up to date, and one of the admins of a Telegram group with 30k or so members was detained by police last week and intimidated into handing over his phone so they could export all the group data. China also appears to have DDoSed Telegram.
- And also there have been questions about how police knew which patients to arrest, and the legislator representing the medical sector has shown that there is a separate, credential-less area of the patient record system for providing police information.
| Links to cookbooks:
| Links that explain deeply the contexts of Hong Kong protests:
| Official Hashtags:
2. BLACKOUTS AND SHARING CONTENT STRATEGIES
- Cuba - El paquete
- While not Internet Blackout because there was just wasn't internet, in Cuba, they use something called El paquete, where content is brought in to the island via USB key....this content is copied, and then shared with others during that week.
- it translates to "the package" and every week there maybe different packages. Each package has like different types of content. One package can be entertainment, another can be like news
- it can be distributed either via USB, CD, the way its carried is not so important as creating a distribution system.
- it uses the satellite to transmit from one place to another basically as a stick or cd as well
- it is a package and will be trough a dish be transmitted to radio broadcast
- satellite connections require satellite receivers on the other end, which is why they’re hard to scale. But once someone is on a satellite internet connection, they should be able to access anything.
- In Vietnam satellites there used to be frequent radio broadcasts from media outlets including Radio Free Asia but it was jammed here and there and also quite costly
- USBs and Foreign SIMs
- Offline organization is really important
- Tweet to SMS
- Neds a short code and prior setup: https://help.twitter.com/en/using-twitter/create-twitter-account-mobile
3. COLLABORATION AND UPDATES FROM RIGHTSCON
- Civicert took a step to become real.
- Access Now is developing a spam/phising email plugin.
- Safe Sisters project will start in Myanmar
- There was a Southeast Asia meet up where they discussed possibilities of collaborating and engaging within ASEAN mechanisms.
This Glitter Meetup has as featured guest Melissa, from Mozilla. We discussed several topics around Mozilla and the internet freedom community.
- As many of you might know, one of the cornerstones of Mozilla’s mission is using the language of “Internet Health” as a way of breaking the larger concept of a representative open web into areas that directly impact people’s lives.
- They are also going through a process to focus this even further, and have landed on "better machine decision making." What role can Mozilla and the community that it is part of play in pushing AI in a better direction for humanity? What approaches to AI will make it more likely that we create a healthier digital world?
- Mozilla is mostly likely to have an impact if it focuses its efforts on the consumer tech space, including the development and use of AI by the large tech platforms. From there, they are working to narrow down areas where they might have an impact.
Mozilla's focus on better AI and their future plans
- Mozilla is trying to understand how AI could be used for the public interest -- holistically, collectively, and definitively -- and not just for capitalist gain.
- Mozilla's current Awards program is all about ethics, starting from the "pipeline," and their current advocacy efforts are about pressuring companies to do and be better.
- Mozilla focus on a healthier internet is constant. Their 5 pillar issues (privacy & security, decentralization, digital inclusion, web literacy, and openness) are always core to what they do. The AI focus is new, and is interwoven into the 5 issues for the next few years -- it's not separate from, or simply in addition to, if that makes sense.
- Is there any support from Mozilla to the fellows/project after the fellowship period ends? Like how Mozilla can help the fellows to sustain the project, or continue to do it etc
- yes, and we are working on building more opportunities for continued support. But it depends on how you look at sustainability and support. If it's about community and connections, then yes! Absolutely. If it's about financial support, then it's more about connecting folks to funders or other opportunities, rather than Mozilla sustaining the project financially.
- What about the time of the fellowship?
- Mozilla's fellowships are within a specific time period, usually 10-12months. It's not meant to be long-term employment for anyone, but rather to give space -- opportunity for creativity -- to do something (hopefully) game-changing for both the sector and for the individual. And then they go on to either continue and grow the thing they did during the fellowship, or onto something similar within the context of fighting/building for a healthier internet.
- Fellowships don't offer career stability (though they usually offer pay), and they're definitely not for everyone. Mozilla is hoping that fellowships for this type of work don't have to exist in the future, and that the ethics/digital rights are baked into tech products.
- How transparent is the selection process?
- Mozilla try to share what they are looking for and the criteria online, via blogs and the fellowship website. Sometimes the projects are awesome but people are asking for visas, etc which they don't support, since they are hoping to uplift local/regional talent within that region.
- Regarding full transparency, they don't share the contents of the applications publicly, and the actual review process is not open. However, they bring in external reviewers from the community who are knowledgeable about the space and content to help guide the process.
- it's as a celebration of the good bits, with space for serious conversation and problem-solving for the bad.
We discussed about the big representatives and recognized faces of our community, that are capable of moving crows and be the voice of a lot of groups.
Here are some great profiles from the Internet Freedom Community:
- Nighat Dad
- Eva Galperin
- Yoani Sanchez
- Bruce Schneir
We talked to about fundraising: the environment of this area, fundraising plans and tips:
- First thing is that the funders duplicate existing power structures that we fight against, it's just that the people with money don't like this. discussion so we rarely have it publicly.
- Some review boards don't have your expertise - whether about your local political context or the tech you're using /developing.
- So explain it simply in the intro, then go into more detail later.
- Do your project plan first, for yourself. It's easier to cut down your detailed internal docs.
- OTF has an alternative funding source list.
- You can look at governments (not recommended for small organizations) and NGOs that could offer a sub-grant, and foundations as Knight, Ford, Open Society or Prototype Fund
- Some donors understand that most of the presenters have English as their second language. If your points are accurate and doable, they will not consider your grammar or proper writing.
- A good way to prepare your presentation is to look at the request for proposal and mirror their language. You can look for interviews, conferences, and press releases to get a sense of their political priorities and language.
- Established NGOs need to do a lot more to help smaller organizations and independent activists.
- In SEA, they try to apply those big funding, get some established NGO to host the big moneys, and do sub-granting to small NGOs and independent activists. Also because in SEA is kinda strange, some local acts not allow certain funding to the NGO because of the registration. So, with sub-granting (smaller funds by batch), we're able to transfer to non-registered organization.
- Never forget to take care of yourself during the previous work of the presentation and get a great treat-your-self after the deadline.
- Turkey is having an election crisis
- We discussed the best way to stay updated on vulnerabilities like the incident with Whatsapp
- It's hard to check if there's misinformation in this kind of news
- RareNet: https://www.rarenet.org/
- CiviCERT: https://www.civicert.org/
- Discourse: https://www.discourse.org/
In this Glitter Meetup, we discussed the latest Vietnam Cyber Dialogue report, with two Viet Tan members.The Vietnam Cyber Dialogue is a space convening frontline and civil society activists, journalists, technologists, policy makers and allies who are working within the Vietnamese landscape or would like to know more to better support activists. It's a safe space for people to share knowledge and resources while finding ways to collaborate and work together. The VCD is hoted by Viet Tan.
Challenges and highlights from Viet Tan
- The Vietnam government have been cracking down on activists for years. it's becoming increasingly hard for activists to leave the country. we've been in a major crackdown for yearrrrs now, with raids, device seizures, arrests, etc
- Viet Tan have acted as an interlocutor, to bring people together
- Viet Tan was inspired by the Iran Cyber Dialogue (hosted by ASL19), which had their first ICD at the first Internet Freedom Festival edition (known as the Circumvention Tech Festival)
Two thirds of Vietnam’s population are on the Internet, and 95% of these users are on Facebook. Why so many people have connected?
- There's a bit of a yearning to head online and find out what's out there. Lots of people live in rural areas and there's an increased need to be connected. Others are also starting to find out that you can get lots of different information online... which is slightly different or not reported by heavily controlled state media
Talking about the infiltration of Google or usage of it, does everybody have a gmail account for example?
- Google has more than 90% market share in Vietnam, as a search engine. Gmail accounts are widely used, given that it's been touted to have more security features. Close to a decade ago, there were more Yahoo users, given that we loved yahoo360 and kept that blog going
The average user spends nearly 7 hours online every day, and about 2.5 hours on social media. Their time on social media is primarily spent on Facebook, connecting with friends, shopping, and meeting new people
- Lots of time state media stays silent on hot button topics so social media becomes the place to find out what's happening.
- Like many developing nations, Facebook is the internet, so their first interaction with the outside world.
Google and Facebook with the Vietnam goverment
- This means that Google and Facebook are in process of complying, especially with the implementation of the new cyber security law.
- Google has taken down thousands of youtube videos based on government requests.
- Facebook censored articles from Viet Tan's facebook page, based on government requests. the posts were not made available to users in Vietnam but viewable elsewhere around the world.
- Viet Tan published a letter to Facebook regarding government censorship, co-signed by 10 other organizations.
- Bloggers and citizen journalists in Vietnam initially jumped onto Facebook in the to prevent the government from blocking their sites and pages. But now the government is requesting Facebook to place country restrictions on certain posts.
How can you share the censored content? Do activists organize on facebook?
- Facebook live is now the most used function within Facebook, for mobilizing people or when one is about to be arrested they usually then go on Facebook and broadcast live. But there are many cases of accounts suspended in the middle of Facebook live, especially at the height of the coverage of activists trials.
- Account suspensions and content takedown is a huge problem in Vietnam (along with hacking, device seizurse). We have our own helpdesk, which works with Access Now's Helpline to support primarily activists in Vietnam on these issues.
How the Vietnam Cyber Dialogue listed how activists were prosecuted
- 1) threaten and demand activists to stop using social media to post anti-government content
- 2) prepare documents to fine activists from 200,000 to 1,000,000 VND ($9 to $44 USD)
- 3) temporarily detain the activists from 3 to 9 days.
- Based on their findings, the police may then prosecute the activists, which allows them to detain activists from 2 to 4 months as they investigate the case. After the police conclude the investigations, the defendant is often put on trial. No activist has ever been acquitted at a political trial. Human rights activists are generally arrested and sentenced according to one of the following articles of the 2015 Penal Code.
- When activists are held in detention during the "investigation period," we're talking about prisons. Where they have no access to laywers or their family members, beatened and tortured. When they are then sentenced, they are often moved to prisons in rural regions, too far away from their family members to travel to visit them. Activists sometimes have to go to the extreme of going on days-long hunger strikes in order to get access to food and medicine.
- Sadly the "investigation period" can be also renewed up to three times so you can be held in detention for 16 months before going to trial
What support, needs, or asks do you have from the broader community, if any. What can we do to help?
- With Facebook being one of the only tools for collaboration used by the wider Vietnamese activist community and a more controlled online space, the broader community can really help urge Facebook not to be comply to some of the vague laws used to censor content
Do you also share similar content on websites & how has the government reacted to those? Or its the same reaction on any digital platform?
- Before the popularity of Facebook, Vietnam users used many of the popular blogging platforms. but that is subjected to hacking attacks. websites have been routinely DDOSed and attacked. that's why many folks moved to Facebook. in fact, citisen journalists, bloggers, activists use Facebook as a publishing platform
- There's a very popular Vietnamese blogger currently based in Germany who's published breaking news and scandals before who's also had some of his Facebook content censored.
- Being a part of the larger coalition (like the Next Billion Network) and working with international groups is key. the facebook problem is not unqiue to just vietnam. we know many countries are tackling this as well, and advocating together gives us more leverage with Facebook as a whole
- Vietnam Cyber Dialogue Report: https://viettan.org/en/vcd2019-report/
- Viet Tan letter to Facebook: https://viettan.org/en/facebook-open-letter-wpfd/
- Viet Tan Dear Mark Letter: https://viettan.org/en/open-letter-to-facebook/
- One of our participants wrote an article in Russian talking about the Internet Freedom Festival: https://te-st.ru/2019/04/30/internet-freedom-festival-2019/
What can be done to help better support specific initiaitves that the community has going on
- Legal analysis and communication with local partners to push for needed changes.
- Pro-active spirit
- Financial Support
- China blocked the entire wikipedia site: https://chinadigitaltimes.net/
- In Russia, Putin signed the weird law on how to separate the Russian internet from the rest of the world
- Singapore urged to make changes to proposed bill against online falsehoods:
We keep talking about DNS:
Who actually assigns a URL its IP address?
When someone host their website to a server. The web server assigns an ip address for the domain but the web server does not produce IP address but the Internet Assigned Numbers Authority (IANA) does. Web hosting service provider get unused IP from them and distribute among the server users.
Let's learn about the Internet Assigned Numbers Authority (IANA):
- Here is a description of IANA: "We are responsible for coordinating some of the key elements that keep the Internet running smoothly. Whilst the Internet is renowned for being a worldwide network free from central coordination, there is a technical need for some key parts of the Internet to be globally coordinated, and this coordination role is undertaken by us."
- ICANN is the owner of IANA. As IANA owned by ICANN All the domain and IP addresses are controlled by the same organisation.
And what about the Public Technical Identifiers?
- Public Technical Identifiers (PTI) was incorporated in August 2016 as an affiliate of ICANN, and, through contracts and subcontracts with ICANN, began performing the IANA functions on behalf of ICANN in October 2016.
- The PTI was founded in August 2016 as part of the implementation of the IANA Stewardship Transition. It's formation was designed to meet the ICG's recommendation to form a new legal entity to perform the IANA Functions, which was included in the proposal submitted to the NTIA on 10 March 2016. It began performing the IANA Functions on behalf of ICANN in October 2016, immediately after the IANA function contract with the NTIA expired.
- Why It Matters That Your ISP May Control Your DNS And What If I Use Encrypted DNS? https://www.privatetunnel.com/news/why-it-matters-that-your-isp-may-control-your-dns/
- How DNS works: https://www.theguardian.com/technology/2010/dec/03/dns-ip-ddos-explained
- A Comic of how DNS works: https://howdns.works/
- Understanding DNS- https://www.networkworld.com/article/3268449/what-is-dns-and-how-does-it-work.html
- IANA: https://www.iana.org/about
- PTI: https://pti.icann.org/
- PTI board: https://pti.icann.org/pti-board-of-directors
- ICANN and the 7 Keys to the Internet: https://www.youtube.com/watch?v=LRAmeZCLBZE
After the 2019 Internet Freedom Festival, we focused the Glitter Meetup on the feedback, experiences and feelings of the participants!
- the expo table worked for us, we could direct people to it and had visitors all the time, the jojo's were a success as well
- IMO the expo table needs to be a little organized. as well as the mentor and digisec table
- One participant said that they really, really loved the birthday party. even though they missed the majority of it -- the cakes, the photos, the photobooth [because they was busy helping some folks ] but by the time they arrived, there was so much love pulsing through. it was great to see old-timers and new folks celebrating the iff love
- it was great that you scheduled the dev meetup at the very start of the week as it meant we knew people for the rest of the week
- the Rapid Response Meeting was very useful
- it was nice doing the tool showcase in the library, it was warm and quiet!
- Dev meetup worked great
- One participant pointed that all the people they met were very friendly and helpful. They feel like they were with their friends
- Once participant said that they really loved this year's edition, specifically because of the number of African countries represented & African centred sessions led by africans.
- for the vietnamese crew, it was a chance to bring newer communities into this space. they always love the IFF experience
- They also love the themed music nights danced to alot of new music
- One participant said that they really didn't see alot of Academics in the space or maybe their presence was just low key
met some really good people. seemed to be a nice mix of new and existing people
- They also loved just the sub theme of gratitude, they took time to really hang out with people they first met at the IFF since it began and did an evaluation on the progress we have done over the years too. Some folks they also posted selfies with
- the Greenhost drinks were great too
- it felt the focus of the program moved away from tools this year and (despite being a dev) that was actually nice
- people didn't really pay attention to the roles in the sessions, some sessions got a bit derailed
- two session was ruined. the speaker didn't come.
- please make a better schedule page. or maybe an Android app.
- For future schedule: subscribe to session/mark as interested so that the participants get notifications before the sessions
- There were some sessions which they really left would have been nicer if merged but the thing is there were from different themes hence maybe making it hard to merge?
- it will be great for people to have trainings on specific things of interest in half a day too
Code of Conduct
- the code of conduct stuff was nice this year (last year it was kind of scary)
- wifi didn't work very well & it would have been simpler if the password was the same across all access points
- why were there limited refreshments and coffee areas?
- the internet connection was terrible
- They wish any telco sponsor all participants a sim card with data
What do people understand "UX" means? What are the challenges to making tools more accesible?
UX is an acronym for user experience. When we are talking about UX, we're talking about anywhere where users (of any type) are interacting with technology or tools.
- MailChimp: https://styleguide.mailchimp.com/
- Atlassian Style: https://atlassian.design/guidelines/voiceAndTone/language-grammar
- Simple Secure guidelines: https://simplysecure.org/tags/how-to-user-research/
- Meedan guide: https://meedan-ui-guide.meedan.com/
- Presentator: https://presentator.io/
- Microsoft Manual of Style: http://gen.lib.rus.ec/book/index.php?md5=881E9F18F9EA3665771923A2DF8EB061
- The Federal Plain Language Guidelines: https://www.plainlanguage.gov/
- Let's Encrypt is a big infrastucture project that helps people to get HTTPS on their websites. It is a Certificate Authority, which is part of HTTPS. HTTPS encrypts the communication between your browser and your web server, so the government can't see it. They also can't modify it!
How does Let's Encrypt work?
- For instance, the site we are on now, Mattermost, uses HTTPS.
- That means your ISP can't see what you're typing, because it's sent over HTTPS to Mattermost, so it's encrypted.
- In addition, they can't change what you are typing or the other is typing.
- The tricky thing with HTTPS, like all encryption, is how your computer gets the encryption keys it needs in order to talk to the web site.
- Your computer needs to get those keys from someone it trusts. Operating systems pick a group of Certificate Authorities to be trusted.
- So Let's Encrypt can tell you "the keys for community.internetfreedomfestival.org are XYZ"
- And because your computer trusts Let's Encrypt, it will accept those keys and use them for communication.
Is it easy to set up?
- It is very easy
- If you use whm/cpanel for web server then it'll come by default now. just need to activate it with some clicks.
Differences between DNSSEC and Let's Encrypt
- Let's Encrypt is an authority that helps you be sure that community.internetfreedomfestival.org has XYZ encryption keys
- DNSSEC allows the owner of community.internetfreedomfestival.org to publish statements that anyone can verify. So they can publish the address for community.internetfreedomfestival.org as 184.108.40.206, and we can verify that statement really came from them.
- DNSSEC doesn't do any encryption. It just ensures you have the right IP address. But your DNS lookup and the DNS response are still spyable.
- DNSSEC can't encrypt websites, since it only affects the DNS lookup.
If an isp poisons DNS records and also those of dnssec to include fake signatures our devices will notice?
- The answer is it depends~ TLS currently depends on trusting authorities like Let's Encrypt. DNSSEC depends on trusting owners of the DNS namespace, in a way!
- Report of DNS hijacking: https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
- Dashboard tool built as part of standardization work at IETF where you can test DNS-over-HTTPS: https://netblocks.org/tmp/doh/
News & Updates
- Tor Global South Online Meetup March 1st
- Information about the Localization Lab Summit happening right before the Internet Freedom Festival
The Summit is a chance to identify challenges and opportunities in tool adoption and localization. It's an event for anyone invested in making digital security and circumvention tools accessible for a global audience, promoting local content creation, and supporting more linguistic diversity in the digital sphere is welcome to apply. We are looking for folks working on Internet Freedom technologies or content for a diverse, global audience, like journalists, funders, human rights defenders, digital security trainers, community organizers, UX experts, and developers. We especially welcome communities that use or or are in need of digital security and circumvention resources that are translated, adapted, or created for their unique linguistic, cultural, and technical needs.
If you will be in town early and would like to join, you can send us an RSVP using this link: https://www.localizationlab.org/blog/2019/1/22/invitation-to-apply-2019-localization-lab-summit-amp-sprint
Anyone who doesn't sign up for the national ID scheme by March 31 will have their tax ID cancelled. Aadhaar is a national biometric-based identity scheme in India with over 1 billion enrollments. You submit your fingerprints and iris scans to enroll, and get a 12 digit random number for life. The government insists this is as invasive as applying for a visa to America or Europe, so if it's fine in the rest of the world, it should be fine in India.
From 2009 to 2016, Aadhaar operated without a law, by executive order. The bill was repeatedly rejected until 2016 when the government forced it through the lower house of parliament as a money bill, meaning that Aadhaar did nothing more than control spending from the consolidated fund of India.
This of course prompted even more petitions in the Supreme Court, which finally found time to hear the matter. In 2017, the attorney general informed the court that Indians had no fundamental right to property. The court responded with 9 judge bench judgement asserting that the Constitution of India did indeed have a fundamental right to privacy. Nine judges is pretty epic. The only way the government can overturn that is if a 10+ judge bench agrees, and that's not going to happen.
In 2018, the court turned its attention to Aadhaar itself. They opened with a statement that they will not accept a fait accompli argument, meaning no "too big to fail". If Aadhaar violates the constitution, it should go. The hearings ran from January and the judgement came out in September in which they accepted that the government's powerpoint presentation that the data was secured behind 13 foot walls with commandos guarding it (not kidding) was good enough, so Aadhaar could stay. 4 of five judges in favour, 1 in scathing dissent, and the only one treating it as a constitutional matter.
Of course they can't take away the tax id. Not in law, and not one month before national elections. India has a government that keeps trying to get away with strong arm tactics. They've clearly bent the court. So their threat will be eventually overturned, but life will be hell for those who resist.
You can find more information here: https://medium.com/karana
Venezuela has been experiencing social media censorship. The phishing campaign happened on the 22nd of Feb during the live aid concert. At the end of the concert Richard Branson mentioned the social media blockages during his closing speech and invited people to shout 'libertad' which was very powerful https://twitter.com/NoticiasRCN/status/1099086785555152896
Now Maduro's goverment has a habit of blocking social media platforms whenever Juan Guaidó appears on TV. Yesterday for the first time they blocked Twitter. We are %100 sure of the reason, related to his tweet which includes an audio file uploaded on Soundcloud. https://netblocks.org/reports/twitter-blocked-in-venezuela-noy9d4B3
How would we define DNS and DNS spoofing?
DNS Spoofing is a technique use to confused users, with the outcome usually trying to trick users into going to a malicious website. Basically DNS turns domain names into IP addresses. If you can interfere in that process you can redirect people and their information to malicious IP addresses. Is used for blocking websites, lying, or stealing data.
- One participant pointed that DNS is a network of servers ran by different companies and governments. Usually when you connect to the Internet your ISP will provide you with a DNS server, but you can have others. That means that you can choose your own DNS and you dont depend on the one the company gives you.
- Other participant also added that, apart of what others said, a DNS could be the technology that help us reach places on the internet with just a name (domains)
- It is made easier by the fact that the DNS queries are mostly unencrypted and unsafe, that is why there are a lot of projects trying to make DNS better
DNS Spoofing Cases
- Article explanning in simple words and draws what is DNS and how the attacks work: https://www.derechosdigitales.org/12841/venezuela-cuando-el-atacante-es-el-gobierno/
- A case where entire DNS services are blocked, to encourage using state-run ones: https://turkeyblocks.org/2018/04/02/new-cloudflare-dns-service-filtered-turkey/
- When Wikipedia first started being blocked in Turkey, DNS poisoning was used first, then the SNI filters kicked in for full cover: https://turkeyblocks.org/2017/04/29/wikipedia-blocked-turkey/
- IIRC, Turkey in 2016 also filtered 8888: https://labs.ripe.net/Members/emileaben/internet-access-disruption-in-turkey
- during the catalan referendum they were also messing with DNS https://www.independent.co.uk/news/world/europe/catalan-independence-referendum-spain-websites-blocked-spanish-constitution-votes-a7971751.html https://www.theguardian.com/world/2017/sep/27/catalans-compare-spain-to-north-korea-after-referendum-sites-blocked
- situation in Thailand during IETF103 Bangkok. A lot of work happened there to strengthen secure DNS (DoH and DoT), you can see our public interest hackathon: https://netblocks.org/news/rights-and-privacy-next-generation-internet-protocol-stack-ietf103-WRAeVWBg
DNS spoofing in Venezuela and why we should be worried about it from a technical perspective
The biggest (public) ISP used DNS spoofing to redirect people looking for an oposition volunteer registry to a fake cloned site. The worst part is that even DNS requests to other trusted DNS servers where intercepted and also altered. And the people running the fake site captured some data and published it maybe to persecute those people registered in the fake site targeted as oposition activists.
DNS spoofing prevention
- Use Tor!
- The community has to act fast
- Advocacy and a public outcry is useful when the attack is done
- Use VPN with Firefox with DNS-over-HTTPS enabled, so you make sure you're not using misconfigured VPNs with DNS Leaks (VPNs are sometimes non-trivial to set up and some setups may have bugs that send DNS queries to ISPs without VPN)
- Push technical community to use DNSSEC
Since all participants agree that the best way to solve DNS spoofing is through outcrying, we start to talk about the outcry strategy:
- the noise make other people in this community to share experiences and to vpn companies for example to research more and help us to access in an easier way to their service
- part of the problem of creating outcry is difficulty explaining DNS and the attack, without confusing folks. Lack of coordination to reach journalists, and lack of coordination to reach users.
- using networks of your communities in other countries
- In Venezuela helped a lot to create a network of internet research activist group to agree on actions and to share responsability reaching certain actors:
- report fake websites
- monitor social media and report trolls
- talk with affected site admins
- make basic security assessments to websites
- find contacts in providers (hosting, browsers, etc.) to enable comm channels
- a long etc
After advocacy and outcrying, we founded that the best practices is using DNSEEC:
- For consumers, DNS-over-HTTPS and DNS-over-TLS may be more practical options than DNSSEC.
- It's like https for DNS severs(!): it helps to guarantee authenticity to those who verify it.
- Queens successfully kicked out Amazon - the largest corporation in the world! It was a beautiful campaign win led by women of color activists. Learn more here: http://gothamist.com/2019/02/15/who_killed_amazon_deal.php
Venezuela context: The latest presidential elections were widely regarded as illegitimate, in Venezuela and the rest of the world. The date of the new term came, and the opposition-led National Assembly (Congress) declared Maduro to be illegitimate and per our constitution the president of the Assembly, Juan Guaidó, was declared interim president of Venezuela. Maduro didn't recognize that, so Venezuela, in a manner of speaking, currently has 2 presidents. Guaidó has been recognized by most of the international community and controls several international accounts and assets, but Maduro controls the assets inside Venezuela including the military
Connecting with the technical issue: One of the first things the Guaido-led government did was to accept international humanitarian aid (the Maduro government has been refusing that for years). They also released a website, voluntariosxvenezuela.com, to gather volunteers for the process of receiving and distributing that humanitarian aid
There's a lot of confusion to what is happening in Venezuela, and some of the lastest updates are:
- Since some time ago we are seeing selective blocks to sites of social media and other interesting critic sites
- A couple of days ago there was a big concentration about "youth day" and Juan Guaido announced that the humanitarian aid will enter the country on feb 23
- There is a website of registration of volunteers, this site wass cloned by people related to the regulatory organism (Maduro administration), and apparently tousands of volunteers where redirected there and they gave their data to the Nicolas Maduro regime. They also have a structure in place that would allow them to do phishing on a lot of other websites, including google and social media. They have a lot of .ve domain names that are very similar.
Has there been any attempt to block VPNs and/or use of DNS over TLS / HTTPS? (this is actually an interesting use case for Google's Intra app)
Historically, they blocked Tunnelbear. But there're not signs of other common vpns blocked currently. VSF has pcaps proving DNS injections and responses from the servers.
Do we know anything about the technical people doing the blocking? Have you seen the techniques become more sophisticated?
The techniques are becoming way more sophisticated. Years ago, there were only basic DNS blocks and since last year, we have seen blocks on Tor and now this. They started SNI filtering last year. This year, they started presionly-timed short SNI blocks in a very tactical way. And started blocking some ooni servers to try to stop croudsourced ooni measurements campaings we ran.
It would be interesting to know if the people doing this are home grown talent, or imported.
At the moment everything points to local staff but we don't know yet for sure. They do use foreing companies like DigitalOcean and GoDaddy for this.
In regards to communication, how is the new president (Guaido) communicating with the people curerntly?
Social media is definitely the way. Youtube/Instagram/Twitter have been blocked when Guaido livestreams or has big announcements.
Do you people there in Venezuela have sort of any "national" or "local" social network which is mostly popular in the country (or the area)?
Not really. Facebook, Twitter and Instagram are the most used. And A LOT of Whatsapp
What is the connectivity/internet penetration rate like?
It used to be good, through cellphones, but it's getting progressively worse because of the economic situation. Internet infrastructure is terribly, and by many metrics Venezuela has one of the worst internet services in the region and the world.
It's a bit worrying that most people still get news from TV and radio, which is mostly controlled directly or indirectly by the Maduro government. People often don't know if the errors are just faillues or censorship. That's why for years we have been documenting this, so that the poeple actually realize the level of censorship they live under.
And - apart from blocking of websites - are there any negative legal consequences in Venezuela for speaking in public (online) against the Maduro's regime? For example, these activists who run the website on humanitarian aid / volunteers - do they face any legal threats specifically for their online activity?
Yes. VSF is currently in record territory regarding political prisoners. Is random but historically people got arrested (since 2 years ago at least for tweeting things). The courts, the police and the military are still controlled by Maduro. Until that changes, things actually get worse because they feel cornered and need to crack down on dissent
There is a case of a person who just tweet publicly availabel information form flightradar.com (or similar) and was held incommunciated, tortured and charged with treason beacuse he included publicly available information on the flight path of the presidential plane.
What do you think is going to happen in the next year?
A big difference, and a good one, is that there is hope now. Up until recently there was only resignation. This gives people a light at the end of the tunnel. There are may scenarios of what might happen, it's a very difficult and sensitive situation
- Report on the phishing incident in Venezuela
- Report on the phishing incident for folks following along in English: https://securelist.com/dns-manipulation-in-venezuela/89592/
- Detailed evidence of SNI filtering was published http://vesinfiltro.com/noticias/wikipedia_2019-01/
- 989 political prisoners right now https://twitter.com/ForoPenal/status/1095670524703854592
- What is going on in Venezuela: https://www.youtube.com/watch?v=bEvHwiJWgAY
- Today, we have a special guest: Xeenarh, she has been one of the most impactful digital security trainers in our space. Last year, she recently got hired as ED of Nigeria's The Initiative for Equal Rights (TIERs) wwww.theinitiativeforequalrights.org which protects and supports sexual minorities in Nigeria and surrounding areas.
- TIERs are open 7 days of the week till 8pm and run a clinic with 2 doctors and a nurse so that even folks who have long working hours can stop by to see a physician that is emphatic and they can be open and honest with. They provide free legal services for protection of rights (against state or non state actors) and they do a lot of work in the media (books, movies, series, documentaries) so that they can change hearts and minds while changing the law. Now they have a Safety and Security department to run that here at TIERs.
- One of the greatest shifts they have seen within the region and in the movement is the embrace of new technologies, and the acceptance that it comes with certain risks that people should take precautions on. Where in 2013 organisations were reluctant to adopt some changes, its a lot different now. People are less surprised about capabilities of states, corporations and technologies, and are always open to learning what they can do to minimise harm.
Questions & Answers
- What do you think is the biggest challenge orgs like yous have in regards to digitsec?
- I think the biggest challenge for holistic security for orgs is taking time out to implement existing policies. Things move so fast and is usually life and death (or a stint in jail) for folks we respond to that people will push back so they can do 'more important' stuff. But some organisations are better than others and the biggest difference is size. The smaller the team, the faster they adapt and the longer the change in attitude lasts.
- With the upcoming elex and the world watching is there an opportunity to shed light on underrepresented issues? Will potential conflict and partisanship put the LGBTIQ+ community at particular risk? What can we do to help?
- Elections are always a good time to shed light on marginalised communities (disability, homelessness, LGBT folks). LGBT people were front and centre a couple of months ago when presidential aspirants were asked their position on criminalisation on same sex love and they all had to find moderate positions as opposed to the antagonisms of the past. And although the rhetoric of homosexuality being a western import and being 'unafrican' has been reducing greatly in the past 4 years (the decriminalisation in Angola and the pro lgbti judgements in Kenya have really helped) we are still nervous a public partisan position would be the excuse evangelicals need to rehash that line. As for what can help, giving tools and tactics to groups and frontline activists on how to deal with issues. Fake news is really big here (I curse the day whatsapp groups became a thing, sigh) and there is a likelihood that there might be violence if the sitting president loses. Keep talking and writing about Nigeria and marginalised groups as our country often bows to international pressure and embarrassment. There's also a teeny tiny possibility that the internet could be shut down (as with other elections on the continent) so talking ahead of time to ensure that doesn't happen would be helpful (I should send the handles to tag soon). We are also working on what to do IF that happens...
- what responses have you seen around the group running a project called Una Hakika(https://www.unahakika.org/) which was an attempt to evaluate rumours within Nigeria, in terms of tools, approaches or groups working on pushing back on propaganda?
- So there are tons of people who started working on this in 2018, like verify, dubawa, election fact check, Africa check.
- TIERs award winning book She Called Me Woman: https://www.amazon.com/She-Called-Me-Woman-Nigerias-ebook/dp/B07BH96DQL
- Season 1 of their show Everything In Between: https://www.youtube.com/watch?v=4NBbxEP4pOs
- Documentary Veil Of Silence: https://www.youtube.com/watch?v=wR5dOIUOUjs
- Repeal162: https://www.repeal162.org/
- 1984 is a web hosting company in Iceland that hosts a lot of activist sites, and is linked to security trainers, the Icelandic Pirate Party, and lots of people at IFF
- What can we do in particular instances to help strengthen solidarity,maybe using the Glitter Meetups as a tool in that?
- On of the first things we have to think of is what do these local communities expect as international support and what are their particular needs. We always have to keep in mind that each community is different and they'll need their own specific help or resources.
- One participant pointed that crowfunding specific resources or networks could work.
- A Canadian internet company called Netsweeper is censoring LGBTQ web content and other content protected under international conventions on behalf of numerous regimes with atrocious human rights records.
- Citizen Lab’s latest report used a suite of detection tools to uncover Netsweeper installations in 30 different countries, including 10 that have “raised systemic human rights concerns”: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, the United Arab Emirates, and Yemen.
- According to Citizen Lab’s findings, Netsweeper filtering solutions blocked media sites in Yemen, political campaigns in the UAE, and religious content in Bahrain. But particularly troubling is Netsweeper’s “alternative lifestyles” blocking category, “which appears to have as one of its principal purposes the blocking of non-pornographic LGBTQ content, including that offered by civil rights and advocacy organizations, HIV/AIDS prevention organizations, and LGBTQ media and cultural groups,” the report states.
Questions for next speaker:
- Can you introduce yourself and your organization?
Pablo is part of the team at R3D. Red en Defensa de los Derechos Digitales or The Network in Defense of Digital Rights (R3D, is a Mexican organisation dedicated to the defence of human rights in the digital environment . R3D focuses on defending and promoting human rights in the digital realm through a combination of applied research, advocacy, and litigation strategies. Its work cuts across the themes of privacy, surveillance, freedom of expression, access to the internet, and access to knowledge.
Adam is the Operations Manager at the Citizen Lab at the University of Toronto and Miles is the Communications Specialist at the Citizen Lab. Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
- What is Netsweeper? What does it do and how does it work?
Netsweeper is an Internet filtering product developed by Netsweeper, Inc., who are based in Waterloo, Ontario, Canada. It's used by network administrators and ISPs to control access to content on their networks. It inspects the traffic of users on the network, and if a user requests content that belongs to a prohibited category, it will block it. One of the key features of the product is a web categorization database, where the company assigns websites to a set of content categories. The company posts 'live stats' on the number of web pages here: https://www.netsweeper.com/live-stats/
- What are the Citizen Lab findings that were so troubling?
Citizen Lab published a number of reports on the use of Netsweeper to block protected speech, and in countries which raise human rights concerns. You can read all of our research on this topic here: https://citizenlab.ca/tag/netsweeper/
They found that this technology was being used to filter a range of content, including critical political websites, independent media, and religious content. In five of those countries, we found instances of LGBTQ-related content being blocked.
In some cases, custom block lists were created that prevented access to LGBTQ news websites, critical health information on HIV/AIDS and advocacy organizations like the International Lesbian, Gay, Bisexual, Trans and Intersex Association (ILGA). In other instances, non-pornographic LGBTQ content was miscategorized as pornographic by Netsweeper.
Maybe most troubling, they found that in UAE LGBT content was blocked because it was categorized as belonging to the ‘Alternative Lifestyles” category. Netsweeper describes that category as: “This includes sites that reference topics on habits or behaviors related to social relations, dress, expressions, or recreation that are important enough to significantly influence the lives of a sector of the population. It can include the full range of non-traditional sexual practices, interests and orientations. Some sites may contain graphic images or sexual material with no pornographic intent.”
Their testing in UAE found a variety of websites blocked because they were categorized as ‘Alternative Lifestyles” - GLAAD, the Human Rights Campaign, ILGA, the Gay Men’s Health Centre, and Queerty, just as examples. There are likely many, many more examples which could be included here. It’s obviously quite problematic that they’re using the term ‘alternative lifestyles’ to describe LGBTQ identities, and that they’ve facilitated the easy blocking of LGBT content by allowing administrators to simply click a single box.
Censorship cuts deep many Human Rights that are crucial to guarantee the wellbeing of every human being, but even more of those communities that remain underserved, especially in authoritarian regimes.
In the case of Netsweeper, it’s especially alarming because in many of the countries in the MENA region LGBTQI+ populations are criminalized; not having access to life saving information or to communicate to organizations that can support LGBTQI+ folks in case of emergency.
Citizen Lab has identified Netsweeper in 30 countries. In their "Planet Netsweeper" report, thei focused on 10 case studies of concern. You can see them here: https://citizenlab.ca/2018/04/planet-netsweeper-section-2-country-case-studies/
- Your org R3D has launched a campaign with All Out. Can you explain what are the demands?
R3D found that if they wanted to highlight issues from the LGBTQI+ communities they required to work together with LGBT-led organizations. They also collaborated with Citizen Lab in the past, so bringing the campaigning experience from All Out was that extra push R3D required.
They see that it is time to bring Digital Rights to other movements, to support each other and top working in sylos.
R3D has a Github repository that helps them to collect contributions, and outline the participation process, as well as needs from the group. It's still in development process. https://github.com/TecnoQueers/OutintheOpen/blob/master/README.md
What was really upsetting to R3D and All Out is that Netsweeper has received investements in mutiple occasions from Canadian governement; that they are seen as a good company to invest, and that the Canadian government is not really that interested in holding their accountable for providing this kind of services.
So once more R3D is seeing a case on which governments promote companies that develop software and provide services that are not aligned with the international Human Rights legal framework.
R3D and Citizen Lab know that the Canadian government has offered a variety of different types of support - funding grants, support on trade missions, etc., to Netsweeper.
Both have tried to highlight the contradiction between the Trudeau government's foreign policy which supports LGBT rights globally, and their support of a Canadian company which is selling a tool that facilitates the easy blocking of LGBT websites.
In August, Canada and Chile co-hosted the Equal Rights Coalition (a group of states and civil society organizations that addresses issues related to LGBTQ2+ equality). In the lead-up to this, Citizen Lab sent the ERC and relevant Canadian politicians-- including the Prime Minister and his LGBTQ2+ advisor-- a letter urging them to: condemn LGBTQ2+ censorship; commit to taking specific and measurable action to prevent and address the censorship of LGBTQ2+ content; and affirm that Internet filtering technology providers have a responsibility to respect the human rights of LGBTQ2+ persons by ensuring their products and services do not facilitate censorship of LGBTQ2+ content, and to provide a remedy when such censorship occurs.
The letter can be found here: https://citizenlab.ca/wp-content/uploads/2018/07/citizen_lab_open_letter_erc_sm.pdf
As a part of the UN Guiding Principles on Business and Human Rights, all governments, including Canada, have an obligation to protect against human rights abuse by the private sector, including to “set out clearly the expectation that all businesses enterprises domiciled in their territory and/or jurisdiction respect human rights throughout their operations”, including extraterritorially.
Citizen Lab described all the different types of support the Canadian government provided in section 3.4 of this: https://citizenlab.ca/2018/04/planet-netsweeper-section-3-discussion-conclusions/
- How can other organizations and individuals working on digital rights get involved?
Out in the Open emerged from the need of creating local partnerships to share knowldge, campaign together, and build the capacity of LGBTQI+ orgs on digital related matters. It is a partnership to share knowledge, campaign togeteher and build capacity.
Out in the Open is now in an early stage, making needs assesments and understanding how much work there is on LGBT and Digital Rights.
- If someone use VPN, what will happen? Netsweeper blocks it as well?
Netsweeper does have a content category for "Web Proxies", but to our knowledge in most cases if you already have a VPN configured it will let you circumvent the blocking.
- How can individuals communicate why bringing light to technologies like Netsweeper is important, particularly for LGBTQI communities?
The first step is helping the general public understand that human rights and digital freedoms go hand-in-hand. We are seeing a growing understanding of this as people develop more robust digital lives and as media sheds light on how technologies used can be abused.
The next step is highlighting the inequalities when it comes to HOW these technologies are abused and WHO are most likely to be impacted.
A good rule of thumb is: people don't care about reports; people care about people. So putting a human face on these technical issues is paramount to galvanizing support.
- Is there anything folks in the IFF community do to help improve this research, help collect data, or anything at all to help?
Citizen Lab used a variety of data sources in their Netsweeper reports, and one of the most important is OONI. So run OONI if you can! That might be an obvious suggestion to the people in this meetup, but that data is exceptionally important for informing reports, and Citizan Lab thinks advocacy work is strengthened when it can point to empirical research and data.
- Digital Resources and Recommendations on LGBTQI communities:
DIY Feminist Cybersecurity kit: https://hackblossom.org/cybersecurity/
VPN released an online safety manual for LGBTQI communities: https://www.vpnmentor.com/blog/lgbtq-guide-online-safety/
NYC Anti Violence Project released a Safety Tips for Dating apps here: https://avp.org/resources/safety-tips/
- New report and findings by one of the participants & Aspiration Tech: https://aspirationtech.org/humanrights/reports/practitionersustainabilitysurvey#findings
- How apple is censoring the app store in 150 markets around the world - https://applecensorship.com/
- In Privacy LX they are starting having cryptoparties and Privacy events every month: https://privacylx.org
- Just Associates built this feminist glossary: https://justassociates.org/sites/justassociates.org/files/feminist-movement-builders-dictionary-jass.pdf