Press and Internet censorship in Turkey

Article 26 paragraph 2 of the Turkish constitution guarantees freedom of the press and expression. At the same time, it legitimizes a regulatory system for “publications by radio, television, cinema or similar means”. Finally, in paragraph 2, the above mentioned rights of freedom are again undermined by a large number of arbitrarily applicable exemptions. At the same time, a vague formulation about the protection of “the reputation or rights of others and their private or family life” opens the door to restrict freedom of the press and expression. Nevertheless, the government often uses the argument “support of a terrorist organization” as justification for any repression. Accordingly, many journalists find themselves behind bars: at the end of December 2018, there were 68 in jail – no other country (followed by China, Egypt, and Saudi Arabia) imprisoned so many journalists. On average, jailed Turkish journalists spend more than a year in detention awaiting trial, and after that, imposing long prison sentences is the norm. In some cases, even sentences of life without parole have been handed down (“Turkey: Massive Purge“, Reporters Without Borders, 2018).

Cartoon by Tjeerd Royaards.

While Turkey has never been a model for guaranteeing freedom and human rights, the situation has worsened in stages after 2006, 2013, and 2016. The EU has criticized Turkey from early on, and the relationship is often strained not the least because of apparent shortcomings in freedom and human rights. Despite an association agreement in 1963 and a customs union at the end of 1995, the EU renounced accession negotiations in 1997 (to the annoyance of Turkey in contrast to the Eastern European countries and Cyprus), which in the short term led to a break in talks between the EU and Turkey. Quasi for reconciliation, at the end of 1999, Turkey was categorized as an “applicant country” by the European Council. At the same time, the European Council stated that the fulfillment of the Copenhagen criteria would be a prerequisite for the opening of accession negotiations or entry to the EU. The Copenhagen criteria include “institutional stability, democratic and constitutional order, respect for human rights and respect for and protection of minorities”.

In fact, at the beginning of the 2000s, Turkey was trying to meet these criteria. For example, a comprehensive reform of Turkish civil law was undertaken, the death penalty was abolished even in times of war, torture was forbidden, the freedom of assembly and demonstration expanded, and the rights of the Kurds were strengthened. Ironically, today’s Turkish President Recep Tayyip Erdoğan and his Justice and Development Party (Adalet ve Kalkınma Partisi, AKP) were behind many of these reforms. Nevertheless, the new standards were often paper tigers, because, in practice, it proved lacking. For instance, in its report last year, Amnesty International stated that torture is still occurring among people in police custody and that public authorities do not effectively prevent it (“Turkey 2017/2018“, Amnesty International).

Amnesty International activists ride a boat on the Spree, Berlin. They demand the release of Taner Kılıç, founder and president of the Turkish section of Amnesty International. Kılıç was detained by Turkish authorities on 6 June 2017 and charged with use of the smartphone program ByLock and membership of a terrorist organization. One of Turkey’s supreme courts declared in September 2017 that having ByLock installed on the phone of an accused person was sufficient to establish that person’s membership of the Gülen movement. He remained in detention until 15 August 2018.
Amnesty International activists ride a boat on the Spree, Berlin. They demand the release of Taner Kılıç, founder and president of the Turkish section of Amnesty International. Kılıç was detained by Turkish authorities on 6 June 2017 and charged with use of the smartphone program ByLock and membership of a terrorist organization. One of Turkey’s supreme courts declared in September 2017 that having ByLock installed on the phone of an accused person was sufficient to establish that person’s membership of the Gülen movement. He remained in detention until 15 August 2018.
The limited successes of the reform efforts were short-lived. As early as 2006, an intensification of the anti-terrorist legislation led to an increase in journalist arrests. There were also restrictions on the use of the Internet. In May 2007, Law No. 5651 on the regulation and the fight against crime on the Internet came into force. This law was initially promoted to combat sexual exploitation and abuse of children, prostitution, and gambling, but over the years it has increasingly been used as a basis to block all kinds of content the government finds disagreeable. Based on this law, in addition to blocking websites, access to Facebook, Twitter, YouTube, Instagram, WhatsApp, and Skype is repeatedly temporarily blocked, the connection speed is throttled, or access to the Internet is completely blocked (Burcu Selin Yılmaz, Hümeyra Doğru, and Volkan Bahçeci, “What If You Cannot Access the Internet in the Surveillance Society? Individuals’ Perceptions Related to The Internet Censorship and Surveillance in Turkey“, Journal of Media Critiques, vol. 3, no. 11, 10 September 2017, p. 74f). This law has been used as the basis for completely blocking all content on Wikipedia since the end of April 2017. However, the Internet is not only partially blocked: since November 2011, there is also a nationwide filter system. Finally, for the first time, in September 2012, an Internet user was sentenced to one year in prison for insulting the Turkish President Abdullah Gül on Facebook. The increasing censorship of Internet content is also reflected in the evaluation by Freedom House: since 2009, this rating has steadily worsened and has been rated as “not free” since 2016.

A further sustained restriction of freedom of the press and expression – both in the classical sense as well as on social media – took place in 2013. This was due to several events, which, together with social media and conventional reporting had a negative impact on the then-Prime Minister Erdoğan, his political environment, and the AKP. Starting in 2012 and particularly in 2013, several hundred Turkish officers were jailed for past or suspected coups or attempted coups. Overlapping, the conflict with the Kurdistan Workers’ Party (PKK) flared up from October 2011 to March 2013 (and later again from 2015). However, the most influential were the demonstrations starting in late May 2013 in Istanbul against a planned construction project on the grounds of Gezi Park. These demonstrations increasingly became a nationwide, anti-government protest and culminated in December 2013 with the publication of massive allegations of corruption against the AKP government.

The Turkish media have embarrassed themselves. While the whole world was broadcasting from Taksim Square, Turkish television stations were showing cooking shows. It is now very clear that we do not have press freedom in Turkey. — Koray Çalışkan, a political scientist at Istanbul’s Boğaziçi University, cited in Constanze Letsch, “Social Media and Opposition to Blame for Protests, Says Turkish PM“, The Guardian, 3 June 2013.

Because of the lack of coverage by pro-government media, social media played a decisive role in organizing the demonstrations and protests for the Occupy Gezi movement (Erkan Saka, “Social Media in Turkey as a Space for Political Battles: AKTrolls and Other Politically Motivated Trolling“, Middle East Critique, vol. 27, no. 2, 3 April 2018, p. 161). As a result, access to social media and anti-government content on the Internet has been severely restricted. When incriminating recordings of the corruption scandal were published on YouTube and Twitter, the government reacted by temporarily blocking these services entirely. Erdoğan described social media as “the worst menace to society” and the government arrested Turkish Twitter users for the first time. Despite Erdoğan’s negative attitude towards social media, in the fall of 2013 the AKP announced that it wanted to build a 6,000-strong team of young, tech-savvy party members, which would silence government-critical voices on social media (like a Troll army; Erkan Saka, “The AK Party’s Social Media Strategy: Controlling the Uncontrollable“, Turkish Review, vol. 4, no. 4, 7 August 2014, p. 418–23).

2011 protests against internet censorship in Turkey.
2011 protests against internet censorship in Turkey.
The press in Turkey can hardly be called free. Almost all media companies are owned by large holding companies that have connections to political parties. Around a dozen journalists, who had reported positively about the demonstrators during the protests in 2013, were fired. After facing massive amounts of pressure in their media companies in 2014, hundreds of journalists who had previously investigated corruption cases quit their jobs. Law No. 5651, which was strengthened by the AKP in February 2014, expanded state monitoring capabilities. Internet service providers (including Internet cafés and free Wi-Fi providers) were required to keep their users’ activity data up to two years instead of the original one year. This data had to be provided at the request of the authorities without requiring any judicial order (Bilge Yesil and Efe Kerem Sozeri, “Online Surveillance in Turkey: Legislation, Technology and Citizen Involvement“, Surveillance & Society, vol. 15, no. 3/4, 9 August 2017, p. 545). However, parts of the strengthening, such as the two-year retention period, were reversed in December 2016 by a Turkish Constitutional Court ruling.

Starting in 2014, charges against journalists and students for insulting government officials increased. From the beginning of Erdoğan’s presidency at the end of August 2014 until the failed coup attempt in mid-July 2016, 1,845 people were charged with insulting the Turkish president – a criminal offense punishable by up to four years in jail under Turkish law. As a gesture of national solidarity Erdoğan dropped almost all the charges after the failed coup attempt (except for pro-Kurdish parliament members and the German satirist Jan Böhmermann). Since then, however, there have been new charges.

A Turkish soldier who took part in the attempted coup is kicked and beaten by the crowd (Photo: Selcuk Samiloglu).
A Turkish soldier who took part in the attempted coup is kicked and beaten by the crowd (Photo: Selcuk Samiloglu).

After the failed coup attempt in mid-July 2016, repression has once again noticeably increased. To date, more than 96,000 people (including 319 journalists) have been arrested, and around half a million have been investigated (including more than 2,000 young people under the age of 18), more than 150,000 people have been fired (including more than 6,000 academics and nearly 4,500 judges). In addition, 189 media outlets were closed during this period (“Monitoring Human Rights Abuses in Turkey’s Post-Coup Crackdown“, Turkey Purge, 19 April 2019). As of November 2016, 114,000 websites were blocked for political or social reasons. These include news agencies as well as online forums reporting on LGBTI issues, ethnic minorities (especially pro-Kurdish content), and social unrest or show anti-Muslim content.

Page views of the Turkish Wikipedia https://tr.wikipedia.org/ in 2017.
Page views of the Turkish Wikipedia https://tr.wikipedia.org/ in 2017.
Since December 2016, a large number of VPN providers and Tor entry nodes have been blocked. Public censorship can be bypassed with a reasonably stable connection if the Tor client uses OBFS4 bridges. However, this approach only works if web pages are blocked; there is no solution if the overall connection to the Internet is throttled or the connection is blocked entirely (Yılmaz, Doğru, and Bahçeci, p. 78f). Offiziere.ch is aware of a case in which a relatively reliable, permanent connection was made with 15 bridges. In TorBox version 0.2.3, the possibility to use bridges is experimentally implemented, but not yet in a user-friendly way (there is a well-documented configuration file for savvy users). A more user-friendly implementation will be provided with the pre-version 0.2.4 – planned for the middle of this year. Currently, the following VPN providers are available in Turkey: ExpressVPN, NordVPN, AstrillVPN, PrivateVPN, and CyberGhost. Like Tor with OBFS4, they also rely on obfuscated protocols. In any case, the VPN user is well advised to additionally use Tor over VPN so that the VPN provider can only recognize an encrypted, target-anonymized data stream.

Also, in mid-March 2018 ProtonMail was blocked. ProtonMail is an email provider located in Switzerland, which specializes in the free or cost-effective offering of user-friendly encrypted email communication. According to information from ProtonMail customer service the service was accessible again after a few days for users located in Turkey, but based on the information available to offiziere.ch there were at least repeated temporary restrictions. Particularly piquant is that the blocking was carried out by Vodafone Turkey, which is part of the British Vodafone Group. Once again there are companies in democratic states supporting censorship in authoritarian states.

China: The Emergence of Probably the World’s Largest Data-Mining Giant

by Ypsilons 378

The Chinese government plans to monitor its people with a comprehensive social credit system.” The goal is to promote honesty and sincerity in order to promote economic and social progress. In the process, those who betray trust are to be severely punished.

China is currently busy creating a digital data monster with tentacles extending into every aspect of life. This is causing concerns about the rampant frenzy to collect data and how it will be handled. The Chinese social credit system is officially scheduled to go into operation in 2020. From then on, not one of the country’s approx. 1.5 billion inhabitants will be able to escape the state’s rating system.

Education in “goodness”
Zhang Zheng, director of the China Credit Research Center at Peking University, is an important thought leader and theoretician of the Chinese social credit system. His mindset is rooted in his socialization because the economics professor had initially studied mathematics and natural sciences, which requires a rational and analytical way of thinking. However, dealing with human beings and the problems of society requires a broader, more differentiated approach, which is often difficult for dedicated natural scientists. Social sciences are more than just ones and zeros, black and white, right and wrong, good and evil, but the Chinese social credit system is based precisely on this simplified dualistic way of thinking.

There are two kinds of people in this world: good people and bad people. Now imagine a world where the good ones are rewarded and the bad ones are punished — Zhang Zheng zitiert in Martin Maurtvedt, “The Chinese Social Credit System: Surveillance and Social Manipulation: A Solution to ‘Moral Decay’?“, Department of Culture Studies and Oriental Languages, University of Oslo, 2017, p. 1.

Zheng is convinced that the Chinese social credit system, i.e., socialization as a “good” person with the help of digital tools, will become a sustainable cornerstone for the moral order of Chinese society. This system is intended to improve the morals of society. Whether the everyday morals of the people or the business ethics of companies, the system is supposed to that the rules are followed. This has particularly obvious consequences on individuals: good citizens would be rewarded and favored, while bad ones would be sanctioned with severe restrictions in daily life.

Structure and function
The Chinese social credit system is based on centralized databases containing such records as medical and court files, online shopping, posts on social networks, internet search queries, travel plans, and purchases with credit cards or payment apps. These records are then analyzed and weigh this cluster of data to come up with a single score. Companies and institutions will have no choice but to make their data available to the system. However, there won’t be much need to put pressure on Chinese companies, since there are already voluntary systems in place such as Alibaba’s Sesame Credit (with over 450 million active users), Tencent (operator of the successful Chinese messaging, social media and mobile payment app WeChat), and Baidu. China’s private internet companies have indicated that the Communist Party may use their compiled data and cutting-edge technologies because, in return, they will gain access to previously inaccessible government databases.

Looking at Sesame Credit, not only payment behavior but also “habits or preferences” and “personal networks” can influence creditworthiness. According to Li Yingyun, head of development at Sesame Credit, someone who plays video games ten hours a day is classified as a sluggish person, but those who buy diapers frequently are likely to be a parent and are therefore willing to accept a higher degree of responsibility. Ambitious gamers risk a lower score, while those who are responsible get a higher one. It’s also worthwhile to pick friends with high scores because these can help increase your score. However, if your friends have low scores, you risk losing points. If you are looking for a partner, you can advertise with a high score, because Sesame Credit cooperates with Baihe, China’s largest online dating agency. This means, however, that people with low scores will inevitably remain single.

Moral role models: Roncheng's "civilized families" can be admired on such public display boards. (Foto: Simina Mistreanu).
Moral role models: Roncheng’s “civilized families” can be admired on such public display boards. (Foto: Simina Mistreanu).

Pilot operation already running
Companies are not the only ones that are already heavily collecting, processing, and evaluating data. Some three dozen Chinese cities are already experimenting with different social credit systems. For example, Rongcheng, a city of about 670,000 inhabitants on the east coast, has been operating a social credit system since 2014 regarded as a showcase project for a China-wide system. With their Honest Shanghai App, Shanghai operates another popular system, which has also implemented facial recognition. To register, the individual’s is captured with the mobile camera and compared and verified with the electronic identity card. A short time later, users get their first score. This score is updated at the end of each month. The criteria and factors used for a high or low rating are confidential. However, the system takes into account about 3,000 pieces of data per person from almost a hundred government data sources (Rob Schmitz, “What’s Your ‘Public Credit Score’? The Shanghai Government Can Tell You“, NPR.org, 03.01.2017).

Even if individual factors evaluated in the pilot projects are confidential, the Chinese social credit system generally concentrates on the evaluation of four key parameters:

  • Commercial activities: commercial activities form the basis of the system, because one of the goals of the Chinese government is to use the system to improve the trust in the commercial sector among citizens, but also between citizens and business. So if you pay your bills on time, you will have a clear advantage. Incidentally, such credit rating systems are also common in the West (for example, Schufa in Germany and FICO in the US). The Chinese, however, go one step further: those who travel without a ticket or who get into debt with spending are, in many cases, no longer allowed to travel by express train or plane. Last year alone, this penalty was imposed about 6.7 million times, according to the official figures of the Supreme Court.
  • We have had the social credit system in our village for several years now. No matter what we do, we think about our credit points. We support the village where we can. We clean a lot and sweep the public areas. Putting garbage or even grass in front of your own door is not allowed. If someone doesn’t follow these rules, they’re considered dishonest. If the village head asks for anything, we do it. Those who keep everything clean and in order are regarded as role models. — cited in Axel Dorloff, “Sozialkredit-System: China auf dem Weg in die IT-Diktatur“, Deutschlandfunk, 09.09.2017.

  • Social behavior: whether online or off, social behavior plays an important role in the assessment. With a reward and punishment mechanism, the system aims to train residents to behave positively, at least as the government sees it. In Rongcheng, whoever helps others or gets involved in city projects will, for example, get 5-10 additional points. A similar system is in place in Shanghai: those who help older inhabitants or the poor can earn additional points, too, but whether this represents moral progress remains questionable.
  • Administrative activities: the system will also simplify administrative procedures, as unauthorized requests for public assistance will result in a deduction of points. This applies in particular to the submission of petitions critical of the government. Those who criticize the Communist Party in the social media should not be surprised if they end up on the blacklist. Requests from people below a certain score will be postponed or even ignored. On the other hand, people with above-average scores already enjoy preferential treatment.
  • Criminal prosecution: law enforcement is already integrated in Rongcheng. If you run a red light, you will immediately lose 5 points; if you drive drunk or are involved in a brawl, you will immediately be blacklisted. The score serves as a kind of criminal record: the inhabitants of Rongcheng have to regularly present their score for job promotions, for membership in the Communist Party, when applying for a bank loan. Nothing happens anymore without a good score.

Rewards and punishments
The rewards and punishments for high or low scores currently vary from system to system. In Rongcheng, everyone starts with 1,000 points, which then increases or decreases depending on the behavior of the person concerned. The highest rating is AAA, which is at least 1,050 points; at the other end of the scale is D, which is fewer than 600 points. Persons with at least an A rating are on a red list, while those below are on a blacklist. Those on the red list are given preferential treatment for admissions to schools, for social benefits, or even when purchasing insurance. Those in the C Group are checked regularly and are subject to certain restrictions. This could, for example, result in the reduction of welfare payments. Those who appear in the lowest D Group no longer qualify for management positions, lose certain benefits and lose their creditworthiness. Another important aspect is the public emphasis on ethical role models or the condemnation of those who “betray trust”. Usually, names, photos, identity numbers, and in some cases even private addresses are published. The majority will hardly be bothered by this at the moment because about 90% of the inhabitants in Rongcheng have an A (Simina Mistreanu, “China Is Implementing a Massive Plan to Rank Its Citizens, and Many of Them Want In“, Foreign Policy, 03.04.2018).

At Alibaba, a score of over 600 leads to the possibility of taking out a small loan of around 5,000 yuan (around $700) when making purchases in its online shop. For scores 650 and higher, one no longer needs a deposit to rent a car, and you might enjoy the benefits of VIP treatment at certain hotels and airports. From 700 points, additional documents can be dispensed with on a trip to Shanghai, and for a person with at least 750 points, the procedure for applying for a Schengen visa is faster on the Chinese side. Currently, Sesame Credit does not yet seem to be imposing penalties (Rachel Botsman, “Big Data Meets Big Brother as China Moves to Rate Its Citizens“, Wired, 21.10.2017).

I’m being punished for issuing a credit guarantee for someone else. The loan wasn’t repaid and I was punished. When I wanted to buy a plane ticket, I couldn’t get one. As a result, I found out that I can no longer buy tickets. That was in November 2016. I can’t buy plane tickets or express train tickets. — cited in Axel Dorloff, “Sozialkredit-System: China auf dem Weg in die IT-Diktatur“, Deutschlandfunk, 09.09.2017.

Conclusion
The wide range of rewards should not deceive readers about the immense risks of this system. A totalitarian surveillance system is currently being established in China, which, depending on political needs, could quickly turn China into a huge prison. People on blacklists and with travel restrictions report that it is very difficult to be removed from these lists (also read Simina Mistreanu, “China Is Implementing a Massive Plan to Rank Its Citizens, and Many of Them Want In“).

However, the impact may not be limited to China. Even if a politically flavored social credit system is rather unlikely in democratic states, this does not mean that companies operating in democratic states do not want to adopt such a business model. Although China is the salient example of such a system, similar approaches can be seen elsewhere in the world. Companies have been assessing individual creditworthiness for a long time. For example: are you wondering why you can no longer get an Uber? Well, chances are you have a dismal passenger rating. By the way, Uber knows who among their customers has had a one-night-stand (Bradley Voytek, “Rides of Glory“, Uber Blog, 12.03.2012). The Danish company Deemly demonstrates how a “light” social credit system could also be marketed in Western countries. It evaluates the trustworthiness of individuals based on the evaluation of their activities on social platforms. In this context, the “Nosedive” episode in the “Black Mirror” series, a popular critique of technology and its social impact, seems to be right on the money. Besides, it should not be forgotten that internationally active Chinese companies such as Alibaba collect data not only from Chinese citizens but from all their customers (including geodata). With the rewards offered, customers are even voluntarily submitting their data.

The State of Internet Censorship in Egypt

This post and the full report have been published by OONI, a censorship measurement project under the Tor Project, and Egypt’s Association for Freedom of Thought and Expression (AFTE).

Throughout the testing period, between January 2017 to May 2018, more than 1,000 URLs presented network anomalies. 178 of which consistently presented a high ratio of HTTP failures, strongly suggesting that they were blocked. Rather than serving block pages (which would have provided a notification of the blocking), Egyptian Internet Service Providers (ISP) appear to primarily block sites through the use of Deep Packet Inspection (DPI) technology that resets connections.

In some cases, instead of RST injection, ISPs drop packets, suggesting a variance in filtering rules. In other cases, ISPs interfere with the SSL encrypted traffic between Cloudflare’s Point-of-Presence in Cairo and the backend servers of sites (psiphon.ca, purevpn.com and ultrasawt.com) hosted outside of Egypt. Latency measurements over the last year and a half also suggest that Egyptian ISPs may have changed their filtering equipment and/or techniques, since the latency-based detection of middleboxes has become more challenging.

The chart at the right illustrates the types of sites that presented the highest amount of network anomalies and are therefore considered to more likely have been blocked.

More than 100 URLs that belong to media organizations appear to have been blocked, even though Egyptian authorities only ordered the blocking of 21 news websites last year. These include Egyptian news outlets (such as Mada Masr, Almesryoon, Masr Al Arabia and Daily News Egypt), as well as international media sites (such as Al Jazeera and Huffington Post Arabic). Various Turkish and Iranian news websites were blocked (such as turkpress.co and alalam.ir), suggesting that politics and security concerns may have influenced censorship decisions. In an attempt to circumvent censorship, some Egyptian media organizations set up alternative domains, but (in a few cases) they got blocked as well.

To examine the impact of these censorship events, AFTE interviewed staff members working with some of the Egyptian media organizations whose websites got blocked. They reported that the censorship has had a severe impact on their work. In addition to not being able to publish and losing part of their audience, the censorship has also had a financial impact on their operations and deterred sources from reaching out to their journalists. A number of Egyptian media organizations have suspended their work entirely, as a result of persisting internet censorship.

Many other websites, beyond media, appear to have been blocked as well. These include human rights websites (such as Human Rights Watch, Reporters without Borders, the Arabic Network for Human Rights Information, the Egyptian Commission for Rights and Freedoms, and the Journalists Observatory against Torture) and sites expressing political criticism (such as the April 6 Youth Movement), raising the question of whether censorship decisions were politically motivated.

 
“Defense in depth” tactics for network filtering
Security experts are probably familiar with the “defense in depth” concept in which multiple layers of security controls (defense) are placed throughout an IT system, providing redundancy in the event that a security control fails. In Egypt, ISPs seem to apply “defense in depth” tactics for network filtering by creating multiple layers of censorship that make circumvention harder.

This is particularly evident when looking at the blocking of Egypt’s Freedom and Justice Party (FJP) site. Our testing shows that different versions of this site (http://www.fj-p.com and http://fj-p.com) were blocked by two different middleboxes. In doing so, Egyptian ISPs added extra layers of censorship, ensuring that circumvention requires extra effort.

Not only were numerous circumvention tool sites (including torproject.org and psiphon.ca) blocked, but access to the Tor network appears to be blocked as well. Measurements collected from Link Egypt (AS24863) and Telecom Egypt (AS8452) suggest that the Tor network is inaccessible, since the tests weren’t able to bootstrap connections to the Tor network within 300 seconds. In recent months, more than 460 measurements show connections to the Tor network failing consistently. Similarly, measurements collected from Etisalat Misr (AS36992), Mobinil (AS37069) and Vodafone (AS36935) indicate that access to the Tor network is blocked. The Tor bootstrap process is likely being disrupted via the blocking of requests to directory authorities.

“Defense in depth” tactics also seem to be applied in relation to the blocking of Tor bridges, which enable Tor censorship circumvention. Vodafone appears to be blocking obfs4 (shipped as part of Tor Browser), since all attempted connections were unsuccessful (though it remains unclear if private bridges work). All measurements collected from Telecom Egypt show that obfs4 works. Given that bridges.torproject.org is blocked, users can alternatively get Tor bridges by sending an email to [email protected] (from a Riseup, Gmail, or Yahoo account).

Ad campaign
Back in 2016, OONI uncovered that state-owned Telecom Egypt was using DPI (or similar networking equipment) to hijack users’ unencrypted HTTP connections and inject redirects to revenue-generating content, such as affiliate ads. The Citizen Lab expanded upon this research, identifying the use of Sandvine PacketLogic devices (Sandvine is a company based in Waterloo, Ontario, Canada) and redirects being injected by (at least) 17 Egyptian ISPs.

Over the last year, hundreds of OONI Probe network measurements (collected from multiple ASNs) show the hijacking of unencrypted HTTP connections and the injection of redirects to affiliate ads and cryptocurrency mining scripts. A wide range of different types of URLs were affected, including the sites of the Palestinian Prisoner Society and the Women’s Initiatives for Gender Justice, as well as LGBTQI, VPN and Israeli sites. Even the sites of the United Nations, such as un.org and ohchr.org, were among those affected by redirects to ads.

To learn more about this study, read the full report here.

Mass surveillance and security on the Internet

Not five years ago, as Edward Snowden unveiled thousands of classified and secret documents, the world became shockingly aware of a covert, suspicion-independent and global mass-surveillance of the Internet and telecommunication networks, which had been operated by the so-called “Five Eyes” (Australia, Canada, New Zeeland, UK and the USA) at least since 2007. This surveillance relied on monitoring programs such as PRISM (with the more or less voluntary participation of Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, AOL, Skype und Apple), XKeyscore (a system to perform virtually unlimited monitoring of anyone around the world using metadata and content), and Tempora (skimming and caching almost all Internet traffic directly from the network hubs and transatlantic data links). While the public outrage after Snowden’s revelations was unprecedented, this has since largely subsided, and Intelligence Services enjoy once again nearly unhindered ability to siphon off, evaluate and store data on a large scale. With all probability, the methods of the “Five Eyes” and those of their larger partners are even more sophisticated today. What is more, initial sporadic protests had little if any effect: in the US, for example, the legal basis for PRISM and the like was not even challenged at the time, hence it remains firmly in place. Not even the US President, Donald Trump, seems inclined to curtail the powers and behaviour of US intelligence agencies in this respect.

But does global mass surveillance help prevent terrorism? To date, there are no facts that support this thesis. In fact, most attack perpetrators over the last 15 years were already known to the authorities. And very often, intelligence services focus on completely unrelated people and interests. For example, the legal framework in the US allows interception of foreign officials, as well as the gathering of economic and decision-making information with undue purposes such as predicting the future price of oil, or gaining a favourable position in international negotiations – and the NSA is not the only organisation with a political and economic agenda (Emmanuel-Pierre Guittet, “Is Mass Surveillance Effective in the Fight against Terrorism?“, Mapping Security, 11.12.2015).

Access to a website without anonymisation and without encryption: Potential data identification and interception. Everyone can potentially read (click to enlarge) Potentiell liest jeder mit.
Access to a website without anonymisation and without encryption: Potential data identification and interception. Everyone can potentially read (click to enlarge).

To make matters worse, various intelligence services and law enforcement agencies make unrestricted use of the same data pool (Sam Adler-Bell, “10 Reasons You Should Still Worry About NSA Surveillance“, The Century Foundation, 16.03.2017). This creates the prerequisites for undermining the presumption of innocence. And we can hardly understand its relevance: It is nothing less than a human right (Article 11 of the General Declaration of Human Rights), and a basic principle, which distinguishes proceedings based on the rule of law from a witch hunt. For example, it is much harder for a person to prove why research on terrorism was only meant to gather necessary knowledge, and not to prepare for an attack, than it is for state authorities to prove not just vague evidence, but a concrete offence (one or two students can sing a song about it – see here or here). At the same time, another fundamental human right is utterly disregarded: the right to privacy (Article 12).

The mass accumulation of data, regardless of whether an actual suspicion exists, not only places each individual under a disproportionate general suspicion, but also disrespects fundamental human rights. All in all, Snowden’s revelations have not eroded the data gathering voracity of the major intelligence agencies. For example, the NSA Data Centre in Utah is seemingly operative since 2014, after some initial difficulties. This facility is responsible for evaluating and storing data collected by PRISM and other monitoring programs. According to William Binney, former senior technical director at the NSA, this data centre alone holds at least 5 zettabytes (5,000,000,000,000,000,000,000 bytes) of data, which should be enough for the next 100 years.

We kill people based on metadata. — General Michael Hayden, ehemaliger Direktor der NSA und der CIA in “The Price of Privacy: Re-Evaluating the NSA“, The Johns Hopkins Foreign Affairs Symposium, 2014, ab 18′.

For all their power, the “Five Eyes” are not the only organisations that massively siphon off network and telecommunications data. The German Federal Intelligence Service (BND) collects around 220 million metadata records per day, and stores them for up to 10 years (as of 2014; see also: Kai Biermann, “BND speichert jeden Tag 220 Millionen Metadaten“, Die Zeit, 06.02.2015). Of these, the BND submits 1.3 million data records to the NSA on a monthly basis. Another example: Switzerland’s Federal Intelligence Service (NDB) monitors satellite, telecommunication and relating thereto internet connections. Under the name ONYX, the NDB runs a smaller version of the global ECHELON interception system. True to the bartering nature of the intelligence services business, the NDB cooperates with other foreign intelligence services. As a matter of course, Switzerland would not receive any key information from the Americans without some form of trade-off; this was the case, for example, in September 2014 (see: Thomas Knellwolf, “Terrormiliz IS plante Anschlag in der Schweiz“, Tagesanzeiger, 23.09.2014). Ironically, on the very day when Federal Councillor Ueli Maurer publicly stated the “lack of contact” between the NDB and the NSA, documents leaked by Edward Snowden explicitly mentioned Switzerland as a cooperation partner (see picture below).

In spite of all criticisms, every constitutional state establishes political control bodies of varying power, whether this is weak (USA) or strong (Switzerland). And the fact remains that this situation is notably more unpleasant in countries with little respect for the rule of law, let alone in authoritarian regimes, regardless of whether a person lives, does business, or spends his holidays there. In such regions, it is safe to assume that, without protection, all network and telecommunication traffic will be recorded, evaluated and stored. What is more, boundaries between state intelligence services and criminal or violent groups could be fluid. In this type of state, open criticism can swiftly lead to long-term prison sentences (or even worse). Whilst locals develop a certain sensitivity to protect – or censor – themselves, business people and tourists make an easy target for such often shady organisations. Open wireless networks in Internet cafes and hotels invite to work and surf. Are all data really encrypted at all times? Who knows who is sniffing around or actually operating these wireless networks (and do not be misled by the “Starbucks” network name – this says nothing about the actual network operator – see video below).

Or might it be that you have nothing to hide? If so, feel free to disclose all your passwords, emails, credit card details, bank statements, pay slips, tax returns, political orientation, health status, sexual preferences, etc. (see here, here, here ).

But this goes far beyond the rights and safety of each individual. Surveillance exerts a sustained influence on society’s behaviour. The Chinese government (and the Alibaba Group) already endeavour to reap the “benefits” of this social effect: By 2020, a social credit system – already partially implemented – will become binding for the Chinese citizens. Among other things, the allocation of social credit points depends on the individual’s online behaviour – needless to say, always from the point of view of the government. But the system does not stop there: the evaluation and corresponding rating will also factor in offline information. For example, the acquisition of domestic goods may have a rather positive impact on the rating, while favouring imports from certain countries may drag it down significantly. The “social rating” is not only influenced by the own actions, but also by social network i.e. friends and their actions, etc. For example, strong ratings may improve creditworthiness and access to jobs, as well as the celerity in dealing with your bureaucratic processes; conversely, poor ratings might have an adverse effect on all those areas (Stanley Lubman, “China’s ‘Social Credit’ System: Turning Big Data Into Mass Surveillance“, Wall Street Journal, 21.12.2016). It seems obvious that this sort of system implements social control mechanisms that put people straying from the norm under considerable pressure. Indirectly, this enacts a social re-education program to enforce state-compliant behaviour, without any apparent government involvement.

Although China is the salient example of such a social credit system, similar approaches are internationally recognisable. In fact, companies assessing individual creditworthiness have been around for a long time. And are you still wondering why you cannot get an Uber cab anymore? Well, chances are you have a dismal passenger rating (in any case, Uber knows if their customers had a one-night-stand). If you have your eyes open, you will spot such rating systems in many services and apps. In the long run, however, these systems may prove problematic, as increasingly independent social aspects are considered and evaluated. The Danish company Deemly is a good case in point. In this context, the “Nosedive” episode in the “Black Mirror” series, a popular critique of technology and its social impact, seems to have a prophetic nature.

Such long-term trends and their social effects can only be tackled through legally guaranteed protection of privacy and personal data (including the resulting metadata). In doing so, the state plays a pioneering role and sets an example. However, since we are not ready yet, and the current development provides no reason for exuberant optimism, it is worthwhile to build up a certain, minimum self-protection.

But aren’t such protective measures technically complex and expensive to implement? This argument cannot be completely dismissed, as privacy protection and data security do not by improve by themselves. The exchange of encrypted emails between Edward Snowden and the journalist Glenn Greenwald failed initially due to the complexity of the PGP encryption program – despite or possibly because of Snowden’s 12-minute explanatory video (Andy Greenberg, “The ultra-simple App that lets anyone encrypt anything“, Wired, 07.03.2014). We would like to present a few examples and references to show that achieving certain protection level is not rocket science. Of course, the extent of protective measures and their complexity also depends on one’s risk assessment. If, for example, someone in an authoritarian state writes an article for offiziere.ch criticising government policy, or publicly disclosing intelligence information, the author should at least consider an encrypted connection. This also explains why, after a long testing phase, offiziere.ch enforces encrypted connections (recognisable by the “https://” in the address bar of the browser or by the closed lock) – effort for the user: Zero. But that’s not all: If possible, all links included on offiziere.ch are delivered in the encrypted version. This means that a link to Wikipedia – regardless of how it was originally linked in an article – is called in the encrypted version (which is of course only possible where such a variant is actually offered).

Access to a website without anonymisation but using encryption: Contents are protected but meta-data are available and visible to all (click to enlarge)
Access to a website without anonymisation but using encryption: Contents are protected but meta-data are available and visible to all (click to enlarge)

With the above-described measure, in which the user himself is not even involved, the content data is encrypted, which increases the security against eavesdropping. And coverage can be increased significantly with little extra work: the add-on https-everywhere is available for almost every web browser. It ensures that users always reach the encrypted version of a website — if available. However, this does not prevent the accumulation of metadata. Unfortunately, it is still plain to see who communicates with whom and for how long (and much more). Let’s face it: Real anonymity is much harder to achieve, and encryption is but a first step.

The anonymisation effort also depends on the person or organisation from which we wish to conceal our identity. For example, concealing meta-data provides scant protection when the author points to the recently published system-critical article on Facebook. Logging in to Facebook can jeopardise anonymity. This is acceptable as long as the user recognises this authentication. However, there are also applications where this happens automatically (for example with a Google Account for all sorts of things), or where the user remains unaware. One of these hidden methods is so-called “fingerprinting“, whereby the browser inherently transmits metadata, such as the location of the user, if this is not prevented by appropriate measures. If somebody accesses website A and then tries to access content from website B anonymously, an organisation with access to data streams on both websites can use the browser’s “fingerprint” to determine that both websites have been accessed by the same user. Preventing such fingerprinting is very time-consuming for users (preventing cookies is not enough), unless they use the Tor Browser or Tails exclusively.

The Tor Browser encrypts and anonymises the entire web data stream and overcomes Internet censorship, with a negligible effort on the part of the user. As for Tails, it consists of a operating system designed to protect users’ privacy and anonymity. Nevertheless, the effort required from users is slightly higher in this case, because they are limited to a specific operating system, with a certain selection of applications. An interesting yet still budding project is TorBox, which may require some extra effort in the future to provide full anonymisation functionality. In particular, TorBox creates its own wireless network to which desktop, laptop, tablets and smartphone can connect, and their data is encrypted via the Tor network. Still, responsibility for keeping anonymity safe from methods such as “fingerprinting” lies with the user (but the website has some good tips).

Anonymised (with Tor) access to a website and using encryption: Contents are protected and meta-data concealed (click to enlarge).
Anonymised (with Tor) access to a website and using encryption: Contents are protected and meta-data concealed (click to enlarge).

Of course, the above measures are only the beginning of a comprehensive security concept. Additional measures include encrypting disks, ensuring strong passwords (which, however, need not be memorised due to the availability of good password managers), using a secure email environment, transferring encrypted data, and more. Whilst all of these measures are beyond the scope of this article, there is extensive, additional information available. The Tactical Technology Collective offers a comprehensive selection of How-Tos under the project name “Security in-a-Box“. If the account has already been hacked, the smartphone already stolen, trapped by malware, or you are exposed to a denial of service attack, Digital Defenders offers first aid with their “Digital First Aid Kit“. For journalists, in particular, there is the “Journalist Security Guide” recommended by the Committee to Protect Journalists.

Comments or further tips? Contribute to the comment section below!