Category Archives: Internet censorship

The Internet and Elections: the 2006 Presidential Election in Belarus

On Thursday, the OpenNet Initiative released their report, to which I contributed, studying Internet censorship in Belarus during the 2006 Presidential Election there. It has even managed a brief mention in the New York Times.

In summary, we did find suspicious behaviour, particularly in the domain name system (DNS), the area I mainly explored, but no proof of outright filtering. It is rarely advisable to attribute to malice what can just as easily be explained by incompetence, so it is difficult to draw conclusions about what actually happened solely from the technical evidence. However, regardless of whether this was the first instance the ONI has seen of a concerted effort to hide state censorship, or simply an unfortunate coincidence of network problems, it is clear that existing tools for Internet monitoring are not adequate for distinguishing between these cases.

Simply observing that a site is inaccessible from within the country being studied is not enough evidence to demonstrate censorship, because it is also possible that the server or its network connection is down. For this reason, the ONI simultaneously checks from an unrestricted Internet connection. If the site is inaccessible from both connections, it is treated as being down. Censorship is only attributed if the site can be reliably accessed from the unrestricted connection, but not by the in-country testers. This approach has been very successful at analysing previously studied censorship regimes but could not positively identify censorship in Belarus. Here sites were inaccessible (often intermittently) from all Internet connections tried.

Ordinarily this result would be assumed to simply be from network or configuration errors; however the operators of these sites claimed the faults were caused by denial of service (DoS) attacks, hacking attempts or other government orchestrated efforts. Because many of the sites or their domain names were hosted in Belarus, and given the state strangle-hold on communication infrastructure, these claims were plausible, but generating evidence is difficult. On the client side, the coarse results available from the current ONI testing software are insufficient to combat the subtlety of the alleged attacks.

What is needed is more intelligent software, which tries to establish, at the packet level, exactly why a particular connection fails. Network debugging tools exist, but are typically designed for experts, whereas in the anti-censorship scenario the volunteers in the country being studied should not need to care about these details. Instead the software should perform basic analysis before securely sending the low-level diagnostic information back to a central location for further study.
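A minimal sketch of the kind of client-side analysis described above, as an added example (not ONI's software): `probe` records the stage at which a connection fails, and `verdict` applies the two-vantage-point rule to repeated results. The function names, stage labels and the 0.9 "reliable" threshold are assumptions made for illustration.

```python
import socket
from collections import Counter

def probe(host, port=80, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Return 'ok' or the stage at which a plain HTTP fetch of host fails."""
    try:
        resolve(host, port)
    except socket.gaierror:
        return "dns_failure"            # name did not resolve at all
    try:
        conn = connect((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"            # SYN unanswered: drop, blackhole or overload
    except ConnectionRefusedError:
        return "tcp_refused"            # RST in reply to the SYN
    except OSError:
        return "network_error"          # e.g. no route to host
    try:
        conn.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        return "ok" if conn.recv(1) else "closed_no_data"
    except socket.timeout:
        return "http_timeout"           # connected, but no reply to the request
    except ConnectionResetError:
        return "tcp_reset"              # connection torn down after the request
    finally:
        conn.close()

def verdict(in_country, control, reliable=0.9):
    """Apply the two-vantage-point rule to repeated probe results."""
    def ok_rate(results):
        return sum(r == "ok" for r in results) / len(results)
    inside, outside = ok_rate(in_country), ok_rate(control)
    if outside >= reliable and inside >= reliable:
        label = "accessible"
    elif outside >= reliable and inside == 0:
        label = "filtered_in_country"
    elif outside == 0 and inside == 0:
        label = "down"
    else:
        label = "inconclusive"          # intermittent from one or both sides
    stages = Counter(r for r in in_country + control if r != "ok")
    return label, stages.most_common(1)
```

Intermittent failures seen from both vantage points, as in Belarus, fall into the `inconclusive` branch; the per-stage counts are what would be sent back for further study.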

There is also a place for improved software at the server side. In response to reports of DoS and hacking attacks we requested logs from the administrators of the sites in question to substantiate the allegations, but none were forthcoming. A likely and understandable reason is that the operators did not want to risk the privacy of their visitors by releasing such sensitive information. Network diagnostic applications on the server could be adapted to generate evidence of attacks, while protecting the identity of users. Ideally the software would also resist fabrication of evidence, but this might be infeasible to do robustly.

As the relevance of the Internet to politics grows, election monitoring will need to adapt accordingly. This brings new challenges so both the procedures and tools used must change. Whether Belarus was the first example of indirect state censorship seen by the ONI is unclear, but in either case I suspect it will not be the last.

BBC article on new Chinese TLDs

Since my blog post last week, discussion continues on what has actually happened with the new Chinese TLDs and what the consequences will be. Rebecca MacKinnon’s posting on CircleID triggered an interesting discussion. It has also been mentioned on a few blogs including My Heart’s in Accra, Joho the Blog, China Digital Times, Shanghaiist, Virtual China, the LINX public affairs news and even in a Czech blog which I can’t understand. The ICANN Generic Names Supporting Organization (GNSO) mailing list has a thread discussing the move, as does the DomainState forum.

Michael Geist wrote an article for the BBC, which was also featured in Toronto Star. It includes the quote:

The Chinese development is also noteworthy because it works. Researchers at Cambridge University report that Chinese ISPs recognize the new domains.

I presume this is based on my blog posting, since I am not aware of anyone else in Cambridge having looked into this.

Also in the news is a statement from CNNIC, reported in People’s Daily Online. CNNIC say that reports of new TLDs are inaccurate, but do not explain what the actual situation is. CNNIC’s DNS servers resolve the new TLDs and claim to be authoritative, but perhaps CNNIC mean that they are still only experimental, or simply that the press release did not announce any change. CNNIC are accepting registrations under the new TLDs, which does suggest they consider them official.

As for the discussion about whether what China has done is technically “splitting the root”, in the GNSO thread, Karl Auerbach gives a very succinct description:

It’s a somewhat pointless game of semantics about whether this circumstance is a “split” root or not. However, it has most of the characteristics that ICP3 [link mine] wails about – most particularly names not being globally visible.

I’d say that this situation quacks like a duck and walks like a duck: it’s a non-ICANN approved addition to the top level names of the DNS which is visible to some internet users and not to others.

(And this appearance of a new TLD is true without benefit of plugins or internet exploders.)

It may be an experiment, but if so it’s a rather large one.

New Chinese TLDs

On 28 February, People’s Daily Online published an article entitled “China adds top-level domain names”. This suggested that China was going to take over .com and .net and split off from the conventional domains managed by ICANN and operated by Verisign. This appears not to be the case, but rather the result of a mistranslation. As pointed out by Rebecca MacKinnon, the new top level domains (TLDs) are .中国 (meaning “China”), .公司 (meaning “company”), and .网络 (meaning “net”), which do not conflict with any ICANN managed TLDs.

The normal way to create new TLDs without ICANN’s permission is known as “splitting the root” since it involves creating a new root name server and replacing the root zone file distributed by IANA with your own. For some background on the role of the root zone file there is a short introduction and a slightly longer version by Daniel Karrenberg. Alternative roots are not new, but what makes the current situation different is that the new TLDs have a (powerful) government’s backing and, with around 100m Internet users in China (second only to the US), have the potential to have a far larger user base than any that have come before them.

There is still some uncertainty on how the new TLDs have been implemented. i-DNS produces a plugin for Microsoft Internet Explorer which allows it to access internationalised domain names since, until version 7, IE cannot do this natively. In March 2005 they announced a partnership with the Chinese Ministry of Information Industry to develop the new TLDs and add support to their plugin. Some commenters have assumed that this is the only mechanism used to implement the new TLDs, but as mentioned in the press release, it seems that ISPs have also modified their servers, allowing access to these TLDs from within China without the user having to install any additional software. I do not know when this change was made and how complete the implementation is, but James Seng describes the TLDs as being in operation for 3 years.

It appears that technically China has not “split the root” since there seems to be no new root server. Instead, each ISP might have manually added the three new TLDs to their DNS server configuration. When a domain name under the ICANN TLDs (.com, .net, .uk, etc…) is resolved, the server would go to an ICANN root server to find out which organisation is responsible for allocating second level domains. However, when a domain name under one of the new TLDs is requested, the DNS server already knows the nameserver it needs to ask next and can skip the root server lookup. The advantage of this approach for China is that it avoids the cost and difficulty of setting up a new root server, but the disadvantage is that to add another TLD in the future they would have to ask all the ISPs again, rather than adding it to their root.

Despite this technicality, what China appears to have done is externally almost indistinguishable from splitting the root and carries the same consequences. The primary problem is that a link using one of the new TLDs will work in China but not outside (without a user installing the plugin, or their ISP making a configuration change). This breaks the universality of the Internet and while I will not go into further detail here, the Internet Architecture Board discusses the effects of a split root in RFC 2826, which is in addition to problems of the landrush resulting from any new domain.

I am not familiar with the ISP landscape in China, but I have tried to do some tests to better understand how these changes have been implemented. For testing I am using a DNS server (ns4.bta.net.cn) which I understand to be one used by the customers of a Chinese ISP, but which also allows access from outside. As an example, I used “北京大学.中国” which I think means Peking University in the new “.China” TLD. As Unicode cannot be used directly with DNS, it needs to be translated into Punycode. This gives xn--1lq90ic7fzpc.xn--fiqs8s.

When I ask the Chinese DNS server to resolve this domain name, I get this answer:

$ dig xn--1lq90ic7fzpc.xn--fiqs8s @ns4.bta.net.cn A
...
;; ANSWER SECTION:
xn--1lq90ic7fzpc.xn--fiqs8s. 3600 IN CNAME www.pku.edu.cn.
www.pku.edu.cn. 47863 IN CNAME tulip.pku.edu.cn.
tulip.pku.edu.cn. 85892 IN A 162.105.129.12
...

This means that according to ns4.bta.net.cn, the domain 北京大学.中国 is another name for www.pku.edu.cn and its IP address 162.105.129.12.

If this nameserver was configured only with the IANA distributed root zone file, this request would have failed (as it does on my UK DNS server). Instead, it looks like this ISP has somehow added these three new TLDs. To find out more I asked the server for its root zone, i.e. where it will send requests for TLDs it has not encountered before:

$ dig . @ns4.bta.net.cn NS
...
;; ANSWER SECTION:
. 36996 IN NS A.ROOT-SERVERS.NET.
...
. 36996 IN NS M.ROOT-SERVERS.NET.
...

It returned only the 13 IANA root servers ([A-M].root-servers.net). These do not list the new Chinese TLDs but the server still knows about them.

Here I ask the server which nameserver it thinks is authoritative for .中国 (.China and in Punycode — xn--fiqs8s):

$ dig xn--fiqs8s @ns4.bta.net.cn SOA
...
;; ANSWER SECTION:
xn--fiqs8s. 3600 IN SOA hawk2.cnnic.net.cn. root.cnnic.cn. 2006030104 3600 900 604800 3600

This means that when this server wants to resolve a domain under .中国 it will ask hawk2.cnnic.net.cn. I get the same result with .公司 (“company”), and .网络 (“net”). hawk2.cnnic.net.cn will also resolve domains under these TLDs and considers itself to be authoritative.

Several questions still remain. It is possible that the name server I used is not representative of Chinese ISPs. Also, despite it not listing any alternate roots, it is still conceivable that the server is using one. It may also be acting differently because I am outside of its customer network. However, I think it does demonstrate that there is something happening in addition to the i-DNS plugin.
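The three dig checks above can be automated; the following is an added example, not code from the original post. It parses the answer sections quoted on this page and flags a TLD that a resolver serves even though the resolver lists only the IANA root servers. The function names and the small `IANA_TLDS` set (a constructed stand-in for the root zone at the time of the post) are assumptions.

```python
IANA_ROOTS = {f"{c}.root-servers.net." for c in "abcdefghijklm"}
# Constructed subset standing in for the root zone's TLD list at the time of the post.
IANA_TLDS = {"com", "net", "org", "uk", "cn"}

# Answer sections copied from the dig sessions on this page.
DIG_A = """;; ANSWER SECTION:
xn--1lq90ic7fzpc.xn--fiqs8s. 3600 IN CNAME www.pku.edu.cn.
www.pku.edu.cn. 47863 IN CNAME tulip.pku.edu.cn.
tulip.pku.edu.cn. 85892 IN A 162.105.129.12"""
DIG_ROOT = """;; ANSWER SECTION:
. 36996 IN NS A.ROOT-SERVERS.NET.
...
. 36996 IN NS M.ROOT-SERVERS.NET."""
DIG_SOA = """;; ANSWER SECTION:
xn--fiqs8s. 3600 IN SOA hawk2.cnnic.net.cn. root.cnnic.cn. 2006030104 3600 900 604800 3600"""

def parse_answer(dig_output):
    """Return (name, ttl, rtype, rdata) tuples from a dig ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer and len(line.split()) >= 5:  # skips "..." elisions and blanks
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((name.lower(), int(ttl), rtype, rdata.strip()))
    return records

def follow_cnames(records, qname):
    """Follow the CNAME chain from qname; return (names visited, address or None)."""
    by_name = {name: (rtype, rdata) for name, _, rtype, rdata in records}
    chain, name = [], qname.lower()
    while name in by_name and by_name[name][0] == "CNAME" and name not in chain:
        chain.append(name)
        name = by_name[name][1].lower()
    rtype, rdata = by_name.get(name, (None, None))
    return chain + [name], rdata if rtype == "A" else None

def audit_tld(root_out, soa_out, tld):
    """Compare what a resolver says about its root and about one TLD."""
    roots = {rdata.lower() for _, _, rtype, rdata in parse_answer(root_out) if rtype == "NS"}
    soa = [rdata.split()[0] for name, _, rtype, rdata in parse_answer(soa_out)
           if rtype == "SOA" and name == tld + "."]
    return {
        "tld_unicode": tld.encode("ascii").decode("idna"),
        "roots_are_iana": bool(roots) and roots <= IANA_ROOTS,
        "in_root_zone": tld in IANA_TLDS,
        "soa_mname": soa[0] if soa else None,
        "locally_added": bool(soa) and tld not in IANA_TLDS and roots <= IANA_ROOTS,
    }
```

As the caveats above note, a `locally_added` result describes only what this one resolver reports to an outside client; it does not rule out an unlisted alternate root.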

I did briefly try this plugin and examine some aspects of how it works. Internet Explorer 6 and below do not support internationalised domain names (IDNA) at all. Even though Firefox does, as my DNS server in the UK only uses the IANA root servers, only the ICANN defined TLDs will work. So http://北京大学.cn/ (Peking University) will work in Firefox in the UK and China, as the TLD is .cn, but http://北京大学.中国/ will only work in China, as the TLD is one of the new non-ICANN domains.

Installing the i-DNS plugin adds IDNA support to Internet Explorer but also adds support for the new TLDs. I am not aware of all the details, but when I visit domain-name.中国 it redirects the user to domain-name.cn, domain-name.公司 redirects to domain-name.xn--55qx5d.aced.net and domain-name.网络 to domain-name.xn--io0a7i.aced.net. The nameserver for aced.net is controlled by i-DNS and, as with the DNS server in China, uses hawk2.cnnic.net.cn for further lookups.

It seems that these new TLDs are more complicated than it might first have looked, and this post by no means explains everything. I hope that others will be able to find out more. It remains to be seen what the consequences of this move will be. In their advertisement, i-DNS states that 50m users already have access to these TLDs and if the 4 ISPs which provide access to 95% of China’s Internet users add the TLDs then the remaining 5% will inevitably follow.

Also non-Chinese ISPs with a significant number of Chinese-speaking users will be under pressure to add these TLDs, and have very little incentive to not do so. While previous alternate roots have languished in the obscurity of a narrow user-base, the potential of 100m (and growing) users will make this TLD hard to ignore. Perhaps in an attempt to avoid a split Internet, ICANN will adopt the TLDs and so roll them out to the standard root servers. Whatever they choose, I hope the disruption to the Internet from the resulting politics will not be too severe.

Chinese website registration

The OpenNet Initiative has released a bulletin on China’s website registration policy. This mandates that all non-commercial websites hosted in China be registered with the Ministry of Information Industry (MII), whereas previously this applied only to commercial sites.

Failure to register a site by July 2005 was punishable by a ¥10 000 fine (about €1 000 and 2/3 of an average urban Chinese annual income) as well as removal of the website. Sites are required to put their registration number at the center-bottom of the homepage. Failure to comply makes the owner liable for a ¥5 000–10 000 fine.

Enforcement is not only by the MII, but also by the hosting ISPs. This is encouraged by a ¥10 000 fine for hosting unregistered content. ISPs are also responsible for cutting off sites in violation of these rules; however, IP/port blocks have also been reported, along with the consequent over-blocking of virtual hosts. The MII also operates the “Night Crawler” which searches for sites not displaying a registration number.

Rebecca MacKinnon suggests that this move might shift Chinese bloggers on to commercial sites such as MSN Spaces, Blogbus, Bokee or Sina, which implement their own keyword filtering to prevent themselves being blocked (as Typepad and Blogsome have been). This shifts the cost and accountability of censorship away from the government and to the edges, as has been done for registration enforcement. The remaining bloggers who maintain their own site will be required to register and so are more likely to self-censor.

The registration process is entirely online, and consists of the owner entering personal information (name, address, etc…) as well as the site description, an email address and mobile phone number. The registration request must then be reviewed by the MII and after a few days the owner is notified of the result and given the registration number if successful.

Interestingly, only the mobile phone number and email address are verified by sending a code to them, which ties in well to the compulsory mobile phone registration in December. Criminals in the UK have been known to steal mobile phones to give untraceable communication in the course of committing offences. Perhaps stolen phones will be used in China to produce fraudulent website registrations for people who would like to keep their anonymity?