The Difficulty of Routing around Internet Surveillance States

Interesting research: "Characterizing and Avoiding Routing Detours Through Surveillance States," by Anne Edmundson, Roya Ensafi, Nick Feamster, and Jennifer Rexford.

Abstract: An increasing number of countries are passing laws that facilitate the mass surveillance of Internet traffic. In response, governments and citizens are increasingly paying attention to the countries that their Internet traffic traverses. In some cases, countries are taking extreme steps, such as building new Internet Exchange Points (IXPs), which allow networks to interconnect directly, and encouraging local interconnection to keep local traffic local. We find that although many of these efforts are extensive, they are often futile, due to the inherent lack of hosting and route diversity for many popular sites. By measuring the country-level paths to popular domains, we characterize transnational routing detours. We find that traffic is traversing known surveillance states, even when the traffic originates and ends in a country that does not conduct mass surveillance. Then, we investigate how clients can use overlay network relays and the open DNS resolver infrastructure to prevent their traffic from traversing certain jurisdictions. We find that 84% of paths originating in Brazil traverse the United States, but when relays are used for country avoidance, only 37% of Brazilian paths traverse the United States. Using the open DNS resolver infrastructure allows Kenyan clients to avoid the United States on 17% more paths. Unfortunately, we find that some of the more prominent surveillance states (e.g., the U.S.) are also some of the least avoidable countries.

Posted on July 7, 2016 at 6:47 AM • 21 Comments
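The measurement the abstract describes, as an added example that is not code from the paper or from this post: map traceroute hops to countries, collapse them into country-level paths, and compute how many paths traverse a given country. The prefix-to-country table and the traceroutes are constructed (documentation address ranges, not real allocations), and the function names are hypothetical.

```python
import ipaddress

# Constructed prefix-to-country table (documentation ranges, not real allocations).
PREFIX_COUNTRY = {
    "192.0.2.0/25": "BR",
    "192.0.2.128/25": "US",
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "KE",
    "203.0.113.64/26": "GB",  # more-specific prefix inside the KE block
}
# Longest prefixes first, so the first hit is the longest-prefix match.
_TABLE = sorted(((ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY.items()),
                key=lambda e: e[0].prefixlen, reverse=True)

def country_of(ip):
    """Longest-prefix match; None for unresponsive ('*') or unmapped hops."""
    if ip == "*":
        return None
    addr = ipaddress.ip_address(ip)
    for net, cc in _TABLE:
        if addr in net:
            return cc
    return None

def country_path(hops):
    """Collapse an IP-level traceroute into a country-level path."""
    path = []
    for hop in hops:
        cc = country_of(hop)
        if cc is not None and (not path or path[-1] != cc):
            path.append(cc)
    return path

def is_domestic_detour(path):
    """Path originates and ends in the same country but leaves it in between."""
    return len(path) >= 3 and path[0] == path[-1]

def fraction_traversing(paths, country):
    """Share of country-level paths that include `country` at any hop."""
    return sum(country in p for p in paths) / len(paths) if paths else 0.0

# Constructed traceroutes from a hypothetical Brazilian vantage point.
TRACES = [
    ["192.0.2.1", "*", "198.51.100.7", "192.0.2.20"],  # BR -> US -> BR
    ["192.0.2.2", "192.0.2.3"],                        # stays in BR
    ["192.0.2.4", "192.0.2.200", "203.0.113.70"],      # BR -> US -> GB
    ["192.0.2.5", "203.0.113.9"],                      # BR -> KE
]

if __name__ == "__main__":
    paths = [country_path(t) for t in TRACES]
    for p in paths:
        print(" -> ".join(p), "(domestic detour)" if is_domestic_detour(p) else "")
    print("fraction via US:", fraction_traversing(paths, "US"))
```

Real measurements depend on the accuracy of the IP-to-country mapping, and unresponsive hops can hide a country from the path.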

Comments

Who? July 7, 2016 7:04 AM

Routing around Internet surveillance states is not the way to go in a world where most backbones and network operators are compromised. The key concept here should not be "around" but "under".

AlexT July 7, 2016 7:21 AM

In other news it is now proven that staying under the rain incurs a significant risk of being wet.

Clive Robinson July 7, 2016 7:41 AM

Hmm,

    Then, we investigate how clients can use overlay network relays and the open DNS resolver infrastructure to prevent their traffic from traversing certain jurisdictions.

Unfortunately, unless you control all the upstream points, this may be a pointless exercise.

There are ways you can "divert" traffic without actually directly getting some kind of administrator level control. The old way used to be by sending false route advertising etc.

But again it is not that difficult to "splice in at level 0" in some way and in effect make a tee down which you send a copy of every bit.

Once you are on the other side of a router you do not control, it could tell you anything and you would have no way of knowing if it was true and what was happening if it was false.

Unfortunately there are few solutions to prevent diversion or copying, thus other protective measures must be used to mitigate it.

A VPN of high quality can hide the data but only sometimes the traffic flow. To limit traffic analysis you need a mix-net with delay / store-n-forward capability in the nodes which unfortunately increases latency. You also need to have an encrypted "ring" style communications between nodes where each node changes every packet that goes through it so that it's not possible for an external only observer to determine the flow of traffic.

You then need further protections such that even controlling a node does not reveal anything about routing or other information. Whilst they do exist such methods have significant issues.

Avoiding surveillance is hard and needs to be considered at many levels.

Winter July 7, 2016 9:18 AM

"Avoiding surveillance is hard and needs to be considered at many levels."

Send encrypted CDs in the mail (surface mail). It is very unlikely such surface mail will make detours involving different continents.

Tatütata July 7, 2016 10:19 AM

Interesting story. If the Brazilians can't manage it, how could Canadians ever hope to avoid blanket surveillance, if this was even a policy objective (which I doubt)?

Theoretically, the five-eyes agreement should protect them, but in practice?

To my knowledge, the two overseas cables currently touching Canadian shores are either dedicated to brokerage firms, designed to shave off milliseconds from transaction orders, or to provide connectivity to Greenland.

Otherwise the overwhelming majority of CA foreign traffic must be routed through the US. A non-negligible portion of domestic inter-ISP traffic must also go through US nodes, even when both endpoints are in the same city.

It wasn't always so.

English-Canadian nationalism and British Imperial designs gave the All-Red phone line in the 1930s, and the microwave transcontinental system in the 1950s.

From 1915 to the 1930s there weren't yet any quality facilities for east-west phone calls, and it was expedient to route calls south.

By technical necessity, early overseas cables touched land, and Canadian telcos had on these their own group of circuits they could use. But when fiber optics came and cable losses became less of an issue, cables just bypassed Canada and landed directly where the real money was...

Even if there was a political will, too many connections land either in the UK, or terminate in places where the US are (or were) also capable of siphoning off the pipes, like apparently in Frankfurt.

The paper is interesting... One hundred years ago the US were very concerned by the British virtual monopoly in submarine cables, and bothered by the (ab)use of it in geographical areas they considered theirs by virtue of the Monroe doctrine, including Brazil. To pry loose the situation, from memory, US operators were encouraged to build their own facilities, radio technology was encouraged, and cable landing rights in the US were leveraged to provide gains elsewhere. I think there are still traces of those policies visible today.

(And there was the case of the Zimmermann telegram, when the US discovered that their private communications weren't so private after all.)

If a country rented dark fibers routed through the US, but decided that all traffic on these was to be bulk-encrypted, how would the US react? Is it even possible under US law?

Tatütata July 7, 2016 10:28 AM

(I forgot to add... And that's assuming that Canuck spooks aren't spying on their own citizens, either by itself or with the complicity of its five-eyes partners).

Goose July 7, 2016 11:36 AM

7 Codes You’ll Never Ever Break ( https://www.wired.com/2012/12/codes/ )

We've asked Kevin Knight – the University of Southern California computer scientist who recently helped crack the 250-year-old Copiale cipher – to walk us through seven of the most confounding codes and give us an idea of what makes these things so tough to break.
THE VOYNICH MANUSCRIPT (1400-1500S)
Few encrypted texts are as mysterious – or as tantalizing – as the Voynich manuscript, a book dating to either 15th- or 16th-century Italy and written in a language no one understands, about a subject that no one can figure out, and involving illustrations of plants that don't exist. Plus it's got Zodiac symbols, astrological charts, illustrations of medicinal herbs, and drawings of naked women bathing while hooked up to tubes. The manuscript's 246 calfskin pages were perhaps meant for alchemy or medieval medicine, but no one knows for sure.
What we do know is that it's written in a language distinct from any European language, and follows a pattern unique to its own. The alphabet ranges from 19 to 28 letters, with an average word length consistent with Greek- or Latin-derived languages, but is missing two-letter words while repeating words at a much higher rate than other European languages. All told, the book has 170,000 characters in it, written from left to right, and there are no punctuation marks.

Bumble Bee July 7, 2016 11:39 AM

Routing "around" internet surveillance isn't or shouldn't be that hard. IPsec was invented for IPv6 (and backported to IPv4) to provide true military-grade encryption. It is freely available for all common operating systems including Windows, Apple, GNU/Linux, and BSD, and as far as I know it is not broken.

IPsec provides two main protocols for transporting data across potentially hostile regimes: the Authentication Header protocol for authenticating IP packets and making them tamper-proof, and the Encapsulating Security Payload protocol that provides encryption as well as authentication. Either protocol can be used in either transport mode (for point-to-point connections) or tunnel mode (for network-to-network connections.)

The main weakness of IPsec is the snooping of secret keys at the endpoints of the connection; my main point in posting this is that adequate encryption is available for transporting data through hostile regimes, provided that hardware and software implementations and secret keys at the endpoints can be adequately secured.

Wo July 7, 2016 7:14 PM

Bumble Bee -

IPSec also has a weakness in that it's overly complicated and is often implemented incorrectly.

I could've sworn I saw documents about this several years ago explaining why. I just can't place my finger on who exactly was the chiefly responsible party......

65535 July 7, 2016 9:28 PM

This resolves back to my question in the “Interview with a NSA Hacker” question:

“We know the NSA has been playing “send the packets around the world” game to bypass privacy laws. Exactly how is this done? Is it bribes paid to peering partners to game the BGP routers? Is it NSA ownership of DNS servers with poisoned entries? Or is it some other method? It would appear uneconomical for ISP’s or others involved in routing of data packets to provide less than optimal routes for sheer economic reasons. “ -65535

https://www.schneier.com/blog/archives/2016/06/interview_with_.html#c6727335

[and]

“Best bet: Exploitation of lawful interception capabilities. It's just not lawful if they abuse them outside US jurisdiction.” –Grauhut

https://www.schneier.com/blog/archives/2016/06/interview_with_.html#c6727369

[and]

“A Cisco ASR 1000 Series Lawful Intercept license for $691.74 On HelpFindit(dot)com. I will not post the link.” -65535

[This for sale to Anybody with 691.74 US dollars]

https://www.schneier.com/blog/archives/2014/01/schoolmontana_n.html

[and]

“…you can "divert" traffic without actually directly getting some kind of administrator level control. The old way used to be by sending false route advertising etc. But again it is not that difficult to "splice in at level 0" in some way and in effect make a tee down which you send a copy of every bit. Once you are on the other side of a router you do not control, it could tell you anything and you would have no way of knowing if it was true and what was happening if it was false.” -Clive

https://www.schneier.com/blog/archives/2016/07/the_difficulty_.html#c6727743

DNS tricks are numerous [including URL scams]. Once a major country starts to game the system through back-doors, “lawful intercepts,” fake route advertising, DNS games and so on, it spreads to other countries. This will end badly.

Dennis July 8, 2016 1:10 AM

@ 65535, "“We know the NSA has been playing “send the packets around the world” game to bypass privacy laws. Exactly how is this done? Is it bribes paid to peering partners to game the BGP routers? Is it NSA ownership of DNS servers with poisoned entries? Or is it some other method? It would appear uneconomical for ISP’s or others involved in routing of data packets to provide less than optimal routes for sheer economic reasons. “ -65535"

If there's no oversight, then there's no such requirement. I don't believe they are doing that.

Stephanie July 8, 2016 8:36 AM

It’s true that the more laws there are, the more ways there are for bypassing them. The government tries to put under control all the spheres of people’s lives. Just a while ago when the Internet appeared we couldn’t imagine that surveillance would be a part of daily routine. Now we can’t just open the webpage without using special services. Nobody could imagine how difficult it would be to be secure. That’s why there’re so many services providing such an opportunity using special encryption.
http://www.theregister.co.uk/2016/04/21/come_get_your_free_opera_vpn/
https://www.bestvpnrating.com/vpnrating/best-vpns-encryption
Using VPN services you can bypass some restricted sites and have free access anywhere you want. But there’s some drawback: as the data is being encrypted all the time, the connection speed is sometimes low. But it’s not so important if your priority is to hide the data. But I can’t understand that if the government controls strictly how it allows to use such services?

r July 8, 2016 12:12 PM

@Stephanie,

First and foremost you catch more flies with honey than you do vinegar, second the US is a reasonably open market. Services like that make good targets for both the MIC I suppose and public domain researchers, it's a good melting pot... If you outlawed encryption or services like that you wouldn't have public researchers studying services that may mirror military or criminal solutions I think. You would probably only have available to you the research granted by more costly endeavors.

Considering what happened to lavabit, it was likely properly setup for the time. Snowden probably knew that from the time he spent inside whatever organizations he was with prior.

Maybe I'm wrong, who knows.

Fantasies Are Good To Have July 9, 2016 1:54 AM

@BB

The main weakness of IPsec is the snooping of secret keys at the endpoints of the connection;

Well, the _main_ weakness of ipsec is that it can be filtered, firewalled, and stopped by any government or network that doesn't wish the relevant internet users to have the ability for private encrypted communications.

Given the state of things in the U.S.A., let alone Russia these days... It's a joke. You'll be able to tell in many years when a solution is actually a viable method. It won't be obviously a joke in contrast with the local government's policies and rhetoric.

But of course what you said is a critically relevant part of the picture as well, and why you should calibrate your rhetoric radar for all the obviously important parts of the equation.

Freezing_in_Brazil July 11, 2016 11:06 AM

It is sad to see the US, the UK and others [which I love and admire as if they were my own land] listed as surveillance states. How did we get to this point? I am myself taking steps to transfer my businesses from US providers to Brazilian ones.

I see the job being done down here. Brazilians abhor surveillance and are acting actively through politics to remain as free as can be achieved in this day and age.

In recent years public opinion has managed to keep the government under leash. There's a legislation called "Marco Civil da Internet" [Internet civilian framework of laws] that prohibits blanket surveillance and establishes net neutrality. I hope we can keep it this way in the next decades.

Tatütata July 11, 2016 6:00 PM

But there’s some drawback, as the data is being encrypted all the time, the connection speed is sometimes low.

The connection speed has essentially nothing to do with encryption, but a lot more with how oversold the VPN server was. With a good VPN connection I practically get the same speeds as over the underlying internet connection.

My essential use for VPNs is to circumvent geolocation and access special content (not the football game). But my real worry is that I don't know who the operators are, despite my best attempts, and where they are actually domiciled. For all I know, they could all be fronts for sh*tty three-letter agencies and log every single byte I send and receive.

I should rent a Linux server in some place I relatively trust, and set up my own private VPN (or VPPN) on it. Cost wise it would be advantageous, especially that I'm really interested in one country anyway. It would also be interesting cost wise, and as an added bonus I could run other applications on it.

cqret July 14, 2016 7:46 AM

mr obvious
"Unfortunately, we find that some of the more prominent surveillance states (e.g., the U.S.) are also some of the least avoidable countries."

808 August 3, 2016 12:41 AM

The security of regional ISP's is still affected by many other things, such as hardware implants in commercial routers. As disclosed by whistleblowers like John Perkins, corporations can also be hijacked by threats and blackmail or the use of black budget funds, so-called foreign aid, and CIA front investment firms. Warrantless mass surveillance was going on for many years before it was legalized, and the threat to democracy can only be understood in the context of the knowledge that the people behind the surveillance state are the covert sponsors of the terrorism which justified it. The world is being hijacked by a protection racket that has no loyalties to any nation, and this was the price of government secrecy. If a nation wants to keep domestic traffic within its borders the only solution might be some kind of wireless mesh network that integrates encryption at the protocol level, with trunks operated by municipal governments rather than national telecom giants. The centralisation of any power or service will naturally attract a criminal element, and that is why the criminal element thrives where centralisation of anything significant is achievable.

@stephanie
Opera VPN is just a proxy, not an encrypted tunnel. It also uses super cookies in the form of a sticky device ID and the privacy policy allows the sale of your data.

@goose
Voynich manuscript appears to be an elaborate hoax and thus cannot be deciphered

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.