Back in October of 2011, just as the Syrian revolution was in full swing, the Telecomix hacking group obtained 600 gigabytes of data logs from proxies that the Syrian government was using to monitor and censor the country's internet usage. It's taken a few years to sift through the data, but a group of researchers led by Abdelberi Chaabane (Inria) recently published a paper on Syria's real-time censorship program. It is, to the researchers knowledge, the first detailed look at internet censorship in Syria.
In the paper, titled Censorship in the Wild: Analyzing Web Filtering in Syria and published on arXiv, researchers explained that 7 Blue Coat SG-9000 proxies were designed to perform “filtering, monitoring, and caching of Internet traffic,” and are typically “placed between a monitored network and the Internet backbone.” In the Telecomix data set, researchers found that the Syrian government used “transparent proxies” to “seamlessly intercept traffic (i.e., without clients noticing it)," as opposed to explicit proxies, which requires the configuration of a user's browsers.
According to Blue Coat's documentation, filtering can be done on keywords, browser type, website categories, content type, and date and time of day. The proxies can also cache content to save bandwidth. The data collected in this way amounts to over 750 million requests over a period of nine days from July to August of 2011. Chaabane and the other researchers were only able to analyze about 4 percent of the requests, or about 32 million.
Since not all traffic was censored, researchers said this made it hard to determine exactly what was censored or surveilled.
What they discovered in their analysis is that the Syrian government was only filtering about 1 percent of traffic. But, the filtering mostly occurred on instant messaging services and social networks; sites and apps critical to rebel communication and organization. The research noted that censorship reached peaks when users tried to access instant messaging software websites such as Skype. The main triggers for censorship were URL categories (denied or redirected web pages), strings (blacklisted phrases in the URL), keywords, and IP addresses in very specific geographical areas, particularly Israel.
Five keywords in particular triggered censorship when found in the URL—proxy, hotpotshield, ultra-reach, israel, and ultrasurf. A search for “proxy” would provide users with a list of various proxy servers to avoid censorship, although the researchers state that “a large number of requests containing the keyword proxy are actually related to 'non sensitive' content” such as online ad content. Hotspot Shield is a technology that protects user identities, while Ultrareach is the company behind Ultrasurf, a suite of free anonymity and security tools originally designed for Chinese dissidents.
Most censored domains on August 3, 2011. Image: arXiv
While the Syrian government didn't censor Facebook itself, it did block politically sensitive Facebook pages. (Access to the Syrian Electronic Army Facebook page was not blocked.) When users attempted to access these pages, they were redirected to unknown websites. The destination of these redirects is still a mystery. The top two Facebook social plugins blocked by the Syrian government were the “Like” button and “Login Status.” These two plugins also accounted for the lion's share of censorship requests, though they aren't related to “censorship circumvention tools or political content," according to researchers.
Twitter, on the other hand, remained almost completely free of censorship. Indeed, researchers found that of the 28 “major online social media networks” they reviewed, most went uncensored, unless they contained blacklisted words. Since not all traffic was censored, researchers said this made it hard to determine exactly what was censored or surveilled.
On a more positive note, researchers found that Syrian protesters used Tor, VPNs (Virtual Private Networks), web proxies, peer-to-peer networks, Google Cache (which allows access to censored content), and even BitTorrent to circumvent vent censorship and surveillance. In looking at Tor usage, they found that only a small percentage of Tor traffic was censored (1.38 percent), with 99.9 percent of that occurring on a single proxy (SG-44). That is, until Syrian internet service providers began blocking Tor relays in December 2012, according to the researchers.
Protesters' adroit usage of censorship circumvention tools like Tor and VPNs suggests that government censorship isn't some monolithic, all-conquering force. The news that dissidents aren't at some severe disadvantage is also encouraging given the civil strife in the Ukraine and Venezuela, where protesters probably learned a thing or two from their Syrian counterparts.
