The State of Internet Censorship in Egypt
Leonid Evdokimov (OONI), Maria Xynou (OONI), Mohammad El-Taher (AFTE), Hassan Al-Azhary (AFTE), Sarah Mohsen (AFTE) 2018-07-02
The report uncovers anomalies on Egyptian networks, including censorship and the hijacking of unencrypted HTTP connections for advertising and cryptocurrency mining.
Last year, Egypt ordered the blocking of 21 news websites. OONI, a censorship measurement project under the Tor Project, responded by publishing a report on the blocking of (at least) 10 media websites, including Mada Masr and Al Jazeera. In an attempt to identify the remaining blocked sites, Egypt’s Association for Freedom of Thought and Expression (AFTE) ran OONI Probe across multiple networks in Egypt. They subsequently published two research reports, uncovering the blocking of hundreds of URLs (which expand beyond media sites).
OONI and AFTE joined forces. Today, we publish a joint research report on internet censorship in Egypt, based on our analysis of OONI network measurements collected between January 2017 and May 2018.
Our research report is available here.
Below we share some of the key findings.
More than 1,000 URLs presented network anomalies throughout the testing period, 178 of which consistently presented a high ratio of HTTP failures, strongly suggesting that they were blocked. Rather than serving block pages (which would have provided a notification of the blocking), Egyptian ISPs appear to primarily block sites through the use of Deep Packet Inspection (DPI) technology that resets connections.
In some cases, instead of RST injection, ISPs drop packets, suggesting a variance in filtering rules. In other cases, ISPs interfere with the SSL encrypted traffic between Cloudflare’s Point-of-Presence in Cairo and the backend servers of sites (psiphon.ca, purevpn.com and ultrasawt.com) hosted outside of Egypt. Latency measurements over the last year and a half also suggest that Egyptian ISPs may have changed their filtering equipment and/or techniques, since the latency-based detection of middleboxes has become more challenging.
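The kind of analysis described above, as an added example that is not code from the report or from OONI: it groups measurements by network and URL, skips cases where the control request also failed, and separates reset-style failures from timeout-style ones. The field names and failure strings follow OONI's web_connectivity measurement format; the sample records, the ASNs, and the `min_samples` and `threshold` values are constructed assumptions, not the report's criteria.

```python
from collections import Counter, defaultdict

def _m(asn, url, failure, control_failure=None):
    """Build one constructed record with only the fields used below."""
    return {"probe_asn": asn, "input": url,
            "test_keys": {"http_experiment_failure": failure,
                          "control_failure": control_failure}}

# Constructed sample data: documentation-range ASNs and .example hostnames.
SAMPLE = (
    [_m("AS64500", "http://news.example/", "connection_reset")] * 4
    + [_m("AS64500", "http://news.example/", None)]
    + [_m("AS64501", "http://news.example/", "generic_timeout_error")] * 3
    + [_m("AS64500", "http://ok.example/", None)] * 3
    + [_m("AS64500", "http://ok.example/", "generic_timeout_error")]
    + [_m("AS64500", "http://down.example/", "connection_reset", "connection_refused")] * 3
)

KINDS = {"connection_reset": "reset", "generic_timeout_error": "drop"}
LABELS = {"reset": "likely blocked: connections reset",
          "drop": "likely blocked: timeouts (packets dropped)",
          "other": "anomalous: other failure"}

def classify(measurements, min_samples=3, threshold=0.75):
    """Label each (ASN, URL) pair by how consistently HTTP requests failed.

    min_samples and threshold are assumed values, not the report's criteria.
    """
    stats = defaultdict(Counter)
    for m in measurements:
        keys = m["test_keys"]
        if keys.get("control_failure"):
            continue  # control request failed too: site problem, not filtering
        failure = keys.get("http_experiment_failure")
        kind = "ok" if failure is None else KINDS.get(failure, "other")
        stats[(m["probe_asn"], m["input"])][kind] += 1
    verdicts = {}
    for key, c in stats.items():
        total = sum(c.values())
        if total < min_samples or (total - c["ok"]) / total < threshold:
            verdicts[key] = "no consistent anomaly"
        else:
            dominant = max(("reset", "drop", "other"), key=lambda k: c[k])
            verdicts[key] = LABELS[dominant]
    return verdicts

if __name__ == "__main__":
    for (asn, url), verdict in sorted(classify(SAMPLE).items()):
        print(asn, url, verdict)
```

A single failed request proves little, which is why the verdict depends on repeated measurements of the same URL from the same network.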
The chart below illustrates the types of sites that presented the highest amount of network anomalies and are therefore considered more likely to have been blocked.
More than 100 URLs that belong to media organizations appear to have been blocked, even though Egyptian authorities only ordered the blocking of 21 news websites last year. These include Egyptian news outlets (such as Mada Masr, Almesryoon, Masr Al Arabia and Daily News Egypt), as well as international media sites (such as Al Jazeera and Huffington Post Arabic). Various Turkish and Iranian news websites were blocked (such as turkpress.co and alalam.ir), suggesting that politics and security concerns may have influenced censorship decisions. In an attempt to circumvent censorship, some Egyptian media organizations set up alternative domains, but (in a few cases) they got blocked as well.
To examine the impact of these censorship events, AFTE interviewed staff members working with some of the Egyptian media organizations whose websites got blocked. They reported that the censorship has had a severe impact on their work. In addition to not being able to publish and losing part of their audience, the censorship has also had a financial impact on their operations and deterred sources from reaching out to their journalists. A number of Egyptian media organizations have suspended their work entirely, as a result of persisting internet censorship.
Many other websites, beyond media, appear to have been blocked as well. These include human rights websites (such as Human Rights Watch, Reporters without Borders, the Arabic Network for Human Rights Information, the Egyptian Commission for Rights and Freedoms, and the Journalists Observatory against Torture) and sites expressing political criticism (such as the April 6 Youth Movement), raising the question of whether censorship decisions were politically motivated.
“Defense in depth” tactics for network filtering
Security experts are probably familiar with the “defense in depth” concept in which multiple layers of security controls (defense) are placed throughout an IT system, providing redundancy in the event that a security control fails. In Egypt, ISPs seem to apply “defense in depth” tactics for network filtering by creating multiple layers of censorship that make circumvention harder.
This is particularly evident when looking at the blocking of Egypt’s Freedom and Justice Party (FJP) site. Our testing shows that different versions of this site (http://www.fj-p.com and http://fj-p.com) were blocked by two different middleboxes. In doing so, Egyptian ISPs added extra layers of censorship, ensuring that circumvention requires extra effort.
Not only were numerous circumvention tool sites (including torproject.org and psiphon.ca) blocked, but access to the Tor network appears to be blocked as well. Measurements collected from Link Egypt (AS24863) and Telecom Egypt (AS8452) suggest that the Tor network is inaccessible, since the tests weren’t able to bootstrap connections to the Tor network within 300 seconds. In recent months, more than 460 measurements show connections to the Tor network failing consistently. Similarly, measurements collected from Etisalat Misr (AS36992), Mobinil (AS37069) and Vodafone (AS36935) indicate that access to the Tor network is blocked. The Tor bootstrap process is likely being disrupted via the blocking of requests to directory authorities.
“Defense in depth” tactics also seem to be applied in relation to the blocking of Tor bridges, which enable Tor censorship circumvention. Vodafone appears to be blocking obfs4 (shipped as part of Tor Browser), since all attempted connections were unsuccessful (though it remains unclear if private bridges work). All measurements collected from Telecom Egypt show that obfs4 works. Given that bridges.torproject.org is blocked, users can alternatively get Tor bridges by sending an email to bridges@torproject.org (from a Riseup, Gmail, or Yahoo account).
Ad campaign
Back in 2016, OONI uncovered that state-owned Telecom Egypt was using DPI (or similar networking equipment) to hijack users’ unencrypted HTTP connections and inject redirects to revenue-generating content, such as affiliate ads. The Citizen Lab expanded upon this research, identifying the use of Sandvine PacketLogic devices and redirects being injected by (at least) 17 Egyptian ISPs.
Over the last year, hundreds of OONI Probe network measurements (collected from multiple ASNs) show the hijacking of unencrypted HTTP connections and the injection of redirects to affiliate ads and cryptocurrency mining scripts. A wide range of different types of URLs were affected, including the sites of the Palestinian Prisoner Society and the Women’s Initiatives for Gender Justice, as well as LGBTQI, VPN and Israeli sites. Even the sites of the United Nations, such as un.org and ohchr.org, were among those affected by redirects to ads.
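One way to flag this kind of redirect injection in measurement data, as an added example that is not code from the report or from OONI: compare the response the probe received over plain HTTP with the response a control vantage point received for the same URL. The `probe`/`control` dictionary shape, the two-label site comparison and all hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def site(host):
    """Crude site key: the last two DNS labels (assumption; a production
    check would consult the Public Suffix List)."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def _redirect_host(resp):
    """Host named in a 3xx Location header, or None if absent or relative."""
    if not 300 <= resp["status"] < 400:
        return None
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    return urlsplit(headers.get("location", "")).hostname

def injected_redirect(url, probe, control):
    """Return the off-site host the probe was redirected to when the control
    saw no such redirect, else None.

    probe/control: {'status': int, 'headers': dict} (hypothetical shape).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None  # the hijacking described affects unencrypted HTTP only
    target = _redirect_host(probe)
    if target is None or site(target) == site(parts.hostname):
        return None  # no redirect, or a same-site one such as an HTTPS upgrade
    if site(_redirect_host(control)) == site(target):
        return None  # the site itself redirects there; the control saw it too
    return target

# Constructed responses for a request to a hypothetical site.
URL = "http://rights.example/"
CONTROL_OK = {"status": 200, "headers": {"Content-Type": "text/html"}}
PROBE_HIJACKED = {"status": 307,
                  "headers": {"Location": "http://ads-affiliate.example/c?id=1"}}
PROBE_UPGRADE = {"status": 301,
                 "headers": {"location": "https://www.rights.example/"}}

if __name__ == "__main__":
    print(injected_redirect(URL, PROBE_HIJACKED, CONTROL_OK))
    print(injected_redirect(URL, PROBE_UPGRADE, CONTROL_OK))
```

A non-`None` result marks a measurement for manual review; it does not by itself identify who injected the redirect.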
Expand upon our research
This study is part of an ongoing effort to monitor internet censorship in Egypt and around the world. Since this research was carried out through the use of free and open source software, open methodologies and open data, it can be reproduced and expanded upon.
Anyone can run OONI Probe on Android, iOS, macOS, Linux, and on Raspberry Pis. Tens of thousands of OONI Probe users from more than 200 countries do so every month. Thanks to their testing, millions of network measurements have been published, shedding light on information controls worldwide.
But censorship findings are only as interesting as the types of sites and services that are tested. We therefore encourage you to contribute to the review and creation of test lists, to help advance future research in Egypt and beyond.
To learn more about this study, read the full report here.