This year, we have seen an array of different ways governments around the world have tried to alter basic security on the web for users. Much of this was attempted through legislation, direct network interference, or as a request directly from a government to internet governance authorities. On the other hand, we have also seen new anti-censorship mechanisms assist people so that they can regain access to the wider world, providing hope in really dark times.
EU’s Digital Identity Framework
While the European Union’s eIDAS (electronic IDentification, Authentication and trust Services) framework and law is not new and has been in effect since 2014, there were several amendments proposed in the European Parliament that have struck new conversations, and concerns. As a top example, there is a proposed amendment to Article 45 that we believe could fundamentally alter the web trust model as we know it. The amendment would require that web browsers trust third parties designated by the government, without necessary security assurances.
EFF went over the implications and concluded that it is a solution in search of a problem. The proposal would enforce expensive Qualified Web Authentication Certificates (QWACs) for websites, instead of cheaper or free certificates as the safest option for communication on the web; and it could potentially make users vulnerable to malicious activity by government-based Certificate Authorities (or Qualified Trust Service Providers/QTSPs) in a worse case scenario.
December 6th 2022, The Council of the European Union adopted the original amendment language despite the proposals from several committees in the European Parliament that would allow browsers to protect users in light of a security threat by a QTSP. The ultimate decision lies with the Industry, Research and Energy committee (ITRE), and we urge the final vote to ensure that browsers can continue to block certificate authorities that don’t meet security standards, especially when the EU itself is facing member states’ various issues around democracy.
With the Russian invasion of Ukraine came multiple issues around government blocking, censorship and security risk within and outside of Russia. Inside the country, various VPNs and anonymity protocols like Tor have been getting blocked, which we can speculate is most likely to deter dissent and to keep an eye on people’s traffic.
Heavy foreign sanctions were another layer that contributed to the fragmentation of the Russian internet. As businesses cut ties, services like certificate authorities had cut off issuing new certificates to any website with a Russian top-level domain (like .ru). This created space for the Russian government to step in and create its own “Russian Trusted Root CA” to fill the gaps for these websites, paving the way for a lasting “Splinternet” Russia ultimately aspires to. Lastly, requests came from the Ukrainian government to the Internet Corporation for Assigned Names and Numbers (ICANN) to completely cut off Russia’s top-level domains from the rest of the internet. ICANN is the US-based international non-profit that oversees the global system of internet domain names and IP addresses. We explained why this request would not just impact those in the wrong, but negatively affect security on the web for everyone. Thankfully, ICANN declined the request.
Uprising in Iran
On 13th September 2022, Mahsa Amini, a 22-year-old Kurdish woman who visited Tehran with her family was arrested by “morality” police officers, and died in custody three days later. Since then, protests in Iran have been sustained by large swathes of the Iranian people, and in response, the government has blocked many online services within the country. Like in Russia, Iran’s efforts to filter domestic online traffic are not new, and are part of an ongoing effort to deter dissent and lock out important information from the outside world. Back in March, EFF signed a letter to the Iranian government with more than 50 other organizations to urge it to rescind the draconian “Regulatory System for Cyberspace Services Bill”. This bill violates basic rights to privacy and freedom of expression. While it has not been ratified, it has already been suspected that some of its parts have been implemented already. With more recent proven incidents of internet censorship, the government has already crossed that bridge toward a host of human rights violations.
Anti-Censorship Tools Progress
With Iran as an example, we have seen new forms of internet blocking of modern protocols and popular endpoints that support them; such as encrypted DNS and HTTP/3. While we are worried about how governments are evolving to creatively block network traffic, we are also optimistic about developments to help activists get their message out and communicate with others.
One tool that has seen major popularity is Snowflake. This tool helps connect those in countries where Tor is blocked by helping user traffic appear innocuous. You can learn how to “become a Snowflake” and support people under censorship to connect to the open web with our post. Speaking of Tor, the Tor browser has also added a new automatic Connection Assist feature that connects to Tor bridges in case Tor is blocked in your region. This feature ensures that you can now seamlessly connect to Tor Bridges, including with Snowflake.
As reports came in that Signal was being blocked in Iran, the call for Signal Proxies from the president of Signal, Meredith Whittaker, gave a very easy guide on how to create and host a Signal proxy and help people reconnect to the platform securely. While there are reports that these can be blocked if discovered by government censors, there are ways of discretely sharing the address of these proxies, as explained in the guide.
Lastly, this year the Open Observatory of Network Interference (OONI) also rolled out a new online class with the human rights training platform Advocacy Assembly to use OONI’s tools to measure censorship and the real-time data of various frequently blocked websites and services like WhatsApp. This effort could aid in the effort for the open research of more granular cases around the world that could be getting missed.
While internet censorship on a governmental level is tough to combat, we hope to see innovations continue to keep these technologies open and available to the public around the world. Part of that is by keeping internet security strong in places everywhere, not just in those countries traditionally thought of as authoritarian. Promoting and defending end-to-end encryption and ubiquitous encryption on the web even where internet security is strongest in the world will help aid where it is at its weakest.