[liberationtech] Activists aim to punch holes in online shields of authoritarian regimes (Jim Youll)

Gabe Gossett Gabe.Gossett at
Fri Feb 26 16:59:46 PST 2010

Before getting in too deep into my reply I just want to say that I think we are mostly in agreement on a lot of points.  We, and probably most folks on this list, agree that technology developers should not make false claims of security.  People who do that are likely to come away with egg on their face, if not blood on their hands.  The people who develop censor hole punching technology and market it to people under oppressive regimes should be aware of the risks they may expose their users to.  I'm all for a clearer understanding of the risks of using certain technologies under oppressive regimes.  I, myself, assume that it is very likely someone is monitoring my communications somehow, my own United States government or otherwise.  And I also assume that users of these technologies will realize there are risks.

Moving on:

I will respectfully disagree on two points because as assumptions they lead to faulty conclusions.  Digital information is not forever, necessarily ubiquitous, or even compatible across systems.  It is lost all the time to corruption and obsolescence.  It is diluted by forgeries, cruft, and information that is just plain wrong.  There is no reason for us to think that the digital information we produce now will be preserved in 50 years, much less 5.  The further out you go, the less likely information will be preserved in any form.  It is constantly lost and poorly organized so as to render the information useless or nearly so (as a librarian I encounter iterations of this every day).  If I were to hedge my bets I would go with the posterity of paper over digital mediums.  Preservation will be a major drawback for digital information until we develop archival quality systems.  Don't get me wrong, I'm not trying to disparage digital information.  I'm just pointing out that the hardware storing the information is incredibly delicate over long periods of time.

On to my second point:  There is a strange trend to assume that nothing from history parallels the advent of the Internet.  It is true that there is no equivalent, but there are parallels.  There is in fact a lot from history that we could look to in order to understand how communications circuits in the past relate to communications on the Internet today, but we have to get past fundamental misunderstandings.  Let me point out a few from our exchange about the anti-slavery movement:

>The anti-slavery movement in the US succeeded under cover of darkness and private communications.

This is far from true.  The movement very much succeeded through its success and putting information out into the open and challenging the values and assumptions of whites in the North and South.  Of course there was a component that operated in darkness with private communications out of necessity, but a huge and overlooked aspect of the movement was their ability to widely disseminate information through modern steam presses and a cheap and reliable mail system and their ability to publish information drawn from the South about the horrors of slavery for Northern whites to see.  Communications were often publicly published in pamphlet form.  This technology helped move and spread information more easily than in the past, much as Internet technologies do today.

>Messages, purchases, travels, and communication habits were not logged and stored forever.

I encourage you to visit your local archives. All of the above still exist in archives around the world.  They exist as ticket stubs, journals, letters, etc.

My point is that parallels from the past are worth examining.  They can be more telling than some might think.

Gabe Gossett

From: Jim Youll [mailto:jyoull at]
Sent: Friday, February 26, 2010 1:11 PM
To: Gabe Gossett
Cc: Justin Reedy; liberationtech at
Subject: Re: [liberationtech] Activists aim to punch holes in online shields of authoritarian regimes (Jim Youll)

There is an important place for optimism in the world. But too often, notes of concern about technology are shot out of the sky as fun-killers.

I hope not to be remembered as a fun-killer. I am worried about vulnerable people who trust well-meaning others because all hope for a desired outcome.

Again, this is not about "outwitting." Techies used to look for subtle ways to subvert laws by reading laws as if they were code. But laws don't work that way.
Paul Ohm had a nice post about this problem last year:

The anti-slavery movement in the US succeeded under cover of darkness and private communications. Messages, purchases, travels, and communication habits were not logged and stored forever. There was little back-trail to trip participants up at any moment via data mining, no computers to seize, scan, and give up their secrets and the identities of everyone they'd talked to. Anti-slavery activists had the ability to free themselves of many past ("criminal") deeds the moment those deeds were concluded. Repudiation of past deeds is nearly impossible today when communication, travel, or money are involved even incidentally in those deeds.

There is no equivalent in a world where our movements are tracked by following cell phones and credit card charges, where even this message will be archived forever and could be called up in a data mining search that will correlate it with my telephone calls, online habits, flight itineraries, and god knows what else. I'm a citizen of a "free"(-ish) country.


It is exceedingly hard - and may be impossible right now - to communicate, plan, or publish through online technology without creating unknown and unknowable risks. I would never "assume" that those who might trust a piece of software to keep them or their loved ones from being imprisoned, tortured, or killed, are wholly aware of the risks involved, because they cannot be.  We are at an ugly watershed moment in which it is simply not possible to credibly and completely understand the risks involved in using a computer for risky activities. We haven't even figured out how to make online banking completely safe, and now we're talking about lives and organizations that could be taken down by one "investigation." Forget the stealth surveillance - what happens when they just grab a person's computer or cell phone and start reading?

When surveillance meant guys in black coats and hats hanging around outside the apartment of a suspected troublemaker, at least a social misfit had a chance to know something was up.

Technology may present the appearance of privacy or safety, but cannot completely deliver it. No technology can, today. None will for some time. This is dangerous because it masks the real security condition (unknowable) and merely asserts one of many possible security conditions - the one hoped-for by the developer. When software is deployed into an unknown environment that could have already been compromised, we cannot say whether it is safe to use or not.

Governments are pretty clever when they choose to be.  They just don't advertise it.

Here's an apparent Chinese government effort to keep an eye on the Dalai Lama:


... and Google, a company full of smart people that presumably spends a lot of time and money keeping its secrets safe. Google was successfully attacked by (apparent) agents of government. Google also has loads of staff with the skills to discover such an attack. Ordinary people don't have comparable resources.


I regret that my note evoked the word "deride" in your post today.  Feeling good about safety is not the same as living in safety. Even if one accepts the concept of "less safe," I wonder if there is any useful measure of "how risky" a given online action may be. The ecosystem is made of vulnerable operating systems on vulnerable hardware on monitored networks and I think we may find that there are only two possible answers in many situations: "completely safe," and "not safe at all." For many, "somewhat less safe" may have no meaning. What would "half as safe as not posting to the blog," mean?

It is assuredly the case that some people running "safety" software are using computers or networks that are so completely compromised that the software provides no benefit whatever, and the false sense of security actually leaves them more vulnerable, not less, than if they assumed the computer was not safe. In other cases, we must consider the unknowable risks to an individual and many others - perhaps entire movements - if a single computer (not necessarily an "important" computer) is seized and its memory dumped.

When the risks of technologies cannot be plainly known, privileged developers - and hopeful people everywhere - must be extraordinarily careful not to make things worse.

While the abundance of hopeful thinking in the "freedom through technology" movement is helpful to keep the movement alive, we must consider unintended consequences, even when those consequences make it plain that some "hoped for" property of technology cannot safely deliver what is promised.

I'm saddened that these concerns are considered derisive. I have the highest regard for human life. Technologists claim they can protect strangers in unknown environments from agents of government. This is an extraordinary claim. We must be very careful not to implement "hopeful" technologies. Both oppressive and freedom-seeking technologies exist wholly in the cold worlds of data, networks, policy, and surveillance. Computers that serve the state do not feel hope. They will not be swayed by hope, nor by outrage. They could, in fact, help an oppressive state kill people, stop movements, monitor troublemakers, and solidify its strength by leaking information that - kept apart from technology - might have instead helped disassemble it.

- jim

On Feb 26, 2010, at 11:33 AM, Gabe Gossett wrote:

I do think that the point about people's lives being on the line is a very important one to take into consideration.  I also think, however, that folks living under oppressive regimes are fairly aware that they are never entirely safe from being discovered by government Internet goons.  It would be surprising to me if they had too much confidence in any one piece of software to keep their communications private.  Can we really think anyone in opposition to the government in Iran has a false sense of security ever?  So I would actually claim that it is naïve to think that the users of these hole punching technologies don't have some idea of what they are risking.

One point that I find a little irritating in the article being referenced here are claims that we've never seen something like this before.  Yes, it is true we have never seen the Internet "arms race" (an inaccurate way to phrase it - more like cat and mouse) exactly like this, but the basic movements look an awful lot like many of the information circuits in defiance of oppressive regimes in times past.  For example, the anti-slavery movement in the United States South was also very much a deadly game of cat and mouse focused on technological advances and state governments trying to control the new information circuits created by those advances.  The people on the front lines in the past working to subvert oppressive governments usually knew the risks of seeking and disseminating forbidden information, I think that it is safe to assume the same for modern folks.

It is a good idea to make users aware of the risks they are incurring by letting them know that the applications aren't perfect.  It's not very useful to deride the noble endeavor.

One last point I'll make is that government goons are notorious for lacking creativity.  We might not be able to count on it, but it is possible for a few creative folks to confound large, well-equipped, systems.

Gabe Gossett

From: liberationtech-bounces at [mailto:liberationtech-bounces at] On Behalf Of Justin Reedy
Sent: Thursday, February 25, 2010 4:16 PM
To: liberationtech at
Subject: Re: [liberationtech] Activists aim to punch holes in online shields of authoritarian regimes (Jim Youll)

Hi all,

Sorry to be posting a response about this a few days late, but since I hadn't seen any replies about it yet, I wanted to say many thanks to Jim Youll for that interesting and thought-provoking post about Internet programs trying to get around authoritarian regimes. Fascinating stuff, Jim. It's all too easy to think that every bit helps -- that it is beneficial to take any possible steps to help people get around Internet monitoring and blocking in repressive regimes. It is sobering to realize that lives and livelihoods may rest on the success or failure of programs like Tor and Haystack, and that governments have capabilities (online and off-line) that we may not fully understand.

I'm a newbie to this list and this research area in general, so forgive me if this was painfully obvious to everyone, but I thought Jim's points served as a helpful reminder that technology needs to be combined with many other efforts to help people living under repressive regimes.


Justin Reedy
Doctoral student
Department of Communication
University of Washington
jreedy (at) or jsreedy (at)

On Fri, Feb 19, 2010 at 9:26 AM, <liberationtech-request at> wrote:

---------- Forwarded message ----------
From: Jim Youll <jyoull at>
To: Yosem Companys <companys at>
Date: Fri, 19 Feb 2010 09:11:32 -0800
Subject: Re: [liberationtech] NEWS: Activists aim to punch holes in online shields of authoritarian regimes
I've joined your group virtually before I've had a chance to meet any of you in person, so I hope I'm not speaking out of turn. If I am, I ask a one-time indulgence.

The forwarded article does a better job of voicing concerns about the real-world risks of these technologies than most, but unfortunately pushes them down in significance.  Jon Zittrain's comment at the top sounds low-key but I believe it is not. He's polite to call uninformed technologists "naive."

It's well and good to be a 'cyber warrior' on the sidelines, building "shields" (governments consider them weapons) for those who will put their lives on the line trusting your tech. But it's not an arms race. The battle is asymmetrical because governments have powers that citizens do not.

When the goal is the provision of government-evading technology for the masses, technology cannot overcome one basic problem: that the "good guys'" strategies must be wide open to all - friends and enemies alike - and on the Internet nobody knows who's who. But government countermeasures are nearly always secret, and they stay secret. I'm not talking about open vs. closed source, but about the real-world implementation requirements that turn technology that's good in theory, into technology that's risky in practice.

Tor and other routing protocols are not panaceas. I have worried for a long time that Tor is going to get people killed, if it hasn't already. There's no way to know, is there? A government's playbook and actions are secrets and stay that way.

Internet technologists in particular have for too long believed - wrongly - that "if only the information could get out" then the world can be fixed. In practice, that doesn't work very well as a general rule. In limited situations, absolutely - I've been involved in projects that went both ways. It's dangerous to ignore the limits to efficacy and safety of new inventions that are a consequence of the asymmetric power relationship between governments and citizens. Experimenting on the non-expert and hopeful without informed consent is at least irresponsible, and in some cases immoral. Is a click-through notice sufficient to create truly "informed consent" given the stakes for those with the greatest need for the believed benefits of these technologies?

Even if you're not trying to evade Chinese death-vans, merely attempting to end-run a blockade (perhaps in a friendly place, Australia, let's say) there are risks, including the risk of being the operator of an end-node that emits a few plaintext packets of something that arouses the interest of your government. I'm not a lawyer, but am I wrong to believe that the "Open WiFi" isn't particularly effective these days?

Finally, how many compromised Tor nodes are required on a network before Tor is wholly ineffective? How much traffic does a government allow - rather than blockade - in order to mask both counter-capabilities and scope of surveillance? These aren't paranoid questions - these are the kinds of questions serious cryptographers study every day in their own work over the implementation of products and protocols that are orders of magnitude simpler and easier to manage than something as big and "for the world" as Tor or Haystack.

- jim

On Feb 18, 2010, at 8:05 AM, Yosem Companys wrote:

Activists aim to punch holes in online shields of authoritarian regimes

By John Boudreau

jboudreau at
Posted: 02/15/2010 07:32:00 PM PST

It is the Internet version of David vs. Goliath - computer savvy activists who launch guerrilla tech attacks to punch holes in online shields erected by governments to control what their citizens do online.

One of the newest cyber-warriors is Austin Heap, a 25-year-old San Francisco software developer who helped launch Haystack, a program to help Iranians wiggle past government filters as tensions between authorities and the opposition movement surge.

"It's an arms race," said Rebecca MacKinnon, an expert on Chinese censorship who is familiar with efforts to open up the Internet in Iran as well as other authoritarian countries. "There is no precedence for this."

Heap is not alone. He's one of a growing number of online activists building software tools designed to serve as virtual slingshots to take on government censorship. Experts in the field, though, caution that programs devised to assist dissidents and others trying to elude authorities online are not fail-proof in the never-ending battle of wits and technology between authoritarian regimes and savvy geeks.

"There is no silver bullet," said Jonathan Zittrain, co-director of Harvard's Berkman Center for Internet & Society. Anyone who purports otherwise, he added, risks sounding naive.

Call to action

The tension between online free speech and government crackdowns hit the headlines again last week. During the 31st anniversary of Iran's Islamic Revolution, the government reportedly shut down phone and Internet services, though videos of protesters still made their way onto YouTube. The Iranian government also said it was shutting down Google's Gmail service and would roll out its own e-mail service.

Heap's call to action, though, came last summer after the disputed Iranian presidential election triggered mass protests.

Heap, who was working for a San Francisco nonprofit at the time, joined netizens around the country working to help Iranians report on what was happening on the ground through the social-networking sites Twitter and Facebook. He posted online instructions on how to use "proxy servers" - such as routing an Internet request through another computer to access a blocked Web site. "Thousands and thousands of people around the world turned their computers at home into proxy servers for people in Iran," Heap recalled.

"Somebody had to make a more sustainable and scalable method of getting around the Iranian censorship,'' he said. "These proxy servers weren't going to cut it. We couldn't do this on a massive scale."

By August, Heap and others eventually launched a nonprofit to support their work of making and maintaining the Haystack program aimed specifically at Iranians trying to maneuver around the authorities online. The co-founder and executive director of the group sees his mission as providing a basic human right - unfettered freedom of expression online.

Liberties in U.S.

"We never wake up in the morning and wonder if our cell phones will work, what will happen when I load Gmail, whether or not I can send a text message," he said. "I do not have a lot of respect for an organization that is trying to control people violently and telling them what they can and can't do online."

His desire to help others have unimpeded access to the Internet is deeply personal.

The Internet expanded his world as a teen growing up in Ohio, where he lived in a small town in which students could get "time off to show off a pig at the county fair."

"That was not my thing," Heap said. "The Internet was a way for me to connect to smart people. It was my way to connect with the world."

He moved to San Francisco about two years ago and joined the ranks of those devoted to liberating the Internet from authoritarian interference full time some seven months ago. He quickly garnered the attention of others engaged in the cause.

'Eye of hurricane'

"Austin happened to find himself at the center of a human network and became a clearinghouse of information about what was going on (in Iran) and information about how to get information," Zittrain said. "For people who come forward and find themselves in the eye of a hurricane - there is no other feeling like it: 'Wow, I made a difference.' And that, of course, is what we all want to say.''

Haystack, Heap said, works on two levels. It encrypts online communication and then cloaks it to appear like normal Web traffic.

Jacob Appelbaum, a San Francisco programmer with the longtime open source Tor Project, a cloaking program used by corporations and free speech activists alike, said closed systems like Haystack concern him. He said it has no peer review the way the Tor Project does, which has been created and vetted by programmers around the world over many years.

"He has not opened it up for research," Appelbaum said. "No one has seen a copy of his specifications. There is no way we can understand if the claims that are made (by Haystack) are true."

At worst, a faulty program could put its users in Iran at risk, he said. "That very much concerns me," Appelbaum added. "When people's lives are at risk, it's not a good idea to be arrogant."

But Heap countered that worries about Haystack are part of the larger debate between those who advocate open-source development as a way to pick the brains of a worldwide community and others who embrace a private source code for faster development and security.

Chess match

But many experts say this ever-changing chess game - a deadly one, at that - requires many different tools to combat increasing sophistication of governments determined to clamp down on what citizens can access and not online.

"These tools are essential," MacKinnon said. "It's very good that more and more groups are working on these tools."

In fact, it can be perilous to rely on a small, though trusted, technology.

"It wouldn't be good if people had to depend on just one or two tools," MacKinnon said. "What if something happens to the developers? What if it goes down or a government figures out a way to block it or disable it? It's important to have alternatives."

For those on the front lines, another cyber-weapon is more than welcome.

Haystack is a "great tool," said Mana Mostatabi, online community manager for United 4 Iran, an organization that promotes human rights in the Persian country. However, she added that her group will "wait and see how it develops."

The online free-speech movement is relatively young, she added. The more tools available for activists, the better, Mostatabi said.

"It's not that one is right and one is wrong," she said. "You are going to see more and more of these."

Contact John Boudreau at 408-278-3496.
liberationtech mailing list
liberationtech at

Should you need to change your subscription options, please go to:
