Blocking The Pirate Bay

Swedish website The Pirate Bay (TPB), the world’s largest BitTorrent site, has been in the news over the years for everything from copyright lawsuits and a raid by Swedish authorities, to tangles with powerful organizations like the Motion Picture Association of America. In February 2012, TPB was found guilty of sharing copyrighted material on a massive scale in a case brought by the British Phonographic Industry. Despite these setbacks and perhaps because of the attention, the peer-to-peer network has garnered millions of users (3.7 million in the UK alone) who use it to download and distribute copyrighted content (including music, films and television shows, games, and publications).

On April 27 the UK High Court ruled that the nation’s largest ISPs (serving 94% of UK citizens) would be required to block access to TPB. On May 10 a court in The Hague ordered Dutch ISPs to do the same. None of the five British ISPs (Sky, Everything Everywhere, TalkTalk, O2, and Virgin Media) contested the order, though a sixth, British Telecom, requested more time to consider its position. In the Netherlands, T-Mobile, UPC, KPN, and others will be required to block the site within ten days or face a fine of 10,000 euros per day.

In the UK, the ISPs were required to begin blocking access within weeks, and Virgin Media was the first to act. Its subscribers were unable to access TPB as of May 2. That said, the blockage has proved quite porous despite the fact that the order includes blocking common alternate URLs and numeric IP addresses. An analyst at TechSpot reported on May 4 that “multiple domains… aren’t yet on the block list… I’m able to access the site through my Virgin Media internet connection by simply using a different URL…”

By May 7, TPB rebranded itself The Hydra Bay, displaying as its new logo the mythical nine-headed creature which grew two new heads for every one cut off. This came after the site had announced a traffic boost of 12 million visitors. A TPB insider told TorrentFreak, “we now have time to teach even more people how to circumvent Internet censorship,” and recommended commonly used censorship circumvention methods including VPNs and proxy sites. (View Herdict’s recent primer on Resources for Online Anonymity, Encryption, and Privacy.) A new site, PirateReverse.info, was also launched to provide techniques on accessing TPB from within the UK. On May 8, hacker collective Anonymous appeared to successfully force the Virgin Media site offline for an hour in retaliation for blocking of The Pirate Bay.

The British and the Dutch are not the first to block their citizens’ access to TPB. Previously the site has been blocked with various levels of success in Belgium, Denmark, Finland, Germany, Greece, Ireland, Italy, Malaysia, Norway, and Sweden. In 2009 Wired reported that Facebook was disallowing links to TPB within its platform. Furthermore, it appears that India has also blocked TPB at the ISP level in recent days, informing people who try to visit the site that it has been “blocked as per instructions from Department of Telecom.” A few reports on Herdict have confirmed some of these blocks.

Although much of the recent press has focused on legislative approaches to reducing copyright infringement (SOPA, PIPA, CISPA), the courts have proven to be a potent tool for rights-holders even the absence of such legislation. The British Phonographic Industry succeeded in getting Newzbin 2 blocked in 2011, “the first time that an ISP has been ordered to block access to such a site,” according to the BBC. In the United States the Department of Justice successfully shut down MegaUpload, while Germany successfully convinced a court to place onerous restrictions on RapidShare.

Open Rights Group executive director Jim Killock summed up much of the Internet community’s reaction to the UK ruling in a statement on April 30:

“Blocking the Pirate Bay is pointless and dangerous. It will fuel calls for further, wider and even more drastic calls for Internet censorship of many kinds, from pornography to extremism. Internet censorship is growing in scope and becoming easier. Yet it never has the effect desired. It simply turns criminals into heroes.”

Resources for Online Anonymity, Encryption, and Privacy

There are many tools available to help Internet users reach the content they seek more securely, safely, anonymously, and reliably. But the thicket of acronyms and technological terms can be intimidating to many people. What’s a VPN? How is that different than a proxy? Does “private browsing” stop my ISP from looking at my data? The complexity can cause people to throw up their hands and do nothing.

We put together this primer because inaction born out of confusion is the worst outcome. In the cat-and-mouse game against censors and snoops, there are many tools that can help, but they do very different things and they aren’t perfect. Although, there is no wholly foolproof and undetectable manner of anonymous, encrypted, private browsing, the resources we describe below are better than nothing.

Below we will map out the basics of several options available to users—including proxies, VPNs, and Tor—as well as future emerging technologies like Telex. This is meant to be an introduction to the types of tools that are available, as well as an introduction to the limitations and risks of each. We have not tested all of them, so as always, do your own research before trusting a third party with your data.

“Private Browsing” Mode in Web Browsers

How It Works: All of the major web browsers offer a “Private Browsing” function. When this function is activated, everything that the browser usually stores on the local computer—browser history, caches, cookies, download lists, form data, passwords, and other temporary files—is deleted when the browser is closed or the function is turned off. Private browsing limits what files are saved to your system so that it is more difficult for someone with physical access to your computer to trace your steps. It also makes it harder for sites to track you because their cookies are deleted.

Limitations: People mistakenly believe that “private browsing” anonymizes them to the websites they visit and makes their communications private. Unfortunately, that’s not true. Even with private browsing mode on, anyone intercepting or handling your traffic can see what you’re doing. For instance, ISPs can still record what sites you visit. And if you log into a site like Gmail, Google will still be able to associate all your actions on the site with your username, even if private browsing is enabled. Moreover, private browsing may not even stop sites from tracking you. A 2010 Stanford study determined that some sites can both determine information about visitors as well as leave behind traces on users’ systems. For instance, plug-ins installed in the browser can still track users through an independent system of cookies and temporary files. Thus, private browsing only protects you against someone who is using your computer and snooping through your browsing history. And someone with that kind of access to your computer could install a keylogger or other hidden program that records your keystrokes. Despite these limitations, private browsing can be a helpful way of reducing the amount of information that is recorded on your computer when browsing.

Resources:

Your Guide to Private Browsing | HuffPost Tech: menu commands and keyboard shortcuts to launch a private browsing session in IE, Firefox, Chrome, Safari, and Opera.
Private Browsing: Activating Private Browsing Mode in Your Favorite Browser | About.com: graphic tutorials on launching private browsing sessions in IE, Firefox, Chrome, Safari, Opera, and Flock; tips for private browsing on iPad, iPhone, and iPod touch.

Secure Browsing (through HTTPS)

How It Works: HTTPS is a way for users to protect the content of their communications from eavesdropping. When browsers don’t use HTTPS and transmit data openly, anyone along the path between the browser and the destination can view what is transmitted (that includes the ISPs that carry your traffic, or individuals surreptitiously intercepting the data). By encrypting the data, you make it much harder for anyone other than the intended recipient to see the content. Most major sites that require you to log-in (Google, Facebook, Twitter) and sites that transfer sensitive information (banking sites) now offer an encrypted connection. (Instead of http://www.google.com, your address bar will read https://www.google.com).

Limitations: Many sites don’t offer HTTPS, and some that do default to unencrypted HTTP or go back to unencrypted pages after the log-in process. Because of that, users must keep an eye on when they are encrypted and when they are not. Using a resource like HTTPS Everywhere can at least ensure that you connect using HTTPS for those sites that have that option. It’s important to remember that even if you connect to a site like Gmail using HTTPS, you are not hiding the destination only the content; an ISP or a government can still know you’re visiting Gmail. HTTPS is also not foolproof, as it is possible for a determined party to pretend to be the destination, in what is a called a man-in-the-middle attack.

Resources:

HTTPS Everywhere is a Firefox and Chrome extension from the Electronic Frontier Foundation. It will automatically switch sites from HTTP to HTTPS whenever possible and warn users about web security holes.

Circumvention & Anonymity

Among the greatest threats to Internet freedom are filtering and surveillance. These related issues either prevent you from accessing the content you want or allow third parties to keep track of what content you do access, respectively. Many of the tools to evade one also help with the other, so we discuss them together below. In most cases, these tools will help disguise your IP address, the sites you’ve visited, and technical information about your device, while possibly helping you access censored content.

Proxy Servers

How They Work: A proxy server is a machine that stands as an intermediary between your machine and the content you are trying to reach. Proxies can help evade censorship or filtering when connections to the proxy aren’t filtered but the desired content is. When you connect to censored content through a proxy, the censor will see only your connection to the proxy, not the verbotten content. Proxies also provide some anonymity because to the destination server, you look like you’re coming from the proxy server, not your actual origin. Web-based proxies are the easiest way to use a proxy server. Simply visit a proxy website with your prefered browser, enter your target URL, and the proxy site will then relay the request and deliver the site content back to you. There are also a number of downloadable clients for both Mac and Windows that connect your system to a proxy server.

Limitations: There are several downsides to using proxies, ranging from annoyances to serious security threats. On the annoyance side, because your data is passing through a single, fixed (and likely overloaded) point, it is not uncommon to experience slow load times and connection errors. On the security side, because all of your data is passing through a single, fixed point, it is easy for nefarious individuals to intercept any unencrypted data (using HTTPS or VPNs in addition to a proxy may address these concerns, but they have their own limitations described elsewhere in this post). In fact, sometimes hackers set up proxies with the express purpose of collecting user details, so it is important to carefully choose a trusted proxy. Using proxies can often be a game of cat and mouse; countries that filter sites often block known proxies, forcing users to move to a new, lesser known proxy. In some cases these same governments may create proxies specifically so they can monitor all the traffic and identify users.

Resources

Web-based proxies (via Techlicious):

• Anonymouse
• HideMyAss

Downloadable proxy clients:

• Alkasir (Windows – English, Arabic) Learn more about Alkasir.
• Freegate (Windows – English, Chinese, Persian, Spanish) Learn more about Freegate.
• JonDo (Mac, Windows, Ubuntu, Linux, Android – English, German, Czech, Dutch, French, Russian) Learn more about JonDo.
• proXPN (Mac, Windows, and iPhone – English)
• Psiphon (Various configurations, including a lightweight web proxy that runs on Windows and Linux plus a cloud-based solution) Learn more about Psiphon.
• SabzProxy (Mac, Windows, Linux – Persian) Learn more about SabzProxy.
• Simurgh (Windows – English) Learn more about Simurgh.
• Ultrasurf (Windows – English) Learn more about UltraSurf. Also note Tor’s recent report detailing Ultrasurf security holes and Ultrasurf’s response.
• Your-Freedom (Mac, Windows, Linux – 20 languages) Learn more about Your-Freedom.

VPNs

How They Work: Like proxy servers, Virtual Private Networks (VPNs) route users’ traffic through their own servers. What makes VPNs different from a standard open proxy is that VPNs authenticate their users and encrypt data. Additionally, because of how VPNs are configured, they are more likely to work with software on your computer that you use for email, instant messaging, and “Voice over IP” (VoIP).

Limitations: VPNs share some of the same risks as proxy servers. Because all of your traffic is passing through a single point, your security is only as good as that of your VPN. Some VPN services keep traffic logs, and free services in particular may be disposed to sell your information to advertisers or turn it over under pressure from authorities. Free ad-supported VPNs may limit your bandwidth; paid VPN services are generally more reliable and come with a much higher bandwidth. It is important to keep in mind that the VPN provides a secure connection between you and the VPN, but not between the VPN to your ultimate destination. The use of HTTPS and other standard measures are still necessary to secure your connection your destination.

Resources

There are hundreds of VPN services online. What follows is a list of several popular services, both free and paid (via AnonymissExpress, How to Bypass Internet Censorship, and Techlicious.) View this wiki for a longer list of free and paid VPN providers, including monthly fees and technical characteristics. Note that some services are known to log IPs.

Free VPN Services:

• CyberGhost (English, French, Italian, German, Spanish)
• Hotspot Shield (English) Learn more about Hotspot Shield.
• VPN Reactor (English)

Paid VPN Services:

• AirVPN (English)
• Anonine (English, Swedish)
• Anonymizer (English)
• Banana VPN (English)
• IPREDator.se (English, Swedish)
• IVPN (English)
• LogMeIn Hamachi (12 languages)
• Perfect Privacy (English, French, German)
• Relakks (Chinese, English, Swedish)
• SecretsLine (English, French)
• SecurStar (English, German, Italian, Portuguese, Romanian)
• Steganos Internet Anonym VPN (English, French, German)
• StrongVPN (English)
• SwissVPN (English, French, German)
• Tiggerswelt (German)
• UnblockVPN (English)
• VPN Accounts (12 languages)
• VPN Gates (English)
• VPNod (English)
• Vpntunnel.se (English, French, German, Swedish)
• WiTopia personalVPN (English)
• XeroBank (English)

Tor

Tor (“The Onion Router”) is free, downloadable encryption software for online anonymity, recommended by the Electronic Frontier Foundation (EFF).

How It Works: Like proxies, Tor hides your IP address and location by routing your requests through another server. Tor, however, goes through multiple intermediary servers, a series of machines operated by volunteers all around the world. To the destination site, it looks like you are coming from the computer that was the last stop in the Tor journey, not from your computer. The Tor Browser Bundle works with Firefox and is available for for Mac, Windows, or Linux. It can also be stored on a memory stick for use on public computers.

Limitations: As with proxies, using Tor can be rather slow due to the number of servers between you and your destination. Furthermore, while data is encrypted between servers, it is unencrypted when the final server communicates with your destination. Those operating this “exit node” can see your log-ins, passwords, and other data (unless you have a secure “HTTPS” connection with the website you’re visiting), and it is “widely speculated that various government agencies and hacker groups operate exit servers to collect information” (Techlicious).

Emerging Technologies

Telex is a work-in-progress that is intended “to help citizens of repressive governments freely access online services and information.” The concept is this: when you request a website blocked in your country, Telex software on your computer changes your request to an allowed, decoy site. At the same time, it adds a hidden cryptographic tag to your request that only Telex can see. Telex will deploy boxes to locations along the Internet backbone and these boxes will use deep packet inspection to locate the cryptographic tag. The box will decode the tag to get your original intended destination, and will route your request to that site. Using that approach, Telex would enable people to access blocked content by making it appear that they are trying to access allowed content instead.

Sources and Further Reading

• Circumventing Internet Censorship from Open Security Research
• Five smart ways to keep your browsing private from CNET
• How to Browse the Web Anonymously from Techlicioius
• How To Bypass Internet Censorship from AnonymissExpress
• How to Bypass Internet Censorship (an ebook from howtobypassinternetcensorship.org)
• How to Surf the Web Anonymously from How Stuff Works
• Operation Encrypt Everything
• Protecting Your Security Online from Access
• The Surveillance Self-Defense Project from EFF
• Which VPN Providers Really Take Anonymity Seriously? from TorrentFreak

Tracking Censorship Openly

On Monday, Andy Greenberg with Forbes wrote a blog post about the Open Observatory for Network Interference (OONI).  OONI is a new tool for helping to identify Internet censorship.  As I recently wrote on Google’s policy blog, identifying censorship, filtering, and other web blockages is a difficult challenge, and addressing it requires obtaining data from all different sources.  To that end, we’re glad to have OONI and the great minds behind the Tor Project working on this.

I wanted to clarify, however, some inaccuracies about Herdict from the article.  Arturo Filasto said of OONI:

This came from a bit of disappointment over the fact that all the existing tools out there for monitoring censorship were either not using open methodologies or not making their data available.

While I can’t speak for other projects, this certainly isn’t true for Herdict.  As a crowdsourced project, our methodology is both open and simple: when people can’t reach the content they want, they report it to us through our site, our browser add-on, Twitter, or e-mail.  Our data is open, too.  Those reports are immediately made available on our site, and we even have a query API for researchers to pull out as much of our data as they want or need.

We are and have always been strongly committed to openness.  Our mission is to bring transparency to Internet accessibility, and that requires being transparent about our data and methodology.  We look forward to working with OONI and others in bringing additional transparency and openness to the web.