 My name is Kaustubhai. Well, I'm a technologist and a researcher. And I work for an organization, a small NGO called Tactical Tech, based in Berlin, which primarily works with rights activists, helping them use digital technology and information more effectively in advocacy work. But I also spend chunks of my time in India, where for the last few years I've been doing some research around the current state of internet censorship and mass surveillance that the government of India has been implementing in that country. Today I'm going to be discussing a specific incident that happened earlier this year, which was a censorship order or a censorship order that the government of India issued, which brought down a bunch of really popular websites for several days in the country. And I'm going to talk about what prompted this order, how it was issued by the government, the Ministry of Communications and Information Technology of India, how the ISPs reacted to it and implemented these blocks, and what they could have done differently. And also some of the research we did about how these blocks were implemented in terms of what technology was used by the internet service providers and how users could circumvent these specific blocks. So last year, around the 17th of December, there was a censorship order issued by the Ministry of Communications and IT, which asked every single internet service provider in the country to block access to 32 websites. We saw a bunch of websites going down every now and then across different ISPs in the country didn't quite understand what was going on until the 31st of December, which was a day after last Congress when I woke up in a hotel room in Hamburg to a copy of the secret order that was leaked, which revealed that there was a ban implemented by the MCIT, which was issued to every single ISP and asked the ISPs not to disclose that this order was issued or what was in that order. That's not sure how legible that is on the screen, but basically what this said was block 32 URLs that are listed in this letter immediately and that no ISPs allowed to actually disclose the contents of this letter or reproduce the names of the URLs in the letter. This was done using the Section 69A of the Information Technology Act, which the IT Act is from the year 2000, but it was amended in 2008, right after the Mumbai terrorist attacks, and now is this draconian law, which is used by the government of India to conduct enormous amounts of mass surveillance, but also censorship in the country. We've had some wins to get rid of specific sections of this act, one of which was called the 66A, which in the face of it existed to prevent online harassment, but was well mostly used by powerful politicians to go after innocent citizens trying to criticize governance in the country. 69A still exists. Unfortunately, it's something that gives them a lot of control over being able to block any internet resource without having to go to the courts. And this is what was used. And what this does not state, however, is that these orders have to be secret. That was something that they said in that order and then said that any ISP who refused to keep that order secret could be, well, they could take action against them. Now what were, what was the reason? This is something we learned a little bit later. The reason that they sent the secret order out turns out was because the Mumbai police, the anti-terrorism squad of the Mumbai police on the 15th of November went to the Ministry of Communication and IT and said that we've found instances of jihadi propaganda on, by international groups, on specific websites. Therefore, we would like you to pass an order requesting ISPs to block access to these websites. Some of the URLs that were affected were, I'll give you a second to process that. Yeah, github.com, vimeo.com, pastebin, sourceforge, archive.org, amongst others. Turns out they found some objectionable content on gist.github.com and on pastbin.com, which prompted them to, say, block these. We have no idea why vimeo was blocked. Something that I find disturbing and hilarious at the same time was, sourceforge, a specific URL that was, that was blocked on sourceforge was an open source project, which was a clone of pastbin. So they were not blocking content in this case. They were actually blocking access to open source code, which they did not want people to download. That's the complete block list. Probably not very legible again. But it's mostly basebin and similar services. It also has some free web hosting services, which are blocked, and popular media services, such as vimeo.com and dailymotion.com and archive.org, which is basically the largest internet archive on the internet. So yeah, this was New Year's Eve. I was at a party with a few friends, a bunch of geeks, like we do on New Year's, hang out with our friends. And I started talking to a few people. A couple of them are in this room right now. And we thought it may be a good idea to conduct some investigation about how these blocks were being implemented and how people could circumvent these blocks. So between the 1st and the 3rd of January, we spent several hours trying to collect censorship measurements across multiple ISPs in India. We were able to do this across seven different ISPs, including the state-run Mahanagar Telecom Nigam Limited, which is one of the largest ISPs in India, and Tata Communications, again one of the larger internet service providers in the country. And we realized, well, the block order specified what to block, but did not actually say how this block should be implemented. I'm not surprised about that. And unsurprisingly, this led to different ISPs using various different techniques to block these URLs. In some cases, the same ISP was using different techniques to implement these blocks. And we collected this data over a period of a few days and realized that there were multiple different techniques being used. And the most common ways we found were either, well, MTNL in this case was using a combination of DNS hijacking, where basically their name resolvers just point you to a different IP and not the IP address of the actual host that you're requesting. In some cases, they were basically blocking any direct access to the IP or the host requested. In some scenarios, they were only blocking HTTP URLs. Therefore, you could just access something that was blocked by going to the HTTPS, the secure version of that website. The most invasive method that was being used, definitely by Tata Communications and a few others, was the packet inspection, which is an ISP actively dissecting users' traffic and denying access to any unauthorized content. We used a few different ways to try and collect this data. One of the ways was to use a popular open source censorship measurement toolkit called UNI, the open observatory of network interference. And we also relied on a lot of friends who were in India. We were all in Berlin. We did not actually have access to machines connected to networks in India. So we remember waking up a bunch of friends in the middle of the night going, hey, what's going on? If you try to access this, can you tell us what's going on? Can you try and run these tests for us? And some people actually did stay up really late at night in India and helped us do this, which was great. We also did a lot of two people who were very, very helpful doing this were Leif, Riga, and Aaron Gibson, who are right here in this room. And Aaron happens to be one of the developers of the UNI project. And thanks. So we documented all of this in a couple of articles, which I have links to in a later slide if you want to read more about the specific forms of specific techniques used by the ISPs and how we could circumvent these bands. And yeah, to circumvent them, like I said, some ISPs are only blocking HTTP versions of the website. And we were just able to get to them using the HTTPS version. Irrespective of that, I highly recommend that everyone just use HTTPS everywhere in their web browsers at all times, which is a plugin developed by EFF, which for a lot of websites will present you with an HTTPS version of the website, even if you make a request to the HTTP version. DNS-based, DNS hijacking could be circumvented by just using a different name server. There's a lot of public name servers out there, most popular ones, a couple of really popular ones, being the Google's public DNS and OpenDNS. There were a few others. Basically, any public DNS server that was outside of India helped us circumvent DNS hijacking. We realized that at no point were we not able to access any of these 32 blocked URLs using Tor and or most VPNs, virtual private networks that we used or some proxies. So it wasn't really very difficult to get around these blocks. And it's just that we had to understand how different ISPs were doing it and what the most efficient way of getting around it was. And so that's what we did between the first and third and we wrote about it. But since then, one of the things that we did was set up a server in India where we started collecting reports using UNI. And we've just left that running and we've been collecting that data continuously. And something that I've been starting to work on of late is trying to make sense of all the data that we've collected over the year and publish it in a sensible way and maybe visualize it in ways. And we've been doing this not just for the 32 URLs that were in that censorship order, but using a couple of different lists, including those 32, but also a web developer in India called Tejas GN who has been compiling a list of URLs that have been reported as being censored in India. We also have always welcomed any help that anyone wants to give us in terms of reporting censorship or software developers, technologists who want to help run a censorship measurement using UNI or other methods to help us. So there is an email address out there which if you want to get in touch with us to help us continue these efforts. Another thing that I recently started working on is turning that website chaos lab dot in into something that could be a continued effort on measuring censorship in India and publishing all this data there. So hopefully that will happen some point soon. Just to talk about what the ISPs could have done slightly differently here. Or what ISPs should do when they are dealing with censorship orders issued to them. No ISP actually informed any of their customers until that order was leaked to us that they were asked to censor any of these URLs. I think every ISP should take this really seriously. They should be more transparent about censorship orders and whenever possible inform their customers as promptly as they can that they have received an order to block access to an internet resource. Also there's especially in India there is no law that requires any internet service provider to deploy any kind of invasive technology such as doing deep packet inspection such as technology that helps them do deep packet inspection amongst other things. Therefore I would like all of us to appeal to our internet service providers and say don't deploy unnecessary invasive technology in your infrastructure when you don't need to. That just makes it a lot more difficult for people to act for garments to actually pressure you into using technology like this to block access to the internet and use legal means as an ISP to fight for your customer's freedom to access of information and expression. A good example we saw earlier this year was when in the Netherlands access for all and as a go went to the courts, proved that a ban that was issued on the pirate bay two year well in 2012 was not necessary because there was no proof that them banning the pirate bay actually led to fewer copyright infringements because people were getting around it. Therefore the ISPs didn't need to block it. But yeah, point here is they did actually use the legal measures to fight for the right to freedom of access of information for their customers. And yeah, I think it's also important that as consumers we put more pressure on the providers when you see something that is blocked right to your ISP or call them and say hey, this is blocked, why tell us now and tell us what you're doing about it. Also tell them that your customers aren't happy that they cannot access or they're paying you to access and pass that on to the authorities who are asking you to block access to these internet resources. I'm just gonna mention some things that we recommended in the articles we wrote to people who were being affected by these blocks and how they could circumvent it. The TOR project, I think the TOR project is probably one of my favorite inventions of our times and it's probably the most important tool that's working towards defending our internet freedoms today. So yeah, just use TOR all the time. And everybody. Security in a Box is a toolkit that tactical tech, the organization I work for develops which is a set of tactics and tools that helps users protect their data and their communications using various different tactics and encryption tools and has a few sections on how you can circumvent censorship or use, how you can install and use tools such as the TOR browser to stay anonymous and protect your identity and be able to circumvent censorship if you are being affected by it, where you are. And I'd like to plug the EFF here, EFF who develop HTVPS everywhere which I mentioned in the talk earlier, also have been publishing something called the Self-Surveillance Defense Toolkit which is similar to the kind of work we do has some very useful guides about how you can use tools to protect your internet freedoms. I'm gonna slowly move towards trying wrapping this up. These are the two articles. I couldn't fit the whole URLs in there. I don't know how to use a Libre Office Impress very well. And so those are the tiny URLs. These slides I will publish online and tweet about it. But I guess if you watch the video you'll be able to find them too. But that's an article that Leif, Aaron, Claudio, Garneri and I wrote in the Huffington Post right after we did this research last year and also Claudio followed up with an article in Global Voices where he actually talks about how we should be asking our ISPs to defend our freedoms and what we can do as customers of these internet service providers to make the internet a better place for everybody. And yeah, thank you. That's how you can find me. I'm Houndby on Twitter and that's my email address. Thank you. Thank you so much. So we have some time for some questions. There's any. Please forward to the microphone. So I have a question. So you mentioned that TataCon probably used DPI, right? And it sounds like they had DPI deployed before the order was given out. So could you speculate on why it was kind of deployed and maybe it might be in use? Well, it's not uncommon for ISPs to get orders which are asking them to block a specific internet resource in India at all. In fact, when we were doing this research we found a bunch of other lists that we could throw into the scripts we were using including the uni stuff. And we found that there was a lot of different kind of stuff that was being censored. Most commonly file sharing websites to prevent piracy but also a lot of pornography and a few other things. So and this is not the first time that we've seen something that is really popular being blocked in India. We saw a whole of groups.yahu.com go down a few years ago because again the Ministry of Communications and IT sent out an order to the ISPs. This time not a secret order, fortunately for us. Therefore, we knew what was going on. But they found something that they thought was inciting violence in the country and asked every ISP to block it. So and it's something that's very common. The ISPs are dealing with censorship orders quite often in the country. Therefore, they have been investing in technology that helps them. Do you think that they're using DPI for data collection on their citizens? Well, I can, well I would only speculate if I were to answer that question. Therefore, I would say I am not certain if they're doing that and we have no evidence that they are actually doing that. Thanks. Thank you so much. There's any question, please forward to one of the mics. Two questions. The first is, does some national or specialized media ever wrote an article about that censorship happening in India, within India? And the second is, there were a spike in the usage in the amount of tort users in India after that censorship order has been implemented? To answer the first question, yeah, there was massive coverage of the two really large incidents. One of them being this and the other one, I mentioned earlier when groups.yahoo.com was blocked for I think over a week, a few years ago. And yeah, it has been covered by large news media outlets. It has been reported. This one was also reported after, maybe like us and the Center for Internet and Society in India made a lot of noise on Twitter and social media about these blogs. Sorry, Fabio, what was your second question? Yeah, I think Leif tried to look into this right after and I don't remember if we saw anything that, maybe it was, I don't think we saw anything. We talked about it, maybe we didn't pay a lot of attention but I think that's something we probably should actively monitor every time something like this happens and I'll put that on my checklist. There is also a question from someone from the internet. Okay, the question is, did the Indian government or the ASP have any advice or assistance from external, for example, meaning foreign companies or agencies to implement these blogs? So like the hacking team or three data agencies? We did find evidence of some invasive deep packet inspection technology that was being used by a company called CIFI Connect. I cannot remember where they were from but I'm pretty certain that they were not Indian. And actually if you read the Huffington Post article that I linked to earlier, we have all the different block pages that we saw across different ISPs and they varied and one of them is actually a lot big advertisement for this company that was selling technology to the ISP that was using their tech to conduct this block. And the second question is about virtual private networks. Are there any virtual private networks provided in India that were not affected by these requests? So we weren't able to do a lot of testing with virtual private networks in India. We did, however, notice. So yeah, the answer to that question is, I don't know, I'm not certain. We did, however, notice that the blocks were very extremely inconsistent. We were able to access certain things on specific ISPs at times which subsequently were blocked using the same network connection. Some ISPs were not blocking all 32 URLs. We were able to access a specific set of those 32 URLs on some ISPs at all times with no interruptions. So yeah, but we did not actually get around to testing using VPNs in India. We have a question. I was wondering in the light of your talk, what you're thinking of the latest revelations with the free basics. Yeah, you're probably expecting this. What am I expecting? No, I thought you expected a question about this. No, I was just wondering what you were... What I think about what's happening with... So this is something that we've been fighting with the government and the telecom regulatory authority of India for a little while now for over a year. They put out basically a consultation call about a year ago asking people to respond and several civil society organizations in India, amongst others, actually responded saying, you know, no, we do not want internet.org as it was known then adopted by any ISP in India. And now there is a second call by the TRAI which is a follow up to that first consultation call where it's pretty much the same thing. Basically, there was a judgment like a week ago which basically asks reliance communications which is actually the only telecom service provider which has partnered with Facebook to provide free basics in India and ask them to temporarily suspend this service to all their users. So that is a good sign and we will hopefully have some good news at the end of this process after this consultation comes to, well, conclusion, if I may say, yeah. Thank you so much. I think if there is no further questions, we will conclude this very interesting talk. Thank you again.