Centre for Internet and Society. We're having us here; it's our first time in Bangalore, so I'm really excited, and thanks to all of you for being our audience. So, as we're going to do it today, we'll talk about kind of the general program areas for the Citizen Lab and also some of our current research on censorship and surveillance around the world. So the Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto. We were founded in 2001 by our director Ron Deibert, and at a high level we focus on three main areas: research, which we'll primarily talk about today, capacity building, and policy engagement. So I'll just briefly go over our programs in capacity building and policy engagement, then we'll get into research. So throughout the history of the Citizen Lab we have engaged in capacity building by helping form and support research networks based in the Global South, and the collaboration with these partners is really crucial for the research that we do. One primary example of that is a project that we helped start called the OpenNet Initiative, which is an inter-university consortium that was started in the early 2000s between ourselves at the University of Toronto, Harvard University and the University of Cambridge, and the objective of the OpenNet Initiative is to document internet filtering around the world, and to do that properly we really depend on expertise from researchers and advocates in the regions and countries that we're looking at. So to help create that collaboration with those kinds of individuals we helped to support two networks. The first network is called OpenNet Eurasia, which includes a diverse range of lawyers, researchers and practitioners from across the Commonwealth of Independent States region, and that network was really started at the beginning of the OpenNet Initiative around 2003.
Another network that we started in 2007 with the support of the International Development Research Centre in Canada is called OpenNet Asia, and similar to OpenNet Eurasia, that includes researchers and advocates from across the Asian region working on surveillance and censorship. So the interaction with these networks is really complementary: they add important context and expertise into the research we're doing, and we collaborate with them to help build capacity on research and advocacy in those regions. Recently, again with the support of the International Development Research Centre, we started a new network called the Cyber Stewards Network, and this name plays on the concept of stewardship and explores what an ethic of responsible behavior is in a shared communication space like the internet. So unlike our previous networks, which were regional, this network is global and includes partners from Asia, Africa, the Middle East and North Africa, and Latin America, and the Centre for Internet and Society is one of the partners in that network, and together what we're trying to do is articulate what cybersecurity means for the partners from the context of their country and region and try to build out a dialogue and a conversation about it that is coming from the Global South rather than a transatlantic dialogue, which really dominates the current discourse around cybersecurity. So that's our policy, or sorry, that's our capacity building area.
On policy engagement we're doing a number of things. I'll just briefly tell you about one of our most important aspects of that program, which is an annual conference we have every March in Toronto. We're just going into next year to have our fourth installment of it, called the Cyber Dialogue, and the purpose of the Cyber Dialogue is to have a forum where stakeholders from government, private sector, academia and civil society can come together to discuss pressing issues around internet governance and security, and it helps create a trusted space where we can exchange ideas and dialogue around these issues. So the focus today is our research on surveillance and censorship, and a kind of signature of the lab that I think makes our research stand out a bit from other groups is our approach to this research area, which we consider a kind of mixed methods approach that combines rigorous technical investigations with methodologies from social science and also analysis of legal and policy areas, and we combine all of this together to get a more holistic sense of what's happening on the internet and other information communication technologies. So one of the prime focuses for us with this method is information controls, and we define information controls as actions conducted in and through information communication technologies that seek to deny, disrupt, manipulate or monitor information for political ends. So to better capture what we mean by that, here is just a selection of some information controls, and each one of these categories of them has a different objective. So some information controls are designed to deny information. Perhaps one of the most common examples of information denial is internet censorship. So in many countries around the world, when you try to access certain content online, you're greeted with a block page. These are some examples of block pages around the world, and countries differ in what they put on their block pages or how they implement filtering.
So this is an example from Saudi Arabia that I think is interesting. So it says access to this URL is not allowed, but then it gives a kind of ability for the user to interact with the authorities around the censorship. So it says please fill out the form below if you believe the requested page should not be blocked, and then there's a link for doing that. Then underneath that it says please send other sites you feel should be blocked using the following form. So this is kind of interesting because it gives some level of transparency and some way for users to get feedback to authorities. In other countries, users may not even see a block page, and when they try to access filtered content, the pages have to hang. They might get what appears to be a 404 error or other indications that don't give any real sense that this page has been intentionally blocked by authorities, and it may appear to be some kind of conventional network error. So as I mentioned before, we've been doing a lot of research on internet filtering for nearly the past decade as part of the OpenNet Initiative and within our group. And when we started the OpenNet Initiative with our partners and first started our research in this area, really only a handful of countries were conducting internet filtering. Since that time, we've tested for internet filtering in over 74 countries around the world and have found that 42 states, including importantly both democratic and authoritarian states, have some level of filtering present. And that's just within our sample. There may be more countries beyond that. So what we feel we've witnessed in the past 10 years of doing this research is a steady increase of filtering around the world, and we really see internet censorship as becoming a growing and pervasive global norm.
So just as there's many different ways of implementing filtering technically and many different ways of communicating that filtering to users, there's also many different reasons why states may implement filtering and what their motivations for it are. These are some of the most common ones we see: appeals to national security, appeals to public morality; it can also be based on economic interests, concerns around copyright, and also in some cases to control political dissent in the country. So internet filtering is just one example of information denial. There's many others, just kind of two that we're very interested in. One is denial of service attacks, and just at a basic level, this is when your website is flooded with more requests than it can handle, which effectively disrupts access to that website at that point period. And this has been used as a tactic for cyber crime and in other instances that are not politically motivated. What we're interested in is when a website will come under these attacks and in what period that is happening. So for example, it might be the website of an opposition political party during an election. So at a period when their information is the most valuable, when they're trying to reach the greatest audience and most users, all of a sudden their website comes under a denial of service attack and they're not able to distribute that information anymore. Or it might be the website of an activist group around the sensitive anniversary of a political event, and right when they're doing their heightened amount of campaigning and want to reach the widest audience, their website is not able to serve content. Importantly, information can be denied in ways that are non-technical. So the use of law and regulation to censor content online and broad use of libel and slander law are just examples of how that can be done. So that's kind of the information denial category.
Other kinds of information controls seek to manipulate information or to project a message that might be counter to what a user or an organization is trying to convey on the internet. So these are just two examples. One's called a defacement attack. In a defacement attack, a website is compromised, it's broken into, and the visual content of the site is changed. And again, we've seen this tactic used in cyber crime. We've seen it used as a kind of digital graffiti on the internet. Sometimes attackers will compromise a site and put up a humorous message to show, you know, we popped your website and, you know, this is my handle. But increasingly we've seen it being used in politically motivated attacks. So this is an example from 2008. The website of Tsering Woeser, a prominent Tibetan blogger, was compromised and defaced by attackers based in China, and they left this image behind instead of her usual website content. And the headline of this defacement reads, "Long live the People's Republic of China, down with all Tibetan independence elements." So in this case you can see how the website of a prominent blogger and activist is vandalized, essentially, with a message that goes against what her website is trying to convey. Recently we've been tracking the activities of a group called the Syrian Electronic Army, which is a group active online which is pro-Assad regime in Syria, and they've been very active during all the events in Syria. Some of their activities include defacing websites and leaving messages that are pro-regime. So this is one of the more high-profile websites that they were able to break into and do the message on, of Harvard University, and we've been tracking these for a couple of years. Another thing that this group does is spread pro-regime messages on social media. So this is an example of President Obama's Facebook page and a stream of messages that are pro-regime coming in that the group claims they organized.
So that was the information manipulation category, and then we move to another category that we really have a lot of research going on in, and it's an object of concern for us, which is information monitoring. So information can be monitored in a number of different ways. Passive surveillance, which you see there, refers to the mass collection of information. So the recent leaks around the NSA's PRISM program of mass surveillance are a good example of this kind of monitoring. Our research in the past years has been focused on another kind of surveillance, which is in the form of targeted malware. So what is targeted malware? Targeted malware is malware attacks that are designed to target specific individuals or groups. Usually this is done through an email. It can be addressed specifically to the individual or to the group. It has content that is relevant for what they're doing. For example, if you're a Tibetan activist it might reference a current campaign around the Tibetan movement or an event of interest, and what the message is trying to make you do is open a document or a link that contains malware. So what does the malware do? So if you compare targeted malware to other more routine malware attacks that are going after, say, your banking information or your password to your bank account, this malware is different. The objective of targeted malware is essentially to steal files, spy on users through their peripheral devices, through their webcam, through their microphones, to record your keystrokes, and to do this over a long period of time and to maintain persistent presence on networks and do it silently. So really the objective of targeted malware is to spy on users, spy on your computer, spy on the networks of your organization. Importantly, these kinds of attacks are not isolated. They're campaigns.
And if you are an individual user or belong to a group that is under attack from a targeted malware campaign, you are getting consistent attempts to compromise your network all the time. These kinds of attacks affect governments, they affect big business, and they affect civil society. So our interest in targeted malware and its effects on civil society and the greater effects on international relations really peaked with this report, Tracking GhostNet, from 2009, which was led by our colleagues Nart Villeneuve and Greg Walton. And this report started here in India in Dharamsala with the Tibetan community. And Greg Walton, our colleague, had been working with that community for a number of years. And for this report he conducted the collection of technical samples from Tibetan institutions that had concerns regarding computer security. These institutions included the private office of His Holiness the Dalai Lama, the Tibetan government in exile and a number of Tibetan non-governmental organizations. So through this fieldwork and lab investigations conducted by Nart Villeneuve, we uncovered a massive cyber espionage network with a reach that went beyond the Tibetan community. So the way that this network worked was enabled through targeted malware. And what the attackers did is they used socially engineered emails to lure target victims into clicking on attachments that contained malware and then gaining control over the compromised system. So what you see here is a real example that was used in one of the attacks. You can see the message is professionally written. It's related to issues in the Tibetan community. And if you're working within this community and on these issues, it might be a message that you would click. If a user then clicked the attachment, it would compromise the computer and download a remote access trojan called Gh0st RAT, which gives the attacker real-time control over the compromised system.
So this is the user interface that the attacker would see for Gh0st RAT. Gh0st RAT is actually an open source program. You can download it right now. Probably Google for it. And it's what's referred to as a remote access trojan, which essentially gives a remote user full control over a target computer. So you can see the commands that the attackers could do. They could steal files. They could do screen captures. They could run a key logger to record all of the keystrokes. They could turn on the microphone. They could turn on the webcam. So they essentially turn the computer of the user into a feature-rich spying tool for them. So as I noted, the institutions in the Tibetan community were compromised by this malware. But what we were able to find through our technical investigation is that actually 1,295 computers were infected by this malware in over 103 countries. Significantly, close to 30% of the infected computers can be considered high-value targets. And this included ministries of foreign affairs for countries around the world, including Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand; and the list goes on. So the malware used in these attacks communicated back to servers based in China. However, we were not able to conclusively determine the identity of the attackers behind this campaign or what their link may or may not be to the government of China. But given the high-value targets that you see here, a selection of them, and the capabilities that they had through the program I just showed you, we definitely concluded that the objective of this network was political espionage. So that was in 2009. We've been continuing this work since then. And what we really are focusing on is what is the impact of these kinds of attacks on civil society.
And civil society is very much under threat from targeted malware and the whole list of other information controls that I listed there. So we've been running a study for the past two years where we've been enrolling a diverse range of human rights groups and other groups from civil society communities and collecting technical samples from them of targeted malware attacks like the one I just showed you, running interviews with them and surveys to understand the context behind these attacks: how do they use technology in their everyday workflow, and how do these kinds of threats affect what they're doing, affect the campaigns they're doing, what impact does it have on the organizations. And so we're trying to analyze the technical, social and political dimensions of the threats and really address the kind of lack of research attention to civil society. These kinds of attacks have hit really big targets, from Google, RSA, governments around the world, entities that have a lot of resources and financial capability to run investigations, to hire companies to do incident response. Whereas on the other side of the spectrum you have civil society groups; some of these groups may not have a physical office, they may not have a system administrator, they might be literally five people with laptops working out of their homes, and yet they're as targeted or perhaps even more targeted than groups with much more resources. So what we're trying to do in this work is raise awareness of these threats and put out information that we hope can be used both within civil society communities and to help inform a broader community outside of them. So we'll have a comprehensive report on the last two years of this work coming out by the end of the summer. So another kind of dimension to all of those threats that I showed you, that selection of them, is the market and use of commercial filtering and surveillance products that can enable it.
And I'll turn now to Jacob, who's doing a lot more particularly on commercial products that enable internet filtering.
Thanks. So this is just a sample of some of the companies that we've been looking at in the last five or so years of doing this sort of work that provide filtering products to be used worldwide. Fortinet's from Germany, Blue Coat, Websense is from America, and Netsweeper is actually based out of Canada. And so I'd like to go through some of the general methodology that we use to fingerprint and find different filtering devices all across the world. The first is the most straightforward, which is just a straight scan for signatures. So I have some idea. We look at installations of the products in other places. We have a look at how they would look from the outside and we just look for it by just scanning. There's a lot of problems with this sort of methodology. For one, it doesn't scale at all; if you don't have a good idea about where to look, the chances of you finding it are very slim. It takes a long time, and again, if it's not narrowed down, it might take days, weeks, months. And the other one is you also have to sort through a lot of false data, because you basically have to scan computers that have nothing to do with filtering in order to get to that sort of thing. So it's a problem, but this is one of the things that we've done. But we've actually yielded some interesting results doing targeted scanning based on information that we receive from in country. An example of this is this, which is a traffic graph interface that was installed on the ISP of the Syrian Computer Society, which was an ISP which was linked to the Assad regime. And in late 2011 to early 2012, this was found by network scans in Syrian computer space. And you can see here this shows the names of the devices are Blue Coat, which coincides with one of the filtering products that are used.
And if we take a look here, we actually see in the last bit the number scale is much, much higher, indicating a large amount of traffic that would not coincide with, say, an office or an educational facility where the installation of this might be to prevent employees from accessing certain sites. So this is a case of scanning being used to find something. Because a lot of these devices, they don't indicate that the regime is being used to filter content, because these devices have dual uses. There's a lot of legitimate reasons why somebody would buy a Blue Coat device and put it in their place of business, for instance. So that's an example of just scanning websites and scanning networks to try to find this sort of information. We can kind of, you know, address these problems by using a scanning service. So one that we've used in past research is Shodan, which is a search engine, not unlike Google, where you can search for fingerprints of devices that are just connected to the internet. And here's an example of a search done on Shodan yesterday, which looks for the product Netsweeper, which was found in different countries. And you can see we already have 301 installations in different countries, including the United Arab Emirates. And another way that we can try to find these devices is using public data. So this example is the Internet Census 2012, which is a public dataset that was undertaken by an anonymous researcher that sought to scan every single public-facing internet device on the internet. He did so by using a botnet.
And the anonymous researcher had stated that even though the method by which this was undertaken was a botnet, they had taken steps such as rate limiting and non-permanence, so that an infected device upon restart wouldn't serve the actual botnet code. But it actually provides a unique source of research data, because in late 2012 it shows all the internet-connected devices, and it kind of addresses again one of the problems with scanning individual hosts, because we wouldn't have to scan individual hosts; we have something that we can search by entirely. Other uses of public data that might be a little less common is this. So I mean, this is a block page that was found in the country of Oman. The ISP is Omantel, which is the state-owned ISP. And the URL is block.om, and it shows the site's been blocked due to content that's contrary to the laws of the Sultanate. And if we take a look at Alexa, Alexa is a web information company that shows most popular content by countries. So if we look at the top sites in Oman, we see number one is YouTube, number two is Facebook, but if we go down a little bit, just a little bit below Wikipedia, we actually see the block site, block.om, is one of the most popular sites in Oman. So it's a little interesting and another example of where we can use public information to corroborate and find evidence of the filtering. So here is a sample of websites that have been blocked in this country, in India. And the majority of these sites have been blocked because they were related to file sharing and the distribution of Hindi music and that sort of thing. And I wanted to use this example to kind of highlight that a lot of the filtering that we see has a lot of unintended consequences. So if we take a look at this, all the URLs are more or less related to file sharing content, and I wanted to highlight this one, which is indybay.org.
indybay.org, if you had visited in late 2012, you would get something like this, which says the URL has been blocked until further notice pursuant to court orders or the directions issued by the Department of Telecommunications, which is something I'm sure every one of us has seen. I just checked it yesterday and you actually get a blank page. If you kind of look at the source, it doesn't have anything at all. So even the very sparse information that you were given in late 2012, you don't get any longer. The interesting thing about indybay.org is that it's not a file sharing site at all. Actually, it's an activist kind of site based in the San Francisco Bay region. And I've always thought that the reason they blocked it is they kind of thought it was the Indian Pirate Bay, like Indybay, but it's not at all. If you visited it yesterday, it's a proxy, it's just a regular site. And so that's an example of completely unintended consequences of filtering. Another one is related to a report that we put out last year, which is we found evidence that Indian block pages were seen in the country of Oman. And after researching this a little bit, we actually found that if you traceroute, or if you try to look at the path that a user in Oman would take to access content that is blocked, so in this case, he's trying to look for a site that's related to file sharing, you'll see that the path runs through Airtel. So we found that Bharti Airtel was providing upstream internet service to Omantel. And as a result, users in Oman were subject not only to the filtering and controls imposed by their own government, but also that of India. So quite recently, the kind of work that we've been doing is we've been trying to identify commercial filtering devices. So a common problem we'll run into is we have some idea that proxies are blocked in a given country, right? And what can we do to determine which product is being used? So in the past, this was actually really easy.
We would just go to the site, the block page, and it would just tell you right there. It's like McAfee SmartFilter, that's being used for filtering. But nowadays, your block page is more likely to be like this, where it doesn't actually tell you which product it is. And it tries to obfuscate the actual thing that's being used. They customize the block pages to be for a particular thing. So one of the methods we've been playing around with is we create, in this instance, 10 domains and 10 proxy websites, completely different. And we check if they're blocked in Country X. Since these are newly created sites, these would not be blocked. So we take five of those domains and we would submit them for classification. A lot of these filtering products have websites where you can submit information so that they can analyze the contents of the website and give them a category. Since these are, in this instance, proxy sites, we would hope that eventually, after some time, these would be classified as proxies. And then we don't do anything with the remaining five, which we kind of use as a control group. And then we compare the two results. And if we see that, when it had started, nothing was blocked, and now all of a sudden only five of those are blocked, but the rest have remained, we know for certain, or we have a very good indication, that this product is being used in this country. So we use these kinds of techniques to try to determine which products are being used in which country. So as a result of this, we had a few results. We have a Canadian company, Netsweeper, that was found to be in Qatar, United Arab Emirates, and Yemen. McAfee SmartFilter had used to be involved in Saudi Arabia. And Blue Coat was present in the networks of Syria, Burma, as well as the current aid in Saudi Arabia. And we actually put this out recently on a map.
So this map was done by using data from the Shodan search engine to find installations of PacketShaper, which is a surveillance product, and ProxySG, which is a filtering product, and to try to find the intersection between installation locations and where it's present. So these are the kind of techniques we've been doing recently.
So that's on the use of products for filtering and looking at that market. And another market we've been really interested in is for surveillance technology. So this is a poster of ISS World, which is the premier conference for vendors providing surveillance technology. And it's put on by a company called TeleStrategies. And recently in a New York Times article, Jerry Lucas, who's the president of TeleStrategies, said the market for these technologies has grown to $5 billion a year from almost nothing 10 years ago. So this is a really booming area. And you can see some of the topics that are covered in this conference, like effective spyware, cell phone investigations, social network surveillance, monitoring crypto traffic, and so on. Here's a slide from the conference showing what talks are about and one of the tracks, which is encrypted traffic monitoring and IT intrusion products. So for the past year, we've been really interested in this particular area of these so-called lawful intercept tools. So these are tools that are extensively used by law enforcement agencies and other government agencies in investigations of criminal or terrorist behavior. And they're provided by a number of companies. Here you see some of the companies giving talks on this area, including Gamma Group and Hacking Team, which are two companies that we've been looking at closely. So as I said, we've been looking at this for the past year. This research is led by our colleagues Morgan Marquis-Boire, Bill Marczak, John Scott-Railton, and a number of others who helped out along the way.
So I'll just give a high-level overview of what we found by looking at these companies, their products, and this wider market for surveillance. So this is the website for FinFisher, which is a suite of tools provided by Gamma Group, which is based in the UK. And they describe these tools as governmental IT intrusion and remote monitoring solutions. And you can see some of their graphics there. So this company really came into the spotlight following the Egyptian Revolution, when protesters gained control of the Office of State Security and were able to retrieve a number of confidential documents. So amongst these documents was this, an offer from Gamma Group to the Egyptian State Security Investigation Department for the FinFisher suite. And there you can see some of the unit prices for their tools, one of their products called FinSpy. And there's been a number of brochures and other information that's been circulated about FinFisher by WikiLeaks and an organization called Privacy International that's given a sense of what the capabilities are. So you can see in the corner there discussions of being able to intercept covert communications, full Skype monitoring, tracking targets, extracting files, etc. So essentially this is the commercialization of the kind of targeted malware that I discussed before. So a lot of attention suddenly came on to the company after this revelation that the Egyptian government had at least been given an offer of the product. It's not clear if they ever went beyond this offer stage. At this point in time, no one had a sample of this product in the research community. So there were still a lot of questions around its capabilities, how it worked, and so on. So in May 2012, Vernon Silver, who's a journalist with Bloomberg News, shared some pieces of malware with our lab. And these samples were emails with malware attachments that specifically targeted Bahraini activists.
So you can see above there is an example of what the typical message content was of these emails that were sent in the attacks. And the files that were attached to them had malware that provided remote access to the victim's systems and allowed attackers to exfiltrate data from those systems. So Morgan and our colleagues did a thorough analysis of this malware and were able to determine that this malware was likely FinFisher, for a number of different reasons, specifically the FinSpy product. So in debug strings in the infected processes, you can see a reference to FinSpy in the malware. And they were also able to compare the samples that we had been shared with from the journalist to other samples that had a lot of similar characteristics. And those samples communicated to domains belonging to Gamma Group. So we also did some research on a competitor to Gamma Group called Hacking Team. They're based in Italy. They sell a similar product called Remote Control System. And you can see their promotional material here explaining what the product can do. So very similar to the FinFisher suite. So like Gamma Group, Hacking Team claim that their products are for governmental law enforcement agencies and other agencies only. You'll see this with a number of these kinds of companies. They claim their products are only for those clients. That conference that I showed you the slide from, you're only allowed to attend if you're a government representative from the law enforcement community. Some companies have even gone a bit further and claim they only sell to the United States or allies of the United States. But this is the claim that these companies have for the sale of these tools. And they're used by various law enforcement agencies around the world. So this man pictured here, his name is Ahmed Mansoor. And he is a democracy activist in the United Arab Emirates on the 23rd of July 2012.
He received this message here, which purportedly is from Arabic WikiLeaks. And is urging him to open a very important message. So the attachment with this message was malicious. And again, Morgan, our colleagues analyzed it and found that it matched the characteristics of the remote control system product made by Hacking Team. Importantly, that product samples of it had been previously discovered in the wild on the internet by other security researchers that gave us an opportunity to compare them. So this was another example of these products being used in countries with questionable human rights records and specifically being used to target activists. So we've also seen a campaign of the Finspy tool, part of the finfisher suite, that uses pictures of a Jim Lott 7. This is the picture that it uses, which is an Ethiopian opposition group, which has been classified by the Ethiopian government as a terrorist organization. So this picture and content around this organization was used as a lure in the message to have users open an attachment that would contain the Finspy malware. So this again is another example of Finspy deployments being used as strong indications that they're politically motivated. In this example, the instance of Finspy communicated with a server based in Ethiopia. This is a more recent example that we found through a service called VirusTotal, in which users can upload files to the service and then it checks how many antivirus vendors can detect the file as malicious. And it also collects all of these samples that security researchers can then use. So our colleagues found this file, which is a document that contained finfisher and the content of this document is in Malay and has information on the 2013 Malaysian general election. In this case, we don't know who made this lure or who was circulating it. We also don't know who was being targeted specifically by it or how many users may have been infected by it. 
But given the content of the document, it's in Malay, it's about the Malaysian election, we can conclude that the targets of this campaign were probably Malay speakers who had an interest in the 2013 Malaysian election. So other work our group has done on FinFisher is scanning the internet and data sources like the internet census data that Jacob mentioned for identifiers of FinFisher. So this is somewhat similar in methodology to how we try to scan for identifiers of commercial filtering products. So this map shows our most recent results of that scan, and we've identified FinFisher command and control servers in over 36 countries. So the command and control server is the server that would then send the commands to the infected host. Our most recent results include finding servers in Pakistan, Nigeria, South Africa, Panama, Turkey, along with other countries. So it's important to note with these results that just because there's the presence of a FinFisher command and control server in a country does not necessarily imply that the country's law enforcement, security or intelligence services are operating that server or are indeed a client of FinFisher and Gamma Group. But this kind of gives you a sense of some open questions around why are there servers in some of these countries, who is using them and for what means are they using them. And as we have uncovered through this research, we've continuously seen examples of these tools being used in countries with poor human rights records and to target activists. So that was a really quick overview of over a year of research. If you go to this URL you can download this report, For Their Eyes Only: The Commercialization of Digital Spying, which is over 100 pages of technical details of what I just described. This is a very active research area for us.
So just to kind of review what we covered in the talk, our main research area right now is trying to understand this spectrum of information controls confronting civil society, whether these be controls that are designed to deny information to users, to manipulate the content of information that is circulated to users, or to surveil what users are doing on the internet. They all have serious implications for civil society, for international relations, and a lot of open legal, policy and technical questions about how these things are operating. One of the things that we find concerning is a civil society group could have all of these things happen at once. You could have your website filtered when you're trying to reach a jurisdiction that's important for you for your campaigning. You could have your social media account compromised and have some messaging on it that's embarrassing to your group or trying to ruin your reputation. You could have your site come under a denial of service attack when you're trying to get information out to your audiences. You could be under pressures of legal and regulatory authorities, and you can also be having your networks and your computers actively spied on by attackers. So we're trying to understand this full spectrum and raise awareness around it and have information that we hope can be helpful for those communities. And to add another layer around it, there's this whole political economy and commercial market for products that enable these kinds of controls, and increasingly we're seeing evidence of them used around the world and in countries with problematic human rights records. So that was just kind of a high level overview of what we're working on in the lab right now, and I really invite questions or comments from all of you, so thanks for your attention.
You talked about the implication of a militarized internet on the future of a civil society. Now how are civil society organizations countering these?
How are private organizations like Google and non-profit organizations like Mozilla or W3C, how are they countering these happenings?
Yeah, so that's a great question. I think there's different levels of it, like there's things that individual users are doing to bypass censorship for example, or like creative use of language to evade censors, so all kinds of technical and non-technical things people are doing at a user level. I think one of the positive implications of having more of this information available and just the scale of it more visible to general audiences is that it gives an opportunity for civil society actors and also government and private sector to really have a conversation around what's happening. And you know, for us a big touch point in our research was the discovery of the GhostNet network in 2009, but since then it feels like every week there's a new story of a cyber espionage network that is targeting government or civil society or private sector actors or all of them all together. So this kind of escalation is both concerning but I think provides a good opportunity to have a dialogue around what's happening, which is, you know, something that we try to facilitate in some of our programming.
What role do backdoors in software implementation have? Do they work together or do they happen separately or is it all synchronized?
Sorry, you mean like intentional backdoors in products?
Yes, yes.
Again, I mean I think it depends on the context of the company providing it and in which countries. So for example we've done a lot of research on domestic products and services provided by Chinese companies, and they are under obligation to implement controls like surveillance and censorship. For example, in 2008 my colleague Nart Villeneuve discovered that TOM-Skype, which is the Chinese version of Skype, there were suspicions that it was implementing censorship, so if you typed in certain keywords like say Tibet, Tiananmen Square, the user on the other side wouldn't see it.
But Nart Villeneuve was able to find that actually when he typed in certain keywords, not only was it censoring but it was also uploading entire chat logs to a server based in China. So that can be a kind of example of a backdoor, and recently we've been working with colleagues at the University of New Mexico who were able to reverse engineer the TOM-Skype client, and for the past almost two years now we've been downloading the keyword list that triggers surveillance or censorship on that client every day. So that's just an example of a product that has been known to be doing these controls since 2008 and is continuing to do it and is updating these keywords to keep up with current events. And you know, in other jurisdictions and other companies there might be similar controls happening, and you know, that's something that can definitely have a huge impact on users and speech online and all kinds of other people and policy questions around it.
Have you found any correlation between the kind of countries which use these products? Let us say for example countries which are quite high on economic freedom or political freedom, or countries which are authoritarian with one-party rule or which have a track record of cracking down on dissent. Is there some kind of relationship which you've found between the country's political or economic freedom and then the usage of the software, or are those things independent of the usage?
So that's a really interesting question. I think one of the takeaways from our research is that both authoritarian and democratic countries are using these products, and you know, when we do scans of them we find them around the world.
One of the challenges for us, as Jacob explained, is understanding how a product that can be used for censorship but may also have a legitimate use on a network for efficiency and other aspects, whether or not it's being used for censorship, and then we can hone in on countries that have authoritarian regimes or other issues around human rights to see if they're using it for censorship. For the surveillance products, I mean they're used by everyone. They're definitely used by democratic states. They're definitely used by authoritarian regimes as well. So one of the issues for us is when these companies claim that these products are being used by law enforcement agencies, if they're in a country with a proper rule of law then they'd be using it under the auspices of warrants and other kinds of accountability and transparency around it, one would hope. But if they're being used in countries where the rule of law is problematic, that can be a big issue, or if they're being used in countries where speaking out against the government or vocalizing dissent is considered criminal activity, then that's another issue as well. So that's the kind of nuance around it that we're trying to explore in this research.
Well, earlier this year if I remember correctly there were some articles that came out online talking about the markets for zero-day vulnerabilities and how a lot of governments and government contractors were sort of buying them up and gearing up for cyber work and what have you. But I was wondering if Citizen Lab might have done any research on those and if so whether it had evaluated the use of those sort of marketized vulnerabilities to target civil society and activist groups as well.
Yeah, it's a really interesting question.
So in the study I briefly described, where we've been doing this collection of samples from civil society groups for over the past two years, I think in that we've seen maybe two zero days. It hasn't been a big feature in the samples we've been getting. Interestingly, for the majority of targeted malware that we see affecting those groups, the effort on the part of the attackers is on the social engineering. So they're tracking what the groups are doing, they know what they care about, they have that kind of mapped out, their networks of groups that they contact with, and they're putting a lot of effort on that. The technical sophistication of the malware is usually lower. So for us again, like FinFisher is kind of on top, these kinds of tools that you can tell are being developed by a professional group and a lot of effort on that, and the samples that we see from that. The majority of samples that we see targeting civil society don't have a lot of effort into obfuscating what the code is doing or protecting it from analysts, with the exception of people like FinFisher. But it's definitely an area that we're interested in. I think, you know, this market for zero days and so forth definitely is a key part of trying to understand the greater surveillance market out there, and all of these questions of who the clients are, what they're being used for, what that impact is for the greater security of the internet and other policy questions is definitely something we're interested in.
What do you think are some of the stuff done by the ISPs here other than bandwidth capping that really hampers everyone?
Oh, particularly for ISPs in India?
Yeah.
Well, I don't know, Jacob, do you have any comments on that?
We haven't actually done tests in India since 2011, so I'm going to get some more information and learn from all of you of what some concerns might be there but that hasn't changed, so I mean we're really keen to learn from all of you of what's happening here and what issues you're concerned about.
Questions, concerns, comments, ideas? Okay, then we can wrap it up. Okay, thank you very much for coming here, thank you very much for your time, thank you for all of you for attending, and there's a guest book which I think is going around somewhere, if you can please take like a few seconds just to fill it in that will be really great, and thanks a lot. any feedback just tend to say as what it says in that