Making Sense of Internet Censorship A New Frontier for Internet Measurement Sam Burnett - PDF document

Analyzer Backend (OONIB) Consumer(Website) Consumer(Browser Extension) Consumer(Web API) (HTTP) (OONIB TestHelper) (Tor) Probe(Home gateway) Probe(Python script) Probe(Browser extension) Volume 43, Number 3, July 2013 84 ACM SIGCOMM Computer Communication Review MakingSenseofInternetCensorship:ANewFrontierforInternetMeasurementSamBurnettNickFeamsterGeorgiaTechGeorgiaTechsburnett@cc.gatech.edufeamster@cc.gatech.eduThisarticleisaneditorialnotesubmittedtoCCR.IthasNOTbeenpeerreviewed.Theauthorstakefullresponsibilityforthisarticle'stechnicalcontent.CommentscanbepostedthroughCCROnline.ABSTRACTFreeandopenaccesstoinformationontheInternetisatrisk:morethan60countriesaroundtheworldpracticesomeformofInternetcensorship,andboththenumberofcoun-triespracticingcensorshipandtheproportionofInternetuserswhoaresubjecttoitarelikelytoincrease.Wepositthat,althoughitmaynotalwaysbefeasibletoguaranteefreeandopenaccesstoinformation,citizenshavetherighttoknowwhentheiraccesshasbeenobstructed,restricted,ortamperedwith,sothattheycanmakeinformeddeci-sionsoninformationaccess.Wemotivatetheneedforasystemthatprovidesaccurate,veri\fablereportsofcensor-shipanddiscussthechallengesinvolvedindesigningsuchasystem.WeplacethesechallengesincontextbystudyingtheirapplicabilitytoOONI,anewcensorshipmeasurementCategoriesandSubjectDescriptorsC.2.3[Computer-CommunicationNetworks]:NetworkOperations|networkmonitoring,publicnetworksGeneralTermsMeasurementsKeywordsCensorshipmeasurement,OONI1.INTRODUCTIONInternetcensorshipisbecomingincreasinglypervasive:TheOpenNetworkInitiativereportsthatnearly60coun-triesaroundtheworldrestrictInternetcommunicationsinsomeway,anditislikelythatfarmoreentitiesmanipulatecontentorcommunicationsinsomefashion.ThenumberofcountriesthatinterferewithInternetcommunicationsisalsolikelytoincreaseasmorecountrieswithhistoricallyrepres-sivegovernmentsbecomebetterconnected.Organizationsorcountriesmayrestrictaccesstoinformationusingtech-niquesthatrangefromblockingcommunicationsentirelytodegradingperformance(sometimestothepointwhereaser-vicemightbeunusable)tomanipulatingcontenttospreadmisinformation.Alternatively,anorganizationmightnotblockorthrottleaservice,butinsteaduseittospreadfalseinformationorotherwisein\ruencepublicopinion.Censorsarecontinuallydevelopingnewtechniquestoblockormanipulatecommunications,whilecitizensandactivistscontinuetodevisemechanismsforcircumventingthesetech-nologies.Organizationsthatwishtocensorcontentoroth-erwisemanipulateinformationhaveavarietyofadvancedtechniquesandtechnologiesattheirdisposal,andnewcir-cumventiontechniquesarecontinuallymetwithattemptstothwartthem.InternetusersshouldknowwhentheirInternetaccesshasbeenobstructed,manipulated,ortamperedwith;theyneedanindependent,third-partyservicethathelpsthemdeter-minewhethertheirInternetserviceproviderisrestrictingaccesstocontentorspeci\fcprotocols,orotherwisedegrad-ingInternetservice.Despiteourattemptstodesignavarietyofcensorshipcircumventiontools,wehaveverylittleunder-standingofthetechniquesthatcensorsusetorestrictorotherwisemanipulateaccesstoonlineinformation.Citizensneedatoolthatcontinually(1)monitorstheextentofcen-sorshipandmanipulationincountriesaroundtheworld;and(2)evaluatestheeectivenessofvarioustechnologiesthatattempttocircumventcensorshipinreal-worldsettings.Monitoringcensorship(andtheeectivenessofcensorshipcircumventiontools)presentsseveralnuancedchallengesbe-yondsimplymonitoringInternetperformanceoravailability,duetotheinherentlyadversarialenvironmentinwhichthemeasurementsareperformed.Themeasurementproblemin-troducesseveralnewchallenges.The\frstsetofchallengesinvolvedeterminingtomeasureinthe\frstplace:Internetcensorshipisnotwell-de\fned,andisshift-ingtowardsmanipulationandpropaganda.censorshipclearlyisrathernuancedinpractice,sinceformsof\softcensorship"rangingfrompartialob-structiontodistortionofsearchresultstointentionalperformancedegradationtocontentmanipulation,arealsoemerging.Thereisnogroundtruthagainstwhichtovalidatemea-surementtoolsandtechniques.UnlikeconventionalInternetmeasurementtools,whichcanbevalidatedagainstanotionofgroundtruth,itisdiculttode-terminetheaccuracyofcensorshipmonitoringwithoutknowingwhattheuncensoredanduntamperedcontentisinthe\frstplace.Evenifweunderstoodtomeasure,determiningmeasurecensorshipalsopresentsauniquesetofchallenges,sinceacensorcouldattempttodisruptorconfusethemea-surements.First,acensormightblockortamperwithmea-surementsfromamonitoringtool,ordisruptcommunicationtopreventthetoolfromreportingmeasurements.Second, Volume 43, Number 3, July 2013 85 ACM SIGCOMM Computer Communication Review runningatoolthatmonitorscensorshippracticescouldbeincriminating.Finally,usersmaybehesitanttoprovidere-portsaboutsitestheyvisit.Usersofsuchatoolmayalsowishtodeterminethecauseofunreachability(,whethertheunreachabilityisduetokeyword\fltering,blockingofadomainname,etc.),andattributingtheunreachabilitytoaparticularcausemayintroduceadditionalchallenges.ThispaperexploresthesechallengesinmoredetailandadvocatesanewdirectionforInternetmeasurementresearch:wide-areamonitoringofInternetcensorshipandcontrol.InSection2,weexplainwhymonitoringInternetcensorshipentailsanadditionalsetofconcernsfromconventionalInter-netmeasurement.Section3outlinesseveraldesignprinci-plesthatmayhelpcensorshipmonitoringsystemssurmounttheseadditionalchallengesandSection4studieshowtheseprinciplesapplytoOONI,anascentcensorshipmeasure-mentframework.Section5surveysrelatedwork,andSec-tion6presentsaresearchagendaforthisemergingarea.2.CHALLENGESINMONITORINGThissectiondetailssomeofthenewchallengesforde-signingacensorshipmonitoringsystem.WebelievethesechallengeshighlightanimportantsetofconcernsthataredistinctfromconventionalInternetmeasurement.2.1OverviewandContextcensormightinhibitcommunicationinseveralways;weconsiderthefollowingattacks,inincreasinglevelsofsophis-Blocking(completeorpartial).Completelyblockingaccesstoadestination(orblockingtheuseofapro-tocol)iscertainlythemostwidelypracticedformofcensorship.Existingtools(,Herdict)essentiallyreportcompleteblocking.Acensormayalsopractice\partial"blocking,whichmaybesigni\fcantlymorediculttodetect|forexample,aWebpagemightbereachable,butacensormightstillblockcertainobjectsreferencedwithinthatpage.Performancedegradation.Althoughacensormightnotblockaserviceorsiteoutright,wehavepersonallyexperiencedandmeasuredcaseswhereacensor(oranISPthatisactingonbehalfofacensor)degradesperformance(,byintroducingpacketloss)tosuchanextentastomakeaserviceunusable.Contentmanipulation.Acensormightnotblockcon-tent,butinsteadmanipulateinformationasitprop-agatesamongdierentWebsitesorbetweenusers.Oneexampleofthistypeof\softcensorship"mightbetoremovesearchresultsfromauser'ssetofre-sults.Anotherexamplemightbetopropagatever-sionsofanewsstorythatomitormodifykeyportionsofthestory.Athirdexampleofmanipulationmightbetouse\sockpuppet"techniquestocreatethefalseappearanceofindependentopinionsinanattempttopersuadeorin\ruencepublicopinion.2.2Challenge:WhattoMeasureWenowenumerateanddescribevariouschallengesasso-ciatedwithcensorshipmonitoringsystemsthataredistinctfromconventionalInternetmeasurement.Censorshipisinherentlyill-de\fnedOneofthemostdicultaspectsofmeasuringInternetcensorshipisde\fn-ingitsmetrics.Becausecensorshipisrootedintheagendasandactionsofpoliticalactors,itisdiculttoformalizethethreatsorexpressthemquantitatively.Additionally,unlikemanyconventionalnetworkmeasurementproblems,censor-shiphasnosingleaxisormetricalongwhichitmightbemonitoredormeasured;aswedescribedintheprevioussec-tion,censorshipcantakemanyforms,andtechnicalandpo-liticalthreatsarecontinuallyevolving.Finally,thereislittletono\groundtruth"informationavailableabouttheexis-tenceorextentofcensorshippracticesinanygivenenviron-ment,sodeterminingtheeectivenessofvariouscensorshipmonitoringtoolscanbedicult.Ratherthanconstructingtoolsformeasuringcensorshipingeneral,wenarrowlyscopespeci\fctypesofcensorshipandmonitorcensorshipbehaviorinthecontextofeachmore-limiteddomain.ContentmanipulationmaybediculttodisambiguatefrompersonalizationorregionalizationUltimately,weaimtomonitornotonlycasesofoutrightblocking,butalsoinstanceswhereanorganizationhasmanipulatedcontenttosuititsinterests.Webelievethatthistypeof\softcen-sorship"maybethenextwaveofInternetcontrol.Gov-ernmentsthataresavvyaboutinformationcontrolmayul-timatelynotblockservicessuchasTwitter,Facebook,orpopularnewssites,butrathermanipulatethecontentfromtheseservicestobetteradvancetheirownagendasandservetheirowninterests.Similarly,recentcasesof\\flterbubbles"mayalsoemerge,whereacertainuserorgroupofusersseesdierentinformationfromanothergroup.Whetherthesourceofa\flterbubbleispersonalizationortheresultofcontentmanipulationbyagovernmentmaybediculttodisambiguate,but,foramonitoringsystem,thisdistinctionmaynotmatter:ultimately,thesystemcouldreportdif-ferencesincontentretrievedfromvariouslocations(andasvarioususers)andallowtheuserstodrawtheirownconclu-sionsaboutthecauseofthesedierences.PreservinguserprivacyisdicultwhendetectingmorenuancedformsofcensorshipSomeformsofsoftcensorshipmightinvolveintentionalperformancedegrada-tionorcontentmanipulation.Detectingthistypeofbehav-iorwouldrequirecomparingperformanceorcontentacrossgroupsofusers,butsuchacomparisonalsoimpliesthateachusermustrevealtheirbrowsinghistory.Thisstrongrequirementandconcernforuserprivacyalsoconstitutesasigni\fcantdierencefromconventionalnetworkanalysis,whichtypicallytakesplacewithinasingleorganization.Accuratedetectionmayrequirealotofdatathoughnearlyallnetworkmeasurementsencounterthisprob-lem,itholdsheightenedimportanceinanadversarialenvi-ronment.Severalfactorsin\ruencetheamountofdatare-quiredforaccuratecensorshipdetection.Detectingmoregranularcensorshiprequiresmoredata;forexample,tar-getedcontentmanipulationofafewunpopularWebpagesrequiresmoredatathenwholesalecountry-wideblocking.Faultyormaliciousmonitors,spuriousaccesslinkfailures,andmomentarycongestionalladdnoise,whichincreasestheamountofdatarequired.Finally,moresophisticatedcen-sorshipschemesrequiremoredatapermeasurement;forex-ample,detectingcontentmanipulationonaURLmightre-quirerecordingentiredocuments,butdetectingblockingofthesamedocumentwouldonlyneedasinglebooleanvalue. Volume 43, Number 3, July 2013 86 ACM SIGCOMM Computer Communication Review 2.3Challenge:HowtoMeasureMeasurementsmustcontendwithanadversarylikeconventionalInternetmeasurementtools,thosethatmeasureInternetcensorshipmaybesubjecttocensorshipthemselves,particularlyiftheprotocolsormonitoringau-thorityareeasilyidenti\fable.Toremainrobusttoblocking,suchamonitoringsystemmightthusrelyonasystemthatprovidesarobustandcovertchannelforcircumventingcen-sorship,suchasInfranet[9]orCollage[2].Bothofthesetoolsrequirebothcommunicatingpartiestoexchangese-cretkeysthatformthebasisofthecommunicationchannel;thesekeyscouldbedistributedwiththesoftwareitself.(Wediscusschallengesofsoftwaredistributionbelow.)Othercircumventiontoolsthatfocusonanonymitybutnotdenia-bility(,TorwithoutPluggableTransports[8])maynotbesuitableforthispurpose,asthepresenceofencryptedcommunicationmightbeincriminatingandcouldalsobeblocked(asacaseinpoint,IranblockedallSSLcommuni-cationsearlierthisyear.)Monitoringagentsmaythemselvesbeadversarial.Be-causeeachagentperformsindependentmeasurementsfromauniquevantagepoint,itmaybediculttoverifytheac-curacyofthesereports.Tosurmountthischallenge,thesys-temmustcorrelatedatafrommultipleindependentsources,aswediscussinSection3.Evenifmeasurementsthemselvesareaccurate,users'ac-cesstoreportsmaybeblocked.Usersshouldhavearobustanddeniablemeansforaccessingreportsaboutthecensor-shipofvariousInternetdestinationsandservices.Ifthesystemrequiresuserstoqueryinformationaboutcensors'attemptstodisruptcommunication,thensuchqueriesfromtheusershouldbebothrobust(,itshouldbedicultforthecensortoblocktheserequests)anddeniable(itshouldbedicultforacensortodeterminethatauserisinquiringaboutcensorship).Similarconcernsapplyifthisinformationisinsteadpassedtousersviaacontinu-ousfeed,althoughthesheervolumeofsuchafeedmightbeprohibitiveorarousesuspicion.Inlightoftheserequire-ments,systemsthatprovidedeniabilitytotheparticipantswhoexchangemessages,suchasCollageorInfranet,maybeappropriateforservicingthesetypesofqueriesorperi-odicallydisseminatingupdatestotheuseraboutsitesthathavebeenblocked.Usersmustacquireandinstallmonitoringagentscauseaccurate,robustreportingofreachabilityinformationentailsreachabilitymeasurementsfrommanyindependentvantagepoints,usersmustbeabletoeasilyacquireandin-stallmonitoringagentsoftware,andtheymustbewillingtodosowithoutfearofincrimination.Dualuse,whichwoulddesignthemonitoringsoftwareforpurposesotherthancen-sorshipmonitoring,mightmitigatethischallenge.Onepos-sibilityfordualuseinthiscaseistohaveusersdeploymon-itoringagentsthatperformreachabilitytestsfornetworkmanagementortroubleshootingpurposes.Censorshipisjustoneofmanypossiblecausesforunreachabilitythatsuchatoolmightobserve(,ifthetoolhelpedpinpointothersourcesofproblems,suchascongestion,DNSfailure,ornet-workcon\fgurationproblems),andsuchatoolmightneverevenexplicitlymentionthatasitewas\blocked".Ausermightdrawhisorherownconclusionsaboutwhethercen-sorshipisalikelycausefortheobservedreachabilityprob-lemsorotherartifactssuchasperformancedegradationordierencesincontent.Operatingthemeasurementtoolorperformingcer-tainmeasurementsmaybeincriminatinginformationaboutcensorshiprequiresmakingobservationsfromuservantagepoints,eitherbymeansofsoftwarein-stalleddirectlyonclientmachinesorperhapsfromanet-workrouterorswitchpositionedatthenetworkedge(aBISMarkrouter[1]).Ineithercase,performingthesemea-surementsmightservetoincriminateauser,particularlyifthesoftwareperformsactivemeasurementsofreachabilityfroma\targetlist"thatincludesdestinationsthatausermightnotordinarilyvisit.Concealingthesemeasurementspresentsachallenge,becauseanyattempttoconcealthemeasurementsmayalterthenetworktracinawaythataf-fectsthecensor'sdecisionaboutwhetherthattracshouldbeblocked,disrupted,ortamperedwith.3.MEASUREMENTPRINCIPLESWeintroduceandmotivateseveralprinciplesthatcanhelpguaranteerobust,accuratemonitoringofcensorship.Correlateindependentdatasources.Accurate,robustmonitoringofcensorshiprequiresveri\fablereportsabouttheavailabilityofvariousdestinationsandser-vices.Inatypicalsettingwheretheidentityofasenderistrusted,theinformationthatanagentreportscouldbever-i\fedbycheckingthemessage'ssignature.Unfortunately,thesemonitoringagentsmayberunbyavarietyofun-trustedsources(possiblyevenbythecensorsthemselves);thissituationcreatesthepossibilitywherebyanyindividualmonitoringagentmightproduceinaccurateorintentionallyfalsereports.Toaccountforthispossibility,weadvocateamonitoringsystemthatincorporatesinformationfromavarietyofindependentsources,ratherthanusingonlyonetypeofdatatoinfercensorship.Forexample,reachabilityinformationmightcomefromthefollowingsources:Webserveraccesslogsatvariousdestinationscanpro-videinformationaboutwhichclientsareabletoaccessthesite,andfromwhere(,geography,ISP,etc.).Asuddendecreaseinaccessesfromanyparticularre-gionofIPaddressspace,ISP,orcountrymightsuggestClient-sideloggingaboutuserdownloads,fromtheAlextoolbar)canobservethereachabilityofvari-ousdestinationsfromclients,and,whenmeasurementsfail,thelikelycauseofthosefailures(,TCPcon-nectionreset,DNSlookupfailure).Homeroutersarealwaysonandcandirectlymeasureconnectivityissues,sincetheycanmeasurereachabil-itydirectlyfromanaccesslink,independentlyofthehostorlocalnetworkcon\fguration.DNSlookupsvisiblefromrecursiveresolvers(,attheaccessISP)oratthetop-leveldomain(,atanauthoritysuchasVerisign)canprovideinformationaboutwhetherDNSrequestsarebeingsuccessfullyissuedfromhostsordownstreamrecursiveresolvers.SimilarlytomonitoringWebaccesslogs,monitoringDNSlookupbehaviorcanexposeanomalies,suchasa Volume 43, Number 3, July 2013 87 ACM SIGCOMM Computer Communication Review suddendropinlookupstoaparticulardomain,orasuddendropinlookupsfromaparticulargeographicregionorISP.Separatemeasurementsfromanalysis.Thisprinciplesuggeststhatmeasurementsbeconductedseparatelyfromtheanalysisthatdeterminesthelikelycauseofproblems.Theprimaryreasonforseparatingthesetwocomponentsistoallowtheanalysistoincorporatemea-surementsfromavarietyofsources,includingsourcesthatareoutsidethereachofthecensor.Thisseparationmayalsohelppreservethedualuseproperty:monitoringagentswhoperformmeasurementsaboutavailabilitycanplausi-blyclaimtheyareperformingthemeasurementsforthepurposesofnetworktroubleshootingormanagement.Mea-suringtheavailabilityofservicesanddestinationsisanin-nocuousactivitythatcanbeattributedtoeverydaynetworkmanagementorperformancemonitoring,thusmakingtheprocessofperformingmeasurementslesssuspicious.Forexample,ausermightrunamonitoringagentonahomenetworkgatewayorasabrowserextensiontoprovideinfor-mationabouthighpacketlossratesorlatencies;thatmon-itoringagentwouldlikelynotbeabletoattributecausethepoorperformance,butratherwouldreportthosemea-surementstoacoordinatingauthority,whichmightthenperformcorrelationstobetterattributethecauseoftheper-formancedegradation.Separateinformationproducersfrominfor-mationconsumers.MeasuringthereachabilityofvariousInternetdestinationsandservicescanbeseparatedfromreceivingaggregatedin-formationorstatisticsaboutthereachabilityofdierentsites.Usersthatmeasurereachabilityofvariousdestina-tionsneednotbethesamesetofuserswhoaccessthatinfor-mation.Separatingthechannelsthatmeasurereachabilityfromthosethataccessthatinformationmakesitmoredi-cultforacensortodisruptthesechannels.Italsofacilitatesgatheringinformationfromavarietyofsources(,homerouters,browsertoolbars,userreports,andothermeasure-mentservices),sincetheprocessofgatheringinformationisdecoupledfromtheprocessofreportingittousers.Finally,thisseparationmayalsoimprovedeniabilityforusers.Employ\dual-use"scenarioswhereverpos-sible,toimproverobustness.Atoolthatexclusivelymonitorscensorshipmaybemoredif-\fculttodeploythanonewhichservesanotherpurpose,suchashelpingnetworkoperatorsperformnetworktroubleshoot-ing.Asanexample,atoolmightrunperiodicthroughputteststodierentdestinations,orexecutedownloadstopop-ularWebsites,tomonitordownloadorpagerendertimesandalertauserornetworkoperatorwhenthesetimesex-ceedacertainthreshold;certainnetworkmonitoringplat-forms(,SamKnows)alreadyperformregulardownloadteststotopWebsites.Suchtestsnaturallyservetomonitoraccessnetworkperformance,butanomaliesinreachabilitytothesesitescouldalsosuggestmalfeasance.Ifcensorshipmonitoringisasecondarypurpose(or,betteryet,asideef-fect)ofthemonitoringagent'sfunctions,usersmaybemorewillingtodeployitandcensorsmay\fnditmorediculttojustifyblockingthetooloritsreports.Therefore,weshould,totheextentpossible,collectmonitoringdatafromdeployedperformancemonitoringandtroubleshootingtools.Adoptexistingtechniquestoproviderobustchannelsformeasuring,reporting,andaccessingreports.Acensormaystillattempttoinhibitacensorshipmonitor-ingsystem,inspiteofthefactthatthetoolservesotheruse-ful,innocuouspurposes.Assuch,suchasystemmayneedtouseexistingcircumventiontoolsforcommunication,par-ticularlywhendisseminatinginformationaboutavailabil-ityproblemsandtheirpossiblecausestousers.Manyofthesechannels(,Collage)mightbeextremelylowband-width,sothesystemcouldperiodicallypushinformationaboutsitesthathavebeenblockedortamperedwithtousersratherthanhavingtheusersrequestthatinforma-tiononasite-by-sitebasis.Ontheotherhand,designingacommunicationchanneltosendmonitoringreportsoranal-ysisresultsthroughacensorship\frewallmaybeeasierthancircumventingcensorshipinthegeneralcase,sincewecanmakemoreassumptionsabouttheformat,size,ortimelinessofthedata.Heedandadapttocontinuallychangingpo-liticalandtechnicalthreats.UnlikeconventionalInternetmonitoring,thepracticeofmon-itoringInternetcensorshipisacontinuallymovingtarget,sincegovernmentsandorganizationscontinuallydevisenewtacticsfordisruptingcommunication.Hence,webelievea\plugandplay"censorshipmonitoringsystemwillneverexist:anymonitoringsystemwillquicklyberenderedinef-fectivebyrapidlyevolvingattemptstoblockordisruptit.Maintaininganeectivecensorshipmonitoringsystemwillrequireexpertiseinavarietyofdomains,including,butnotlimitedto,publicpolicy.4.CASESTUDY:OONITheTorProjectrecentlyproposedtheOpenObservatoryofNetworkInterference(OONI),aframeworkforobservingblocking,performancedegradation,contentmanipulation,andotherformsofnetworkinterference[10,15].Figure1illustratesOONI'sconceptualarchitecture.Inspiredbyunittestingframeworks,developersuseOONItowriteenceteststhatrunonmanyindependentprobesdeployedatthenetworkedge.Thesetestsmeasureinformationaboutavarietyofservices.ExamplesofprobesareWebbrowserextensions,homerouters,andstandaloneprogramsrunningonclients.Monitoringcanbeactive,inwhichcaseitistriggeredbya\targetlist"ofdestinationsprovidedbyacentralauthority,otheruserreports,oreventheoperatoroftheprobeitself;activetestscanuseOONITestHelpers,whichareservicesoperatedspeci\fcallytoassistOONImea-surements.Measurementscanalsobepassive,whereprobescollectinformationaboutusers'normalinteractionswithservices.TheOONItestauthordecidesthetypeandextentofinformationcollectedbasedonthekindsofinterferencehewantstodetect.Forexample,detectingblockingrequiresreachabilityinformation,detectingperformancedegradationrequires\fnergrainedperformancestatistics,anddetectingcontentmanipulationrequiresdocumentcontents. Volume 43, Number 3, July 2013 88 ACM SIGCOMM Computer Communication Review Figure1:OONI'sconceptualdesignandpossibleat-tackpoints.Bothmeasurementsandmeasurementresultsmustcontendwiththreatsfromadversaries.Webrie\rystudyOONI'sadherencetotheprinciplesweintroducedinSection3:Principle1(Correlateindependentdatasources):OONIdeveloperswriteteststhatcollectdatafromanynum-berofsources,andrunonanynumberofendhosts.Al-thoughOONItestsareenvisionedtorunatthenetworkedge,theycouldtheoreticallyoperateoncentralizeddatalikeserverlogs.Principle2(Separatemeasurementsfromanalysis):OONIProbessendmeasurementstoanOONIbackend,whichstoresallmeasurementsinapublicdatarepository,M-Lab[14]).Third-partyresearcherscandownload,analyze,andinterprettheserawmeasurements.Principle3(Separateproducersfromconsumers):ThirdpartyresearchersconsumeOONImeasurementsfromacentralrepositorythatisdecoupledfromdatacollection.Principle4(Employ\dual-use"scenarios):OONIisaframeworkforwritingnetworkinterferencetestsbutspec-i\fesnothingabouthowthosetestsarepresentedtousers.OONItestdeveloperscouldemploytheirowndual-usesce-nariostodriveadoptionoftheirtests.Principle5(Useexistingsecuritytechniques):ProbessendtheirmeasurementstotheOONIbackendus-ingTLSoverTor.Thisnotonlyassurescon\fdentialityandintegrityoftestmeasurements,butalsoshieldstheIPad-dressoftheProbe;testdevelopersmuststillbecarefulnottocompromisetheProbeidentitiesinthemeasurementdataitself.IfTorisinaccessibleusersmayuseacovertchanneltoaccesstheTornetwork(,StegoTorus[19]).Atthebackend,measurementsarestoredinasecuredatacenterandcanbeaccessedwithTLSorthroughTororanothercensorshipcircumventiontool.Principle6(Adapttoevolvingthreats):OONIplacestheonusofadaptingtonewthreatsontestdevelopersbygivingthemsigni\fcant\rexibilityintestauthorship.Ulti-mately,humansmustmonitorandrespondtotheglobaltechnicalandpoliticallandscape.5.RELATEDWORKAlongwithOONI,TheTorProjecthoststheTorCensor-shipDetector,whichmonitorscensorshipoftheTornetworkitselfandoftenobservesnation-widecensorshipasasideef-fect[5].DatafromthedetectorcouldcorroborateOONI'smeasurementsoftheTornetwork.OONIgrewfromadesiretoexpandonearlierstudiesofcensorship[11,6,7].SeveralprojectsattempttomeasuretheextentofvariousformsofInternetcensorship.Perhapsthemostwell-knownprojectisGoogle'sTransparencyReport[12],whichshowsaccesspatternstovariousGoogleservices(,search,mail,news)fromaroundtheworld.Unfortunately,therawinfor-mationregardingreachabilitytotheseservicesisnotpub-liclyavailable,andtheinformationislimitedtoGoogleser-vices.TheReportalsolacksanautomatedmechanismforinferringoutagesfromthedataitreports.Shouldanyin-formationfromtheTransparencyReportbecomepubliclyavailable,itwouldstillneedtobecombinedwithinforma-tionfromotherindependentdatasources,forthereasonsdiscussedinSection3.TheBerkmanCenter'sHerdictprojectgathersreportsfromusersaboutthereachabilityofvarioussitesusingman-ualreportsfromusers[13].ThemanualnatureoftheseuserreportsandthelackofindependentsourcesofreachabilityinformationrequirestheoperatorsoftheHerdictservicetomanuallyverifyeachreport;hence,themonitoringeortcannotbeparticularlylarge-scale.Severaleortsfocusspeci\fcallyonChina.CrandallperformedInternetmeasurementstostudythekeyword\flteringimplementedbytheGreatFirewallofChina,andfoundthateectivecensorshipdoesnotrequiretheblockingofeveryillicitword,butmustsimplyblockenoughtopro-moteself-censorship[4];theyalsoproposedanarchitectureformaintaininga\weatherreport"aboutthekeywordsthatare\flteredovertime.Claytonetal.studiedtheChinese\frewall'simplementationof\flteringbasedonTCPconnec-tionresetsusingmeasurementstoasingleWebserverforeachborderAS[3];suchatoolcouldbeausefulinputtoourproposedsystemifappliedacrossawidervarietyofdes-tinationsandclients.SeveralprojectsstudycensorshiparoundtheworldfromPlanetLabvantagepoints.CensMonprobesforDNS,IP,andHTTP\flteringfromPlanetLabandpresentscompellingpreliminaryevidenceofcensorshipinChina[16].VerkampandGuptaobservecensorshipoutsideChinathroughacom-binationofPlanetLabnodesandcase-by-caseedgemeasure-ments[18].PlanetLabmeasurementsareconvenientforre-searchers,butitsvantagepointsarehostedonuniversitynetworksthatmaynotbeaectedbycensorshipinthesamewaysashomeusers.TruthyanalyzesandvisualizeshowinformationspreadsacrossTwitterandtriestoidentifyburstsofactivityaroundmemes[17];itsmemedetectionalgorithmscouldserveasa Volume 43, Number 3, July 2013 89 ACM SIGCOMM Computer Communication Review usefulstartingpointforhelpingtracktheemergenceofsockpuppetsorastrotur\fngcampaigns.Althoughourproposedmonitoringsystemfocusesonmon-itoring,notcircumvention,arobust,accuratemonitoringsystemcouldhelpdeterminetheeectivenessofexistingcir-cumventiontools[8,9,2,20].6.SUMMARYANDRESEARCHAGENDAThechallengesandopportunitiesweoutlinedinthispo-sitionpapermakethecaseforanewclassofInternetmea-surement,focusedonmeasuringInternetavailabilityinthefaceofadversaries.Perhapsoneofthemostsigni\fcantdierencesofcensorshipmonitoringfromconventionalIn-ternetmeasurementisthatthetechnicalaspectsofper-formingthemeasurementsarenotthemostdicultchal-lenge.Speci\fcally,determiningthataparticularsitehasbeenblocked|orevenwhattechnologyacensorisusingtoexecutecensorship|isdoable;determiningwhichpartofasite'scontenthasbeentamperedwithishardbutstilldoablegivensucientmeasurementdata;whatismoredif-\fcultisdeterminingaparticularsiteisbeingblocked,and,speci\fcally,whatcontent(,keyword,topic,domain,author)triggeredthecensortoblockit.Theresearchcom-munityshouldachievethislevelofunderstandingthroughdeeperinference,andbyincorporatinginformationfromawidevarietyofsources,includingusers,ISPs,Websiteop-erators,companies,universities,andadvertisers.Animmediatenextstepintheresearchagendaforcensor-shipmonitoringistoexploredierentinformationsourcesanddeterminethetypeofinformationtheymightprovideforhelpingusersinferavailabilityproblemsandtheircauses.Forexample,inthispaper,wehaveroughlyoutlinedhowserverlogs,clientrequestresults,homerouters,DNSlookups,andwide-areameasurementsmighteachcontributetoabetterunderstandingofcensorshippractices,butthelion'sshareoftheworkwillbetoanalyzeeachofthesesources(andpossiblyotherdatasources)morethoroughlytoun-derstandwhatinformationtheycanprovideindependently,howreliablethatinformationmightbe,andhowtheseinfor-mationsourcesmightbecoalescedtoproducemorerobust,reliablereports.Ultimately,asgovernmentsandorganizationsbecomein-creasinglysavvy,theymayvariouscommunicationme-diaastoolsforin\ruenceandpersuasion,ratherthansimplyblockingthem.Forexample,\sockpuppet"and\astro-tur\fng"behaviorarewell-known,buttherehasbeenlittleattempttomonitororquantifytheseeectsonalargescale,andtodayauserhasnowayofknowingwhetherthecon-tenttheyreceiveispartofasock-puppetorastrotur\fngcampaign.Additionally,citizensmaybesubjecttocasesofcontentorinformationmanipulationwherebycontent(anewsstory)isalteredasitistranslated,paraphrased,orcopiedtoadierentWebsite.Ascensorshipandinfor-mationcontrolbecomemoresophisticated,techniquesformonitoringcensorshipwillalsoneedtoevolvetoexposenewformsof\softcensorship".AcknowledgmentsThisworkwasfundedinpartbyNSFawardCNS-1111723andaGoogleFocusedResearchAward.WethankHansKleinforvaluablefeedbackonthiswork.7.REFERENCES[1]BISMark:BroadbandInternetServiceBenchmark.[2]S.Burnett,N.Feamster,andS.Vempala.Chippingawayatcensorship\frewallswithuser-generatedcontent.InProc.19thUSENIXSecuritySymposiumWashington,DC,Aug.2010.[3]R.Clayton,S.Murdoch,andR.Watson.IgnoringtheGreatFirewallofChina.InPrivacyEnhancingTechnologies,pages20{35.Springer,2006.[4]J.Crandall,D.Zinn,M.Byrd,E.Barr,andR.East.ConceptDoppler:AWeatherTrackerforInternetCensorship.InProceedingsoftheACMConferenceonComputerandCommunicationsSecurity(CCS)Arlington,VA,Oct.2007.[5]G.Danezis.Ananomaly-basedcensorshipdetectionsystemforTor.papers/detector-2011-09-09.pdf,Sept.2011.[6]R.Deibert.Accessdenied:Thepracticeandpolicyofglobalinternet\fltering.MITPress,2008.[7]R.Deibert.Accesscontrolled:Theshapingofpower,rights,andruleincyberspace.TheMITPress,2010.[8]R.Dingledine,N.Mathewson,andP.Syverson.Tor:Thesecond-generationonionrouter.InProc.13thUSENIXSecuritySymposium,SanDiego,CA,Aug.[9]N.Feamster,M.Balazinska,G.Harfst,H.Balakrishnan,andD.Karger.Infranet:CircumventingWebcensorshipandsurveillance.InProc.11thUSENIXSecuritySymposium,SanFrancisco,CA,Aug.2002.[10]A.FilastoandJ.Appelbaum.Ooni:Openobservatoryofnetworkinterference.InUSENIXFOCI,Aug.2012.[11]P.Gill.Characterizingglobalwebcensorship:Whyisitsohard?PresentedattheWorkshoponActiveInternetMeasurements,Feb.2013.[12]GoogleTransparencyReport.[13]HerdictWeb:TheVerdictoftheHerd.[14]MeasurementLab.,Jan.[15]Openobservatoryofnetworkinterference.[16]A.Sfakianakis,E.Athanasopoulos,andS.Ioannidis.Censmon:Awebcensorshipmonitor.InFOCI,Aug.2011.[17]Truthy.[18]J.-P.VerkampandM.Gupta.Inferringmechanicsofwebcensorshiparoundtheworld.InProceedingsofthe2ndUSENIXWorkshoponFreeandOpenCommunicationsontheInternet,Aug2013.[19]Z.Weinberg,J.Wang,V.Yegneswaran,L.Briesemeister,S.Cheung,F.Wang,andD.Boneh.Stegotorus:acamou\rageproxyforthetoranonymitysystem.InProceedingsofthe2012ACMconferenceonComputerandcommunicationssecurity,pages109{120.ACM,2012.[20]E.Wustrow,S.Wolchok,I.Goldberg,andJ.A.Halderman.Telex:AnticensorshipintheNetworkInfrastructure.InProc.20thUSENIXSecuritySymposium,SanFrancisco,CA,Aug.2011.