May 4, 2013
In the last week of April, users on select ISPs found they could not access certain websites critical of the ruling government. These ISPs include (but are not limited to) Unifi, TM, Celcom, Digi, and Maxis; however, services offered by Time and YTL did not appear to be affected.
At the time, staff at one of the country’s most popular independent news sites, Malaysiakini, complained to the country’s media regulatory body, the Malaysian Communications and Multimedia Commission (MCMC), and interference ceased. But days later, users were experiencing new difficulties accessing select content, again on the same five ISPs: Unifi, TM, Celcom, Digi, and Maxis.
Unlike before, the second time around, filtering was far more specific. Initially entire domains (and therefore whole websites) were being blocked. This time around, the filtering seemed to target specific content, such as YouTube videos with political content that could be deemed embarrassing to the ruling government.
And instead of blocking content outright, the block was implemented in the traffic stream coming back from the content provider, such as YouTube. Users were able to open a connection to YouTube, but were not receiving any data back. Their connection would ‘hang,’ or fail to complete bidirectionally, in a manner that resembled a problem on the sending server side (YouTube), rather than outright blocking.
Evidence of Network Interference
Working with local partners, Access was able to determine that unencrypted communications seeking political content on those five ISPs, whether directly with YouTube or via proxies to YouTube, experienced this failure in the return data stream. The failure occurred even when a proxy was configured to use non-standard transmission ports, indicating that the interference was being triggered via either deep packet inspection (DPI) or on the HTTP path in the request to the server, rather than by more ‘standard’ IP address and port blocking.
When Access’s partners attempted to use an encrypted tunnel out of Malaysia, YouTube returned data downstream per usual, further indicating the use of either DPI or HTTP path based interference, as neither the HTTP path nor packet content is available to the ISP when users transmit requests via an SSH encrypted tunnel.
Packet capture testing demonstrated that requests using proxies always dropped return packets between the proxy server and the end user, indicating that the interference was happening in the ‘near’ network, i.e., their local ISP, rather than in the ‘far’ network, near the YouTube server request.
Further experiments that appended some junk bytes to the URL path of a YouTube request resulted in the video being available via normal downstream provision, suggesting a transparent proxy or DPI device at the ISP level dropping return packets directed to the user, based on the trigger mechanism of HTTP Path.
Further testing also indicated that when the HTTP request was sent fragmented from the user, it defeated the interference mechanism, and the YouTube video was again streamed back as per normal to the user. This behavior points to the likely use of DPI or proxy devices at the ISP level, with custom (if poorly) written rules to first trigger off the HTTP path portion of the URL, and subsequently drop packets on the server to user return path.
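The differential reasoning in the tests above can be written down as a small classifier over probe results. This is an added example, not code from Access or its partners; the probe labels, field names and byte counts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    channel: str         # "direct", "proxy_altport" or "ssh_tunnel" (labels assumed here)
    path_variant: str    # "original" or "junk_suffix" (junk bytes appended to the URL path)
    fragmented: bool     # HTTP request split across several TCP segments
    bytes_returned: int  # payload bytes that reached the user on the return path

# Constructed sample results mirroring the outcomes the article reports.
SAMPLE = [
    Probe("direct", "original", False, 0),
    Probe("proxy_altport", "original", False, 0),
    Probe("ssh_tunnel", "original", False, 48213),
    Probe("direct", "junk_suffix", False, 51002),
    Probe("direct", "original", True, 47950),
]

def outcome(probes, **want):
    """True if all matching probes got data, False if none did, None if untested or mixed."""
    hits = [p.bytes_returned > 0 for p in probes
            if all(getattr(p, k) == v for k, v in want.items())]
    return hits[0] if hits and len(set(hits)) == 1 else None

def diagnose(probes):
    """Turn probe outcomes into the inferences drawn in the text, in the same order."""
    plain = {"channel": "direct", "fragmented": False}
    if outcome(probes, path_variant="original", **plain) is not False:
        return ["no consistent interference on the plaintext baseline"]
    findings = []
    if outcome(probes, channel="proxy_altport", path_variant="original") is False:
        findings.append("rules out IP/port blocking: fails via proxy on a non-standard port")
    if outcome(probes, channel="ssh_tunnel") is True:
        findings.append("tunnel unaffected: consistent with inspection of plaintext at the local ISP")
    if outcome(probes, path_variant="junk_suffix", **plain) is True:
        findings.append("trigger is the HTTP path: same host, altered path is delivered")
    if outcome(probes, channel="direct", path_variant="original", fragmented=True) is True:
        findings.append("fragmented request passes: consistent with per-packet matching, no reassembly")
    return findings
```

Each finding depends on the failing plaintext baseline, so a run in which the baseline succeeds or gives mixed results reports nothing beyond that.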
There is evidence of content at both YouTube (e.g. hHTz22bTBRw and uVWxB4AWOxc) and specific pages on Facebook (e.g. /DAPMalaysia) being affected. Facebook content is available to users using encrypted channels, but unavailable using plaintext HTTP, which is consistent with other evidence of interference.
It is worth noting that as of yesterday, May 1st, the CitizenLab at University of Toronto’s Munk School released its latest report, For Their Eyes Only: The Commercialization of Digital Spying, which identified the presence of a sample of FinSpy, the surveillance software manufactured by UK-based Gamma Group, that “appears to be specifically targeting Malay language speakers, masquerading as a document discussing Malaysia’s upcoming 2013 General Elections.” This Malay-language sample presents “as Mozilla Firefox in both file properties and in manifest;” Mozilla, long an advocate for user rights, this week announced its intention to sue Gamma for “offensive” trademark violation.
This is not the only form of ‘network interference’ occurring in Malaysia in the lead-up to the elections this weekend. There is evidence of jamming of radio stations critical of the government, as well as Distributed Denial of Service (DDoS) attacks and hacking attempts against independent media, blogs, and opposition party websites, and efforts to compromise social media accounts publishing content favorable to the political opposition.
Malaysia’s legally mandated Open Internet
Despite the interference currently in evidence on Malaysia’s networks, the country has a legal mandate to defend a free and open internet, as per the Malaysian Communication and Multimedia Act of 1998. This mandate is overseen by the MCMC, an independent regulator tasked with oversight of mobile and internet providers.
Malaysiakini, the independent news site, filed another request with the MCMC, asking the agency to station its people at local ISPs to ensure uninterrupted access on Sunday’s polling day. The publication’s CEO and co-founder, Pramesh Chandran, emphasized the need for free and unfettered communications as a fundamental need in democratic practice, and expressed concern that if networks were to be restricted, the inability of citizens to access information about the electoral outcomes could be dangerously destabilizing.
Meanwhile, Human Rights Watch has issued a statement condemning pre-election violence, as well as the online attacks. Access will continue to run network analysis and report on the data over the coming days.
Georgetown University graduate Aasil was also the young man who got me started on blogging in 2007 when we both were part of the team in Anwar Ibrahim’s Office. He showed me how I could be an effective human rights, justice and democracy advocate via my own blog. He now resides in Washington DC. I hope I have done justice to him and others around the world who are passionate about, and are putting their careers and lives on the line for, these great causes by having my own blog http://www.dinmerican.wordpress.com