The Web Unravels
September 17, 2019 by
On June 6, 2019, China Telecom forced vast swathes of European mobile phone traffic to be re-routed through Chinese servers for more than 2 hours. This was not the first time this had occurred, and such Border Gateway Protocol leaks are usually caused by mistake.
The duration of this leak, affecting 70,000 routes from France, The Netherlands and Switzerland was, however, deemed to be highly suspicious. This incident was only the latest in an expanding series of attempts by the Chinese and the Russians to explore ever more intrusive ways to conduct cyber campaigns against other countries, while at the same time seeking to control what their own citizens can and cannot access on the internet. Concerns about these efforts in the West have led to an escalation of efforts to deter what many security experts believe is a full scale effort to use technology to access and manipulate a wide range of systems from elections to utilities and transportation. The threat by the USA to name Chinese telecommunications company Huawei a “restricted entity,” thereby making it a crime to do business with it, has focused the world’s attention on the increasingly problematic nature of doing business in a “platform” economy. If this is the end of the “world-wide” Web as we have known it, it will become critical for global companies to establish clear protocols of what is becoming a distinct and disconnected internet. The challenge to global trade created by threatened tariff wars is already having an impact on global supply chains. The “polynet” threatens at least as much if not greater disruption.
While democratic societies are only beginning to grapple with attempts to undermine their electoral processes, some authoritarian regimes, notably China, have spent more than a decade ensuring that the internet poses no challenge to control of thought and speech. The “Great Firewall of China” will never be completely impermeable, but within the past two years the consolidation of power by Xi Jin Ping has led to renewed efforts to make “forbidden” content impossible to post by and invisible to see for mainland Chinese citizens. By 2019, China had purportedly increased the number of state employees monitoring citizens’ use of the internet to two million, approximately the size of Houston’s population. Established in 1999, the Chinese firewall was established very early in the evolution of the internet, enabling its censorship ecosystem to grow organically as the internet grew. China’s almost complete control of the domestic internet is enabled by the fact that all telecommunications are licensed by the state Ministry of Industry and Communications Technology and also through the domination of the Chinese market by a handful of fiber optic cable companies who control the ten access points to the internet backbone, all of whom are fully compliant with Chinese state requirements.
In addition to this control at the core, China’s enforcement of its prohibition of banned content has led to widespread self-censorship by internet service providers, ensuring that most Chinese never see anything related to historical events such as the Tiananmen Square massacre or even the #MeToo movement. Self-censorship is backed up by the technically straightforward blocking of IP addresses through a black list of sensitive or undesirable URLs. This process is reinforced by a range of Domain Name System (DNS) tricks including hijacking DNS requests with “banned” keywords, injecting forged replies to DNS requests and falsifying the responses, effectively blocking any access to undesirable sites.
Virtual Private Networks (VPNs) have, up to now, been the only way for Chinese citizens in China to access forbidden content but even this approach is now under threat. In 2017, China began to prosecute VPN providers and in 2019, fined a Chinese citizen for using a VPN. Experienced Chinese users of VPNs note that the Chinese Government tends to harden its response to VPNs in advance of key dates such as government summits but has exercised some caution in attempting to enforce an outright ban, understanding perhaps that such a ban would result in considerable chaos for corporations as much as individuals, leading to exactly the kinds of unrest and opposition Chinese state censorship is designed to suppress.
While the evolution of the Russian internet has taken a different path from that of China and was, in its early years, significantly less controlled by the state apparatus, it is clear that Vladimir Putin’s Government is attempting to chart a new more tightly controlled path. Since the public Russian protests of 2011-2013, involving culture warriors such as the popular band, Pussy Riot, the Russian Government has gradually ratcheted up its level of censorship, with a comprehensive blacklist of URLs and the banning of VPNs. It is probably not a coincidence that its attempts to do so paralleled the now widely understood efforts by the Kremlin to distort and undermine elections in democratic countries in Europe and in the USA through the dissemination of fake news, troll bots and even fake social media-driven events purporting to be genuine “Black Lives Matter” protests.
In 2019, in an alleged response to the US reaction to Russian cyber warfare, the Russian parliament passed legislation that initiates a process whereby Russia develops an alternate DNS that could be brought on line if the internet were ever disabled, or if it were to become politically desirable for the Russian Government to disconnect the country from the global Web. The bill, which goes into force in November 2019, would compel all internet traffic to flow through servers controlled by Roscomnadzor, the Kremlin internet censor, as the Financial Times reports. Viewed in combination with other Russian controls such as the banning in 2018 of Telegram, the popular messaging app, it is clear that the Putin Government see a different future for the internet in Russia than in the rest of the world.
Not surprisingly, the third country that has taken major steps to isolate its local country internet is Iran. It already shares similar systems to block IP addresses and ban social media sites such as Facebook and Twitter, but Iran has been developing its own so-called “halal” internet for a number of years. Formally known as the Iran National Information Network, the system is apparently close to testing its ability to disconnect although its plans to do so in May 2019 were allegedly delayed. These efforts have all been portrayed as a way to protect Iranian youth from external corruption and the Iranian economy from cyber-attacks. According to the Iranian Minister of Information and Communications Technology, Mohammad Javad Azari Jahromi, the country’s cyber protection is 50 times more powerful than before, repelling 33 million cyber-attacks in 2019 so far.
However, not all the attempts to significantly alter the way the internet works can be traced to the world’s most authoritarian regimes. The European Union’s General Data Protection Regulation also placed new controls on the sharing and retention of private personal information, imposing significant new restrictions on companies doing business in Europe. As the New American Foundation’s research shows, there are at least 50 countries, which they call “digital deciders” that have not yet come down unequivocally on the side of “global and open” vs “sovereign and controlled” internets. Tellingly, the annual survey of internet freedom by international watchdog organization Freedom House shows that this is the eighth year running that the internet has become less free. Based on an analysis of data from 2017 to 2018, Freedom House reports that of the 65 countries surveyed in their report, “26 have been on an overall decline since June 2017, compared with 19 that registered net improvements. The biggest score declines took place in Egypt and Sri Lanka, followed by Cambodia, Kenya, Nigeria, the Philippines, and Venezuela.” India led the world in sporadic internet shut downs in 2017-2018, in response, for example to a fake WhatsApp posting and audio message purporting to describe a mass invasion of child kidnappers in Tamil Nadu.
The other development of note is the increasing tendency to try to outsource the responsibility of internet monitoring to social media companies. Spurred on by Germany’s Social Media Enforcement Law, which imposes significantly civil penalties on social media platforms for failing to eliminate “obviously illegal content,” the European Union is considering a law that would punish companies for failing to remove content that violates any of the laws of the 28 members states. We are not suggesting that the internet in general and social media in particular are not in dire need of better ways to eliminate hate speech and identify and delete fake news and deep fake videos. Fortunately, in addition to the increase in restrictions on the internet taking place around the world, there is a range of initiatives under way to improve the security and transparency of this now critical global forum. Some of these involve consumer education, such as the work WhatsApp is doing with a variety of organizations in India to improve digital literacy. In other countries, such as Argentina and Brazil, organizations of journalists are working with Google and Facebook to create better tools to identify fake news.
While these efforts are praiseworthy, they are somewhat piecemeal and, are likely to continue to lag new and insidious ways in which internet distortion and controls will diminish freedom and be used to damage human rights around the world. What we believe is needed is something akin to a universal declaration embodying a set of standards companies can agree to adhere to prevent the continued erosion of this vital global tool for communication and shared global citizenship. It should embody the following three principles.
Although technology companies that design and market new technologies are most vulnerable to this abuse, all companies that acquire, retain and manage data about employees and customers need to abide by a clear commitment that they will not permit the use of these technologies or data to infringe human rights in the countries in which they do business or seek to do business.
Data ownership rights
Similarly, companies that acquire data about individuals need to be transparent about the data they are collecting and what they are retaining or passing on to third parties, whether governmental or other commercial institutions. More importantly, they should commit to abiding by the wishes of the individual data source as to what is retained or deleted and with whom any data is shared.
Companies that maintain content platforms should also be transparent about how they manage this content and explain clearly in language comprehensible to regular users what rules they will apply to content taken down for violating platform standards. This commitment must be accompanied by transparent record keeping so that all users can understand what was taken down and why. This is especially important in respect to the content that governments have requested be removed. We believe it is somewhat unrealistic to expect that content platform companies will resist all requests that violate human rights of free speech, but we do believe there should be a track record of these removals.
We believe that if corporations can align on these principles in collaboration with civil organizations and sympathetic governments on an ongoing basis, we will able to prevent or at least slow down the continued splintering of the internet. This is an important goal because if internet widely becomes “sovereign and controlled” it will vastly increase the complexity of reputation management in the internet era. Without uniform standards and technology, every communication, language by language, country by country, will need to be assessed for alignment with localized laws and cultural expectations. In such an environment, the world will lose what is, all things being equal, a great leveler and source of global awareness that will be critical if we want to solve the world’s most intractable problems.