Hacking for Free Speech:
By CHRIS SPRIGMAN
Tuesday, Jun. 24, 2003
The free exchange of information over the Internet has proven to be a threat to the social and political control that repressive governments covet. But rather than ban the Internet (and lose valuable business opportunities), most repressive governments seek to limit their citizens' access to it instead.
To do so, they use specialized computer hardware and software to create firewalls. These firewalls prevent citizens from accessing Web pages - or transmitting emails or files - that contain information of which their government disapproves.
U.S. Internet users may be familiar with the kind of firewalls that limit unauthorized access to confidential information kept on personal, business, or government computers. But the type of country-wide firewalls this article will look at are broader, and more pernicious. In countries like Saudi Arabia, Iran, China, Myanmar, Singapore, and at least 20 others, the only way to access the Web is through a firewall.
Fortunately, however, this kind of wholesale Internet censorship now faces a serious challenge. Hacker groups such as Hacktivismo are determined to poke holes in firewalls used for repression.
An Example: Saudi Arabia and The Internet
To understand what motivates the "hacktivists," it's important first to understand how serious the situation is in some countries.
Imagine, for example, that you're a Saudi Arabian citizen, surfing the Internet to find information on converting to Christianity. You'd desperately like to keep your surfing secret from the government; in Saudi Arabia, apostasy from Islam is punishable by death. But it may prove difficult for you either to find the information you're looking for, or to keep your search confidential.
To begin, many of the sites you are seeking will be blocked. Citing a passage from the Qur'an as justification, the Saudi government significantly restricts the types of information Saudi citizens can access on the Web.
As researchers at Harvard's Berkman Center for Internet and Society have documented, the Saudi government blocks not only pornography, but also a wide range of relatively benign information about religion, health, education, reference, humor and entertainment. In particular, it blocks sites deemed to be proselytizing against Islam, or containing information hostile to Islam - even sites such as religioustolerance.org that merely advocate religious tolerance as a human right.
Meanwhile, web surfing is not only restricted, but also recorded. All Internet traffic in Saudi Arabia is routed through servers operated by the government's Internet Services Unit, and the Saudi government admits that it keeps logs of Internet traffic flowing through its servers.
The government denies any spying on individual users' browsing habits, but no one surfing for information deemed illicit will want to take its word on that.
How Repressive Regimes Censor the Net, and How U.S. Companies Help
How do these "country-wide" firewalls work? First, a user enters a URL - the address of a Web page - into his or her browser. This URL gets passed to the firewall, which checks to see if it is on a list of Web sites banned by the government. If so, then the firewall refuses to forward the user's request, and may instead send a message back to the user indicating that access is denied.
Firewalls may also be configured to filter Web sites for banned content; to log the IP addresses of users who have requested access to banned sites; and even to snoop on email communications. The consequences of detection by a firewall can be severe - China has jailed dissidents for downloading Internet articles critical of China and executed hackers for committing cyber-theft.
Ironically, some of the largest U.S. software companies - firms that have built their fortunes on open access to the Internet - have helped the efforts of China, Iran, and other repressive regimes to build and improve their firewalls. (A law preventing the companies from exporting firewall software wouldn't do much good, though: censorious governments would simply get their software elsewhere.)
Defeating Net Censorship Through "Hacktivism"
Enter Hacktivismo - an international group of programmers, some of whom sport noms de guerre like "Oxblood Ruffin" (its principal spokesman), "Mixter" and "MrHappy." It practices "hacktivism", which it defines as "using technology to advance human rights through electronic media." (As its Declaration makes clear, the group's aims do not include providing access to materials, such as child pornography, that are properly restricted).
Hacktivismo takes its inspiration from the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights - both of which declare freedom of opinion and freedom to seek, receive and impart information through media to be basic human rights. To vindicate these rights, the members of Hacktivismo have dedicated themselves to writing and disseminating software tools that interfere with governments' efforts to censor the Internet.
Hacktivismo's first project is Camera/Shy, a software application that helps Internet users transmit banned content across firewalls by hiding the content within ordinary .gif images. (This practice, hiding information within other information, is referred to as steganography). For example, Camera/Shy can hide information about the murder of a Chinese democracy activist within a contemporary Chinese painting by Liao Bang Ming.
Steganography, when done well, offers an important advantage: Censors may not even realize that encrypted information is being exchanged. Hacktivismo distributes Camera/Shy as an Internet Explorer-based Internet browser that leaves no trace on a user's system. The software has been downloaded hundreds of times from Hacktivismo's servers, and has been used by activists in China and Iran to evade those countries' firewalls.
Now, Hacktivismo has released a new software tool aimed at allowing access to any type of information anywhere on the Internet. It is named "Six/Four" in commemoration of the June 4, 1989 date of the Tiananmen Square massacre.
Six/Four allows users to access a peer-to-peer network composed of many small "virtual private networks" that are secure because they are administered by "trusted peers" - network participants who apply to Hacktivismo for permission to handle routing. It is thus an instance of what Hacktivismo refers to as H2H - hacktivist-to-hacktivist - architecture.
Oxblood Ruffin explains it this way: "H2H networks are like nuclear families living in large communities. Everyone may live in the same area, but each family has its own home where the doors open, close, and lock. And occasionally, a family member will bring someone new home. Everyone will sit around the living room, and if all goes well, the guest will be shown the library, perhaps, and maybe even someone's bedroom. All of this is based on earned trust."
Once a user has tapped into an H2H network, he or she can exchange encrypted files, send emails, or request Web pages, by using, as proxies, network nodes located outside the government firewall. Thanks to Six/Four, the firewall sees only certain IP addresses belonging to computers in a constantly shifting "cloud" of proxies. As a result, it is difficult for the firewall to block data transfer to and from these computers.
The Six/Four network is still in its infancy. And, like Camera/Shy, it is, in theory, subject to counterstrategies by government censors. Nonetheless, the software promises, at a minimum, to substantially raise the cost of Internet censorship.
The Hacktivismo "Enhanced" Software License
In addition to its code-writing, Hacktivismo - working with their pro bono lawyer, Eric Grimm of CyberBrief, PLC - has also come up with a new form of software license aimed at preventing human rights abuses.
The license - called Hacktivismo's Enhanced-Source Software License Agreement, or HESSLA - governs the Six/Four software. It will also govern future versions of Camera/Shy, as well as new types of hacktivist software still on the drawing board.
Like a typical traditional "open source" software license, HESSLA grants users the freedom to redistribute copies of Six/Four, and to access, improve, or otherwise modify Six/Four's source code. But it also contains some novel terms.
The license forbids use of the software in a malicious manner, or to introduce harmful changes to the software's source code. A government might violate HESSLA, for instance, by seeking to invade the Six/Four network by setting up a node, and then writing a tool to identify the source of traffic through its part of the network.
In the event of such a government violation, the license says that Hacktivismo and Six/Four's end users - who may be citizens of any country in the world - may sue in any court of competent jurisdiction. (The license requires waiver of sovereign immunity, in a provision that, like all of HESSLA, has yet to be tested in court.) Meanwhile, if a private citizen uses Hacktivismo software to violate human rights, he or she can also be sued, but only by Hacktivismo.
These new license provisions may or may not stand up in court. If they do - and especially if they are emulated by some larger open source projects and perhaps even an idealistic commercial software company or two - they may work in tandem with hacktivist technologies in the fight against Internet censorship, bringing the battle into courts the world over.
Pro-Censorship and Anti-Censorship Technologies
Hacktivism's approaches raise a number of interesting questions. Can hacktivism really work? That is, can a technology successfully complement, supplant, or even defy the law to operate either as a source of enhanced freedom (or, for that matter, social control)? On balance, will technological innovation aid or hinder Net censorship?
Consider, for instance, the U.S.'s Child Internet Protection Act (CIPA). CIPA requires federally-funded public libraries to install filters to block Internet pornography. In a decision yesterday, the Supreme Court upheld the Act, despite a First Amendment challenge - and despite evidence that the mandated filtering blocked information about breast cancer, homosexuality and other legitimate subjects. The Court relied heavily on users' ability to request that the filters be turned off, despite the privacy sacrifice such a request entails.
Meanwhile, censorious governments in other countries are hardly likely to accede to such user requests (indeed, they're much more likely to blacklist those who make them). In those countries, therefore, we are likely to witness a simple arms race between the governments who seek to control information, and the hacktivists who wish to free it.
Interestingly, groups like Hacktivismo argue in favor of hackers' voluntarily limiting their own arsenal in this battle. They disapprove of destructive techniques like Website defacements, viruses, or denial of service attacks that tend to give hackers a bad name.
Instead, Hacktivismo's Oxblood Ruffin favors a strategy of "disruptive compliance," which he defines as the dissemination of innovative technology that nudges the Internet back toward its original spirit and intent. ("Innovative compliance" might be more accurate: "disruptive" might wrongly suggest illegal means.) Originally, the Internet was meant to serve as a vehicle for fast, cheap, and unfettered communication across borders and cultures, Oxblood Ruffin points out, and it should continue to do so.
In the end, who's likely to win the battle - the censoring government, or the hackers who oppose them? The hackers make clear that they expect their own ultimate victory:
"Hacking is a contact sport. We're trying to maintain contact with as many people as possible. The world is far too small a place to disconnect millions of people from one another. And governments that attempt to separate and divide the world rather than bring it together are on a collision course with the inevitable. There's an arrogant and misguided notion that somehow dictators will be able to exploit the Internet to improve their economies, yet put a chokehold on content they don't like. Good luck, nitwits."