Friday, January 14, 2011

Age of surveillance: the fish is rotting from its head

On 19 December 2010, elections were held in Belarus, my dear home country. The apparent popularity of opposition candidates was met with a crackdown. Seven out of nine presidential candidates were thrown in jail, some of them maimed in the process. A peaceful street protest of tens of thousands was brutally dispersed, with many hundreds beaten and arrested. All NGOs and political parties were shut down, and human rights activists were dragged to court.

While none of this was really new for this long-abused nation, some things surfaced for the first time. The Great Belarusian Firewall debuted, shutting down SSL connections, blocking major social media websites and replacing opposition news outlets with fake copies. Traditional wiretapping of phone networks was combined with GSM location services: thousands of people are now receiving subpoenas and being dragged to police stations for having been on the streets in the vicinity of protests.

Similar things happened during the Iranian elections, and are becoming increasingly common among oppressive regimes. Unlike North Korea, they do not block their citizens' access to communications outright, but keep a hand on the vital parts of the infrastructure in order to censor or selectively take access down.

In the case of the Belarusian nation-wide firewalling, there was a combination of port filtering, to block secure access to genuine services, and DNS/IP spoofing, to introduce fake services in their place. It is unknown whether deep packet inspection was taking place, but it is not implausible to assume so: some services gracefully fall back from SSL to plaintext, which lets the state collect the victims' unencrypted traffic. The Ministry of Communications retains full control of the backbones in the country, so the interference certainly took place at that level of the hierarchy. On a national scale, such an operation requires hardware of a certain performance capacity, which was probably procured long ago.

Phone tapping has a long history in the country, dating back at least to the days of the young Soviet Republic. The tapping is traditionally done at the branch exchange level, where law enforcement has immediate and direct access. Cell-tower triangulation services, however, were employed for the first time on such a scale to locate and identify protesters carrying mobile phones.

None of these interventions into the phone networks required the consent or assistance of the network operators. The equipment used provides prefabricated intercept controls out of the box.

Now let us pause and let that sink in a bit. Communications equipment, procured from the West, provides built-in controls for totalitarian states to monitor their citizens. How come?

Wiretapping is becoming increasingly common and accessible to law enforcement in the First World. Terrorism scares allow legal safeguards to be removed, placing access at the cops' fingertips. As their citizenry becomes increasingly watched, Big Brother features creep into equipment specs. The equipment, produced by Alcatel, Siemens, Cisco and others, is then sold to Iran, Myanmar, Belarus and other repressive regimes as part of normal network operator procurements.

While the liberty movements in the West are busy enough doing a good job of fighting off the surveillance wave at home, the totalitarian customer segment remains steadily serviced, by virtue of civil opinion there being discarded and silenced. After the crackdowns, there has been much talk in the EU and the USA about various sanctions against the repressive officials of Belarus. While this is an important act of solidarity, personal sanctions have not achieved much before, and are not going to be effective now either. What can be done, however, is attacking the problem from the communications end, curbing Lukashenko's capability to monitor and choke the people of Belarus. Such steps could be:

  • Introducing a CoCom-like embargo on the export of equipment with surveillance capabilities. If a backbone switch has an inspection capability that can't be crippled in firmware, it shouldn't be shipped to totalitarian regimes. As simple as that.
  • Banning service contracts involving Belarus for the existing line of equipment with surveillance capabilities.

This may sound hard in a globalized world, but this kind of equipment is made by just a handful of corporations worldwide, with headquarters mainly in U.S. and EU jurisdictions. Unlike token sanctions, these steps will involve some (relatively minuscule) loss of corporate profit, but will greatly enhance the opposition's capability to organize and stay out of prison. It is a moral choice that the West can easily make, and I believe it will pay back manyfold.


  1. Interesting concept, but I don't think it will work. Any vendor of communications equipment must have provisions for "lawful intercept". Whether this power is abused or not depends not on the technology but on the society using it.

  2. That's exactly the point! Don't ship the technology to societies where it is going to be abused.

    I would argue that wiretapping capabilities in most equipment would be rather trivial to disable, right in firmware. After all, it is not developing any new features. Besides, crippleware is something done regularly by vendors anyway, e.g. for marketing differentiation purposes.

  3. Eugene, there are two issues with your arguments.

    First is that wiretapping in one flavor or the other is required by almost every government. There are a couple of ways to do it, like mirroring your port on the access switch (would you boycott any company offering port mirroring?). It's also pretty easy to do passive tapping in the backbone, like using Wireshark, but more selectively and on a larger scale. There is no way to disable that, since it's not in your equipment at all.

    The second one is that people are often hypocrites when it comes to such delicate arguments. We at Sipwise are a start-up fighting for every big account against players like Cisco etc. Would YOU pass on a million-dollar deal because of the pressure to offer an interception interface, knowing well that your opponents will do so without any qualms?

  4. Andreas, both are very valid points.

    I think you would agree that if you try to do DPI with port mirroring and Wireshark, your setup will choke pretty quickly before you get anywhere close to the traffic levels of a 10 mln nation during a major event. Similarly, implementing a national firewall on a stock Linux box, no matter how beefy, with iptables would be a daunting task. Sure, you can always improvise with ordinary network admin tools, but it is conventional to employ some specialized solutions, which have more throughput, reliability and convenience in data mining.

    Your second point is spot on. That's why I propose to regulate it with a legal embargo rather than being accusatory towards individual businesses. Certainly there will still be rogue players (or ones not bound by sanctions, like Huawei), but this will complicate procurement for the state bureaucracy tremendously, drive the costs of enforcement up and its quality down.

  5. Very good article, unfortunately I think the world is itself headed towards a global dictatorship.

  6. I am with you "Scuba" Steve. Thing is == there are more of us than there are of THEM, and people are getting pretty fed up with eating dirty gruel for brekkie and mud biscuits for lunch ... and then going to bed HUNGRY after glasses of filthy water ...