Responsible Research with Anti-Censorship Technologies

Joseph Lorenzo Hall (joehall@berkeley.edu)
Postdoctoral Researcher
UC Berkeley School of Information
Princeton Center for Information Technology Policy

(16 Feb 2011 (v1.1); prepared for DARPA/NSF meeting in Arlington, Virginia on Ethical, Legal and Social Issues of Personally Identifiable Information)

Summary

Given recent efforts to degrade, intercept or thwart internet communications in repressive societies, more people in these countries will be drawn towards using tools to circumvent such censorship measures to communicate freely. Researchers and funders will also spend more of their time and grant resources to investigate, improve and develop novel anti-censorship projects. This short note highlights a number of privacy-problematic activities in which researchers may engage, intentionally or not, and attempts to recommend some guidelines.

What Are Anti-Censorship Tools?

Anti-censorship tools represent a broad swath of different types of technology. Basic techniques used by anti-censorship technologies include:

Many tools practically available for anonymous communication or circumvention of censorship technologies combine a few of these techniques. For example, Tor, the "onion-routing" network, uses clients that wrap each communication in several layers of encryption ("onion skins") and then pass it through a series of proxy server "nodes" in the Tor network; each node can decrypt only the outermost remaining layer before passing the result on, until the final node delivers the message to its destination.
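To make the layer-peeling property concrete, here is a small Python simulation added for this note (it is not code from Tor or from the paper): a client wraps a message in one layer per node, and each node can open only its own layer, learning the next hop and an opaque inner blob. The cipher is a toy SHA-256 keystream standing in for Tor's real cryptography, and the node names and keys are constructed.

```python
import hashlib
import json

# Toy keystream cipher built from SHA-256 in counter mode. It stands in for
# the real per-hop ciphers Tor uses and is NOT secure for real traffic.
def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def build_onion(path, dest: str, message: bytes) -> bytes:
    """path is a list of (node_name, node_key) in hop order.
    The innermost layer (exit key) carries the destination and message;
    every outer layer names only the next hop and carries an opaque blob."""
    exit_layer = json.dumps({"to": dest, "data": message.hex()}).encode()
    blob = xor_crypt(path[-1][1], exit_layer)
    for i in range(len(path) - 2, -1, -1):
        layer = json.dumps({"to": path[i + 1][0], "data": blob.hex()}).encode()
        blob = xor_crypt(path[i][1], layer)
    return blob

def peel(key: bytes, blob: bytes):
    """One relay's view: the next hop and the still-encrypted inner blob."""
    layer = json.loads(xor_crypt(key, blob))
    return layer["to"], bytes.fromhex(layer["data"])

def can_read(key: bytes, blob: bytes) -> bool:
    """True only if this key opens the outermost layer of blob."""
    try:
        peel(key, blob)
        return True
    except (ValueError, TypeError, KeyError):
        return False

def route(path, dest: str, message: bytes):
    """Walk the circuit; return what each node learned and what the exit delivers."""
    blob = build_onion(path, dest, message)
    views = []
    for name, key in path:
        next_hop, blob = peel(key, blob)
        views.append((name, next_hop))
    return views, blob
```

Run `route` on a three-node circuit to see that the guard node learns only the middle node's name, and only the exit node ever sees the destination and the plaintext.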

Research Efforts

There has been a lot of academic research into these kinds of tools, including efforts to improve/degrade tool performance, improve/defeat anonymity guarantees, detect/hide malicious nodes in the network and mask/profile tool users and the uses to which these tools are put. There is an active community of academic researchers in anonymous communications and they tend to congregate annually at the Privacy Enhancing Technologies Symposium. A good bibliography of the literature is at: http://freehaven.net/anonbib/

Continued research into improving these tools is needed to improve their resistance to profiling, filtering, blocking, etc. That is to say, as in any adversarial security game, the adversaries are working hard to upset anonymous communication, and if research and development efforts stop, there will be no truly anonymous communication capability. Ideally, a repressive regime would have to resort to the "Egypt option" of completely turning off the internet, or perhaps blocking all encrypted traffic, in order to thwart the ability of people to communicate freely. (Of course, steganographic methods can be used in unencrypted communications, but they tend to be less efficient, requiring dramatically more bandwidth per unit of message size.)

Preserving Privacy in Research (Or, At Least, Minimizing Harm)

Research using these tools must walk a very fine line. These tools are actively being maintained by people who care dearly about the continued availability of free communications and they are being used by real people who may very well be risking their lives and freedom to communicate.

There are a number of concerns that researchers need to take care to avoid altogether or, if that is impossible, minimize as much as possible:

  1. Disruption: Activities can bring parts of the network down or degrade its performance.

  2. Interception: Sniffing actual communications contents and routing information can identify users and put researchers at risk of prosecution for violating wiretapping and "pen register" laws.

  3. Dependency: Removing research resources that the system has come to rely upon can manifest as inconsistency to users and put sudden loads on non-research elements of the tool.

  4. Profiling: Fingerprinting end users and their devices, and associating those fingerprints with one another, can reveal users' identities, behavior and patterns of association.

  5. Reidentification: Data that has been effectively "scrubbed" or "anonymized" can, in certain circumstances, be de-anonymized in the presence of other types of data.

  6. Exposure to Future Capability: Some technologies, such as encryption, base their security models on assumptions about the resources an attacker can bring to bear on defeating protections. Of course, an attacker's resources or capabilities may change dramatically in the future.

Recommendations

Of course, the potential benefits of a particular piece of research always need to be balanced against the risks to human subjects who might be affected by the research activity. The simplest recommendation we can make is that when a research effort does not need actual humans to demonstrate its goals, it should not involve them.

There will be cases where a research project is deemed sufficiently important and in need of real-world user data, activity or interaction, or simply needs aspects of a system that are substantially richer and more varied than what could possibly be created in the lab with reasonable resources. In these cases, it seems important to follow a few guidelines:

References

A couple papers talk about the need to conduct research on anonymity tools, notably Tor, in an ethical manner (see their references for very good, more general, work on conducting cybersecurity research legally and ethically):

Papers, discussed in Soghoian (above), that arguably cross the line in terms of ethical research practices:
This file resides on the net:
http://josephhall.org/papers/elsi-022011.html (HTML)
http://josephhall.org/papers/elsi-022011.text (Markdown)