Ukraine’s digital frontline: The critical fight for privacy amidst existential threats

Digital Freedom Index heat map

In Ukraine, there isn’t a dire crisis of direct and intentional oppression of people’s rights and freedoms. On the contrary, Ukraine is often cited as a beacon of will and liberty. However, the nation isn’t without its challenges in digital security and privacy. Moreover, the spectrum of issues, much like the lives of Ukrainians, has bifurcated into two phases — pre and post the full-scale invasion. In the latter phase, digital privacy and security have transformed from mere concerns to matters of survival.

In my previous article, I outlined the overarching issues and the current state of privacy in Ukraine. Let’s delve into the existing privacy challenges and assess the degree of protection available in specific areas. Covering every facet within the confines of this article is unfeasible, so I’ll provide an overview, complemented by a set of references for those keen on a deeper exploration. I’ll endeavor to bypass the most evident cases that have been extensively discussed elsewhere.

The Main Privacy & Digital Security Challenges in Ukraine

According to data from Freedom House and the Proton VPN’s Digital Freedom Index Report, the situation in Ukraine might not seem as dire as one might assume at first glance.

Digital Freedom heat map. Source: Digital Freedom Index Report

Here are a few key issues:

Battling the Spread of Disinformation

Following the Russian military incursion into Ukraine, a surge of propagandistic narratives emerged. Claims such as President Zelensky fleeing the country were rife, and even a fabricated video suggesting Zelensky’s surrender surfaced. However, these false narratives were swiftly debunked. Ukrainian state campaigns had prepared citizens for digital misinformation, enabling them to quickly counter such rumors and fake news.

The very same Deepfake Psy-Ops. Source: The Next Web

Safeguarding Military and Civilians from Intrusions

Ukrainians face threats from Russian intelligence, special services, and hackers attempting to breach infrastructure, inflict harm, access personal data, and extract confidential information.

VPNs and other circumvention tools have become popular among Ukrainians for protection and access to the resources they need.

While the military employs specialized means and communication channels for critical tasks (see What is Military Grade VPN Encryption?), attempts to find weak links in defense and digital chains persist.

A recent incident involving Spec-Ops targeting the Ukrainian military and some civilians via Signal app (considered one of the most secure messengers), is also noteworthy. The exact cause remains undetermined, but suspicions range from leaked provider and cellular operator databases to social engineering tactics targeting military personnel with “promotions and discounts.”

For a detailed case study, refer to the Telegram channel “About Communication from Sergey Flash.”

Important note:
In the chain of defense systems, vulnerabilities often emerge, ranging from social engineering and phishing to breaches of the most unprotected data streams before they enter security systems.
For instance, through a software vulnerability on a phone, an attacker can access a victim’s data before it even reaches the VPN. Additionally, analyzing data at the VPN’s entry and exit points can often trace an individual trying to remain anonymous.
In these scenarios, neither VPNs, Tor, Signal (for communications), nor crypto mixers (for concealing financial transactions) offer protection.

Cyberattack Defense

According to a Cloudflare report, the intensity of cyber threats and privacy breaches in Ukraine has significantly increased. Key statistics include:

• A 1,300% surge in application-layer cyber attacks in early March 2022 compared to pre-war levels.
• Government administration, financial services, and media were the primary targets.
• Between June and October, traffic from several networks in Kherson was diverted through Russia, exposing it to Russian content restrictions.
• 12.6% of network-layer traffic in Q1 2022 was attributed to DDoS activity.
• In the war’s initial days, Cloudflare noted mitigation spikes for news services, TV channels, government websites, and banks.

Source:blog.cloudflare.com

DDoS traffic peaks in early March were elevated compared to pre-war levels, but they soared even higher in June and August.

Source:blog.cloudflare.com

Source: Fog of war: how the Ukraine conflict transformed the cyber threat landscape

Digitalization Challenges

Back in 2021, the “Razumkov Center” conducted an expert survey on the dangers of widespread smart infrastructure implementation and detailed their findings in a report.

The flagship government digital service, DIIA, showcases successful digitalization and the concept of a “state in a pocket.” However, it faces criticism from cybersecurity experts who note that citizens’ personal data becomes vulnerable due to suboptimal practices in building such systems and their infrastructure (VPNs can’t remedy this, but still…).

There’s a detailed report titled ‘Що не так з Дією’ (What’s Wrong with Diia) available as a Google Doc, authored by the Ukrainian Cyber Alliance.

The report outlines 22 issues. Some of these can be mitigated through encryption and security tools, while others can only be resolved by not using the DIIA application itself.

Cases of privacy issues and their solutions using VPN & cybersec tools for protection in Ukraine

It’s noteworthy that the Ukrainian government actively promotes cybersecurity literacy among its citizens. For instance, the “Державна служба спеціального зв’язку та захисту інформації України” (State Service for Special Communications and Information Protection of Ukraine) offers a guide on the thoughtful use of VPNs.

The guide even lists the top use cases for when to utilize a VPN:

1. When using unprotected public Wi-Fi networks to safeguard your data.
2. When secure access to internet networks and systems is required during remote work setups.
3. To protect oneself from websites, apps, and services aiming to track your actions.
4. To prevent your internet service provider or operator from monitoring your online activities.
5. To access information resources blocked by occupiers.

Protection of Volunteers, Investigators, Journalists, and Activists in Ukraine

While Ukraine doesn’t face broad challenges to freedom of speech, especially when compared to countries like Russia, Belarus, or North Korea, specific instances arise when investigating corruption schemes involving officials or businessmen. In such cases, the lives and safety of those involved can be under severe threat. To protect their privacy and obscure their digital footprint, these individuals often turn to VPNs and other essential cybersecurity tools.

Since Russia’s initial territorial aggressions in Ukraine in 2014, most Russian online resources have been blocked in Ukraine.

See the Detailed analysis with primary sources and legislative framework: Blocking of Russian internet services in Ukraine (Wikipedia)

However, for comprehensive work and understanding of the enemy’s information landscape, accessing these blocked resources becomes essential.

Dangers to Journalists

Ukrainian journalists have faced heightened physical dangers, especially since the onset of the Russian military invasion. While online activities can be shielded to some extent using digital tools, the physical threats are very real and immediate.

The situation has deteriorated since the invasion, with journalists being targeted, tortured, kidnapped, attacked, killed, or denied safe passage from cities under Russian siege. For instance, Maks Levin, a renowned Ukrainian photojournalist, was reportedly executed by Russian soldiers outside Kyiv, as per Reporters Without Borders (RSF). The Institute of Mass Information (IMI) noted that by the end of May 2022, Russian forces had committed 280 crimes against journalists and media in Ukraine.

Historical Context:
Even before the recent escalation, there were glaring cases of journalists facing threats and violence. Notable examples include Georgiy Gongadze, Pavel Sheremet, and others, who faced dire consequences for their work.

In this digital age, while VPNs and cybersecurity tools can shield online activities, they cannot protect against physical harm. The bravery of journalists and activists in Ukraine, who continue their work despite these threats, is commendable.

Volunteers and Economic Frontline Activists

Many volunteers, especially those involved in streamlining procurement processes and financial operations for critical needs, have shared personal accounts of receiving threats, both from those attempting to hinder aid to the army and from local “bosses” whose interests might be disrupted by such activities. Ensuring the privacy and anonymity of these individuals is of utmost importance.

Intelligence and OSINT Experts

The need for privacy in this category is evident. Russian “cyber activists” and intelligence agencies aim to de-anonymize and, if possible, physically eliminate those they perceive as threats or those who might expedite Ukraine’s victory. Comprehensive security measures are essential here, including the use of virtual protected machines, isolating different devices and activities from one another, and employing VPNs and advanced cybersecurity solutions.

Access to Ukrainian and Global Resources in Russian-Occupied Territories

After Russia’s occupation of regions like Crimea, parts of Donetsk and Luhansk, and territories seized in 2022, there’s been an effort to isolate residents from the outside world. However, thanks to cybersecurity tools, including VPNs, these attempts often fail. This is one of the most alarming use cases, as residents caught engaging in such activities could face dire consequences, including execution by the occupiers. To understand the gravity of the situation, consider the following resources (Ukrainian language):

• How to use the internet during the occupation? Tips for residents of Kherson region.
• VPN, Tor, and messaging. How to maintain communication in occupied territories. Detailed instruction.
• How to safely use the internet under occupation.
• Data security in Ukraine using VPN technology.

Protection of citizens’ personal data from surveillance

Ordinary citizens turn to VPNs to ensure the confidentiality of their personal data and to bypass potential tracking or censorship by government entities or third parties.

Comparing the Freedom House reports from 2021 and 2022, it’s evident that the situation hasn’t improved. While there are no global restrictions on encryption tools, the government’s surveillance of internet activities has infringed on users’ privacy rights.

Source: Freedom House report

The introduction of the Law on Electronic Communications in January 2022 and its amendment in March 2022 have raised concerns about data retention and sharing.

Moreover, in response to the invasion, the Ukrainian government imposed martial law, which understandably limits freedom of expression.

However, even before the full-scale invasion, there were numerous instances of abuse by law enforcement agencies. Tracking without a warrant is undoubtedly illegal (Were there any warrants? Not always). For instance, the Cyber Police’s proposal to de-anonymize users and their use of open JavaScript libraries (FingerprintJS and ClientJS) for tracking resonated pretty loudly.

Here’s just a glimpse of the issues highlighted by cybersecurity expert Sean Townsend, the press secretary of the Ukrainian Cyber Alliance, in his Telegram channel back in 2022. At the time he wrote his post, a new, more covert version of the tracking script from the Cyber Police was detected on over 40 Ukrainian websites. As of the writing of this article, it’s found on 27 sites.

Source: webtechsurvey.com

Other cases in a nutshell

• Business and remote work: Companies employ VPNs to ensure secure remote work and protect corporate data from leaks and breaches. The global shift to remote work, especially since the COVID-19 lockdowns in 2020, emphasized the need for secure corporate channels and tunneling, all while being budget-conscious
• Combating Internet censorship: Censorship is a global issue, even when implemented with good intentions (as I mentioned above). It’s crucial for those who need to stay informed about the enemy’s actions to access blocked resources. Simple VPN browser extensions can bypass IP-based blockages. However, if you’re doing something that might get you in trouble, your metadata and digital fingerprint can still expose you, and a VPN alone won’t save you.
• Blockages by foreign platforms and providers: Various platforms, for example, from the US or UK, may restrict access to their platforms for users from certain countries due to legislative restrictions or different subjective reasons. In such cases, VPNs become indispensable.

In conclusion, while these are just a few examples of privacy threats and the measures taken against them, they provide a comprehensive understanding of the current landscape. The challenges are many, and they continue to evolve, but understanding them is the first step towards crafting effective solutions.

The Rise of Mixnet: Unmasking the Limitations of VPNs

Using a VPN often results in a decline in speed, and to maintain optimal speeds, users usually have to pay a premium. However, this isn’t the primary concern. Relying solely on VPNs, as traditionally understood, can give users a false sense of security.

VPNs have their drawbacks:

• They’re not always as secure as they seem. Technical data might be stored somewhere, accessible to third parties.
• They can significantly reduce internet connection speeds.
• Free VPNs come with their own set of issues: intrusive ads, limited data allowances, slow connections, and instability.
• Some VPN clients (apps) can also double as malicious software.
• Certain VPN apps, when downloaded, might unjustifiably request access to user data or ask for excessive system privileges (e.g., Yoga VPN, proXPN VPN, Hola Free VPN, Seed4.Me VPN, OvpnSpider, SwitchVPN, Zoog VPN, among others — source: CIP)

Moreover, VPNs can be compromised. For instance, in 2019, it was revealed that one of the world’s largest VPN providers, NordVPN, had a security breach at its data center in Finland.

Besides, researchers from vpnMentor discovered the personal data of 20 million users of free VPN services on an unprotected server, available to the public.

VPN Vulnerabilities: The Hidden Pitfalls and Shortcomings

While many have attempted to elucidate the shortcomings of current VPNs and anonymity tools, Nym offers a particularly clear and thorough perspective (see the slides below). Recognized for its defense against formidable passive adversaries that can observe every packet of one’s internet connection, Nym underscores the importance of truly private internet browsing.

Source:nymtech.net

The Financial Strain on Privacy Tools

Amid the COVID-19 crisis and reduced funding, privacy networks like Tor have faced significant financial challenges, leading to staff reductions. Signal’s survival, on the other hand, was bolstered by a timely donation from Brian Acton, highlighting the precarious funding situation of such essential privacy tools.

Why Nym Stands Out

You might wonder, what sets Nym apart in this crowded space?

• Multiple Hops: Like Tor, Nym routes traffic through several nodes, ensuring the origin and destination (IP address) remain unlinked.
• Cover Traffic: Unlike Tor, Nym adds dummy traffic to prevent traffic analysis. As real traffic increases, the need for dummy traffic diminishes.
• Timing Obfuscation: By reordering packets at every hop, Nym thwarts attempts at traffic de-anonymization.
• Horizontal Scalability: Unlike traditional blockchains, Nym’s mixnet can expand seamlessly, accommodating more traffic akin to the web.

For a clearer perspective on how Nym compares and addresses the vulnerabilities of other solutions, here’s a comprehensive slide showcasing their approach.

Source:nymtech.net

Conclusion

The digital landscape is rapidly evolving, with privacy becoming a paramount concern for individuals and businesses alike. While VPNs have traditionally been the go-to solution, their limitations are becoming increasingly evident.

Tools like Nym are emerging as promising alternatives, offering enhanced protection against sophisticated surveillance techniques.

As we move forward, it’s crucial for users and organizations to stay informed, support innovative solutions, and prioritize their digital privacy. Now is the time to invest in and advocate for robust, sustainable privacy tools for a secure digital future.

Important news!

For those keen on understanding and championing privacy technologies, Nym’s upcoming educational program, “Nym Shipyard 2023,” launching this October, is an opportunity not to be missed.
Stay updated by following Nym on Twitter and be on the lookout for registration details. Dive into the world of privacy and act with purpose.