The Geography of Encryption Bans

Cossack Labs
HackerNoon.com
12 min read · Jul 23, 2018


Top Curious Cases of Governments Opposing Encryption and Secure Means of Communication

The recent ban of Telegram in Russia and basically the end of freedom of speech brought by the new legislation in Egypt inspired us to create a little paranoia-driven hit parade of countries banning secure communication tools.

“Don’t steal — Government doesn’t like competition” states a famous anonymous quote. Trying to fully secure your communication also seems to be rubbing the various world governments the wrong way. Although the theoretic concepts of banning or getting a backdoor to the E2EE (currently used in many popular messengers) are laughable due to the sorry lack of understanding of the principles of work of E2EE by the officials (maybe they should check out our ELI5 article on E2EE), numerous attempts are still being made at banning or hijacking the encrypted means of communication on the state level (even though a recent theoretical paper proves that two parties can still create a secure communications channel using a communications system with a backdoor).

The reason governments provide for justifying bans and eavesdropping is the fight against terrorism, but the losses of being spied upon are clear, whilst the real benefits of having no privacy are hazy at best.

THE USA

One of the most famous cases of governments vs. encryption is also one of the oldest and has its own proper title: the “FBI-Apple encryption dispute”.

Throughout 2015–2016 the FBI demanded that Apple provide a new piece of software for decryption of the information stored on iPhones running iOS 7. The demand was predictably denied, which led to heated legal disputes until a correct password (but not a general-purpose iPhone unlocking software) was provided for the iPhone originally in question.

The CIA also tried its hand at defeating Apple’s encryption, attempting to create a forged alternative copy of Xcode that would enable adding backdoors to iOS apps. When this became known through Wikileaks, it led to extensive security audits among the Apple developers.

The most important document that regulates the governmental surveillance in the USA is the Section 702 of the Foreign Intelligence Surveillance Act (FISA). FISA allows governmental intelligence services to eavesdrop upon and store the data collected from digital communication of foreign suspects living outside the USA.

FISA was to expire on Dec. 31, 2017 replaced by a new bill drafted up by the House of Representatives’ Judiciary Committee. That draft legislation reframing the balance between security and privacy crafted by privacy-minded lawmakers aimed at limiting the governmental eavesdropping, especially in the absence of a court-issued order (except for the cases involving counterterrorism). However, a FISA reauthorisation bill was passed by the Congress not only to extend wireless surveillance under Section 702, but to expand it in many important ways. The newly passed bill reauthorized Section 702 for six more years. Weirdly enough, President Trump opposed the FISA extension at first, but later reversed his opinion.

EUROPE

A draft report from the European Parliament proposes a ban for encryption backdoors which should be extended to all the EU member countries. Also, according to the amendment to Article 7 of the Charter of Fundamental Rights proposed by the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs, end-to-end encryption should become mandatory for all forms of electronic communication.

However, some of the EU countries have a drastically different view on the subject.

THE UK

The Investigatory Powers Act, passed in 2016, makes the UK one of the most surveillance-heavy countries. This act also legalises a lot of tools for the government to snoop around the users’ private data. End-to-end encryption remains the last bastion of privacy, but gets attacked repeatedly.

In 2015, the former UK Prime Minister David Cameron already tried to propose a ban of encrypted services (i.e. iMessage, Snapchat, and WhatsApp), but that attempt has failed. In the light of the March 2017 terrorist attacks, this legislative act was brought back into the light for a discussion. The UK Home Secretary Amber Rudd explained the need for drastic measures stating the government shouldn’t provide “a secret place for terrorists to communicate with each other”. It could be that the new Home Sec will finally have the powers to ban the E2EE on the legislative level. How this could be done in reality is still quite unclear.

GERMANY AND FRANCE

France and Germany unanimously claim that providing a backdoor to encryption is crucial for fighting terrorism. And while no popular end-to-end apps like WhatsApp or Telegram are banned there yet, Interior Minister of France Bernard Cazeneuve and his German colleague Thomas de Maizière stated in a joint proposal that such apps constitute a challenge during investigations. Together they appealed to the European Commission for creation of a new law that would compel developers to provide backdoors, decrypt messages, and remove unwanted content upon the government’s demand in terrorism-related investigations. This idea was met with a lot of scepticism, to say the least.

AUSTRALIA

Australia seconds the UK in its government-level attempts at banning the end-to-end encryption statewide. Australia’s Attorney-General George Brandis even said that the new privacy-related laws would be directly modelled on the UK’s Investigatory Powers Act.

Unfortunately for the Australian government, the problem of banning end-to-end encryption doesn’t go anywhere — you either cherry-pick your bans only going after some definite services or you ruin the whole notion of secure transactions over the Internet.

The newly proposed legislation in Australia is supposed to force tech manufacturers to provide the government with access to the user data regardless of whether it is encrypted in any way. Brandis said he will be meeting with Apple to discuss cooperation on finding ways to disclose end-to-end encryption, which is kind of missing the point of how it works.

An attempt at banning all encrypted communication is a brave one, but also an extremely unworkable one. The only semi-practical way end-to-end encrypted info can be somehow disclosed to a 3rd party is through adding keyloggers into the software. The keyloggers will then intercept the information as the user types it, effectively rendering all the further encryption processes useless, let alone mentioning it looks more like something criminals would do, not a government that wants to stop criminals through reading their messages (and that’s even leaving the ethical part out of it!).

ASIA

CHINA

There had been some temporary bans of WhatsApp in China before, but the one that started in September 2017 seems to be a permanent one. The ban left most users in the mainland China without the ability to send and receive WhatsApp messages. The rumour had it that after the Communist Party’s congress in Beijing in October 2017 proper functioning of WhatsApp could be restored, but this never happened. Another encrypted messenger Snapchat was banned in China since day one (which didn’t prevent Snapchat from opening an office in the PRC).

SOUTH KOREA

While the absence of any kind of encrypted means of communication for the citizens of North Korea would hardly be surprising, it is South Korea that got onto our anti-encryption “hit parade”. Turns out that the officials of South Korea are very much prone to listening in on their citizens.

In 2014, President Park Geun-Hye announced that the messages sent through KakaoTalk, a South Korean messenger similar to WhatsApp or iMessage, will be screened for inappropriate content (i.e. spreading rumours and insulting the government). This made Koreans swiftly turn to WhatsApp and Telegram for more privacy in their communication. The KakaoTalk messenger was also quick to follow suit and add end-to-end encryption to its features.

THE ARABIAN PENINSULA AND AFRICA

UAE AND SAUDI ARABIA

A number of crucial app features are restricted in WhatsApp, Viber, Imo, and Facebook Messenger in Saudi Arabia and Dubai (UAE). This is not a matter of privacy or counter-crime/terrorism measures, but a governmental support for the national VOIP service providers to stop the losses from users’ migrating to free messengers. Basically, all the chat apps that have voice and video calling functions are at least partially restricted under the local ‘regulations’ for the sake of preserving the state monopoly on providing VOIP services.

Banning messengers is not a new practice in this part of the world. For instance, in 2010 both Saudi Arabia and the UAE threatened to ban BlackBerry instant messaging and demanded that the company install local servers to censor the service.

Official ad image from the advertising campaign for C’me VOIP messenger

Apple’s FaceTime is not only banned in the United Arab Emirates, Egypt, Jordan, Qatar, and Saudi Arabia — it is missing (restricted on the hardware level) from the iPhones available for purchase in these countries, for the same reasons. FaceTime is a competition to the national VOIP service providers C’me (for making domestic and international calls via WiFi) and Roaming Callback App (for making calls over WiFi while in roaming) for Android and iOS.

The main difference between the Etisalat (and du) VOIP messengers and the rest of the famous alternatives is that the services of C’me and Roaming Callback App are not free.

The payment for using VOIP is equal to that for making domestic calls within the coverage zone (the official rate guide states that “C’Me app users can subscribe to Dh20 weekly or Dh50 monthly C’Me packs to enjoy the unlimited offer. Users can receive calls while on a WiFi or mobile data network. In addition, outgoing roaming calls from C’Me app will be charged at Dh2.4 per minute.” with 1DH = $0,27). Those travelling and wanting to make a call home while roaming will pay a flat rate of 3DH per minute.

Even though in September 2017 Saudi Arabia decided to reverse the ban for Skype, WhatsApp, and other Internet calling services, they remain restricted in the UAE. Other African and Arabian Peninsula countries that block VoIP services are:

  • Guyana,
  • Kuwait,
  • Libya,
  • North Korea,
  • Oman,
  • Qatar,
  • Syria.

EGYPT

Egyptian citizens had their first taste of Internet censorship in 2015 with the temporary bans of Skype, WhatsApp, and Viber. In December 2016, Signal, a messaging app that uses end-to-end encryption (currently considered to be one of the most secure messengers), got banned permanently. The creators of Signal, Open Whisper Systems, confirmed the news about the ban and initially found a workaround bypassing the ban through domain fronting. Now that Google and Amazon are banning domain fronting, the future of Signal in Egypt is unclear.

The next digital witch hunt in Egypt started against OpenVPN. In August 2017, the Egyptian government took the first step towards trying to block VPNs, blocking PPTP and L2TP. OpenVPN got blocked in Egypt in early October 2017. Around that time the only VPN services still working in Egypt were Softether over TCP (reported to be extremely slow), Shadowsocks, and Tor.

Technically speaking, VPNs are legal in Egypt, as there are currently no laws in Egypt prohibiting the use of VPNs. However, not all of them work consistently (OpenVPN doesn’t work at all), and many of their servers and websites are blocked. Many Egyptian web resources warn people wanting to travel to the country to download and set up the VPN of their choice before arriving.

The surveillance laws passed after a terrorist attack in 2017 also allowed the Egyptian authorities to monitor and shut down online communication and media with no judicial oversight.

Not just Signal with its secure E2EE exchange, but many messengers providing VoIP services were also partially blocked in Egypt in August 2017. Similarly to the functionality of the Facebook Messenger in Saudi Arabia, voice and video calls made over VoIP were restricted in Skype, FaceTime, and WhatsApp.

The Egyptian government has also ordered ISPs to block many blogs and news sites using the new law enabling blockage of social media accounts and punishment of journalists who publish “fake news”. According to this law, passed in July 2018, a social media account with over 5,000 followers could be prosecuted for publishing fake news. The law also orders anyone wanting to create a new online media outlet to obtain a license from the Supreme Council of Egypt. Existing websites can be blocked or fined under a suspicion of aiding terrorists.

THE RUSSIAN FEDERATION

Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media in Russia) tried to ban one encrypted messenger and ended up banning Google, YouTube, Viber, Spotify, and Amazon. Bad luck. And guess what? The messenger still works.

The team working on the secure messaging service Telegram Messenger was warned by the Russian officials that they needed to hand over the keys for decrypting the end-to-end communication going on between the users of the service to the FSB (Federal Security Service). When Telegram refused, an order of the Moscow court for banning the services of Telegram in Russia followed in April 2018.

The resulting sanctions led to a number of crucial services being accidentally banned in Russia as millions of Amazon, Google, and other popular platforms’ IPs were blocked in an attempt to take down Telegram.

Telegram initially used domain fronting to remain functional for the people within the Russian Federation and directed a considerable stream of their resources to keeping the messenger working for its users. The official website of Telegram where you can download the messenger or use its Web version is indeed banned in Russia (unless IPv6 or dual-stack is used specifically), but otherwise it is functional and stable in most of the cases.

In fact, Telegram cannot be fully blocked, as it is currently technically impossible. The first wave of bans by Roskomnadzor took place within the IPv4 space, and around 1–2 million addresses (detected as those accessing the messenger) were banned at a time, per day. The next day Telegram simply moved on to new available addresses. So the cat and mouse game can go on forever, until the address space runs out. What is more fun is that IPv6 is fully out of reach for the ban as the address space can never run out there. Indeed, not everyone is using IPv6, but it is available and working.

Also, Telegram didn’t just use this loophole, but also created MTProxy, which only lets through the traffic created within the messenger. Such proxies cannot be legally banned by Roskomnadzor unless there was a direct complaint. What’s interesting is that this re-enabled the work of Telegram in China and Iran, where it is also banned.

Summary or Should we worry? (Or can someone really fight Math with legislation?)

Privacy is not something reserved exclusively for exchanging cat nudes, buying firearms, or sending grocery lists to your spouse on the way to a supermarket — it is one of the cornerstones of our digital world and a basic human right.

Although this article mostly uses messengers as examples, end-to-end encryption specifically underpins not just the messaging apps but also online shopping, banking, and even government websites. Banning it would cause chaos. And in any case, you cannot legislate against Math. People will still be able to find ways to communicate securely and encrypt their information when necessary.

Such a reaction of governments to an encryption they cannot get access to is an indicator that we’re onto something powerful here and that we collectively should by all means keep going in developing E2EE communications. If we manage to turn the notion of an end-to-end trust from a scary term straight out of hell of scientific crypto papers into a standard thing, we’ll make this world not just a bit safer, but a bit more free, too.

We take privacy very seriously in Cossack Labs, turning advanced cryptography into simple and useable open source encryption tools. You may want to check them out if you want to bring more security into your own apps.

If you have a story to share about weird encryption bans in your country we’d love to hear from you! Please reach out to us via info@cossacklabs.com or @cossacklabs on Twitter.


Focus on growing your business — while we take care of sensitive data risks, security engineering challenges, and compliance rqmts. https://www.cossacklabs.com