Belarus Internet Shutdowns in 2020: a data-driven dissection
We bring our hour-by-hour granular internet connectivity and latency data to the dissection table. Here’s what we found.
On September 17, the US State Department issued a joint statement with 28 other countries condemning the internet shutdowns in Belarus. The Belarusian government has been suspected of interfering with internet connectivity in response to ongoing anti-government protests surrounding the 2020 Presidential Election, and contested re-election of incumbent Alexander Lukashenko.
Beginning on election day, August 9, and continuing for at least 3 days afterwards, social media websites and foreign news sources became inaccessible in what Belarusian authorities claimed was a massive cyber-attack. However, according to Human Rights Watch, the blocking appeared to be an attempt to demobilize protests and silence information about police brutality against protesters.
Interruptions to internet services and access were reported as early as June 2020, with suspicions that the government may have been testing “deep packet inspection” equipment procured in a $2.5M tender by the National Traffic Exchange Center in 2018. Throughout the lead up to the election, Belarusian internet users reported difficulties using VPN servers and messaging applications such as Telegram and Viber.
In the months since the election, anti-government protests have continued across the country despite crackdowns and wide-spread human rights violations. Tens of thousands of protestors have called for the invalidation of Lukashenko’s reported landslide election victory, which they believe to be fraudulent. Incidents of internet disruption and website censorship have also continued, including reported interruptions to mobile internet before and during planned protests.
In this report, we take a granular look at our remote, consistent, and geo-spatially identified measurements of internet connectivity and latency in Belarus over June to August 2020.
We make billions of measurements every day. Here, we provide a window into what we have seen in Belarus in recent months.
MINSK, JUNE — AUGUST 2020
In Figure 1, we provide an overview of our measurements of connectivity and latency in Minsk, the capital of Belarus, and the centre of most protest activity, over June — August 2020.
By connectivity, we mean the count of unique, online devices in our measurement sample every hour.
The large majority of our measurements are to fixed, broad-band, end-point devices (home and business routers, servers, etc.) in a given region. Mobile or cell towers are also measured, but typically not individual mobile phones. And, to be clear, being “online” in our measurement does not necessarily mean that an end-point user has a free internet experience. Access could be blocked to a specific website or service at any time, even with an active (not blocked) internet connection. Or, access could be practically blocked by a slowing of internet traffic (see latency).
By latency, we mean the average return trip time (rtt) across all unique, connected end-points in a given region, as measured by multiple signals sent from our global platform to the end-point each hour.
Latency can be thought of as the immediacy of the connection. Low latency is crucial for any synchronous internet mediated activity such voice or video chat, but is also a good proxy for the bandwidth pressure on the network at the time. If the network is overloaded latency will tend to rise dramatically as packets of information are slowed down, waiting in queues, if you will. In our team’s earlier work, we know that some governments apply slow-downs (rather than ‘shutdowns’) to make the sharing of voice or video materials practically impossible and influence political outcomes.
For more information on our measurement approach, see Methodology below.
To make anomalous observations clearer, we normalise all of our measurements such that a value of zero acts as a baseline. Fluctuations are then monitored with many considered ‘normal’, whilst others tripping our detectors as ‘anomalous’.
We have labelled Figure 1 with three features of interest.
[a] June 18–19: Reports of internet tampering began over the Summer, with some reports suggesting that the government was undertaking firewall testing. Around June 19 (indicated in red, top panels) some users reported issues with accessing certain communications platforms such as Telegram and Viber. In our observations, there is little evidence of anomalous behaviour at play. This does not mean specific services were made unavailable, but it does suggest that infrastructure changes that would affect many, or most end-points are not obvious in our measurements.
[b] July 14: In contrast, we see several anomalous events in July. Here, events on the ground were escalating with protests and scuffles breaking out after President Alexander Lukashenko’s main rivals were barred from running for election. We consider these events in detail below.
[c] Aug 9: On the day of the election itself, a major anomaly event is clearly underway as shown in the huge spike in latency. This is particularly interesting given reports that Belarus’ internet traffic was by then being shunted through the National Traffic-Exchange Center (NTsOT). Again, we return to this event in more detail below.
MINSK, ANOMALIES in JULY 2020
In Figure 2, we show a zoomed in, hourly, section of our observations spanning 5th to 15th July, 2020.
Given the rising tensions around the forthcoming election, and scuffles breaking out on the streets on the 14th July (labelled in red), it is interesting to see a number of anomalous traces in the lead up.
In our connectivity measures, we can see a large segment which drops on the 10th, starting in the evening [a], and continuing to mid-afternoon on the 11th [b]. Meanwhile, there is a large latency spike in the evening of the 12th [c], which continues through the morning of the 13th, the day before the incumbent’s rivals were barred from the election race, and protests broke out on the streets. Also of note is a series of late-evening latency spikes, all between around 6pm and 12am, beginning on the 6th of July and continuing for five days [d].
As will be shown in Figure 3, for the days following the main election on the 9th August, a similar set of evening latency spikes are visible. Importantly, these spikes are not observed in the lead up to the 9th, nor in the evening of the day after the election, suggesting that demand-pressure is not wholly responsible for these anomalous patterns.
Given that in-country reports suggested that the technical capabilities of the government were being developed over this period to re-route traffic, inspect packets of information for key terms, or shut down specific website access completely, it is perhaps not surprising that tremors of the kind we observe over July are evident, hinting at a technical testing phase prior to the ‘main event’ to come.
PRESIDENTIAL ELECTIONS, 9 AUG 2020
In Figure 3 we show our observations for Minsk, around the day of the presidential election, 9 Aug 2020.
The first, and most obvious feature, is the huge spike in latency which begins at around 9am on the 9th August, and extends into the afternoon, concluding at around 6pm [a].
The timing is particularly interesting. As opposed to the pattern of evening slow-down events over July (Figure 2 above), and subsequently when riots took hold of the streets in Minsk ([b] in Figure 3 below), the slow-down event on election day was not an evening (6pm-12am) event, and instead, coincides more strongly with the voting window on the day.
Additionally, it is worth noting the scale of the latency anomaly. In statistical terms, the event, in our measurements, is around 5 times the threshold for statistical significance, or in raw terms, our signals entering and leaving Minsk, were being slowed by around 100ms on average, representing more than a 50% relative slow-down.
Further, to discount a regional basis, our observations in neighbouring Lithuania, indeed showed no such problem on the 9th August. This was a Belarusian anomaly, not a regional anomaly.
Finally, we note in passing that over the 10th and 11th August, there were a large number of internet addresses which appeared to have gone offline en masse. Whilst on the 12th a large block appeared online for two hours, then disappeared [c]. These IPs were known to be located in Minsk, but were not active in the period until that day.
Our Methodology
To generate the data behind these observations, we combine a commercially available geo-located IP database with our powerful scanning technology which measures the online or offline status of millions of Internet addresses globally every hour.
Our observational methodology uses the most basic Internet messaging protocol that is widely used billions of times a day to establish routes for your email, tweet, or share. After developing a carefully selected set of Internet addresses (IPs) to measure, we periodically send them one of these tiny messages, essentially asking, ‘Are on you online?’. These online/offline answers form the basis for our ‘connectivity’ indicators.
In addition, we also receive back from these measurements the responsiveness, or latency, of the IP (measured in round-trip-time, or rtt). Latency is a reasonable proxy for the experienced speed of connection, especially for any user who is interacting with a major social platform where even basic chat activities to other users nearby must travel to a server well beyond national borders (and back again).
Importantly, the IP Observatory has no access to any content being shared, viewed, visited, or generated by a user at a given IP, and all IP Observatory activity works in aggregates of thousands of randomly sampled measurements across geo-spatial sub-regions.
The mission of the Monash University IP Observatory — ‘internet insights for social good’ — is to monitor the availability and quality of the Internet during critical events such as elections, natural disasters or conflicts. The IP-Observatory is fully compliant with the EU’s General Data Protection Regulation (EU-GDPR). The IP-Observatory does not collect, hold or process personal data. The IP Observatory was founded by Klaus Ackermann, lecturer in Econometrics and Business Statistics, and Simon Angus, and Paul Raschky, Associate Professors in Economics. The observatory is a project of SoDa Laboratories at the Monash Business School, and tweets @IP_Observatory.
