We have reached the end of 2016, as well as the annual CCC congress in Germany. I had the exciting chance to speak together with Philipp Winter on the shifting landscape of Internet censorship in 2016. The talk followed mostly the same format as last year’s, calling out the continuing normalization and ubiquity of censorship around the world.
I left congress once again energized to work on system infrastructure advancing the Internet community in the face of these existential threats.
Slides from the talk are on this site.
A writeup (in German) is on the Netzpolitik blog.
On Monday, China ratified updated cybersecurity legislation that will take effect next June. The policy regulates a number of aspects of the Chinese Internet: what data companies need to keep on domestic servers, the interaction between companies and the government, and the interaction between companies and Chinese users.
Notably, when considering the impact on the Internet, the law includes the following:
- Network operators are expected to record network security incidents and store logs for at least 6 months (Article 21).
  Note that the punishment for refusing to keep logs is a fine of up to 10,000 USD to the operator, and of up to 5,000 USD to the responsible person.
- Services must require real-identity information for network access, telecom service, domain registration, blogging, or IM (Article 24).
  The punishment for failing to require identity is up to 100,000 USD and suspension of operations.
- Network operators must provide support to the government for national security and crime investigations (Article 28).
- If a service discovers prohibited user-generated content, it must remove it, save logs, and report to the government (Article 47).
  The punishment for this is up to 100,000 USD and closing down the website.
The concerns from foreign companies seem to center around a couple of things. The first is that there’s a fairly vague classification of ‘critical infrastructure’, which explicitly includes power, water and other infrastructure elements, but also refers to services needed for public welfare and national security. Any such service gets additional monitoring requirements, and needs to keep all data on the mainland. Companies are worried they could be classified as a critical service, and that there aren’t clear guidelines about how to avoid or limit their risk of becoming subject to those additional regulations.
The other main concern seems to be around the fairly ambiguous requirement to support national security investigations by the government. There’s a concern that there aren’t really any limits in place for how much the government can request from services, which could extend to requiring them to add back doors, or to perform significant technical analysis without compensation.
My impression is that these regulations aren’t much of a surprise within China, and they are unlikely to cause much in the way of change from how smaller companies and individuals experience Internet management already.
Excited to see Satellite chosen as best student paper this year at USENIX ATC. Slides and audio from the talk should be online shortly.
The CS department, as always, is on top of its news releases.
I’m excited to present Satellite, a network measurement project I’ve been working on over the last couple of years, at USENIX ATC next month.
Satellite aims to understand shared CDN behaviors and to automatically detect censorship by regularly querying open DNS resolvers around the world.
For example, we can watch the trends in censorship in Iran using only a single, external machine.
The data for Satellite is posted publicly each week, and will shortly be merged into the OONI data set to help provide better baselines for what behavior should be occurring.