Internet

Most censored nations each distort the Net in own way

2012-05-02T20:00:00Z

One big reason for the Internet's success is its role as a universal standard, interoperable across the world. The data packets that leave your computer in Botswana are the same as those which arrive in Barbados. The same is increasingly true of modern mobile networks. Standards are converging: You can use your phone, access an app, or send a text, wherever you are.

]]> But in CPJ's new report, the 10 Most Censored Nations, communications networks are constructed not to live up to that ideal, but to fit the limitations of press freedom in each country. The Internet and mobile phones may be transforming how the news is covered, but CPJ's list shows the extent to which controls on news-gatherers distort and hamper the growth of the Internet and cellphone use.

• 10 Most Censored
• Video Report:
Top 10 Countdown

The pattern is different in each country, reflecting local priorities in silencing the independent press. In Belarus and Syria, the Net is home to unlawful but state-sanctioned hacking and surveillance. In Saudi Arabia, Internet users are subject to the same harsh controls that are applied to traditional news media. In Uzbekistan, Internet access is growing, but censorship is still draconian. In Equatorial Guinea, Internet and mobile censorship is minimal, but so is the infrastructure.

In fact, the simplest solution many of these countries have found -- including North Korea, Burma, Cuba, and Eritrea -- is to simply deny their people access to any modern communications infrastructure at all. The Internet in these nations is nonexistent, or profoundly limited: in some cases because of these countries' struggle with poverty, but also because these governments are suspicious of the dangers of a free and open Net.

What Internet infrastructure does exist often mirrors political realities on the ground. In Burma, the countries' Internet is effectively divided into three, self-contained systems: one for the people, one for the government, and one for the military. North Korea's citizens (unlike the ruling elite) have as much access to the World Wide Web as they have to any independent media -- which is to say none. And while Cuba has seen some improvement in availability and affordability of mobile telephones, the country is still struggling to catch up after a history of banning private cellphone and computer ownership.

Eritrea stands as a stark example of how a government's uncompromising approach to media has obstructed the spread of modern communications. In a continent where mobile telephony has transformed local reporting and economies, the regime has been slow to allow mobile phones -- (permission was granted only in 2004). The Internet was made available in Eritrea in 2000; the Net on mobiles is still largely unavailable. All mobile communications pass through EriTel, the state provider, and the government requires all ISPs to use the government-controlled Internet gateway.

When a country with advanced systems clamps down on press freedom, that too affects the state of its communication networks. In the six years since CPJ last published a list of most censored countries, Iran's media, and foreign correspondents based there, have suffered increasing setbacks as hardliners tried to choke off local reporting. At the same time, Iran has been investing in technology and personnel with the explicit intent of restricting Internet access. Officials have repeatedly discussed plans to create a national, or "pure," Iranian Internet, and Iranians face frequent slowdowns in Internet access. A member of the Iranian parliament's Net filtering committee described the Internet as "an uninvited guest" in the country, saying that "because of its numerous problems, severe supervision is required."

The working Internet is alike, the world over. Every censored, silenced, and filtered national network is broken in its own way. Each country on our list has found a unique way to hamper the spread of journalism online: the end result has been to punish its own citizens with online isolation and silence.

Verdict postponed in landmark Thai Internet freedom case

2012-04-30T17:53:51Z

Earlier today, press and human rights groups from around the world heard that the decision in the case of Chiranuch "Jiew" Premchaiporn, the manager of Thai online news site Prachatai, was being delayed yet another month. Chiranuch is charged under Thailand's Computer Crime Act for 10 counts of not deleting apparently anti-monarchy comments on Prachatai's online discussion boards.

]]>

There is a reason why this case, more than many other prosecutions related to Thai's lѐse majesté law, is being so closely watched by international human rights groups and Internet companies. Even without a judgment, it is casting a pall over online freedom of expression in Thailand. With a conviction, it could undermine the lawful basis of the Internet there.

The new delay prolongs the uncertainty, not just for Chiranuch, over whose head the threat of imprisonment has been hovering for three years, but for all online media sites in Thailand. The Prachatai case has already exposed many ambiguities in the Thai Computer Crime law, including whether intermediaries like Prachatai are liable for their commenters when they are unaware of the content; what exactly constitutes lѐse majesté within comments; and how long websites can keep such content online before triggering liability.

None of these important elements are detailed in the Computer Crime Act. The ministry responsible for enforcing the act has not provided any guidelines or regulations for compliance with the law, even though it came into force in 2007. No clarification has been made in the three long years of Chiranuch's own prosecution.

Inevitably, prosecution and defense have made differing arguments about the vulnerability of online news sites to such charges. Prosecution witnesses have stated that under the law, intermediaries are liable the moment an offending comment appears. Experts, including CPJ and Wanchat Padungrat, the founder of Thailand's most popular online forum, Pantip.com, testified to the court that perfect monitoring of the country's online users would be impossible.

Pantip runs 24 webboards, with thousands of topics and tens of thousands of comments generated every day. Even though it blocks "dangerous" keywords related to the monarchy, Wanchat stated that he could not police against all potentially illegal statements, which are often couched in elliptical imagery. Yet under the maximalist interpretation of liability argued by the prosecutor in Chiranuch's case, not only Pantip, Prachatai, and the 14 million homepages of Facebook's Thai users, but even ISPs and cellphone service providers would be liable for the unfiltered content passing through their networks.

Faced with the possibility that almost any Internet company could be prosecuted for the acts of its users, Thai's online space for news and commentary has already diminished. Prachatai chose to shutter its own forums completely in 2009, rather than risk more lawsuits against its employees. But fewer forums have not lessened Thai's intense interest in the news of the monarchy -- news that goes largely unreported in Thai's broadcast and print media.

As the pace of censorship and lѐse majesté cases increases in the country, and as the traditional media treads ever more cautiously for fear of triggering its own prosecutions, it is inevitable that rumors and controversial opinions will increasingly spill into the online world. And that means that, unless the law is clarified in favor of free speech, more politicized court cases will be aimed at targets least able to defend themselves.

At the conclusion of the court's hearings in February, the presiding judge reassured both defense and prosecution that he would review the case "based on the rule of law, and place [due] importance on business interest[s]." Today's postponement came as a surprise. Chiranuch, like others, is hopeful that the delay is an indication that the complexity of the case is being taken seriously, and the court and the country is waking up to just how damaging to press freedom and the Thai Internet a wrongful conviction would be.

Pakistani court says website blocking violates constitution

2012-04-19T15:13:24Z

When CPJ covered the Pakistani government's attempt to build a massive censorship system for the country's Internet in February, we noted a key problem with such huge blocking systems: they are, at heart, democratically unaccountable.

]]> In the fallout from the proposal, Pakistan's High Court of Sindh at Karachi has come to the same conclusion. This week, a group of six Pakistani citizens, including journalist Sana Saleem, petitioned the court to put a stay on the Pakistan Telecommunications Authority (PTA)'s site-blocking. In the court's decision, it stated that any such blocking was in violation of Pakistan's constitutional protections for due process and free expression.

The court ordered the PTA to cease blocking any website other than in accordance with the PTA Act of 1996. This law, which defines how the regulatory body exercises its power over Pakistan's communications networks, requires, among other restrictions, that the regulator acts "in an open, equitable, non-discriminatory, consistent, and transparent manner," and that "the persons affected by its decisions or determinations are given a due notice thereof and provided with an opportunity of being heard."

The result of the order should be that the PTA will not be able to block a site without first informing the site administrator of its intention, and giving them the opportunity to be heard.

It almost certainly scuttles any PTA plans for building a million-site blacklist. The regulator is now limited not by its censorship equipment, but by these requirements to be transparent and responsive to those it seeks to block. Hopefully, it will also put an end to the arbitrary and secretive censorship of online journalism sites in the country. At the very least, news sites which have faced such censorship in the past, such as The Baloch Hal, will have to be given reasons for any blocking, and a chance to overturn them in the courts.

When I spoke to Saleem after the ruling, she was keen to put the decision in perspective. While it stops what she describes as the PTA's "ad-hoc blocking," she admitted it leaves the possibility that the PTA would devise a constitutionally-compliant process for blocking sites. Pakistan's extensive blasphemy law and national security provisions mean that if the PTA does seek legal authority for its filtering, it may succeed.

An unanswered question is how the PTA had wielded its censorship power unsupervised for so long. Saleem said that her organization, Bolo Bhi, was repeatedly told by politicians and civil servants that the proposed filtering project was the PTA's initiative, not theirs. That's why the activists shifted from political lobbying to directly challenging the PTA's authority in the courts. But if the PTA was pursuing its own censorship agenda, who was deciding which sites to censor? And when news, such as Rolling Stone's reporting on what it called Pakistan's "insane military spending," was affected, who was telling the PTA to black out those addresses?

For now, though, the petitioners' aims have been met. "We wanted the PTA to act within the constitution, and within the law," said Saleem. "But this isn't the end of our campaign for a free Internet in Pakistan. It's just the beginning."

UK surveillance plan must be watched carefully

2012-04-10T16:38:20Z

When journalists make enemies in high places, they become vulnerable to the powers those figures wield. One such power is the state's capacity to wiretap and obtain personal records from communications companies. From Colombia's phone-tapping scandal to last year's case of Gerard Davet--a Le Monde reporter whose phone records were obtained by the French intelligence service in apparent violation of press freedom laws--state surveillance has a long history of being misused against reporters.

]]> That's why proposed changes to how such surveillance is regulated in any country need to be closely examined for how they could affect press freedom worldwide.

For the past few weeks, the British press has been uncovering a planned shake-up in the country's monitoring systems. Called the Communications Capabilities Development Programme, the proposal has encountered widespread criticism from civil liberties groups in the U.K. It also may set a precedent for a wider re-examination of how governments monitor the Net.

Traditionally, data obtained from the interception of electronic communications--a tapped phone or a monitored Internet connection--has been divided into two categories: the content of the interception (what is said) and what U.K. law calls "communications data." Communications data is everything else about the message: who it was sent to and from, where and when it was sent, what kind of message it was.

Obtaining the content of an intercepted message has traditionally required a higher standard of judicial oversight than access to the communications data. For instance, in the U.K., wiretaps are only permissible via a warrant requested by law enforcement or the security services and signed by the Justice Minister. Communications data can be authorized and obtained by any number of government agencies, ranging from local councils to environmental regulators.

Historically, this statutory division between communications data and content was partly connected to the perceived intrusiveness of monitoring each of these categories. You could get communications data from the phone company's existing billing records; to get the content of a call, you'd have to step in and listen directly. Steaming open an envelope to read a letter is more difficult than noting what letters get sent, when, and to what address.

In the digital world, however, the distinction between communications data and content is far less clear. The address of a web page that I visit is almost certainly communications data, under the old definition--it lists who I'm talking to (the website) and what I'm looking at (a web page). But some of the content of this page is included in its web address; the searches you type in Google are also reflected in web addresses it returns.

Today's communications data can reveal far more about you than simply an address on an envelope--perhaps even more than the content of a message. Telephone companies have a record of the geographical position of their mobile phones, for instance. Is a detailed map of subscriber movements, as some have argued, merely part of the "where and when" of a phone? Should that information be obtainable by a local borough council?

Now add to the mix the myriad ways one can send a message online. One can send a private message via Twitter, or start a voice chat over Google. One can exchange files on Dropbox, or have a chat within a Facebook page. Much of this data is now encrypted to prevent third-party snooping, which means that governments have neither access to communications data nor the content through traditional interception systems, such as black box surveillance at ISPs.

The U.K. proposes to cut through this Gordian knot by setting up regulations and hardware to collect as much data as possible, at every step of the process. U.K.-based civil liberties organization Privacy International, citing experts and members of Parliament, says this will involve placing data-collecting devices in companies like Facebook and Google.

The details of the British proposal are unclear, but in replying to critical press coverage, the U.K. government states that Internet companies would be "required ... to collect and store certain additional information." Both Skype and instant messaging were mentioned as suitable targets for such data collection.

CPJ has advised Internet companies for years to improve security of their systems to prevent spying. The British government suggests that these companies should begin collecting more data on their users, and build systems to pass that data directly to U.K. authorities.

Unaddressed by the British government so far are three key questions: would the expansion in the kind of communications data collected reveal more about individual users than previously? Who would be in charge of unpacking communications data from the content of a message? And if the British government is permitted to obtain access to international companies like Facebook and Microsoft (which owns Skype), what would prevent other governments from demanding, and getting, the same access?

The first two issues are important to the protection of British journalists, and other citizens, from literally unwarranted intrusions on their work and personal life.

The third has global impact on all reporters, including those working in states where surveillance has less statutory oversight. If Britain decides to increase its own surveillance capabilities, it should take care not to step beyond the bounds of a free society--nor export uncontrolled snooping capabilities to the rest of the world.

Iraqi cybercrime bill is the worst kind

2012-03-30T17:35:15Z

After the rash of political revolutions and criminal attacks on governments and companies last year, it wasn't hard to predict that 2012 would be the year of a cybercrime crackdown. The United States is considering its own cybercrime legislation, and the European Union is seeking to harmonize its member state's computer crime laws. Governments understandably want to prevent further online attacks. Journalists suffer these attacks also, but they don't necessarily gain from fiercer laws. And in the case of a proposed new cybercrime law in Iraq, they may face life imprisonment for simply doing their job.

]]> In CPJ's Attacks on the Press in 2011, I covered the risk to press freedom of such a rash of "cybercrime" laws, and how, even when well-meaning, they can have a damaging effect on online press freedom. The human rights group Access published its report on Iraq's new Information Technology Crimes Bill, currently approaching its second reading in the Iraqi Parliament.

As The Economist notes, the IT Crimes Act is similar, in structure and flaws, to last year's Journalist Protection Act. Ostensibly beneficial to freedom of expression, the laws lack precision where it is needed, and effectively could be used to exclude reporters from protections or criminalize their work.

We noted in January that Iraq's Journalist Protection law excluded part-time journalists, bloggers, and others who volunteer to gather and distribute the news. (As Mexico shows, journalist protection laws don't have to be written this way).

The IT Crimes bill goes further. The vague crimes of using the Internet to "harm the reputation of the country" or to broadcast "false or misleading facts" intended to "damage the national economy" is punishable by life imprisonment. Three months imprisonment awaits anyone who "intrudes, annoys, or calls [Internet] users without authorization" or "deliberately accesses a website ... without authorization." And, in the worst catch-all, "whoever violates principles, religious, moral, family, or social values or personal privacy through information networks or computers in any way" can be sentenced to a year in prison.

It is important to ensure that crimes -- such as identity and information theft, spam, unlawful access, and fraud -- that are conducted on the Internet are pursued and penalized as competently as they are in the rest of society. But just because an action takes place on the Internet does not mean it should be assumed to be a crime, or couched in vaguer tones than traditional criminal legislation. Journalists, especially when they expose the misdeeds of prominent figures, are frequently accused of harming the reputation of nations, annoying citizens, accessing information they have not been explicitly authorized to view, and violating social values. The accusation alone is not enough to send them to jail. In Iraq, merely combining these accusations with proof that a computer was used transforms them into serious crimes.

The ambiguity of the IT Crimes Bill alone will have a chilling effect on those who use the Internet to report news. Given that bloggers and part-time reporters are already excluded from the weak protections of Iraq's journalism law, the Internet would become a freshly exposed place to report from what remains one of the world's most dangerous countries for journalists.

Iraq should not pass this perilously overbroad and punitive law.

Defining who is a journalist, Mexican style

2012-03-26T17:16:35Z

This month, the Mexican Senate approved an amendment to the country's constitution that would make attacks on journalists a federal crime in Mexico.

]]> The amendment, which now needs to be ratified by state legislatures, has important potential benefits for the ongoing safety of Mexico's journalists, the reduction of the country's 90% impunity rate, and press freedom in general. Attacks on reporters in Mexico's drug cartel-dominated regions are strongly linked with attempts to silence or distort wider knowledge about the corruption and organized crime; local investigations are frequently hampered by internal corruption of law enforcement and the suspected involvement of drug lords and prominent local officials.

There's a wider benefit of Mexico's amendment which has applications worldwide: It would be one of the first laws to broadly protect the new types of journalism that are emerging from online practice, with enough room to catch formats that we cannot even predict.

Defining who and who isn't a journalist in the modern age is an ongoing challenge for academics and reporters themselves, and the difficulty of coming up with a stable definition has created serious problems for those trying to pass journalist protection laws.

In the U.S., for instance, a federal reporter shield law foundered in part on how reporters should be defined. Other recently passed laws, such as the 2009 French Press Protection Act, have struggled to include new media reporters as well as more traditional reporters. Mexican senators told us that alternatives to the current Mexican amendment also grappled unsuccessfully with a useful definition.

The final language of Mexico's amendment empowers the federal authorities to try any offense "contra periodistas, personas o instalaciones que afecten, limiten o menoscaben el derecho a la información o las libertades de expresión o imprenta" -- "against journalists, people, or outlets that affects, limits, or impinges upon the right to information and freedom of expression and the press."

What's useful about this language is that it accepts that there will always be a central and primary role for journalists (however we define journalists in the future), but that in attacks on the press, others can be caught in the crossfire. The Mexican Congress has chosen not to try to redefine the term journalist, but seeks to ensure that whenever a criminal mounts an attack on the freedom of the press, the federal authorities can intervene.

Of course, constitutional amendments are allowed a little more leeway in their language than the laws and court judgments that spell out how they should be enacted. And the effectiveness of Mexico's press protections will depend far more on the secondary legislation and the vigor of its investigating prosecutors than the letter of the law.

Nonetheless, it's a vital first step that Mexico has devised language that works for the way the 21st century press operates. Let's hope that other countries struggling with similar impunity challenges take it up.

Online news sites as battleground for Mexican drug war

2012-03-07T17:45:16Z

I'm in Culiacán, the capital of the Mexican state of Sinaloa. Part of my work here has been to investigate and highlight the cyber-attacks that the award-winning weekly local newsmagazine Ríodoce has encountered in its coverage of the violent drugs war here.

But discussing the experiences of online editors at other publications here has shown just how intertwined the Net, the work of reporters, and the drug war have become.

]]> Like many newspapers, Noroeste ("Northwest") has a public discussion section underneath the online versions of its articles. Most pieces get a handful of comments. Discussions of the drug war can get more. And sometimes, members of the cartel themselves step in to comment.

The result is a verbal battleground between different gangs, seeking to turn the newspapers into a place where they can boast or threaten each other, or passersby.

Noroeste has over 500 employees, working on three local editions across the state of Sinaloa. Even so, the level of participation in these forums means they cannot monitor or screen every comment. Like almost all Internet publications, they use retrospective moderation, relying on their users to flag unsuitable messages.

But simply the act of removing a comment can cause trouble. When Noroeste's administrators removed one message recently, I was told by the newspapers' director, the next comment was aimed at one of the newspaper's editors more directly. "You did not publish our message," it said. "We know who you are. And we know where your wife is. Watch out." The wife's movements as described by the commenter were recent, and accurate.

In Sinaloa, journalists take such threats very seriously. In September 2010, two cartel members opened fire with AK-47s on the reception at Noroeste's Mazatlan regional offices. The publication's staff was directly threatened in a cartel message scrawled on a blanket at the scene of the crime -- a "narcomantas." At the time, the attorney general stated the attack might have been due to the newspaper's "refusal to publish certain information." Both the region's other major daily newspaper, El Debate, and Ríodoce also experienced attacks.

Journalists here risk their lives for reporting on forbidden topics -- or even just photographing the wrong bystander at a crime scene. Noroeste's experience shows they also face retaliation for simply trying to prevent their own websites from becoming the Internet equivalent of narcomantas.

Pakistan's excessive Internet censorship plans

2012-03-01T22:35:54Z

Last month, Pakistan's government put out requests for proposals for a massive, centralized, Internet censorship system. Explaining that "ISPs and backbone providers have expressed their inability to block millions of undesirable web sites using current manual blocking systems," the state-run National Information Communications Technology Research and Development Fund said it therefore requires "a national URL filtering and blocking system."

]]> The new system would need to handle "up to 50 million [blacklisted] URLs," and would operate across the entire Pakistani Internet. The research fund intends the system to be designed and built within the country, "by companies, vendors, academia and/or research organizations with proven track record."

Fifty million URLs is quite a tall order -- but not, sadly, for the demands of an Internet censorware device. Censorship, managed by routers and software built by a number of companies, scales rather easily to such demands. Companies like McAfee sell blocking systems for corporate intranets with databases in excess of 25 million web addresses. Such databases have been re-purposed for national firewalls in countries like Saudi Arabia and the United Arab Emirates for many years.

It is democratic oversight which fails to scale to such numbers. Databases of millions of sites inevitably include "false positives" -- sites that should never have been included, even on the terms of the blacklist. That's why corporate blocks have been shown to include feminist and gay rights sites under "pornography," as well as high-profile blogging and micro-blogging sites like Twitter and LiveJournal as "dating" websites. When these databases are applied to national firewalls, such sites disappear from general access.

Worse, it's impossible for citizens to oversee such blocking systems to prevent over-censorship, including of news sites, by those in power. Pakistan's current censorship policy is unclear, but already sites such as the Baloch Hal and others carrying news about Baluchistan -- a contested region of Pakistan with a number of secessionist groups -- are blocked. Any future blacklist will undoubtedly be kept secret. And the centralized nature of the database means that the government will be able to censor sites swiftly, with no checks and balances. In the RFP's technical description, there's no room for any civic oversight.

Even the small steps taken by some Pakistani ISPs to automate Internet censorship has led to over-blocking. Last year, a blocking system introduced by one telecommunications company, Mobitel, meant that Pakistani Internet users could not even search for the name of Asif Al Zardari, their own president.

An unchecked, centrally-controlled, censorship regime with such vast capacity is a recipe for disaster for local online press freedom. Companies, vendors, and academics thinking of applying for the role would be complicit in building a system that could easily -- and judging on past behavior, would inevitably -- be misused by the Pakistan government.

High-tech security information needs better dissemination

2012-02-24T20:29:45Z

After the London launch of CPJ's Attacks on the Press at the Frontline Club this week, I had an opportunity to talk to a number of young journalists setting out to regions where reporters are frequently at risk. As CPJ Executive Director Joel Simon noted, these discussions took on an extra poignancy the next day, with the news of the death of Marie Colvin and Rémi Ochlik.

]]> What stood out in the conversation was how often the reporters I spoke to were aware generally of the dangers from using high-tech tools, but felt they were being provided with little practical guidance, either from the media organizations that employed them, or from external sources.

One reporter, due to leave on assignment for Pakistan in a few weeks, was pursuing his own research on how to bypass local censorship and protect his communications from surveillance. His decisions (using a virtual private network, keeping his contact list off his mobile phone) were sensible, but were entirely down to his own research. In that sense, he is being faced with the the info security equivalent of packing off a correspondent into a war zone with no insurance and a first aid kit.

At CPJ, we've been long aware of this widening gulf between the growing risk of journalist's use of technology and institutional knowledge, which is one of the reasons why our forthcoming journalists' security manual has a chapter specifically on information security. But one of the real challenges in providing any advice is that the environment keeps changing. Substantive advice depends on understanding the capabilities of those targeting journalists, as well as new countermeasures that might be taken.

The ongoing discussion of whether Colvin and Ochlik's location was uncovered by tracking their satellite phone transmissions highlights that problem. It's no surprise to technologists that satphones leak location data. As a matter of simple physics, satphones broadcast a signal that can be detected, and which looks very different from the more prevalent mobile phones. What is novel is the idea that journalists, who may use satphones more than others in an urban war zone like Homs, may be specifically identified via their satphone use, and that the Syrian government forces might have the capability to act on that information.

What are the best sources for the knowledge that journalists need? Unsurprisingly, it's journalists -- both those on the ground, and those researching the companies that make and sell such tools to regimes like Syria. But identifying the policies and equipment that can lead to fatalities is only part of the story. We need to turn the research into effective, practical advice. What we need is better and faster and public sharing of such intelligence between reporters, media organizations, and activists.

Brazil set to test Twitter's selective blocking policy

2012-02-10T21:52:48Z

I've been telling reporters that Twitter's new national blocking policy was like Chekhov's gun. Its recent appearance inevitably prefigured its future use.

]]> High up on the list of countries that I thought might take the first step was Brazil; it was one of the first countries to make demands on Google for takedowns, and still remains the country with the highest number of content takedown requests for that company. Sure enough, today, Brazil's federal prosecutor was seeking an injunction to prevent Twitter users from warning others of radar speed traps.

As we've explained before, Brazil's high ranking in Google's transparency data doesn't mean that Brazil is the most draconian censor in the world; it just means that Brazil, like many South American countries, has a judicial system that allows individuals to demand content takedown, and often instructs intermediaries like Google and Twitter to comply with these orders. The prosecutor's order, if a judge agrees, will be aimed at users, but would almost certainly be enforced via a demand on Twitter itself.

The question I posed last week will then come up: will simply hiding the content from Brazilian users, post facto, be enough to satisfy the courts? Will seeing notification of the content vanishing from their Twitter streams encourage readers to search for it elsewhere? Will the courts pursue these traffic reports if they move to other social media sites? News of radar traps and roadblocks are obviously highly time-sensitive. Will the prosecutor seek to require the courts (or Twitter) to preemptively filter future tweets on this topic?

When discussing press freedom, it might seem a stretch to seize on the right to send bite-sized traffic reports as a bellwether. But it does not take much to move from radar trap announcements to the reports made by citizen journalists in Mexico, who use Twitter to notify their community of drug cartel roadblocks and shootings. In China, allegedly false rumors spread online have led to arrests; in Mexico, incorrect rumors spread on Twitter have been transformed into charges of terrorism. When simply disseminating information becomes a criminal offense, the more dangerous it becomes to report any news. And the more topical news is, the more tempted governments will be to press for pre-emptive censorship, instead of slow-moving and retrospective court orders.

Can selective blocking pre-empt wider censorship?

2012-02-03T22:14:11Z

Last week, Twitter provoked a fierce debate online when it announced a new capability--and related policy--to hide tweets on a country-specific basis. By building this feature into its website's basic code, Twitter said it hoped to offer a more tailored response to legal demands to remove tweets globally. The company will inform users if any tweet they see has been obscured, and provide a record of all demands to remove content with the U.S.-based site chillingeffects.org.

]]> A number of outlets also noted that changing the country from which Twitter assumes you are viewing would be relatively easy--just a matter of tweaking a setting on your profile. So if content is blocked in the U.K. only, British readers would be able to see the original content by switching to a U.S. setting.

Earlier this month, Google introduced a similar process for blogs hosted on its Blogger service. If a site contained content prohibited in a country, readers there would be redirected to a new, filtered website address. Users in other countries would see the original content. Readers in blocked countries could switch to the unblocked version by visiting a special URL.

These models, in a roundabout way, have evolved from previous experiences of Silicon Valley tech companies in dealing with foreign jurisdictions. Yahoo lost a jurisdictional and technical argument in 2000 when it claimed that it could not prevent French users from participating in auctions of Nazi memorabilia on its site, an act prohibited by French law. Technical experts testified that Yahoo could identify and therefore block the majority of French users by examining their IP addresses. Yahoo eventually took the simpler step of refusing Nazi memorabilia sales entirely. A French law became a global one for Yahoo users because Yahoo first denied it had the capability, and then neglected to implement a technical system for separating French readers from other visitors.

Google, faced with similar challenges over the lawfulness of YouTube content, took a different tack. Acknowledging that it could block selectively by location, the company chose that route when local law requires. For instance, videos that breach British law forbidding the filming of court proceedings have been blocked in the UK only. Videos that demean the Turkish founder, Atatürk, are blocked only in Turkey, where they are deemed illegal.

In Google's case, the code to regionally block preceded the policy decision. YouTube has always had a very overt system of regional blocking, which is used to prevent copyrighted material from being shown in countries where the content was not licensed for distribution. The company repurposed this tool for legal censorship requests.

Now Twitter and Google are building their own, new tools specifically to deal with legal requests. Both argue that their wish is to minimize the amount of content that is deleted from their site entirely.

All of which illustrates the truth of the old geek adage "code is law". What governments can oblige companies to do is heavily influenced by what the companies themselves have previously built. In the case of Twitter, no national censorship demands have so far been accepted, even though the company has expanded into countries such as the U.K. where civil lawsuits can require content be taken down by intermediaries.

The question is: Will the pre-emptive creation of blocking code limit damaging legal restrictions?

Twitter's new code attempts to mirror what many countries see as the territorial limit of their powers. When the French courts demanded that Yahoo block French users from participating in Nazi auctions, they did not see themselves as having the authority to order Yahoo to cease all such auctions.

But that's not the case for the most press-unfriendly regimes. They don't want to simply hide content from some users; they want offending content removed in its entirety worldwide. And if they can't get that through legal means, they will attempt to obtain it through threats, internal technical measures, or ingenious workarounds of their own. The Turkish courts did not accept Youtube's selective blocking of Atatürk videos, so they blocked the entire YouTube site. States that want information removed from Facebook will be as likely to use floods of fake complaints or drown out the data from their own users, as happens in countries like Syria and Bahrain.

Code has another influence on censors. What censoring states truly want from companies such as Twitter and Facebook varies by how the sites are built and used.

Twitter's 140-character limit is not a physical restriction, but simply a constraint arbitrarily built into the site's code. That simple, coded, limit affects everything that Twitter users do, and what censors wish to stop. The code defines the community.

The most intrusive censorship regimes are concerned about micro-blogging sites not because of specific statements they wish removed, but because they are used to quickly spread news. Reporters break stories on Twitter; readers link to journalism on it. Both are dangerous practices in censorious countries.

You can't stop the flow of tweets by issuing a court order to Twitter to lock down a single posting. You certainly can't do it by restricting visibility in a single country. What a censor needs in such cases is the ability to pre-emptively block entries--defining a series of keywords that will silence an entire set of micro-blog entries on a particular topic.

This is what China does with its local Twitter competitors. It's the power that future legislators will seek in order to control the spread of allegedly defamatory language, supposedly offensive slurs to national heroes, and information about protests and riots.

From their current statements, providing such prior restraint is a line that Twitter currently refuses to cross. Whether they can maintain that stance amid global expansion and more carefully tailored legal challenges is unclear.

Twitter's new code is an attempt to pre-emptively fend off legal attacks that seek to remove its users' content. It seems a sincere and thoughtful attempt to limit the damage. Its many critics are also right in being concerned that it reveals a new front in censorship. Unfortunately, the first shots in that fight were fired a long time ago.

Google+, real names and real problems

2012-01-26T16:35:12Z

At the launch of Google+, Google's attempt to create an integrated social network similar to Facebook, I wrote about the potential benefits and risks of the new service to journalists who use social media in dangerous circumstances.

Despite early promises of relatively flexible terms of service at Google+, the early days of implementation were full of arbitrary account suspensions - particularly of pseudonymous users - and the appeals process was unclear. The result was a lot of early bad press for the service from the traditional "first adopter" crowd, a framing it has subsequently struggled to escape.

]]> As implemented, Google+'s policy against pseudonyms imitated the long-standing stance of Facebook. That sites' founders claim real names foster civility, and struggle to insist that everyone on their service uses their given name.

But as Google executive Eric Schmidt concedes, "[real names] are a more complicated question" in countries like Iran and Syria. In those places it can be dangerous for sources or even reporters to use traceable identities online, so pseudonyms are frequently used. In such circumstances, deletions based on user complaints or reports for violations of terms of service can be misused against independent journalists who are the targets of coordinated government campaigns against their work.

This week, Google+ shifted its policy and the sites' technical implementation slightly. It has taken steps to allow its users to use well-known pseudonyms rather than their given name as part of the suspension appeal process. The company has also indicated it may move further on this topic to allow new pseudonyms to be developed on the site, without requiring evidence of other uses.

Does such policy shifts make Google+ a better, safer site for independent journalists? Frankly, that remains mostly an academic question while Facebook remains the dominant social platform in most of these countries: for now journalists will continue to work where the audience and the sources are.

In practice, though, most cases of silencing sources and journalists are less about the details of the pseudonym policy itself, and more about the suspension procedure. Most at-risk bloggers and sources don't see a problem with faking a convincing false account or two on Facebook or Google if necessary. Neither company can or will strongly enforce real names across the board. It's impossible to check everyone's ID at the door of these websites.

The damaging consequence for press freedom comes when reporter and sources' casual decision to disguise their real identity is used by their enemies to game social network sites into over-enforcing their terms of service. Overnight, reporters or sources are suspended, losing that precious audience or documentary record. A terms of service condition is bent to suit the agenda of a group determined to silence a point of view. (And it's not just real names that get used for this. Claiming that legitimate news coverage is offensive or hateful can also work.)

Under these circumstances, few independent journalists are going to know how to argue their case against these Internet monoliths, even if the rules are in their favor. They will inevitably be dealing with low-level tech support representatives with a pre-recorded script in a foreign language -- a script that almost certainly has no category for "Customer is an independent journalist who skirted our terms of service for their own safety."

Can you fix such problems with service-wide rule changes? As Google executive Bradley Horowitz noted in his post, borderline cases represent a tiny minority of the cases social networks deal with. It may be that the greatest improvements that can be made are working out ways to quickly extract these unusual cases from the automated labyrinths of customer support that process hundreds of millions of users, to a human being with the time and expertise to understand the subtleties. This isn't something that any company could make explicit, out of fear that every spammer will tick that "independent journalist" box. But concentrating on refining such procedures would help press freedom globally -- and prevent some nasty publicity own-goals for these sites along the way.

Online publishers, developers sentenced to death in Iran

2012-01-20T18:24:39Z

Politically-related Iranian prosecutions often take place in near secrecy, with unclear charges morphing and changing over time. It doesn't get any easier to work out the motivations of prosecutors when the charges are connected to technology.

]]> Web developer Saeed Malekpour and IT professionals Vahid Asghari and Ahmad Reza Hasempour, who are all accused of hosting illegal content online, were sentenced to death in early January, according to several news reports. But what kind of content? The prosecutor claim that the network was, in part, pornographic, but Asghari has also been accused of spying in collaboration with blogger Hossein Derakshan, and wrote that he was forced under torture to state that Hossein was an agent of the CIA.

What we do know is Asghari, Hasempour, and Malekpour were all targeted because they were seen as capable of hosting, or assisting with the building of websites. They have been described by the Iranian government and state media as "The Strayed Three" (the "Mozzelin 3"). Iran has a policy of dismantling "destructive" online networks, and the three appear to have been rounded up as part of this crackdown.

It's not even clear whether the three were involved in illegal hosting. Malekpour's wife, Fatima Eftekhari, has stated that his involvement was limited to writing a generic uploading script which was then used by the publishers of adult websites.

If true, that means that in Iran, putting your name to an open source utility could leave you detained, beaten, and tortured, and then sentenced to death.

The charges against Iran's web developers are so vague as to make it difficult for CPJ to ascertain whether their work was directly involved in news reporting. But as any blogger knows, independent web hosts and developers are as key a part of creating a web presence as the writers and reporters. Creating an atmosphere of fear by arresting and torturing independent hosters of content is as damaging to press freedom as rounding up the operators of printing presses would be in an earlier age.

Belarusian website Charter 97 attacked, shut down

2011-12-30T19:43:56Z

It's not unusual for Charter 97, a Belarusian pro-opposition news website, to be disrupted online. CPJ has documented intimidations, threats, and arrests against its staff members, the murder of its founder, and denial-of-service attacks against the website.

]]> On Thursday, the site endured a devastating online raid, Editor-in-Chief Natalya Radina told CPJ. Anonymous individuals used a password that Radina believed they got from malware used on an editor's personal computer. The saboteurs then logged on to the site's administrative section, deleted archives, and created a false news story about opposition presidential candidate Andrei Sannikov, she said. Sannikov was imprisoned after coming second in the December 2010 elections, and was sentenced to five years in prison in May.

Then again, this morning, Charter 97 was forced off-line after another DOS attack, Radina told CPJ.

Sites like Charter 97 do not have the resources to devote to digital forensics. Radina, winner of CPJ's 2011 International Press Freedom Award, works in exile in Lithuania. Like Sannikov, she faces charges of "organizing mass disorder" in her home country of Belarus.

For all of the accusations of criminality they make against journalists and political opponents, Belarusian authorities seem entirely uninterested in combating acts of computer crimes in at least some circumstances. While most of the disruption against Charter 97 took place behind the shield of anonymizing services, one of the attackers was using a Belarusian IP address. An assailant who not only sabotages Charter 97's archive but plants false information about an opposing presidential competitor would seem to be strongly connected to the Lukashenko regime.

Before the second attack this morning, Charter 97 was able to restore most of its archive, but its editors were not sure if some of the articles from December 2011 could be recovered, Radina told us.

Whatever the news from Charter 97 will be in 2012, it's clear that some in Belarus do not want their compatriots to read about it online. Radina remains defiant: "Take it from me that we shall live through today's attack too, no matter how serious it is. And we shall work even better."

Ríodoce attack shows need for denial-of-service defenses

2011-12-12T16:25:05Z

A founder of Mexican news weekly Ríodoce, Javier Valdez Cárdenas, traveled to New York in November to receive CPJ's International Press Freedom Award at our annual benefit dinner. No sooner had he returned to Mexico than Ríodoce's website was thrown offline by a denial of service (DOS) attack, in which multiple computers are used to flood a webserver with fake requests, slowing down the site so that it cannot serve legitimate requests.

]]> Ríodoce is one of the few publications in the Mexican state of Sinaloa that covers in depth the narcotraffickers who operate in the region, including the powerful Zetas cartel. Its staff lives with the consequences every day. In 2009, a hand grenade was thrown at the magazine's offices. This, however, was the first successful online attack on the publication. It's simple to assume that the attempted silencing of Ríodoce online was related to its drug war coverage, but the perpetrators left confusing clues as to their identity. These included a reference to Anonymous, the collective identity adopted by a wide range of Internet activists.

Like many independent media online, Ríodoce relied on a standard webhosting agreement to host its content, in this case with the U.S. company DreamHost. The attack on Ríodoce used enough resources to affect other websites at DreamHost, and eventually the company shut down the news site completely to protect its other customers. Ríodoce has since switched to another provider. The attack began on November 25 and prevented access to the news site for six days.

"We can't accuse anyone [for the attack], because everyone is a suspect... but we are sure that it was a result of our reporting," Valdez told CPJ. "We have another server now and we are thinking of getting our own server. We are protecting ourselves against another one of these kinds of attacks because we are expecting there will be more."

Ríodoce's attackers appear to have hid their tracks by using Ultrasurf, an anonymizing service originally designed to allow users to circumvent China's censorship. They did leave a message for Ríodoce, however. Many of the page requests had embedded the following text:

L3G10N=NOMASMENSAJESDEZETASENLOSMEDIOS!!SomosLegion!!

or "No more messages from the Zetas in the media! We are Legion!"

As Ríodoce noted in its own piece on the matter, the message includes the language of Anonymous, whose activists use the slogan "we are legion" in their announcements. The group has been associated with proclamations against the cartels, as well as rumors that some members intended to release private documents on the drug gangs (although some observers remain skeptical of the accuracy of those threats). Since the terminology and the name "Anonymous" could be adopted by anyone, the use of their slogan in an attack does not indicate a great deal.

Nor is a large conspiracy or gang of super-hackers needed to explain how Ríodoce was taken offline. The attack was small, relative to many denial-of-service attacks. Webserver logs reviewed by CPJ indicate that possibly fewer than 30 computers were used to take the website down. For a website using unfortified software on a shared host such as DreamHost provides, a few machines are all that are needed to force the website offline.

Such an attack could easily have been organized by a small group of hacktivists who misinterpreted Ríodoce's coverage of the Zetas as support. It could have been launched by another cartel attracted by the rebellious imagery of Anonymous. Or it could be one online prankster with a PC.

Taking down the site of an independent news service with a limited Internet budget does not require the financing or organizational capabilities of a powerful group. It could be conducted by a single, technically knowledgeable person with a grudge. Such attacks are no less damaging to free speech than if they were conducted by large conspiracies. Journalists make enemies - especially if, like Ríodoce, they are doing their jobs well - and such enemies will be happy to break the law to silence a critic. Technologists, news site software designers, and hosting services need to have a defense prepared for such attacks.