Technology, Thoughts & Trinkets

Touring the digital through type

Dispelling FUD: Iran and ISP Surveillance

Since the election of incumbent president Mahmoud Ahmadinejad, the world has witnessed considerable political tension in Iran. Protests over the questionable electoral results, beatings and deaths of political protestors, recurring protests by Iranians associated with the Green Revolution, and transmissions of information amongst civil- and global-actors have been broadcast using contemporary communications systems. Twitter, blogs, Facebook, and mobile phone video have enabled Iranians to coordinate, broadcast, and receive information. The existence of Web 2.0 infrastructure has set the conditions under which the Green Revolution operates.

The Iranian government quickly recognized the power of cheap social coordination technologies and, in response, drastically reduced the capacity of national Internet links – the government, in effect, closed the nation’s Internet faucet, which greatly reduced how quickly data could be transmitted to, and received from, the ‘net as a whole. This claim is substantiated by Arbor Networks’ (Internet) border reports, which demonstrate how, immediately after the presidential election, there was a plummet in the data traffic entering and exiting the nation. (It should be noted that Arbor is a prominent supplier of Deep Packet Inspection equipment.)

Prior to trying to dispel the Fear, Uncertainty, and Doubt (FUD) surrounding the contemporary Iranian ISP-surveillance system that is regularly propagated by the media, I need to give a bit of context on the telecommunications structure in Iran.

The Composition of Iranian Telecommunications

As in Western nation-states, there are a series of ISPs that Iranians can select to receive Internet. The catch is that all data traffic has to pass through the state-controlled infrastructure of the Telecommunications Company of Iran (TCI). Household connections have a data-transfer ceiling: in 2006 the Ministry of Communications and Information Technology (MCIT) issued an order that forbade ISPs from providing Internet connectivity to households and public access points that exceeded 128 kilobytes/second. To put this in perspective for Canadians (and others in North America), Bell Canada’s slowest service plan is for up to 256 kilobytes/second (i.e. a 2 Mbps connection). Universities and private businesses in Iran can obtain high-speed access, though as a result of capping residential speeds there has been a substantial reduction in fibre-deployment (and increases in broadband speed), which was rapidly expanding from 2005 – 2007.

The limitation of bandwidth speeds was likely meant to hinder (as opposed to prevent) access to rich-format alternate media sources available on the ‘net (e.g. YouTube, media-heavy websites, etc); when it takes ten minutes to load a BBC broadcast, you go somewhere else to get news instead. The benefit of this strategy is that the government could escape claims that they were censoring content:  it was just delayed, and who minds waiting another few minutes for something they really care about?

Fear, Uncertainty, and Doubt and Iranian Digital Surveillance

The Wall Street Journal (WSJ) ran a piece last summer that accused Iranian officials of using Deep Packet Inspection (DPI) equipment purchased from Nokia-Siemens to survey and censor content. The Journal’s assertions were subsequently picked up by major media sources, and the blogosphere along with reputable journalism sites continue to reinforce the position of the WSJ. The problem, of course, is that to date there has been little to no reputable reinforcement of the WSJ’s initial claim, and Nokia-Siemens has openly refuted the allegations.

The WSJ asserted that, “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds. In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.” Moreover, “Iran is ‘now drilling into what the population is trying to say,’ said Bradley Anstis, director of technical strategy with Marshal8e6 Inc., an Internet security company in Orange, Calif. He and other experts interviewed have examined Internet traffic flows in and out of Iran that show characteristics of content inspection, among other measures.”

After the WSJ piece ran, David Isenberg, Mark Hopkins, and I separately found fault with various elements of the story as reported. In summary, we argued that:

  • tests for detecting DPI, presently, do not exist;
  • Marshal8e6 is a spam/phishing company; there is no reason why they would have any particular insight into DPI, and a look at their website shows that their core business competencies are not in DPI-related activities;
  • there is no evidence that the Iranian system uses DPI – all we really have is a lone, anonymous, engineer saying that everything is examined for keywords. Keep this point in mind, as we’ll be getting back to it;
  • the WSJ’s primary source, Ben Roome over at Nokia-Siemens, maintains that the company sold only mobile technology capable of lawful access and did not sell DPI equipment. Further, Nokia-Siemens has actually exited the intelligence market, as recognized in the WSJ article;
  • it is, quite simply, easier to leverage existing infrastructure rather than import and embed DPI appliances in an already functioning surveillance environment.

It’s key to note before getting into the next section that neither Isenberg nor I claim that DPI isn’t in use; we claim instead that there is no clear reason to assume that Iranian authorities have incorporated DPI into their arsenal of surveillance technologies (Hopkins is making the full move to state DPI isn’t being used). DPI is expensive to install, and massive inspection comes with substantial computational and other technical overheads – it’s for this reason that most DPI devices inspect elements of packet streams rather than streams in their entirety when they must be inspected in real-time. To use DPI for full-stream analysis when there are better tools for the job that already are built and running would be mind-numbingly stupid, and we have no reason to believe that Iranian IT admins are stupid people.

The Composition of ISP Surveillance in Iran

A very good report on the status of Internet surveillance in Iran was released by ICTRC in 2005, and it’s nicely supplemented by the OpenNet Initiative’s (ONI) report on Iran. From these, we learn that the Iranian government  uses a series of techniques to filter and censor the ‘net. They include:

  • the use of SmartFilter (which blocks particular websites and content) by all ISPs. The Telecommunications Company of Iran (TCI) itself has reassumed the role of centralized filtering from the ISPs, according to ONI, though some Iranians still see the old ‘access denied’ images that are branded by their ISP. ONI’s findings suggest that the technical difficulties of centralized filtering, identified in the ICTRC report, have likely been overcome.
  • New ‘block sites’ are added to the ever-expanding list of blocked websites, many of which are aimed at countering ‘immoral’ inclinations or limiting dissident political communication.
  • Internet ports are regularly closed by ISPs in accordance with government edicts. These ports are used to access proxy servers, such as TOR, which give Iranians access to the uncensored Internet.
  • Prior to data exiting the Iranian telecom environment and entering the global Internet, all requests are passed through proxy servers that permit keyword filtering. Web searches containing particular words may be blocked, and because content is passing through proxy servers there is the possibility of monitoring all unencrypted  traffic, including chat conversations, email, and web browsing.

In the WSJ article an anonymous engineer stated that “We didn’t know they could do this much … Now we know they have powerful things that let them do very complex tracking on the network.” While the WSJ alleges that this is a reference to DPI, I would suggest that the engineer is probably referring to the Iranian government having backtracked on stated uses of their proxy-based surveillance architecture. You see, in 2006 the Communication and Information Technology Ministry announced that their surveillance apparatus:

…would block access to unauthorized websites, identify Internet users, and keep a record of the sites they visit. The system administrator would have access to this information.

The ministry subsequently denied that the filtering facility could identify users and track their browsing habits, and it stressed that it only wants to block access to pornography. There also were acknowledgements that the previous methodology was imperfect, and a “filtering databank” would be more precise and make fewer mistakes.

Given this broader context from 2006, the engineer’s statement – that they hadn’t thought the government’s apparatus was designed to massively identify users and record visited sites – makes quite a bit of sense; he didn’t know that the government had adjusted how they were using infrastructure already known to exist. If you recall, the engineer had made a reference to ‘keyword filtering’, and it only requires a proxy to analyze text. DPI is not required. Further, when Marshal8e6 Inc. referred to content analysis having been performed, the corporation might have been referring to the proxy-based keyword analysis and not DPI surveillance. Given that an already impressive surveillance infrastructure utilizing proxy-based servers has existed for several years now, and is capable of the filtering being witnessed today, it’s unclear how the present monitoring of digital communications requires, or indicates the use of, DPI appliances. Because the article’s sources can easily be read as referring to surveillance systems already known to exist, their statements shouldn’t be used to support the WSJ’s claim that Iran is using DPI, but rather the claim that the proxy-system is more impressive than previously thought. The latter is an entirely reasonable claim; the former is outlandish and requires substantial reporting to guarantee accuracy.
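To make the proxy-versus-DPI point concrete, here is an added sketch (not from the original post, and not a description of any deployed system): an explicit forward proxy receives a plaintext HTTP request already assembled as text, so keyword matching is a string search, while an encrypted CONNECT tunnel exposes only the destination host and port. The hostnames, the keyword, and the form-encoded bodies are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder; no real filter list appears on the page.
KEYWORDS = {"blockedterm"}

# Constructed sample requests, as an explicit forward proxy would receive them.
PLAIN_SEARCH = (b"GET http://search.example/find?q=blockedterm+news HTTP/1.1\r\n"
                b"Host: search.example\r\n\r\n")
PLAIN_POST = (b"POST http://chat.example/send HTTP/1.1\r\n"
              b"Host: chat.example\r\nContent-Length: 22\r\n\r\n"
              b"msg=meet+at+the+square")
TLS_TUNNEL = (b"CONNECT mail.example:443 HTTP/1.1\r\n"
              b"Host: mail.example:443\r\n\r\n")


def proxy_view(raw: bytes, keywords=KEYWORDS) -> dict:
    """Return what a forward proxy can read from one client request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n")[0]
    method, target, _version = request_line.split(" ", 2)

    if method == "CONNECT":
        # Encrypted tunnel: the proxy learns the destination, then only
        # relays ciphertext, so there is no text to match keywords against.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "content_visible": False, "text": "", "hits": []}

    # Plaintext HTTP via a proxy carries an absolute URI in the request line.
    url = urlsplit(target)
    query_fields = parse_qs(url.query)
    # Assumption: bodies are form-encoded, so parse_qs decodes them too.
    body_fields = parse_qs(body.decode("utf-8", errors="replace"))
    values = [v for fields in (query_fields, body_fields)
              for vals in fields.values() for v in vals]
    text = " ".join(values)
    hits = sorted(k for k in keywords if k in text.lower())
    return {"method": method, "host": url.hostname, "port": url.port or 80,
            "content_visible": True, "text": text, "hits": hits}


if __name__ == "__main__":
    for name, req in [("search", PLAIN_SEARCH), ("chat", PLAIN_POST),
                      ("tunnel", TLS_TUNNEL)]:
        print(name, proxy_view(req))
```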

Intelligence Through Social Networks

Given the supposition that DPI isn’t being used for surveillance purposes in Iran right now, one might ask: how is it, then, that seemingly cautious protestors and organizers who practice ‘safe computing’ (i.e. encrypt their data traffic) get caught? In response, I would suggest that rather than focusing on ‘how they broke the encryption’ there needs to be a focus on ‘where did they find, and how did they exploit, weak links in the network?’

If just one person transmitted unencrypted data and compromised organizers’ names, then the authorities would have a place to start their investigations. Alternately, if someone in Iran routinely encrypts most of their data traffic they likely rise to the attention of network administrators. Administrators could very easily be under orders to pay attention to any non-encrypted data traffic that such persons of attention transmit to the ‘net, in the hopes of gaining content-based insight into what the encryption-user might be doing, saying, or who they are speaking with online. Moreover, even if you’re sending encrypted email to protect yourself against proxy-based traffic analysis, if your email is stored on an Iranian ISP’s server then the messages are unlikely to be secure when ‘at rest’ on the server itself. Protecting the data in transit isn’t sufficient when you can’t trust your ISP. Finally, there are reports of officers seizing people’s laptops, but occasionally leaving the people themselves alone, again negating the value of encrypted data transmissions if data at rest on the computers isn’t similarly secured.

There is often far more to gain in developing social profiles of people and their related associates than in combing through all the data collected on every person; the situation with the Christmas Day bomber last year demonstrates that an excess of particular information, and failure to develop a comprehensive network intelligence system that identifies key threats, is a critical limitation. Without a system that identifies possible ‘persons of interest’ agencies are limited in their abilities to target the ‘right’ person. In developing relationships of people, it is possible to create profiles and map out who is who in vast networks. With the potential to use social demographics to identify ‘key’ figures in any social organization the ‘danger’ in broadcasting oneself through Twitter, Facebook, or other social media environment arises from facilitating network-level intelligence: Who are the key broadcasters and rebroadcasters of messages? Who generates ideas that are rapidly disseminated through the population? Who are the (largely) passive listeners? The last group is probably non-deserving of immediate persecution, but they will be motivated to identify and listen to the first two groups. Thus, if you just watch to see who the ‘passives’ are almost all listening to, you can pick out ‘key’ members of any revolution and target them, weakening or extinguishing the winds of change. The weakest link in a revolution need not be the leaders, but can come from nuanced social profiling, and the Web 2.0 world arguably facilitates such social profiling in ways beyond even the Stasi’s wildest dreams.

Does this mean that even more advanced systems of digital analysis and aggregation won’t be deployed to identify particular patterns of communication in Iran? No. Does what I (or anyone else, for that matter) have written definitively prove that DPI technologies aren’t being used in Iran? No. What I have done, however, is suggest that existing proxy-based surveillance infrastructure can be leveraged in a manner that explains present censorship and content-blocking practices in Iran, and that traditional intelligence gathering processes are likely just being modernized for the social media world. Neither the preexisting surveillance and censorship, nor the intelligence gathering, requires DPI. In light of the evidence and argumentation I have offered, we ought to leverage Occam’s razor to conclude that proxy-based analysis, not DPI-facilitated surveillance, should be the focus of responsible attention to Iranian ISP surveillance practices.


  1. I discovered your homepage by coincidence.
    Very interesting posts and well written.
    I will put your site on my blogroll.

  2. Damn good article Chris. For once I can’t find any “holes” in your logic. You’ve amply illustrated that other technologies can accomplish the desired result. Also nice touch in illustrating that behaviour based analysis can reveal a lot of information without the need for DPI or other intrusive or expensive technologies. Well reasoned and very educational.

  3. Glad you enjoyed it – I’ve been getting increasingly annoyed at how often I’m reading ‘Iran uses DPI!’ and decided to pull something together that clarifies why few people who have looked at the networking end plausibly see that government using DPI for surveillance practices.

  4. What do you think about large scale hacking of regime’s sites as next citizen actions? Volunteers from all over, even paying some of them.. I’m thinking that they won’t be able to do much, they aren’t very savvy, and can’t trust their own employees.

  5. Good job Chris. There was a time when we had a person on from their telecom infrastructure. Even being freely allowed to ask any question we wanted, how could we ever be sure that we were being answered truthfully? I’ve seen so many different attempts to deduce what is going on in their surveillance environment. On the Nokia/Siemens note, I’m thinking that was just for voice infrastructure only.

  6. @bolly I think that the regime has been clever in their willingness to massively curtail the amount of traffic that is allowed into and out of the nation during times of perceived governmental crisis; the ‘smaller pipe’ of data means that anything like a denial of service attack, from the outside into Iran, is prone to debilitating all Internet users in the nation. As for actually hacking the sites, well, it depends on how clever the individuals doing it are, and how well they actually cover their tracks. It can be very, very hard to identify the point of origin for a change to a webpage – the Citizen Lab at UoT has noted repeatedly that it’s through ‘traditional’ investigative efforts (i.e. phone calls, monitoring email accounts, etc) that tends to reveal who actually did what to some websites.

    In the case of the hacking being an inside job, well, it depends on how good the auditing processes of the companies/government departments are. If they have strong audit processes, then they should be able to catch people who aren’t particularly skilled in covering their tracks.

  7. @JasonSnitker I have to trust the companies to be reasonably truthful, otherwise you’re left with conspiracies that aren’t terribly productive for analysis. In my meetings with various companies, I get the feeling that they don’t want to have been seen as doing something wrong, and that most companies at least try to operate in ethical (or, at least legal…) ways.

  8. Thanks for reply, if I understand correctly, those who do it must be very careful. But hey, today I saw on Enduring America that this site was hacked, and still is at the time I write.

    In hard times of total repression, I think that this must become a major weapon and I hope that all those geeks out there will cause them a few headaches.
