US Lawmakers’ Help Sought on Use of Encrypting Apps

A digital rights organization has asked congressional leaders for help in persuading Google and Amazon to support a technology that people in authoritarian countries use to get around censorship controls worldwide.

In a letter sent this week, Access Now, which is based in New York, sought to put pressure on Google and Amazon, which decided recently to close a loophole that allowed some encrypted-communication apps to assume a disguise as messages moved through the internet.

Access Now asked for help from leaders of the House and Senate foreign affairs committees, the House and Senate commerce committees and the Congressional Executive Committee on China.

At issue is the ongoing cat-and-mouse game between governments, such as Russia, Iran and China, and those who use internet and messaging technologies, like Telegram and Signal, to communicate outside censors’ oversight.

In this case, encrypted-messaging apps have been using a digital disguise known as “domain fronting.” Some of these technologies have received financial support from the Open Technology Fund, a U.S. government program funded by Radio Free Asia and the Broadcasting Board of Governors, the agency that oversees Voice of America.

Disguising final destination

As an encrypted message moves through networks, it appears to be going to an innocuous destination, such as google.com, by routing through a Google server, rather than its true destination.

If a government acts against the domain google.com, it conceivably shuts down access to all services offered by the internet giant for everyone in the country. The gamble is that governments wouldn’t want to cut off residents’ access to large swaths of the internet just to block a specific communication.

Russia did just that in mid-April when it sought to crack down on Telegram.

But it’s not just dissidents and religious or human rights activists who are using these apps. Hackers can also use this disguise to mask malware, according to ZDNet.

In recent weeks, first Google and then Amazon Web Services said they would close the loopholes that allowed apps to use the disguise.

“No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain,” said Amazon in a news release announcing better domain protections.

“Domain fronting has never been a supported feature at Google,” a Google representative said. “But until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”

Matthew Rosenfield, who helped develop the Signal technology, said that “the idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.”

Amazon sent Signal an email telling it that its use of circumvention was against Amazon’s terms of service. In Middle East countries, such as Egypt, Oman and Qatar, Signal disguised itself as Souq.com, Amazon’s Arabic e-commerce platform.

Letter to Congress

In its letter to Congress, Access Now wrote that “until this change by Amazon and Google, domain fronting was the most effective and most widely used method of enabling free speech, free association and freedom online in countries that aggressively filter and monitor internet access.”

“The end of domain fronting will not permanently impede progress toward our shared goal of global internet freedom, but it will set it back, and the adverse effects will be felt most direly by those already experiencing repressive censorship and surveillance,” the letter said.

         

leave a reply: