Scaling the Firewall: Confessions of a Software Activist

by Jeanette Si

“I never expected that making software would be activism,” said Griffin Boyce.

Boyce is a staff member at the Berkman Klein center whose interests include “urban gardening, painting, video games”—and most intensively, Internet privacy. When he’s not busy maintaining Berkman’s systems, he trains people in using censorship circumvention software, specifically Tor, and maintains apps to supplement the distribution and usage of Tor.

But his interest in Tor began as a self-described “accident.”

“Ten years ago, I was running this project called Gender Outreach, and it was basically a helpline for trans people,” he said. “This was way before there was a lot of visibility or awareness about trans stuff.”

Back in 2007, Boyce had been located in the Bay Area, and most of his students were transsexual locals looking to avoid being outed by their browsing history.

“Back at the time, being trans was enough to lose your health insurance, and a whole bunch of bad things could happen. So you actually needed the privacy,” said Boyce.

At first, Boyce only taught people how to use proxies. But as Tor began to gain popularity outside of research circles, he switched to teaching people how to use Tor for its increased anonymity and efficiency compared to proxies.

“Let’s say you want to connect to Yahoo. Let’s say it’s blocked in the U.S. because we hate it now. The easiest thing to do is to connect to something in a place you know [Yahoo] is not censored,” said Boyce. “So you’re connecting to France, and from France you’re connecting to Yahoo. That’s a VPN or proxy.”

“[But] let’s say you wanted to connect to something that’s blocked in France. Then you might need to add another hop or connect some other way,” he added.

This can result in long, convoluted chains of proxies that bounce from country to country as a user tries to circumvent different countries’ filtering protocols. Tor, on the other hand, uses a universal set of nodes internationally and algorithmically generates a path to the user’s desired website using these nodes. For added security, the path is regenerated every ten minutes with a new set of nodes so that there is no consistent path to trace back to the user.

“Tor [is also] what we call ‘fail closed.’ So basically, when one of your nodes goes down, your whole pathway just collapses and you start from scratch with a new pathway. [But] proxy protocols in general … want you to still continue on. So if you break somewhere in the middle, your whole anonymity string is broken,” said Boyce.

Failing closed adds an extra layer of anonymity to a Tor connection and makes it exponentially more difficult for a third party to discern the identity of a user by exploiting any one node. And all it takes to use Tor is a Tor-enabled browser; aside from that, the user experience is much like browsing the web normally.

“I demonstrated [Tor] for a bunch of staffers in Congress, and I loaded it up,” said Boyce. “They said ‘That looks like Firefox.’ I was like, ‘You don’t say!’”

In addition to teaching people to use Tor, Boyce has also developed two applications that supplement Tor. One of them, Satori, helps people verify Tor software they download from the Internet to make sure that it is safe to use.

“[T]he problem, especially with people in highly-censored areas, is that they’re subject to a lot of man-in-the-middle attacks, and a lot of the websites they would typically go to to download things are blocked. [Because] people know that users have trouble getting a hold of things, they’ll put adware and malware into Tor [downloads,]” said Boyce.

Satori informs users whether or not the software they’ve downloaded is compatible with their system, and it can redirect users to trusted sources if the software’s origin is unverifiable. This way, it can stop the dissemination of malware disguised as a Tor browser from user to user and helps users vet trusted sources.

Another one of Boyce’s projects, Cupcake, is a browser extension that allows a user to become a “bridge”—an extra node that a user can jump to before they connect to the Tor network for an added layer of anonymity. Boyce says that participation in the Cupcake network has exceeded his expectations; there are now over 6,000 ephemeral Tor nodes created from Cupcake alone.

More nodes mean that more users can access an uncensored Internet, a cause for which Boyce is a strong advocate.

But Boyce is also very aware that the issue of Internet privacy is an arms race against the censorship regimes of the world. As counter-censor developers get smarter, so do governments. And the sheer amount of force that they are able to command often makes them very formidable opponents.

“[When Russia invaded Crimea] they rolled the tanks in, and the very first decree that came down was ‘We’re censoring the Internet now,’” he said. “They realize that this is an information campaign. This isn’t just tanks in the street [anymore].”

As a platform for open discourse, the Internet is a prominently tangible threat to the authoritarian governments of the world who control the information that their citizens intake. In recent years, however, some of the world's most powerful censorship regimes have banded together to pool their resources against this common enemy.

“I think the big game-changer was China realizing … that [the Great Firewall] was very valuable. So then they take that and they export that to Russia, and they’re also working with Iran. So I think that’s the next real dangerous move—commercialization of … solid censorship systems,” said Boyce.

But ironically enough, he also believes that the systematization which gives these government censorship programs their strength is a weakness when it comes to dealing with counter-censors.

“The people who are circumventing [government censors] have a significant advantage [compared to governments], because they’re not bound by internal policies,” he said. “[They can cross] the threshold entirely and b[e] like ‘well, I guess I’m breaking the law now.’”

Right now, according to Boyce, countries are doing one of two things in regards to censorship: getting rid of it completely, or intensifying the penalties for circumvention. The former is a response to the fact that censorship often results in a net economic loss for the country; the latter appears to be a brute force attempt at compliance.

“[A] bunch of trainers from Amnesty just got busted in Turkey and they’re all being charged as terrorists for doing things that I do every day,” he said. “You’re really seeing like a ratcheting up of people who are regular, everyday, law-abiding citizens going to prison as terrorists and being killed because they were teaching people how to use these tools.”

In the future, Boyce expects there to be “more of a backlash” against countries which make use of these draconian measures. He also doubts their effectiveness.

“Historically, people have broken small laws to look at cat photos. In North Korea, people have televisions illegally just so they can watch their soap operas,” said Boyce. “In the meantime, people are still going to just keep doing what they do.”