Blocking the On-Ramp to the Free Internet

Google and Amazon have made a small technical change that is making it harder for people in repressive countries to go online.

Google and Amazon logos intertwined at a photomontage of a barricade blocking access to computer terminals.
Photo illustration by Lisa Larson-Walker. Photos by Thinkstock, Getty Images, Creative Commons.

Imagine you live in a country whose government intervenes in most aspects of your digital life. Everything you do online is tracked, monitored, reported, and can be used against you. The only news or opinion pieces you can read are tightly controlled and regulated by the authorities, and access to foreign sources is strictly forbidden.

That’s the reality for people in countries like Syria, Ethiopia, Iran, Russia, and China. But fortunately there are organizations and even governments that have our backs. For several years, it has been the bipartisan agenda of the U.S. government to support what’s been called internet freedom around the world. The U.S. position says the world benefits—economically, and in terms of democracy and human rights—if the internet is free and people have access to a variety of news sources.

That is why the U.S. government—working through the Department of State, the Broadcasting Board of Governors, and the Open Technology Fund—helped to incubate and support developing technologies like Psiphon, Ultrasurf, Signal, Tor, Greatfire, and Lantern that allow those living in countries with restrictive controls to access the open internet. These vital anti-censorship tools use a technical strategy called “domain fronting,” a phrase as boring as “network neutrality” but no less important to freedom of expression online.

Domain fronting works by routing online communication through the infrastructure of a major technology company like Amazon or Google, in order to obscure the actual destination, which would otherwise be blocked. Think of it like a piece of mail. Using one of these tools, you can send a letter to a service on a Google server. From the outside, it looks like just a letter to Google. But when opened, the letter inside contains instructions to hand it off to another recipient.

Google has long championed these ideals. But unfortunately, it now appears to be stepping back from them—and leading the way for other private sector actors to do the same. In the past couple of weeks, Google made changes to technical infrastructure that make domain fronting impossible. Amazon, which has never committed to support internet freedom or human rights, quickly followed suit. While Google has avoided the public conversation, Amazon issued a dry description of its decision as terms of service enforcement and a technical policy fix “against misconfigurations and abuse from unrelated third parties.” The moves may stem from reports a year ago that Russia-based hackers Cozy Bear abused domain fronting. While these attacks require a response, quashing this crucial tool like any other bug is the wrong approach. Like many things online, it’s just not as simple as knee-capping the bad guys. Rather, this decision could have immediate, dire consequences for folks already facing massive censorship campaigns, while the malicious actors move on to exploit the next vulnerability in their war chest.

The genius of domain fronting is that countries can’t simply block the relatively small service behind the domain “front” unless they shut off access to the whole suite of popular Amazon or Google products, such as Gmail, Google Search, and YouTube, as well as the many other popular websites online that use the company’s infrastructure. So domain fronting forces governments and state-controlled internet service providers in closed societies to pay a heavy price for shutting down an anti-censorship tool.

It’s not just individuals, like journalists or activists, who rely on the domain fronting. Major public and private international media organizations use this technique to reach audiences globally when they are operating in repressive countries without a free press. These include private media organizations such as the New York Times, the Associated Press, the Wall Street Journal, and the Washington Post, and international broadcasters including the Canadian Broadcasting Corp., the British Broadcasting Corp., and Deutsche Welle. Even U.S government-supported media like Voice of America, Radio Free Europe/Radio Liberty, Office of Cuba Broadcasting, Radio Free Asia, and Middle East Broadcasting Networks use domain fronting to reach their intended audiences.

There are limitations to domain fronting. This strategy works only when it can rely on a large corporation that is too popular to block. That doesn’t work everywhere. For example, Google is enormously popular, but it is already blocked in China. But where it does (or did) work, domain fronting enables millions of people to experience the internet that many of us take for granted.

Though it is far from ideal to rely on a private company for this strategy, the technique has created important opportunities to provide access to a free and open internet. Google and Amazon have long known about domain fronting and have previously ignored complaints,

even threats, from foreign governments. Rightly so: Under the U.N. Guiding Principles on Business and Human Rights, companies have the duty to respect human rights, an obligation that “exists over and above compliance with national laws and regulations.” The principles also note that larger businesses may have more capacity to support human rights than smaller firms. What more should big companies do? For one, Google has joined Microsoft, Yahoo, Facebook, and others in the Global Network Initiative, committing to, among other things, “avoid or minimize the impact of government restrictions on freedom of expression.” Google’s policy work and technical efforts, like collaborations with Alphabet subsidiary Jigsaw, continue to offer activists routes around firewalls and defense from attacks. However, we can’t think of many more direct ways to minimize “restrictions on freedom of expression” than through domain fronting.

In fact, in a 2014 New York Times op-ed, Eric Schmidt, then the CEO of Google, spoke of similar techniques in describing how both the private and public sectors could help expand internet freedom worldwide. (At the time, Schmidt was also chairman of New America; New America is a partner with Slate and Arizona State University in Future Tense.) Highlighting the increasing censorship in places like Russia, Vietnam, and Ukraine, Schmidt wrote:

Obfuscation techniques—when one thing is made to look like another—are also a path forward. A digital tunnel from Iran to Norway can be disguised as an ordinary Skype call. Deep packet inspection cannot distinguish such traffic from genuine traffic, and the collateral damage of blocking all traffic is often too high for a government to stomach. … Much of the fight against censorship has been led by the activists of the internet freedom movement. We can join this open source community, whether we are policy makers, corporations, or individuals.

We still hold out hope for such a vision. Access Now, the digital rights organization we work for, has called on Congress for support and directly asked the companies to reverse course. Representatives from the major platforms will come to our upcoming conference RightsCon Toronto and hear from toolmakers and human rights defenders who’ve depended on domain-fronting apps. Our goal is to get concrete commitments from the companies to collaborate with advocates and technologists toward a sustainable and open way to protect the most vulnerable, and on a timeline that recognizes that this is an issue hurting people now. If the Russias, Turkeys, and Irans do not stop their campaigns against the free and open internet, and the Western democracies continue sliding toward censorship, then the ecosystem of big and small internet firms needs to build stronger ties and trust. That begins with the most powerful coming to the table, with proper manners—like listening before they talk—and meeting their responsibility to respect our rights.