Ethiopia: Evidence of social media blocking and internet censorship
Youth in Addis trying to get Wi-Fi Connection. Credit Addis Fortune Newspaper
Recently we published a post about what appeared to be a possible internet shutdown in Ethiopia during a wave of ongoing protests by ethnic groups. Today, in collaboration with Amnesty International we are releasing a report that includes evidence of recent censorship events during Ethiopia’s political upheaval.
View the pdf version of the report here.
Probed ISP: EthioNet-AS, ET ( AS24757 )
Censorship method: Deep Packet Inspection (DPI), HTTP response failures, DNS tampering, TCP injections
OONI tests: Web Connectivity, Vanilla Tor, WhatsApp test, HTTP invalid request line, HTTP header field manipulation, HTTP Host
Measurement period: 2016-06-15 - 2016-10-07
New OONI data published in this report reveals the following:
WhatsApp was found to be blocked inside Ethiopia.
Deep Packet Inspection (DPI) technology was detected. DPI is technology that can be bought and deployed on any network, enabling monitoring and filtering of Internet traffic. This can be useful as part of network management, but it can also be used for mass surveillance and internet censorship. This finding suggests that Ethiopia has DPI technology in its possession and is deploying it for censorship purposes inside the country.
Out of 1,403 different types of URLs that were tested, the types of sites that consistently presented network anomalies and which were more likely to be blocked include:
News outlets and online forums
Armed groups and political opposition websites
Websites advocating free expression
Circumvention tool websites (including Tor and Psiphon)
The above types of websites mostly presented HTTP response failures, indicating that they were likely blocked by DPI equipment. Overall, 16 different Ethiopian news outlets presented signs of censorship, many of which showed evidence of being blocked prior to the state of emergency declaration.
In the course of this investigation, OONI also sought to verify reports from Ethiopia of a mobile internet shutdown in October 2016. OONI software tests are designed to examine the blocking of sites and services, but do not monitor internet shutdowns as a whole. As such, the organisation referred to third party data such as Network Diagnostic Test (NDT) measurements and Google transparency reports, in an attempt to examine whether the reported internet shutdown could be confirmed.
The below graph from Google’s transparency reports illustrates the total volume of Google Search traffic originating from Ethiopia between July and November 2016. As published in an earlier report by OONI and Strathmore University Centre for Intellectual Property and Information Technology Law (CIPIT), the data shows a complete drop in Internet traffic in early August, suggesting that a full Internet block took place following the call by political activists for region- wide protests on the weekend of 5 and 6 August. While the data shows a decrease in internet traffic during October, there is no strong indication of an internet shutdown along the lines of that observed in early August.
Google Transparency Report, Ethiopia, Google Search traffic between July and November 2016.
The findings suggest that if an internet shutdown did occur in October, it only occurred in some networks in certain locations, rather than nationwide. Furthermore, the decrease in overall traffic during October could be attributed to temporary mobile internet shutdowns in certain local networks, or to an increase of censorship events (for example, targeted blocking of certain websites and instant messaging services). An examination of data from the circumvention software Tor, shows a spike in traffic from Ethiopia in October, suggesting that more people were seeking ways around censorship. This indicates that there might have been an increase in censorship events following the declaration of Ethiopia’s state of emergency.
OONI was unable to confirm the reported mobile internet shutdown in October, partly due to limitations in NDT measurements and Google transparency reports. We therefore strongly encourage Internet companies including Facebook, Microsoft, Yahoo and Twitter, to increase transparency around internet traffic data so that internet shutdowns and other censorship events can be investigated and verified quickly, and more accurately.
Many of these acts of censorship took place before a state of emergency was announced, raising questions about whether these measures had any basis in Ethiopian law, as required by international human rights law. While the State of Emergency may have subsequently provided a legal framework under Ethiopian law for some of these measures, the State of Emergency itself is so broadly drafted that it violates Ethiopia’s international legal obligations and permits violations of numerous human rights. Amnesty International and OONI are concerned that unnecessary and disproportionate censorship of the internet will not only continue during the state of emergency, but become institutionalized and entrenched.
OONI has unearthed evidence of systematic interference with access to numerous websites belonging to independent news organizations and political opposition groups, as well as sites supporting freedom of expression and LGBTI rights. Such widespread interference and blocking is a violation of people’s freedom of expression, and specifically, people’s right to hold opinions without interference, and their right to receive and impart information of all kinds as guaranteed under article 19 (1) and (2) of the International Covenant on Civil and Political Rights (ICCPR), which Ethiopia has ratified.
Ethiopia’s position on the use of social media indicates that the authorities are invoking their obligations to restrict freedom of expression where such freedom is abused, as articulated in article 19 (3) of the ICCPR. However, the acts of censorship uncovered by OONI’s study are inconsistent with the requirements laid out in the ICCPR to restrict these rights. Specifically, that any restrictions will be provided by law and are necessary to respect the rights or reputations of others; or for the protection of national security or of public order, public health or morals. Any restrictions to freedom of expression is subject to a three part test: that they are legal; necessary and proportional. The acts of censorship evidenced in OONI’s study fail to meet the test. They are arbitrary, being carried out in the absence of clear and precise law in the country which governs access to internet and social media, restrictions/blockade of websites and social media, and clear legal procedures governing restrictions, including administrative and judicial procedures to challenge such restrictions and blockades. The acts of censorship also fail the test of proportionality. The censorship acts uncovered by OONI were not restricted to specific content; rather the censorship was happening at a large scale, with dozens of websites and popular communications platforms like WhatsApp affected over the space of several months.
The decision to restrict people’s ability to receive and impart information by censoring internet access during the protests, only served to sweep the underlying issues fuelling the protests under the carpet. To fully address the situation that led up to the state of emergency, the government must genuinely commit to addressing the underlying human rights violations that triggered the protests in the first place; and respect its human rights obligations. This includes refraining from blocking access to the internet and ensuring that all its people can enjoy their right to express their opinions; even those who criticise government policy and action; and guarantee their right to expression and association online and offline.
Social media companies should make available publicly verifiable data on network traffic originating from countries around the world, to ensure transparency when social media restrictions or heavy network disruptions occur.
Waves of protests against the government have taken place across various parts of Ethiopia since November 2015. These protests have consistently been quashed by Ethiopian security forces using excessive, sometimes lethal, force, which led to scores of injuries and deaths. The crackdown on protests was accompanied by increasingly severe restrictions on access to information and communications in large parts of the country by cutting off internet access, slowing down connections and blocking social media websites.
The protests began on 12 November 2015 in Ginchi, a town in West Shewa Zone of Oromia Region, against the Addis Ababa Masterplan, a government plan to extend the capital Addis Ababa’s administrative control into parts of the Oromia. The protests continued even after the Government announced in January that they had cancelled the plans, and later expanded into the Amhara region with demands for an end to arbitrary arrests and ethnic marginalization.
Amnesty International’s research since the protests began revealed that security forces responded with excessive and lethal force in their efforts to quell the protests. Amnesty International interviewed at least fifty victims and witnesses of human rights abuses during the protests, twenty human rights monitors, activists and legal practitioners within Ethiopia, and also reviewed relevant other primary and secondary information on the protests and the government response. Based on this research, the organisation estimates that at least 800 people have been killed since the protests began.
Tensions in Oromia escalated at the beginning of October, following a stampede during a religious festival which killed at least 55 people. Fresh protests, some of which turned violent, broke out amidst contestations over who was responsible for the stampede. Oromo activists blamed security forces for firing live ammunition and tear gas into the crowds, while the government blamed anti- peace protestors. The government of Ethiopia declared a state of emergency on 8 October. The state of emergency imposes broad restrictions on a range of human rights, some of which are non-derogable rights, meaning that under international law, they may never be restricted, even during a state of emergency.
In addition to using security forces to quash protests, the Ethiopian authorities have restricted access to internet services during this time. Amnesty International´s contacts inside Ethiopia reported that social media and messaging mobile applications such as Facebook, WhatsApp and Twitter, have been largely inaccessible since early March 2016, especially in the Oromia region where the bulk of the protests were taking place. Internet services were also completely blocked in Amhara, Addis Ababa and Oromia Regions following a call by political activists for region-wide protests on the weekend of 6 and 7 August 2016. The protests went ahead during these two days. The government security forces used excessive force against the protesters in Addis Ababa, Amhara and Oromia Regions resulting in the death of at least 100 people.
Internet disruptions started again on 5 October 2016 after protesters in some parts of Oromia targeted businesses, investments, government buildings and security forces in the wake of the stampede during the Irrecha thanksgiving festival in Oromo, which killed at least 55 people. Amnesty International´s contacts have since reported that internet connections were very slow and social media services have been inaccessible through browsers. Access to the mobile internet connection in Addis Ababa improved for a couple of days in early December, on 4th and 5th, before becoming inaccessible once again.
The Ethiopian government considers that social media has empowered populists and extremists to exploit people’s genuine concerns and to spread bigotry and hate. This position was made clear in the Prime Minister’s speech to the UN General Assembly in September. Indeed, a number of political and other activists have been arrested and charged under the Anti-Terrorism Proclamation on the basis of their activities on social media platforms. Yonatan Tesfaye, formerly of the Blue Party, was arrested and charged with terrorism crimes because of his facebook posts criticizing government policy and action.
In the midst of these protests, and in response to the numerous reports from Ethiopia that access to the internet was being blocked, the Open Observatory of Network Interference (OONI) performed a study of internet censorship. OONI is a free software project whose goal is to increase transparency about internet censorship and traffic manipulation around the world. OONI undertook the study in order to assess whether, and to what extent the censorship being reported actually occurred during the protests. OONI sought evidence of websites and instant messaging apps were being blocked; systems causing censorship and traffic manipulation; and inaccessibility of censorship circumvention tools such as Tor and Psiphon.
OONI’s software tests were run from a computer inside the country (running on the EthioNet network, the Ethiopia telecom monopoly). Tests were run on a total of 1,403 different URLs, including both Ethiopian and global websites, in order to determine website blocking. Additional OONI tests were run to examine whether systems that could be responsible for censorship, surveillance, and traffic manipulation were present in the tested network. OONI then processed and analysed the network data collected based on a set of criteria for detecting internet censorship and traffic manipulation. The testing period started on 15 June 2016 and concluded on 7 October 2016, immediately prior to the announcement of the state of emergency.
This report, presents the findings of the OONI study, and Amnesty International’s human rights analysis of these findings. This report also provides details of the technical methodology OONI used to verify the blockade on Whatsapp and the restrictions on websites with political and other content in a second, distinct section.
This report has two distinct sections. Part 1 of the report presents Amnesty International and OONI´s joint findings related to Internet censorship during the protests that have rocked Ethiopia since November 2015. Part 2 of the report provides a detailed overview of OONI´s technical study, including the full range of tests performed on Ethiopia´s network and acknowledged limitations in the methodology.
Amnesty International has been documenting the protests since they began, as well as the state response to the same. Primarily, Amnesty International has conducted this research remotely, relying on victim and eyewitness testimony, which has been taken through at least 50 phone and email interviews. Amnesty International researchers have also used a variety of other primary and secondary information to corroborate and verify witness accounts of specific incidents including at least 20 phone and email interviews with human rights monitors in Ethiopia; members of Ethiopian political opposition parties including spokespersons; media reports; reports and images posted on social media; and Ethiopian government communications. Amnesty International has tried unsuccessfully to engage with the Ethiopian authorities on the protests.
The information gathered by Amnesty International and used in this report, is to provide the background, and context within which the OONI network measurement study was carried out. It is not intended to provide comprehensive information on the human rights violations that have occurred in the context of the protests. For more information and analysis on the protests, please visit Amnesty International’s website.
The Open Observatory of Network Interference (OONI) is a free software project that aims to increase transparency about internet censorship and traffic manipulation around the world. OONI undertook a network measurement study, which run from 15 June to 7 October 2016. OONI used multiple free and open source software tests it had designed to examine the following:
Blocking of websites and instant messaging apps.
Detection of systems responsible for censorship and traffic manipulation.
Reachability of circumvention tools (such as Tor, Psiphon, and Lantern) and sensitive domains.
It is important to note that the technical findings are subject to limitations, and do not necessarily reflect a comprehensive view of internet censorship in Ethiopia. The methodology, and its limitations, are discussed in detail in part 2 of the report.
Part 1: Evidence of internet censorship
Background: Sustained protests
Despite the lack of confirmed data about casualties, an estimated 800 people have been killed due to excessive or otherwise unlawful use of force by the security forces - some of which may amount to extrajudicial executions - since the beginning of the protests in November 2015. The United Nations High Commissioner for Human Rights has described the situation as “extremely alarming” and urged Ethiopia to allow international human rights observers into the country. The Ethiopian government, however, rejected this UN request, arguing that it alone is responsible for the security of its citizens.
There have been almost continuous protests in parts of Ethiopia since November 2015. The protests in Oromia region were initially triggered by plans to extend the capital, Addis Ababa, into Oromia, but continued even after the Addis Ababa Masterplan was scrapped in January, evolving into demands for accountability for human rights violations, ethnic equality and the release of political prisoners.
In August 2016, people in the Amhara Region joined protests against arbitrary detention of members of the Wolkait Amhara Identity and Self-determination Committee. The Ethiopian security forces have consistently used excessive, including lethal, force to disperse the protesters. Over 600 protesters in Oromia and 200 in Amhara have been killed as a result. Hundreds of political activists, human rights defenders, journalists and protesters have been arrested. Since the start of the protests in November last year, the police have charged at least 200 people, including journalists, bloggers and opposition political party leaders, under the Anti-Terrorism Proclamation. Their trials were ongoing as of November 2016.
Tensions in Oromia escalated again following a stampede during the Irrecha religious festival on 2 October that resulted in the death of at least 52 people. The cause of the stampede, and the number of casualties, is contested. The government has claimed that protesters triggered the stampede, while Oromo activists claim that the government security forces caused the stampede when they fired tear gas canisters and shot live ammunition into the crowds. Following the stampede, fresh protests broke out in Oromia with a number of them turning violent. Protesters attacked foreign and local businesses, farms, and vehicles, especially those near Addis Ababa.
In response to the wave of protests, the government of Ethiopia severely restricted internet access and declared a state of emergency on 8 October 2016. The state of emergency imposes broad restrictions on a variety of human rights, some of which are non-derogable rights, meaning that under international law, they may never be restricted, even during a state of emergency. The arrest and detention of protesters and politically-outspoken individuals critical of government action continues, including Zone-9 bloggers Natnael Feleke on 4 October and Befeqadu Hailu on 11 November. The government forces also arrested Anania Sorri and Daniel Shibeshi (members of former Unity Party) and Elias Gebru (journalist) on 18 November 2016. The three of them had posted their picture showing the protest sign on 28 October 2016.
The Government of Ethiopia continues to accuse the Ethiopian diaspora based opposition political parties, Egypt and Eritrea for supporting and fostering the protests.
Internet censorship during protests
Testimonies gathered by Amnesty International from different parts of the Oromia region indicate that social media mobile applications such as Facebook, WhatsApp, and Twitter, were largely inaccessible since early March 2016, especially in the Oromia region, where residents were waging protests against the government since November 2015.
”…you can’t use social media apps across Oromia for the last 6 weeks[since Mid- March]. I personally checked it in Ambo town in West Shawa Zone and In Batu/Ziway in East Shawa Zone and all [along] the road to there. The blackout is directed to the apps [both Android and IOS] but, the whole Internet is too slow and not working at all in some parts of the Region.”
Moreover, the witnesses Amnesty International spoke to in the Oromia region and neighbouring cities, such as Hawassa, said that not only are the popular social media applications largely inaccessible, but that the internet has also been rendered unusually slow.
“All the way to Hawassa from Addis Ababa, I was not able to access skype and facebook. Even after I reached Hawassa, the connection was too slow that I was not able to have decent skype conversation during the night.”
The Government blocked access to Facebook, Instagram, Twitter and Viber during the National University Exam week “to prevent students being distracted from studying during the exam period and to prevent the spread of false rumours”. Accordingly, those social media outlets were reportedly inaccessible throughout the country from 9-14 July 2016.
Internet services were also reportedly not available in Amhara, Addis Ababa and Oromia Regions following the call for region-wide protests on the weekend of 6 and 7 August 2016. During these two days, the government used excessive, including lethal force against protesters in Addis Ababa, Amhara and Oromia Regions resulting in the death of at least 100 people.
Social media and mobile internet was also reportedly unavailable from 5 October 2016 after protests in some parts of Oromia targeted businesses, investments, government buildings and security forces, during a proclaimed “week of rage”.
In addition, the government employed legislative and judicial tools to discourage the use of internet and social media for expression of dissenting views. The government passed a new computer crimes law in June 2016 that among other things penalises distribution of “violent messages, audio, or video”. The law also authorizes the Ministry of Justice to issue a warrant for interception or surveillance, and people suspected of computer crimes can be held in pre- trial detention for up to four months. The law has had a chilling effect on the flow of information about human rights violations perpetrated by the security forces against protesters.
The Ethiopian government has relied on the Anti-terrorism Proclamation (ATP) to charge and convict people who have criticized government policy and action on social media platforms. The Ethiopian Government arrested and charged Yonatan Tesfaye, a political activist and former public relation head of the Blue Party, with terrorism crimes under the ATP because of the content of his posts on Facebook. The Zone-9 bloggers and Zelalem Workalemahu et el were also tried because of their online activities. The Prosecutor charged the Zone-9 bloggers with terrorism crimes for using encrypted software to ensure the security of their communications. In Zelalem Workalemahu et al the Court convicted the first defendant, Zelalem Workalemahu, for provision of training on online encryption methods.
The Ethiopian Prime Minister´s speech at the United Nations General Assembly in September 2016, gave an indication of the government’s views around the use of social media: “social media has certainly empowered populists and other extremists to exploit people’s genuine concerns and spread their message of hate and bigotry without any inhibition.”
It is unlikely that social media played a crucial role in mobilizing the protests, given that internet penetration in the country remains very low at 2.9%. However, it has aided protesters in uncovering acts of violence committed by the security forces. Previous protests in the country, such as the April 2014 Oromo Protest against the Addis Ababa Master Plan and the Muslim protest against government interference in religious affairs since 2012 did not attract international media coverage. However, the current protests in Oromia and Amhara Regional States have gained a relatively greater media coverage due to the use of social media, even in very small towns, where witnesses have reported on events and the violence committed by the security forces, sometimes in real- time. For instance, the footage from the Irrecha tragedy on 2 October 2016 was available on social media platforms almost in real time.
Google traffic data depicts an acute decline of traffic on 6 and 7 August 2016, when there was a call by political activists for protests in Addis Ababa, Oromia, and Amhara. The internet shutdown tallied with the heavy-handed response of the security forces to the protests on these dates. Since social media was not accessible on those days in Amhara, Oromia and Addis Ababa there were very little reports at the time of the violence by the security forces. It was only after 8 August 2016 that pictures, footage, and reports of excessive force by security forces started to emerge on social media.
State of emergency
Ethiopia is currently in a state of emergency for six months, as announced by the government on 8 October 2016.
The Government has arrested more than 11,000 people for “violence and property damage”. Amongst those in detention are bloggers, journalists, and members of the political opposition, for publicly criticizing the government, the state of emergency declaration or for posting the protest sign on Facebook.
Under the state of emergency, all unauthorized protests and assemblies are banned. Sharing information about protests through social media platforms, such as Facebook and Twitter, is prohibited, while two TV stations run for the Ethiopian diaspora, ESAT and the Oromia Media Network, are banned due to their coverage of the protests.
The state of emergency declaration imposes broad derogations on a variety of human rights, some of which affect non-derogable rights according to Article 4 (3) of the International Covenant on Civil and Political Rights (ICCPR). The state of emergency declaration established a Command Post chaired by the Prime Minister with the power to determine the specific restrictions, measures, and geographic scope in the implementation of the state of emergency.
The Command Post has broad powers, including to:
Prohibit any overt or covert incitement for violence or ethnic conflict, in whatever form of expression;
Stop or suspend any media;
Prohibit any assembly, association and demonstration;
Arrest anyone suspected of using violence in the areas the Command Post identifies. Those arrested will be educated and released and, if necessary, they will be punished under relevant law;
Search and seize any person or place and confiscate where necessary;
Block any road or public place or evacuate and move people from certain places;
Evacuate people vulnerable to threats and keep them in safe places for a limited period of time;
Use proportionate force necessary for the implementation of the state of emergency;
Accordingly, the Command Post issued a Directive on 15th October, which further enumerated the acts prohibited, the state of emergency measures, and the obligations to keep and communicate records. The directive conferred the security forces with the powers to:
Arrest without warrant;
Detain those arrested at places designated by the Command Post until the end of the state of emergency;
Search without warrant anytime and anywhere;
Monitor and control any messages through radio, TV, articles, pictures, photographs, theatre and movies.
Sources told Amnesty International that the security forces have demolished a number of private satellite frequency receivers in the Oromia and Amhara regions, barring access to the broadcasts of the Ethiopian Satellite Television and Oromia Media Network. Several witnesses have also told Amnesty International that they were unable to access mobile internet service in Oromia, Addis Ababa, and Amhara Regional States resulting in information blackout on the human rights situation in those regions. However, it is not clear why the mobile internet was unavailable.
Findings of the network measurement study
The Open Observatory of Network Interference (OONI) performed a study of internet censorship in Ethiopia in the midst of tensions and ongoing public protests in Oromia region, and prior to the announcement of the country’s state of emergency. The aim of this study was to understand whether and to what extent the censorship being reported actually occurred during the protests, and to provide evidence in relation to:
Blocking of websites and instant messaging apps
Detection of systems responsible for censorship and traffic manipulation.
Reachability of common circumvention tools used to get around censorship (such as Tor and Psiphon).
OONI’s software tests were run from a computer inside the country (running on the EthioNet network, the Ethiopia telecom monopoly). Tests were run on a total of 1,403 different URLs, including Ethiopian websites as well as URLs that are commonly accessed around the world. All URLs were tested for blocking. Other OONI tests were run to examine whether systems that could be responsible for censorship, surveillance, and traffic manipulation were present in the tested network. OONI processed and analysed the network measurement data collected from these tests based on a set of heuristics for detecting internet censorship and traffic manipulation.
The testing period started on 15 June 2016 and concluded on 7 October, immediately prior to the announcement of the state of emergency. The testing was also limited due to security risks to people involved in conducting the testing. Even though Ethio Telecom is government owned and Ethiopia’s main ISP, it is likely that censorship was implemented differently across locations, and that the findings of this study do not necessarily represent nationwide censorship. A detailed explanation of the methodology, including limitations, can be found in part 2 of this report.
This test attempts to perform an HTTP GET request, TCP connection and DNS lookup to WhatsApp’s endpoints, registration service and web version over the vantage point of the user. Based on this methodology, WhatsApp’s app is likely blocked if TCP/IP connections to its endpoints and/or registration service fail, if the DNS lookup illustrates that different IP addresses have been allocated to its endpoints, and/or if HTTP requests do not send back a response to OONI’s servers. Similarly, WhatsApp’s website is likely blocked if any of the above apply to web.whatsapp.com.
An anonymous researcher ran this test in October from a local vantage point in Ethiopia (Ethio Telecom) in an attempt to examine whether and how WhatsApp was censored. The collected measurement data illustrates that while both HTTP and HTTPS requests to web.whatsapp.com succeeded, HTTPS requests to WhatsApp’s registration service failed, and so did TCP connections to WhatsApp’s endpoints. This indicates that WhatsApp’s website was accessible, but its app was blocked.
|web.whatsapp.com||WhatsApp endpoints||WhatsApp registration service|
Deep Packet Inspection detected
An Ethiopian news website (ecadforum.com) was found to be blocked last month based on the use of Deep Packet Inspection (DPI) technology. DPI enables its users to analyze data packets and protocols. This can be useful as part of network management, but it can also be used for data mining and internet censorship.
The blocking of ecadforum.com by DPI equipment was uncovered through OONI’s HTTP host test which was run from a local vantage point in Ethiopia. This test attempts to examine whether the domain names of websites are blocked, and to detect the presence of “middle boxes” (software that could potentially be used for censorship and/or traffic manipulation) in tested networks.
As part of our testing, we performed HTTP requests towards one of OONI’s control servers. This server is responsive for just sending back any data it receives. In absence of censorship equipment, we would be able to view ooniprobe’s request. But when we sent the HTTP Host header containing the domain “ecadforum.com” to our control server, we noticed that the connections would get reset. We were only able to receive the control response when requesting a subdomain of “ecadforum.com” and when we prefixed the request method (GET) with the newline character. This is summarized in the table below:
|Normal GET request||Blocked|
|Modified GET request||Not blocked|
|GET request to subdomain||Not blocked|
|GET request to domain + \t (tab character)||Not blocked|
|Get request to XYZecadforum.comZYX||Not blocked|
This leads us to conclude that the devices implementing this type of interception were in fact “smart” enough to understand the HTTP protocol and could only implement blocking when they found the request to match what they expected to be “valid” HTTP. Therefore, DPI equipment was most likely present in the tested network and used to implement censorship.
It’s worth pointing out that technology with a similar pattern was previously found in Turkmenistan in 2013, as reported by OONI.
Today Ethiopia’s state of emergency imposes restrictions on media. Yet, as part of our study numerous Ethiopian news outlets presented signs of DNS, HTTP, and TCP/IP blocking prior to the state of emergency declaration.
The table below illustrates the amount and types of network anomalies detected when testing such sites.
In some cases, we tested different versions of the same sites to examine whether censorship could potentially be circumvented. Earlier this year, for example, we found Ugandan ISPs only blocking the HTTP versions of social media sites, enabling users to access these sites over HTTPS. In this study we therefore tested various versions of certain sites, such as both the HTTP and HTTPS versions of oromiamedia.org. In all such cases however, access to these sites presented signs of network interference, as illustrated in the table above.
Overall, 16 different Ethiopian news outlets presented signs of censorship. As no block pages were detected, we cannot confirm any censorship events with absolute certainty. However, the sites that presented the highest amount of network anomalies are more likely to have actually been blocked, while those with fewer network anomalies are less likely to have been tampered with. As such, ecadforum.com - with the highest amount of network anomalies - was most likely blocked by DPI equipment (as explained previously), while access to it might have also been interfered with based on DNS tampering. On the other hand, sites which presented fewer cases of network anomalies (such as satenaw.com) are less likely to have been blocked, though this remains a possibility.
In any case, it’s interesting to see that out of the 1,403 different URLs (1,217 URLs in the “global list” and 186 URLs in the “Ethiopian list”) that were tested for censorship as part of this study, access to these 16 Ethiopian news outlets presented the highest levels of network anomalies, indicating that they were most likely tampered with. These sites include oromiamedia.org, which is an independent, nonpartisan, and nonprofit news enterprise that reports on Oromia, one of the main regions that has been at the heart of the recent wave of protests and political unrest.
Currently, access to ethsat.com is banned in Ethiopia under the country’s new state of emergency restrictions. This website is run by the Ethiopian diaspora, aims to “promote free press, democracy, respect for human rights and the rule of law in Ethiopia” and also publishes in Amharic. However, we tested access to this site prior to Ethiopia’s state of emergency declaration and our findings show that it presented many network anomalies. Similarly to ecadforum.com, access to ethsat.com presented high levels of HTTP interference, indicating that it might have also been blocked by DPI equipment before it was even officially banned.
An Amharic online forum (mereja.com) also presented high levels of HTTP interference, and was possibly blocked by DPI as well. While the motivation behind the blocking of news sites could potentially be attributed to the dissemination of information around the protests, the potential blocking of an Amharic forum might be attributed to intentions to block communication, coordination and information dissemination amongst Amharic protesters.
Political opposition and armed groups
As part of our study we found the websites of Ethiopian armed groups and political opposition groups to be tampered with. In the case of those related to armed groups espousing violent opposition to the Ethiopian government, censorship may fall within the permissible restrictions to freedom of expression under international human rights law.
The table below summarizes our findings:
Ginbot 7 is a national political party and part of Ethiopia’s political opposition. In 2009 the Ethiopian government accused Ginbot 7 of fostering a coup attempt to overthrow the government, which Ginbot 7 denied. Ginbot 7 is one of the proscribed organizations under the Anti-Terrorism Proclamation, which is potentially why ginbot7.org was blocked. Through our testing we found that access to this website presented a high amount of network anomalies. In September 2016 we tested ginbot7.org by sending multiple HTTP GET requests to access the site. In all cases however, we never received a response.
The Ethiopian People’s Revolutionary Party (EPRP) is a national political party which was founded by the Ethiopian diaspora and which is currently headquartered in the United States. During the 1970s Ethiopia’s then military government declared open war (“Red Terror” campaign) against the EPRP and other political opponents, resulting in the death of around 250,000 Ethiopians. Similar to ginbot7.org, we found eprp.com inaccessible due to HTTP response failures as part of our testing.
The Oromo Liberation Front (OLF) is a regional political party that was established by Oromo nationalists in the early 1970s to promote self- determination, and which was designated as a “terrorist organization” by Ethiopia’s government. The Ethiopian People’s Patriotic Front (EPPF) is an armed opposition group in north western Ethiopia that was originally founded to overthrow the EPRDF regime. As part of our testing, the websites of both groups appeared to be inaccessible due to HTTP response failures.
Similarly, the websites of two armed opposition groups, the Ogaden National Liberation Front (ONLF) and the Patriotic Ginbot 7 Movement for Unity and Democracy, also presented HTTP response failures as part of our testing. The ONLF is an separatist armed group that is fighting for the independence of the Ogaden region in eastern Ethiopia, bordering with Somalia. An Ogaden news website was also found to be inaccessible, as illustrated in the table of the previous section of this report.
As part of OONI’s testing, access to sites supporting LGBTI rights appeared to be tampered with since we did not receive HTTP responses when querying them. These sites, and our research findings, are included in the table below:
The International Foundation for Gender Education (IFGE) is a US-based educational organization that promotes acceptance for transgender people, while samesexmarriage.ca is a Canadian site that promotes same-sex marriage. QueerNet is a project of the Online Policy Group (a non-profit dedicated to online policy research around digital rights issues) which provides free online services (such as email hosting, websites, and mailing lists) for LGBTI communities.
Same-sex sexual activity is prohibited in Ethiopia under Article 629 of the Criminal Code punishable up to fifteen years imprisonment. All three websites appeared to be inaccessible in September 2016, but appeared to be accessible when tested again in early October 2016.
Human rights websites
Two sites promoting freedom of speech and expression also presented signs of network anomalies as part of our study.
Cyber Ethiopia is a Swiss-based non-profit organization that aims to promote human rights in Ethiopia through programs and policy recommendations that uphold freedom of speech and expression online. The Free Expression Policy Project is a think tank on artistic and intellectual freedom. It provides research and advocacy on free speech, copyright, and media democracy issues.
When querying cyberethiopia.com, we did not receive an HTTP response, indicating that access to the site was blocked. Our results regarding fepproject.org are different. When testing the site in June and October 2016, we were able to successfully connect to it. However, all attempts to establish TCP connections to the site during August and September 2016 failed and presented timeout errors. It remains unclear if fepproject.org was intentionally blocked throughout August and September 2016 based on TCP/IP blocking, or if connections to the site failed due to transient network failures.
Censorship circumvention tool websites
Tor is a free and open source network designed to provide anonymity to its users by bouncing their communications across a distributed network of relays, thus masking their real IP addresses and enabling them to circumvent censorship. Psiphon is free and open source software that utilizes SSH, VPN, and HTTP proxy technology to enable its users to circumvent censorship. Ultrasurf is freeware that utilizes an HTTP proxy server to enable its users to bypass censorship.
Both torproject.org and ultrasurf.us appeared to be inaccessible between June and October 2016 due to HTTP response failures, while psiphon.ca presented the same failures from August 2016 onwards. The fact that all three sites presented HTTP response failures and that http://ultrasurf.us, https://ultrasurf.us and http://psiphon.ca appeared to be slightly more accessible than http://www.ultrasurf.us and http://www.psiphon.ca indicate the presence of Deep Packet Inspection (DPI) equipment in the tested network (as explained in the DPI section of this report).
Organizations and companies hosting websites that may be blocked in Ethiopia can consider hosting their websites on a Tor hidden service to hide its IP address and prevent blocking. It is also recommended to add HTTPS to your site through Let’s Encrypt.
Individuals seeking to access blocked websites may consider using the below circumvention tools and services to get around blocks. Note: Under Anti- terrorism Proclamation, use of digital security tools have been used in the past to prosecute bloggers and activists, even if there is no provision of law that outlaws use of internet security tools, including tor. Yet It is vital that you understand the security risks in accessing such tools.
Use Tor Browser (or other circumvention tools) to circumvent censorship and access blocked sites.
If torproject.org is blocked, download Tor Browser here.
Numerous reports surfaced in October regarding a mobile internet shutdown in Ethiopia, and this was also reported to Amnesty International by contacts on the ground.
OONI software tests are designed to examine the blocking of sites and services, but do not monitor internet shutdowns as a whole. As such, we referred to third party data such as NDT measurements and Google transparency reports in order to assess whether we could confirm the reported internet shutdown.
The below graph from Google’s transparency reports illustrates the total volume of Google Search traffic originating from Ethiopia between July and November 2016. As published in an earlier report by OONI, the data shows a complete drop in Internet traffic in early August, suggesting that a full Internet block took place following the call for region-wide protests on the weekend of 5 and 6 August. While the data shows a decrease in internet traffic during October, there is no strong indication of an internet shutdown along the lines of that observed in early August.
Google Transparency Report, Ethiopia, Google Search traffic between July and November 2016.
As Google Maps is another Google service that is commonly used via mobile phones, we also looked at Google Maps traffic originating from Ethiopia between July and November 2016.
Google Transparency Report, Ethiopia, Google Maps traffic between July and November 2016.
Similar to Google Search traffic, Google Maps traffic appears to be disrupted in August but not in October. The above graphs indicate that if an internet shutdown did occur in October, it only occurred in some networks in certain locations, rather than nationwide. Furthermore, the decrease in overall traffic during October could be attributed to temporary mobile internet shutdowns in certain local networks, or to an increase of censorship events (for example, targeted blocking of certain websites and instant messaging services).
Interestingly, there appears to be a spike in the usage of Tor circumvention software in Ethiopia during October, indicating that internet services might have been less accessible. This is illustrated via Tor Metrics data below:
The graph below shows an increase in Tor usage from 8th October, when Ethiopia’s state of emergency was declared.
Tor Metrics data, combined with third party internet traffic data, indicates a possible increase in censorship events following the declaration of Ethiopia’s state of emergency. While there is no strong indication of an internet shutdown, it is possible that certain mobile data service might have temporarily been shut down in certain locations in Ethiopia at specific points in time.
It is worth noting that OONI’s inability to confirm the reported mobile internet shutdown might also in part be due to limitations in the data sources that we referred to. We therefore encourage companies (like Facebook) to increase transparency around internet traffic data so that internet shutdowns and other censorship events can be studied and evaluated more accurately.
International Human Rights Law
The International Covenant on Civil and Political Rights (ICCPR), to which Ethiopia is a state party, guarantees freedom of expression. This includes the “freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.” This right is also protected under Article 9 of the African Charter on Human and Peoples’ Rights, to which Ethiopia is a state party.
Regarding restrictions on access to internet resources, the United Nations Human Rights Committee has stressed that any restrictions “generally should be content-specific; generic bans on the operation of certain sites and systems are not compatible with paragraph 3 of Article 19 of the ICCPR. It is also inconsistent with paragraph 3 to prohibit a site or an information dissemination system from publishing material solely on the basis that it may be critical of the government or the political social system espoused by the government.”
The UN Human Rights Council resolution on the promotion, protection and enjoyment of human rights on the Internet which was passed on 1 July 2016, “condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online in violation of international human rights law and calls on all States to refrain from and cease such measures.”
The abuse of freedom of expression in the form of propaganda for war, advocacy of national, racial or religious hatred that constitutes incitement to discrimination, hostility or violence may be subject to restrictions under the ICCPR, but these restrictions must meet three requirements laid out in the covenant. The first requirement is that restrictions must be provided by law, which is “formulated with sufficient precision to enable an individual to regulate his or her conduct accordingly”. Additionally, “a law may not confer unfettered discretion for the restriction of freedom of expression on those charged with its execution.”
The second requirement is that restrictions must be “necessary” to achieve one of the enumerated legitimate aims under the ICCPR. The third requirement provides, among other things, that “restrictive measures must conform to the principle of proportionality… they must be the least intrusive instrument amongst those which might achieve their protective function.”
OONI’s findings provide evidence of systematic interference with access to numerous websites belonging to independent news organizations and political opposition groups, as well as sites supporting freedom of expression and LGBTI rights. Such widespread interference and blocking is a violation of Ethiopia’s obligations under article 19 of the ICCPR.
The restrictions on access to information as per the findings of this report fail to meet the legality test, which is the first requirement under article 19(3). Ethiopia lacks clear and precise law that governs access to internet and social media, restrictions/blockade of websites and social media, and the legal procedures. The inventory of Ethiopian relevant telecommunications, cybercrimes, security, and intelligence laws reveals the absence of provisions that govern content control and access to internet in the Country. The laws that established the Information Network Security Agency and the National Intelligence and Security Service1 authorize neither of the institutions to restrict access to internet and social media, censor websites for any reason. The Telecom Fraud Offences Proclamation does not authorize any of the Government agencies to control and restrict access to internet, websites, or social media application in the country.
As such, the blocking of WhatsApp and restrictions of certain websites are arbitrary, being conducted without any specific national law. Moreover, in the absence of such law, the country also lacks the administrative and judicial procedures for challenging such restrictions and blockades.
The internet restrictions also fail the proportionality test, because the interference is not limited to specific content; rather interference is happening at a very large scale, with dozens of websites affected over the space of several months. Similarly, blocking access to WhatsApp, a popular communications platform in Ethiopia is not a justifiable restriction on freedom of expression and access to information.
Ethiopia’s practices of restricting access to large numbers of websites, as well as services such as WhatsApp is therefore a clear violation of the rights to freedom of expression and access to information.
The ICCPR permits derogation from certain rights during emergencies. However, such derogations must meet several criteria in order to be lawful. Most importantly, “the situation must amount to a public emergency which threatens the life of the nation, and the State party must have officially proclaimed a state of emergency.” Measures taken subject to a derogation must be “limited to the extent strictly required by the exigencies of the situation.” The African Charter on Human and Peoples’ Rights does not have a provision that provides for derogation during emergencies.
The State of Emergency Declaration allows the Command Post to “stop or suspend any mass media and communications” throughout the country. The geographic coverage of this measure violates the requirement that derogations under state of emergency must be limited to exigencies of the situation.
The Ethiopian Government has repeatedly alleged that the violence after the Irrecha tragedy prompted the declaration of the state of emergency. While the violence occurred primarily in some districts of Oromia and Amhara, it is unclear how the exigencies of the situation would strictly require the imposition of such measures with a geographic scope that covers the whole of the country.
In the midst of ongoing protests in Ethiopia, access to WhatsApp was found to be blocked, and the covert presence of Deep Packet Inspection (DPI) equipment was not only unveiled, but it was also found to be filtering access to an independent Ethiopian media website (ecadforum.com).
Research conducted by OONI between June and October 2016 shows that access to WhatsApp as well as at least 16 news outlets were blocked prior to the state of emergency. Also targeted were websites supporting Lesbian, Gay, Bisexual, Transgender and Intersex (LGBTI) rights, organizations advocating freedom of expression, sites run by opposition groups and armed movements, as well as websites that offer censorship circumvention tools, such as Tor and Psiphon.
Interestingly, all of these sites consistently presented HTTP response failures when queried, while the testing of different versions of the same sites appeared to bypass the filter in certain cases. This pattern is identical to that of ecadforum.com, indicating that most (if not all) of the above types of sites were likely filtered by DPI equipment as well.
The Amnesty International research findings during the same period corroborate OONI’s findings, indicating that other social media applications were very slow, not working properly or inaccessible, particularly in regions affected by the protests.
The evidence suggesting that the government is deploying Deep Packet Inspection (DPI) technology to filter access to internet traffic is concerning. Though it has many legitimate functions, DPI enables effective surveillance and filtering of internet traffic, increasing the States’ ability to restrict access to the internet, fully or partially, on command.
Many of the acts of censorship identified by OONI took place before a state of emergency was announced, and violated Ethiopia’s obligation to respect, protect and fulfill its people’s right to receive and impact information. The acts of censorship, conducted outside a clear legal framework, over several months and affecting dozens of websites and social media platforms failed to meet the criteria set out under the ICCPR for restrictions on freedom of expression.
While the State of Emergency may have subsequently provided a legal framework under Ethiopian law for some of these measures, the State of Emergency itself is so broadly drafted that it violates Ethiopia’s international legal obligations and permits violations of numerous human rights. The power the state of emergency bestows upon the Command post to monitor and suspend all communications and media throughout Ethiopia is unnecessarily expansive. The protests and the violence following the protest have been limited to Oromia, Amhara, Konso District in Southern Nations Nationalities and Peoples Region (SNNPR) and Addis Ababa.
Amnesty International and OONI are concerned that unnecessary and disproportionate censorship of the internet will not only continue during the state of emergency, but become institutionalized and entrenched.
To Ethiopian authorities
Amnesty International and OONI request the Ethiopian government to respect and protect and fulfill freedom of expression on the internet. Specifically, they request the Ethiopian Authorities to:
Refrain from blocking access to the internet
Refrain from unlawful censorship of the internet
Ensure that limitations on the right to seek or impart information on the internet fully adhere to the requirements of article 19(3) of the ICCPR. Specifically, that the restrictions comply with the three-tier test of legality, necessity and proportionality, and that they are subject to judicial review.
To social media companies (e.g. Facebook, Twitter)
Make available publicly verifiable data on network traffic originating from countries around the world, to ensure transparency when social media restrictions or heavy network disruption occur.
Part 2: Methodology
The methodology of this study, in an attempt to identify potential censorship events in Ethiopia, included the following:
OONI network measurements
OONI’s free software tests were run from a local vantage point (EthioNet) in Ethiopia. Some tests examined two lists of URLs: the one being relevant to Ethiopia, while the other including URLs that are commonly accessed around the world. All URLs included in these two lists were tested in terms of blocking. Other OONI tests were run to examine whether systems that could be responsible for censorship, surveillance, and traffic manipulation were present in the tested network. Once network measurement data was collected from these tests, the data was subsequently processed and analyzed based on a set of heuristics for detecting internet censorship and traffic manipulation.
The testing period started on 15th June 2016 and concluded on 7th October 2016.
An important part of identifying censorship is determining which websites to examine for blocking.
OONI’s software (called ooniprobe) is designed to examine URLs contained in specific lists (“test lists”) for censorship. By default, ooniprobe examines the “global test list”, which includes a wide range of internationally relevant websites, most of which are in English. These websites fall under 30 categories, ranging from news media, file sharing and culture, to provocative or objectionable categories, like pornography, political criticism, and hate speech.
These categories help ensure that a wide range of different types of websites are tested, and they enable the examination of the impact of censorship events (for example, if the majority of the websites found to be blocked in a country fall under the “human rights” category, that may have a bigger impact than other types of websites being blocked elsewhere). The main reason why objectionable categories (such as “pornography” and “hate speech”) are included for testing is because they are more likely to be blocked due to their nature, enabling the development of heuristics for detecting censorship elsewhere within a country.
In addition to testing the URLs included in the global test list, ooniprobe is also designed to examine a test list which is specifically created for the country that the user is running ooniprobe from, if such a list exists. Unlike the global test list, country-specific test lists include websites that are relevant and commonly accessed within specific countries, and such websites are often in local languages. Similarly to the global test list, country-specific test lists include websites that fall under the same set of 30 categories, as explained previously.
All test lists are hosted by the Citizen Lab on GitHub, supporting OONI and other network measurement projects in the creation and maintenance of lists of URLs to test for censorship. Some criteria for adding URLs to test lists include the following:
The URLs cover topics of socio-political interest within the country.
The URLs are likely to be blocked because they include sensitive content (i.e. they touch upon sensitive issues or express political criticism).
The URLs have been blocked in the past.
Users have faced difficulty connecting to those URLs.
The above criteria indicate that such URLs are more likely to be blocked, enabling the development of heuristics for detecting censorship within a country. Furthermore, other criteria for adding URLs are reflected in the 30 categories that URLs can fall under. Such categories, for example, can include file-sharing, human rights, and news media, under which the websites of file- sharing projects, human rights NGOs and media organizations can be added.
A core limitation to the study is the bias in terms of the URLs that were selected for testing. The URL selection criteria, for example, included the following:
Websites that were more likely to be blocked because their content expressed political criticism.
Websites of organizations that were known to have previously been blocked and were thus likely to be blocked again.
Websites reporting on human rights restrictions and violations.
The above criteria reflect bias in terms of which URLs were selected for testing, as one of the core aims of this study was to examine whether and to what extent websites reflecting criticism were blocked, limiting open dialogue and access to information across the country. As a result of this bias, it is important to acknowledge that the findings of this study are only limited to the websites that were tested, and do not provide a complete view of other censorship events that may have taken place before and after the testing period.
OONI network measurements
The Open Observatory of Network Interference (OONI) is a free software project that aims to increase transparency about internet censorship and traffic manipulation around the world. Since 2011, OONI has developed multiple free and open source software tests designed to examine the following:
Blocking of websites.
Blocking of instant messaging apps.
Detection of systems responsible for censorship and traffic manipulation.
Reachability of circumvention tools (such as Tor, Psiphon, and Lantern) and sensitive domains.
As part of this study, the following OONI software tests were run from a local vantage point in Ethiopia:
The web connectivity test was run with the aim of examining whether a set of URLs (included in both the “global test list” and the “Ethiopian test list”) were blocked during the testing period and if so, how. The HTTP invalid request line and HTTP header field manipulation tests were run with the aim of examining whether systems (that could potentially be responsible for censorship and/or surveillance) were present in the tested network. The HTTP host test was run to not only examine if tested URLs were blocked, but to also examine whether specific systems were used in the tested network to implement such blocking.
The sections below document how each of these tests are designed for the purpose of detecting cases of internet censorship and traffic manipulation.
This test examines whether websites are reachable and if they are not, it attempts to determine whether access to them is blocked through DNS tampering, TCP connection RST/IP blocking or by a transparent HTTP proxy. Specifically, this test is designed to perform the following:
HTTP GET request
By default, this test performs the above (excluding the first step, which is performed only over the network of the user) both over a control server and over the network of the user. If the results from both networks match, then there is no clear sign of network interference; but if the results are different, the websites that the user is testing are likely censored. Further information is provided below, explaining how each step performed under the web connectivity test works.
1. Resolver identification
The domain name system (DNS) is what is responsible for transforming a host name (e.g. torproject.org) into an IP address (e.g. 22.214.171.124). Internet Service Providers (ISPs), amongst others, run DNS resolvers which map IP addresses to hostnames. In some circumstances though, ISPs map the requested host names to the wrong IP addresses, which is a form of tampering.
As a first step, the web connectivity test attempts to identify which DNS resolver is being used by the user. It does so by performing a DNS query to special domains (such as whoami.akamai.com) which will disclose the IP address of the resolver.
2. DNS lookup
Once the web connectivity test has identified the DNS resolver of the user, it then attempts to identify which addresses are mapped to the tested host names by the resolver. It does so by performing a DNS lookup, which asks the resolver to disclose which IP addresses are mapped to the tested host names, as well as which other host names are linked to the tested host names under DNS queries.
3. TCP connect
The web connectivity test will then try to connect to the tested websites by attempting to establish a TCP session on port 80 (or port 443 for URLs that begin with HTTPS) for the list of IP addresses that were identified in the previous step (DNS lookup).
4. HTTP GET request
As the web connectivity test connects to tested websites (through the previous step), it sends requests through the HTTP protocol to the servers which are hosting those websites. A server normally responds to an HTTP GET request with the content of the webpage that is requested.
Comparison of results: Identifying censorship
Once the above steps of the web connectivity test are performed both over a control server and over the network of the user, the collected results are then compared with the aim of identifying whether and how tested websites are tampered with. If the compared results do not match, then there is a sign of network interference.
Below are the conditions under which the following types of blocking are identified:
DNS blocking: If the DNS responses (such as the IP addresses mapped to host names) do not match.
TCP/IP blocking: If a TCP session to connect to websites was not established over the network of the user.
HTTP blocking: If the HTTP request over the user’s network failed, or the HTTP status codes don’t match, or all of the following apply:
The body length of compared websites (over the control server and the network of the user) differs by some percentage
The HTTP headers names do not match
The HTML title tags do not match
It’s important to note, however, that DNS resolvers, such as Google or a local ISP, often provide users with IP addresses that are closest to them geographically. Often this is not done with the intent of network tampering, but merely for the purpose of providing users with localized content or faster access to websites. As a result, some false positives might arise in OONI measurements. Other false positives might occur when tested websites serve different content depending on the country that the user is connecting from, or in the cases when websites return failures even though they are not tampered with.
HTTP invalid request line
This test tries to detect the presence of network components (“middle box”) which could be responsible for censorship and/or traffic manipulation.
Instead of sending a normal HTTP request, this test sends an invalid HTTP request line - containing an invalid HTTP version number, an invalid field count and a huge request method – to an echo service listening on the standard HTTP port. An echo service is a very useful debugging and measurement tool, which simply sends back to the originating source any data it receives. If a middle box is not present in the network between the user and an echo service, then the echo service will send the invalid HTTP request line back to the user, exactly as it received it. In such cases, there is no visible traffic manipulation in the tested network.
If, however, a middle box is present in the tested network, the invalid HTTP request line will be intercepted by the middle box and this may trigger an error and that will subsequently be sent back to OONI’s server. Such errors indicate that software for traffic manipulation is likely placed in the tested network, though it’s not always clear what that software is. In some cases though, censorship and/or surveillance vendors can be identified through the error messages in the received HTTP response. Based on this technique, OONI has previously detected the use of BlueCoat, Squid and Privoxy proxy technologies in networks across multiple countries around the world.
It’s important though to note that a false negative could potentially occur in the hypothetical instance that ISPs are using highly sophisticated censorship and/or surveillance software that is specifically designed to not trigger errors when receiving invalid HTTP request lines like the ones of this test. Furthermore, the presence of a middle box is not necessarily indicative of traffic manipulation, as they are often used in networks for caching purposes.
HTTP header field manipulation
This test also tries to detect the presence of network components (“middle box”) which could be responsible for censorship and/or traffic manipulation.
HTTP is a protocol which transfers or exchanges data across the internet. It does so by handling a client’s request to connect to a server, and a server’s response to a client’s request. Every time a user connects to a server, the user (client) sends a request through the HTTP protocol to that server. Such requests include “HTTP headers”, which transmit various types of information, including the user’s device operating system and the type of browser that is being used. If Firefox is used on Windows, for example, the “user agent header” in the HTTP request will tell the server that a Firefox browser is being used on a Windows operating system.
This test emulates an HTTP request towards a server, but sends HTTP headers that have variations in capitalization. In other words, this test sends HTTP requests which include valid, but non-canonical HTTP headers. Such requests are sent to a backend control server which sends back any data it receives. If OONI receives the HTTP headers exactly as they were sent, then there is no visible presence of a “middle box” in the network that could be responsible for censorship, surveillance and/or traffic manipulation. If, however, such software is present in the tested network, it will likely normalize the invalid headers that are sent or add extra headers.
Depending on whether the HTTP headers that are sent and received from a backend control server are the same or not, OONI is able to evaluate whether software – which could be responsible for traffic manipulation – is present in the tested network.
False negatives, however, could potentially occur in the hypothetical instance that ISPs are using highly sophisticated software that is specifically designed to not interfere with HTTP headers when it receives them. Furthermore, the presence of a middle box is not necessarily indicative of traffic manipulation, as they are often used in networks for caching purposes.
This test is designed to examine:
Whether the domain names of websites are blocked;
The presence of “middle boxes” (software that could be responsible for censorship and/or surveillance) in tested networks;
Whether censorship circumvention techniques are capable of bypassing the censorship implemented by the “middle box”.
OONI’s HTTP Host test implements a series of techniques which help it evade getting detected from censors and then uses a list of domain names (such as bbc.co.uk) to connect to an OONI backend control server, which sends the host headers of those domain names back to OONI. If a “middle box” is detected between the network path of the probe and the OONI backend control server, its fingerprint might be included in the JSON data that OONI receives from the backend control server. Such data also informs OONI if the tested domain names are blocked or not, as well as how the censor tried to fingerprint the censorship of those domains. This can sometimes lead to the identification of the type of infrastructure being used to implement censorship.
Through its data pipeline, OONI processes all network measurements that it collects, including the following types of data:
OONI by default collects the code which corresponds to the country from which the user is running ooniprobe tests from, by automatically searching for it based on the user’s IP address through the MaxMind GeoIP database. The collection of country codes is an important part of OONI’s research, as it enables OONI to map out global network measurements and to identify where network interferences take place.
Autonomous System Number (ASN)
OONI by default collects the Autonomous System Number (ASN) which corresponds to the network that a user is running ooniprobe tests from. The collection of the ASN is useful to OONI’s research because it reveals the specific network provider (such as Vodafone) of a user. Such information can increase transparency in regards to which network providers are implementing censorship or other forms of network interference.
Date and time of measurements
OONI by default collects the time and date of when tests were run. This information helps OONI evaluate when network interferences occur and to compare them across time.
IP addresses and other information
OONI does not deliberately collect or store users’ IP addresses. In fact, OONI takes measures to remove users’ IP addresses from the collected measurements, to protect its users from potential risks.
However, OONI might unintentionally collect users’ IP addresses and other potentially personally-identifiable information, if such information is included in the HTTP headers or other metadata of measurements. This, for example, can occur if the tested websites include tracking technologies or custom content based on a user’s network location.
The types of network measurements that OONI collects depend on the types of tests that are run. Specifications about each OONI test can be viewed through its git repository, and details about what collected network measurements entail can be viewed through OONI Explorer or through OONI’s list of measurements.
OONI processes the above types of data with the aim of deriving meaning from the collected measurements and, specifically, in an attempt to answer the following types of questions:
Which types of OONI tests were run?
In which countries were those tests run?
In which networks were those tests run?
When were tests run?
What types of network interference occurred?
In which countries did network interference occur?
In which networks did network interference occur?
When did network interference occur?
How did network interference occur?
To answer such questions, OONI’s pipeline is designed to process data which is automatically sent to OONI’s measurement collector by default. The initial processing of network measurements enables the following:
Attributing measurements to a specific country.
Attributing measurements to a specific network within a country.
Distinguishing measurements based on the specific tests that were run for their collection.
Distinguishing between “normal” and “anomalous” measurements (the latter indicating that a form of network tampering is likely present).
Identifying the type of network interference based on a set of heuristics for DNS tampering, TCP/IP blocking, and HTTP blocking.
Identifying block pages based on a set of heuristics for HTTP blocking.
Identifying the presence of “middle boxes” within tested networks.
However, false positives and false negatives emerge within the processed data due to a number of reasons. As explained previously (section on “OONI network measurements”), DNS resolvers (operated by Google or a local ISP) often provide users with IP addresses that are closest to them geographically. While this may appear to be a case of DNS tampering, it is actually done with the intention of providing users with faster access to websites. Similarly, false positives may emerge when tested websites serve different content depending on the country that the user is connecting from, or in the cases when websites return failures even though they are not tampered with.
Furthermore, measurements indicating HTTP or TCP/IP blocking might actually be due to temporary HTTP or TCP/IP failures, and may not conclusively be a sign of network interference. It is therefore important to test the same sets of websites across time and to cross-correlate data, prior to reaching a conclusion on whether websites are in fact being blocked. Since block pages differ from country to country and sometimes even from network to network, it is quite challenging to accurately identify them. OONI uses a series of heuristics to try to guess if the page in question differs from the expected control, but these heuristics can often result in false positives. Due to this, OONI only confirms an instance of blocking when a known block page has manually been added to the list of block pages that OONI supports.
However, this means that when a block page is not presented by the censor OONI cannot confirm with absolute certainty that blocking is occurring. For the purpose of this study we have extended our methodology to also take into account unusual failures that could be triggered by the censor. In particular, we have looked at sites that appear to fail consistently (that is in the same way) and constantly over the testing period, therefore most likely not due to transient networking errors.
OONI’s methodology for detecting the presence of “middle boxes” - systems that could be responsible for censorship, surveillance and traffic manipulation - can also present false negatives if ISPs are using highly sophisticated software that is specifically designed to not interfere with HTTP headers when it receives them, or to not trigger error messages when receiving invalid HTTP request lines. It remains unclear though if such software is being used. Moreover, it’s important to note that the presence of a middle box is not necessarily indicative of censorship or traffic manipulation, as such systems are often used in networks for caching purposes.
Upon collection of more network measurements, OONI continues to develop its data analysis heuristics, based on which it attempts to accurately identify censorship events.
Acknowledgement of limitations
The findings of this study present various limitations, and do not necessarily reflect a comprehensive view of internet censorship in Ethiopia on a nationwide level.
The first limitation is associated with the testing period, which started on 15th June 2016 and concluded on 7th October 2016, prior to the declaration of Ethiopia’s state of emergency. Therefore, censorship events which may have occurred before and/or after the testing period (such as the reported mobile internet shutdown in October 2016) were not examined as part of this study. Furthermore, security challenges for people conducting OONI tests in Ethiopia limited our ability to perform daily measurements and tests were inevitably run quite sporadically across the testing period. As such, censorship events that may have occurred on days that tests were not run might not be included as part of this study.
Even though measurements were collected from Ethio Telecom, which is Ethiopia’s main telecommunications service provider, the findings of this study do not necessarily apply on a nationwide level. Ethio Telecom might have applied censorship in some locations of Ethiopia, while not in others. Given that OONI software tests were run from the same location across the testing period, we cannot know with certainty whether the censorship events found through this study apply on a nationwide level or not.
Another limitation is associated to the types of URLs that were tested as part of this study. As mentioned in the methodology section of this report (“Test lists”), the criteria for selecting URLs that are relevant to Ethiopia presented bias. While a total of 1,403 different URLs were tested for censorship as part of this study, not all the URLs on the internet were tested, indicating the possibility that other websites not included in test lists might have been blocked.
Finally, the data analysis heuristics as part of this study also present limitations. This is due to the fact that many false positives almost inevitably emerge within the collected measurement data, limiting our ability to confirm censorship events with confidence, especially when block pages are not present.
Warm thanks to Girma Walabuma who took considerable security risks to perform OONI network measurement tests in Ethiopia for this study, and to the Open Technology Fund for funding OONI’s work.