A report published in August found Burundian networks using technology from Chinese company Huawei to block Iwacu and other news sites. The report was funded and published by PrivacyCo, the parent company of privacy research and advice website Top10VPN.com. Co-authors Valentin Weber and Vasilis Ververis, PhD candidates at the University of Oxford and Humboldt University of Berlin respectively, told CPJ in a recent video call about their research tracking Huawei equipment known as middleboxes to internet networks in 72 countries, 18 of which were using the devices to block news or other websites. (Weber has since joined the German Council on Foreign Relations as a cyber research fellow.)
In Cuba, the report found the sole state-controlled internet service provider ETECSA using Huawei technology to block independent news website Cubanet, among others; authorities in Cuba have subjected Cubanet and its journalists to frequent restrictions. Readers can bypass blocks using virtual private networks (VPN), but many news outlets must shift their work to other sites or social media. In Egypt, a number of outlets have gone out of business after being blocked.
Middlebox devices can examine the packets of data that facilitate browsing and communication using a process called deep packet inspection. DPI has benign, even essential functions, like making connections faster or caching content for future access, but it can also be used to manipulate or filter information, the authors said. In the wrong hands, a middlebox could divert visitors to a rogue website designed to steal passwords or install malware, for example.
Such intrusions are hard to detect, but the 18 countries in the report acknowledge blocking – notifying users via their browsers that the content they are trying to access is restricted – making censorship a starting point for researchers to assess whether countries are using middleboxes to undermine human rights, according to Weber and Ververis.
Glenn Schloss and Rob Manfredo of Huawei’s U.S. corporate communications team acknowledged CPJ’s request for an interview when the report was initially published, but did not subsequently respond to emailed questions.
The interview with Weber and Ververis has been edited for length and clarity.
You describe Huawei’s middleboxes performing “online behavior management” – where does that term come from?
Weber: It comes from Huawei marketing material relating to a specific middlebox, the ASG5000 series. We found it in a Chinese language source, so it’s our translation, but I think it matches the capabilities well – it can detect traffic and act on it, managing the behavior of [internet] users in various contexts and venues.
Why are you concerned about the security implications of middleboxes on national networks?
Weber: Important traffic is flowing through these devices but the policies [for the data Huawei receives from them] sometimes weren’t clear – what happens to the data, or whether it can be transferred further. For different continents or territories, we found a database location – in Mexico for Latin America for example – but you wouldn’t know what happens once the data is transferred there.
Ververis: An analogy for a consumer would be a cleaning robot that sends data to the vendor about the dimensions of your house. Hopefully it’s in good faith, but I would not be surprised if that data was being sold or analyzed [for other purposes].
Should individuals on a network be concerned that a middlebox could access private information, or passwords, for example?
Ververis: Usually you should not be worried when you’re visiting websites, especially websites that use some kind of encryption or secure layer [like HTTPS, which prevents others from reading or intercepting information exchanged between a reader and the websites that they visit]. We all know that you shouldn’t connect to open WiFi, [but instead] use a VPN or Tor [on untrusted networks], and [log in to accounts with] two-factor authentication.
But it’s difficult to protect against a strong adversary. Let’s say you’re a journalist on a network that you don’t trust. The network can gain a lot of information from your connectivity, and middleboxes can [be used to facilitate a cyberattack].
How did you detect that these middleboxes were being used to block websites?
Ververis: We use open data from the Open Observatory of Network Interference, which collects network measurements from volunteers all over the world. When you’re sending and receiving a request from a web server you get back some metadata, and we were able to find the specific Huawei tag added to these responses. That might reveal the device, the model, sometimes the version. The middlebox we found had already been found in 2017 OONI research on Cuba.
It’s only possible to do this research if the data is provided openly, the way OONI does. Other entities like Cloudflare and Google, or the transparency reports from social media companies, don’t help researchers and journalists find out what’s going on.
You found 18 countries blocking content with middleboxes, up from seven in an earlier study you did in 2019. What does that suggest?
Ververis: We have more data from OONI now than before, but censorship has [also] been increasing. It’s actually quite surprising that [so many countries] use the same device, so there may be more to unpack there – whether it’s cheap, or easy to deploy, we don’t know.
Is Huawei providing maintenance on these devices or facilitating how they are used?
Ververis: In general, infrastructure [used by internet service providers] should be maintained by the vendor. You usually pay for a license to keep using it [for a specified period].
Weber: The devices report back to the vendor, sending error notices and other information, so the manufacturer might be incentivized to act on that, for example to provide software updates. We also expect that Huawei is likely to provide keyword lists or broad categories for blocking to the customers.
Your report found websites in the news and media category were among those most subject to blocking – what do you take that to mean?
Ververis: News and political advocacy were among the higher categories, though in some countries we have much more data than in others. There are [also] other [blocking] methodologies. In Cuba, they still use the Huawei middlebox, but they’re also deploying something else. Either it doesn’t have a tag or it’s the same equipment that’s been changed, or, most probably, other devices.
The research is not conclusive, but our goal was to raise awareness. If one vendor and one device can do so much damage, what happens with the other dozens or even hundreds that are also out there?
Weber: We uncovered the tip of the iceberg. If there has been some political censorship in a country, even if it’s just a few websites, we can expect there to be more.
Would you argue Huawei is more likely to facilitate censorship because of its origins in China, one of the most censored countries in the world?
Weber: Like all other companies, Huawei is profit driven, which means they will sell anywhere they can make money. We’ve seen that Blue Coat Systems, a company based in the U.S., was selling to regimes that were questionable. There are very few international regulations that would inhibit any of these companies [from] selling wherever there is an opportunity.[Editor’s note: Researchers at the University of Toronto’s Citizen Lab have reported products sold by Blue Coat Systems being used to censor and surveil internet traffic around the world in the past, including in Syria in 2011, despite a U.S. trade embargo. The company – which has since been acquired and restructured, according to Forbes – told the Wall Street Journal that the technology had been transferred without its knowledge.]
What is a company’s responsibility if it supplies a middlebox to a customer that uses it to censor news under local law?
Weber: There are best practices to engage customers abroad and do risk assessments. I haven’t seen much evidence that Huawei does this.
If you’re a manufacturer selling to law enforcement or government entities, you have to assess their human rights record. It’s too easy to say, “We don’t know how it’s going to be used.” We were able to find questionable use of the technology, a multi-million or multi-billion-dollar company should be able to as well.