BEIRUT — Alex, a Swiss bicyclist and Internet geek, thought he’d get a welcome break from his work as a computer engineer and a teacher when he moved to Damascus for a year to study Arabic. It was January 2011, a few months before the Arab uprisings spread to Syria.
But once he was there, Alex noticed with irritation that he couldn’t access Facebook and a seemingly random assortment of websites. Some Google search results were blocked, especially if they turned up pages containing forbidden terms like “Israel.”
He developed tricks to navigate the Internet freely, and sharpened his online evasion skills. If the government was so heavily monitoring and censoring Web surfing, he reasoned, it was surely spying on Internet users in other ways as well. He beefed up ways to encrypt his e-mail and Skype, and learned how to scour his own computer for remote eavesdropping software.
These skills ended up being more than just a personal hobby. When Syrians began to demonstrate against the regime of Bashar Assad, Alex found that his techniques were of urgent use to the friends he had made in the cafes of Damascus. Syrians were turning to activism, and they needed help.
“What was before a nuisance for me was now a danger to my friends,” said Alex, who didn’t want his last name published so as not to endanger any of his Syrian contacts.
Alex ended up spending two years in Beirut training Syrian antiregime activists on how to encrypt their data and protect their phones and laptops from the secret police, in what turned into a full-time job. Alex had become one of a small and secretive group of Internet security experts who work not with governments or companies but with individuals, teaching dissidents the skills they need to evade regime surveillance. Internet activists estimate there are about a hundred technical experts worldwide who work directly with dissidents.
As surveillance steps up and activists get more wired, the practical challenges for these digital security experts offer a unique glimpse of the frontline struggle between free speech and government control, or, as many of them put it, between freedom and authoritarianism. And with surveillance more than ever a concern for Americans at home, the knowledge of these security activists casts a revealing light on the peculiar role of the United States, home of both a powerful tech sector that has generated some of the most skillful evaders of surveillance and a government with an unparalleled ability to peer into our activities.
Indeed, even the people who know how to keep e-mail secret from the Syrians or Iranians say that it would be difficult to make sure the American government cannot eavesdrop on you. “It’s hard to find a service that it isn’t vulnerable to the CIA or NSA,” Alex said in an interview in Beirut. “It’s easier if you’re here, or in Syria.”
Activists in authoritarian states face a range of basic problems when they sit down at a computer. They need to communicate privately in an environment where the regime likely runs the local Internet service. They may want to send news about domestic problems to international audiences; they may want to mobilize their fellow citizens for a cause the regime is trying to suppress. Whatever they do, they need to keep themselves out of trouble, and also avoid endangering their collaborators by unwittingly revealing their identities to the government
Tech experts like Alex offer them a mix of standard security protocols and tools designed specifically with lone activists in mind. The first step is “threat modeling.” Where does the danger come from and what are you trying to hide? A well-known dissident might not be worried about revealing her identity, but might want to protect the content of her phone conversations or e-mails. A relatively unknown activist might be more concerned with hiding her online identity, so that the government won’t connect her real-life identity to her blog posts.
Users new to the world of surveillance and evasion must master a new set of tools. There are proxy servers that allow access to blocked websites without tracking users’ browsing history or revealing their IP address. Security trainers teach activists how to encrypt all their data and communications. And because circumstances change, Web security advocates emphasize the importance of multiple, redundant channels—different e-mails, messaging programs and social media platforms—so that when one is compromised, there are other alternatives.
A repressive regime like Bashar Assad’s can effectively stymie dissent with crude old-fashioned ruses. On one occasion, the government arrested a rebel doctor while he was logged in to his Skype account. Agents posed as the doctor, sending all his contacts a file that supposedly contained a list of field hospitals. Instead, it installed program called a keylogger that allowed the Syrians to monitor everything the doctor’s contacts did on their computers.
Alex warns all the activists he trains that all their encryption measures could come to naught if they are caught, like the doctor was, while their computer is running—or if they give up their encryption password under interrogation. “They can always torture you for your password, and then all your data is compromised,” he said. There’s no foolproof protection against that.
Though these security measures can go a long way, consultants also find themselves needing to balance the effort it takes with the unique urgency of some of the dissidents’ lives. In the heat of violent conflict, encryption doesn’t always take priority. “Many of them are just too busy to care, to follow all the disciplined procedures,” Alex said. “It got to the point where it felt useless to teach them how to encrypt Skype when thousands of tons of TNT were falling from the sky.”
As activists have tapped online resources in their struggles, a range of security specialists have sprung up to assist them. Some, like
Alex, are independent operators; many of them arose loosely around a single crisis and then expanded their efforts.
In response to Tehran’s Web censorship in 2009, a group of Iranian-Americans established an organization called Access Now to train human rights groups and other organizations on more secure communications. In the four years since it has expanded worldwide and now sends technical specialists to work with activists in the former Soviet Union, the Middle East, and Africa. It also acts as a lobbying group, pressing for uncensored access to the Internet. “Access to an unfiltered and unsurveilled Internet is a human right,” says Katherine Maher, the group’s spokeswoman. “We should have the rights to free speech and assembly online as we have offline in the real world.”
A few years later, when the Arab uprisings began, activists again faced crucial concerns about technology and surveillance. Activists throughout the Arab world planned demonstrations online, and used social media as a major artery of communication. In Egypt, the government was so desperate to thwart the protest movement that in January 2011 it briefly cut off the entire nation’s Internet. Telecomix, a freewheeling collective that began in response to privacy concerns in Europe, was one of many groups that helped build workarounds so that Egyptians could communicate with one another and with the outside world in the early days of the uprising.
In Egypt, Alix Dunn cofounded a sort of nerd-wonk research group called The Engine Room in early 2011 to study and improve the ways that activists get tech support from the small community of available experts. “There are people who got really excited because all of a sudden IT infrastructure suddenly became part of something so political,” Dunn said. “They could be geeky and politically supportive at the same time.”
The advice is not always technical. For instance, in Egypt, Alaa Abdel Fattah, one of the country’s first bloggers and later a strategist for the 2011 uprising, championed a strategy of complete “radical openness.” He convinced other activists that they should assume that any meetings or communications could probably be monitored by the secret police, so activists should assume they’re always being overheard. Secret planning for protests should take place person to person, off the grid; in all other matters, activists should be completely open and swamp the secret police with more information than they could process. In the early stages of Egypt’s revolution, that strategy arguably worked; activists were able to outwit the authorities, starting marches in out-of-the-way locations before police could get there.
Given the recentrevelations about the US government’s online surveillance programs, it’s striking to note that much of the effort to improve international digital security for dissidents has been spurred by aid from the US government. The month after the Arab uprisings began, the US Department of State pledged $30 million in “Internet Freedom” grants; most of them have gone, directly or indirectly, to the sort of activist training that Alex was doing in Damascus.
In some ways, the latest American surveillance revelations haven’t changed the calculus for activists on the ground. Maher notes that almost all the State Department-funded training instructs activists around the world to assume that their communications are being intercepted. (Her organization doesn’t take any US government funding.)
“It’s broadly known that almost every third-party tool that you can take is fundamentally compromised, or could be compromised with enough time and computing power,” Maher said.
But there are new wrinkles. Some of the safest channels for dissidents have been Skype and Gmail—two services to which the US government has apparently unfettered access. It’s virtually impossible for a government like Iran’s to break the powerful encryption used by these companies. Alex, the trainer who worked with Syrians, says that a doctor in Aleppo doesn’t need to worry about the NSA listening to Skype calls, but an activist doing battle with a US corporation might.
Officially, American policy promotes a surveillance-free Internet around the world, although Washington’s actual practices have undercut the credibility of the US government on this issue. How will Washington continue to insist, for example, that Iranian activists should be able to plan protests and have political discussions online without government surveillance, when Americans cannot be sure that they are free to do the same?
For activists grappling with real-time emergencies in places like Syria or long-term repression in China, Russia, and elsewhere, the latest news doesn’t change their basic strategy—but it may make the outlook for Internet freedom darker.
“These revelations set a terrible precedent that could be used to justify pervasive surveillance elsewhere,” Maher said. “Americans can go to the courts or their legislators to try and challenge these programs, but individuals in authoritarian states won’t have these options.”