Infinite eyes in the network: Government escalates attack on secure communication
The Egyptian government has intensified efforts in the last six months to bolster its ability to intercept and monitor messages and data sent over the internet, interfering with the digital security tools that facilitate secure communication channels. While there is a history of the Egyptian government breaching private security, something new may be on the horizon.
Mada Masr has reached out to technical experts, information security company executives and digital activists over the past few weeks to discuss the internet disturbances that have become a recurrent feature of Egypt’s online ecology. In many cases, these disturbances have completely or partially disabled the encryption services widely used by commercial and civil services and individuals to secure the flow of their data.
The anomalies in Egypt’s internet traffic began in August 2016, and, according to a government official familiar with the matter, they occurred as a result of an “official state entity” configuring a new system that would allow it to intercept online communications en masse.
While most of the disturbances ceased within a few weeks, evidence has continued to arise of a systematic and comprehensive attempt by government agencies to intercept data or obstruct encryption protocols.
Awareness of the interference did not gain traction among the wider public until late in December, when users suddenly discovered that Signal, the messaging and voice calling application supported by Open Whisper Systems’ encryption protocol, had stopped working in Egypt. Digital security experts contend that they had faced similar problems months before, a fact that led some information security companies to halt the collection of monthly fees pending a resolution.
Ahmed al-Ezaby, a technical expert and the head of data security at an insurance company, says the turbulent conditions caused by interference with secure communication could have an adverse effect on Egypt’s information technology sector, leading to the loss of millions of dollars and the closure of data security firms and of the companies that depend on their services. “When considering whether to enter the Egyptian market, investors will definitely take such interventions into account,” he says.
One of the fastest growing sectors in the Egyptian economy, the communication and information technology sector posted a growth rate of 11.2 percent in the first quarter of the 2016/2017 Fiscal Year, according to the Communication and Information Technology Ministry, whose minister, Yasser al-Qady, says the sector commands a 3.2 percent share of Egypt’s Gross National Product.
Mada Masr contacted the minister and his office to request comment on the findings of this investigation but had not received a response at the time of publication.
From directed surveillance to mass data collection
Indications that the Egyptian government has made attempts to acquire technology that would allow it greater surveillance of communication networks have surfaced several times in the past few years. The most notable revelation came about as a result of a July 2015 data breach, when an unknown individual hacked the computer systems of the Milan-based information technology company HackingTeam. Around 400 gigabytes of data – including emails, contracts, bills and budgets involving the company and Egyptian security and intelligence authorities – were made accessible to the public.
In concert with other evidence, the leaked documents show that Egyptian authorities were attempting to acquire technology that would allow them to collect information on specific users of interest through directed surveillance.
“But what we’re talking about now is different: The system targets Egypt’s internet traffic pipeline,” says Ahmed Mekkawy, a technical researcher and founder of the Egyptian information security company Spirula Systems, who has investigated the disturbances that have occurred over the past year.
The first problem that companies and specialists faced that indicated Egyptian security agencies may be targeting the infrastructure of the entire network arose in August 2016. Technicians noted that access to Secure Shell (SSH) — a protocol that provides encrypted communication channels across unsecured public networks and that is offered by many online service providers — had been obstructed. SSH is used daily in the management of millions of communication processes that occur over the internet.
Mekkawy says he was surprised about the obstruction of the SSH protocol provided by US company DigitalOcean. “Connection to their servers dropped suddenly,” Mekkawy says. “This occurred all over Egypt.”
In response to the obstruction, DigitalOcean’s users and clients began to contact the company. In a response to a client’s inquiry, which was obtained by Mada Masr, DigitalOcean wrote that the interrupted service was not the result of a technical error but had been deliberately caused: “Since you’re physically in Egypt, there’s not much we would be able to do to prevent them from messing with your traffic … Your government is performing DPI [Deep Packet Inspection] and is messing somehow with these secure connections.”
Data is most often transferred over the internet in small network packets that are reassembled and made legible on the recipient’s side. Deep packet inspection intercepts these packets at an inspection point between sender and recipient and examines not only the addressing information that identifies who is communicating with whom, but also the content of the communication itself.
DigitalOcean suggested contacting the Egyptian service provider TEData, owned by the Egyptian government. The US company added that they contacted both TEData and the Egyptian government to inquire about the interruption.
In December, five months after the incidents began, DigitalOcean told Mada Masr that they had not completed their investigation.
Days after the interruption in the SSH protocol was detected, access to HTTPS was blocked. HTTPS is the protocol used to transfer web pages securely, encrypting the traffic between a browser and the site it visits. Mekkawy says that the protocol continued to operate without interruption for internet giants like Facebook and Google but was completely blocked for all other websites, prompting him to draw the conclusion that the Egyptian government throttled HTTPS for all websites except those whose disruption would draw too much attention.
In order to gain further information, Mekkawy sent data packets and traced them through the network. An encrypted connection is set up in two stages: first, an automated handshake negotiates the parameters of the communication channel between the two endpoints; only after that does the encrypted exchange of data begin.
“The first packets sent from the computer dropped halfway through,” says Mekkawy. The only explanation for this, he adds, is that there is a monitoring system that traces and obstructs packets emanating from Egypt. To test the issue on a larger scale, Mekkawy established several virtual private network (VPN) connections – through which a user is able to connect to a private server and then send and receive data across public networks securely.
“My attempts to connect using VPN servers were immediately blocked the next day, which means that the monitoring system is active, traces any connection attempts, analyzes them and throttles them,” says Mekkawy.
From Tor to Signal: Further signs of expanded security intervention
Mekkawy was not the only one attempting to trace and analyze the technical disturbances. The Open Observatory of Network Interference (OONI) – an international network operating under the Tor Project that monitors internet censorship, traffic manipulation and signs of surveillance – decided to launch a thorough investigation in August into what was happening in Egypt at the request of technical experts in the country. In October, OONI published a report that confirmed much of what the independent tests had pointed to, as well as DigitalOcean’s assessment.
“Our findings indicate that the Tor anonymity network appeared to be interfered with in Egypt, while HTTPS connections to DigitalOcean’s Frankfurt data centre were throttled. We also found that access to porn sites appeared to be interfered with via in-band TCP packet injections of advertisement and malware content, and that the blocking of The New Arab website led to the blocking of specific content (such as images) of other sites that are hosted on the same Content Distribution Network (CDN),” the OONI report asserted.
Although the report did not address which party was behind the interference, OONI suggested that the interruption of the Tor browser was caused by RST injection (forged TCP reset packets sent by a device in the network path to tear down a connection), which Open Whisper Systems also suggested was behind the interference with Signal. Furthermore, OONI’s report stated that the injected RST packets observed to obstruct user-server communication with The New Arab website shared the “static IP identification (IP ID) value of 0x3412 as the injected RST packets” used in an attempt to block Tor. This similarity is significant because The New Arab, which is Qatari-funded and sympathetic to the Muslim Brotherhood, is known to be blocked by the Egyptian government, suggesting that a state agency operating the same injection point conducted the RST injection attacks on Tor.
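The fingerprint OONI describes (a reset packet carrying the same IP ID on unrelated connections) is something a network operator can look for in their own captures. The following is an added example, not code from Mada Masr, OONI or any project named in the article. It works over a small constructed packet summary (addresses from the RFC 5737 documentation ranges, flag and ID values invented for the test) and flags reset segments that look injected on three grounds: a constant IP ID reused across flows, the claimed sender continuing to transmit after its own reset, and a TTL that does not match that sender's other segments. The `Packet` record and the heuristics are this example's own; they are not the OONI methodology.

```python
from collections import defaultdict
from dataclasses import dataclass

# IP ID value OONI observed on the injected RST packets (from the report quoted above).
REPORTED_STATIC_IP_ID = 0x3412


@dataclass(frozen=True)
class Packet:
    """Minimal summary of one TCP segment, as a capture parser might emit it."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"
    ip_id: int
    ttl: int


def flow_key(p: Packet):
    """Bidirectional 4-tuple so both directions of a connection share one key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def find_injected_rsts(packets, min_flows=2):
    """Return [(packet, reasons)] for RSTs that look injected by an on-path device.

    Heuristics (each independently suggestive; together they are strong):
      1. the same IP ID on RSTs across unrelated flows (a real host varies it),
      2. the claimed sender keeps transmitting after its own RST (an injector
         cannot stop the real endpoint, whose segments keep arriving),
      3. the RST's TTL differs from the same sender's other segments, i.e. it
         was emitted from a different hop distance.
    """
    by_flow = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        by_flow[flow_key(p)].append(p)

    flows_per_rst_ipid = defaultdict(set)
    for key, flow in by_flow.items():
        for p in flow:
            if "R" in p.flags:
                flows_per_rst_ipid[p.ip_id].add(key)

    suspicious = []
    for key, flow in by_flow.items():
        for i, p in enumerate(flow):
            if "R" not in p.flags:
                continue
            reasons = []
            n = len(flows_per_rst_ipid[p.ip_id])
            if n >= min_flows:
                reasons.append(f"ip_id 0x{p.ip_id:04x} reused on RSTs in {n} flows")
            if any(q.src == p.src and "R" not in q.flags for q in flow[i + 1:]):
                reasons.append("claimed sender kept transmitting after the RST")
            other_ttls = {q.ttl for q in flow if q.src == p.src and q is not p}
            if other_ttls and p.ttl not in other_ttls:
                reasons.append(f"ttl {p.ttl} differs from sender's usual {sorted(other_ttls)}")
            if reasons:
                suspicious.append((p, reasons))
    return suspicious


# Constructed sample capture (addresses from RFC 5737 documentation ranges, values invented).
CLIENT = "192.0.2.10"
SAMPLE_PACKETS = [
    # Flow 1: HTTPS to 203.0.113.10; a forged RST lands mid-handshake, then the real server answers.
    Packet(1.00, CLIENT, "203.0.113.10", 40001, 443, "S", 1001, 64),
    Packet(1.05, "203.0.113.10", CLIENT, 443, 40001, "SA", 5001, 52),
    Packet(1.06, CLIENT, "203.0.113.10", 40001, 443, "A", 1002, 64),
    Packet(1.07, CLIENT, "203.0.113.10", 40001, 443, "PA", 1003, 64),   # ClientHello
    Packet(1.08, "203.0.113.10", CLIENT, 443, 40001, "R", 0x3412, 61),  # injected
    Packet(1.12, "203.0.113.10", CLIENT, 443, 40001, "PA", 5002, 52),   # real ServerHello still arrives
    # Flow 2: a different server, same constant IP ID on the RST.
    Packet(2.00, CLIENT, "198.51.100.7", 40002, 443, "S", 1101, 64),
    Packet(2.05, "198.51.100.7", CLIENT, 443, 40002, "SA", 6001, 52),
    Packet(2.06, CLIENT, "198.51.100.7", 40002, 443, "A", 1102, 64),
    Packet(2.08, "198.51.100.7", CLIENT, 443, 40002, "R", 0x3412, 61),  # injected
    # Flow 3: a genuine RST from a host with nothing listening on the port.
    Packet(3.00, CLIENT, "203.0.113.20", 40003, 8443, "S", 1201, 64),
    Packet(3.05, "203.0.113.20", CLIENT, 8443, 40003, "RA", 7001, 52),  # legitimate
]

if __name__ == "__main__":
    for p, reasons in find_injected_rsts(SAMPLE_PACKETS):
        print(f"{p.ts:.2f} {p.src}:{p.sport} -> {p.dst}:{p.dport} RST ip_id=0x{p.ip_id:04x}: "
              + "; ".join(reasons))
```

On the sample, the two resets with IP ID 0x3412 are reported and the genuine closed-port reset in flow 3 is not. The third heuristic is the one that usually survives when an injector randomizes its IP ID: a reset emitted from a middlebox a few hops away arrives with a different TTL than segments from the real endpoint, and the real endpoint's later segments show that it never closed the connection.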
The government source that attributed the initial disturbances to the state's configuration of new surveillance software also asserted the disturbances would “end soon,” a suggestion that was corroborated in the weeks that followed when the protocols began working again. However, a return to operation does not necessarily mean that the surveillance software has ceased to function but may more realistically point to its seamless integration.
Nonetheless, service disturbances indicating some type of interference did not halt completely, as users reported being unable to access the home page of Google’s search engine – although, the Egyptian Google domain www.google.com.eg was functioning normally – from all Egyptian service providers.
It did not take long before a causal link was established between the issues with access to Google and the interference with Signal.
When Signal, the messaging and voice calling application supported by Open Whisper Systems’ encryption protocol and used by a wide range of agents in Egypt for its high-security standards and commitment to open-source software, suddenly stopped working in December, Open Whisper Systems launched a technical investigation. At the conclusion of its inquiry into the problem, the developer laid blame for the issue at the feet of the Egyptian government.
Days later, Open Whisper Systems released an update that would allow users in Egypt and the United Arab Emirates to bypass government interference by deploying a technique known as domain fronting, which uses content distribution networks, such as Google, to allow communication between the company’s servers and users’ devices. Domain fronting was automatically enabled for all Signal users whose associated phone number is listed under an Egyptian or UAE country code.
With the update, when a user sends a message via Signal, it will resemble a regular HTTPS request to content delivery networks (CDNs) like Google. If a state wishes to prevent people from sending messages on Signal, it will have to block all access to Google’s website, according to a statement from the company.
When the interruptions to Google surfaced, Open Whisper Systems tweeted, “Egypt keeps trying to block Signal, inadvertently blocking all of Google, and having to stop as a result. We'll also expand domain fronts.”
A history of war on the internet
Access to the internet has been a controversial topic for the Egyptian government, especially after the January 2011 revolution, as seen in the recurrent arrests and trial of Facebook page administrators. The government is also currently preparing legislation to combat cybercrime.
In a joint policy report published in June 2016 and titled “Anti-Technology,” the Egyptian Initiative for Personal Rights, Support for Information Technology and the Association for Freedom of Thought and Expression wrote that the law “violates the principle of equality before the law and contains penalties regarding the use of information technology.”
In April 2016, sources with direct knowledge of discussions between Facebook and the Egyptian government told Reuters that Egypt blocked Facebook Free Basics internet service at the end of 2015 after the US company refused to give the state the ability to monitor users.
A month earlier, in March, Google published a statement asserting that it had become “aware of unauthorized digital certificates for several Google domains” issued by an intermediate certificate authority held by the Egyptian company MCS Holdings, which had been contracted by CNNIC to issue certificates for domains that it had registered.
“Rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” the Google statement read.
In a previous report, Mada Masr highlighted leaked documents that emerged after Cairo’s State Security headquarters was stormed by protesters in March 2011, which showed that MCS had been corresponding with the State Security Investigation Service (SSIS) to obtain the FinFisher system, surveillance software offered by Anglo-German company Gamma International.
The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, scanned several countries throughout December 2012 and January 2013 to search for the use of Blue Coat Systems’ products, network filtering appliances that have been known to be used to violate human rights. In its published findings, the laboratory found that the Egyptian government had used a ProxySG to monitor, trace and randomly filter content to users.
Map of countries using Planet Blue Coat services
According to the most recent statistics published by the Communication and Information Technology Ministry, the number of internet users in Egypt at the end of 2016 had increased to 30 million, a breadth that represents a tremendous challenge to a state security sector that desires to surveil each user, making the indiscriminate monitoring provided by mass data collection attractive.
However, mass surveillance of data exchanges and communications lacks legal and constitutional ground. According to Article 57 of the Constitution, “Postal, telegraphic and electronic correspondences, telephone calls, and other means of communication are inviolable, and their confidentiality is guaranteed. They may not be confiscated, revealed or monitored except by virtue of a reasoned judicial order, for a definite period, and only in the cases defined by law.”
Moreover, the 2003 telecommunications law guarantees “the rights of the Users, especially their privacy rights in accordance with the law, and without disturbing the National Security, the State top interests, urban planning and health and environmental standards that are specified by the relevant Ministries and Heads of concerned entities.”
The 2003 statute remains controversial, however, due to the import of several articles, notably Article 64, which grants Egypt’s security forces broad power in intervening in telecommunications networks: “With due consideration to inviolability of citizens private life as protected by law, each Operator and Provider shall, at his own expense, provide within the telecommunication networks licensed to him all technical potentials including equipment, systems, software and communication which enable the Armed Forces, and National Security Entities to exercise their powers within the law.”
The law that Article 64 references is the criminal procedures code, which imposes certain restrictions on the security forces’ surveillance of Egyptian nationals. “The investigating magistrate may order the seizure of all letters, correspondences, newspapers, publications and packages found at post offices and all telegrams found at telegram offices and may order the surveillance of telecommunications or recording of conversations taking place in a specific place whenever deemed necessary for the revelation of the truth in a crime or misdemeanor punishable by incarceration for no less than a three-month period ... In all cases, the acts of seizure, inspection, surveillance or recording shall be on the grounds of a justified warrant, for a period of time no longer than thirty days subject to renewal for another equivalent period or periods of time,” reads Article 9 of the telecommunications law.
Amr Gharbeia, the Egyptian Initiative for Personal Rights’ (EIPR) technology and freedoms program officer, believes that the provisions of the criminal procedures code governing surveillance of phone calls should apply to all electronic communication. “Targeted surveillance should have a specific target, for a specific case, within a preset time frame,” Gharbeia says. “But mass surveillance is different. It traces and monitors all sorts of communication between everyone, with no need for legal cover.”
The same thing would apply for online publications, according to Gharbeia. “Investigations too have their regulations, among which is that they have to be related to a specific interrogation not a random digging for information and data, and should be coherent with their purpose.”
It seems that the technical and legal battle over online surveillance will be a protracted affair, given the apparent contradiction in the government’s position. On the one hand, the state wants to build and develop the telecommunications and information security sectors. On the other hand, government agencies are focused on their own control of internet communications in Egypt.
The government doesn’t have the right to send detectives after all citizens, says Gharbeia. “Does it have the right to trace all the interactions within the country, mapping and monitoring all forms of communication between people, and to record every discussion in the public domain?”