Black Code: Inside the Battle for Cyberspace (12 page)

Net-savvy, disenfranchised youth fuelled the protests that swept across the Middle East and North Africa during the Arab Spring, toppling dictatorships that most thought were immovable, but there is a more discomforting scenario, especially as the dust settles and the “youth bulge” looking for jobs grows restless. Just as Willie Sutton famously remarked when asked why he robbed banks – “because that’s where the money is” – the temptation to breach servers that host valuable data thousands of kilometres distant but only a mouse click away might be irresistible to scores of computer-literate unemployed youth from Rio, Rangoon, or Marrakesh.

Perhaps the most noteworthy fact is that
the fastest growth rates are occurring among the world’s failed and most fragile states. In the ITU’S 2009 Information Society Statistical Profiles, the ten countries that saw the fastest Internet user growth rates over the previous five years were Afghanistan, Myanmar, Vietnam, Albania, Uganda, Nigeria, Liberia, Sudan, Morocco, and D.R. Congo. (Afghanistan topped the list with growth in Internet users of 246.6 percent from 2002 to 2007.) The fastest growth rates in mobile cellular subscriptions over five years occurred in some of the world’s poorest and most conflict-prone states: Guinea-Bissau, 230.2 percent; Afghanistan, 184.6 percent; Nepal, 172.2 percent; Ethiopia, 128. 1 percent; Chad, 94.5 percent; Angola, 80.9 percent; and Burkina Faso, 60.7 percent. These statistics are almost certainly
underestimations of the actual number of users connecting to cyberspace in these countries (gathering statistics in zones of conflict and in failing and fragile states being inherently difficult and almost always unreliable), but what we do know from field research in the global South and East is that users there improvise in ways that numbers do not capture: one or several families may share an Internet connection, or regularly use a shared Internet connection point at a café or corner store; cellphones may be shared between several people, multiplying the actual users represented by a single data point. Granted, many of these countries are starting out from a baseline of practically no connectivity whatsoever, but this does not change the fact that they are migrating online and into cyberspace at a furious pace, and in a context of chronic unemployment and minimal government control.

What to expect from these next billion users is hard to say, but innovative uses of cellphones, Internet cafés, satellite uplinks, and websites in the global South and East challenge our assumptions of the type of social effects spawned by cyberspace. The domain may be liberating, but liberating for what, exactly? Over the past ten years of research, much of which I have spent on journeys in poor, less developed regions of the world, I’ve often had a
Wizard of Oz
feeling of “not being in Kansas anymore.”

•  •  •

In many parts of the
developing world, the separation between organized crime and the state is blurred, meaningless really. Public officials use their offices for graft, or employ criminal groups to exercise paralegal authority. It should come as little surprise, then, that the levers of power in such places are used to control cyberspace.

The most striking examples come from the former Soviet Union, a ring of nations forcefully unified under Stalin’s regime and
sharing its legacy of controls: Russia and the “stans” (Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, Turkmenistan), Ukraine, Belarus, Georgia, Moldova, Azerbaijan, and Armenia.
Whereas in others parts of the world cyberspace controls are exercised through technical means like filtering software, in these countries smashed windows, threatening phone calls in the middle of the night, broken bones, arrests, even murder are the not-so-subtle means of shaping the communications space. In Uzbekistan, the regime of President Islam Karimov has long used severe punishments to create a chilling effect on dissent: for instance, two political prisoners accused of belonging to an Islamic extremist group were executed by being boiled to death in 2002. Vladimir Putin’s regime and others like it govern through a combination of intimidation and exploitation, making the boundaries between what is legal or criminal largely abstract, irrelevant in practice. Their political control strategies often veer into outright thuggery, and some organized crime groups might be better described as informal agencies of the state: political authorities regularly use their services to quell unrest or to further kleptocratic ends. Such stone-age techniques have been applied in the digital arena with nearly gleeful indiscretion by Eurasian countries.

Over the years, researchers in the region with whom we collaborate (often at great risk to them) have uncovered countless anomalies that point directly to the vested interests of entrenched authorities: the disabling of access to opposition websites leading up to critical elections; tampering and manipulation of DNS records to favour local, approved websites over international ones; political bloggers arrested on trumped-up charges of copyright violation or possession of child porn; brazen murders of critics of the regime. In one horrifying episode that caused me deep personal grief, a young Kyrgyz journalist named Alisher Saipov with whom Citizen Lab had collaborated was murdered in the middle of a busy street in
Osh, shot several times after what many believe was a $10,000 bounty put on his head by Uzbek security services (Saipov had written articles critical of Uzbek authorities). While reading the news of his death on Radio Free Europe’s website, I noticed that his Skype account, over which he and I had communicated, turning green, signalling that he was online. I was even more taken aback when a chat message popped up: “Professor Deibert, how are you today?” I did not answer, knowing that it was not Alisher, who would never have addressed me in such formal terms. Citizen Lab researchers set up a honeypot computer, to lure whoever had Alisher’s computer and Skype account into contacting us, perhaps giving away who was behind his murder. I opened his Skype chat window and sent a message with the honeypot link, asking the person on the other end to check it out. I never got a reply.

Sometimes the controls used in cyberspace in the former Soviet Union have little or nothing to do with politics; instead, they are just about personal financial gain. In the course of our research, we regularly came across locally hosted versions of websites masquerading as Google, wherein the domain name system would redirect requests for the legitimate Google site to one that was a reasonable facsimile in order to capture advertising revenues. In Uzbekistan, three of four ISPs uniformly blocked access to content, while the fourth was entirely filter free. Further field research uncovered that the owners of the fourth ISP were connected to the family of Uzbek president Islam Karimov, and were operating a filter-free service to capture revenues.

•  •  •

Each country in the global
South and East deals with cyberspace challenges in unique ways. India, the world’s largest democracy, is confronted by most of the usual challenges afflicting the
developing world: sectarian and religious strife, overpopulation and unemployment, infrastructure decay, regional tensions – along with barely contained hostilities with neighbouring Pakistan over the disputed territory of Kashmir. Cyberspace policy issues vaulted to the top of India’s national security agenda after the Mumbai terrorist attacks: three consecutive bombings in July 2008 that left twenty-six dead and hundreds injured. It was widely reported that those responsible coordinated their activities through disposable cellphones and forged SIM cards. Alongside revelations that India’s national security establishment had been thoroughly breached by Chinese-based hackers and constant concerns over inflammatory Internet content offending various religious and cultural sensitivities, these attacks provoked a sudden urgency among Indian policy-makers to do something – anything – to control cyberspace and its now 100 million Indian Internet users. The result has proven extreme, draconian, and chaotic in its effects.

The country’s Information Technology (Intermediaries Guidelines) Rules of 2011 place extraordinary policing responsibilities on ISPs and other services that operate in cyberspace. Companies are required to screen content and any Indian resident can compel Google to remove material he or she deems offensive. Content forbidden by the state includes anything that is “grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libelous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever; or threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.” One might wonder what
is
allowed in cyberspace in the world’s largest democracy?

In December 2011, the Indian government asked Google, Microsoft, Yahoo!, and Facebook to set up a proactive “prescreening system” to look for objectionable content and remove it before it goes online. Meanwhile, Section 69 of the 2008 Information Technology Act gives the government the power – in the interest of the sovereignty, integrity, defence, or security of India – to direct any Internet service to block, intercept, monitor, or decrypt any information related to these areas. Failure to comply with such demands can lead to fines and up to seven years in jail for executives. Not surprisingly, companies have found it nearly impossible to meet such broad and unusual requirements, and both Facebook and Google are now facing criminal charges in India for not removing content.
India has also waged a persistent campaign to require companies operating there to assist in surveillance, most notably Canada’s Research in Motion (RIM), the maker of the popular BlackBerry mobile device. Several times India has threatened to expel RIM from the country if the company fails to comply with its demands. At the municipal level, Delhi city authorities have even launched an ambitious program to monitor every single individual visiting the city’s cyber cafés.

•  •  •

In many countries of the
global South and East the rule of law is unevenly applied and arbitrarily enforced, and the newness of the challenges presented by cyberspace cause governments to overstep or awkwardly apply regulations in the face of emergencies or crises. In response to violent demonstrations that erupted across his country against a U.S.-made anti-Islamic film and the publication of French cartoons of the Prophet Muhammad, the Pakistani minister of the interior, Rehman Malik, ordered all cellphone networks disabled, cutting off access to approximately 100 million
users. The ban affected practically everyone, including private security guards, emergency responders, NGOS, and doctors who scrambled to find ways to communicate during the state-imposed blackout.
Meanwhile, the Indian government banned all mass text messaging after false alarms about imminent attacks on minority groups circulated over SMS, leading to an estimated 15,000 people fleeing various cities in panic.

In Kenya,
in an attempt to prevent the sale and distribution of cloned and pirated mobile phones, the government ordered ISPs to turn off nearly 2 million cellphones whose hard-coded numbers didn’t match databases. Thousands of Kenyans woke up to find their phones suddenly didn’t work, even many who insisted that their purchases were legitimate.
In 2010, Turkey ordered ISPs to block access to YouTube, the regulation implemented in such a way that numerous other Google services were also blocked, including Google Books, Google Pages, Google Docs, and Google Translate. In 2005, testing by the OpenNet Initiative found that when
South Korea put in place regulations to block several dozen pro-North Korean websites, they also impeded access to more than 3,000 completely unrelated websites that shared the same IP address as the pro-North Korean websites because they used the same hosting company.

More so than in the largely secular West, religion remains a motive force across the global South and East and a major influence on law and politics. This will invariably shape cyberspace as regimes in those regions transplant laws applied to traditional media to ISPs, cellphones, and social media, banning content that offends religious or cultural sensitivities and downloading policing to the private sector.
In his 2010 report,
In the Name of God
, the Citizen Lab’s Helmi Noman analyzes how “the flow of information in cyberspace in majority Muslim countries mirrors, to a large extent, the flow of information in ‘real’ space in these nations.” Many majority
Muslim countries criminalize the promotion of non-Islamic faiths among their Muslim citizens offline, and they have now taken steps to ensure that the same laws are applied to cyberspace.

Islam is mentioned explicitly as the state religion in almost all Arab countries, and sharia law is a strong influence over the legal code. As a consequence, press and publication laws that make it a criminal offence to insult Islam are being carried into cyberspace. The terms of service of Oman’s Omantel and Yemen’s
Y.net
, for instance, specify that users refrain from using these services to contradict religious values. Saudi Arabia’s Commission for the Promotion of Virtue and Prevention of Vice, a religious police unit in charge of enforcing sharia law, published a document on its website entitled “The Moral Vice of the Internet and How to Practise Hisbah” (
Hisbah
, roughly translated, means encouraging moral virtues while suppressing vice.) Likewise, access to homosexual content online is restricted in many Muslim countries because gay relationships are considered taboo, and are in many cases illegal.

While many of these restrictions are imposed by the state, Noman details how pressures to enact and enforce such laws often come not from governments but from civil society groups and/or religious leaders. In July 2012, Ra’if Badawi, editor of the Free Saudi Liberals website, was arrested under Saudi Arabia’s Anti-Cyber Crime Law for violating state values by providing an online platform for people to debate religion. The primary impetus for the charges seemed to emanate from a powerful Saudi cleric, Shaikh Abdul-Rahman al-Barrak, who declared Badawi an “unbeliever … and apostate who must be tried and sentenced according to what his words require.”