Big Tech could help Iranian protesters by using an old tool
After the Iranian government took extreme measures against internet use to stem the pro-democracy demonstrations that have filled Iranian roads since mid September, tech companies from Western countries scrambled for access to Iranian citizens.
Signal asked its users to help run proxy servers with support from the company. Google offered credits to help Iranians get online using Outline, the company’s own VPN. And in response to a post by US Secretary of State Antony Blinken on Iran’s censorship, Elon Musk quickly tweeted: “Activating Starlink …“
But these workarounds aren’t enough. Though the first Starlink satellites have been smuggled into Iran, restoring the internet will likely require several thousand more. Signal informs MIT Technology Review that it has been hampered by “Iranian telecommunications provider preventing some SMS validation codes being delivered.” Iran has already shut down Google’s VPN. This is what happens when a single VPN becomes too popular (plus Outline, unlike many VPNs, costs money).
Nima Fatemi from Kandoo, a global cybersecurity nonprofit, says that there is no reliable way for Iranian users to find these proxy servers. They are being promoted on social media networks that are banned in Iran. He said that while he appreciated their efforts, “it feels half baked and half-assed .”.”
Some pro-democracy activists, and experts on digital freedom, believe that Big Tech could do more. It has been overlooked, even though many major service providers offered it until a few years back.
“One thing people don’t talk about is domain fronting,” says Mahsa Alimardani, an internet researcher at the University of Oxford and Article19, a human rights organization focused on freedom of expression and information. It’s a technique developers have used for years to avoid internet restrictions such as those that make it extremely difficult for Iranians communicate safely online. Domain fronting is basically a way for apps to disguise traffic directed towards them. For example, when someone types a site in a web browser, this technique can step into that bit browser-to-site communication to scramble what the computer sees back end to hide the site’s true identity.
In the days before domain fronting, “cloud platform were used for circumvention,” Alimardani says. From 2016 to 2018, secure messaging apps like Telegram and Signal used the cloud hosting infrastructure of Google, Amazon, and Microsoft–which most of the web runs on–to disguise user traffic and successfully thwart bans and surveillance in Russia and across the Middle East.
But Google and Amazon discontinued the practice in 2018, following pushback from the Russian government and citing security concerns about how it could be abused by hackers. Now activists working at the intersection between technology and human rights believe that Big Tech could use the technique to quickly get Iranians online, with some tweaks.
Domain Fronting is a good place to begin if tech giants really want help, Alimardani states. They should be investing in circumvention technology and having stamped out domainfronting is really not an attractive Domainfronting could be a crucial tool to help activists and protesters stay in touch for safety and planning purposes and to update their families and friends during dangerous periods. “We recognize the possibility that we might not come back home every time we go out,” says Elmira, an Iranian woman in her 30s who asked to be identified only by her first name for security reasons.
Still, no major companies have publicly said they will consider launching or restoring the anti-censorship tool. Google and Microsoft were the only major service providers that allowed domain fronting. The third, Amazon, directed MIT Technology Review to a 2019 blog post in which a product manager described steps the company has taken to minimize the “abusive use of domain fronting practices.”
“A cat-and-mouse game”
By now, Iranian citizens largely expect that their digital communications and searches are being combed through by the powers of the state. Elmira says that “they listen and control almost every communication in order to counter demonstrations.” “It’s almost like we’re being suffocated This is not a new phenomenon in the country. But it’s reached a crisis point over the past two months, during a growing swell of anti-government protests sparked by the death of 22-year-old Mahsa Amini on September 16 after Iran’s Guidance Patrol–more commonly known as the morality police–arrested her for wearing her hijab improperly. “The world realized that the issue of hijab, which is something I believe is a personal choice for many young girls, could become an incident in which a young girl can lose their life,” Elmira said.
According to rights groups, over 300 people, including at least 41 children, have been killed since protests began. The crackdown was particularly brutal in largely Kurdish west Iran, where Amini is from and Elmira currently lives. The regime has used the internet to further crush dissent by severely restricting access. Elmira states that this is not the first time that internet services have been interrupted in Iran. “The reason for this action is the government’s fear, because there is no freedom of speech here.”
The seeds of today’s digital repression trace back to 2006, when Iran announced plans to craft its own intranet–an exclusive, national network designed to keep Iranians off the World Wide Web.
This is very difficult to do,” says Kian Vensteinsson, senior analyst at the global democracy nonprofit Freedom House. It requires replicating the global infrastructure using domestic resources and limiting global web access. The payoff is “digital space that are easier to control and monitor,” Vesteinsson states. Of the seven countries trying to isolate themselves from the global internet, Iran is the furthest along today.
Iran debuted its National Information Network in 2019, when authorities hit a national kill switch on the global web amid protests over gas prices. During a week when the country was electronically cut off from the rest of the world, the regime killed 1,500 people. The bloody week saw Iran’s economy lose more than a billion dollars, which relies on greater connectivity to do business.
Although Iran has cut off access to some parts of the internet, it has not shut down the entire internet. It is instead pursuing censorship strategies that suppress dissent and preserve the economy. Rolling “digital curfews,” which are enforced from 4 p.m. to the early hours of the morning, make it extremely difficult for the internet to be accessed during protests.
The government has blocked many popular apps like Twitter, Instagram, Facebook and WhatsApp in favor of local copycat applications where search and messages are not private.
” The messaging apps we use like WhatsApp have a certain degree of protection embedded into their coding,” Elmira states. They make us feel more at ease. They are not under the government’s control, so they restrict access .”
The Iranian regime is also aggressively closing down VPNs. These VPNs were a lifeline to many Iranians and the most popular censorship workaround. About 80% of Iranians use tools to bypass censorship and use apps they prefer. An Iranian woman, who requested anonymity to protect her identity, told me that even her grandpa knows how VPN apps are installed. To stop VPN use, Iran’s government invested heavily in “deep pack inspection,” a technology which can see into the fine print of internet traffic to identify and shut down almost any VPN at any given moment.
That has created a “cat and mouse game,” according to Alimardani, an internet researcher. She says that you should be offering thousands of VPNs to ensure that some VPNs are available even though Iran blocks others. Activists don’t have enough VPNs. This makes it difficult for Iranians to coordinate protests or communicate with the outside world as the death tolls rise.
Domain fronting to beat censors
Domain fronting works by concealing the app or website a user ultimately wants to reach. It works in a similar way to putting a properly addressed postcard in a package with a different destination and having someone hand-deliver it.
The technique is attractive because it’s implemented by service providers rather than individuals, who may or may not be tech savvy. This makes it more difficult for governments to pursue censorship. It is impossible to ban domain-fronted apps unless the entire web hosting provider that the app uses is shut down. This will bring down a lot of other apps and websites. Domain fronting by companies like Google, Amazon, and Microsoft would cause countries to block access to undesirable apps.
There’s no way to pick Telegram. Erik Hunstad (CTO of SixGen), a cybersecurity expert, says that this is the power of it.
Nevertheless, in April 2018, Russia blocked Amazon, Google, and a host of other popular services in order to ban the secure-messaging app Telegram, which initially used domain fronting to beat censors. These disruptions made it unpopular with all Russians, not just activists who liked the app.
The Russian government, in turn, exerted pressure on Amazon and Google to end the practice.
In April 2018, the companies terminated support for domain fronting altogether. Alimardani states that “Amazon & Google just completely disabled [this potentially extremely useful service],” Alimardani said.
Google made the change quietly, but soon afterwards, it described domain fronting to the Verge as a “quirk” of its software. In its own announcement, Amazon said domain fronting could help malware masquerade as standard traffic. Hackers could also abuse the technique–the Russian hacker group APT29 has used domain fronting, alongside other means, to access classified data.
Still, Signal, which began using domain fronting in 2016 to operate in several Middle Eastern countries attempting to block the app, issued a statement at the time: “The censors in these countries will have (at least temporarily) achieved their goals.”
“While domain fronting still works with domains on smaller networks, this greatly limits the current utility of the technique,” says Simon Migliano, a digital privacy expert and head of research at Top10VPN, an independent VPN review website.
(Microsoft announced a ban on domain fronting in 2021, but the cloud infrastructure that enables the technique is intact. Earlier this week, Microsoft wrote that, going forward, it will “block any HTTP request that exhibits domain fronting behavior.”)
Migliano echoes Google in describing domain fronting as “essentially a bug,” and he admits it has “very real security risks.” It is “certainly a shame” that companies are revoking it, he says, “but you can understand their position.”
But Hunstad, who also works in cybersecurity, says there are ways to minimize the cybersecurity risks of domain fronting while preserving its use as an anti-censorship tool. He explained that domain fronting could be allowed by Google, Amazon, and Microsoft for certain apps like WhatsApp or Telegram. However, this is not prohibited by any other network.
Hunstad believes that it is not technical limitations that are keeping big providers from enabling domain fronting. They are caught between the pressure of authoritarian governments, and the outcry of activists. He speculates that financial imperatives may also be part of the equation. If I host my website with Google and they decide to allow this for Signal and Telegram or across the board–then I may have less reach.” Hunstad states. “I’ll just move to the provider that isn’t doing it, and Google will have a business effect.” Hunstad says that the likelihood that Amazon or Google will restore domain fronting is dependent on “how cynical” you are about their profit motives and their good intentions for this world.
While Fatemi, from Kandoo, argues that restoring domain fronting would be helpful for Iranian protesters, he emphasizes that it wouldn’t be a silver bullet.
“In the short-term, if they can relaxdomain fronting so people, for instance, can use Signal or people can connect via VPN connections, that would make a tremendous difference,” he said. He suggests that companies like Google could work with non-profits that are skilled in deploying tech in difficult situations to speed up the process.
But Big Tech companies also need to commit a bigger slice of their resources and talent to developing technologies that can beat internet censorship, he says: “[Domain fronting is] a Band-Aid on a much larger problem.
Until the world finds a lasting solution to authoritarian attempts at splintering the global web, tech companies will have to resort to reactive strategies. “There must be a whole set of VPNs and circumvention tools, because they are doing something very sophisticated,” Alimardani states. Google is one of the most powerful and richest companies in the world. One VPN is not enough .” So, seven weeks after Iran’s protests began, internet access and VPN access are still restricted, restrictions are not slowing down, and domain fronting is dead. The biggest burden is on the frontlines.
” “The conditions are terrible here,” Elmira says to me. It is difficult to verify massacres and it has made it more difficult to support protests and other activism.
To counter the demonstrations they cut off our access the internet and social media.” she said.
But Elmira is determined. She says, “I, myself and many of my friends now leave with no fear.” “We are aware that they may shoot us. But it is worth taking this risk and to go out and try our best instead of staying home and continuing taking this.”
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.