“Geographies of Tor.” Image by Stedano Desabatta via Wikimedia (CC BY-SA 4.0)

The hashtag #GoIBlocks (Government of India Blocks) was resurrected on social media in late December 2014 after the Indian government ordered all Internet service providers (ISPs) in the country to censor 32 websites — including Github, Vimeo, Dailymotion, the Internet Archive, Sourceforge — that allegedly were used by ISIS members to upload violent or propagandist content. In the wake of heavy criticism and media coverage of the blocking, those websites that cooperated with the Indian government and removed the controversial content have begun to get unblocked.

Together with a group of tech expert friends in Berlin, I spent some days researching the techniques that Indian ISPs used to comply with the censorship order, verify the reach of the blocking, and measure its effectiveness. We found that censorship was in fact enforced at a national level across all the ISPs we were able to test, but also that the implementation was irregular and differed largely from one provider to another (full results here). Blocking can vary in complexity and efficacy — it can be mild and easily bypassed, or more invasive and resilient. As regulations rarely enforce one technique over the other, ISPs ultimately have the authority to determine what is the best and most efficient way to comply with government orders. Indian ISPs are doing it all.

We observed some providers using DNS hijacking, which consists of monitoring requests to resolve the blocked domains (github.com or pastebin.com for example) and simply redirect the visitor to a host controlled by the provider instead of the original websites. But users can work around this simply by changing their DNS settings. Other providers are employing IP blocking and directly denying access to all the hosts belonging to the censored website, so that even changing DNS settings won't circumvent the block. Still others are instead using Deep Packet Inspection (DPI), which actively dissects the traffic of the users to recognize unauthorized content and block it. That's the most invasive of all.

If you operate an Internet Service Provider, you need to stand by your customers, protect their privacy and defend their freedom of access to information. Establishing unnecessary invasive technology contributes to the creation of a larger infrastructure of control, an open hole for abuses you'll be forced to execute. The deeper the controls you have in place, the higher the chances that governments will try to mandate their use, even against your wishes. You are not required to choose the most invasive option. Do not deploy a proxy if you don't have to. Do not deploy DPI equipment if you can do without. Strip yourself of as many instruments of control as you can and reduce your capacity to monitor and to censor to the bare minimum. Don't block access to Tor.

If you receive a censorship order, comply with the law but demonstrate your commitment to fairness and transparency to your customers, publish the order, and inform your users appropriately. Use the law as leverage to appeal the order. Take advantage of all your legal resources to question the legitimacy of censorship. Many others have succeeded in the past in doing so. A recent example was set by some Dutch providers who have been appealing for years against the censorship of The Pirate Bay and finally managed to nullify the order and lift the block.

If you're a consumer and websites you visit are blocked, contact your ISP, ask what their reason is and what they are doing about it. Demand that they voice your concerns to the government, that they remain neutral and that they fight to enable you the access to information, and not give up or be complicit in blinding it. In the meantime resist censorship and circumvent it.