A tale of new censors - Vodafone UK, T-Mobile UK, O2 UK, and T-Mobile USA

by ioerror | January 18, 2012

The Right to Read is a fictional story, but it warns of a future that has already started to arrive; it paints a picture where information is controlled with a heavy hand and simply reading, let alone speaking, is an extremely dangerous activity. In the words of William Gibson, "The future is already here — it's just not very evenly distributed". Restrictions on the right to read through the Internet perfectly match this observation. A lot should be said about perceptions of censorship, and it is often thought that places like Syria or Iran are unique. Generally, people in the West hold that those countries obviously censor, as is consistent with the facts of life in a supposedly non-free country. This probably holds a lot of truth but it absolutely fails to address the core of the issue — these countries and those networks are not unique.

In fact, we find uncensored networks to be almost an abnormal state. The so-called free countries in the West often shape and tamper with network traffic. They often also log data and even collaborate with governments. Generally, people don't see evidence of this and as a result, they often perceive that their Internet connections aren't monitored or censored. These days are quickly coming to an end and while it sounds like hyperbole, here are examples in the United Kingdom and in the United States of America.

Recently it has come to our attention that our primary website is filtered by Vodafone in the UK, by 3 (three.co.uk) in the UK, by O2 in the UK, and by T-Mobile in the UK and the USA. It used to be the case that we only saw filtering and censorship events in places like Egypt, Syria, or Iran and now we're going to explore what those attacks look like in the context of the UK and the USA.

When a visitor uses a pre-paid account on the T-Mobile USA network and attempts to visit http://www.torproject.org/, they are redirected to a block page. This is enabled by default without the user's affirmative consent and only savvy privileged users may even attempt to disable this censorship. There is an informational page about the T-Mobile censorship system and it explains that this censorship may be disabled. We've heard reports that attempts to disable the censorship are not always successful and this certainly doesn't bode well for an easy and censorship-free Internet experience.

The T-Mobile USA network censorship appears to be simple to bypass: it appears to only trigger when a client sends Host: torproject.org on TCP port 80 and visitors that use HTTPS will probably not notice or be obviously impacted by their censorship.

This kind of censorship raises all kinds of interesting questions. I suspect it raises US legal and social questions as well. The Tor Project is a registered 501c3 non-profit corporation in the state of Massachusetts, and the block was experienced in California. Does this count as interfering with interstate commerce? What duty of care does T-Mobile USA have when it relies on systems or infrastructure funded by the public? What duty of care do they have as a common carrier?

Similarly, when a user on the UK Vodafone network visits http://www.torproject.org/ they are greeted by a block page as well. You can visit this block page without directly using their networks. Detecting their filters is straightforward and we see tampering at the sixth hop.

Here is a tcptraceroute to TCP port 80 of torproject.org from an Ubuntu machine connected to the Internet via Vodafone UK:

    Tracing the path to www.torproject.org (86.59.30.36) on TCP port 80 (www), 30 hops max
     1 192.168.1.1 2.379 ms 1.011 ms 1.313 ms
     2 10.252.225.61 90.998 ms 133.672 ms 95.963 ms
     3 10.252.224.186 78.865 ms 91.722 ms 91.415 ms
     4 * * *
     5 10.203.64.130 88.502 ms 73.259 ms 80.765 ms
     6 www.torproject.org (86.59.30.36) [open] 77.927 ms 152.599 ms 96.399 ms

Here is a normal traceroute to torproject.org from an Ubuntu machine connected to the internet via Vodafone UK:

    traceroute to www.torproject.org (86.59.30.36), 30 hops max, 60 byte packets
     1 192.168.1.1 (192.168.1.1) 9.669 ms 9.583 ms 9.460 ms
     2 10.252.225.61 (10.252.225.61) 98.084 ms 98.046 ms 98.224 ms
     3 10.252.224.219 (10.252.224.219) 98.760 ms 109.326 ms 109.261 ms
     4 host203.msm.che.vodafone (10.203.64.154) 109.087 ms 127.554 ms 127.426 ms
     5 * * *
     6 * * *
     7 * * *
     8 * * *
     9 85.205.0.110 (85.205.0.110) 180.920 ms 180.692 ms 180.652 ms
    10 85.205.0.109 (85.205.0.109) 180.659 ms 180.473 ms *
    11 85.205.116.5 (85.205.116.5) 260.480 ms * 85.205.116.1 (85.205.116.1) 152.107 ms
    12 92.79.213.157 (92.79.213.157) 152.265 ms 152.099 ms 151.808 ms
    13 92.79.209.210 (92.79.209.210) 151.453 ms 151.124 ms 92.79.203.254 (92.79.203.254) 151.129 ms
    14 vin-145-254-19-130.arcor-ip.net (145.254.19.130) 157.978 ms vin-145-254-19-126.arcor-ip.net (145.254.19.126) 119.699 ms 129.820 ms
    15 te3-1-vix-iec-c2.ix.sil.at (193.203.0.6) 129.999 ms 136.314 ms 136.338 ms
    16 86.59.118.145 (86.59.118.145) 136.033 ms 135.826 ms 135.666 ms
    17 www.torproject.org (86.59.30.36) 151.282 ms 118.185 ms 114.603 ms

We've additionally found that pre-paid T-Mobile UK accounts also experience censorship that is similar to T-Mobile USA. Detection of their filter is possible with some of the techniques that I've demonstrated, and it is quite trivial to see that TCP ports 80 and 443 are treated in a special way.

Here is a tcptraceroute to TCP port 80 of torproject.org from an Ubuntu machine connected to the Internet via T-Mobile UK:

    Tracing the path to torproject.org (38.229.72.14) on TCP port 80 (www), 30 hops max
     1 * * *
     2 10.126.241.49 305.721 ms 429.908 ms 449.875 ms
     3 10.70.16.221 480.031 ms 339.890 ms 429.951 ms
     4 10.70.17.87 480.447 ms 449.365 ms 439.979 ms
     5 vescum.torproject.org (38.229.72.14) [open] 459.935 ms 659.964 ms 449.849 ms

Here is a tcptraceroute to TCP port 443 of torproject.org from an Ubuntu machine connected to the Internet via T-Mobile UK:

    Tracing the path to torproject.org (86.59.30.36) on TCP port 443 (https), 30 hops max
     1 * * *
     2 10.126.241.53 357.474 ms 360.016 ms 389.772 ms
     3 10.70.16.217 490.136 ms 409.878 ms 359.945 ms
     4 10.70.17.87 469.956 ms 489.883 ms 389.868 ms
     5 www.torproject.org (86.59.30.36) 410.024 ms 420.494 ms 399.888 ms
     6 10.70.17.66 389.470 ms 429.923 ms 339.861 ms
     7 10.70.16.50 430.002 ms 349.850 ms 450.012 ms
     8 10.70.17.103 339.900 ms 389.836 ms 390.031 ms
     9 149.254.199.162 369.851 ms * 924.522 ms
    10 10.126.168.218 420.035 ms 379.878 ms 409.968 ms
    11 xe-1-3-2-19.lon10.ip4.tinet.net (77.67.73.209) 469.942 ms 480.002 ms 499.940 ms
    12 xe-5-3-0.vie20.ip4.tinet.net (89.149.180.6) 399.851 ms 379.892 ms 379.929 ms
    13 silver-server-gw.ip4.tinet.net (77.67.82.234) 419.899 ms 479.926 ms 449.923 ms
    14 www.torproject.org (86.59.30.36) 389.925 ms 449.789 ms 549.993 ms
    15 www.torproject.org (86.59.30.36) [open] 419.869 ms 469.997 ms 479.839 ms

Compare with a normal traceroute to torproject.org from an Ubuntu machine connected to the Internet via T-Mobile UK:

    traceroute to torproject.org (38.229.72.14), 30 hops max, 60 byte packets
     1 * * *
     2 10.126.241.49 (10.126.241.49) 99.671 ms 99.856 ms 159.584 ms
     3 10.70.16.221 (10.70.16.221) 179.672 ms 190.046 ms 159.760 ms
     4 10.70.16.50 (10.70.16.50) 190.250 ms 179.356 ms 90.611 ms
     5 10.70.17.103 (10.70.17.103) 90.565 ms 110.275 ms 90.508 ms
     6 149.254.199.162 (149.254.199.162) 110.476 ms 110.449 ms 110.391 ms
     7 10.126.168.214 (10.126.168.214) 70.022 ms 70.062 ms 60.303 ms
     8 xe-1-3-2-19.lon10.ip4.tinet.net (77.67.73.209) 60.322 ms 69.380 ms 69.383 ms
     9 * * *
    10 limelight-lon-gw.ip4.tinet.net (213.200.77.118) 59.798 ms 60.535 ms 179.659 ms
    11 tge11-1.fr4.lga.llnw.net (69.28.172.149) 240.999 ms 221.715 ms 221.191 ms
    12 tge14-4.fr4.ord.llnw.net (69.28.189.53) 230.570 ms 229.966 ms 210.814 ms
    13 tge7-1.fr3.ord.llnw.net (69.28.172.41) 210.575 ms 200.446 ms 199.453 ms
    14 ve8.fr3.ord4.llnw.net (68.142.80.130) 169.521 ms 148.181 ms 168.037 ms
    15 cymru.tge6-3.fr3.ord4.llnw.net (68.142.73.198) 248.264 ms 229.474 ms 249.066 ms
    16 vescum.torproject.org (38.229.72.14) 249.289 ms 249.234 ms 259.448 ms

In the examples above we see that T-Mobile UK treats TCP port 80 in a special manner and effectively stops users from reaching our web site. This is an attack against users who attempt to connect to our infrastructure. This attack, while primitive, demonstrates an active and malicious action on the part of the above-named Internet providers.
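The hop comparison made by eye in the traces above can be automated. The Python below is an added example, not code from the original post or from the Tor Project; the function names and the three finding labels are assumptions chosen here, and the embedded input is the Vodafone UK pair of traces shown earlier (IPv4 output only).

```python
import ipaddress
import re

# Traces copied from the Vodafone UK output earlier in this post (IPv4 only).
TCP80 = """\
Tracing the path to www.torproject.org (86.59.30.36) on TCP port 80 (www), 30 hops max
1 192.168.1.1 2.379 ms 1.011 ms 1.313 ms
2 10.252.225.61 90.998 ms 133.672 ms 95.963 ms
3 10.252.224.186 78.865 ms 91.722 ms 91.415 ms
4 * * *
5 10.203.64.130 88.502 ms 73.259 ms 80.765 ms
6 www.torproject.org (86.59.30.36) [open] 77.927 ms 152.599 ms 96.399 ms
"""
BASELINE = """\
traceroute to www.torproject.org (86.59.30.36), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 9.669 ms 9.583 ms 9.460 ms
2 10.252.225.61 (10.252.225.61) 98.084 ms 98.046 ms 98.224 ms
3 10.252.224.219 (10.252.224.219) 98.760 ms 109.326 ms 109.261 ms
4 host203.msm.che.vodafone (10.203.64.154) 109.087 ms 127.554 ms 127.426 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 85.205.0.110 (85.205.0.110) 180.920 ms 180.692 ms 180.652 ms
10 85.205.0.109 (85.205.0.109) 180.659 ms 180.473 ms *
11 85.205.116.5 (85.205.116.5) 260.480 ms * 85.205.116.1 (85.205.116.1) 152.107 ms
12 92.79.213.157 (92.79.213.157) 152.265 ms 152.099 ms 151.808 ms
13 92.79.209.210 (92.79.209.210) 151.453 ms 151.124 ms 92.79.203.254 (92.79.203.254) 151.129 ms
14 vin-145-254-19-130.arcor-ip.net (145.254.19.130) 157.978 ms vin-145-254-19-126.arcor-ip.net (145.254.19.126) 119.699 ms 129.820 ms
15 te3-1-vix-iec-c2.ix.sil.at (193.203.0.6) 129.999 ms 136.314 ms 136.338 ms
16 86.59.118.145 (86.59.118.145) 136.033 ms 135.826 ms 135.666 ms
17 www.torproject.org (86.59.30.36) 151.282 ms 118.185 ms 114.603 ms
"""
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_trace(text):
    """Return (destination_ip, {hop_number: [responder_ips]}) for one trace."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = IP_RE.search(lines[0])          # the header line names the target
    if header is None:
        raise ValueError("no destination address in header line")
    hops = {}
    for line in lines[1:]:
        num, _, rest = line.partition(" ")
        if num.isdigit():                    # "host (ip)" pairs are de-duplicated
            hops[int(num)] = list(dict.fromkeys(IP_RE.findall(rest)))
    return header.group(0), hops


def first_hop(hops, pred):
    """Lowest hop number with a responder address satisfying pred, else None."""
    return min((n for n, ips in hops.items() if any(map(pred, ips))), default=None)


def compare(tcp_text, baseline_text):
    """Flag a TCP trace that 'reaches' the target sooner than the baseline allows."""
    dest, tcp = parse_trace(tcp_text)
    base_dest, base = parse_trace(baseline_text)
    if dest != base_dest:
        raise ValueError("traces target different addresses")
    tcp_hop, base_hop = (first_hop(h, lambda ip: ip == dest) for h in (tcp, base))
    # First globally routable responder on the baseline: where the path visibly
    # leaves the carrier's private address space.
    edge = first_hop(base, lambda ip: ip != dest and ipaddress.ip_address(ip).is_global)
    checks = [("short-path", base_hop), ("answered-inside-access-network", edge),
              ("destination-seen-mid-path", max(tcp, default=0))]
    findings = [name for name, limit in checks
                if tcp_hop is not None and limit is not None and tcp_hop < limit]
    return {"dest": dest, "tcp_hop": tcp_hop, "baseline_hop": base_hop,
            "first_public_hop": edge, "findings": findings}


if __name__ == "__main__":
    print(compare(TCP80, BASELINE))
```

A short TCP path on its own is also what a transparent caching proxy produces, so these findings show that something inside the access network answered for the destination; the block page returned over that connection is what shows filtering.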

We've additionally seen reports of the UK O2 network blocking connections to http://www.torproject.org/ in exactly the same way that Vodafone UK blocks access. The O2 filter has been covered in the popular media in the recent past and we're sad to hear that they've decided to include Tor's website in their race to the bottom.

In all the above cases we do not see DNS tampering but rather outright Man-In-The-Middle attacks against connections to our web server. These censorship systems do not currently implement a Man-In-The-Middle attack against the SSL services offered by our web server. It is not much of a stretch of the imagination to think that such an action may be a future plan; we've seen it elsewhere.

Current users of the Tor network are not impacted by this filtering, but these networks are attempting to deny new users the ability to start using Tor without extensive efforts. You can view their filter page without using their service; the exact block page is also available externally. It appears that it is possible for users to disable this censorship by providing a credit card as a proof of age. This is not exactly a privacy-friendly tactic. The O2 Twitter account contacted me and said they were willing to review their censorship policy for torproject.org but they did not offer to remove the censorship entirely.

This trend of providing partially censored Internet in what we all think of as free countries is alarming. Are we supposed to look the other way because the mobile Internet isn't the same as the "real" Internet? Should we worry that Vodafone's capabilities and behavior here remind us of what they did in Egypt last year? It would seem that the war over network neutrality is far from won.

(Investigation and research thanks go to Andrew Lewman, Steven Murdoch and Runa Sandvik of the Tor Project, SiNA of RedTeam LLC, Jim Killock, Lee Maguire, Peter Bradwell of the Open Rights Group and their project blocked.org.uk and Richard Clayton from the University of Cambridge.)

Comments

Please note that the comment area below has been archived.

January 23, 2012

I have just accessed your primary website from my mobile on 3 UK. I was on 3G and not WiFi. I can happily provide screenshots to prove this. What happens is that the HTTP (port 80) request gets automatically changed to a HTTPS (port 443) request, and then connects as it should without being blocked.

January 24, 2012

In reply to Runa

Your site is blocked for me on a 3 contract phone in Cornwall :(

Title: Site Blocked

Page:

"img
Sorry, we were unable to
retrieve this web site for you.

-> My 3
> Internet
v Services
^ TOP OF PAGE"

January 23, 2012

Sorry but I'm posting this comment from my mobile in Scotland, which uses the 3 network for 3G, and I don't have any problem accessing this website.

January 25, 2012

In reply to Runa

I am on 3 (PAYG) in Scotland, and I cannot access http://www.torproject.org/. Instead, I get redirected to a page on three.co.uk that says "Sorry, we were unable to retrieve this web site for you". Using HTTPS works.

January 23, 2012

They are about to do sooo much worse in the UK. ISPs will have to check every data packet through their servers for illegal content.

January 23, 2012

Credit card they ask? Only happens on prepaid service... Easy to see they're only after signups... lol

January 23, 2012

Yup, Three UK, pay monthly works fine - http becomes https and the world carries on.

That Vodafone block page looks like the one you get if you try to access 18+ content - has anyone tried turning this off, then trying? It's in Vodafone's interest to block Tor as it can be used to bypass their web filters, which is still inexcusable. If someone needs web filters, they should not be on the Internet.

January 23, 2012

It really strikes me just now how this will affect people who are just users and have close to no knowledge about how the internet works, and how they, because of ignorance, will just let that happen and say "OK, it's broken, next web page..."

Even if we program apps to bypass these blocks, even with all the media coverage this is getting, I guess that 80% if not more of people will not go out of their way to try and "fix" this.

Not everyone is going to look for a tutorial on how to bypass a block on some website, and find out he/she has to download and install an app for it to work; that's why I hope we can eradicate these "laws".

I say all this being in a country which is not first world (lucky me??) and doesn't have so many restrictions, even to the point that TV series use Hollywood blockbusters' soundtracks.

I hope we can prevent instead of trying to fix.

January 24, 2012

Working fine on Vodafone UK. Could be the overzealous 18+ content bar at work but I turned that off. No trouble accessing your site at all.

I don't use any of those networks, so cannot check. But if torproject.org access requires looking up how to disable 'parental guidance' filter, then most adults can work that out. The parent of a child should look up how to "lock" this filter. And if more than casually paranoid of their child seeing nasty on the net, then the parent should keep their (unminded) child off the net.
in my opinion...

January 24, 2012

I can get to torproject.org on an O2 monthly contract BUT I have proved I am an adult and asked for the adult website block to be removed...

January 24, 2012

This is odd. Telefonica own both O2 and giffgaff in the UK. You say that O2 blocks the Tor project website but here I am on giffgaff (checking to ensure its using the mobile internet connection and it is) and I can access Tor fine without any restrictions. Hmm... Same company, O2 blocks, giffgaff don't. Strange...

January 24, 2012

I can access your site via T-Mobile in the UK without any problems (this is a contract phone). I can also see it via a Pay as you Go dongle from Three. I'm also in Scotland. Is the problem only in England? I find that very strange to be honest.

January 25, 2012

I can access the Tor Project website just fine on Vodafone UK 3G. This is a pay monthly contract SIM, and I've had them remove the adult content restrictions, though.

January 25, 2012

something out of nothing....

Tor-project has been associated with enabling access to distribution of images of child abuse (as most anonymous networks eventually discover)

which is not to say tor-network is directly responsible, they just facilitate.

Do yourself a favour and go look up IWF on google.

January 25, 2012

That doesn't surprise me at all. Sadly the net isn't actually free; everyone can check, using traceroute, how ISPs are monitoring and filtering packets. From what I have seen, it isn't something new.
That's where money and power lead.

January 27, 2012

Is it just me, or has online privacy been under intense attack this year? It's still January and I've seen something on almost every front in a large number of countries.

yes Sir. seems like privacy is under attack.
cherry on the cake, Google's new policy, here is the link: https://www.google.com/intl/en/policies/privacy/preview/

It will be effective March 1, 2012 and the level of paranoia there seems to be very very high ... for example: "telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls."

THAT'S CRAZY.

January 27, 2012

To people who are saying "It works for me on my contract phone" - Did you read the article? It says users on a pre-paid account are the ones being blocked. I.E., you are supposed to give up your anonymity in order to view the internet uncensored.

Denying civil rights to people under 18 is used as the excuse for denying anonymity to everybody else.

February 01, 2012

I've already given up television. Look out computer profiteers. A lot of us old folks will just DO WITHOUT THE COMPUTER AND THE INTERNET !!!!!! You don't need it to live. We will be better off if everyone BUYS LOCALLY anyway. The internet makes that not happen as much. Let's go back to a simple lifestyle without computers, isps, or all the "updates". As of March 1st, I will cancel my internet service and have one less bill----actually, many less bills considering all the software updates, etc. I urge everyone to do the same. Let's bring these people to their knees. This is a luxury, not a necessity. I mainly use it to shop----don't really need those things anyway. Now, I'm afraid to do any business on the internet and as of March 1st, I'm out of here!!!!! My computer will just become a digital picture holder........word processor. Nothing needs to be sent over the internet anyway---we have fax machines, we have snail mail, and I have an old fashioned phone without internet access----when they start making me have internet access on the phone, I will do away with that too. Yes, I would pay extra for an ISP who had a browser that ensured privacy. If that can't happen, it would be hilarious if all the internet companies failed because of their GREED!!!!!!

Becoming neo-luddites is not the solution, especially when you make a living off the internet and are passionate about it. Technology takes a lot of space in people's lives in 2012 and that's where the fight for freedom is happening. That's how people organize faster and more efficiently. The old utopian dream of living in the woods with no electricity doesn't make sense when you think that most of the earth's remote locations are being invaded and polluted by man. I'd rather live in space if you ask me. Well even space is filled with space junk. Alright, I'll live in my head then and become schizophrenic and hooked on meds...

February 01, 2012

ioerror, first, thank you for all of your hard work on the project. many of us using Tor for years have not contributed. There have been, over the last 18 months especially, some issues with Torproject which are making a lot of us uneasy. A few minor indicators to start: Torproject required me to allow cookies to be installed on my machine in order to post this reply. Tor's tutorial vids are posted on YouTube and require users to install Flash software on their machines, a suicidal move no Tor user would make. Your own blog states that "this site makes heavy use of javascript." The hardest part, based on your accurate observations [quoted below] follows:
Torproject devs are getting almost all of their funding today, millions of dollars, from the American Federal government, along with some nebulous "anonymous NGO." Despite inquiries, Torproject has refused to reveal the "donor requested" alterations to TBB and Tor. They have also refused to say exactly why they are receiving millions of dollars from the Feds. This all looks very bad.

per ioerror's fine article:
"They often also log data and even collaborate with governments. Generally, people don't see evidence of this and as a result, they often perceive that their Internet connections aren't monitored or censored. These days are quickly coming to an end and while it sounds like hyperbole, here are examples in the United Kingdom and in the United States of America."

February 03, 2012

Ridiculous that this is happening anywhere in the world, but it seems that this is 'par for the course' with some companies, who 'filter'/ban anyone who dares to challenge certain public viewpoints.

February 06, 2012

Hi there ioerror! I find your above remarks about censorship simply naïve and disingenuous.

You couldn’t not be aware that most [99%] sites who allow commentary will filter same through their moderator/admin system just as this Tor blog site does with remarks, comments and suggestions in order to censor that with which it disagrees or finds personally egregious!

I today read http://www.bbc.co.uk/news/mobile/uk-16900108 that British MPs are very concerned about terrorism from the extreme right and that they say “internet service providers should make greater efforts to remove violent extremist material.” Is that not censorship from the very body that professes to hold it in abhorrence? They refuse to sully their hands and expect ISPs to work without legislated guidance. And when someone complains these same MPs will throw up their hands in dismay and condemn these ISPs for taking the law into their own hands…

Censorship is [unfortunately] ubiquitous - some overt and some covert and the www, from my point of view, is an enabler of censorship. Assange, for example, also has his own hidden agenda and won’t tolerate any deviation from this. The “anonymous” hacktivists too are censors who try to stifle anyone whom they find offensive or in opposition to their secret programme.

What we are really attempting is to negotiate the degree/level of censorship or tolerance commensurate with our personal comfort zones and we’re not doing it very successfully.

I trust y’all now get the point and will, in the future, restrain yourselves from exacerbating the current situation. If’n you don’t wanna then it would be, of course, hypocritical!

Thanks for y’alls attention.

February 11, 2012

Pay As You Go on Three (3) allows access to Tor Project under Tor https: but blocks links to Tails.

I find that a large range of tech sites that contain content that might help you understand how to bypass their filtering are also blocked. All adult sites redirect to Three's pornography service asking for credit card details.

Personally I don't believe this is done to protect children. That could be done easily by refusing to sell phones to under 18's in UK (same as alcohol, knives, etc). Three's intention is to data mine (by getting credit card details) and sell their porn service.

If parents want their children's content filtered then OPT-IN to censorship. Stop curtailing my freedom for the sake of irresponsible parents.

April 27, 2012

I'm getting mixed messages from different T Mobile customers that my own blog is blocked by Web Guard. If you're a T Mobile customer could you try to access my site with WG turned on & turned off & tell me what you discover:

http://www.richardsilverstein/tikun_olam/

I don't find my site on the T Mobile Ooni list so I'm wondering whether I'm really blocked or not.

May 14, 2012

I'm on Vodafone PayG and managed to get around the block simply by using Orbot, the Android Tor app, and a superuser phone. I can now access every previously blocked site.

I'm even using tor now, however it was blocked beforehand.

May 15, 2012

img
Sorry, we were unable to retrieve this web site for you.
image
> My 3
> Internet
Services
^ TOP OF PAGE

3 UK SIM Add ons !

Some sites are blocked :( How can I fix it?

May 23, 2012

I'm trying to use Orbot on a Vodafone Romania contract. I'm using ICS and Orbot works on Wi-Fi and not on 3G. How can they block Orbot? The phone is rooted.
No connection can be established. The error in browser:
"Connection problem.
A network eroor ocurred.
Ok"
I'm trying to use Orbot because of another filtering they are applying, on VOIP applications. I cannot use Viber because of this.