Information Controls: Iran's Presidential Elections


Introduction

Information Controls: Iran's Presidential Elections is a collaboration between ASL19 and Psiphon. It evaluates the role and impact of information controls during the Iranian Presidential elections in 2013. This report utilizes a mixed method approach of examining both political events and data from Psiphon3 usage in Iran. The report looks at three periods, Pre-Elections, Elections, and Post-Elections to show how, when, and why "Just-in-Time Information Controls" were implemented. Findings in this report show a correlation between significant political events during the elections and the tampering with the flow of information by the authorities. For example, Psiphon3 data shows that deep packet inspection was implemented days before registration of presidential candidates and network throttling started on the day of announcing qualified candidates. Finally, this research documents how information controls affect the online experience of Iranian Internet users.

Psiphon3 and Research Data

Psiphon3 is a free and open source circumvention tool that utilizes VPN, obfuscated SSH and HTTP Proxy technology to provide uncensored access to Internet content. Psiphon3 uses a content delivery network, where different sponsored clients provide a specific website (landing apge) upon connecting to Psiphon servers. Content providers distribute their own sponsored clients to their own users who want to regularly access their website and content. Understanding how the landing page delivery system works is an important aspect of measuring Psiphon usability and how implemented information controls such as deep packet inspection and network throttling affect its users access to information online. When analyzing Psiphon3's data it is important to note that each Psiphon3 connection also counts as one pageview.

The primary data sets used in this research are: (1) Daily Unique-Users, (2) Daily Pageviews, and (3) Daily Connections. In addition, to show the experience of a Psiphon3 user, the following data sets are created: (A) Average Connections per User and (B) Average Pageviews per each Connection, and (C) Average daily Pageviews per User.

Avg. Connections/User x Avg. Pageviews/Connection = Avg. daily Pageviews/User

Psiphon is currently available for Windows and Android operating systems and the data analyzed and shown here is an aggregation of both.

The following chart is an overview of the average daily experience of a Psiphon3 user between March 1 - August 30, 2013:

Pre-Election: March 1 - April 30, 2013

"Illegal" VPNs are blocked in Iran: March 6 - 9, 2013

Starting on March 6th, Iranian Internet users started reporting on Social Media [ twitter ] and through Psiphon's feedback emails that their VPNs were no longer working. At the time, VPNs were the most popular and widely used circumvention method in Iran and this sudden change left many Internet users who relied on VPNs for circumventing censorship and imposed international sanctions searching for alternative methods. Similar sudden disruptions and changes in Internet controls, such as blocking SSL () have been a normal occurrence in Iran post-2009 elections. This however seemed to be part of Iran's plans of implementing the National Information Network project and had been hinted at by the officials as early as January of the same year.

News of VPN blocking became official on March 9th when Ramezanali Sobhani-Fard, the head of parliament's Information and Communications Technology Committee, told Mehr news agency that "Within the last few days illegal VPN ports in the country have been blocked, only legal and registered VPNs can from now on be used" [Source]. Earlier in January of 2013, the general secretary of Iran's Supreme Council of Cyberspace, Mehdi Akhavan Behabadi, had announced that soon registration for "legal" state-approved VPNs will start. Mentioning that while use of VPNs and other circumvention tools are illegal, certain organizations and institutions such as banks, embassies and universities require using VPN services for security and academic reasons and therefore they would be soon able to register for these "legal" VPNs through a registration portal. [ Small Media's Jan/Feb Iranian Internet Infrastructure and Policy Report]. The same report, released just days after VPNs were blocked in Iran on March 8th, had predicted that access to the widely available 'illegal' VPNs will likely be blocked when the 'legal' VPN registration is implemented, "When Supreme Council of Cyberspace promotes new policies on the registration of VPNs, we can expect that unregistered VPN connection will be blocked and throttled."

As a result, Internet users in Iran began looking at other methods and tools to bypass censorship, turning their attention to free and available methods like Psiphon, Freegate, Socksifier and Web proxies. Psiphon3's multi-protocol design allowed it to not to be completely affected by this change, where its VPN protocol were blocked, its obfuscated SSH protocol allowed for a viable alternative to connect to Psiphon network and bypass censorship. In the following months, Internet users began to join.

The graph below shows Psiphon's growing popularity among Iranian Internet users after March 6:

Iran's cyber police [FATA] issues 20 new requirements to Internet cafes: April 2, 2013

Blocking VPNs were followed by many new policies set out to control old and new media in the lead up to the elections. One of these new regulations included a new set of guidelines imposed on cybercafes, still a popular place to access Internet in many cities in Iran. According to these new requirements, cybercafes were asked to keep detailed records of when and how their customers used the Internet, including a list of the websites they visited and logs to be kept for a minimum of six months. In addition, it has been emphasized that the use of VPNs and any other types of circumvention tools is also forbidden. (complete list of regulations)

The sudden drop in Psiphon traffic and users on April 2nd is due to the 13 bedar holidays where people celebrate the end of the Nowrouz celebrations by spending the day in Nature and away from computers. However the introduction of the new requirements signals the beginning trends of attempts to police the Internet as authorities neared the elections.

University research center warns against using Psiphon: April 16, 2013

In light of Psiphon's growing popularity among users, Computer Emergency Response Team of Academic Protection and Awareness at Isfahan University [APA-IUTCert] published a report warning users against using Psiphon3. Mehdi Behrouzi, deputy director of APA-IUTCert's team the told Islamic Republic News Agency (IRNA) that recent research shows Psiphon steals information saved on computers, laptops, and mobile phones. Behrouzi also noted that Symantec anti-virus identifies this tool as a malware and urged Iranians to avoid using this circumvention tool on their computers and mobile phones.

Behrouzi confirmed that after the blockade of VPN ports in Iran, Psiphon is increasingly being advertised in cyberspace, and is widely used to access blocked websites such as Facebook, and BBC Persian. According to Behrouzi, Psiphon developers do not aim to facilitate the free flow of information, but instead are more interested in gaining access to users' personal and confidential information. Behrouzi also announced that APA-IUTCert experts are leading investigations into other circumvention tools, such as Freegate. [source in Farsi]

APA-IUTCert's full statement[English translation] and Psiphon's response.

Election Period: May 21 - June 14, 2013

DPI Implementation: May 3 - 9, 2013

On May 4th, two months after blocking VPNs, Iran started to Implement Deep Packet Inspection [DPI]; fingerprinting all unknown and random traffic, including Psiphon3's obfuscated SSH protocol, and dropping them every 60 seconds [Collin Andreson's tweet and test results confirming this on May 5]. Small Media's Election Edition Report later reported, "The telecommunications authorities of Iran responded two months later, through imposing a "white list" system, blocking unknown connections after exactly sixty seconds, as well as the outright filtering of the Tor network and ICMP. These limitations paralleled aggressive throughput throttling of encrypted applications essential to online business and communications, such as HTTPS and SSH."

By Monday, May 6th, after confirming reports of a possible DPI implementation by Collin Anderson, effects of the "white-list" system had became obvious through the diagnostic reports users were sending by emails, asking for a solution to the constant 60 second drop of their connections. Dropping connection every 60 seconds had triggered Psiphon3's "client auto-reconnect" feature, built-in to automatically reconnect when the current connection is disconnected. So during this period; the Psiphon3 clients tried to continuously reconnect every 60 seconds a connection was dropped, causing an sharp rise in the total number of daily connections, from 1.65 million on May 3rd to 5.43 million by May 5th.

The successful implementation of the deep packet inspection and its impact on Psiphon users during this time becomes more apparent in the drastic drop of total number of daily Pageviews of more than half a million users. Within two days, while the number of Unique-Users increases from 449K on May 3rd to 549K on May 5th, the total number of daily Pageviews drops from 42.6 million to 9.7 million. By May 9th, the total number of daily Pageviews went down to 2.25 million, dropping by over 40 million in less than a week after May 3rd's 42.6 Million Pageviews per day. In comparison, two weeks prior on April 19th, the same number of Unique-Users had viewed 40 million pages.

	Unique-Users	Pageviews			Unique-Users	Pageviews
May 3	449K	42.6M		April 19	400.7K	39.9M
May 5	549K(+18%)	9.7M(-77%)		May 9	399.1K	2.25M(-133%)

A closer look at the political landscape of Iran shows that the timing of implementing deep packet inspection coincided with the official start of the election period, as the 5-day registration period for presidential candidates started on May 7th [source], with heated national debates surrounding the possible registrations of controversial candidates such as Ali Akbar Hashemi Rafsanjani and Esfandiar Rahim-Mashaei, taking place. [read more]. Having learned from the previous experiences of 2009 elections and the role Internet and social media played both before and after elections, Iran took a proactive role in restricting access. After Blocking VPNs earlier in March, deep packet inspection was a much more sophisticated effort aimed at targeting circumvention tools, like Psiphon and Freegate that had grown more popular ever since. Iran Media Program and ASl19's "Political Evolution of the Iranian Internet" analysis of Internet in Iran during the years released just as DPI was being implemented alluded to this point in its conclusion:

"The 2013 presidential election is likely to differ significantly from 2009. The severe crackdowns in the wake of the 2009 protests had a chilling effect on the online vibrancy of Iran's reformist movement .The majority of reformist websites in Iran are either filtered, shut down, or are now hosted outside the country. The recent closure of VPN ports and crackdowns on their sales could further limit the vibrancy of online presidential campaign activities and debate, as could the progress of Iran's national intranet. As the June elections approach, the significance of the Internet is once again being brought into relief: Access to popular social networks, micro blogging, and video sharing websites such as Facebook, Twitter, and YouTube are blocked and only accessible with the help of circumvention tools. Official online campaign activities are relegated to platforms not filtered by the authorities, such as the online version of newspapers that are not shut down, and blogs that are not banned in Iran. While the 2009 precedent of aggressive policies to close down the Internet lingers, the likelihood of similar behavior being repeated in 2013 depends, to a large extent, on the candidates that are approved during the Guardian Council vetting process from May 7-11, which will determine voters' enthusiasm to participate in the election. The government has already begun to hedge against political unrest and the use of social media to ignite crowds again, and repressive Internet policies are likely to intensify as the elections approach, under the pretext of national security." [Source]

In fact, earlier in February, Abdol Samad Khorramabadi, head of Iran's "Committee for Determining Examples of Criminal Web Content" had announced a list of cyber crimes regarding the presidential elections, aimed at controlling content generation before rather than censoring it after. The following excerpt is taken from Iran Media Program's "Media and the Elections: February 4-15", co-authored with ASL19:

"According to Khorramabadi, these instances of crime are identified under Presidential Election Law and Islamic Criminal Law, which all websites are required to follow. This new list of cyber crimes includes publishing content that encourages the public to boycott the election, to hold protest gatherings without special permits, to strike or to interrupt the normal process of election, or conducting any independent, un-approved media activity. Disturbing public opinion, spreading blasphemous material, publishing materials that are against the national interest, causing conflict between people through racial and ethnic matters, and publishing the results of polls related to the election are also amongst the list of crimes. See Iran Election Watch for the full list."

Thus, as the government had taken steps to control national news outlets, both traditional and online, it also heightened efforts in limiting access to uncensored content and access to social media, first with DPI and later in an unprecedented throttling of Internet speed, access to digital applications and online services. They were in fact very successful in targeting circumvention tools through the imposed "white list" system, effectively rendering Psiphon useless for a week after May 3rd.

Usability and health of Psiphon's network for users during this period can be measured through the number of Connections per User and number of Pageviews per each of those Connections, which equals to the number of Pageviews each unique-user sees per day on average:

Avg. Connections/User x Avg. Pageviews/Connection = Avg. Pageviews/User

The charts below measures Psiphon's usability a week before DPI and a week after between April 26 - May 10, using the indicators above:

Comparing the average number of Pageviews per user during the week prior and after DPI implementation shows a clear distinction of access Psiphon users had to uncensored content and how Iran's Internet controls can change overnight. In just one day between May 3 and 4, while the number of unique-users increased by more than 97,000 (18%) users, the average number of pages these users were able to view in a day dropped by close to 40 pages(42%). One possibility was that the significant increase in users and load on Psiphon servers could have caused such a drop in Pageviews. However, such sudden increase in unique-users had occurred before on more than on one occasion, without effecting usability to this extent:

	Unique-Users	Pageviews/User			Unique-Users	Pageviews/User
April 2	255K	110.9		April 26	419K	89.9
April 3	358K(+103K)	105.4		April 27	481K(+62k)	90.2

Over the next few days, as DPI continued more users began to be affected by the restrictions and the number of daily unique-users began to drop by 40-50K users per day. By May 9th average Pageviews per user had dropped to a low of 5.6, the lowest it would drop for the remainder election period.

	Unique-Users	Pageviews/User			Unique-Users	Pageviews/User
May 3	449K	94.9		April 19	400.7K	99.6
May 5	549K	17.7		May 9	399.1K	5.6

As explained above the average number of daily Pageviews per user is how many times a user connects per day multiplied by how many pages they view per each connection/session. To measure and analyze the experience of Psiphon users against the filtering system, it is important to understand that each time a user connects to a Psiphon server, a sponsored page (based on the sponsored client the user downloaded) automatically opens, which means that each connection is essentially also a pageview. This is important when looking at the effect of DPI and the 60 second disconnections of Psiphon's traffic and thus any other traffic that did not pass through the "white-list" system and was dropped. Between May 5-8, Psiphon users are on average only able to see the sponsored page before getting disconnected, before trying to connect again and on May 9, they are not even able to see the sponsored page.

Small Media's Election Edition Iranian Internet Infrastructure and Policy report provides more insight to how DPI was implemented and the following is an excerpt from page 8 of that report:

"... TCP and UDP connections that traversed the international gateway of the Telecommunications Company of Iran were blocked from exchanging traffic after exactly 60 seconds, after exceeding this quota, further attempts were prevented for about ten minutes (Source). These disruptions appeared to have implemented through deep packet inspection (DPI) of network traffic, rather than shallow properties such as the destination port or IP address. While DPI is often deployed out of the direct path of the network, so that the overhead of utilization or failure does not disrupt all outbound traffic, the disruption appeared to be imposed in line by the routers processing traffic. The blocked appeared to have been implemented through throttling the connection down to nearly one packet per second after reaching the time threshold. This meant that an affected application would believe the connection still existed, even if it was essentially unusable."

By May 5th, the influx of user feedbacks and diagnostic reports showing problems with Psiphon3 connections and a conversation with Researcher Collin Anderson confirmed that Psiphon3's Obfuscated SSH protocol meant to mask Psiphon's traffic from the censors was now also susceptible to deep packet inspection. Collin Anderson also pointed to this in the Small Media Report mentioned above:

"The new filtering rule fundamentally broke the strategy that circumvention tools have thus far implemented to avoid filtering through DPI, wherein they sought to avoid creating a detectable traffic pattern. Iran effectively approached a "whitelist" of permissible applications with a three tier structure for the handing of Internet traffic that traverses the international gateway."

So, Psiphon developers started working on a new solution to circumvent the new changes in the filtering system and By May 6th, the first solution and version of "Fast Reconnect" was ready.

Fast Reconnect would automatically make a new connection before the original connection was dropped at the 60 second mark. While this preemptive action did not prevent the 60 second disconnection drop; it mitigated against disruption by expecting it and initiating a reconnection well before it. These preemptive reconnects were not counted as "connections" in Psiphon's stats and explain in part the visible drop in connections and rise in the number of Pageviews; even though the number of unique users and the number of actual SSH connections probably stayed at the similar levels after the preemptive release. While the original Psiphon "client auto-reconnect" feature automatically reconnects after an unexpected disconnection, the difference with the preemptive mode was that there was no wait time to reconnect, as the new connection was already completed before the drop occurred.

Within the next 3 days, "Fast Reconnect" was distributed to a handful of ASL19 users for feedback and testing on both Android and Windows devices. User feedback and diagnostics reports immediately showed promising results. A more improved version (51) was tested again on May 9th and later that day, Version 52 for Windows and Version 32 for Android were released. Upgrades started to roll out through Psiphon3 client's "auto-upgrade" feature in the following few days. "Fast Reconnect" did have certain limitation for watching videos or downloading large files, because of the disruptions by the preemptive reconnection, but it allowed for a reasonable browsing experience for users during this period, allowing them to visit more pages and access social media websites. On May 9th, just under 400k users only viewed a total of 2.25 million pages while on May 11th, after most Psiphon3 clients upgraded to Fast-Reconnect, the same number of users viewed 21.2 million pages.

During this time Psiphon also implemented and deployed resumable download for Android. Since the Android APK sometimes took more than 60 seconds to download, the "auto-upgrade" feature was getting interrupted in many cases for users. The "resumable upgrade" fix allowed for auto-upgrades to work under the 60 second condition, providing Android users with the latest Psiphon3 versions andsolutions to circumvent censorship during this period.

Network Throttling during election campaigns: May 21 - June 14, 2013

Psiphon was able to temporarily circumvent the filtering system with the release of Fast Reconnect and also halt the rapid decline in its user base by providing a reasonable browsing experience for its users on desktops and mobile devices. The solution was in particular useful for Android users who regained access to their applications. However, the announcement of qualified presidential candidates on May 21 and the disqualifications of Rafsanjani and Mashaei were going to be a key moment in the election process and flow of information online, a domain where, compared to the print press, government has much less control and oversight over. So just as the Iranian Internet users have become very good at circumventing Internet controls, the authorities have also increased their capabilities and methods in controlling flow of information when necessary since the post-2009 elections. Information controls have become much more dynamic in Iran and are implemented and adjusted in response and advance to the changing political context. Whereas the approach in the post-2009 elections was reactive, filtering websites such as Facebook, Twitter, and Youtube after the events surrounding the elections, in 2013, the authorities implemented a proactive approach by controlling flow of the information in advance of events. Blocking VPNs and implementing DPI where the initial steps in limiting access to circumvention tools, network throttling was the next step in controlling flow and access of information. On May 21st, Internet users in Iran started to experience slower Internet speeds and network disruptions limiting their access and use of many online and digital services like Gmail, Facebook, Twitter and news websites. While at the time the authorities declined any connections between the network disruptions and the election process, data from Collin Anderson's research "Dimming the Internet: Detecting Throttling as a Mechanism of Censorship in Iran," shows that clear disruptions and throttling of Internet access in Iran not only happened during the election period, but that it was implemented at key dates and events where flow of information would have the greatest impact:

At the same time, while introduction of Fast Reconnect in May 9th halted the fast decline of users by providing a solution, increased aggressive throttling and slower Internet speeds made circumvention harder and slower, requiring much more patience from users than before. This resulted in an rapid decline of users and between May 20th and June 14th, daily Psiphon users dropped by 73 percent from around 375K uinque-users on May 20th to a low of around 100K unique-users on the day of the Presidential Elections, June 14, 2013. However, the significant drop of traffic, measured in total number of daily Pageviews, between May 20th and 21st, is an example of how throttling effected Iranian Internet users and their access to information during the campaign period. As shown in the graph below, the total number of daily Pageviews from May 20th to 21st drops by almost 80%, dropping from 21.35 million to 4.37 million, in just one day. Total daily Pageviews drop even lower for the next week and remain under ten million until the day of the elections.

Internet condition had become abnormal, even for Iran, and the Iranian media started to ask questions, probing the officials in charge for an answer to the worsening Internet speeds and disruptions, many reporting that Internet in Iran was essentially inaccessible or unusable. The Ghanoon daily wrote "the Internet was in coma" and printed this caricature with the title "illegal" and the caption, "Uncle, loosen up please":

Within a day, the average number of daily Pageviews per user dropped from 59.5 on May 20th to 14.1 on May 21st, the day of candidate announcements.

As reported in Small Media's report:

"Beginning late May, according to data collected from Measurement Lab (Source), the median connection speed was slower than a dialup modem (less than 50 kbps)." [Source]

However, during this period officials repeatedly denied that deteriorating Internet conditions were at all connected to the elections. Early in May, Ali Hakim Javadi, Iran's deputy Minister of ICT , in response to worsening Internet conditions was quoted saying:

"Many parameters are involved in the Internet's speed, but the election drawing near is not one of them" [Sources: English - Farsi].

But, on June 25, 2013, ten days after the elections, Iran's ICT Minister, Mohammad Hassan Nami, acknowledged that throttling was in fact implemented as means for National Security during the election period. In a an Interview with Tasnim News Agency, he said:

"The reduction of the Internet speed, which some called 'disturbances', was the result of security measures taken to preserve calm in the country during the election period," and to prevent "foreigners trying to disrupt the election process". [source]

Small Media's election edition of Iranian Internet Infrastructure and Policy Report provides further analysis of Internet controls during this period, providing "technical evidence and external verification" and a timeline of both policy and technical developments.

Psiphon3's HTTP Prefix against throttling: May 25, 2103

Soon after the implementation of "Fast Reconnect", Psiphon developers continued their research and development on implementing a more robust solution to circumvent DPI and throttling. Testing on a few possible solutions began immediately by studying various open-source DPI packages, as a model for Iran's DPI implementation. At the same time, a server in Iran was aslo acquired to test solutions against Iran's filtering system. Testing showed that while DPI was classifying all traffic, out of the types tested, only HTTP traffic was not severely throttled. After some more testing and analysis of feedback diagnostics, Psiphon released "HTTP Prefix" for Windows and Android on May 25th. "HTTP Prefix": By inserting HTTP headers before each connection to Psiphon servers on the client side, Psiphon successfully masked its SSH connections to its servers as regular HTTP traffic. The release had a positive impact for users. With the new upgrade, they were able to both bypass censorship and actually access the web and view multiple pages per each connection.

The HTTP-Prefix release on May 25th for both Android and Windows was a big step forward for Psiphon in the lead up to the elections and allowed users to circumvent deep packet inspection and throttling. During the campaign period, after the initial drop of connections and Pageviews between May 21th to May 25th, with the release of HTTP-Prefix, circumvention slowly started to improve and users were able to view more pages per each connection. By June 1st, Psiphon users were making on an average 3 connections per day and viewing more than 11 pages per each connection. A week later, on June 8th, users made an average of 3.2 connections and viewed a around 45 pages (14.2/connection), a significant improvement in the quality of connections they were able to make compared to May 24th, a day before the release of HTTP-Prefix, when on average, users viewed 19 pages per day, an average of 4.9 pages per connection (3.9 connections).

Post-Elections: June 15 - August 31, 2013

Throttling Stops: June 15, 2013

With the election period officially ending on June 14th, just as DPI and throttling had been implemented overnight, restrictions on Internet connectivity, speed and access to most online and digital communication services were restored:

"... reports from social media began to describe a return to the pre-February state of the Internet. Through these reports it appears that VoIP services, including ooVoo, Viber and Skype, have been unblocked. Secure web traffic is no longer throttled to the extent of our May measurements, with the throughput rate roughly the same as unencrypted traffic. From out points of observation, upstream deep packet inspection of SSH continued for more than five days after the election, and ceased abruptly. Furthermore, we could find no evidence that the "whitelist" system is operational, with unclassifiable connections able to remain connected well beyond the one minute threshold." [Source]

While network throttling was at its highest leading up to the June 14 presidential elections, Psiphon3, due to its architecture, access to users, feedback diagnostics, testing and quick response to changing Internet control dynamics, was able to retain more than 100,000 Unique-Users making just over 425K connections, accessing 9 million pages through at its lowest point on June 14th, election day. A week later, total daily connections reached 1 million, and over 270K unique-users viewed close to 22 million pages as Iran's Internet was recovering to a much more normal, pre-elections state

This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.