In July, the Open Technology Fund continued to both receive a large number of support requests and to support a diverse portfolio of Internet freedom projects and fellows addressing Internet censorship and surveillance threats in closed societies around the world. This month, the OTF team continued reviewing the 113 concept notes received during the July 1 round, while also continuing to review applications for both the Information Controls Fellowship Program (ICFP) and Digital Integrity Fellowship Program (DIFP).
Notable accomplishments
- OTF’s Red Team Lab supported the audit of the BXAQ app, a tool used by Chinese security forces at border crossings to scan for and collect a large amount of information from tourists or other travelers’ phones, with that data then uploaded to a local file server “over clear-text HTTP without any protections.” The audit, conducted by Red Team Lab partner Cure53, analyzed the app to assess its functionality, security features, and whether it appears to violate users’ basic human rights. Read more about the report in this blog post or in Motherboard, the New York Times, The Guardian, or Süddeutsche Zeitung.
- The Certbot Improvements team hit a major milestone this month, successfully porting all of Certbot’s core functionality to Windows. Because more than 30% of the top 10 million websites are hosted on Windows-based servers, this will substantially increase the amount of potential Certbot adoption – allowing websites to automatically enable HTTPS encryption through use of Let’s Encrypt certificates, for free. The Certbot team is now working on improving the tool’s packaging to make it as accessible and compatible as possible for Windows use cases, while also making it easy to provide updates for the millions of Linux servers currently using Certbot.
- The InfoSec for the Balkans project released InfoSec Manual for Journalists and Civil Society, a guide that focuses on teaching basic digital security skills and practices for such actors in the region. The guide was informed by months of detailed, country and discipline-specific research and threat modeling done in collaboration with media and civil society organizations throughout the region. The guide is available in Albanin, Bosnian, Macedonian, Montenegrin, Serbian, and English.
- The App Store Censorship project added automatic, regular testing of all apps to applecensorship.com, a tool that allows users to test and see which apps are available in Apple’s App Store by country as a way to monitor for instances of possible censorship at the app store level. This update means that apps are not only tested when requested by users, but also tested in the background on an ongoing basis. The system prioritizes frequent testing of apps that are more likely to be censored; all detailed test data is accessible through the project’s website.
- Delta Chat released a report focusing on a needsfinding and usability assessment of the decentralized messaging app, summarizing a year of related testing activities and other user-informed research. The report describes the technical and social evolution of Delta Chat over the course of the year, and also outlines priorities for further development and improvements.
- Following the public release of two-factor login via WebAuthn for the Python Package Index (PyPI) platform in June, the PyPI Improvements project has already seen substantial adoption among PyPI users. In June, 3.08% of all users were using the new 2FA feature; in July, that rose to 4.54%, and through the first week of August that number rose to 11.48%. Meanwhile, the project continued work on other important security-enhancing features, such as support for uploading via API token – a feature released in beta at the end of the month. PyPI users can try out the new feature and submit bug reports to the PyPI team. More details on these and other updates from the PyPI Improvements project can be found on their wiki. As the official software repository for the Python programming language, PyPI is a high value target for bad actors who want to inject malware into popular applications that run on Python – including many Internet freedom projects.
- The Open Observatory of Network Interference (OONI) made progress on improvements to the OONI Probe Mobile app in preparation for the release of version 2.2.0, including by implementing faster measurement resubmission for Android and iOS, adding an API to fetch measurement URLs, and making bug fixes. OONI is also currently working on improving the speed of the tool’s data processing pipeline (how long it takes for new measurements to be published) and creating an RSS feed generator for confirmed instances of blocking. OONI also made progress on revamping OONI Explorer, making various improvements to the beta version. Over the course of the month, OONI Probe was run 356,191 times from 5,090 different vantage points in 205 countries around the world.
- ICFP Fellow Bekah Overdorf presented her project at HotPETs, a workshop held on the sidelines of the PETs (Privacy Enhancing Technologies Symposium) event. Bekah’s talk on Subtle Censorship via Adversarial Fakeness in Kyrgyzstan (pdf) won “Best Talk Winner” for this year’s event. Bekah’s talk focused on why fake accounts/news on social media is a new form of censorship; what challenges arise when studying it and a contrast to classic digital censorship technologies; why Kyrgyzstan was chosen as a focus country; and preliminary findings.
- The Localization Lab published 11 Surveillance Self-Defense guides translated and reviewed at a Localization Sprint with Cambodian contributors in May. The guides cover a wide array of entry-level digital security topics which were prioritized by Cambodian digital security trainers for the communities that they work with. The guides are also available in other languages such as Igbo, Yoruba, Twi, Swahili, Bahasa, Thai, and Burmese. Across all projects, during the month of July, Localization Lab volunteers translated a total of 55,226 words, edited 144,094 words and reviewed 50,369 words in the Localization Lab hub.