October 2019 Monthly Report

Wed, 2019-11-20 19:24

In October, the Open Technology Fund continued to both receive a large number of support requests and to support a diverse portfolio of Internet freedom projects and fellows addressing Internet censorship and surveillance threats in closed societies around the world. This month, the OTF team continued the review process for the 11 applicants invited to submit a full proposal from the September 1 round. With October coming to a close, the OTF team also began actively reviewing and responding to the 210 concept notes received for the November 1 round.

Notable accomplishments

  • Through the Red Team Lab, OTF supported a security audit of the “Study the Great Nation” app, or Xuexi Qiangguo (学习强国). The app, billed by the Chinese Communist Party (CCP) as an educational tool and boasting over 100 million users, was found to contain several problematic privacy and security issues, including appearing to probe for superuser privileges, scanning to find other specific apps running on a user’s device, employing weak encryption by design in areas containing sensitive user information, and logging and transmitting detailed user log reports. The app also employs anti-reversing techniques that attempt to hide the app’s code, limiting the ability of external auditors to fully assess the app’s functionalities. Read more about the audit in this Washington Post article.
  • Data compiled through the App Store Censorship tool was used to confirm that Apple had removed an app from its app store, HKmap (即時地圖), which was being used by protesters in Hong Kong to track active protests in the city. App Store Censorship data was cited in a Congressional letter addressed to Apple CEO Tim Cook expressing “strong concern about Apple’s censorship of apps…at the behest of the Chinese government.”
  • OpenArchive released Save, a new secure, archival management tool designed to provide human rights organizations, newsrooms, and legal advocates (among others) with a way to organize, authenticate, and preserve sensitive mobile media. Save, short for Share, Archive, Verify, Encrypt, is available for iOS and in beta for Android. Thanks to the Localization Lab, Save is available in Arabic, Persian, Spanish, Turkish, French, German, Russian, and English. You can read more about Save’s launch in this press release, through these instructional videos, or through Save’s overview and training materials.
  • Decentralized, encrypted messaging tool Briar released version 1.2 for Android, featuring a new way to add contacts remotely by exchanging links; previously, adding a contact required either meeting in person or by asking a mutual contact for an introduction. In order to protect metadata and users’ privacy, Briar (unlike many other messaging apps) does not access a user’s contact list or upload it to a server. Briar instead connects users directly and securely via the Tor network to maintain user privacy. Briar is designed to maintain operability in the event of an Internet shutdown or connectivity interference, as app users can instead sync via Bluetooth or Wi-Fi to maintain communication even without Internet. You can read more about this and other features found in Briar version 1.2 here.
  • OpenAppStack continued the development of their new open source groupware management tool designed to improve the overall digital security of civil society organizations, officially releasing alpha version 0.2.1. To test out the release, check out this tutorial. OpenAppStack offers a self-managed, self-hosted alternative to popular enterprise file sharing and synching platforms. Note that OpenAppStack remains under heavy development, but testers can help the development process by reporting issues encountered while using the test alpha version.
  • Through an OTF-supported effort on behalf of a group of the world’s leading international broadcasters, BBC News now has a dedicated .onion address – a mirror site of BBC’s international news site, allowing censored users to circumvent blocks and access BBC content more securely via the Tor Browser. You can read more about the new BBC .onion site in this BBC article or in this blog post authored by BBC News Strategy Analyst Abdallah al-Salmi. Other news sites have also benefited from similar OTF support on .onion addresses, including DW, RFA, RFERL, and VOA.
  • Through the Usability Lab, OKThanks worked to investigate the problem of”clone apps”- copycat versions of legitimate apps that may pose a threat to users’ privacy and security by serving up malware and stealing users’ personal information, for example, or at the very least not offer the services that the legitimate app does. Through their research drawing from conversations and surveys with individuals from more than 20 countries, OKThanks gained insight into why clones exist in the first place and what causes people to use clone versions, while also gathering tips on ways technology teams can better ensure that users are downloading the authentic version of their app. This will help inform the goals of increasing downloads of legitimate apps while also decreasing the chance that a malware-laden, fake app could successfully infiltrate app stores – ultimately helping to keep users safe.
  • New research conducted by an OTF Information Controls fellow found a steep upward trend in digital expression violations in Egypt, with the crackdown focusing largely on social media activity. After compiling a dataset of 333 digital expression violations in Egypt from 2011 until mid-2019, the report (pdf) found a yearly increase in the number of digital expression violations, with a surge occurring between 2016-mid 2019. Egyptian authorities routinely targeted social media activity – especially on Facebook – as a basis for detention and arrest. The state relies on provisions such as “joining a banned group,” “spreading false news,” and “misuse of social media” to detain citizens. The data also reveals a dramatic increase in cases handled by the State Security Prosecution (SSP), a special body focusing on national security and terrorism cases. Detainees held by the SSP spend long periods in pretrial detention due to the SSP’s unique procedural rules. Read more about the report and its findings in this blog post or access the full report (pdf).
  • ICFP fellow Hoàng Nguyên Phong published a blog post summarizing the findings from his research, which focused on analyzing different aspects of the I2P (Invisible Internet Project) network, a privacy-enhancing Internet tool that can be used to access online content over an anonymity-enhancing network helpful in circumventing state-imposed censorship. Phong studied the I2P network’s censorship resilience, including identifying what blocking methods a state censor might use to inhibit access to I2P and investigating potential solutions to make I2P more resistant to such blockage. Phong found blocking attempts on the I2P network (specifically via DNS poisoning, SNI-based blocking, TCP packet injection, and page-specific blocks) emanating from five countries: China, Oman, Qatar, Iran, and Kuwait. Phong posits that because the blocks are usually imposed on the I2P download page and reseed servers, such blocking could be mitigated by hosting download links to this content on large cloud service providers – raising the collateral cost of blocking. Phong also built a metrics portal for the platform so that researchers and others can better understand who is using I2P, finding that there are about 20,000 relays in the network on a daily basis. You can read more about Phong’s research and findings here.
  • The Security Policy Generator project released the alpha version of SOAP (Securing Organisations with Automated Policymaking), “a free, easy-to-use online tool that helps civil society organizations build better security policies.” SOAP aims to help address a gap faced by civil society organizations who may lack the resources needed to hire a full-time security staff. With SOAP, such organizations can receive assistance in creating a security policy – an important and relatively easy way for organizations of any size to improve their digital security practices. You can find the alpha version live at https://usesoap.app/.

Projects Mentioned