The Turkey Blocks internet censorship watchdog has identified and verified that restrictions on the Tor anonymity network and Tor Browser are now in effect throughout Turkey. Our study indicates that service providers have successfully complied with a government order to ban VPN services.
— Turkey Blocks (@TurkeyBlocks) December 18, 2016
Tor is a free and open system designed to allow activists, journalists and ordinary internet users to circumvent government censorship of digital communications. As last line of defence against the world’s most severe internet censorship regimes, Tor has seen growing popularity in Turkey alongside commercial VPN services thanks to its free availability and resilience.
Impact of VPN blocking
New, sophisticated blocking measures mean Internet users will no longer be easily able to circumvent social media shutdowns and other mass-censorship events in Turkey as they have become accustomed to over recent years.
Partial or total blocking of VPN, Tor and similar services will shift Turkey’s internet censorship regime from moderate to severe in character, allowing the state fine-grained control of the flow of information in a “walled garden” model of internet access like that imposed by China’s Great Firewall.
Other circumvention methods, including Tor’s bridged modes built to evade similar restrictions imposed by the regime in Syria, as well as custom VPN deployments, continue to remain available to technically skilled users in the short-term.
Government-issued VPN Blocking Order now in effect
In late 2016 reports surfaced that Turkey had ordered ISPs to block access to Tor and several commercial VPN services. On 5 December, ISP industry representatives Turk Internet reported growing pressure to complete the ban, including demands for weekly progress reports on the status of the new technical restrictions. Users started reporting connectivity issues around the same time.
Turkey typically cuts access to individual sites by court order or administrative measure to permanently restrict access to services on grounds of morality and state security. In recent years, the government has also started to shut down social media networks entirely for hours or days during national emergencies and political unrest – a form of network interference that the Turkey Blocks project was founded to investigate.
Internet users in Turkey increasingly resort to VPNs and Tor to circumvent both kinds of censorship, allowing them, for example, to access independent sources of information and seek assistance in the minutes and hours following terror attacks.
Summary of findings
Turkey Blocks finds that the Tor direct access mode is now restricted for most internet users throughout the country; Tor usage via bridges including obfs3 and obfs4 remains viable, although we see indications that obfs3 is being downgraded by some service providers with scope for similar on restrictions obfs4. The restrictions are being implemented in tandem with apparent degradation of commercial VPN service traffic.
We selected four nodes on two ISPs from our network of monitoring probes, and pushed the latest version of the Tor software and bridge software to each device. We tested basic connectivity and data transfer rates over Tor with direct access, obfs3 and obfs4. Hence we collected 12 sets of data, each consisting of a packet capture, a download timing and a connection log, totalling 36 articles of data. We ran a control with identical hardware and software in the United Kingdom with an unrestricted internet connection to validate the results. We sought to cross-reference our findings against Tor metrics breakdowns for Turkey, taken from publicly available aggregated statistics of overall Tor usage worldwide (see Annex A).
Tor v0.2.8.11 (git-9fc59eddc17a726a) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g and Zlib 1.2.8; Ubuntu Server 16.04; Linux kernel 4.4.38-v7+ armv7l; Raspberry Pi 2
Direct Tor access restrictions started around 12 December 2016. Tor’s direct mode is now entirely unusable via providers TTNet and UyduNet on the residential broadband connections we tested. Packet filtering or Deep Packet Inspection (DPI) are likely used to disrupt the connection phase, which stalls around the 10% mark.
Connection is possible using obfs3 and obfs4 Tor bridges with both providers. While obfs4 is effective across all configurations, obfs3 intermittently fails with TTNet.
We found that removing one of the three obfs3 server IP addresses from the configuration allowed for more reliable connection, suggesting that it might be possible to mitigate interference improving failover in the default configuration or bridge implementation.
Annex A: Anomalous Rise in Tor Metrics Usage
We first sought to evaluate Tor restrictions using freely available statistical data provided by the Tor project. Yet our efforts were confounded by unexpected Tor metrics data. Tor metrics tracks the number of active Tor users in Turkey.
Where we expected a fall in usage corresponding to widespread reports of failure to access the Tor network, charts instead show a huge increase in Tor usage over the same period.
We produced these hypotheses to explain the phenomenon:
- A genuine increase in usage triggered by censorship: We detected no censorship during the periods outlined that could explain such a sudden, large and sustained rise in usage. To put this in context, even absolute, long-term blocks of YouTube or Twitter in the past caused relatively small bumps in Tor usage.
- Genuine increase in usage triggered by privacy concerns: Leaks of private citizen data like the MERNIS database leak and Wikileaks data dump, and government surveillance in relation to alleged coup plotters haven’t been in the headlines recently and it’s unlikely Turkish citizens would switch to Tor so suddenly for its privacy-preserving features.
- A botnet or network of compromised hosts: Rootkits and viruses loaded onto PCs and IoT devices use the Tor network to disguise their control channel and coordinate of DDoS (Distributed Denial of Service) attacks. If such a botnet network had been deployed on the specified dates, that could well explain the sudden increase of Tor usage.
- A measurement anomaly caused by connection failure: The dates when usage spikes correlate with early reports of Tor unreachability. Although it sounds counterintuitive, it’s possible that repeated failed connection attempts caused by Turkey’s new access restrictions were registered by the metrics platform and counted as new users.
During tests we saw over a hundred connection attempts associated with a single user connection request, leading us to favour the theory Tor metrics have incorrectly counted these failed attempts in their overall usage tally.
In rare cases where a successful direct connection was made, Tor was subsequently able to establish further connections successfully using cached values written to temporary files. This means that existing Tor users with a primed cache may be able to connect directly despite the blocking measures.
We invite the Tor developers to take a closer look at the situation. In the meantime we recommend that figures published by the Tor project aren’t taken to indicate increased Tor usage.
Our study corroborates user reports that Tor access with the default configuration is now widely, though not yet totally, restricted. The government ban also covers specific commercial VPN services but not corporate or custom VPN solutions such as those deployed by businesses to allow remote access by employees.
Network restrictions imposed by the government will become absolute for many internet users, even those who were previously able to work around frequent mass-censorship events with relative ease.
The new measures are thus likely to change the nature of internet usage over years to come, diminishing media freedom and freedom of opinion and expression in Turkey.