The Turkey Blocks project combines best practices for forensic validation internet shutdown and digital interference reports, using both digital forensic analysis of network traffic via our Raspberry Pi IoT probe network and traditional verification techniques.
No workflow for validating digital censorship reports is perfect, hence we aim to draw on multiple sources to corroborate, or refute reports rapidly in the minutes and hours following alleged instances of internet mass-censorship or other forms of digital interference that may impact freedom of expression, the right to be informed, the right to a private life, or that might otherwise affect Turkey’s digital economy or international relations.
Turkey Blocks aims to develop a new gold standard for network monitoring of digital interference that can be adopted in the wider region and globally in coming years.
Censorship verification methodology
Our probe network is at the core of Turkey Blocks’ incident detection and monitoring methodology. A number of embedded computers (presently Raspberry Pi, for endpoint nodes and Intel NUC for control nodes) continuously monitor connectivity and report back on potential network issues. Aggregating this data gives a good idea of internet users’ experience of shutdowns, particularly of network throttling that is difficult or impossible to detect via remote scanning alone. Probes are our foremost means of rapid detection of emerging incidents.
Confirmed: Twitter, Facebook & YouTube blocked in #Turkey at 10:50PM after apparent military uprising in #Turkey pic.twitter.com/J9ER5yOGYP
— Turkey Blocks (@TurkeyBlocks) July 15, 2016
Network probes can also securely return data dumps for network packet capture forensic analysis, which can be submitted for further analysis to validate contentious incidents and give insights into the technical implementation of blocks. Early work has been undertaken to build a publicly accessible packet capture archive for information security analysts to peruse, although the effort is on hold pending data privacy work.
PCAP or it didn't happen? Our packet dump from Sunday shows Twitter slowdownhttps://t.co/dwN0pTnLJN cc @ncweaver pic.twitter.com/8kLp1W4NgP
— Turkey Blocks (@TurkeyBlocks) October 15, 2015
Probe results are complemented by remote network scanning, performing reachability analysis including wide network scans and BGP route mapping. Although resource intensive, network scans can help pinpoint full internet shutdowns where probe coverage is limited. More recently, we have explored methods for deriving estimations of the impact, in terms of numbers of users disconnected during regional shutdowns.
New internet shutdown in southeast #Turkey: 8% of country's IP network offline in 3rd day of #Diyarbakir unresthttps://t.co/2L2UOE3drI
— Turkey Blocks (@TurkeyBlocks) October 27, 2016
In addition to active monitoring, Turkey Blocks has occasionally drawn on passive network log sources, namely visitor logs (hit counts) in collaboration with popular websites. This method is now less-used, as we’ve found it difficult to derive statistically significant results from this data source in contrast with other techniques.
Digital monitoring is complemented with more traditional journalistic verification and fact-checking to corroborate blackouts and their impact on the ground. The Turkey Blocks response team aims to contact individuals affected by shutdowns to gain a wider perspective and to reduce confirmation bias potentially arising from purely digital network readings. Local knowledge is important in building up reliable reports and understanding how internet restrictions relate to ongoing political developments or security threats.
In depth: pharmacies, medical supply & infrastructure crippled in 6th day of southeast #Turkey internet shutdownshttps://t.co/CKk59wCoUu
— Turkey Blocks (@TurkeyBlocks) October 31, 2016
We also review the legal framework sometimes used to justify digital interference, studying sources like Turkey’s Resmi Gazete to understand and report on changes to legislation and proposed constitutional amendments that might impact the lawfulness and implementation internet shutdowns in Turkey.
Could #Turkey's new wartime net killswitch amendment explain mystery social media blackout?https://t.co/ZpJ6jixhsB pic.twitter.com/W2NcY2twlU
— Turkey Blocks (@TurkeyBlocks) August 26, 2016
Beyond verification, the Turkey Blocks project occasionally debunks misreporting of censorship incidents or false-positive reports spreading through social media, such as outages affecting wider regions or global networks, or which carry indications of network failure, overload, DDoS or cyber-attack rather than intentional interference.
Twitter, Spotify, Netflix and others are experiencing slowdowns globally due to cyber attack; no indication of a #Turkey-specific block pic.twitter.com/8KvRheNd8x
— Turkey Blocks (@TurkeyBlocks) October 21, 2016
Refinement and independent validation of our techniques will always be an ongoing process – Turkey Blocks started out as a digital journalism project focusing on social media throttling that has since grown to develop novel technical means and workflows for detection network interference affecting large numbers of internet users.