OONI Data Reveals How WhatsApp Was Blocked (Again) in Brazil

Translation(s):

Country: Brazil

Probed ISPs: Tim mobile (AS 26615), Oi landline (AS 7738)

Censorship method: DNS Hijacking

OONI tests: HTTP Requests, DNS Consistency

Measurement period: 2016-05-02 - 2016-05-03

19:10 UTC Saturday, 7 May 2016 Update: Add OONI Explorer measurements links

Ever since WhatsApp implemented end-to-end encryption to protect the privacy and security of its 1 billion users worldwide, several cases of censorship have been ordered by governments who are frustrated with the fact that they can no longer access users’ private communications. Having implemented end-to-end encryption with the Signal protocol, WhatsApp cannot decrypt its users’ data, even if it wanted to - which is precisely what makes it secure.

Last December, a judge in Brazil backfired to WhatsApp’s non-compliance in a criminal investigation by [ordering the blocking of WhatsApp for 48 hours] (https://www.theguardian.com/technology/2015/dec/17/whatsapp-blocked-brazil-48-hours-facebook). Similarly, early this week another Brazilian judge [ordered the blocking of WhatsApp] (https://www.theguardian.com/technology/2016/may/02/brazil-whatsapp-block-72-hours) but this time, for 72 hours - as a form of retribution for the company’s failure to hand over data as part of an ongoing drug trafficking investigation. Both orders for censorship were lifted in less than 24 hours following a public uproar, since [more than 100 million individuals] (http://www.theglobeandmail.com/technology/tech-news/whatsapp-comes-down-how-brazilians-are-coping-without-their-social-mediafixes/article27799710/) in Brazil (91% of mobile users) depend on WhatsApp for their daily communications.

According to Lucas Teixeira, Chief Technologist at [Coding Rights] (https://www.codingrights.org/):

“People reacted to the blocking of WhatsApp with a mix of shock, revolt and mockery, reflecting the fact that Whatsapp is used by pretty much everyone in big and small cities - and even in the countryside - to communicate with each other, replacing SMS and phone calls almost 100%. The company’s zero-rating partnerships with telcos has also helped a lot. Mobile Internet plans with data caps but “free Whatsapp” are common. Marco Civil da Internet explicitly forbids violations to net neutrality, but the legality or not of zero rating will be set in its ongoing regulation process. As for the legality of WhatsApp’s blocking, we can’t be sure because the litigation is secret, but it has been reversed in court.”

Following the latest reports of WhatsApp being blocked in Brazil, the Open Observatory of Network Interference (OONI) ran tests locally in Brazil to detect the technical details of how censorship was implemented. This blog post includes a publication of our measurements, revealing that Brazilian ISPs blocked WhatsApp’s website through DNS hijacking.

Our findings

Two types of OONI tests were run in Brazil to identify whether and how WhatsApp was blocked:

The first test is designed to compare the DNS query results from a DNS resolver which is considered to be reliable with one that it tested for tampering. The second test tries to detect online censorship based on a comparison of HTTP requests over Tor and over the network of the user. By running these two types of tests on web.whatsapp.com and www.whatsapp.com, DNS hijacking was identified as a method for blocking WhatsApp, as illustrated below:

DNS-consistency tests

########################################### # OONI Probe Report for dns_consistency (0.7.0) # Tue May 3 06:20:40 2016 ########################################### probe_asn: AS7738 probe_cc: BR test_helpers: {backend: '213.138.109.232:57004'} test_name: dns_consistency test_start_time: '2016-05-03 04:20:40' test_version: 0.7.0 --- control_resolver: 213.138.109.232:57004 errors: {192.168.122.1: dns_lookup_error} failures: [192.168.122.1] inconsistent: [] input: www.whatsapp.com measurement_start_time: '2016-05-03 04:20:43' queries: - answers: - {answer_type: A, ipv4: 184.173.147.39} - {answer_type: A, ipv4: 184.173.147.38} - {answer_type: A, ipv4: 192.155.212.203} - {answer_type: A, ipv4: 192.155.212.202} failure: null hostname: www.whatsapp.com query_type: A resolver_hostname: 213.138.109.232 resolver_port: 57004 - answers: [] failure: deferred_timeout_error hostname: www.whatsapp.com query_type: A resolver_hostname: 192.168.122.1 resolver_port: 53 successful: [] test_resolvers: [192.168.122.1] test_runtime: 1.2021667957305908 ... control_resolver: 213.138.109.232:57004 errors: {192.168.122.1: dns_lookup_error} failures: [192.168.122.1] inconsistent: [] input: web.whatsapp.com measurement_start_time: '2016-05-03 04:20:43' queries: - answers: - {answer_type: CNAME, hostname: mmx-ds.cdn.whatsapp.net} - {answer_type: A, ipv4: 179.60.192.51} failure: null hostname: web.whatsapp.com query_type: A resolver_hostname: 213.138.109.232 resolver_port: 57004 - answers: [] failure: deferred_timeout_error hostname: web.whatsapp.com query_type: A resolver_hostname: 192.168.122.1 resolver_port: 53 successful: [] test_resolvers: [192.168.122.1] test_runtime: 1.223766803741455

########################################### # OONI Probe Report for dns_consistency (0.7.0) # Tue May 3 01:39:37 2016 ########################################### probe_asn: AS26615 probe_cc: BR software_name: ooniprobe software_version: 1.4.2 test_helpers: {backend: '213.138.109.232:57004'} test_name: dns_consistency test_start_time: '2016-05-02 23:39:37' test_version: 0.7.0 --- control_resolver: 213.138.109.232:57004 errors: {192.168.122.1: no_answer} failures: [192.168.122.1] input: www.whatsapp.com measurement_start_time: '2016-05-02 23:39:40' queries: - answers: - {answer_type: A, ipv4: 169.44.84.178} - {answer_type: A, ipv4: 184.173.147.39} - {answer_type: A, ipv4: 184.173.147.38} - {answer_type: A, ipv4: 169.44.82.102} - {answer_type: A, ipv4: 192.155.212.202} - {answer_type: A, ipv4: 192.155.212.203} failure: null hostname: www.whatsapp.com query_type: A resolver_hostname: 213.138.109.232 resolver_port: 57004 - answers: [] failure: null hostname: www.whatsapp.com query_type: A resolver_hostname: 192.168.122.1 resolver_port: 53 successful: [] test_resolvers: [192.168.122.1] test_runtime: 0.47959399223327637 --- control_resolver: 213.138.109.232:57004 errors: {192.168.122.1: no_answer} failures: [192.168.122.1] input: web.whatsapp.com measurement_start_time: '2016-05-02 23:39:40' queries: - answers: - {answer_type: CNAME, hostname: mmx-ds.cdn.whatsapp.net} - {answer_type: A, ipv4: 179.60.192.51} failure: null hostname: web.whatsapp.com query_type: A resolver_hostname: 213.138.109.232 resolver_port: 57004 - answers: [] failure: null hostname: web.whatsapp.com query_type: A resolver_hostname: 192.168.122.1 resolver_port: 53 successful: [] test_resolvers: [192.168.122.1] test_runtime: 0.03604292869567871

########################################### # OONI Probe Report for dns_consistency (0.7.0) # Tue May 3 15:07:07 2016 ########################################### --- annotations: null data_format_version: 0.2.0 input_hashes: [db9176124032c0dd1d974fa52ee194e8304658ba2f32f5f07911abfb03521ff0] options: [-f, whatsappurl.list] probe_asn: AS7738 probe_cc: BR probe_city: null probe_ip: 127.0.0.1 report_id: null software_name: ooniprobe software_version: 1.4.2 test_helpers: {backend: '213.138.109.232:57004'} test_name: dns_consistency test_start_time: '2016-05-03 13:07:07' test_version: 0.7.0 ... --- control_resolver: 213.138.109.232:57004 errors: {192.168.122.1: dns_lookup_error} failures: [192.168.122.1] inconsistent: [] input: www.whatsapp.com measurement_start_time: '2016-05-03 13:07:12' queries: - answers: - {answer_type: A, ipv4: 192.155.212.202} - {answer_type: A, ipv4: 192.155.212.203} - {answer_type: A, ipv4: 184.173.147.38} - {answer_type: A, ipv4: 184.173.147.39} - {answer_type: A, ipv4: 169.44.84.178} - {answer_type: A, ipv4: 169.44.82.102} failure: null hostname: www.whatsapp.com query_type: A resolver_hostname: 213.138.109.232 resolver_port: 57004 - answers: [] failure: deferred_timeout_error hostname: www.whatsapp.com query_type: A resolver_hostname: 192.168.122.1 resolver_port: 53 successful: [] test_resolvers: [192.168.122.1] test_runtime: 1.296454906463623 ... ---

HTTP-request test

########################################### # OONI Probe Report for http_requests (0.2.5) # Mon May 2 23:17:02 2016 ########################################### probe_asn: AS26615 probe_cc: BR software_name: ooniprobe software_version: 1.4.2 test_helpers: {} test_name: http_requests test_start_time: '2016-05-02 21:17:02' test_version: 0.2.5 ... agent: agent body_length_match: null body_proportion: null control_cloudflare: null control_failure: null experiment_failure: dns_lookup_error factor: 0.8 headers_diff: null headers_match: null input: https://www.whatsapp.com measurement_start_time: '2016-05-02 21:17:07' requests: - failure: dns_lookup_error request: body: null headers: {User-Agent: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2) Gecko/20100115 Firefox/3.6'} method: GET tor: {exit_ip: null, exit_name: null, is_tor: false} url: https://www.whatsapp.com response: null

Circumventing censorship

The blocking of WhatsApp’s website can be circumvented through the use of Tor. In cases of DNS hijacking, users might even be able to access blocked websites by merely [changing their DNS resolver] (https://developers.google.com/speed/public-dns/docs/using#google_public_dns_ip_addresses) (though this is not something that always works).

If WhatsApp (or other IM applications) is blocked again, Android users in Brazil (and elsewhere) can try circumventing censorship by using the VPN mode of Orbot which enables all apps on their device to run through the [Tor network] (https://www.torproject.org/). It’s important though to note that Orbot’s VPN feature should not be used for anonymity, but only for bypassing censorship.

Limitations to our study

Currently OONI software tests are not specifically designed to test instant messaging (IM) applications (such as WhatsApp), but websites. Our measurements are therefore limited to the testing of WhatsApp’s website which was found to be blocked based on DNS hijacking, and do not include the testing of the WhatsApp application. Over the next year though we plan to develop new OONI tests which will specifically be designed for testing IM applications for censorship.

Until then, the blocking of WhatsApp’s website and web app can be tested through the following:

Install ooniprobe Download the [whatsapp deck] (https://raw.githubusercontent.com/TheTorProject/ooni-probe/0b4cea0ad99696f664cd3083df929d93f88fda43/data/decks/whatsapp.deck) (eg. wget https://raw.githubusercontent.com/TheTorProject/ooni-probe/0b4cea0ad99696f664cd3083df929d93f88fda43/data/decks/whatsapp.deck ) Run test deck ooniprobe -i whatsapp.deck

HTTP Requests measurements

DNS Consistency measurements