• About the Centre for IP and IT Law (CIPIT)
  • Join the CIPIT Blog Team

CIPIT Blog

~ Strathmore University Centre for Intellectual Property and Information Technology Law (CIPIT)

Monthly Archives: July 2018

Zero Rating of the Internet and its Impact on Net Neutrality

27 Friday Jul 2018

Posted by Mercy King'ori in Guest Post, Information Technology

≈ Leave a comment

Mobile phone penetration in the Kenya has increased tremendously over the years. The Communication Authority of Kenya (CA), in its first quarter 2017/2018 financial year report placed mobile and Internet subscriptions in the country at 41 and 51 million subscriptions respectively. In spite of this increased mobile and Internet penetration, the high cost of accessing the Internet continues to be a constant hindrance to a majority of mobile users in Kenya.

Private companies, in response to this issue, have attempted to provide ‘free’ or subsidised Internet through what has come to be known as zero-rating of the Internet. In this practice, providers of zero-rated Internet, partner with Internet service providers (typically mobile networks) to subsidise access to the Internet. Access to the Internet under such programs is however limited to the zero-rated Internet providers’ website. Examples of such services include: Free Basics by Facebook and Wikipedia’s Zero.

These services are however extremely controversial due to concerns about their impact on net neutrality and effectiveness as a long-term policy for improving Internet access.

Proponents of zero-rated Internet claim that such services connect people who previously did not have access to the Internet especially in emerging markets in Africa and Asia. While connectivity may increase, the fact remains that Internet service providers and companies that engage in this service derive immense financial benefits from such services. For example, mobile Internet providers use free access to the Internet as an on-boarding strategy. Secondly, access to the Internet under this practice is limited to one or a few popular sites depending on the zero-rated Internet service in question. This calls to question the supposed ‘benevolence’ of such services especially in light of their detrimental impact on net neutrality, which holds that all content and users be treated equally so as to ensure free flow of information online.

While zero-rating can be viewed as beneficial to consumers as they do not incur data charges when visiting zero rated websites, it is detrimental as it in a sense changes the “face of the Internet” by limiting the number of websites which users can access. It effectively operates as an information control principally in the event that such services become ubiquitous and to the extent that they are the first point of entry to the Internet for millions and potentially billions of people.

Furthermore, zero-rating of the Internet jeopardizes freedom of expression online. The forums on which Internet users can freely develop and express their opinions are limited and to a great extent controlled by the parties that subsidize access to the Internet. The ideological underpinnings of the internet, and its role as a medium for advocacy on the protection of civil rights, is at danger of being obfuscated in this paradigm.

Moreover, zero-rating greatly reduces the incentive for content creators who do not have the required financial muscle to continue producing content. It is therefore no surprise that companies like Microsoft and other tech giants are at the forefront of championing zero rating. This is however highly ironic seeing that companies such as Wikipedia and Facebook would not have been able to transcend the ‘start-up’ stage had the Internet at their time of inception been limited through zero-rating. Again, the undermining of the right of Internet users to freedom of expression and uninhibited access to the Internet cuts to the core of this issue.

The impact of zero rated Internet is best gleaned through an analysis of the areas where it is widely offered as illustrated below.

Binge On™, is a video streaming service provided by T-Mobile, a mobile telecommunications company. Binge On™ provides zero-rated streaming for specific content providers while limiting the capacity of “non zero-rated” content providers from streaming its platform. “T-Mobile’s Binge On Violates Key Net Neutrality Principles” a report done by Stanford Law School found that T-Mobile, through its zero-rated service, stifled innovation by barring content creators who did not meet its substantial technical requirements. This exposes the fallacy of the perceived ‘altruism’ behind such services i.e. through the commercialization of information and innovation by extension. This further underscores the importance of maintaining ‘diversity of expression’, in the current knowledge economy, where large tracts of information are generated and disseminated online.

Proponents of this practice argue that zero rating is necessary if we are to achieve universal connectivity. The discussion above however, pokes serious holes into this argument. While universal connectivity is necessary to bolster communication, such hopes shall be relegated to a pipe dream as companies that cannot afford to zero rate their services are unable to fairly compete and reach consumers.

It is with this in mind that a need for a comprehensive legal and policy framework to address zero rating arises. Zero-rating should not be used as a substitute for Internet access. Openness, which is a central tenet of the Internet, must be legally protected. While, there are no country specific laws that deal with the effects of zero rating on freedom of expression, article 33(1a) of the Constitution of Kenya provides for the freedom to seek, receive and impart ideas. Internationally, article 19(2) of the International Covenant on Civil and Political Rights (ICCPR) provides for the freedom of expression.

The Internet is and should remain a bastion of freedom of expression. Kenya is thus bound to enact laws and policies that specifically protect this right ‘out of the normal context of speech’ seeing as Internet based modes of protection are protected under the ICCPR.

** Mercy King’ori is a 4th Year Bachelor of Laws student at the Strathmore University.

What can we learn from Zimbabwe’s 2013-election DDOS attack ahead of the 2018 Poll?

23 Monday Jul 2018

Posted by Robert Muthuri in Uncategorized

≈ Leave a comment

In the weeks leading up to and following Zimbabwe’s disputed 2013 election, Zimbabweans were hit by significant Internet-based attacks. Because the incident was not widely reported, it did not gain traction at all in the Internet Freedom Community. Yet the incident was one of a kind to be documented during an African election. It adversely affected Zimbabweans’ rights to stay informed including by accessing first-hand information on the elections to inform civic action and response to the election irregularities. This also had repercussions on the transparency and outcome of the election since those who were monitoring them on online platforms were deprived of necessary information to base their reports on. As part of the project Sub Saharan Africa Cyber Threat Modelling, I propose that as Zimbabwe prepares for the 2018 elections, civil society actors in Zimbabwe and those who support their digital security and integrity projects should use the 2013 incident to undertake a proper threat model that takes account of DDOS attacks. This will coincide with the Zimbabwe CSOs’ launch of the2018 Election Situation Room on 27 June 2018 – an initiative that seeks to coordinate their activities & enhance citizen monitoring & participation in electoral processes. Unlike other attack vectors that only affect information confidentiality and integrity, a DDOS goes after the availability of a system or a network. The nature of its attack is like having your home flooded – without warning; attackers can upend the availability of information during an election. When it hits a network, a long time can pass before detection and mitigation. In an ever-expanding field of adversaries and other attack vectors, DDOS is still often difficult to attribute as it can often be orchestrated remotely.

Around July 30, 2013, while working for the Zimbabwe Human Rights Forum, I woke up to realise that most of the real-time content of the website I managed had been compromised through deliberate defacement and selective data erasure. As I tried to locate the content, the site went offline. I fiddled with the network until a U.S. Congress Researcher, who had been following our blogs, alerted me to the DDOS attack directed at our web host Greennet and web hosts of other critical websites such as Electionride.com and Nehanda Radio.

The incident included two massive distributed denial of service (DDoS) on Greennet to disrupt the Forum’s activities, which in turn caused collateral damage to other sites like that of Privacy International. Despite the difficulty of the attack source attribution, experts believed that either a government entity or a private organisation was responsible for the attack given both its nature and magnitude: 100Gbps attack that used DNS reflection rather than an unsophisticated botnet to attempt to overwhelm its servers.

What is a DDOS attack?

Confidentiality, integrity, and availability are the fundamentals of information assurance. Organisations often rely on the so-called CIA (Confidentiality, Integrity, and Availability) triad to benchmark and evaluate their information security. For instance, the data defacement and erasure on the web pages of the Zimbabwe Human Rights Forum affected the integrity of the data and therefore its reliability. However, a DDoS does not go after the confidentiality or integrity of the CIA model. It’s meant to go after the ‘A’, the availability of a system or a network.

A Distributed Denial of Service (DDoS) attack is an attempt made to take a website or online service offline. Attackers use a variety of ways to do this, but they all are designed to overwhelm the site with traffic from multiple sources.

In a DDoS attack, the traffic flooding the site can come from hundreds or thousands of sources, which makes it near-impossible to stop the attack simply by blocking a single IP address. They can be distributed by infected computers via botnets or coordinated. Sites also struggle to differentiate between a legitimate user and attack traffic.

A DDoS attack differs from a Denial of Service (DoS) attack, which typically uses a single computer and connection to flood a system or site.

Zimbabwe experienced a Domain Name System (DNS) reflection attack. This kind of attack spoofs the target’s IP address in DNS requests, causing DNS servers to amplify the volume of data focused on the data centre under attack.

Unlike a malware in the class of worms, a DDOS could generally be classified in the virus category in its mode of attack. Like a DDOS, a virus generally refers to a malicious program that self-replicates but requires some user interaction to be initiated. In this case, the virus/bot has a malicious payload (instruction) that it is meant to execute.

Here is an example by my friend Jonathan Weismann at Rochester Institute of Technology:

If Harry the hacker sends ten, one hundred or even one thousand pictures to an important web server, nothing will happen.

However, if Harry the hacker puts a program on ten thousand user machines and they each are instructed to place programs on thousands of other machines, when the time comes, Harry the hacker will give the kill signal and all machines known as zombies in this botnet, robot network, will be sending traffic to a poor victim’s server that will come to a grinding halt.

Attribution challenge and Recurrence

Cyber-attacks similar to the Zimbabwean one are difficult to attribute to any particular adversary unless such adversaries leave forensic footprints. We cannot predict recurrence during the 2018 election or in future with any degree of certainty because information controls are often applied in highly dynamic ways often responding to events on the ground displaying wide-ranging motives.

There has been an accelerated, dynamic and complex pace of events in Zimbabwe since the November 2017 power transfer. The country’s diversified international business partners potentially open up and diversify the vendors in the market for computer espionage and surveillance in addition to the so-called Huawei problem. Whereas China, also a major investor in Zimbabwe, continues to top the charts with its nation-sponsored surveillance activity, aspects of lesser-known nation-states and benign entities give cause for concern as they can hide in the darker parts of the internet. A good example was the hacking into the Zimbabwe Government websites. The attack vectors are expanding to include the use of social media to influence the opinions and actions of large populations.

Mitigation

The Zimbabwe case study and other recent attacks such as on the DNS Company Dyn shed a few lessons.

DDOS attacks happen very fast and are hard to detect, yet their consequence can be devastating. There can be a long time lapse between an attack, detection and mitigation. One needs a faster, more immediate means of threat detection to prevent severe damage. There’s little an organisation can do to prevent threats which may be the result of larger geopolitical forces but one can substantially reduce the likelihood of the adversaries’ chances to succeed by reducing their own vulnerability, and in turn, their own risk. This may include taking technical measures but also a holistic approach. For example, albeit on a different subject, Citizen Lab Research on targeted malware attacks reveal that the technical sophistication of [attacks] may be fairly low, with more effort placed on social engineering.

In our case the following non-prescriptive steps could have helped mitigate the impact of the DDOS attack:

  • Web content back up, including hosting a blog hosted on a separate platform where we could re-direct our readers.
  • Improving our firewall and password combinations as it appears the adversary gained entry onto our website dashboard to wipe out content.
  • Closely paying attention to the tell-tale signs such as the increase in the number of partisan subscribers.
  • Establishing a good relationship with the web-host and sharing concerns during key political events to enable their technical team to be prepared.
  • Draft an organisational DDOS attack playbook. This document sets out the systematic procedure to be followed in case of a DDOS attack. It helps ensure that organisational staff responds to the attack in an organised manner.

Top 100 IP Blog

Best Education Blog Winner 2015

Subscribe to our mailing list

Subscribe to our mailing list

Follow us on Twitter

Tweets by @StrathCIPIT
July 2018
M T W T F S S
« Jun   Aug »
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Kenyan Blog Awards

Archives

  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • May 2019
  • April 2019
  • February 2019
  • December 2018
  • November 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • August 2012

Categories

  • 2019 CENSUS
  • Access to Essential Medicines
  • Access to Information
  • Access to Knowledge
  • Agri-Policy
  • Artificial Intelligence
  • Bitcoin
  • Blockchain
  • CIPIT Insights
  • CIPIT news
  • Collective Management Organisations
  • Copyright
  • Counterfeits
  • Creative Commons Kenya
  • Data Protection
  • Database Rights
  • Digital Identification
  • Digital Rights
  • E-Commerce and the Law
  • Elections
  • Fashion
  • Freedom of Access
  • Freedom of Assembly
  • Freedom of Association
  • Freedom of Expression
  • Guest Post
  • Information Controls
  • Information Technology
  • Intellectual Property
  • Lions' Den
  • M-Pesa
  • openAIR
  • Patent
  • Plant Breeders' Rights
  • Public Interest
  • RIght to data protection
  • RIght to Privacy
  • Science Technology & Innovation
  • Social Media and the Law
  • Software Patents
  • Sui-Generis Protection
  • Tech-Legislation
  • Technology & Innovation
  • Technovation
  • Trademark
  • Traditional Cultural Expressions
  • Traditional Knowledge
  • TRIPS
  • Uncategorized
  • Utility Model

Proudly powered by WordPress Theme: Chateau by Ignacio Ricci.