Anyone in Zimbabwe who seeks to express himself or herself must be acutely aware of the level of oppression in the country. The dictatorship of President Robert Mugabe has grown more and more tyrannical over the years to a point where, currently, the most benign criticism of the regime is likely to land one in a jail cell, or at least earn one a visit with the gentlemen of the Central Intelligence Organization.
Zimbabwe is one of the most wired countries in Africa. That is just one indication of the surfeit of “raw materials” for democracy that the country contains. No longer the “breadbasket of Southern Africa” Zimbabwe teeters on the edge of famine. Likewise, the brain drain has weakened the country intellectually. However, enough of the vigorous minds have remained that Mugabe has felt it necessary to increase restrictions on free speech to include the electronic realm.
First, he had the congress pass the Post and Telecommunications Act of 2000, which allowed the interception of email. Fourteen people were arrested for forwarding an anti-Mugabe message under this so-called law. When Zimbabwe’s Supreme Court declared these elements of that act unconstitutional, Mugabe had several other repressive laws passed to make up for them. Foremost among these is the Access to Information and Protection of Privacy Act.
The state of the country regarding free speech is this: There is none. There are no independent radio or television stations, no independent daily newspapers. There are no foreign reporters in the country. One of the most powerful groups to take up the slack are bloggers.
Mugabe, in April of this year, contracted with the Chinese government to secure access to their Internet censorship knowledge and technology. There has yet to be any report that these have been implemented and in October of this year even the Chinese found Mugabe so isolated it refused to help him with his food problems, outgrowth, in part, of his seizure of white-owned farms, which he gave as gifts to political supporters.
Bloggers press on. The efforts of these individuals, estimated to number between 50 and 100, exert a disproportionate influence on their country and on international discourse about Zimbabwe, due to several factors: The lack of any other information and the resolution and intelligence of the bloggers themselves, who have broken news such as the daylight murder of a woman by the police in Bulawayo and the bulldozing of housing for the poor in Harare.
None of you who are blogging in Zimbabwe, or who are considering it, need anyone else to remind you to take care when blogging. We may be able to help you, however, by laying out for you the different tools at your disposal that will allow you to blog safely and explaining how to use them.
By blogging safely, what do we mean? Zimbloggers know…
TO BLOG SAFELY IS TO BLOG ANONYMOUSLY
Most bloggers and other online users arrested around the world for critical speech were discovered because they took no pains at all to disguise who they were. Zimbabwe’s bloggers know better. And because they know better, none have been arrested. Yet.
Nevertheless, we stress: Since, in Zimbabwe, all blogs may be suspected of being rebellious in some way, we remind you: Do not blog using your real name.
It has been said that anyone or any state with enough resources and time will be able to find out the identity of anyone on the Internet. Zimbabwe’s cooperation with the Chinese government makes it a more dangerous opponent of bloggers than ever before. The key is to put more effort and time into staying anonymous than anyone in the government will put into discovering it. Some people in some places may need to devote relatively little work in order to say safe. Others may need to do quite a bit of work.
There are two major ways your identity can be discovered while blogging. One is by revealing your identity through the content you post. For instance, if you write, "I'm a third-year education student at the University of Zimbabwe, I come from Chegutu," there's a good chance that someone reading your blog will be able to figure out who you are.
The other way to get discovered is if someone identifies you from information your web browser or email program provides. Every computer attached to the Internet has, or shares, an address called an IP address. That is a series of four numbers from 0-255, separated by dots, for instance: 213.24.124.38.
With a little work, the authorities may be able to trace any posting you make back to your computer. If you use a home computer and dial into an Internet service provider (ISP), this ISP will have a record of which computer dials in at what time and accesses which information.
There are a number of ways you can hide your identity when using the Internet. As a general rule, the more secure you want to be, the more work you will need to do to hide your identity. Some of the strategies for protecting identity online require a great deal of technical knowledge and work. But they all start with basic, common sense measures.
BASIC ANONYMIZATION MEASURES
Never use your real name. We don’t mean just on your blog. We mean when signing up for your blog you must use a pseudonym. And when you are signing up for your web-based email, also use a fake name. It is very easy to trace traffic from your home or work email unless you use a remailer, which we will talk about later; so we advise you use a web-based email, which we will also talk about in greater depth later.
A good general rule for anonymous blogging: Never use any service that you must pay for or that you sign up for via the government or that uses a service that must report to the government. And do not register with the authorities, of course.
Do not use any identifying information on your blog. For the reasons discussed above, do not use a nickname, for instance, that people know is yours. Do not use one that identifies you somehow. Do not talk about your street or neighborhood, what you do for a living or where you work, or specifics about who you know, where you have traveled and so forth. Otherwise, you will be providing investigators with leads to your identity.
Here's the problem with this strategy. When you sign up for an email service or a weblog, the web server you are accessing logs your IP address. If that IP address can be traced to you, for instance if you are using your computer at home or at work, you could be found.
One additional step you could take to hide your identity is to do your work on heavily-used computers. Rather than setting up your webmail and blogging accounts from your home or work computer, you could set them up from a computer in a cybercafe, a library, or a university computer lab. Should anyone trace the IP used to post a comment or a post they will discover that the post was made from a cybercafe, where any number of people might have been using the computers.
There are flaws in this strategy as well. If the Internet café or computer lab keeps track of who is using what computer at what time, your identity could be compromised. Do not use computers at places like these in the middle of the night or other times when you are likely to be the only person there. If you use Internet cafés, change which ones you use often. If the authorities decide to look into a blog and discover that all the posts are coming from a specific café, it would not be hard to send police to watch who visits.
ANONYMOUS PROXIES
If you choose to, you can take the trouble to use what is called a “proxy.” If you access the Internet through a proxy, you will leave behind the IP address of the proxy server, instead of the address of the computer you are using.
The difficulty in using proxies and anonymizers (we will cover these later) is that they are frequently among the first sites to be blocked by a government seeking control of its people. That is currently not the case in Zimbabwe, but it is something to watch out for. Should Zim begin to block proxies, you may have to search for new proxies as old ones are blocked. Another option (also covered below) is to use Peacefire’s Circumventor program, or another “social” option.
To use a proxy, first choose a proxy server from one of these lists, or find one yourself on a search engine like Google http://www.google.com.
Now, open the “preferences” or “options” section of your web browser. Under the “general”, “network” or “security” tab (usually), find an option to set up a proxy to access the Internet. Here is a set of instructions http://www.freeproxy.ru/en/free_proxy/howuse.htm for various browsers.
Turn on “manual proxy configuration”, enter the IP address of the proxy server and port into the fields for HTTP proxy and SSL proxy and save your settings. Restart your browser.
Your connection to the web will seem a bit slower because every page you request from a web server takes a detour. Instead of connecting directly to Hushmail, for instance, you connect to the proxy, which then connects to Hushmail. When Hushmail sends a page to you, it goes to the proxy first, then to you. You may also notices some trouble accessing websites, especially those that want you to log in.
A final problem is that if authorities discover you have been using a proxy, that in itself may constitute “proof” of wrongdoing.
“SOCIAL” OPTIONS
One way around the excessive blocking of proxies is to use Peacefire’s Circumventor.
To do this, you will need a friend outside of Zimbabwe whom you trust. They will need to set up Circumventor on their computer. Your friend downloads Circumventor http://www.peacefire.org/circumventor/simple-circumventor-instructions.html from the Peacefire site and installs it on his Windows system. It is not easy to do. First, he needs to install Perl on his system, then OpenSA, then Circumventor.
After these installations, he will needs to keep his computer connected to the Internet constantly, so you can use it as a proxy without asking each time. But you will, once it is set up, be able to surf the web, post to your blog, and use your email, all through the proxy your friend has created on his machine by using Circumventor. You can even use it at an Internet café, because the proxy is not listed as such in the state’s filtering technology, so it is not very suspicious.
Here’s the problem with this system: your friend’s computer, running Windows, often reboots. Each time it does, it is assigned a new IP address. And every time this happens, your friend will need to contact you with the address. (Probably cellular phone calls are best for this.) There is always the chance that this proxy will be recognized in time as such by the government.
Another social option is to use Adopt-a-Blog http://www.adoptablog.org/. Designed originally for blocked blogs in China, you can contact this service with a request that someone outside your country host a blog on their server. The server hosting your blog is unlikely to be blocked and, if it becomes blocked, your blog is moved to a different server.
If you know someone trustworthy outside the country, another option is to simply ask that person to set up a blog for you and then to post to it either using a proxy, or by contacting them via web-based email, encrypted email or by using a remailer system (see below). It is highly advisable, however, not to trust anyone quickly whom you do not know. Established human rights and free speech groups might be willing to connect you with trustworthy people willing to help.
TOR ONION ROUTING
Tor, an “onion routing” system takes the idea of proxy servers to a new level of complexity. Each request made through an onion routing network goes through two to 20 additional computers, making it hard to trace what computer originated a request. Each step of the Onion Routing chain is encrypted, making it harder for the government to trace your posts. Furthermore, each computer in the chain onlyknows its nearest neighbors. In other words, router B knows that it got a request for a web page from router A, and that it's supposed to pass the request on to router C. But the request itself is encrypted: router B doesn't actually know what page you are requesting, or what router will finally request the page from the web server.
Given the complexity of the technology, it is surprisingly easy to install Torhttp://tor.eff.org/cvs/tor/doc/tor-doc-win32.html. You download an installer which first installs Tor on your system, and then downloads and installs Privoxy, a proxy that works with Tor.
The Tor system will make it look at one point like you are on a computer at Harvard University, and then it looks like you are in Germany, and so forth, changing all the time as you reload or sign on at different times. Tor is changing your identity from request to request, helping to protect keep your identity private.
This has some a couple of unintended consequences. When you use Google through Tor, it may switch languages on you. One search may be in English; another may be Japanese, German, Danish or Dutch, all in the course of a few minutes. Some sites, Wikipedia, for instance, may not allow connections from a Tor system. Your surfing may slow down quite a bit at times. And, of course, you are reliant on your home computer, since you cannot install Tor on a public machine. Most worrisome, though, is Tor’s occasional malfunctioning: it may sometimes stop working. Your ISP may block some Tor routers.
TORPARK
TOR is somewhat difficult to install for a non-technical user. Although much easier than most anonymizing technologies, it can still be tricky. Also, if you are accessing the Internet from an Internet café, it is unlikely you will be able to install TOR on the computers you are using.
When you insert your USB key into the port of a computer equipped with Windows 2000 or XP and you run the Torpark application, an anonymized browser window will open, allowing you to surf the web, leaving few or no traces behind.
One click starts a script, opens a DOS window and a browser, which then surfs through TOR. Ejecting the USB key removes obvious traces from the system. The browsing experience is the slow, but satisfactory, experience you get when browsing with TOR.
There are some problems: Stylesheet-heavy pages tend to look bad, as some graphics and files fail to load. Some images break. But for the most part, you can surf the web effectively.
There are three difficulties that may prevent some users from adopting Torpark as their preferred method of surfing.
First, not everyone has a USB key. Securing access to a reasonably priced key may be difficult for some people. There may be a lack of supply or the price may place it out of reach for many, especially for Zimbabweans in the current environment.
Second, many Internet cafés may not allow you to attach a USB key to their machines. Should the recently-contracted Chinese filtering regime be put into place, it will be eventually be impossible to make any move online in an Internet café without it being known, though for now it can be done.
Finally, TOR uses a small, published list of servers that transfer and obscure packets. In any country that employs a firewall, it is reasonable to assume that the administrators block traffic from the servers that are currently listed http://proxy.org/tor.shtml and add any new servers to the blacklist when they come online. Again, that is mostly not the case in Zimbabwe today, but should the Chinese system be employed, it will become a reality
Torpark can be downloaded http://torpark.nfshost.com/ in English, Chinese, French, Slovenian, Russian, Korean, Hebrew, Polish and Turkish and other languages.
MIXMASTER, INVISIBLOG AND GPG
There are a number of additional options that do no require proxy servers. One such service is Invisiblog http://www.invisiblog.com/. You do not post to Invisiblog via the web, as you do with most blog servers. You post to it using specially formatted email, sent through the Mixmaster remailer system, signed cryptographically.
That sounds complicated. It is. But here is what you do. First, go to GPG http://www.gnupg.org and set up a “public-key encryption system.” (Public-key encryption is a technique that allows you to send messages to a person that only the recipient can read. Public key encryption also allows people to “sign” documents with a digital signature that is almost impossible to forge.)
Then, set up Mixmaster http://mixmaster.sourceforge.net/, a mailing system designed to obscure the origins of an email message. Mixmaster uses a chain of anonymous remailers (computer programs that strip all identifying information off an email and send it to its destination) to send email messages with a high degree of anonymity. By using a chain of 2 to 20 remailers, the message is very difficult to trace, even if one or more of the remailers is “compromised” and is recording sender information.
Unfortunately, you have to “build” Mixmaster by compiling its source code, a project that requires a great deal of technical know-how.
Once set up, you send a Mixmaster message to Invisiblog, which includes your public key. Invisiblog will use this to set up a new blog for you, with a name like “invisiblog.com/ac4589d7001ac238”. (The long string is the last 16 bytes of your GPG key.) Once your Invisiblog is set up, you send future posts to by writing a text message, signing it with your public key and sending it via Mixmaster.
The misdirection of Mixmaster mailers means that it takes anywhere from two hours to two days for your message to reach the servers. And you must be very careful about looking at your blog. If you look at it too often, your IP address will appear in the blog's log frequently, signaling that you are probably its author. You can be somewhat reassured by the fact that the owners of Invisiblog have no idea who you are.
The main problem with the Invisiblog system is the fact that it is very difficult for most people to use. Most people find GPG a challenge to set up and have difficulty understanding the complexities of public and private keys. More user-friendly cryptographic tools, like Ciphire https://www.ciphire.com/, have been set up to help less technically proficient users, but even they can be difficult. These tools are also frequently blocked by repressive regimes. Another issue that makes this difficult is that if the authorities ever take your computer and find your private key, it would be considered highly suspicious in itself and might be used as evidence that you were the author of the blog. If you do succeed in sending out mail messages wrapped in strong encryption, like Mixmaster, you run the risk of attracting the attention of the Internet authorities.
CONCLUSION
You have a right to be heard. Your voice is important to Zimbabwe, both for its present and its future. And you are powerful. However, in speaking the truth on a blog you will be putting yourself in danger. So, please consider the possible consequences. If you are intent on proceeding, or continuing, do so as safely as possible and as anonymously as you can. Contradicting the fictions of a tyrant requires at least as much discretion and common sense as bravery. Someone who cares about this future can do no good mute. You must remain in possession of your voice.
To that end, we have covered basic anonymization measures, such as pseudonymous blogging and web-based email; proxies; social options, such as individual Circumventor proxies, Adopt-a-Blog and assisted blogging; Tor servers’ onion routing; and very complex email-based blogging systems like Invisiblog.
None of these, nor any combination, is foolproof. There will always remain a chance that you will be discovered and the authorities, which fear the intellect of their own people, will succeed in silencing you. Be very careful. You are fellow bloggers, as well as fellow human beings, and we wish above all for you to remain free and safe.
Please forward this document to anyone you think might benefit from reading it. You are also welcome to add to it your ideas, experiences and experiments—though we ask you leave in place all warnings about the dangers of speaking up and the provisional nature of all anonymizing techniques, tools and processes. Perhaps you have information we do not. Perhaps you know of additional measures to take that we have not covered. Let’s share with each other and take care of one another.
LEGAL
We make no warranty as to the accuracy of the information contained in these guides. The reader assumes all responsibility for the risk of using them.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Comments (0)
You don't have permission to comment on this page.