Thursday, August 20, 2015

Session 11 Paper 4: Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests

Authors: Sam Burnett (Georgia Tech), Nick Feamster (Princeton)

Presenter: Sam Burnett

Link To Paper
Link To Public Review

More recently there have been studies that focus on internet censorship. One  essential roadblock when looking into such global events is the lack of hight quality data (What ,When and How stuff is being censored). In this talk, the authors present "Encore", a web-based censorship measurement platform that leverages on cross-origin requests. Encore achieves global visibility without installing any vantage points.

Current censorship mechanisms operate on the basis of anecdotal evidence. They require to install vantage points, but the problem is scalability. When censorship is happening in different regions and cultures, there are barriers that are difficult to overcome required to install such infrastructure.

Interestingly, social scientists really need this data, so to help them, Encore, convinces webmasters to install a snippet on their pages, which then reports to the central collection server that collects measurements.

The diagram above shows how encore works. A recruited site, when loaded within the censoring country generates a cross-origin request which reports it to the collections server weather the page loading was successful or not.

As most browsers do not allow cross-origin data reads, encore is designed in such a way that it only needs to see if access to the site was possible, which can be done without this functionality. Some examples that can be loaded using the Encore framework include iframes,  images and stylesheets. Furthermore, the operation is also browser independent.

 Data collection with Encore was done with the help of 17 webmasters and  9 months of data was collected. To validate the results, the authors also develop a testbed to perform controlled experiments. Most of the actual measurements were performed on the popular websites that already have cross-origin requests, for instance, the "facebook like" being button loading on some third party webpage.

As far as the nontechnical aspects are concerned, because Encore loads potentially harmful URLs and informed consent is not possible, there needs to be work to protect users.

Q : What if the censoring countries decide to block the webmasters, won't that be an economic rundown for them if they volunteer?
A: Yes that is correct, this is based on good will that the webmasters will install it on their systems.

Q: How is Encore different from certain censored lists?
A: We essentially want to transform these anecdotes and convert them into detailed data.

Q: You might be violating any ISP based residential laws, have you thought about that?
A: That is a very good, and we have not looked into it.

Q: Do you think cross-origin requests are in the right space?
A: If there is a cross-domain request that is causing someone harm, this  definitely need to be fixed and we are not the only ones who are doing this, there are people out there already.