<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <meta charset="utf-8">
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"
      id="docs-internal-guid-1437e203-8f6e-a416-1981-35f88b9084ef"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Hi
        Arturo and all,</span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">When
        it comes to ethics of soliciting measurements and informed
        consent, I have a different take which has been my research
        topic over the past years.  There are many reasons why I think
        that directly measuring censorship is scary.  First of all, you
        need to acquire reliable vantage points to run your
        measurements. Volunteering one’s machine to foreign researchers,
        or operating a device on their behalf, might be viewed by the
        government as espionage.  Besides, many regions, especially
        places where we don’t have good infrastructure, have a limited
        number of companies/volunteers (if any) that allow foreigners to
        rent computers inside the country.  All the current direct
        approaches, such as RIPE Atlas [1] or other distributed
        platforms or volunteers running Raspberry Pis are often easy to
        spot and data collected from them may not be reliable.  For
        example, regarding China, we showed [2] that censorship is
        different in CERNET (China Education and Research Network)
        compared to other ISPs.</span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">When
        it comes to measuring connectivity, I believe that it is better
        to involve the whole country in doing the measurements rather
        than volunteers whose safety is at stake.  Therefore, I have
        developed effective methods for remotely measuring Internet
        censorship around the world, without requiring access to any of
        the machines whose connectivity is tested to or from. These
        techniques are based on novel network inference channels, a.k.a
        idle scans. That is, given two arbitrary IP addresses on the
        Internet that meet some simple requirements such as global IPID
        behaviour, our proposed technique can discover packet drops
        (e.g., due to censorship) between the two remote machines, as
        well as infer in which direction the packet drops are occurring.
         Here are more references to read [3,4]. Basically, for one of
        the idle scans (hybrid idle scan), we only create unsolicited
        packets (a bunch of SYNACK and RST segments) between two remote
        IPs, and look at the changes in the global IPID variable to
        infer whether censorship is happening and if so, in which
        direction packets are dropped.</span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">   
      </span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">   
      </span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">   
      </span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">   
      </span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">   
      </span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">   
      </span></p>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Back
        to my main point, why I am trying so hard to convince you that
        we also need to use side channels and how this relates to
        ethics, well, here is the story: The discussion you brought up
        has been discussed heavily in academia in the past six months
        after two papers got rejected from the IMC conference because of
        ethics. One of them was my paper [2] after having received good
        reviews on the technical contribution. Here is the link to the
        reviews: </span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;"><a class="moz-txt-link-freetext" href="https://imc2014.cs.wisc.edu/hotcrp/paper/243?cap=0243a2kWYrwVqbv0">https://imc2014.cs.wisc.edu/hotcrp/paper/243?cap=0243a2kWYrwVqbv0</a></span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">I
        personally just got an email with above link from IMC, and
        because of having had a single-entry visa, I couldn’t attend IMC
        or the Citizen Lab workshop where a lot of the discussions about
        ethics were taking place. The ethical issues that usually come
        up are two: First, using idle scans, no consent from users is
        collected. Second, censors could mistakenly assume that two
        machines measured by us are deliberately communicating with each
        other.  This could have negative consequences if a censor
        believes that a user is communicating with a sensitive or
        forbidden IP address. </span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">In
        response to the latter argument, it is unlikely that a censor
        would come to such a conclusion as only RST segments are created
        from a client inside a country to a server and only SYN/ACK
        segments are sent from a server to a client inside the censoring
        country.  An adversary would not witness a full TCP handshake,
        let alone any actual data transfer.  <br>
      </span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">One
        mitigation technique that I have been focusing on is to use
        routers instead of end points for the side channel measurements.<br>
        <br>
      </span></p>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">If
        you or anyone else is interested in using these techniques, I am
        more than happy to help.</span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Roya</span></p>
    <br>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">[1]
      </span><a href="http://cartography.io/"
        style="text-decoration:none;"><span
style="font-size:15px;font-family:Arial;color:#1155cc;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;">http://cartography.io/</span></a></p>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">[2]
        <a class="moz-txt-link-freetext" href="http://arxiv.org/abs/1410.0735">http://arxiv.org/abs/1410.0735</a></span></p>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">[3]<a class="moz-txt-link-freetext" href="http://arxiv.org/pdf/1312.5739v1.pdf">http://arxiv.org/pdf/1312.5739v1.pdf</a></span></p>
    <p dir="ltr"
      style="line-height:1.15;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">[4]<a class="moz-txt-link-freetext" href="http://www.usenix.org/event/sec10/tech/full_papers/Ensafi.pdf">http://www.usenix.org/event/sec10/tech/full_papers/Ensafi.pdf</a></span></p>
    <br>
  </body>
</html>