[ooni-talk] OONI Probe ASN Incident Report

Maria Xynou maria at openobservatory.org
Fri Oct 9 14:59:17 UTC 2020


Hello,

Last week we discovered an ASN-related bug in OONI Probe.

Today we published an Incident Report which shares details about the
bug, what we did to fix it, and our next steps (as well as measures for
limiting the possibility of similar bugs recurring in the future).

You can read our Incident Report here:
https://ooni.org/post/2020-ooni-probe-asn-incident-report/

## What you can do

Please update to OONI Probe Mobile 2.7.0 (which fixes the bug):
https://ooni.org/install/mobile

If you're an OONI Probe desktop app user and you prefer *not* to share
your network ASN, please refrain from running tests until we have
released the fix -- hopefully next week (this requires third party action).

If you're a legacy ooniprobe user, please use the OONI Probe Command
Line Interface (CLI) instead. Version 3.0.8 contains the bug fix:
https://github.com/ooni/probe-cli/releases/tag/v3.0.8

Over the next year, we aim to release OONI Probe Linux packages which
would serve as a replacement for legacy ooniprobe.

## The bug in summary

When you run OONI Probe, by default your network ASN (e.g. AS30722 for
“Vodafone Italia”) is collected and published, as this information is
very important for examining internet censorship (i.e. it's important to
know on which network internet censorship is implemented).

Through the OONI Probe apps, you can opt out of ASN collection (and
publication) by disabling the "Include Network Info" setting.

The bug is that if you disabled this setting, your network ASN was not
published in the OONI Explorer measurement page or in the raw JSON data
(where it was displayed as AS0), but it was included in the report ID of
those measurements.

During our investigation, we also found that in some cases, the network
name (such as "Vodafone Italia") was included in AS0 measurements, and
that it may have been possible to retrieve the ASN through the resolver
IP (which we previously didn't sanitize because it's useful for
measuring DNS consistency).

All of these issues have been fixed in our probe engine, and we have
released a fix for OONI Probe Mobile (as mentioned above).
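The failure mode above is a classic ordering bug in data sanitization: an identifier gets baked into a derived value (the report ID) before the user's opt-out is applied, so scrubbing the primary field later does not remove it. The following Go program is an added illustration written for this post, not code from the OONI probe engine or probe-cli. It models a measurement with only the fields the email names, shows a buggy finalizer that derives the report ID before honouring the "Include Network Info" setting next to a fixed one that scrubs first, and adds a release-time `Leaks` check that lists every field of an opted-out measurement still carrying the real ASN, network name or resolver IP. The `Measurement` struct, the `<test>_<asn>_n1` report-ID layout, the empty-string placeholders for the scrubbed name and resolver, and the sample resolver address are all assumptions made for this example; only `AS0` and the AS30722 / "Vodafone Italia" values come from the email.

```go
package main

import (
	"fmt"
	"strings"
)

// Measurement is a constructed, minimal model of the fields the email says
// can identify a user's network. It is not OONI's actual data format.
type Measurement struct {
	TestName         string
	ProbeASN         string // e.g. "AS30722"
	ProbeNetworkName string // e.g. "Vodafone Italia"
	ResolverIP       string // the DNS resolver the probe used
	ReportID         string
}

// Placeholders written when the user opts out. "AS0" is the value the email
// mentions; the empty strings are chosen for this example (assumption).
const (
	redactedASN     = "AS0"
	redactedNetName = ""
	redactedIP      = ""
)

// finalizeBuggy mirrors the failure mode in the email: the report ID is
// derived from the real ASN before the opt-out is applied, so the ASN
// survives inside ReportID even though ProbeASN itself reads AS0. The
// network name and resolver IP are also left untouched, which are the two
// secondary leaks the investigation found.
func finalizeBuggy(m Measurement, includeNetworkInfo bool) Measurement {
	m.ReportID = fmt.Sprintf("%s_%s_n1", m.TestName, m.ProbeASN) // constructed layout
	if !includeNetworkInfo {
		m.ProbeASN = redactedASN
	}
	return m
}

// finalizeFixed applies the opt-out first, scrubbing every field that can
// reveal the network, and only then derives anything from the measurement.
func finalizeFixed(m Measurement, includeNetworkInfo bool) Measurement {
	if !includeNetworkInfo {
		m.ProbeASN = redactedASN
		m.ProbeNetworkName = redactedNetName
		m.ResolverIP = redactedIP
	}
	m.ReportID = fmt.Sprintf("%s_%s_n1", m.TestName, m.ProbeASN)
	return m
}

// Leaks is a release-time check for opted-out measurements: given the values
// the probe observed before scrubbing, it lists every field that still
// contains one of them. An empty result means nothing identifying remains.
// The report ID is checked against the bare ASN number so that both
// "AS30722" and "30722" are caught.
func Leaks(m Measurement, realASN, realNetName, realResolverIP string) []string {
	var out []string
	check := func(field, value, secret string) {
		if secret != "" && strings.Contains(value, secret) {
			out = append(out, field)
		}
	}
	check("probe_asn", m.ProbeASN, realASN)
	check("probe_network_name", m.ProbeNetworkName, realNetName)
	check("resolver_ip", m.ResolverIP, realResolverIP)
	check("report_id", m.ReportID, strings.TrimPrefix(realASN, "AS"))
	return out
}

// sampleMeasurement is constructed input; the resolver address is from the
// 203.0.113.0/24 documentation range and does not belong to any real network.
func sampleMeasurement() Measurement {
	return Measurement{
		TestName:         "web_connectivity",
		ProbeASN:         "AS30722",
		ProbeNetworkName: "Vodafone Italia",
		ResolverIP:       "203.0.113.53",
	}
}

func main() {
	in := sampleMeasurement()
	variants := []struct {
		name     string
		finalize func(Measurement, bool) Measurement
	}{{"buggy", finalizeBuggy}, {"fixed", finalizeFixed}}
	for _, v := range variants {
		out := v.finalize(in, false) // user disabled "Include Network Info"
		fmt.Printf("%-5s report_id=%q leaks=%v\n", v.name, out.ReportID,
			Leaks(out, in.ProbeASN, in.ProbeNetworkName, in.ResolverIP))
	}
}
```

Running it shows the buggy path reporting `AS0` in `probe_asn` while `Leaks` still flags `report_id`, `probe_network_name` and `resolver_ip`; the fixed path reports no leaks. The design point is that every derived artefact (IDs, file names, log lines) must be computed from the already-scrubbed record, and a check like `Leaks` run over opted-out measurements before release catches regressions of this kind.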

## Affected measurements

Most OONI Probe users were *not* affected by this bug, since roughly 86%
of OONI measurements collected from around the world did not disable the
collection and publication of network information, which is enabled in
the default settings.

According to our analysis, only around 2% of global OONI measurements
leaked the user network ASN in the report ID (this mainly involves new
probes), and about 12% of global OONI measurements might have disclosed
the ASN through the client resolver in OONI’s Web Connectivity test
(this mainly involves legacy probes).

We made changes to OONI Explorer to hide AS0 measurements, and further
details are available through our Incident Report.

The OONI team apologizes to the OONI community for this incident. We
would never intentionally harm our users, we value and respect user
choice, and we take seriously the trust our users have placed in us. We
do our best to give you as much control over how you use OONI Probe, but
sometimes we make mistakes. We will always be transparent when such bugs
occur.

To learn more about our data practices and about the principles that
govern OONI data collection, please refer to our Data Policy:
https://ooni.org/about/data-policy

If you have any questions or concerns related to this incident, please
don't hesitate to reach out.

Thank you,

Maria (on behalf of the OONI team).

-- 
Maria Xynou
Research & Partnerships Director
Open Observatory of Network Interference (OONI)
https://ooni.org/
PGP Key Fingerprint: 2DC8 AFB6 CA11 B552 1081 FBDE 2131 B3BE 70CA 417E