Tracking network interference around political content in Malaysia

Aasil Ahmed and Katherine Maher contributed to this post.

On Sunday, May 5th, Malaysia will go to the polls for a highly contested general election, potentially ending 56 years of single-party rule. But ever since the elections were announced in April, the internet has become a target: opposition websites and independent media have experienced significant network interference, and with the election days away, the pressure is intensifying.

By all accounts, Malaysia’s election on Sunday will be the closest in the country’s history, with many observers expecting the country to undergo its first handover of power to an opposition party since independence from the British in 1957. Despite its status as a democratic constitutional monarchy, the ruling party has a track record of suppressing opposition parties and civil society, and as the country has moved online, so too have the repressive tactics.

The country has gone to great lengths to promote internet and mobile network penetration for socioeconomic development. Since the late 1990s, internet access has been a major part of Malaysian political discourse: internet penetration is greater than 60%, mobile phone penetration above 124%, and the country boasts some of the highest rates of social media participation in the world.

But over the past five years, websites friendly to opposition parties have been targeted with DDoS attacks and the operators and employees of independent news sites have been harassed by the police. Bloggers, photographers, and journalists have been arrested and detained, sometimes under the country’s Internal Security Act (ISA), which allows for indefinite detention without trial. As the country’s traditional media remains state-controlled, ranking 145th on the RSF Media Freedom Index, the internet is a critical tool for political dissent and free expression.

Political sites and content inaccessible

In the last week of April, users on select ISPs found they could not access certain websites critical of the ruling government. These ISPs include (but are not limited to) Unifi, TM, Celcom, Digi, and Maxis; however, services offered by Time and YTL did not appear to be affected.

At the time, staff at one of the country’s most popular independent news sites, Malaysiakini, complained to the country’s media regulatory body, the Malaysian Communications and Multimedia Commission (MCMC), and interference ceased. But days later, users were experiencing new difficulties accessing select content, again on the same five ISPs: Unifi, TM, Celcom, Digi, and Maxis.

The second round of filtering was far more specific than the first. Initially, entire domains (and therefore whole websites) were blocked; this time the filtering appeared to target specific content, such as YouTube videos with political content that could be deemed embarrassing to the ruling government.

And instead of blocking content outright, the block was implemented in the traffic stream coming back from the content provider, such as YouTube. Users were able to open a connection to YouTube, but were not receiving any data back. Their connection would ‘hang,’ or fail to complete bidirectionally, in a manner that resembled a problem on the sending server side (YouTube), rather than outright blocking.

Evidence of network interference

Working with local partners, Access was able to determine that unencrypted requests for political content on those five ISPs, whether sent directly to YouTube or via proxies to YouTube, experienced this failure in the return data stream, including when a proxy was configured to use non-standard transmission ports. This indicates that the interference was being triggered either by deep packet inspection (DPI) or by the HTTP path in the request to the server, rather than by more ‘standard’ IP address and port blocking.

When Access’s partners attempted to use an encrypted tunnel out of Malaysia, YouTube returned data downstream as usual, further indicating the use of either DPI or HTTP path based interference, as neither the HTTP path nor the packet content is visible to the ISP when users transmit requests through an SSH-encrypted tunnel.

Packet capture testing demonstrated that requests using proxies always dropped return packets between the proxy server and the end user, indicating that the interference was happening in the ‘near’ network, i.e., their local ISP, rather than in the ‘far’ network, near the YouTube server request.

Further experiments that appended junk bytes to the URL path of a YouTube request resulted in the video being delivered normally, suggesting a transparent proxy or DPI device at the ISP level that uses the HTTP path as its trigger and then drops return packets directed to the user.

Further testing also indicated that when the HTTP request was sent fragmented from the user, it defeated the interference mechanism, and the YouTube video was again streamed back to the user as normal. This behavior points to the likely use of DPI or proxy devices at the ISP level, with custom (if poorly written) rules that first trigger on the HTTP path portion of the URL and subsequently drop packets on the server-to-user return path.
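The four probes described above (plaintext request, request through an encrypted tunnel, junk bytes appended to the path, and a request split across TCP segments) can be combined into one diagnostic. The following is an added example, not Access’s own measurement tooling; it assumes the tunnel is a local SSH port forward (`ssh -L 8080:HOST:80 ...`) so that `connect_to=("127.0.0.1", 8080)` reaches the server with only SSH visible to the ISP, and the outcome labels are the author’s own.

```python
import socket
import time

def build_request(host: str, path: str, tail: str = "") -> bytes:
    """Minimal plaintext HTTP/1.1 GET; `tail` is junk appended to the path (the junk-bytes probe)."""
    return (f"GET {path}{tail} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\nUser-Agent: probe/0.1\r\n\r\n").encode()

def split_request(req: bytes) -> tuple[bytes, bytes]:
    """Cut the request inside the path so the full path never sits in one TCP segment."""
    cut = req.index(b" HTTP/1.1") // 2  # roughly the middle of the request line
    return req[:cut], req[cut:]

def probe(host, path, connect_to=None, tail="", fragment=False, timeout=8.0) -> str:
    """'ok' = response bytes came back; 'hang' = connected but nothing returned before
    timeout or close (the symptom in the post); 'error' = connection failed outright.
    connect_to=(ip, port) sends the identical request via a local forwarder/tunnel."""
    req = build_request(host, path, tail)
    try:
        with socket.create_connection(connect_to or (host, 80), timeout=timeout) as s:
            s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)  # discourage coalescing
            if fragment:
                head, rest = split_request(req)
                s.sendall(head)
                time.sleep(0.05)  # give the first segment time to leave before the rest
                s.sendall(rest)
            else:
                s.sendall(req)
            try:
                return "ok" if s.recv(1) else "hang"
            except socket.timeout:
                return "hang"
    except OSError:
        return "error"

def classify(plain: str, tunneled: str, junk_path: str, fragmented: str) -> str:
    """Apply the post's reasoning: a hang that disappears over a tunnel is near-network;
    if junk in the path or fragmenting also clears it, the trigger is the HTTP path."""
    if plain == "ok":
        return "no interference"
    if plain == "hang" and tunneled == "ok":
        if junk_path == "ok" or fragmented == "ok":
            return "http-path-triggered interference"
        return "plaintext interference, trigger undetermined"
    if plain == "hang" and tunneled == "hang":
        return "far-network or server problem"
    return "inconclusive"

def diagnose(host: str, path: str, tunnel: tuple[str, int]) -> str:
    """Run all four probes against one URL and return the classification."""
    return classify(probe(host, path), probe(host, path, connect_to=tunnel),
                    probe(host, path, tail="&zz=junkjunk"), probe(host, path, fragment=True))
```

A network measurement like this should be repeated over time and from several ISPs, since a single hang can also be ordinary packet loss.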

There is evidence of content at both YouTube (e.g. hHTz22bTBRw and uVWxB4AWOxc) and specific pages on Facebook (e.g. /DAPMalaysia) being affected. Facebook content is available to users using encrypted channels, but unavailable using plaintext HTTP–which is consistent with other evidence of interference.

It is worth noting that as of yesterday, May 1st, the Citizen Lab at the University of Toronto’s Munk School released its latest report, For Their Eyes Only: The Commercialization of Digital Spying, which identified the presence of a sample of FinSpy, the surveillance software manufactured by UK-based Gamma Group, that “appears to be specifically targeting Malay language speakers, masquerading as a document discussing Malaysia’s upcoming 2013 General Elections.” This Malay-language sample presents “as Mozilla Firefox in both file properties and in manifest;” Mozilla, long an advocate for user rights, this week announced its intention to sue Gamma for “offensive” trademark violation.

This is not the only form of ‘network interference’ occurring in Malaysia in the lead-up to the elections this weekend. There is evidence of jamming of radio stations critical of the government, as well as Distributed Denial of Service (DDoS) attacks and hacking attempts against independent media, blogs, and opposition party websites, and efforts to compromise social media accounts publishing content favorable to the political opposition.

Malaysia’s legally mandated open internet

Despite the interference currently in evidence on Malaysia’s networks, the country has a legal mandate to defend a free and open internet, as per the Malaysian Communication and Multimedia Act of 1998. This mandate is overseen by the MCMC, an independent regulator tasked with oversight of mobile and internet providers.

Malaysiakini, the independent news site, filed another request with the MCMC, asking the agency to station its people at local ISPs to ensure uninterrupted access on Sunday’s polling day. The publication’s CEO and co-founder, Pramesh Chandran, described free and unfettered communications as a fundamental need in democratic practice, and expressed concern that if networks were restricted, citizens’ inability to access information about the electoral outcome could be dangerously destabilizing.

Meanwhile, Human Rights Watch has issued a statement condemning pre-election violence, as well as the online attacks. Access will continue to run network analysis and report on the data over the coming days.

Disclosure: Access Fellow Aasil Ahmed has worked on human rights and democracy programs in Malaysia, including with opposition candidate Anwar Ibrahim