Some Iranians have been taking the streets in the last few weeks protesting the government and asking for more freedoms. The protests have been met with violent resistance from the government’s forces on the ground, and with tightening censorship online.
After years of growing restrictions online, Iranians know a thing or two about getting around their government’s censorship system, colloquially known as the “Filternet,” and they often turn to circumvention services like Virtual Private Networks, or Tor. Censorship circumvention isn’t done just with ad hoc apps though. And sophisticated government censors have become quite good at blocking specific apps. So, sometimes, an app that would be blocked by censors can mask itself within the traffic of a popular—and approved—service.
That’s a technique known as “domain fronting,” which relies on piggybacking off of popular services like GitHub or Amazon’s AWS to make it harder for countries like Iran or China to block specific apps. The technique essentially makes the traffic of a certain app look like traffic from a major website or service that is less likely to be blocked because it’s too popular—blocking cloud services like Amazon Web Services (AWS) or Microsoft’s Azure, which are used for a multitude of different services, would be perceived worse than blocking a small service that’s used primarily to circumvent surveillance. The concept behind domain fronting has been called “collateral freedom.”
Besides AWS and GitHub, Iranian users could piggyback off of Google as well, but the Google App Engine (GAE), the service that would be used for domain fronting in this case, blocks traffic that comes from Iran. In this case, Google, not Iran is doing the blocking. The effect is that Iranians are unable to use some services that would be particularly useful during protests.
The encrypted messaging app Signal uses Google App Engine to skirt censorship in countries like Egypt, the UAE, and Oman. In Iran, however, the trick doesn’t work because Google blocks GAE in the country.
“Google does not allow access to GAE from Iran in order to comply with sanctions,” Signal’s creator Moxie Marlinspike said in a comment on GitHub.
The thing is that it’s not really clear that the current US sanctions regime toward Iran really prevents Google from providing access to GAE, and Google has not provided more information about why, specifically, it blocks inbound Iranian connections to GAE. According to Iranian internet freedom activists and experts in Iran-American digital communication policy, Google is going above-and-beyond what is required to do in compliance with US sanctions; the result is that the company cannot be used as a domain front to avoid censorship.
“Google is the only entity—the only big entity that’s doing above and beyond what they should be doing,” Nima Fatemi an Iranian independent security researcher who’s been asking Google to lift the restriction in the last few days, told Motherboard.
Collin Anderson, a researcher who has studied Iran and US sanctions’ regime for years, told Motherboard that “civil society has been pushing [Google] on this since 2013. It's clearly not a priority to them.”
Reached by Motherboard, Google declined to comment or give specifics on why GAE is blocked in Iran.
The company restricts some business services in countries like Iran or Cuba. Anderson believes that Google considers GAE to fall under US government export restrictions. But other services, such as Microsoft’s Azure or Amazon’s CloudFront, are available in Iran, according to activists (and are used for domain fronting). In theory, Marlinspike could modify how Signal works to use Azure or CloudFront as a domain front, but those two services are much less popular than Google in Iran, and so could be quickly and easily blocked by the Iranian regime.
A more sustainable option, according to Anderson, would be for Google to ask the Treasury Department for an exemption under the current regime (the Treasury Department declined to comment for this article.)
Iranians, needless to say, are not happy about this. Azadeh Akbari, a London-based Iranian citizen, started an online petition asking Google to revisit its policy and open up GAE to Iran. It has gathered more than 7,500 signature as of this writing.
Akbari told me via email that she grew concerned about her relatives and friends back in Iran as the clashes turned violent. Secure, private communications are key for dissidents in Iran, she told me, because the government routinely uses surveillance and private information against people they arrest. This happened to one of her family members, a journalist who was arrested in 2015.
By blocking apps like Signal, Iran might be forcing protesters to use less secure, easier to spy on services, Akbari argued.
“I am not sure why this time Google is in effect siding with the oppressors by blocking access to important services such as GAE for Iranians at such a crucial time,” she said.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.