Researchers find that routing around surveillance is almost impossible on the internet.
One of the most famous quotes about the web says that "the Net interprets censorship as damage and routes around it." But what about surveillance? Is it possible to make the internet route around spying?
In the last few years, especially after revelations of pervasive monitoring by the NSA and its British sister spy agency the GCHQ, some countries, Brazil being the most vocal, have publicly announced their intentions to avoid sending internet traffic to the US and the UK in an effort to dodge surveillance.
As it turns out, all internet pipes lead to surveillance. Or, at least, it's really hard—if not impossible—to avoid routing web traffic through surveillance states like the United States, according to a recent paper by a group of Princeton University researchers.
"Internet traffic often traverses the United States—a known surveillance state—even when it originates in countries on the other side of the world."
"When internet traffic enters a country, it becomes subject to those countries' laws, and as more countries pass mass surveillance laws, people are more motivated to determine and control where their internet traffic is going," Anne Edmundson, the lead author on the paper, told Motherboard. "We studied traffic originating in Brazil, India, Kenya, the United States, and the Netherlands, and found that internet traffic often traverses the United States—a known surveillance state—even when it originates in countries on the other side of the world."
The research proved empirically that "internet protocols have no notion of national borders," as they put in their paper. That means that even when internet traffic originates and ends in the same country (say, when a Brazilian users connects to the site of a Brazilian newspaper), it often passes through other countries around the world. That might be because some of the content on the site the user is trying to visit is hosted exclusively outside of the country, or for whatever reason, the faster and most effective path to that site goes through another country.
That's why, for example, 84 percent of internet paths originating in Brazil go through the United States, and 60 percent of paths originating in Kenya go through the US, according to the paper.
"It's much more difficult to avoid the United States—and many times impossible—because it is well-connected and also hosts some of the most popular domains in the world," Edmundson said.
For that reason, she added, "it's best not to assume that your location or the nature of the content determines who can see the traffic."
"A pessimist might conclude, the only way to avoid routing through surveillance states is not to route at all."
Or, as the technologist at the Center for Democracy and Technology Joseph Lorenzo Hall put it, "if people are concerned about the confidentiality and integrity of their communications, they will have to treat the internet at large as a hostile network over which one must tunnel securely."
Edmundson and her colleagues, however, also show that there are indeed ways to reduce the amount of traffic that goes through certain countries. One of the solutions is for users to stop using their Internet Service Provider's default DNS resolvers, which are the computers that translate domain names such as vice.com to its corresponding IP address, or using network relays. Using these methods, the researchers found, could help the Netherlands and Brazil avoid the United States in 65 percent of paths, but the US "is completely unavoidable for about 10 percent of the paths," anyway.
Obviously, even bypassing the US or the UK doesn't mean you avoid surveillance altogether—your own country might be spying on you, and the researchers themselves admit that.
"Do we really know with any certainty there are states not conducting surveillance on internet communications?" Doug Madory, a researcher at Dyn, a company that monitors internet use and access around the world, asked rhetorically. "A pessimist might conclude, the only way to avoid routing through surveillance states is not to route at all."