[kictanet] Safaricom and Internet Traffic Tampering

Fri Mar 24 15:54:09 EAT 2017

Hello Steve et al.

Everything raised in this email is answered in our research brief. However for the sake of those who have not read the brief, this is our response:

The description above from Safaricom is in fact a confirmation of the presence of a middle-box. Ngigi did an excellent job of using an analogy on this. “Any crafted or altered packets that violate the accepted correct HTTP formats generate an error. So by CIPT sending a packet that has its HTTP parameters detuned/altered, they would receive an error as explained above.”
The fact that Safaricom inspects which packets are standard or not implies tampering. Is that legal? It depends. Quality optimization is one way of justifying this but the presence of this on the network just after the CA announced plans to deploy network monitoring equipment is suspect. Does it mean Safaricom did not have a traffic optimizer before and just deployed one in February?

As far as the official RFC Standards go, invalid HTTP requests are not specially discriminated at the transport layer: https://www.ietf.org/rfc/rfc2616.txt <https://www.ietf.org/rfc/rfc2616.txt>

As for the responsible disclosure, CIPIT did in fact document the timeline of events and what we were waiting from Safaricom before publishing our research brief was official communication as agreed upon with the subject matter experts. Again, all this is documented in the report.

Ali raised the issue of the judiciary and its role in interpreting the law. We coincidentally provided that as our recommendation. The Judicial Training Institute should consider continuous legal training on new technologies and involve subject matter experts.

Stephen also raised the point of criminals targeting their network.
“We have also observed a concerning trend where entities use the same packet crafting methods mentioned above to defraud the ISP by tunneling traffic through zero rated sites (i.e. by-passing billing).”

We are not aware of such a practice. Ours is an open research methodology that other people can independently repeat and verify. The easiest way to test independently is to download the app from either Android Play store <https://play.google.com/store/apps/details?id=org.openobservatory.ooniprobe&hl=en_GB> or Apple’s App store <https://itunes.apple.com/US/app/id1199566366>. We run the tests on different vantage points and sense-beat the results for false positives. All the data collected so far in Kenya is openly and freely available here <https://explorer.ooni.torproject.org/country/KE>:

As will be noted, all these questions were answered on the research brief but we will are ready to engage as time allows.

Finally, we wish to point out that we monitor all telecom service providers using the same protocols. Safaricom's is the only network where we found the anomalies described in our report, and the anomaly disappeared shortly after our conversation with the company. This does not seem to be consistent with industry standard activities.

-Moses (CIPIT)

> On 23 Mar 2017, at 17:09, Stephen Chege <SChege at Safaricom.co.ke> wrote:
> 
> Mose and all
> 
> We have noted CIPTs claim and wish to state categorically that Safaricom does not in any way alter internet traffic.  In addition, Safaricom did reach out to CIPT through a conference call with our engineers on 24th February 2017, which we believed was the best way to engage on this issue as it is technical and both parties had a chance to express their position.
> 
> From our understanding, CIPT use an application called Ooniprobe to test whether there is any alteration of a packet sent through a particular ISPs network. It uses crowdsourcing to collect information about a network, which is later uploaded to an analytics server whose front-end is the website. In order to test tampering it makes use of detuned / altered / crafted  HTTP parameters. The crafted HTTP packet is then directed towards dedicated servers that echo back HTTP header(s). The expectation is that such a crafted packet should not be subject to any form of network manipulation, even if the query used is wrong it should echo back as sent.
> 
> In the discussions we had with CIPT, we clarified that on our network, we strictly follow the correct formats of the HTTP version on the optimisation gateway, because packets are expected in the correct HTTP format as per agreed global standards (RFC 2616: Section 2.2). Any crafted or altered packets that violate the accepted correct HTTP formats generate an error. So by CIPT sending a packet that has its HTTP parameters detuned/altered, they would receive an error as explained above. This is not evidence of a middle box as now alleged.
> 
> We have also observed a concerning trend where entities use the same packet crafting methods mentioned above to defraud the ISP by tunneling traffic through zero rated sites (i.e. by-passing billing).
> 
> In summary, we have a standard ISP traffic optimizer whose sole purpose is to optimize quality of experience, to deliver service to our customers without bias, and does not alter traffic.
> 
> We further state that anyone testing our network within accepted RFC standards will be able to establish that our network does not in any way alter internet packets.
> 
> regards
> 
> Steve
>   <>
> From: kictanet [mailto:kictanet-bounces+schege=safaricom.co.ke at lists.kictanet.or.ke] On Behalf Of Mose Karanja via kictanet
> Sent: Thursday, March 23, 2017 11:54
> To: Stephen Chege
> Cc: Mose Karanja; KICTAnet ICT Policy Discussions
> Subject: Re: [kictanet] Safaricom and Internet Traffic Tampering
> 
> That is why we did a responsible disclosure. Safaricom did reach back to us and promised to give a detailed report.
> 
> Even after polite reminders, we did not hear back from them officially.
> 
> ---
> Moses
> 
> On 23 Mar 2017, at 11:25, Ali Hussein <ali at hussein.me.ke <mailto:ali at hussein.me.ke>> wrote:
> 
> These are very serious allegations guys.
> 
> It would be great to hear from Safaricom.
> 
> Ali Hussein
> Principal
> Hussein & Associates
> +254 0713 601113
> 
> Twitter: @AliHKassim
> Skype: abu-jomo
> LinkedIn: http://ke.linkedin.com/in/alihkassim <http://ke.linkedin.com/in/alihkassim>
> 
> "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle
> 
> 
> 
> Sent from my iPad
> 
> On 23 Mar 2017, at 10:04 AM, Odhiambo Washington via kictanet <kictanet at lists.kictanet.or.ke <mailto:kictanet at lists.kictanet.or.ke>> wrote:
> 
> I recently had a very traumatizing experience with a client I was consulting for and whose preferred mode of connection is Safaricom 4G.
> 
> For two days I was struggling to figure out why what seemed so obvious (in my mind) was NOT working with Safaricom while I had tested the same with JTL and Access Kenya links.
> 
> It turned out that Safaricom truly tamper with traffic to the Internet. This includes even VPN traffic.
> 
> This test result presented here is not a surprise to me at all. Safaricom's DPI (Deep Packet Inspection) systems are so robust and advanced that they can do ANYTHING with your traffic.
> 
> I wrote a private email to Stephen Chege of Safaricom (we all remember him) but didn't receive even an acknowledgement. The problem I had - with DNS and VPN still stand unresolved.
> 
> And this is why I am always suspicious about the dalliance (for lack of a better word. I am thinking in Dholuo and translating to English) between Safaricom and the govt, especially since one of them was given a senior govt job!
> 
> 
> 
> On 23 March 2017 at 09:27, Mose Karanja via kictanet <kictanet at lists.kictanet.or.ke <mailto:kictanet at lists.kictanet.or.ke>> wrote:
> Hello listers.
> 
> CIPIT has been conducting network measurements on Kenyan Internet Service Providers (ISPs) since June 2016 using assorted techniques. Between 6 – 10 February 2017, the data indicated the presence of a middle-box on the cellular network of one provider, Safaricom Limited (AS33771) that had not previously presented any signs of traffic manipulation. Middle-boxes assume dual-use character in that they can be used for legitimate functions (e.g., network optimisation) and can simultaneously be used for traffic manipulation, surveillance and aiding censorship.
> 
> In light of such dual uses, this report makes clear that service providers operating middle-boxes must communicate to the public in a transparent manner the justification for such activity. This is especially relevant as government bodies announce plans to monitor and possibly censor the Internet during Kenya’s current electoral processes.
> 
> You can download the brief from this link:
> 
> http://blog.cipit.org/2017/03/23/cipit-research-reveals-evidence-of-internet-traffic-tampering-in-kenya-the-case-of-safaricoms-network/#more-5833 <http://blog.cipit.org/2017/03/23/cipit-research-reveals-evidence-of-internet-traffic-tampering-in-kenya-the-case-of-safaricoms-network/#more-5833>
> 
> -Moses
> 
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke <mailto:kictanet at lists.kictanet.or.ke>
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>
> Twitter: http://twitter.com/kictanet <http://twitter.com/kictanet>
> Facebook: https://www.facebook.com/KICTANet/ <https://www.facebook.com/KICTANet/>
> 
> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/odhiambo%40gmail.com <https://lists.kictanet.or.ke/mailman/options/kictanet/odhiambo%40gmail.com>
> 
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
> 
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
> 
> 
> 
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke <mailto:kictanet at lists.kictanet.or.ke>
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>
> Twitter: http://twitter.com/kictanet <http://twitter.com/kictanet>
> Facebook: https://www.facebook.com/KICTANet/ <https://www.facebook.com/KICTANet/>
> 
> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com <https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com>
> 
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
> 
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
> Note:
> All emails sent from Safaricom Limited are subject to Safaricom’s Email Terms & Conditions. Please click here to read the policy.
> http://www.safaricom.co.ke/images/Downloads/Terms_and_Conditions/safaricom_email_terms_and_conditions.pdf <http://www.safaricom.co.ke/images/Downloads/Terms_and_Conditions/safaricom_email_terms_and_conditions.pdf>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20170324/a9d8777d/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20170324/a9d8777d/attachment.sig>