Censorship of GitHub explained

GitHub has been the target of censorship from governments using methods ranging from local Internet service provider blocks, intermediary blocking using methods such as DNS hijacking and man-in-the-middle attacks, and denial-of-service attacks on GitHub's servers from countries including China, India, Iraq, Russia, and Turkey. In all of these cases, GitHub has been eventually unblocked after backlash from users and technology businesses or compliance from GitHub.

Background

GitHub is a web-based Git repository hosting service and is primarily used to host the source code of software, facilitate project management, and provide distributed revision control functionality of Git, access control, wikis, and bug tracking.[1] As of June 2023, GitHub reports having over 100 million users and over 330 million repositories.[2] It offers free accounts, a pastebin service called Gist, and free website hosting under its github.io domain. The GitHub terms of service prohibits illegal use and it reserves the right to remove content at its discretion.[3] Users can fork (copy and individually develop) other projects, which GitHub does not automatically take down when served DMCA takedown notices.[4] GitHub uses HTTPS for its connections, making data more secure against interception from third parties.

China

China heavily regulates Internet traffic and has blocked many international Internet companies including Facebook and Twitter.[5] In addition, Western businesses have said that these restrictions hurt their business by reducing access to information, such as from search engines and those using VPNs.[6] In 2013, the country started blocking GitHub and it was met by protests among Chinese programmers.[7]

GreatFire, a Chinese anti-censorship organization, has attempted to circumvent the Great Firewall of China using mirror websites. However, the links to these pages were posted using GitHub which brings the risk of the site being blocked along with the mirrors. In a previous incident, HSBC bank's Chinese operation was taken offline when the Akamai network was targeted for hosting GreatFire.org websites.[8]

DNS hijacking

Blockage

On January 21, 2013, GitHub was blocked in China using DNS hijacking. It was reported that the attack was carried out in response to political information posted on the platform.[9] Confirming the block, a spokesperson for GitHub said: "It does appear that we're at least being partly blocked by the Great Firewall of China".[10] The block was lifted on January 23, 2013, after an online protest on Sina Weibo.[11]

Criticism

Kai-Fu Lee brought attention to the block after posting about it on Sina Weibo. He derided the block, saying: "Blocking GitHub is unjustifiable, and will only derail the nation's programmers from the world, while bringing about a loss in competitiveness and insight." Lee's post was shared over 80,000 times.[11]

The Next Web called the block unfortunate, saying that "Chinese developers will have to play around with workarounds or find an alternative service when they want to work with their peers around the world."[10]

MITM attack

Attack

On January 26, 2013, GitHub users in China experienced a man-in-the-middle attack in which attackers could have intercepted traffic between the site and its users in China. The mechanism of the attack was through a fake SSL certificate.[12] Users attempting to access GitHub received a warning of an invalid SSL certificate, which, due to being signed by an unknown authority, was quickly detected.[13] A spokesperson for GitHub said: "Early last week, it appeared that GitHub was being at least partially blocked by the Great Firewall of China... After a couple days, it appeared that GitHub was no longer being blocked."[12] NETRESEC performed forensics of the attack and determined that it was indeed an attack, due to the large number of router hops involved (6) and because the user submitting the packet capture was from China.[14]

This attack was performed again on March 26, 2020, on GitHub Pages and March 27, 2020, on GitHub.com.[15] [16]

Rationale

GreatFire speculated that the attack was related to a popular White House petition calling for the denial of entry to the United States of the architects of the Great Firewall of China.[13] The petition linked to a Gist containing names of 3 of the architects and their contact information.[17] GreatFire also said that since GitHub is HTTPS only, Chinese authorities can't block individual pages and have to completely block the website, which helps explain why they would have to resort to the attack.[13] InformationWeek noted the economic difficulty related to blocking GitHub: "What makes GitHub interesting from a censorship point of view is that it combines a critical business service—collaborative coding—with social interaction."[12]

DDoS attack

On March 26, 2015, GitHub was the target of a distributed denial-of-service (DDoS) attack originating from China. It targeted two anti-censorship projects: GreatFire and cn-nytimes, the latter including instructions on how to access the Chinese version of The New York Times.[18] GitHub blocked China-based IP addresses from visiting these repositories. If a visitor comes from China, the page would show "Repository unavailable because of the Chinese Internet Blacklist". Based on GitHub, they are doing this so "that our users in that jurisdiction may continue to have access to GitHub to collaborate and build software." [19] They are now having a gov-takedowns repository to record all the government requirements they could show.[20]

India

See main article: Internet censorship in India.

India selectively censors websites at the federal and state levels. This is enforced by the Information Technology Act, 2000, as well as licensing requirements for Internet service providers (ISPs). Critics such as Rajeev Chandrasekhar have noted the vagueness of these regulations and the Centre for Internet and Society found that ISPs tended to over-comply with takedown requests.[21]

ISP blockage

On December 17, 2014, the Indian Department of Telecom issued an order to ISPs to block 32 websites.[22] The notice was made public on December 31, 2014, and it included GitHub, GitHub's Gist, Vimeo, the Internet Archive, and various pastebin services.[23]

The block order was confirmed on Twitter by Arvind Gupta, the national head of the ruling party BJP, and was attributed to a suggestion by India's Anti Terrorism Squad in response to content by the Islamic extremist group ISIS. Gupta also stated that websites that cooperated with the investigation were being unblocked.[24]

On January 2, 2015, the Ministry of Communications issued a statement that it will be unblocking 4 of the websites, including GitHub's Gist, and said that it will consider unblocking the remaining websites once they complied. Explaining its rationale, the ministry stated: "Many of these websites do not require any authentication for pasting any material on them... These websites were being used frequently for pasting, communicating [jihadi] content..."[25] Gulshan Rai of the CERT-In agency of the ministry said that the order came from the Mumbai Additional Chief Metropolitan Magistrate following an interrogation of Arif Majeed, an ISIS recruit.[26]

On January 4, 2015, a GitHub spokesperson said that some users were still having trouble accessing the site and that GitHub has attempted to reach out to the Indian government, but is still unclear about the cause of the block. They said that restoring access to the developer community in India was their top priority and that they "would like to work with the Indian government to establish a transparent process for identifying unlawful content, restore access, and ensure that GitHub continues to remain available in the future without interruption."[27]

Impact

The Times of India reported blockage for Indian users by the ISPs Vodafone, BSNL and Hathway, but it still had access using Airtel.[22] Because the order only told ISPs what to block and not how, the effectiveness of blocking access varied. The blocking was unreliable and seemed to be occurring at multiple layers, even within the same ISP. Blocking methods included IP blocking, the use of a proxy server, and DNS blocking. Methods for gaining access ranged from using an alternate DNS server to installing circumvention software.[28]

Criticism

Regarding the blocks, TechCrunch remarked that "[the] addition of GitHub... is one of the more head-scratching decisions" and anticipated an uproar considering its importance in the tech industry. They also called it embarrassing in the context of Prime Minister Narendra Modi's Make in India campaign to promote India as a destination for information technology.[29] Prasanth Sugathan of the Software Freedom and Law Center called the blocks short-sighted, saying that "If you block one website, terrorists can always use another one... Such a move only inconveniences the daily users..." Twitter users protested using the hashtag #GOIblocks and recirculated a hypocritical message by Modi from 2012 condemning blanket blocking of websites.[26] Anonymous of India also posted several threats against the government, but did not take any action.[25]

Russia

See main article: Internet censorship in Russia.

The Russian government blacklists websites that include child pornography, drug-related material, advocacy of suicide, extremist material, and other illegal content under the Russian Internet Restriction Bill to protect children. This list is maintained by Roscomnadzor, Russia's regulatory agency.[30]

ISP blockage

On December 2, 2014, Roscomnadzor blocked GitHub due to it hosting various copies of a suicide manual. Because GitHub uses HTTPS, which encrypts data between a user's computer and GitHub's servers, Internet service providers (ISPs) were forced to block the whole website instead of the pages involved. Complying ISPs included: Beeline, MTS, MGTS and Megafon. Maxim Ksenzov, the Deputy Head of Roscomnadzor, said in a statement that the block was due to GitHub not complying with earlier takedown requests for the manual on October 10, 2014.[31] GitHub was also momentarily blocked on October 2, 2014, until the original copy of the manual was deleted by its uploader.[32]

Banned content

The manual in question was posted on March 23, 2014, and details 31 methods of suicide in Russian. It was added to a repository for a software library used for working with Windows filesystems and was forked by several users.[33] The original copy was deleted by the owner on October 2, 2014, after numerous GitHub users complained because of a block by Roscomnadzor.[33] [34]

TechCrunch remarked that the manual seemed to be written as satire and includes methods such as "biting your tongue", "joining the military" or "getting a good gun" from a policeman.[35] The takedown targeted the manual and its copies, as well as a reposted blog entry about suicide.[36]

Response

GitHub complied and blocked access to the content within Russia saying that they were working to get reinstated. Citing its terms of service, GitHub elaborated that "you must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws)."[35] GitHub also created an official repository titled "roskomnadzor" for the purpose of posting takedown notices from the regulator. (It was later moved to "gov-takedowns" after a request from China on June 9, 2016[37]) In the readme of the repository, GitHub states that they are concerned about Internet censorship and believe in transparency to document the potential for chilling effects. They also warn that the presence of a notice is only for documentation and that GitHub does not pass any judgement on their validity.[38]

Turkey

On October 8, 2016, following the leak of emails of Turkish Minister Berat Albayrak by RedHack, the Information and Communication Technologies Authority (BTK) ordered ISPs to block several file sharing websites, including Dropbox, Microsoft OneDrive, and Google Drive.[39] The censorship monitoring watchdog Turkey Blocks observed that GitHub was blocked the following morning, and associated administrative orders were subsequently posted by the BTK stating that access had been officially restricted.[40] Software that depended on GitHub reported errors, such as Font Awesome and Homebrew. Participants in Startup Istanbul week also complained about the unavailability of infrastructure. The #GitHub hashtag became one of Twitter's top trends in Turkey. According to The Daily Dot, RedHack purposefully spread the emails using multiple services, expecting Turkey to block them so that the Streisand effect could be utilized. GitHub was unblocked 18 hours later.[41]

External links

Notes and References

  1. Book: Stephanidis, Constantine. HCI International 2020 - Late Breaking Papers: Cognition, Learning and Games: 22nd HCI International Conference, HCII 2020, Copenhagen, Denmark, July 19-24, 2020, Proceedings. Springer Nature. 2020. 978-3-030-60127-0. Cham, Switzerland. 355.
  2. Web site: About . live . https://web.archive.org/web/20230628143615/https://github.com/about . 2023-06-28 . 2023-06-28 . GitHub . en.
  3. Web site: GitHub Terms of Service. GitHub. 27 June 2015. https://web.archive.org/web/20150624142711/https://help.github.com/articles/github-terms-of-service/. 24 June 2015. live. (Specifically terms A8 and G7)
  4. Web site: DMCA Takedown Policy. GitHub. 27 June 2015. https://web.archive.org/web/20150701020203/https://help.github.com/articles/dmca-takedown-policy/#b-what-about-forks-or-whats-a-fork. 1 July 2015. live.
  5. Web site: Wei. Sisi. Inside the Firewall: Tracking the News That China Blocks. ProPublica. December 17, 2014. 27 June 2015. https://web.archive.org/web/20150605095642/https://projects.propublica.org/firewall/. 5 June 2015. live.
  6. Web site: Chin. Josh. China Internet Restrictions Hurting Business, Western Companies Say. Wall Street Journal Blogs. February 12, 2015. 27 June 2015. https://web.archive.org/web/20150704020127/http://blogs.wsj.com/chinarealtime/2015/02/12/china-internet-restrictions-hurting-business-western-companies-say/. 4 July 2015. live.
  7. Book: Roberts, Margaret E.. Censored: Distraction and Diversion Inside China's Great Firewall. Princeton University Press. 2018. 978-0-691-17886-8. Princeton, NJ. 114.
  8. News: Silbert. Sean. Routing around the Great Firewall of China. LA Times. November 26, 2014. 27 June 2015. https://web.archive.org/web/20150630064455/http://www.latimes.com/business/technology/la-fi-tn-great-firewall-china-censorship-20141126-story.html. 30 June 2015. live.
  9. Book: Fingar. Thomas. Fateful Decisions: Choices That Will Shape China's Future. Oi. Jean C.. Stanford University Press. 2020. 978-1-5036-1223-5. en.
  10. Web site: Protalinski. Emil. The Chinese government appears to be blocking GitHub via DNS (Update: Investigation underway). The Next Web. January 21, 2013. 9 April 2015. https://web.archive.org/web/20150414025518/http://thenextweb.com/asia/2013/01/21/the-chinese-government-appears-to-have-completely-blocked-github-via-dns/. 14 April 2015. live.
  11. Web site: Kan. Michael. GitHub unblocked in China after former Google head slams its censorship. Computer World. January 23, 2013. 9 April 2015. https://web.archive.org/web/20150330034358/http://www.computerworld.com/article/2493478/internet/github-unblocked-in-china-after-former-google-head-slams-its-censorship.html. 30 March 2015. live.
  12. Web site: Claburn. Thomas. China's GitHub Censorship Dilemma. InformationWeek. January 30, 2013. 27 June 2015. https://web.archive.org/web/20150703100130/http://www.informationweek.com/software/social/chinas-github-censorship-dilemma/d/d-id/1108436. 3 July 2015. live.
  13. Web site: martin. China, GitHub and the man-in-the-middle. GreatFire. January 30, 2013. 27 June 2015. https://web.archive.org/web/20160819165216/https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle. 19 August 2016. live.
  14. Web site: Hjelmvik. Erik. Forensics of Chinese MITM on GitHub. NETRESEC Blog. February 2, 2013. 27 June 2015. https://web.archive.org/web/20150630120918/http://www.netresec.com/?page=Blog&month=2013-02&post=Forensics-of-Chinese-MITM-on-GitHub. 30 June 2015. live.
  15. Web site: Hacker is deploying large-scale MITM attack via domestic backbone. 27 March 2020. 27 March 2020. https://web.archive.org/web/20200326164214/https://www.landiannews.com/archives/71707.html. 26 March 2020. live.
  16. Web site: GitHub 遭遇中间人攻击,访问报证书错误 - OSCHINA. www.oschina.net. 2020-03-27.
  17. Web site: Muncaster. Phil. Great Firewall architects fingered for GitHub attack. The Register. January 31, 2013. 27 June 2015. https://web.archive.org/web/20150630072146/http://www.theregister.co.uk/2013/01/31/github_ssl_man_in_the_middle_attack. 30 June 2015. live.
  18. Web site: Anthony. Sebastian. GitHub battles "largest DDoS" in site's history, targeted at anti-censorship tools. ars technica. March 30, 2015. 1 January 2019. https://web.archive.org/web/20190102052158/https://arstechnica.com/information-technology/2015/03/github-battles-largest-ddos-in-sites-history-targeted-at-anti-censorship-tools/. 2 January 2019. live.
  19. Web site: China's fierce censors try a new tactic with GitHub—asking nicely . Horwitz . Josh . June 28, 2016 . Quartz . 25 December 2020 .
  20. Web site: gov-takedowns . hubot . GitHub . 25 December 2020 .
  21. Web site: Patry. Melody. India: Digital freedom under threat? Online censorship. index. November 21, 2013. 2 April 2015. https://web.archive.org/web/20161104152902/https://www.indexoncensorship.org/2013/11/india-online-report-freedom-expression-digital-freedom-1/. 4 November 2016. live.
  22. Web site: Saxena. Anupam. Pastebin, Dailymotion, Github blocked after DoT order: Report. The Times of India. December 31, 2014. 1 April 2015. https://web.archive.org/web/20150302071856/http://timesofindia.indiatimes.com/tech/tech-news/Pastebin-Dailymotion-Github-blocked-after-DoT-order-Report/articleshow/45701713.cms. 2 March 2015. live.
  23. Web site: Blue. Violet. India blocks 32 websites, including GitHub, Internet Archive, Pastebin, Vimeo. ZDNet. December 31, 2014. 1 April 2015. https://web.archive.org/web/20150402065723/http://www.zdnet.com/article/india-blocks-32-websites-including-github-internet-archive-pastebin-vimeo/. 2 April 2015. live.
  24. Web site: Ghoshal. Abhimanyu. GitHub, Vimeo and 30 more sites blocked in India over content from ISIS. The Next Web. December 31, 2014. 1 April 2015. https://web.archive.org/web/20150404055942/http://thenextweb.com/in/2014/12/31/vimeo-github-30-sites-blocked-india-content-isis/. 4 April 2015. live.
  25. Web site: Sharma. Ravi. Indian government unblocks Vimeo, Dailymotion, 2 other websites. The Times of India. January 2, 2015. 1 April 2015. https://web.archive.org/web/20150208102100/http://timesofindia.indiatimes.com/tech/tech-news/Indian-government-unblocks-Vimeo-Dailymotion-2-other-websites/articleshow/45731251.cms. 8 February 2015. live.
  26. Web site: Arora. Kim. Government blocks 32 websites to check ISIS propaganda. The Times of India - Tech. January 1, 2015. 1 April 2015. https://web.archive.org/web/20150104134659/http://timesofindia.indiatimes.com/tech/tech-news/Government-blocks-32-websites-to-check-ISIS-propaganda/articleshow/45712815.cms. 4 January 2015. live.
  27. Web site: Orsini. Lauren. India Unblocks GitHub, Three Other Websites. readwrite. January 2, 2015. 1 April 2015. https://web.archive.org/web/20150320205330/http://readwrite.com/2015/01/02/india-lifts-internet-block-github. 20 March 2015. live.
  28. Web site: Srikanth. Kaustubh. Technical Observations About Recent Internet Censorship In India. The Huffington Post. June 1, 2015. 1 April 2015. https://web.archive.org/web/20150521194154/http://www.huffingtonpost.in/kaustubh-srikanth/technical-observations-ab_b_6421306.html. 21 May 2015. live.
  29. Web site: Russell. Jon. India's Government Asks ISPs To Block GitHub, Vimeo And 30 Other Websites (Updated). TechCrunch. December 31, 2014. 1 April 2015. https://web.archive.org/web/20150326020030/http://techcrunch.com/2014/12/31/indian-government-censorsht/. 26 March 2015. live.
  30. News: Khazan. Olga. Russia's secret new Internet blacklist. The Washington Post. November 9, 2012. 2 April 2015. https://web.archive.org/web/20150511081411/http://www.washingtonpost.com/blogs/worldviews/wp/2012/11/09/russias-secret-new-internet-blacklist/. 11 May 2015. live.
  31. Web site: Lunden. Ingrid. Russia Blacklists, Blocks GitHub Over Pages That Refer To Suicide. TechCrunch. December 3, 2014. 1 April 2015. https://web.archive.org/web/20150327101211/http://techcrunch.com/2014/12/03/github-russia/. 27 March 2015. live.
  32. Web site: Лихачёв. Никита. ru:AliExpress, 2ch и GitHub попали в реестр запрещённых сайтов. http://tjournal.ru/paper/rkn-github-2ch. TJournal. October 2, 2014. 9 April 2015. ru. AliExpress, 2ch and GitHub put on the register of banned sites. https://web.archive.org/web/20150425013521/http://tjournal.ru/paper/rkn-github-2ch. 25 April 2015. live.
  33. Web site: Create suicide.txt. GitHub - amdf/objidlib. March 23, 2014. 8 April 2015. https://web.archive.org/web/20150627095452/https://github.com/amdf/objidlib/commit/e9c31e97c0ca7863516fa6e21c9f6441453d9149. 27 June 2015. live.
  34. Web site: Delete suicide.txt. GitHub - amdf/objidlib. 9 April 2015. https://web.archive.org/web/20150627095712/https://github.com/amdf/objidlib/commit/643077865e390f1eccacf9620199772e1e468a4a. October 2, 2014. 27 June 2015. live.
  35. Web site: Lunden. Ingrid. To Get Off Russia's Blacklist, GitHub Has Blocked Access To Pages That Highlight Suicide. TechCrunch. December 5, 2014. 1 April 2015. https://web.archive.org/web/20150321081034/http://techcrunch.com/2014/12/05/to-get-off-russias-blacklist-github-has-blocked-access-to-pages-that-highlight-suicide/. 21 March 2015. live.
  36. Web site: roskomnadzor/2014-10-21-roskomnadzor.md. GitHub. October 21, 2014. 1 April 2015. https://web.archive.org/web/20141205133607/https://github.com/github/roskomnadzor/blob/master/2014-10-21-roskomnadzor.md. 5 December 2014. live.
  37. Web site: Geraci. Jesse. github/roskomnadzor - README.md. GitHub. June 9, 2016. 9 October 2016. https://web.archive.org/web/20170615120448/https://github.com/github/roskomnadzor/blob/master/README.md. 15 June 2017. live.
  38. Web site: Geraci. Jesse. github/roskomnadzor - README.md. GitHub. February 20, 2015. 9 October 2016. https://web.archive.org/web/20170104165443/https://github.com/github/roskomnadzor/blob/8ae3b09df27f5f6984c57d84b1aa2f28ac6ad897/README.md#what-is-this. 4 January 2017. live.
  39. News: Murdock. Jason. Turkey blocks Google, Microsoft and Dropbox services to 'suppress' mass email leaks. October 10, 2016. 10 October 2016. International Business Times. https://web.archive.org/web/20161011055229/http://www.ibtimes.co.uk/turkey-blocks-google-microsoft-dropbox-services-suppress-mass-email-leaks-1585655. 11 October 2016. live.
  40. Web site: Dropbox, Google Drive and Microsoft OneDrive cloud services blocked in Turkey following leaks. Turkey Blocks. October 8, 2016. 9 October 2016. https://web.archive.org/web/20161209235232/https://turkeyblocks.org/2016/10/08/google-drive-dropbox-blocked-in-turkey/. 9 December 2016. live.
  41. Web site: Sozeri. Efe Kerem. How hacktivist group RedHack gamed Turkey's censorship regime. Daily Dot. October 12, 2016. 12 October 2016. https://web.archive.org/web/20161013074044/http://www.dailydot.com/layer8/redhack-gamed-turkey-censorship/. 13 October 2016. live.