Belarus protests: From internet outages to pervasive website censorship
Image: Block page served in Belarus.
This report was prepared in collaboration with Human Constanta and the Digital Observers Community Belarus.
More than 70 websites have been blocked in Belarus over the last weeks, following a controversial presidential election and amid ongoing anti-government protests. Many of the blocked sites include news media and are related to the elections, while several other sites expressing political criticism were blocked as well. At the time of writing, many of these sites remain blocked in Belarus.
In this report, we share OONI measurement data on the recent blocking of websites in Belarus.
Background
2020 Belarusian presidential election
Belarus has had the same president, Alexander Lukashenko, for 26 years.
Having won every presidential election since 1994, Lukashenko has been described as “Europe’s last dictator” – particularly since international election observers have characterized most of these elections as neither free nor fair. The latest presidential elections were held a month ago on 9th August 2020, where Lukashenko ran for – and won – a sixth term. But this landslide victory – claiming about 80% of the vote – didn’t go unchallenged.
Mass protests erupted in Belarus leading up to the 2020 presidential election, following the arrest of opposition political candidates and against Lukashenko’s bid for a sixth presidential term. Sergei Tikhanovsky, a Belarusian YouTuber and pro-democracy activist, announced his intention of running for the 2020 presidential election in May 2020, but he was arrested two days later. In response, his wife, Svetlana Tikhanovskaya, decided to run against Lukasheno.
However, Tikhanovskaya reportedly received threats that her children would be taken away unless she stepped down from the presidential race, and was forced to send her children abroad. Quite similarly, Amnesty International reported that several other female political activists were also threatened with sexual violence and with threats that their children would be taken away. Despite the harassment, Tikhanovskaya emerged as the main opposition candidate in the 2020 presidential elections, whose political rallies reportedly drew some of the largest crowds that the country has seen in decades.
When the country’s election commission announced that Lukashenko had won around 80% of the vote, Tikhanovskaya rejected Lukashenko’s win, describing the election as massively rigged and appealing to EU leaders to “support the awakening” of Belarus. While EU leaders condemned the latest Belarusian elections as unfair, they stressed that any political change must come from within the country, rather than from foreign interference.
Meanwhile, mass anti-government protests, calling for President Lukashenko to step down, have been ongoing. According to Amnesty International, the protests have been marred by violence, as testimonies from protesters in Belarus describe being beaten, tortured, threatened with rape, and being subjected to other ill-treatment in detection centres. Recently, the UN office of the High Commissioner for Human Rights released a statement calling on Belarusian authorities to stop torturing protesters and to prevent enforced disappearances.
Yet, both the mass protests and the violent crackdown by authorities remain ongoing. Following a fourth consecutive weekend of protests against President Lukashenko, hundreds of protesters have been arrested in recent days. The situation in Belarus remains turbulent.
Internet outages amid 2020 Belarusian presidential election
Several data sources suggest that access to the internet was disrupted amid the Belarusian 2020 presidential election. This was also widely reported by media outlets, while some groups reported that Deep Packet Inspection (DPI) technology (reportedly provided by U.S. company Sandvine Inc.) was used to block SSL traffic at scale, affecting popular messaging apps, social media platforms, email providers, VPNs, among many other services.
The Internet Outage Detection and Analysis (IODA) project of the Centre for Applied Internet Data Analysis (CAIDA) measures internet outages worldwide in near real-time. To track and identify internet outages, IODA uses three complementary measurement and inference methods: Routing (BGP) announcements, Active Probing, and Internet Background Radiation (IBR) traffic. Access to IODA measurements is openly available through their Dashboard, which enables users to explore internet outages with county, region, and AS level of granularity.
IODA data from the following chart (taken from the IODA dashboard) presents signals of internet disruptions in Belarus between 8th August 2020 to 17th August 2020, with the most heavy disruptions being noted between 9th August 2020 to 12th August 2020.
Source: Internet Outage Detection and Analysis (IODA): Belarus
Within this time period, we observe in the chart that the first major disruption occurs on election day on 9th August 2020, between around 18:00 UTC to midnight UTC, coinciding with the protests that erupted as soon as the election results were announced. The second major disruption is observed the next day on 10th August 2020 between 16:00 UTC to around midnight. Very similarly, the third disruption is observed during the same time period on the next day (11th August 2020).
These internet disruptions are corroborated by Google traffic data, which suggests that access to the internet was disrupted in Belarus between 9th August 2020 to 12th August 2020, as illustrated below.
Source: Google Transparency Reports: Traffic and disruptions to Google in Belarus
Similarly to IODA data, Google traffic data shows that Belarus experienced major internet disruptions in the nights of 9th, 10th, and 11th August 2020, with internet access mildly being restored during the day on 10th and 11th August 2020.
This is further corroborated by RIPE, who published a report on the internet outages in Belarus, discussing that this wasn’t a complete internet shutdown affecting the entire country, as some RIPE Atlas probes remained connected throughout this period. The fact that the internet outages didn’t affect all networks across Belarus is further confirmed by OONI Probe measurements collected from Belarus between 9th to 12th August 2020 (as OONI Probe tests require internet connectivity).
Methods
Internet connectivity was restored in Belarus by 12th August 2020, but 10 days later, access to more than 50 websites was reportedly blocked. To examine the potential blocking of websites amid the ongoing wave of protests, we analyzed OONI measurements collected from Belarus.
OONI Probe is free and open source software designed to measure internet censorship and other forms of network interference. The OONI Probe app (available for both mobile and desktop platforms) includes tests designed to measure the blocking of websites, instant messaging apps (WhatsApp, Facebook Messenger, Telegram), and circumvention tools (Tor and Psiphon), among other tests.
As our aim through this study is to examine the blocking of websites, we will focus on the OONI Probe Web Connectivity test, which is designed to measure the blocking of websites. This test does so by attempting to perform a DNS lookup, TCP connection, and HTTP request (to the URLs included in the Citizen Lab test lists) from both a control vantage point and the local vantage point of the user. The measurements collected from both vantage points are automatically compared and if they differ, the result is flagged as “anomalous”. Depending on the type of anomaly detected (DNS, TCP/IP, HTTP), we can infer the type of blocking.
Based on our current heuristics, OONI only automatically confirms cases of blocking if a block page is served, and if the fingerprint of that block page has been added to the OONI database. Given that false positives can occur, all other cases of blocking are confirmed through manual data analysis.
Unless an OONI Probe user opts-out, their test results are automatically sent to OONI’s servers, processed, and openly published. Since September 2015, more than a million OONI Probe tests have been run in Belarus from 59 local networks.
As part of this study, we analyzed OONI Web Connectivity measurements collected from Belarus between 1st August 2020 to 3rd September 2020. The analysis period was mainly limited to August 2020 because our goal was to identify recently blocked websites (the blocking of which reportedly began on 22nd August 2020).
As part of our analysis, we not only examined the testing of URLs included in the Citizen Lab’s global and Belarusian test lists (which are tested by default when OONI Probe users in Belarus run the Web Connectivity test for website testing), but we also examined other URLs that were tested independently by OONI Probe users in Belarus using the OONI Run platform (which is used for custom URL testing). To ensure that the recently blocked URLs are tested regularly in Belarus, we added them to the Citizen Lab’s Belarusian test list.
To confirm censorship events with greater confidence, we limited our analysis to the networks and URLs that received the most testing coverage, potentially excluding cases of blocking that received limited testing coverage.
As we detected the presence of block pages within anomalous Web Connectivity measurements, we updated our database with the fingerprints of those block pages, and detected many cases of blocking automatically. But as ISPs in Belarus adopted a variety of different censorship techniques, we also performed more manual data analysis in order to identify other cases of blocking as well. Our analysis is available through this file.
Blocked websites
Amid ongoing mass protests, Belarusian ISPs blocked access to more than 70 websites, many of which include news media, electoral sites, and sites expressing political criticism. The blocking reportedly began on 22nd August 2020, which is also when OONI Probe users in Belarus started testing most of the reportedly blocked websites.
Our analysis of OONI measurements collected from Belarus between 1st August 2020 to 3rd September 2020 shows that at least 86 websites appear to be blocked. Many more websites presented anomalies as part of the testing, but we narrowed down the scope to the sites that received both the highest volume of testing and which presented the highest ratio of anomalies. This means that we excluded websites which presented non-deterministic signs of blocking and which received limited testing coverage, thereby limiting our ability to rule out potential false positives.
We automatically confirmed the blocking of websites when block pages were served.
Based on this, we were able to confirm the blocking of the following
domains: afn.by
, www.belaruspartisan.org
, www.afn.by
,
www.charter97.org
, intimby.net
, charter97.org
, dmp2.org
,
is.gd
,txti.es
, zapraudu.info
, svaboda2.net
,
www.svaboda.org
, www.praca-by.info
, ucpb.org
,
spring96.org
, mfront.net
, gazetaby.com
,
eurobelarus.info
, belsat.eu
,belarus.regnum.ru
,
tsepkalo.com
, 015.by
, vkurier.by
, udf.by
,
rusproxy.telegramproxy.me
, telegram-socks.tk
, tgproxy.me
,
www.ucpb.org
,www.bchd.info
, www.moyby.com
, opg.ucoz.net
,
zubr.in
, naviny.by
, nn.by
.
We observe a variance in terms of how sites are blocked across different Internet Service Providers (ISPs) in Belarus, which we discuss in a bit more detail in the following sections. In some cases, when sites are hosted on HTTP, we see ISPs serving a blockpage. But when sites are hosted on encrypted HTTPS, we observe interference during the TLS handshake (after the TCP connection and before the HTTP request), resulting in a connection reset error.
As blocking appears to be implemented during the TLS handshake and the connection is being reset, this suggests that either Deep Packet Inspection (DPI) technology is being used (the most probable scenario) or that all traffic goes through a proxy that resets undesired connections. It also seems likely that the SNI field in the TLS handshake is being used to decide whether to block or let connections go through.
In the following sections, we briefly discuss the blocking of media, political, human rights, communication tools, and circumvention tool websites, among other blocked sites.
Media
At least 25 media websites appear to be blocked in Belarus, as suggested through OONI data.
Image: Blocking of media websites across ISPs in Belarus, OONI measurements collected from Belarus between 1st August 2020 to 3rd September 2020
The above chart lists the 25 media websites that presented signs of blocking through our analysis of OONI measurements collected throughout August 2020 (between 1st August 2020 to 3rd September 2020). Results from the testing of each site across 15 local networks are illustrated through the above chart (relevant data is missing if those sites weren’t tested on those networks during the data analysis period).
Out of these media websites, we automatically confirm the blocking of
the following domains (because block pages were served):
afn.by
, www.afn.by
, www.charter97.org
, charter97.org
,
svaboda2.net
, www.svaboda.org
, gazetaby.com
,
eurobelarus.info
, belsat.eu
, belarus.regnum.ru
,
vkurier.by
, www.moyby.com
.
We observe a variance in blocking both in terms of which websites are blocked across ISPs (i.e. different sites blocked on different networks), as well as in terms of censorship techniques. We not only observe variance in censorship techniques across ISPs, but we also see that the same ISP may adopt different censorship techniques, particularly depending on whether a site is hosted on HTTP or encrypted HTTPS.
On 22nd August 2020, for example, Beltelecom (AS6697) served a block page
in order to block access to the HTTP version of www.svaboda.org
. On
the same day, we see Beltelecom blocking access to the HTTPS version of
www.svaboda.org
by interfering with the TLS handshake
and resetting the connection. While the blocking of many of these media
websites appears to have started on 22nd August 2020, some of these
media websites appear to have been blocked since earlier in the month.
Charter 97, a pro-democracy media website
covering human rights issues in Belarus, appears to have been blocked
since at least 8th August 2020 on Beltelecom (AS6697),
as a block page was served (therefore confirming its blocking).
Similarly to www.svaboda.org
and many other blocked sites, we
observe that Beltelecom (AS6697) blocked access to the HTTPS version of charter97.org
during the TLS handshake.
All measurements collected thereafter (testing charter97.org
on
several different local networks) consistently presented signs of
blocking up until 11th September 2020, when the testing of
charter97.org
on Beltelecom (AS6697) showed that the site was
accessible,
suggesting that it has now been unblocked on this network. Quite
similarly, some other media websites (such as eurobelarus.info) appear
to have been
unblocked
in recent days.
The website of the Belarusian Association of
Journalists presented signs of blocking mainly between 13th August 2020 to 18th August 2020,
during which most measurements consistently presented the same HTTP
failures. More recent measurements collected at the end of August 2020
showed that access to baj.by
was
accessible
on Beltelecom (AS6697) – at least during the moments when it was
tested.
In addition to the blocking of independent media websites
(such as belsat.eu
), we observe the blocking of regnum.ru
and
sputnikipogrom.com
which, according to local community members,
are Russian nationalist media with anti-Belarus sentiment.
The list of blocked media websites, and relevant OONI measurements from their testing in Belarus, are available through the table below.
Political
Following the Belarusian 2020 presidential election – and amid protests over a disputed poll – access to several election related sites was blocked. More specifically, at least 25 political websites appear to have been blocked in Belarus, as illustrated through the following chart (based on OONI data).
Image: Blocking of political websites across ISPs in Belarus, OONI measurements collected from Belarus between 1st August 2020 to 3rd September 2020
It is evident that most of these sites appear to have been blocked on at least 4 ISP networks in Belarus. In some cases (when the sites were hosted on HTTP), block pages were served, while in most cases, we observe interference during the TLS handshake, resulting in HTTP failures and connection reset errors.
We automatically confirmed the blocking of the following political
sites (because block pages were served):
www.belaruspartisan.org
, zapraudu.info
, ucpb.org
,
tsepkalo.com
, udf.by
, www.ucpb.org
, www.bchd.info
,
opg.ucoz.net
, zubr.in
.
On election day, on 9th August 2020, we observed DNS spoofing
in the testing of an election related site: belarus2020.org
. The
testing of belarus2020.org
often presented HTTP failures and genetic timeout errors from 10th August 2020 onwards
(though this could potentially have been affected by the internet
outages during that period), while previous testing showed that the site
used to be
accessible.
From 22nd August 2020, we start to observe that the testing of
belarus2020.org
starts to always present connection reset errors
(instead of generic timeout errors), which is consistent with how most
of the other websites were blocked from that date onwards. This suggests
that that local ISPs (such as Beltelecom) may have switched to blocking
belarus2020.org
with the same censorship technique as other sites.
Quite similarly, we observe that zubr.in
– a system for the online
monitoring of Belarus’ 2020 electoral process – presented HTTP failures and generic timeout errors
everytime it was tested from 13th August 2020 onwards, suggesting
potential blocking. From 22nd August 2020, we start to observe that the
testing of the site consistently presents connection reset errors
(with interference happening during the TLS handshake), similarly to how
most sites were blocked from that date onwards.
In addition to the blocking of election monitoring sites, we observe the blocking of political opposition and pro-democracy sites. These include the website of the Belarusian Social Democratic Party (People’s Assembly), the site of a political movement advocating for democratic peaceful change, and the sites of anarchist groups.
The list of blocked political websites, and relevant OONI measurements from their testing in Belarus, are available through the table below.
Human rights
Several human rights sites have been blocked in Belarus as well, as listed in the following table (which shares relevant OONI data).
Blocked domains | OONI measurements |
---|---|
spring96.org | https://explorer.ooni.org/search?until=2020-09-12&probe_cc=BY&domain=spring96.org |
praca-by.info | https://explorer.ooni.org/search?until=2020-09-12&probe_cc=BY&domain=praca-by.info |
www.praca-by.info | https://explorer.ooni.org/search?until=2020-09-12&probe_cc=BY&domain=www.praca-by.info |
vitebskspring.org | https://explorer.ooni.org/search?until=2020-09-12&probe_cc=BY&domain=vitebskspring.org |
www.privacyinternational.org | https://explorer.ooni.org/search?until=2020-09-12&probe_cc=BY&domain=www.privacyinternational.org |
Most measurements have been collected from Beltelecom (AS6697), but some of these sites present signs of blocking on 3 other networks as well (AS25106, AS31143, AS42772). The blocked sites include the site of the Human Rights Center “Viasna”, a human rights NGO which was established in April 1996 during mass protests by the democratic opposition in Belarus. The testing of their site has presented anomalies mainly from 13th August 2020 onwards.
Other blocked sites include that of Vitebsk Spring, an independent information
resource created and maintained by human rights activists and
journalists in the city of Vitebsk and the Vitebsk region. From 22nd
August 2020 onwards, almost all measurements
collected from the testing of their site on several different networks
suggest that access was blocked. However, since the OONI Probe testing of vitebskspring.org
only
started on 22nd August 2020, we are unable to evaluate whether the
blocking started on an earlier date.
Privacy International’s website
also appears to have been blocked by Beltelecom (AS6697)
in Belarus. Similarly to other sites hosted on HTTPS, we observe
interference during the TLS handshake, suggesting the potential presence
of SNI based filtering. All OONI measurements collected from 25th August
2020 onwards suggest
blocking
of www.privacyinternational.org
on Beltelecom (AS6697).
Similarly to other censorship cases discussed in this report, we observe
that Beltelecom (AS6697) serve a block page
for the HTTP version of www.praca-by.info
, but we see that the
connection times out
when they block access to the HTTPS version of the site.
Communication
At least 19 domains of communication platforms (and proxies for those platforms) have been blocked in Belarus in August 2020, all of which are listed in the following table (which also shares relevant OONI data).
Telegram channels have
reportedly
served as an important information and communication platform amid the
ongoing protests in Belarus, which might explain why many of the above
Telegram-related domains were blocked. The
blocked
sites also include privacy-preserving email providers,
tutanota.com
and
startmail.com.
Access to tutanota.com
appears to have been
unblocked
in recent days on some networks.
VK is a Russian social networking service which hosts the channels of Belarusian human rights organizations and of groups expressing criticism against President Lukashenko, which may potentially explain why the platform was recently blocked in Belarus.
Circumvention
Several censorship circumvention tool websites have been blocked in Belarus as well, as illustrated through the following chart (based on OONI data).
Image: Blocking of circumvention tool websites across ISPs in Belarus, OONI measurements collected from Belarus between 1st August 2020 to 3rd September 2020
The following table shares relevant OONI measurements on the blocking of these circumvention tool sites.
Psiphon, SaferVPN, SurfShark, and ZenMate are among the VPN sites that consistently presented anomalies as part of their recent testing in Belarus. Almost all OONI measurements collected from the testing of psiphon.ca from 21st August 2020 onwards show that access to the site has been blocked on several local networks (while some previous measurements from 9th August 2020 onwards also presented signs of potential blocking). Yet, amid the network disruptions following the elections, Psiphon supported a peak of 1.76 million active daily users in Belarus.
Other
Apart from news, political, human rights, communication and circumvention tool sites, we also observed the blocking of several other websites as well (which are included in the reported blocklist), as listed in the following table.
The first domain listed in the above table (mfront.net) has information
on health insurance in Russia, the next three sites (015.by
, masheka.by
,
virtualbrest.by
) are web portals, while intimby.net
is a
Belarusian dating site.
Conclusion
At least 86 websites appear to have been blocked in Belarus over the last month, according to OONI network measurement data. These include news media, political opposition, pro-democracy, and election related websites, as well as communication and circumvention tool sites.
Given that these censorship events emerged amid mass anti-government protests, they appear to be politically-motivated. These findings corroborate the blocking of most sites included in a reported blocklist. Most of these sites appear to have been blocked from 22nd August 2020 onwards, with some presenting signs of blocking right after the Belarusian 2020 presidential election.
We observe a variance in blocking both in terms of which websites are blocked across ISPs (i.e. different sites blocked on different networks), as well as in terms of censorship techniques. We see that the same ISP may adopt different censorship techniques, particularly depending on whether a site is hosted on HTTP or encrypted HTTPS.
In some cases, when sites are hosted on HTTP, we see that ISPs serve a blockpage. But when sites are hosted on encrypted HTTPS, we observe interference during the TLS handshake (after the TCP connection and before the HTTP request), resulting in a connection reset error.
As blocking appears to be implemented during the TLS handshake, this suggests that Deep Packet Inspection (DPI) technology is likely being used. It seems likely that the SNI is being used to decide whether to block or let connections go through.
These findings are limited to our analysis of OONI measurements collected from multiple ISP networks in Belarus between 1st August 2020 to 3rd September 2020, and exclude websites which received limited testing coverage during this period.
Protests in Belarus are ongoing and the political environment remains tense. The findings of this study suggest that there may be a correlation between the development of political events and censorship events, raising the need for further network measurement testing.
As this study was carried out through the use of free and open source software and open data, it can potentially be reproduced and expanded upon.
We thank all OONI Probe users in Belarus who made this study possible.