After Iran’s statistically and historically dubious election results, the world was been glued to screens (both TV and IP) watching the unfolding protests and violence. Despite a complete media and communications blackout, the videos, photos and messages leaked out continuously. But how did all these leaks occur?
The Iranian government has deep content inspection, full control of both data and voice networks, firewalls and intrusion-prevention systems. On top of that, the Iranian government has police, military and armed thugs, comprehensive border control, nasty prisons (allegedly) and the death penalty for far lesser offenses than insurrection and treason.
Yet the images still flow. Witness the failure of perimeter controls and data-leakage prevention on your screens, in near real time. The Iranian protests show clearly that where there is a will there is a way, especially when the will goes as far as risking life and limb for liberty. From that perspective, security must always be weighed against the budget, motivation and potential gain of an attacker. In the case of Iran, no security investment (technological or institutional) will match the will and power of millions of determined people seeking their freedom.
Ask a security expert or a geek about how to organize info-resistance at this scale and they will probably come up with a pretty sophisticated solution. Something involving encryption, onion routing (tor), satellite dishes and PGP. Yet, what we see in these security scenarios is that most successful means of bypassing security (whether for good or evil) are remarkably simple. Boxcutters and duct tape, SD cards passed from hand to hand.
Simple works better in this case because the Iranians can only shut down parts of their communication networks. The government and security forces need phones, local and international, as much as the protesters do. So there are a myriad ways that the blocks can be bypassed.
The problem here is that the government has to focus its interdiction whereas the protesters can use diffuse means. Where the government blocks technology X, they leave everything-except-X open. The universe of open is infinitely larger that the things they can block and monitor. The problem for the Iranian government is that there are millions of people with cameras on their phones.
It was reported recently that Nokia provided some of the technology used for filtering the Internet in Iran. But Nokia also happens to be the biggest manufacturer of cameras in the world — bigger than Kodak or Canon or Fuji combined. So what Nokia allegedly took away in terms of filtering, it gave back a thousand-fold with its camera phones.
When you combine people-powered journalism (sous-veillance – “watching from below”) with global telecommunications there is no technology in the world that can keep information from spreading. Evasion and hacking tools can be freedom tools and security controls can be instruments of oppression. The real issue is whether the tools are in the hands of the many or the hands of the few.
In the end, Iran shows us how data leakage is unstoppable in the hands of the many and security controls are useless in the hands of the few.