Imagine for a moment that you live in Edmonton, Canada. Your best friend lives two blocks away. So why, when you sent e-mails, does that digital message often travel through the US?
That's one of the mysteries of "boomerang routing" – routing that takes data miles off course.
The Internet doesn't care what countries it sends data through. The Internet just looks for the quickest route, which sometimes means using better-connected networks in countries with completely different surveillance laws. It might seem like an innocent quirk if your Canuck data visits New Mexico. But what about February through May of 2013, when a huge chunk of US traffic was routed through Moscow in an event thought to be hackers siphoning off information?
Currently, Internet users have little control over diverting their Web traffic to avoid countries they deem untrustworthy. But last week team from University of Maryland, University of Pennsylvania, and NEC Labs recently announced a possible fix – an Internet traffic routing system designed to give users the ability to determine where information flows as it moves from network to network.
Their project, called "Alibi routing" is a promising development for activists, dissident groups, journalists, or anyone else who has a vested interest in protecting sensitive information from prying eyes.
"Encryption and anonymous networks are still important, but they don’t solve the problem of how available the information is to a country that could tamper with it," said Dave Levin, an assistant research scientist in the Institute for Advanced Computer Studies at the University of Maryland.
“I can try to trick a censoring country into thinking I'm communicate with someone else, but rather than sneak through a bad neighborhood, just avoid it," he said. "Just go around it altogether.”
The Internet relies on a relay system passing data around different networks. If one network routinely drops the packets of information, data would get lost into a digital abyss. If a more nefarious actor alters or replaces that data, that could be even worse.
If a user wants to avoid troublesome countries, they could simply set Alibi to skip those locations.
The types of attacks that Alibi would circumvent are more than theoretical. China has been known to use a "DNS injection" for censorship, substituting data from blacklisted sites with other content. But that can have broad effects. For instance, an anonymous 2012 paper published by the Association of Computing Machinery pointed out that if an American accessed a German site that's critical of Beijing, and the Internet traffic routes through China, that user could also be a victim of DNS injection.
"Alibi is not a silver bullet," said Greg Norcie, a staff technologist for the Center for Democracy and Technology who specializes in privacy issues. "But it still could be useful for avoiding countries known for things like injection."
Alibi works by timing the transit of information. Mr. Levin, the project lead, says information can zip through the Internet at up to two-thirds the speed of light. By timing the trip between each network that handles data, Alibi can guarantee the data never traversed a blacklisted country. Think about it in terms of plane connections: It takes five hours to fly direct from New York to California. So, any trip from New York that takes less than five hours is very likely not a direct trip to California. On a much faster scale, that’s what Alibi does to verify the data does not cross into a location a sender specifically requested it did not go.
"The time it would take a packet to go from East Coast to West Coast and back, so one round trip, that's about 50 milliseconds," says Levin. "It's a really, really small amount of time, but as far as Internet speeds go, that's a noticeable amount of time."
Alibi takes its name from the intermediary servers between the sender and receiver of data. When those servers can be shown to be outside the countries a user wants to dodge, they could be said to provide an "alibi."
But Alibi isn't a panacea. One thing Alibi won't do is circumvent servers in the country where traffic originates or eventually lands.
The proof-of-concept source code for Alibi is available at the project website. Levin says the next step will be for someone to develop an easy to use browser extension from it.
"I think it would be fantastic if folks started using our tool," says Levin. "It would be fantastic if people were empowered to take control of their information."