The Great "Ear" of Bangladesh

Oct 6, 2007

[Update: a much more legible copy of the letter, thanks to Rezwan]

This, in a way, is a follow-up to the "Great Firewall of Bangladesh" stories we did in August. Tanoy pointed out a story on E-Bangladesh about BTRC demanding usage information and other data on Internet use in Bangladesh. As we said at the time, we will repeat: there is no great firewall of Bangladesh, and neither is there a "Great Ear".

E-Bangladesh has a scanned letter sent out by BTRC to ISPs, demanding, among other things, the "Online MRTG (Multi-Router Traffic Graph)" and userid/passwords.

But we beg to differ with the devious motives mentioned on E-Bangladesh. In our assessment, this is not a move to monitor and control Internet usage of individuals to suppress free speech. As we mentioned in our original "Great Firewall" post, Bangladesh does not have the infrastructure and equipment necessary to control or even monitor the approximately half-million Internet users. We have verified this from two independent sources.

In the letter from BTRC, we read:

4. How many corporate clients/dedicated clients/shared clients do you have? Please specify the block of IP address and fill out the following chart? [ chart asks for client address, allocated bandwidth and IP address allocation]
..
6. Online MRTG (Multi Router Traffic Graph) for overall bandwidth and also for individual clients should be submitted. The URL address and user ID and password for each client are to be furnished.

Anyone who has run MRTG will know that the letter is actually asking for the MRTG userid and password for each user that the ISP uses to monitor the user's bandwidth use, not the userid and password the user uses to log in to the ISP's service. (Otherwise there would have been no mention of the "URL address".)

BTRC, like other government agencies, is staffed mostly with idiots. First, they are assuming the ISPs are using MRTG, which is a specific product. So if the ISP is not using MRTG, what will they do? But the bandwidth of the BTRC brain-trust is not the topic here; we will return to that another day.

When you combine the demand to find out the total bandwidth purchased by the ISP and access to MRTG data for each user, the reason becomes apparent.

BTRC is trying to find out 3 things:
1. How much total bandwidth an ISP has
2. How much of that is utilized
3. Which of the ISP's customers use how much of the bandwidth

Looking at the MRTG data for the users of the ISP shows how much bandwidth the user was using. It looks something like this. The biggest users will not be emailers, bloggers or chatters. The biggest users will be people downloading or uploading large files, and of course, VoIP service providers.

Combine this with the fact that to monitor actual Internet traffic coming in and out of a user's PC, the government (let's say DGFI) needs to monitor the mail servers and web proxies of the ISP, not MRTG output. [I should know a thing or two about this; activities like this have been part of my professional duties for the last 12 years. Rest easy: I worked for various US corporations during that time, and all my work was legal]. So I will wait to see an ISP claim that the government is monitoring their mail server or web proxy logs. Until then, it is all a storm in a teacup.
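To make concrete what a per-client MRTG feed does and does not expose, here is an added example (not part of the original post or of BTRC's letter) that parses MRTG's plain-text log format and ranks clients by average rate. The client names and all log values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    timestamp: int   # Unix time at the end of the interval
    avg_in: int      # average inbound rate, bytes/second
    avg_out: int     # average outbound rate, bytes/second
    max_in: int      # peak inbound rate in the interval, bytes/second
    max_out: int     # peak outbound rate in the interval, bytes/second

def parse_mrtg_log(text):
    """Return (last_counters, samples) from the body of an MRTG .log file."""
    lines = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or len(lines[0]) != 3:
        raise ValueError("first line must be: timestamp in_counter out_counter")
    last_counters = tuple(int(v) for v in lines[0])
    samples = []
    for fields in lines[1:]:
        if len(fields) != 5:
            raise ValueError(f"expected 5 numeric columns, got {fields!r}")
        samples.append(Sample(*(int(v) for v in fields)))
    return last_counters, samples

def mean_rate_kbps(samples):
    """Mean of in+out average rates, converted from bytes/s to kilobits/s."""
    if not samples:
        return 0.0
    total = sum(s.avg_in + s.avg_out for s in samples)
    return total / len(samples) * 8 / 1000

def rank_clients(logs):
    """Return (client, mean kbit/s) pairs, busiest client first."""
    rates = {name: mean_rate_kbps(parse_mrtg_log(body)[1]) for name, body in logs.items()}
    return sorted(rates.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample logs (hypothetical clients), newest interval first, 300 s polling.
SAMPLE_LOGS = {
    "client-a": """1191650400 48211034 91220417
1191650400 1200 2500 1800 4100
1191650100 1000 2300 1500 3900""",
    "client-b": """1191650400 9120441875 8733120049
1191650400 250000 240000 310000 300000
1191650100 260000 250000 320000 305000""",
}

if __name__ == "__main__":
    for name, kbps in rank_clients(SAMPLE_LOGS):
        print(f"{name}: {kbps:.1f} kbit/s")
```

Every record is a timestamp plus four byte-rate figures, so the feed identifies the heaviest users but carries no addresses, ports, protocols or content.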

Lastly, some ISPs have a vested interest in continuing illegal VoIP traffic (to the tune of a few crore taka per day).

So we would hope that level heads would prevail. Internet monitoring and control may be very real in Bangladesh. After all, there is a brand-new, 175-person agency being set up to monitor phone conversations.

But this letter, and the current BTRC search and seizures, have nothing to do with curtailing free speech.

11 comments:

tanoydutta said...

Thanks JR for the explanation. But I will express my opinion about MRTG from the Bangladeshi context point of view. In the last five years I have come across lots of Tier1 and I can share with you my horrible experience with BTTB and BTRC. Before that I refer you to visit
http://www.e-bangladesh.org/2007/10/06/bbc-bengali-internet-restrictions-in-bangladesh/

where the ISP association GS clearly mentioned to the BBC that BTRC instructed them to give all details for security purposes and that they should centralize the system from one single point. He explained about unwanted emails.

Now I am going back to MRTG. You see they have not asked for only high end users. They have asked for each and every user.

Now most people of Bangladesh nowadays use so-called broadband, which is nothing but a shared LAN connection from the ISP, and sometimes they are dedicating ADSL or radio link. In every case MRTG is only your login information details. USER NAME/PW is mainly applicable for dial-up. But those morons have also asked for dial-up as well.

Now on VOIP, the whole thing depends on the protocol (H323, SIP, etc.). BTTB blocked port 1720 several times. So it is a bit funny that after blocking the voice port you need to run after people on the basis of MRTG only.

Now there are other data operators like banks, hospitals and corporates who have huge usage, either by intranet or Internet. You need connectivity. Even those who are in development work also have very high usage in the delivery period of a product. Share market brokers and others are always busy with online banking and buying and share. It is very natural that the MRTG graph will show high usage. The dangerous thing is that they can have access to the log of users. So it hampers privacy very much.

Basically the speculation in Dhaka is more dangerous. Lots of people are saying Shena Kollan is getting a VOIP license even though they don't have any qualification in fixed, mobile and ISP operation.
But I don't want to comment on speculations.
I have seen that a user called BIDDUT made a comment on E-Bangladesh. He has given some information that BTTB and BTRC went to the homes of lots of end users on the basis of wrong information. I am not sure, but I feel he is an insider of BTTB. So the overall situation and the BBC reports clearly indicate VOIP is just an excuse. Basically, Internet monitoring has been started.
Well JR, this is only my personal opinion. If you feel I am wrong, please feel free to give your opinion.

Rezwan said...

JR, You have not read the whole memo.

It talks about

* Proper subscription form of all individual clients (including details like name/address etc.). (Does not talk about the scratch card based dialup internet users.)

* ISPs are not allowed to lease bandwidth to people who use it for their own purposes. They specifically pointed out that the client does not extend the connection beyond the location.

That means this is in fact assuring the ISP their business as some people share broadband connections with friends or say own clients.

The whole episode is to provide security to the government approved four VOIP operators (one is BTTB and for the rest the ISPs are bidding) and the ISPs. So far the VOIP operators have been small time techies turned entrepreneurs. The Government could have devised a way to license them and put sufficient regulatory control so that they do their business within a legal framework, and funnel foreign currency flow into legal channels, providing the Government the taxes.

But since this is a lucrative business the Government decided to exploit it by creating an oligopoly of 4 operators. I hear that sums as much as 50 lakhs are flying there for lobbying of the rest 3 operators.

And probably ISPs are in this together with the BTRC. They have no problem providing personal client info to the authorities.

I mean, what is the big idea of putting hindrances on technologies like VOIP when we see these are legalized in many countries in the world, even in India (http://en.wikipedia.org/wiki/Voice_over_IP).

The authorities could have set a threshold that users over a certain amount of bandwidth should be reported.

Listen to the ISP association's remarks (Tanoy's link). The government is trying to profile each and every user. But yet they are not doing it within a constitutional or legal framework. They are doing it under duress through ISPs.

If an ISP provides a Bangladeshi citizen's information to the authorities when he/she is not a suspect and there are no specific orders from the security forces under BTRC act 2001 and the amendment in 2006, then the ISP is compromising his/her privacy and his/her contract with the ISP. This is a violation of a constitutional right (Section no. 43 which guarantees privacy of telecommunication). He/she may as well terminate the contract with the ISP and choose his/her means of telecommunication if notified by the ISPs to him/her before doing so.

Anonymous said...

Profiling/building a database of 450,00 internet users, installing traffic scanners... not alarming? If smart people like you swallow their pills like this... disappointing.

J @ ShadaKalo said...

TonoyDutta:
There is (or rather was) a Biddut in BTTB, an electrical engineer who graduated in the mid-80s. I believe he now works for RanksTel.

I actually think the comment from Mr. Biddut proves that there are no raids going on unless there is specific information regarding VoIP, and that sometimes the information provided by an informer with vested interest is wrong.

I have heard the BBC reports as well, and Mr. Russel T. Mahmud does mention email threats, etc. But I will go back to the BTRC letter: that information is not available in MRTG graphs or data.

In the USA, all you have to do to find some company's allocated netblocks is to search the ARIN records. Given an IP address, it is trivial to find out who owns it, and who it is allocated to. In other words, this is public information.

Like I said, BTRC is asking for the MRTG URL userid/password, not the passwords of email accounts or ISP accounts for dial-up users.

Since MRTG shows bandwidth, router utilization and other data about the router and NOT any details about WHAT is flowing through the router.

A source has confirmed that high bandwidth usage will be compared with fixed and mobile line subscriptions to narrow down possible VoIP suspects. So if 50 mobile lines are registered to one address, and that address is also showing high bandwidth utilization, they will come under scrutiny.

You bring up an interesting point about Sena Kollan. I have confirmation from highly reliable sources that Senakollan is preparing to apply for an IGX/IGW license, and that their consultant is incompetent. Tarique (Mr. 10%) Rahman's vacuum has to be filled by someone, so why not Sena Kollan? But that is not really relevant in the internet monitoring discussion, right?

If there is one BTRC activity that concerns me, that is the requirement for individuals to register their Mobile SIMs. With their FINGERPRINTS. Now there is a DGFI project I'd like to see E-Bangladesh dig deeper into.

To summarize my comment: what BTRC is doing is heavy-handed and moronic at best, but not sinister. The fingerprint registration for mobile SIMs--now that is shades of "1984".

J @ ShadaKalo said...

Anonymous:
Building a database of 450000 users: yes, cause for alarm. Installing traffic scanners? Yes, alarming.

But here is one small problem: In the BTRC letter, BBC interviews, etc, I do not see any claim that they are building a database of all the users: it is a demand for a list of names, addresses and IP addresses of "corporate clients/dedicated clients/shared clients" which would exclude about 90% of the 450,000 figure.

Same for the traffic scanner. I have tremendous respect for E-Bangladesh, and I think it is a disservice to the readers to say something like "Facilitate installation of 'traffic scanners' provided by RAB on gateway routers" but then not back it up with any detail, not even an anonymous source. If you go back and read the article, you will see what I mean.

Just in case you are wondering, MRTG is NOT a traffic scanner.

Is it possible I am wrong? Certainly. But I try my best to not swallow any pill from anyone.

tanoydutta said...

Well JR, I am one of the founder members of E-Bangladesh. E-Bangladesh has already provided lots of information on the basis of complete documentation. The traffic scanner is also from a reliable source as well. Basically some information is coming in black and white and some is coming only by telephone calls and instruction. We are just bloggers. But E-Bd has built up a strong editorial group and they are working on the basis of true and reliable sources only.

E-Bangladesh is very cautious about the security of the source back in Bangladesh.

I hope, as a fantastic blogger, you also can dig into the story in more detail. I am sure you will get the actual picture as well.

But sometimes we also need to see the security of the people back in Bangladesh. But one thing is sure: E-BD will try to publish supportive documents from time to time.

J @ ShadaKalo said...

Rezwan:
Actually, I did read the whole memo on your blog a few days ago. Thanks for the PDF link though--I can now copy/paste.

I quote from page 2:
1. ISP's are required to maintain the proper Subscription Form for all the clients.

Perhaps I am missing something, but BTRC is not actually asking for that information; just telling the ISPs that this information needs to be kept. I will wait to be alarmed when all this information is requested by BTRC en-masse.

2. ISP's are not allowed to provide bandwidth to the client to provide internet services from their end. The client (Individual/Corporate) should be allowed only to use bandwidth for their own purposes.

Idiotic, yes. But how is this sinister? The next instruction, even though it seems impossible, is even more stupid.

3. ISPs must have complete information regarding the exact location of the client to whom you are providing bandwidth. JSPs [SIC] must ensure that they provide end connectivity to the respective clients' premise^ [SIC] and the client does not extend the connection beyond the location. ISPs will be held responsible for any extension of connection beyond the designated location.

This is like saying if someone uses a phone to hit another person, or hires a killer over the phone, BTTB is responsible. How can the ISP be responsible if a client breaks the terms of service? What happens if s/he has a Wi-Fi router, and someone else is using those signals?

I have good friends working at 2 of the 7 ISPs who are listed on the letter. I also have a very good friend at BTTB who is one of the few people in the government who understands the technology aspect of monitoring. I finally was able to talk to all 3 (avoiding email just in case I am wrong--I don't want to get them in trouble).

The gist is, this is an anti-VoIP crusade. Monitoring is done against specific individuals, and those are not announced by official letters. Idiotic? Yes. Evil? No.

J @ ShadaKalo said...

Tanoy:
I do know your role with E-Bangladesh, and I congratulate you and others involved in it for creating what is easily the most informative blog on Bangladesh. But that is why I have such high expectations.

To quote from SpiderMan (I wish I had a more serious source), "With great power comes great responsibility" and as a highly popular and respected news site, I expect the best from E-Bangladesh.

I know TK knows first-hand how (in)efficient DGFI and its friends are in performing digital forensics and extracting information from computers. I also know that the police and DGFI have much more efficient ways of extracting information out of people instead of spending millions of dollars on traffic scanners (which traffic scanning at this scale will take, and which they don't have, by the way).

I have seen too many mangled fingernails with pins inserted under them during Ershad's rule to trust these people even 1%. But I know and understand the technology involved, and I have spoken to people who are on both sides (receiving and sending) of this letter, and my conclusion, based on their input, is different.

If I am proven wrong, I will be the first to admit it. In the meantime, thanks for keeping the discourse civilized. It is very good to see that we can agree to disagree.

tanoydutta said...

Many thanks JR for your kind words, and it is really a big honor from a veteran blogger like you. E-Bangladesh will certainly follow up your suggestions. Tasneem, Sushanta and all of our authors are really working hard and I hope all of them will keep it up.

Thanks again.

Rumi said...

Not going into the discussion about internet monitoring, I feel that, as Shadakalo mentions, SIM registration is another draconian step. Some of us need to step in, dig deep into the whole project and expose the real intention if there is any.

Anonymous said...

Rumi Bhai, you have indicated a real nice point. While I am calling Bangladesh, I notice everyone does not want to speak about any simple issue by phone. One type of panic has seized everywhere.

This is a very unhealthy function. Another funny thing: I encountered cross connections several times on mobile. Unfortunately I was entering as kabab mein haddi on one couple's discussion.
