CIPIT study finds internet traffic manipulation, surveillance software within Safaricom network

A new report released by the Strathmore University-based Centre for Intellectual Property and Information Technology Law (CIPIT) indicates that Safaricom has software which can be used for traffic manipulation and surveillance, and can even aid censorship.

The CIPIT report, compiled following technical research conducted on several internet service providers in Kenya over 10 months between June 2016 and March 2017, indicates the presence of software, also called a middle-box, on Safaricom’s network.

(TOP: A Safaricom internet router on sale on OLX).

While acknowledging that middle-boxes are dual-use in that they can serve legitimate functions (that is, network optimisation), CIPIT notes that the appliance can simultaneously be used for traffic manipulation, surveillance and aiding censorship.

“In light of such dual uses, this report makes clear that service providers operating middle-boxes must communicate to the public in a transparent manner the justification for such activity. This is especially relevant as government bodies announce plans to monitor the Internet during Kenya’s current electoral processes… Between 6 – 10 February 2017, the data indicated the presence of a middle-box on Safaricom’s network (AS33771) that had not previously presented any signs of traffic manipulation,” the CIPIT report states.

CIPIT notes that on 10 February 2017, its measurements showed signs of traffic manipulation, which indicate the presence of a middle-box under the methodology of OONI, a free-software global observation network for detecting censorship, surveillance and traffic manipulation on the internet.

“This traffic manipulation persisted through end of February to early March 2017… After detecting this traffic anomaly, we contacted Safaricom Limited requesting confirmation on the presence of a middle-box and, if necessary, justification for such activity,” states the report.

Before the report could be released, CIPIT states that it sought Safaricom’s comment on the issue but the telco’s technical team denied the presence of a middle-box in their data.

“On 24 February 2017, Safaricom, through a conference call, put us in touch with the subject matter technical team who sought to know the rationale of such research and further details regarding the technical background of the HTTP Invalid Request Line test. The technical team denied the presence of any middle-box in their networks and promised a more detailed response in five days. By the time of this publication, 15 days later, we had not received any communication from the network, despite our reminders.”

However, responding after the report was shared online via KICTAnet, Stephen Chege, Safaricom’s Corporate Affairs Director, refuted the middle-box claims, stating that the telco “does not in any way alter internet traffic.”

“We have noted CIPIT’s claim and wish to state categorically that Safaricom does not in any way alter internet traffic. In addition, Safaricom did reach out to CIPIT through a conference call with our engineers on 24th February 2017, which we believed was the best way to engage on this issue as it is technical and both parties had a chance to express their position… We have also observed a concerning trend where entities use the same packet crafting methods mentioned above to defraud the ISP by tunneling traffic through zero rated sites (i.e. by-passing billing). In summary, we have a standard ISP traffic optimizer whose sole purpose is to optimize quality of experience, to deliver service to our customers without bias, and does not alter traffic,” stated Chege.

On 27 February 2017, two days after CIPIT contacted Safaricom’s technical team, tests conducted on the telco’s network showed the absence of network tampering. According to CIPIT, this change implies two possibilities: either the probable middle-box was reconfigured to avoid triggering errors from the invalid HTTP requests, or the network dropped the probable middle-box altogether.

The CIPIT report, titled “Safaricom And Internet Traffic Tampering,” is available online for download. In addition to Safaricom, the study conducted before the report also focused on Zuku, Jamii Telecom, Airtel Kenya and Telkom Kenya.
