Riots erupted last week in Harare as election results delayed, prompting concerns of internet censorship events being triggered.
— Zimbabwe Election 2018 (@ZimElection2018) August 1, 2018
Zimelection.com is an independent, citizen-led organization, based out of the UK. Their initial goal was to encourage Zimbabweans to vote, but expanded their activities to include election information, news, and education as well. They also made the voters’ roll available online, but removed all personal data from their site on 5th August 2018, after the elections.
We ran OONI Probe in Zimbabwe to test the potential blocking of zimelection.com across multiple ISPs. As part of our testing, we collected conclusive evidence on the TCP/IP blocking of zimelection.com by state-owned Internet Service Provider (ISP), TelOne.
Blocking of zimelection.com
We tested zimelection.com across multiple networks through the use of OONI Probe, which is software designed to measure the blocking of websites.
Network measurement data collected from OONI Probe tests suggests that TelOne (AS37204) blocked access to zimelection.com by means of TCP/IP blocking.
We tested zimelection.com multiple times from TelOne, an ISP wholly owned by the Zimbabwean government. All measurements consistently presented the same TCP/IP anomalies and our findings were further corroborated by the fact that RIPE Atlas data did not show any local or global routing issues. We were also unable to access zimelection.com from TelOne. All other OONI network measurements collected from TelOne show that all other tested websites were accessible, strongly suggesting that zimelection.com was in fact blocked.
Based on traceroute measurements, we were able to better understand the means through which the blocking of zimelection.com was carried out.
In particular, we can see that a TCP traceroute to the IP address hosting zimelection.com, 220.127.116.11 on port 443, shows packets all the way to the second to last hop:
$ sudo tcptraceroute 18.104.22.168 443
Selected device en0, address 192.168.XXX.YYY, port PPPPP for outgoing packets
Tracing the path to 22.214.171.124 on TCP port 443 (https), 30 hops max
8 asr1-pr-hre.telone.co.zw (126.96.36.199) 36.225 ms 36.732 ms 35.849 ms
9 188.8.131.52 337.824 ms 302.590 ms 307.466 ms
10 184.108.40.206 307.160 ms 243.743 ms
220.127.116.11 303.346 ms
11 et-7-0-0.cr-polaris.fra1.core.heg.com (18.104.22.168) 241.207 ms 228.553 ms 229.795 ms
12 ae1.cr-vega.sxb1.core.heg.com (22.214.171.124) 234.231 ms 276.659 ms 310.863 ms
13 ae4.cr-nunki.sxb1.core.heg.com (126.96.36.199) 232.290 ms 306.593 ms 307.035 ms
14 ae2.cr-sargas.lon1.core.heg.com (188.8.131.52) 307.435 ms 237.307 ms 246.666 ms
15 184.108.40.206 237.524 ms 244.857 ms 242.319 ms
16 220.127.116.11 253.567 ms 266.811 ms 358.259 ms
17 * * *
18 * * *
We can also see that the same behavior happens with a ICMP traceroute:
$ traceroute to 18.104.22.168 (22.214.171.124), 64 hops max, 52 byte packets
9 asr1-pr-hre.telone.co.zw (126.96.36.199) 37.640 ms 37.604 ms 38.004 ms
10 188.8.131.52 (184.108.40.206) 219.583 ms 219.493 ms 267.384 ms
11 220.127.116.11 (18.104.22.168) 218.554 ms 240.429 ms
22.214.171.124 (126.96.36.199) 222.056 ms
12 et-7-0-0.cr-polaris.fra1.core.heg.com (188.8.131.52) 256.960 ms 229.975 ms 230.113 ms
13 ae1.cr-vega.sxb1.core.heg.com (184.108.40.206) 233.903 ms 235.164 ms 232.372 ms
14 ae4.cr-nunki.sxb1.core.heg.com (220.127.116.11) 234.521 ms 234.132 ms 335.489 ms
15 ae2.cr-sargas.lon1.core.heg.com (18.104.22.168) 242.165 ms 239.152 ms 238.498 ms
16 22.214.171.124 (126.96.36.199) 365.730 ms 240.539 ms 332.722 ms
17 188.8.131.52 (184.108.40.206) 307.676 ms 266.867 ms 305.145 ms
In contrast, traceroutes from a “non-censored” network reach the destination:
traceroute to 220.127.116.11 (18.104.22.168), 30 hops max, 60 byte packets
8 ae1.cr-vega.sxb1.core.heg.com (22.214.171.124) 86.778 ms ldn-bb4-link.telia.net (126.96.36.199) 88.889 ms ldn-bb3-link.telia.net (188.8.131.52) 96.399 ms
9 ldn-b5-link.telia.net (184.108.40.206) 91.851 ms ae4.cr-nunki.sxb1.core.heg.com (220.127.116.11) 90.123 ms ldn-b5-link.telia.net (18.104.22.168) 88.980 ms
10 ae0.cr-sargas.lon1.core.heg.com (22.214.171.124) 89.565 ms 84.622 ms ae2.cr-sargas.lon1.core.heg.com (126.96.36.199) 89.077 ms
11 188.8.131.52 (184.108.40.206) 91.030 ms 90.521 ms 87.181 ms
12 220.127.116.11 (18.104.22.168) 100.686 ms 93.149 ms 104.949 ms
13 eris.servers.prgn.misp.co.uk (22.214.171.124) <syn,ack> 91.376 ms 91.802 ms 90.274 ms
Based on our traceroutes, it seems that the blocking is targeting the IP address hosting zimelection.com and that the blocking occurred on the reverse path (i.e. packets are reaching the IP of zimelection.com, but what is blocked is the response).
We didn’t notice any blocking on IP addresses in a close range, making it very unlikely that this is some form of network failure affecting that particular network:
Tracing the path to 126.96.36.199 on TCP port 80 (http), 30 hops max
9 asr1-pr-hre.telone.co.zw (188.8.131.52) 35.734 ms 37.130 ms 37.129 ms
10 184.108.40.206 217.446 ms 220.193 ms 218.716 ms
11 220.127.116.11 218.447 ms
18.104.22.168 218.969 ms
22.214.171.124 218.455 ms
12 et-7-0-0.cr-polaris.fra1.core.heg.com (126.96.36.199) 307.099 ms 306.820 ms 229.930 ms
13 ae1.cr-vega.sxb1.core.heg.com (188.8.131.52) 236.076 ms 231.156 ms 232.041 ms
14 ae4.cr-nunki.sxb1.core.heg.com (184.108.40.206) 233.050 ms 232.326 ms 232.123 ms
15 ae2.cr-sargas.lon1.core.heg.com (220.127.116.11) 422.260 ms 304.031 ms 234.277 ms
16 18.104.22.168 234.858 ms 233.929 ms 235.892 ms
17 22.214.171.124 256.225 ms 304.528 ms 248.658 ms
18 calmzone.servers.prgn.misp.co.uk (126.96.36.199) [open] 256.529 ms 235.979 ms *
Moreover, we found more than 1,700 domains hosted on the same IP address as zimelection.com, suggesting that the blocking of this IP address may have led to collateral damage, blocking many other unrelated websites.
The fact that many other websites are hosted on this same IP address also means that the owners of zimelection.com are very unlikely to have implemented server-side blocking, since they probably don’t have access to firewall settings (and other IPs in the same range of the same provider don’t show evidence of blocking), further consolidating the theory that zimelection.com was intentionally blocked.
It’s worth highlighting that OONI data shows that zimelection.com was accessible in other Zimbabwean networks (such as mobile operator NetOne). This may suggest that independent Zimbabwean ISPs didn’t receive government orders to block zimelection.com.
We reached out to the owners of zimelection.com and they provided us the following statement:
“Section 21(1) of the Electoral Act states that every voters’ roll shall be a public document, open to inspection by the public, free of charge.
The block on our website is in breach of section 62 of the Constitution of Zimbabwe […]
We would like to call upon TelOne to immediately remove the block on our website.”
Moreover, they agreed to take down the electoral roll documents containing personal information prior to the publication of this report.
Zimbabwe Electoral Commission (ZEC) site unavailable
The site of the Zimbabwe Electoral Commission (ZEC), which is hosted on a .zw domain, showed a “404 Not Found” error in the days following the elections (but has now been restored).
This could be due to content removal, a domain takeover, or technical issues triggered, for example, by too much traffic towards the website or some malicious activity (hacking).
A possible domain takeover may be suggested by the domain’s DNS SOA record, which has “2018080211” as a serial number and which is a human-edited field. It’s common practice though to set it to the date of the last DNS zone modification, so it may not necessarily be a domain takeover.
On the other hand, the SSL certificate presented for www.zec.org.zw has been valid since 23rd May 2018. This suggests that the entity currently controlling the domain name and IP addresses behind it have SSL certificate files which were issued and cryptographically signed more than two months ago.
Yesterday, Qurium reported that the Zimbabwe Electoral Commission (ZEC) site was in fact defaced. Their forensic investigation confirms that the site was defaced on the evening of 1st August 2018 by an attacker using the nick zim4thewin. They note that the defacement of the site was a protest against military actions during the riots.
This is probably the first time that OONI Probe captures evidence of internet censorship in Zimbabwe.
Almost daily OONI network measurements have been collected from various networks in Zimbabwe over the last year (with many measurements having been collected since 2016), none of which showed signs of internet censorship, until now.
The general elections last week (on 30th July 2018) came at a politically tense time for Zimbabwe, following the ousting of Robert Mugabe – who governed the country for more than three decades – in late 2017. Incumbent President Emmerson Mnangagwa has since governed the country, leading the Zimbabwe African National Union – Patriotic Front (ZANU-PF), which was previously led by Mugabe and which has ruled the country since independence in 1980.
ZANU-PF won most seats in parliament, but the announcement of the presidential vote was delayed, spurring violent riots in Harare amid concerns that the results were being rigged. Even European Union election monitors questioned the delay in announcing the presidential vote. Last week, the presidential vote was announced with Mnangagwa narrowly winning the presidential poll.
As political events unfold, more censorship events may emerge. This study can be expanded upon through the use of OONI Probe and OONI data.