Zimbabwean election website blocked following 2018 general elections

09 Aug 2018

Riots erupted last week in Harare as election results delayed, prompting concerns of internet censorship events being triggered.

Internet censorship has been measured in Zimbabwe all along (since 2016) and OONI data hadn’t shown any signs of internet censorship, until the following tweet caught our attention. is an independent, citizen-led organization, based out of the UK. Their initial goal was to encourage Zimbabweans to vote, but expanded their activities to include election information, news, and education as well. They also made the voters’ roll available online, but removed all personal data from their site on 5th August 2018, after the elections.

We ran OONI Probe in Zimbabwe to test the potential blocking of across multiple ISPs. As part of our testing, we collected conclusive evidence on the TCP/IP blocking of by state-owned Internet Service Provider (ISP), TelOne.

Blocking of
We tested across multiple networks through the use of OONI Probe, which is software designed to measure the blocking of websites.

Network measurement data collected from OONI Probe tests suggests that TelOne (AS37204) blocked access to by means of TCP/IP blocking.

We tested multiple times from TelOne, an ISP wholly owned by the Zimbabwean government. All measurements consistently presented the same TCP/IP anomalies and our findings were further corroborated by the fact that RIPE Atlas data did not show any local or global routing issues. We were also unable to access from TelOne. All other OONI network measurements collected from TelOne show that all other tested websites were accessible, strongly suggesting that was in fact blocked.

Based on traceroute measurements, we were able to better understand the means through which the blocking of was carried out.

In particular, we can see that a TCP traceroute to the IP address hosting, on port 443, shows packets all the way to the second to last hop:

$ sudo tcptraceroute 443
Selected device en0, address 192.168.XXX.YYY, port PPPPP for outgoing packets
Tracing the path to on TCP port 443 (https), 30 hops max

8 ( 36.225 ms 36.732 ms 35.849 ms
9 337.824 ms 302.590 ms 307.466 ms
10 307.160 ms 243.743 ms 303.346 ms
11 ( 241.207 ms 228.553 ms 229.795 ms
12 ( 234.231 ms 276.659 ms 310.863 ms
13 ( 232.290 ms 306.593 ms 307.035 ms
14 ( 307.435 ms 237.307 ms 246.666 ms
15 237.524 ms 244.857 ms 242.319 ms
16 253.567 ms 266.811 ms 358.259 ms
17 * * *
18 * * *

We can also see that the same behavior happens with a ICMP traceroute:

$ traceroute to (, 64 hops max, 52 byte packets

9 ( 37.640 ms 37.604 ms 38.004 ms
10 ( 219.583 ms 219.493 ms 267.384 ms
11 ( 218.554 ms 240.429 ms ( 222.056 ms
12 ( 256.960 ms 229.975 ms 230.113 ms
13 ( 233.903 ms 235.164 ms 232.372 ms
14 ( 234.521 ms 234.132 ms 335.489 ms
15 ( 242.165 ms 239.152 ms 238.498 ms
16 ( 365.730 ms 240.539 ms 332.722 ms
17 ( 307.676 ms 266.867 ms 305.145 ms

In contrast, traceroutes from a “non-censored” network reach the destination:

$ sudo tcptraceroute 443
traceroute to (, 30 hops max, 60 byte packets

8 ( 86.778 ms ( 88.889 ms ( 96.399 ms
9 ( 91.851 ms ( 90.123 ms ( 88.980 ms
10 ( 89.565 ms 84.622 ms ( 89.077 ms
11 ( 91.030 ms 90.521 ms 87.181 ms
12 ( 100.686 ms 93.149 ms 104.949 ms
13 ( <syn,ack> 91.376 ms 91.802 ms 90.274 ms

Based on our traceroutes, it seems that the blocking is targeting the IP address hosting and that the blocking occurred on the reverse path (i.e. packets are reaching the IP of, but what is blocked is the response).

We didn’t notice any blocking on IP addresses in a close range, making it very unlikely that this is some form of network failure affecting that particular network:

Selected device en0, address REDACTED, port PPPPP for outgoing packets
Tracing the path to on TCP port 80 (http), 30 hops max

9 ( 35.734 ms 37.130 ms 37.129 ms
10 217.446 ms 220.193 ms 218.716 ms
11 218.447 ms 218.969 ms 218.455 ms
12 ( 307.099 ms 306.820 ms 229.930 ms
13 ( 236.076 ms 231.156 ms 232.041 ms
14 ( 233.050 ms 232.326 ms 232.123 ms
15 ( 422.260 ms 304.031 ms 234.277 ms
16 234.858 ms 233.929 ms 235.892 ms
17 256.225 ms 304.528 ms 248.658 ms
18 ( [open] 256.529 ms 235.979 ms *

Moreover, we found more than 1,700 domains hosted on the same IP address as, suggesting that the blocking of this IP address may have led to collateral damage, blocking many other unrelated websites.

The fact that many other websites are hosted on this same IP address also means that the owners of are very unlikely to have implemented server-side blocking, since they probably don’t have access to firewall settings (and other IPs in the same range of the same provider don’t show evidence of blocking), further consolidating the theory that was intentionally blocked.

It’s worth highlighting that OONI data shows that was accessible in other Zimbabwean networks (such as mobile operator NetOne). This may suggest that independent Zimbabwean ISPs didn’t receive government orders to block

We reached out to the owners of and they provided us the following statement:

“Section 21(1) of the Electoral Act states that every voters’ roll shall be a public document, open to inspection by the public, free of charge.
The block on our website is in breach of section 62 of the Constitution of Zimbabwe […]
We would like to call upon TelOne to immediately remove the block on our website.”

Moreover, they agreed to take down the electoral roll documents containing personal information prior to the publication of this report.

Zimbabwe Electoral Commission (ZEC) site unavailable
The site of the Zimbabwe Electoral Commission (ZEC), which is hosted on a .zw domain, showed a “404 Not Found” error in the days following the elections (but has now been restored).

This could be due to content removal, a domain takeover, or technical issues triggered, for example, by too much traffic towards the website or some malicious activity (hacking).

A possible domain takeover may be suggested by the domain’s DNS SOA record, which has “2018080211” as a serial number and which is a human-edited field. It’s common practice though to set it to the date of the last DNS zone modification, so it may not necessarily be a domain takeover.

On the other hand, the SSL certificate presented for has been valid since 23rd May 2018. This suggests that the entity currently controlling the domain name and IP addresses behind it have SSL certificate files which were issued and cryptographically signed more than two months ago.

Yesterday, Qurium reported that the Zimbabwe Electoral Commission (ZEC) site was in fact defaced. Their forensic investigation confirms that the site was defaced on the evening of 1st August 2018 by an attacker using the nick zim4thewin. They note that the defacement of the site was a protest against military actions during the riots.

This is probably the first time that OONI Probe captures evidence of internet censorship in Zimbabwe.

Almost daily OONI network measurements have been collected from various networks in Zimbabwe over the last year (with many measurements having been collected since 2016), none of which showed signs of internet censorship, until now.

The general elections last week (on 30th July 2018) came at a politically tense time for Zimbabwe, following the ousting of Robert Mugabe – who governed the country for more than three decades – in late 2017. Incumbent President Emmerson Mnangagwa has since governed the country, leading the Zimbabwe African National Union – Patriotic Front (ZANU-PF), which was previously led by Mugabe and which has ruled the country since independence in 1980.

ZANU-PF won most seats in parliament, but the announcement of the presidential vote was delayed, spurring violent riots in Harare amid concerns that the results were being rigged. Even European Union election monitors questioned the delay in announcing the presidential vote. Last week, the presidential vote was announced with Mnangagwa narrowly winning the presidential poll.

As political events unfold, more censorship events may emerge. This study can be expanded upon through the use of OONI Probe and OONI data.

This report was produced in collaboration with Natasha Msonza, Digital Society of Zimbabwe , Kuda Hove, MISA Zimbabwe and the Open Observatory of Network Interference Team

Share This