DDoSing a regulator: A how-to manual from Facebook’s Free Basics
On December 10, something unprecedented happened that many Indians are yet to realize the significance of: a $300 billion global corporation started ‘DDoS-ing’ an independent Indian regulator. The corporation was Facebook and the regulator was India’s apex telecom regulator, TRAI.
“What’s DDoS?” you ask?
A DDoS, or Distributed Denial of Service, is a particularly malicious type of cyber attack that can bring down the best of websites by flooding them with an overwhelming amount of unexpected and unrequested traffic from a large number of computers distributed around the world.
To the victim website, each individual DDoS request appears to be legitimate and coming from different PCs and servers. But collectively, once these requests reach hundreds of thousands or millions in number, the victim site gets so overwhelmed that it shuts down or becomes unreachable to its intended users.
Interestingly, the actual “attackers” in a DDoS attack are largely unaware of their involvement, as most of their PCs and servers are part of ‘botnets’, having been compromised through computer viruses.
Facebook’s ‘DDoS’ kicked off on the 10th, exactly a day after TRAI published a crucial 9-page document on its website titled “Consultation Paper on Differential Pricing for Data Services”. The paper was a continuation of an earlier one in April on “Over The Top Services”, which led over one million Indians to email TRAI their responses. The contentious thread between both papers was “Net Neutrality” – the simple, transparent and fair set of principles atop which the Internet was built: all traffic will be treated equally by ISPs and there shall be no discrimination for or against a website or service.
After 8 pages of fairly elaborate, balanced and nuanced explanations of “differential pricing” – the practice of ISPs discriminating between traffic passing through their networks and charging variable rates from consumers – TRAI requested comments from stakeholders on four questions.
Written responses were to be emailed to a senior officer’s email address before the deadline of December 30.
We do not know why, but within 24 hours Facebook, a powerful corporation with expensive and experienced legal & regulatory teams in every major country – including India – decided to ignore the TRAI paper and instead launch the regulatory version of a DDoS attack.
The first signs of Facebook’s strategy became apparent on 10th December as unwitting users across India started seeing an alert pop up in their notifications: “Act Now to Save Free Basics in India”.
The Free Basics DDoS had started.
Those who clicked the alert were taken to a specially designed page where Facebook, using emotion-laden, fear-inducing messaging like “Without your support, it could be banned in a matter of weeks”; “Unless you take action now, India could lose access to free basic Internet services” and “A small, vocal group of critics are lobbying to have Free Basics banned on the basis of net neutrality”, asked them to register their support for Free Basics and send TRAI a pre-drafted email.
Free Basics is Facebook’s global zero rating platform, earlier called “Internet.Org”, through which it makes available its own services plus a small number of third party sites for “free” by signing deals with individual ISPs and telcos. In India, Free Basics was only available on Reliance Communications’ mobile network, though that has subsequently been ordered to be shut down by TRAI.
Zero rating is a clear violation of Net Neutrality and India’s Department of Telecom had clearly called for a ban on them till India formulated its Net Neutrality laws.
Meanwhile, many Facebook users complained on Twitter that merely scrolling through Facebook’s Free Basics page on their phones caused Facebook to record their support, and then message that “support” to their friends in turn, thus rapidly spreading the Free Basics campaign across social circles. One user even said Facebook sent him a notification that his deceased uncle had supported Free Basics and so he should too.
A social network was using its own platform to get its users to support its own corporate initiative. But that isn’t the story.
Here’s the thing – nowhere in Facebook’s messaging was there a single mention of any of the four questions asked by TRAI. Worse, there wasn’t even a mention of the phrase “Differential Pricing”, the title of TRAI’s paper.
So every response that Facebook recorded and sent to TRAI was not remotely a response that TRAI was expecting. That such an experienced and powerful corporation chose to wilfully disregard a regulator’s due process was astounding.
Over the next few days Facebook started expanding this campaign of deliberate disinformation to other media – SMSes, roadside hoardings, 2-page advertisements in every major newspaper almost every day, WhatsApp promotions, online video ads and radio. The messaging kept evolving, becoming progressively vague, misleading and emotional.
“Support a connected India”
“Support Ganesh”
An SMS sent to mobile users in Tamil Nadu said, in Tamil, “Free Basics provides all basic Internet services for free” asking them to give a missed call to a number to register their support.
Notwithstanding the dishonesty in that statement – because Free Basics does NOT provide ALL basic Internet services (you cannot access Google, Twitter, Flipkart, Zomato and practically the entire Internet except Facebook and a handful of other sites that have signed up) – Facebook was now sending responses to TRAI from people’s mobile numbers with content that only it had access to.
“A connected India means 65 million new jobs”
“Support Rahul”
With over 130 million users in India alone and given the emotional “Save India” pitch of its messaging, it was natural Facebook would get a lot of responses. In a few days it claimed to have sent 3.2 million emails to TRAI.
The current count stands apparently at 5.5 million.
Meanwhile news reports came of even users in the US and Canada being shown Facebook’s Free Basics messaging, and asked to email TRAI. How a US or Canadian user would qualify as a “stakeholder” to comment on India’s Internet regulation process we do not know, but when pointed out, Facebook casually ascribed it to an “error”.
But what has all of this got to do with a DDoS attack?
Remember, a DDoS attack is one in which the perpetrators use a large number of unwitting PCs and servers to launch an attack on a site, so as to prevent the latter from serving its legitimate users and performing its stated function.
What Facebook had carefully and deliberately crafted in India was a method to overwhelm TRAI with a distributed set of responses that didn’t have anything to do with its consultation paper or questions.
But why would they do that?
The real answers only Facebook can give, but we can surmise.
Perhaps because Facebook is aware of the true support for Net Neutrality among Indians, including citizens, entrepreneurs, startups, trade bodies and even political parties. Save The Internet, the volunteer-driven group that had rallied over one million Indians to write to TRAI in support of Net Neutrality in April, is currently running a follow up campaign on the latest consultation paper. By drowning TRAI’s email inbox with millions of individual emails that do not have anything to say on “Differential Pricing”, Facebook is running the regulatory version of a DDoS.
Facebook knows that TRAI will not have the technical knowhow or manpower to sift through millions of responses in order to find the ones that actually have answers to its questions. The Free Basics campaign is designed to dump truckloads of hay on TRAI so that real responses turn into proverbial needles.
But wait, isn’t STI also getting people to email TRAI? How is that okay?
Yes, you’re right – the STI too is running a campaign that on the surface seems similar to Facebook’s. But unlike Facebook’s deliberate campaign of obfuscation and misinformation, the STI is helping Indians understand the full paper and answer each of the four questions in as informed a manner as possible.
This is a serious matter. Because what we have here is a social platform that is supposed to be “neutral”, openly misrepresenting the issues TRAI is trying to formulate policies on and flooding it with non-responses in the possible hope that real responses can be suppressed.
This form of behavior is unprecedented in India’s regulatory history. Even Microsoft, at the height of its power and facing the prospect of central and state governments switching to open source, did not directly exhort individual Windows or Office users to lobby on its behalf. If Facebook’s DDoS attempts go unchecked, why will a Google or Microsoft not want to leverage its Android/Search or Windows/Office users to hijack public policy agendas at scale?
DDoS-ing a website is a criminal activity in most countries, including India. DDoS-ing a regulator should be no less.