#OrangeIsTheNewBlacklist: In France, Google and Wikipedia briefly censored for “apologia of terrorism”

Oops, something didn't go as planned.
Par défaut

You dislike Mondays? You’d have loved this one: Google and Wikipedia were censored for an hour in France, for “apologia of terrorism”.

Yesterday 17 October 2016, an ordinary Monday morning, I was searching for a document online. Using different search engines — DuckDuckGo, Qwant, Google — helps me find out more details; incidentally and in contrast with Google, alternative engines also respect my privacy since they neither log nor keep track of my search requests.

Weirdly enough, Google was timing out. I tried out a few more times, to no success. My Internet connection was fine, though, and Qwant was also responding. Even more bizarre, my Gmail account was functional. On Twitter, some people were also flagging a “Google down” situation and started asking me which my ISP is. My Internet service provider (ISP) is Orange. It turned out that the issue seemed to affect only subscribers at Orange and its low-cost subsidiary, Sosh.

When trying to reach Google gets you to the Ministry of Interior

While my requests to Google were timing out, others’ were getting a response… A quite unusual response, though:

It also occurred that the IP address one was reaching when trying to reach google.fr was 90.85.16.52. It is operated by Orange as well but belongs to the Ministry of Interior.

Orange’s DNSes — that the majority of the ISP’s subscribers uses — were redirecting google.fr to the Ministry of Interior (MoI).

In a nutshell, a DNS connects a domain name, e.g. google.fr, to a bunch of technical characteristics such as (and most prominently) the IP address(es) of the computer(s) serving responses to requests. Thus, a DNS knows which IP(s) match(es) which domain(s). The user is served this link thanks to resolvers: these are ‘contacted’ by the user (you, me, etc.) and ‘ask’ the DNS having knowledge of the correspondence IP(s)-domain(s) to provide said knowledge. The ISP, Orange in this case, operates and manages those resolvers. Orange/Sosh subscribers using other ISP’s resolvers (e.g., those belonging to independent ISP FDN) had no issues reaching google.fr. If you are a techie, you could have a look at this great piece by Stéphane Bortzmeyer, and consider following him on Twitter.

Wait a second… What had happened for, when I try to reach google.fr, I reach the French MoI instead?

via GIPHY

The initial stun aside, the situation cleared quite a bit: Google was not down. The Ministry of Interior was, temporarily, serving the requests in lieu of google.fr. Oh my. Considering the number of people searching for stuff every minute on Google, it is no wonder that the MoI’s infra did not hold the load. My request to google.fr was thus not ‘timing out’ because of google.fr being down, but because the Ministry could not respond to all requests.

How did that happen? The perils of DNS censorship

Technicalities aside then, the confusion persisted. Different Twitter users, as the one above, trying to reach www.google.fr or fr.wikipedia.org were received with a scary notification from the Ministry of Interior that read (in all caps and in red):

You have been redirected to this web page [operated by] the Ministry of Interior because you attempted to reach a website whose content is incitative to [commit] acts of terrorism or publicly praised acts of terrorism.

OK, google.fr and fr.wikipedia.org are both blocked for “apologia of terrorism”, as the sort of offence is known as in France. Administrative censorship is legal in France: Decree 2015–125 of 5 February 2015 introduced the right of a special administrative commission (and not a judge) to block and take down websites “incitative to or apologetic of terrorism” as well as disseminating pedopornographic content.

Critics of the law have highlighted that such operations are not approved by a judge. The latter has, however, the legal tools to apply the law when deciding whether a website is guilty of inciting or promoting terrorist acts. The administrative commission in charge of listing which online resources to block also admitted the real risk of over-blocking. In other words, instead of taking down only one website hosted on — say, a popular blog platform, — DNS blocking as operated here can cause thousands or more blogs be blocked because they are hosted on the same platform. Such cases exist elsewhere:

According to Orange, the problem was due to “human error” during server maintenance procedures. This, however, is a meager explanation: it does not allow to tell whether there was a mistake in the list of websites the Ministry sent to Orange or whether the error comes indeed from the ISP itself only. If there were an error in the files sent to the ISP, then all operating ISPs should have experienced such issues. Such was not the case.

A “human error” is yet quite unlikely: who, amongst the highly trained technical staff at France’s biggest ISP, would mistakenly and by hand inscribe google.fr and fr.wikipedia.org in a websites-to-censor file? And although the ISP maintains that a “human error” caused the blocking, it does not provide details allowing to explain how such an “error” could materialise.

But more importantly, the formal procedure does not portend to such errors. When the Ministry of Interior sends ISPs the list of websites to block, it is a spreadsheet with four columns. Those contain the domain name and the IP addresses to which redirect users who were searching to reach those websites; redirections depend on the nature of the offence (apologia of terrorism, pedopornography, etc.).

Such a procedure does not leave room for “human error” that results in blocking google.fr or fr.wikipedia.org. Most probably, adding those domain names to a pre-existing list is not done by a human who copy-pastes by hand. More so, the IP address 90.85.16.52 belongs to the Ministry of Interior and corresponds to a service that counts the attempts to reach a website blocked for providing illegal content (apologia for terrorism, pedopornography, etc.), “for statistical purposes”. The IP addresses used to display block motives are 90.85.16.50 and 90.85.16.51.

Thus, the “human error” would mean that someone has manually entered the specific domain names and redirected them to a somewhat unusual IP address, namely 90.85.16.52. Those elements make it quite unlikely to have a “human error” involved. Of course, one could also speculate about a malevolent action behind the accident. There is, however, no ground for such claims so far. A news outlet also alleged that an erroneous use of a test file in lieu of the ‘official’ one was used, but there is no way of confirming such a claim either.

So, anything is possible. However, speculating about how the accident occurred makes us go astray of the real issue: DNS blocking is plain toxic, for all. Not only is DNS a critical layer of the Internet infrastructure; it ensures the network is resilient. Politically or commercially motivated interference and censorship endanger this infrastructure and Internet resilience. Weakening the foundations of the network as it happens through large-scale DNS filtering weakens the security and reliability of the Internet. Do we really want to endure the effects of those actions?


If you read/understand French, you can also follow the following hashtags on Twitter: #OrangeIsTheNewBlacklist (self-explanatory) and #laMainRouge (a moniker for the French MoI which used a red hand to signal blocked websites in the beginning). #laMainOrange (you get the idea, I think 😉 ) briefly surfaced but didn’t make it to an established hashtag.