Rohini Lakshané (The Bachchao Project) and Prateek Waghre (The Takshashila Institution) conducted a preliminary analysis of the whitelist comprising 153 entries issued by the Home Department, Government of Jammu and Kashmir on 18 January 2020, to empirically determine whether the whitelisted websites and services would be practically usable for an ordinary resident. The Twitter thread published here shines a light on the method of testing and the significant findings. A detailed write-up will be published soon. The dataset comprising test results is licensed and can be accessed here: https://zenodo.org/record/3627665
Thread on the Kashmir Whitelist.
Earlier this week @aldebaran14 and I analysed the 153 websites on the whitelist as per the 18th Jan Order and found that ~80 were not ‘practically usable’. We wanted to understand how these websites will work/look under this whitelist regime (1/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
So we set up Chrome with an extension to allow access only to the hostnames listed in the order. Now, there are limitations with this method. We did not test on a 2G network. We could not carry out actual transactions and the assessment of usability is a bit subjective (2/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
We looked for whether the website was visually affected, if the images loaded, if the login section was accessible and the main function(s) of the website still worked along with some general navigation to see what was affected (3/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
In perusing the list we found typos, duplicate entries, entries without actual hostnames and some that were indeterminate. After removing these, we were left with 134. Of these we found ~80 websites were not practically usable. Why? (4/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
Well, the way most websites are designed, a lot of content comes from subdomains, CDNs. They also have 3rd party content like analytics services, ads, various libraries that manage the UI etc. None of this worked because they were not on the whitelist (5/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
So most of the websites were broken. Here is an example of https://t.co/lrODnoKXrm. We also pulled a request map to highlight how much content comes from other domains. Different websites were affected to varying degrees depending on how they were designed (6/n) pic.twitter.com/IvNOAXjsjG
— Prateek Waghre (@prateekwaghre) January 25, 2020
In case of https://t.co/VZism9Q7nA, we found that though the page was still (sort of) readable, the search feature was unresponsive. The train status feature took us to another link, which of course, was not on the whitelist. (7/n) pic.twitter.com/CCsuk5L8OA
— Prateek Waghre (@prateekwaghre) January 25, 2020
For the ones classified as banking websites, we found that only 2 of the 15 on the list had accessible login pages (eg. For SBI bank, the whitelisted domain was https://t.co/puxIdFlslj, but to log in you need to go to https://t.co/Owwg9o3Qth which was not on the list) 8/n
— Prateek Waghre (@prateekwaghre) January 25, 2020
The inclusion of streaming services seems absurd because:
1) 2G
2) Most of them use CDNs for delivering video content (as I said earlier, these are not on list).
3) No actual hostnames were given – how does the ISP know what to allow? Are they expected to analyse the apps? (9/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
We excluded these and ‘Jio Chat’, so in reality (esp. over 2G) the number of unusable websites may be higher than what I said earlier in thread.
Of the ones that worked, 25 were minimally impacted (mainly had textual information). 30 were ‘partially usable’ (10/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
We ended the exercise with more questions than answers. Some of them are:
1) On what basis are these (and future) domains selected?
2) Why are some sites on the list while others in the same category are not?
3) How will ISPs actually implement this? (11/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
I know the list was updated to approx 300. Haven’t read through it in detail, but a cursory glance was enough to spot duplicates and strange entries (trying hard not to judge). I would love to test the new ones, sadly, we’re caught up with other stuff over the next few days. (12/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
We’ve also done a detailed write-up that we’re hoping to publish soon. Both @aldebaran14 (credit to her for kicking this off) and I are also happy to release the spreadsheet that we recorded our analysis on, in case anyone wants to build off it. (13/n)
— Prateek Waghre (@prateekwaghre) January 25, 2020
Correction for #8. The whitelisted domain for SBI is www_onlinesbi_com (I’ve replaced the . with _ because twitter drops the www automatically)
— Prateek Waghre (@prateekwaghre) January 25, 2020
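The effect the thread describes can be reproduced on paper. The following is an added example, not part of the original thread or the authors' test setup: it cleans a hostname allowlist (dropping duplicates, typos and entries without a hostname) and then audits one page load against it. All hostnames, URLs and function names are constructed for illustration, and exact-hostname matching is an assumption about how such a list would be enforced.

```javascript
// Constructed allowlist entries with the defects the thread describes.
const rawEntries = [
  "www.bank.example",
  "WWW.bank.example",       // duplicate, differs only in case
  "https://news.example/",  // given as a URL rather than a hostname
  "www.rail,example",       // typo: comma instead of dot
  "Some Video App",         // service name, no hostname
];

// Normalise an entry to a lowercase hostname, or null if it is not one.
function toHostname(entry) {
  const s = entry.trim().toLowerCase();
  try {
    const host = new URL(s.includes("://") ? s : "http://" + s).hostname;
    return /^([a-z0-9-]+\.)+[a-z0-9-]+$/.test(host) ? host : null;
  } catch {
    return null; // not parseable as a host at all
  }
}

function buildAllowlist(entries) {
  const hosts = new Set(), rejected = [];
  for (const e of entries) {
    const h = toHostname(e);
    if (h) hosts.add(h); else rejected.push(e);
  }
  return { hosts, rejected };
}

// Assumption: exact-hostname matching, so subdomains and third parties fail.
function auditPage(hosts, requestUrls) {
  const allowed = [], blocked = [];
  for (const u of requestUrls) {
    (hosts.has(new URL(u).hostname) ? allowed : blocked).push(u);
  }
  const blockedHosts = [...new Set(blocked.map(u => new URL(u).hostname))].sort();
  return { allowed, blocked, blockedHosts };
}

// Constructed list of requests made while loading one allowlisted page.
const pageRequests = [
  "https://www.bank.example/", "https://www.bank.example/css/site.css",
  "https://static.bank.example/js/app.js", "https://login.bank.example/signin",
  "https://cdn.example.net/lib/ui.min.js", "https://analytics.example.org/collect",
];
const allowlist = buildAllowlist(rawEntries);
const report = auditPage(allowlist.hosts, pageRequests);
console.log("rejected entries:", allowlist.rejected);
console.log("blocked hosts:", report.blockedHosts);
```

Only the two requests to the allowlisted host itself succeed; the static subdomain, the login host, the CDN and the analytics host are all blocked, which is the pattern the thread reports for most of the tested sites.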