MEHDI YAHYANEJAD THOUGHT that after Iranians voted on June 12, 2009, he would finally get some rest. Yahyanejad, the editor-in-chief of the social news and citizen journalism site Balatarian.com, had been working around the clock to cover the election. So when hard-line President Mahmoud Ahmadinejad shocked the country by defeating reformer Mir Hussein Moussavi in a suspiciously large landslide, sending protestors flooding into the streets, the 33-year-old Iranian immigrant was on vacation in Big Sur, California. Instead of enjoying his summer holiday, Yahyanejad spent the next week locked in front of a computer, fighting to keep his site from getting crushed by a crippling cyberattack.
That digital bombardment, seemingly launched by the Iranian government to keep his site down during a critical political moment, was only the first of many. For years, every time there was new protest, the site got hit with a so-called “distributed denial of service” attack that flooded it with junk traffic to overwhelm its servers—often preventing foreign media from accessing the photos and video of the unrest that Iranians posted on the site. Balatarin’s staff blocked thousands of IP addresses a day and even brought in a Dutch cybersecurity consultant, to no avail. During an attack, “any server we launched got shut down in a matter of minutes,” Yahyanejad remembers. “It was a pretty awful experience.”
Then in May of 2013, one of Yahyanejad’s contacts at Google suggested he sign up for a free trial of the company’s Page Speed service, which caches websites on Google servers to give them faster loadtimes. He did, and the result was immediate. Suddenly, Balatarin was backed by Google’s immense infrastructure. Its servers absorbed or filtered out the DDOS attacks, and Balatarin stayed online. “It was a very sudden transformation,” Yahyanejad says. “We stopped worrying on those days of protest.”
Google had quietly adopted Balatarin into an early pilot of a service called Project Shield. That service, designed to stop DDOS attacks from being used as a censorship tool, currently protects close to a hundred similar sites focused on human rights, election monitoring and independent political news. And now it’s finally coming out of its invite-only beta phase to offer its free cyberattack protection to not just the most at-risk sites on the Internet, but to virtually any news site that requests it.
Today Google Ideas, recently renamed Jigsaw, is opening Project Shield to applications from any “independent” news site—in other words, one that’s not owned by a government or political party. Large corporate news sites are also eligible, but Project Shield team lead George Conard says the initiative’s real target is small, under-resourced news sites that are vulnerable to the web’s growing epidemic of DDOS attacks. “Just about anyone who’s published anything interesting has come under an attack at some point,” says Conard. “The smaller and more independent voices often don’t have the resources, whether technical or financial, to really put good protections in place…That’s where we come into the picture.”
Any site that signs up for Project Shield can make a change to their domain name configuration that redirects visitors to a Google server. That server acts as a so-called “reverse proxy”—an intermediate server owned by Google designed to filter out malicious traffic and cache some elements of the site to lighten the load on the website’s own computers. (Conard was hesitant to describe any details of the service’s filtering, to avoid giving tips to potential DDOS attackers.)2
What’s in It for Google?
And what does Google, and its parent company Alphabet, get out of serving up its infrastructure resources—for free—to thousands of sites? Project Shield falls under Jigsaw’s mission, as Alphabet executive director Eric Schmidt wrote last week, “to use technology to tackle the toughest geopolitical challenges.” Among Alphabet’s collection of subsidiary organizations with a less-than-direct focus on profits, in other words, Jigsaw may be the least profit-focused of all.
“This isn’t about revenue,” says Jigsaw president Jared Cohen, a former staffer at the U.S. State Department who helped lead the agency’s Internet freedom campaigns during the Arab Spring. He points to Google’s larger mission statement, saying, “When we talk about organizing the world’s information and making it available and useful…you have to make sure that once people have access to the information, it doesn’t get DDOS attacked, it doesn’t get compromised, it doesn’t get censored in a politically motivated way.”
Preventing DDOS attacks, Jigsaw engineers and execs argue, is good for the Internet. And what’s good for the internet, they say, is good for Google. “We just don’t think that DDOS attacks should exist,” Cohen says. “We hope that Shield can do for DDOS attacks what Gmail did for spam.”
Why News Sites Specifically?
For nearly a decade, DDOS attacks have been used as a form of “just-in-time” political censorship, as some Internet freedom analysts have called it. This is when, instead of blocking a site with a Chinese-style Great Firewall, governments or government-sponsored hackers will knock it offline at a crucial moment, like a protest or an election. And DDOS attacks have only become a more powerful and accessible method of censorship in recent years: DDOS-tracking firm Arbor Networks has found that attacks now routinely top 100 gigabits a second, compared with peak attacks of 50 gigabits a second in 2009.
That growing threat to the web led Google to launch Project Shield in 2013, and now to expand it to encompass any willing news site. Google chose to offer Project Shield specifically to news organizations because in many cases those groups depend entirely on their web presence to get information to the public, says early Project Shield product manager C.J. Adams. Project Shield is also open to human rights and election monitoring sites by invitation, but Adams differentiates those categories of Shield users from news sites in that they’re able continue their work even if their sites go offline.1
“News” is also a broader and more easily defined category of sites than those others, Adams explains; Jigsaw will open Project Shield to news sites defined as those that would appear in Google News—in other words, those with journalistic standards and attribution of reported facts. Individual bloggers and citizen journalism sites are welcome to apply, Jigsaw staffers say, but will be considered on a case-by-case basis.
They’re careful to note, however, that the political slant or opinions of the site won’t be used to discriminate who receives Shield’s help. “We’ll protect people on all sides of a political dialogue,” says Conard. “One of the important things about keeping these voices alive is that you shouldn’t be able to silence one point of view just by launching an attack.”
Even this seemingly benevolent move by Google is sure to raise the eyebrows of the company’s privacy critics, since involvement in Project Shield requires giving Google access to data about who visits a news site. But Jigsaw promises that the raw logs it collects from its reverse proxy service will be kept for a maximum of two weeks and then stored only in aggregate form to learn more about DDOS attack patterns. And it commits not to use any data it collects from Project Shield for advertising purposes. “This comes up: What’s the catch? What’s in this for Google?” says Adams. “We’ve made it very explicit we don’t have the rights to commercialize anything that comes through.”
Instead, Jigsaw argues that keeping news sites safe from DDOS attacks fits into Google’s central purpose: to not just lead searchers to information, but to make sure it’s online when they reach it. “Is it worth it for us to spend the money and the bandwidth capacity to protect the world’s news sites from getting DDOS attacked if that’s something they want?” Cohen asks. “The answer for us is an obvious yes.”
Correction 2/24/2016 10:12 EST: An earlier version of the story used the wrong last name and job description for Google staffer C.J. Adams.
Correction 2/24/2016 7:15 EST: An earlier version of the story stated that sites had to switch to Google’s domain name servers to use Project Shield rather than merely change their own domain name configuration.