Voidly probe vantage selection: ASN diversity, operator safety, and reaching hard-to-measure countries

A censorship measurement is only as useful as its vantage. Two probes in the same country on the same ISP tell you the same thing — they share the same network path, the same upstream resolver, and the same government-facing routing policy. Two probes on different ISPs, especially on the residential and mobile networks where most people actually connect, can reveal something structurally different: that a block is ISP-specific and commercially motivated rather than government-ordered at the national level. Vantage selection is where this distinction begins.

Why ASN diversity beats geographic spread

An Autonomous System Number (ASN) identifies a network operating under a common routing policy — usually an ISP, a mobile carrier, a university, or a large corporation. From a censorship measurement perspective, ASNs are the unit of analysis that matters. Two probes on different /24 subnets but within the same ASN share the same DNS resolvers, the same upstream peering relationships, and the same points where a government or the ISP itself can inject a block. Counting them as independent vantages would be wrong.

Most internet users in any given country connect through a surprisingly small number of residential ASNs. In a mid-sized country like Thailand or Peru, the top five residential ISPs typically account for 85–90% of broadband subscribers. Our vantage selection goal, therefore, is not to maximize the raw number of probes or to spread them evenly across administrative regions — it is to reach as many distinct ASNs as possible, with strong preference for the residential broadband and mobile carrier networks where ordinary users connect.

Data-center ASNs are actively de-prioritized in our coverage scoring. Government-ordered blocks almost never target data centers — doing so would disrupt cloud hosting and e-commerce services that governments generally want to preserve. If an anomaly shows up exclusively from data-center vantage points, it is almost always an upstream route filter applied by a transit provider, not a political block. Including DC ASNs at full weight in our coverage calculations would inflate our apparent network diversity without contributing meaningfully to the signal we care about.

For a Verified Incident to use the “multi-ASN” confidence boost — the scoring multiplier that raises confidence when a block is visible across independent network paths — we require at least three distinct residential or mobile ASNs confirming the anomaly. The coverage score that determines whether a country meets this threshold is computed as follows:

VANTAGE_QUALITY_MULTIPLIER = {
    'residential_broadband': 1.0,
    'mobile_carrier':        1.0,
    'university':            0.7,
    'data_center':           0.4,
    'transit_provider':      0.5,
}

def asn_coverage_score(country: str, probes: list[Probe]) -> float:
    unique_asns = {p.asn for p in probes}
    weighted_count = sum(
        VANTAGE_QUALITY_MULTIPLIER[asn_type(asn)]
        for asn in unique_asns
    )
    return min(1.0, weighted_count / 3.0)  # saturates at 3+ quality vantages

A country with three residential ISP probes scores 1.0 and qualifies for the multi-ASN boost. A country with five data-center probes scores 0.67 and does not. The denominator of 3.0 reflects our empirical finding that three independent residential vantages is sufficient to distinguish ISP-level filtering from national-level policy with high confidence; beyond that, additional ASNs produce diminishing returns in the corroboration signal.

Operator recruitment and vetting

Voidly probes are run by volunteer operators — individuals or organizations who download the Voidly desktop application, agree to the operator terms of service, and leave the application running on a machine connected to their home or office network. The network effect that makes vantage diversity possible is the same network effect that makes it difficult to engineer: we need volunteers on specific ISPs in specific countries, and we cannot simply purchase that coverage.

Recruitment happens through four channels. The open-source community — particularly developers and systems engineers who follow internet freedom projects — is the largest source. Civil society organizations are the second: we have relationships with groups in the Freedom House network and the Reporters Without Borders digital security program whose staff or partners run probes as part of their own monitoring work. University research groups focusing on internet measurement or network security are the third. The fourth, smaller channel is technology journalists who have covered internet censorship and want first-hand data access in exchange for hosting a probe.

Operator vetting is intentionally lightweight. We do not perform KYC, we do not collect email addresses, and we do not require identification. An operator proves they are connecting from the intended country by completing a first measurement run that produces a geolocation consistent with the declared country. The probe architecture uses an X25519 public key as the sole operator identifier — we know which key is associated with which ASN, but we deliberately do not know who is behind the key. The operator agreement is a terms of service, not an identity assertion.

For coverage accounting purposes, we track per-ASN operator counts rather than per-person counts. An ASN with five operators who all share the same university campus network counts as one effective vantage — they are on the same network path, seeing the same routing policy, and providing no additional measurement independence. This matters for computing the ASN coverage score above: the denominator is unique weighted ASNs, not headcount.

Operator safety in high-risk countries

In some countries, running a network measurement probe is not merely inconvenient — it is a legal risk or a personal safety risk. Network measurement activities can be construed as unauthorized computer access, as espionage-adjacent behavior, or as evidence of connection to foreign organizations, depending on the legal regime. We take these risks seriously because ignoring them would expose operators to harm and would eventually eliminate our presence in the countries that matter most for censorship monitoring.

We categorize countries as High Safety Risk (HSR) based on two inputs: Freedom House's Freedom on the Net annual scores and the presence of specific network monitoring or unauthorized-access laws that could apply to measurement activity. Current HSR countries include China, Russia, Iran, North Korea, Belarus, Ethiopia, Eritrea, and Turkmenistan, along with eight additional countries where legal counsel has identified specific enforcement risk. This list is reviewed annually.

In HSR countries, probe behavior is restricted in four ways. First, cryptographic key rotation is accelerated: HSR probes rotate their X25519 keypair every 24 hours rather than the standard weekly rotation, limiting the linkability window if a key is ever exposed. Second, measurement cycles are shorter: HSR probes run against a 60-domain test list rather than the standard 80, reducing the measurement traffic volume and the time the probe is active on the network in any given cycle. Third, we exclude certain content categories from HSR test lists — specifically categories that carry criminal penalties in many HSR jurisdictions, such as adult content and alcohol-related domains, where accessing the content itself (not just measuring it) could constitute an offense. Fourth, timing randomization is applied to the measurement traffic to avoid patterns that would identify the probe as measurement software rather than ordinary encrypted traffic.

# per-country probe config
CN:
  safety_tier: high
  key_rotation_hours: 24
  test_list_size: 60
  excluded_categories: [PORN, ALDR]
  measurement_delay_ms: [800, 2000]  # randomized
US:
  safety_tier: low
  key_rotation_hours: 168  # weekly
  test_list_size: 80
  excluded_categories: []
  measurement_delay_ms: [0, 200]

The tradeoff is explicit: HSR country probes produce lower-coverage measurements than their low-risk counterparts. A 60-domain test list misses 25% of the targets we would otherwise measure. We accept this tradeoff because a probe operator who is detained or whose equipment is seized produces zero measurements indefinitely — the expected value of the reduced-risk configuration is higher than the expected value of maximum coverage with elevated operator risk.

Reaching hard-to-measure countries

Some countries present a different kind of measurement challenge: not safety risk, but infrastructure scarcity. Landlocked low-income countries, Pacific island nations, and some sub-Saharan African countries have very few broadband operators available to run a probe. In these countries, mobile-only connectivity often dominates for the majority of users — and our desktop application cannot run on a mobile handset. A probe that measures fixed-line connectivity in a country where 90% of users are mobile-only is providing information about a network that most people never use.

We use three approaches to extend coverage into sparse-probe countries. The first is mobile tethering: operators in these countries connect the probe machine to a mobile data hotspot rather than fixed-line broadband. This is operationally inconvenient — it consumes battery and mobile data allowance — but it means the probe is measuring the mobile carrier's ASN rather than a fixed-line ISP. For countries where mobile carriers are the primary censorship enforcement point, this is meaningfully more accurate than fixed-line measurement.

The second approach is organizational probes. We partner with civil society organizations — local journalists, NGOs, press freedom groups — who host a probe on their organizational internet connection. This covers fixed-line connectivity and typically provides a stable, long-running vantage, but it is usually a single ASN per organization and that ASN may be atypical of how most residents connect. We weight organizational probes appropriately in the coverage score.

The third approach is supplemental OONI coverage. For countries where we have fewer than two active Voidly probes, we give heavy weight to OONI's independent measurements. OONI has probe coverage in all 200 countries we track, and for countries where our own coverage is thin, OONI data is often the only structured censorship measurement that exists. We flag events in these countries as OONI-primary rather than Voidly-primary in the public dataset.

OONI-primary events carry a lower confidence floor than Voidly-primary events for one structural reason: OONI does not share real-time data. Their data pipeline introduces a corroboration latency of several hours to a day, which means an OONI-primary event reaches our dataset later and with less temporal precision than a Voidly-primary event. These events are tagged with data_source: ooni_primary in the dataset schema so downstream consumers can filter or weight accordingly.

Why vantage count isn't the right metric

We deliberately do not publish “N probes across 200 countries” as a headline metric, because raw probe count is misleading without ASN context. A country with 15 probes all operated from the same university campus network is a worse measurement environment than a country with 3 probes on 3 different residential ISPs. The university scenario gives you 15 observations of a single network path. The three-ISP scenario gives you 3 observations of 3 independent network paths, each of which can confirm or contradict the others.

The metric we use internally — and publish alongside every incident and country-level forecast — is a coverage score that combines two factors: distinct residential ASNs with active probes, and temporal consistency defined as probes that have been continuously active for more than 30 days. A probe that appeared yesterday and has not yet demonstrated stability contributes less to the coverage score than a probe that has been running for three months. The formula is straightforward:

def country_coverage_score(country: str, probes: list[Probe]) -> float:
    qualified = [
        p for p in probes
        if p.days_active >= 30
    ]
    # ASN score from quality-weighted unique ASNs
    asn_score = asn_coverage_score(country, qualified)

    # Temporal consistency: fraction of probes that are long-running
    if not probes:
        return 0.0
    temporal_score = len(qualified) / len(probes)

    return round(asn_score * temporal_score, 3)

A country with three long-running residential probes scores close to 1.0. A country where all probes are newly installed scores near 0.0 even if the ASN diversity is good, because we do not yet have evidence that those probes are stable. A country with good ASN diversity but a mix of old and new probes will score somewhere in between. This score is what appears in thecoverage_score field of every record in the public dataset — it is the number data consumers should use to understand how much to trust the measurement quality behind any given event.

For the test list that probes measure at each vantage: The Voidly test list: domain selection, category weighting, and country-specific overrides →

For the probe application that operators install: Voidly probe architecture: how measurements are collected, signed, and transmitted →

For how anomalies detected at these vantages are classified: The Voidly anomaly classifier: five interference classes and why we optimize for recall →