News Cluster: China

There has been a flurry of articles on Internet censorship in China recently. One very interesting AFP article suggests that China may relax its restrictions and allow access to some sites currently blocked by the GFW:

Plans to tear down the so-called Great Firewall of China were being debated and a decision was expected soon, said Wang Hui, head of media relations for the organising committee…

“I believe you will be able to (access banned sites such as the BBC) but I can’t give you a promise yet. The relevant government departments are still working on it,” she said.

That’s something to keep an eye on for sure.

An article in The Guardian discusses the rapid growth of Internet usage in China and the related effects. The article discusses how the Internet, and blogs in particular, have created “competing public opinions.” This is an interesting way to frame the topic, as censorship in China is often characterized as monolithic when in fact there is a significant amount of competition in the realm of ideas. Even within a confined informational space there is considerable movement — what I’ve called wiggle room in the past — if one looks for it.

However, the article repeats the charge that China is exporting its Internet censorship technology:

Campaigners suspect China is passing its censorship know-how to Cuba, Vietnam and several African countries.

Now, I don’t doubt that others are looking at the forms of control China is applying to the Internet and evaluating how they too can keep the benefits, particularly economic, that come with the Internet while minimizing its use for free expression, but I’m not so sure that this means that China is actively exporting censorship technology. As it currently stands, ONI found no filtering in Zimbabwe despite reports to the contrary. While Vietnam does censor the Internet, it does so in a very different way than China does. Cuba may conduct a limited amount of filtering, but it is also much different from that in China. RSF reported:

There is hardly any censorship of the Internet in Internet cafes. Tests carried out by Reporters Without Borders showed that most Cuban opposition websites and the sites of international human rights organisations can be accessed using the “international” network. In China, filtering for key-words makes it impossible to access webpages containing “subversive” words. But, by testing a series of banned terms in Internet cafes, Reporters Without Borders was able to establish that no such filtering system has been installed in Cuba.

While not ruling out the possibility, I am skeptical of this claim based on my experience with testing filtering systems in these countries. (What’s more interesting is that Comcast’s filtering in the USA is more like the GFW than any of these countries.)

The New York Times published an article that looks at the resistance to Internet censorship in China. It picks up on the theme of backlash that I’ve suggested comes about when overblocking occurs. When common web sites and services are blocked, it helps turn normally apolitical people into activists. The NYT reports:

For a vast majority of Internet users, censorship still does not appear to be much of a factor. The most popular Web applications here are games and messaging services, and the most visited Internet sites focus on everyday subjects like entertainment news and sports. Many, in fact, seem only vaguely aware that China’s Internet universe is carefully pruned, and even among those who know, a majority hardly seems to care.

But growing numbers of others are becoming increasingly resentful of restrictions on a wide range of Web sites, including Flickr, YouTube, Wikipedia, MySpace (sometimes), Blogspot and many other sites that the public sees as sources of harmless diversion or information. The mounting resentment has inspired a wave of increasingly determined social resistance of a kind that is uncommon in China.

The Financial Times reports that Guo Quan, a Chinese scholar, is planning to sue Google because a search for his name in is censored. If someone gives me the proper Chinese translation for his name I can check this out further. (In English it returns results; using 郭泉, results are also returned along with Google’s standard censorship notification. The name itself is a censored term, as a search for it with a non-existent domain will produce the censorship notification as well. and Baidu produce no results. They will produce results if something is appended to the search (, baidu).)

The Atlantic published an article on censorship in China (it seems to be gone now, here are links to Google’s cache: 1, 2, 3, 4) that takes on the challenge of explaining the technical measures used to censor the Internet. The article also discusses circumvention and the self-censorship component that is so integral. The article concludes with some salient points regarding the important role of domestic censorship as well as the widening space for dialog:

It would be wrong to portray China as a tightly buttoned mind-control state. It is too wide-open in too many ways for that. “Most people in China feel freer than any Chinese people have been in the country’s history, ever,” a Chinese software engineer who earned a doctorate in the United States told me. “There has never been a space for any kind of discussion before, and the government is clever about continuing to expand space for anything that doesn’t threaten its survival.” But it would also be wrong to ignore the cumulative effect of topics people are not allowed to discuss.

However, there are several issues with the technical analysis as well as underlying tones of “exceptionalism” that obscure some of the bigger picture issues. There seems to be confusion over surveillance and filtering. It’s best to think of filtering as a set of rules: if packets contain something that violates the rules, certain actions are taken. If a destination IP address is on a block list, the connection is not made; if packets contain certain keywords, reset packets are sent to the source and destination to terminate the connection. Surveillance implies that someone is watching the traffic, or more logically that it is stored and parsed and then someone looks at it. When surveillance and filtering are (con)fused together you get something strange like this:

Thus Chinese authorities can easily do something that would be harder in most developed countries: physically monitor all traffic into or out of the country. They do so by installing at each of these few “international gateways” a device called a “tapper” or “network sniffer,” which can mirror every packet of data going in or out. This involves mirroring in both a figurative and a literal sense. “Mirroring” is the term for normal copying or backup operations, and in this case real though extremely small mirrors are employed. Information travels along fiber-optic cables as little pulses of light, and as these travel through the Chinese gateway routers, numerous tiny mirrors bounce reflections of them to a separate set of “Golden Shield” computers. Here the term’s creepiness is appropriate. As the other routers and servers (short for file servers, which are essentially very large-capacity computers) that make up the Internet do their best to get the packet where it’s supposed to go, China’s own surveillance computers are looking over the same information to see whether it should be stopped.

If one conducts passive surveillance with a tap, one cannot then go back and interfere with the packets. For filtering, such a setup is not needed. You just route the traffic through something that filters — basically all routers can filter. The filter looks at the packets and matches them to the rules. There are no “tiny mirrors” or whatever. If you want to conduct passive surveillance you can use a tap and record the traffic for analysis. The two things are not really related. Moreover, internet surveillance is not something that only China does or that is easier for China to do — a quick look at the most sophisticated internet surveillance system in the world can demonstrate that.

On to the mechanisms:

DNS tampering is explained well (although there may be some new variant). An important point is that most ISPs have their own DNS servers, so managing a centralized system could be awkward (though not impossible), and users can use other uncensored DNS servers.

IP Blocking: This technique is incorrectly explained in the article.

While your signal is going out, and as the other system is sending a reply, the surveillance computers within China are looking over your request, which has been mirrored to them. They quickly check a list of forbidden IP sites. If you’re trying to reach one on that blacklist, the Chinese international-gateway servers will interrupt the transmission by sending an Internet “Reset” command both to your computer and to the one you’re trying to reach.

If packets are sent (trying to establish a TCP connection) for a particular IP and they pass through a router configured to block packets for that IP, the router will block those packets. That’s it. There is no connection ever made. If you sniff such a connection you will only see outgoing SYN packets and nothing else. No reset packets are sent. There’s no “mirror” processing anything while you wait.

URL keyword block – This technique is actually the reset one described under IP blocking. If any part of the GET request contains certain keywords — and domain names are often used as keywords — reset packets will be sent to both the source and destination to terminate the connection. When is it triggered? This is confusing because the GFW’s keyword filtering is bi-directional, but in my experience it is triggered on the way out of China. I say this because you can trigger it by requesting non-existent content. Depending on how long it takes to send the reset packet, you may receive some of the content you requested, which is what makes it appear that the filtering happens on the way in. After receiving reset packets the source and destination will not be able to connect to each other for a period of time.
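The two signatures described above (unanswered SYNs for IP blocking, reset packets after the GET request for keyword filtering) can be told apart in a client-side capture. This is an added example, not part of the original post; the `Pkt` record, the labels and the sample traces are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    t: float            # seconds since capture start
    direction: str      # "out" = sent by client, "in" = received by client
    flags: str          # TCP flags: S, SA, A, PA, R, RA, FA
    payload: bytes = b""

def classify(trace):
    """Label one client-side TCP trace with the signature it is consistent with."""
    inbound = [p for p in trace if p.direction == "in"]
    syns = [p for p in trace if p.direction == "out" and p.flags == "S"]
    if syns and not inbound:
        # Dropped at a router: SYN retransmits, no reply, no RST (a dead host looks the same).
        return "ip_block"
    handshake = any(p.flags == "SA" for p in inbound)
    req_t = next((p.t for p in trace
                  if p.direction == "out" and p.payload.startswith(b"GET ")), None)
    rst_t = next((p.t for p in inbound if "R" in p.flags), None)
    if rst_t is not None and not handshake:
        return "refused"              # RST answering the SYN: closed port, not filtering
    if handshake and req_t is not None and rst_t is not None and rst_t > req_t:
        return "reset_after_request"  # connection made, then torn down by RST
    return "no_signature"

def bytes_before_reset(trace):
    """Response bytes that reached the client before the first inbound RST."""
    inbound = [p for p in trace if p.direction == "in"]
    rst_t = next((p.t for p in inbound if "R" in p.flags), float("inf"))
    return sum(len(p.payload) for p in inbound if p.t < rst_t)

# Constructed sample traces (not captures from a real network).
HANDSHAKE = [Pkt(0.00, "out", "S"), Pkt(0.20, "in", "SA"), Pkt(0.20, "out", "A")]
BLOCKED_IP = [Pkt(0.0, "out", "S"), Pkt(3.0, "out", "S"), Pkt(9.0, "out", "S")]
KEYWORD = HANDSHAKE + [
    Pkt(0.21, "out", "PA", b"GET /blockedword HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Pkt(0.40, "in", "PA", b"HTTP/1.1 404 Not Found\r\n"),  # partial reply races the RST
    Pkt(0.45, "in", "R"),
]
NORMAL = HANDSHAKE + [
    Pkt(0.21, "out", "PA", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Pkt(0.40, "in", "PA", b"HTTP/1.1 200 OK\r\n\r\nhello"),
    Pkt(0.41, "in", "FA"),
]

if __name__ == "__main__":
    for name, tr in [("blocked-ip", BLOCKED_IP), ("keyword", KEYWORD), ("normal", NORMAL)]:
        print(name, classify(tr), bytes_before_reset(tr))
```

A label only says which signature the trace matches; unanswered SYNs or a reset seen from a single vantage point can have other causes, so compare against a control path before drawing conclusions.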

Body Filtering – This is a bit of a tough one. Basically, if you create a web page with a keyword that normally triggers the reset packets if it appears in the URL path, you can access it fine from China. I originally thought that this meant that body content was not filtered, but if you create a large page of such words the reset packets can be triggered. This may mean that a sampling of packets is checked, not all packets. In any case the behavior is the same as discussed above — the source and destination cannot connect to one another for a period of time. If you keep requesting the content you trigger more reset packets, so it takes longer to be able to connect, but if you wait and then trigger the reset packets again, it won’t be longer the second or third time. There’s no escalating punishment.

Bi-directional keyword filtering

As Chinese-speaking people outside the country, perhaps academics or exiled dissidents, look for data on Chinese sites—say, public-health figures or news about a local protest—the GFW computers can monitor what they’re asking for and censor what they find.

Again, the keyword filtering is bi-directional: if you trigger it on connections to China, the same behavior applies. Again, the issue of “monitoring” in this context implies that there’s something intelligent and deliberate about the filtering. If the packet matches the rules, it triggers the filtering mechanism, in this case reset packets.


Easy is a relative concept here. If a user chooses to break the law and acquires the necessary knowledge to bypass censorship then, yeah, it can be easy. You can buy VPN access — at least until lots of people start using it and then it gets blocked – or use an encrypted proxy — at least until it gets blocked. They don’t need to block all VPNs; they can just block the IP addresses of those they want — those that become popular amongst citizens seeking to circumvent the GFW.

But despite the issues with the technical mechanisms the article is dead on with its conclusions:

What the government cares about is making the quest for information just enough of a nuisance that people generally won’t bother. Most Chinese people, like most Americans, are interested mainly in their own country. All around them is more information about China and things Chinese than they could possibly take in… When this much is available inside the Great Firewall, why go to the expense and bother, or incur the possible risk, of trying to look outside?

All the technology employed by the Golden Shield, all the marvelous mirrors that help build the Great Firewall—these and other modern achievements matter mainly for an old-fashioned and pre-technological reason. By making the search for external information a nuisance, they drive Chinese people back to an environment in which familiar tools of social control come into play.

Ding! We have a winner.
