Posts tagged “Circumvention”
Psiphon, an Internet censorship evading software project developed by the University of Toronto’s Citizen Lab has been deemed “the world’s most original, significant and exemplary Net and Digital Initiative” by a panel of French and international government, media and business experts. Psiphon was chosen first among 100 technology projects from around the world that were nominated for the Netxplorateur of the Year Grand Prix award.
There has been a flurry of articles on Internet censorship in China recently. One very interesting AFP article suggests that China may relax its restrictions and allow access to some sites currently blocked by the GFW:
Plans to tear down the so-called Great Firewall of China were being debated and a decision was expected soon, said Wang Hui, head of media relations for the organising committee…
“I believe you will be able to (access banned sites such as the BBC) but I can’t give you a promise yet. The relevant government departments are still working on it,” she said.
That’s something to keep an eye on for sure.
An article in The Guardian discusses the rapid growth of Internet usage in China the related effects. The article discusses how the Internet, and blogs in particular, have created “competing public opinions.” This is an interesting way to frame the topic as censorship in China is often characterized as monolithic when in fact there is a significant amount of competition in the realm of ideas. Even within a confined informational space there is considerable movement — what I’ve called wiggle room in the past — if one looks for it.
However, the article repeats the charge that China is exporting their Internet censorship technology:
Campaigners suspect China is passing its censorship know-how to Cuba, Vietnam and several African countries.
Now, I don’t doubt that others are looking at the forms of control China is applying to the Internet and evaluating how they too can keep the benefits, particularly economic, that come with the Internet while minimizing its use for free expression but I’m not so sure that this means that China is actively exporting censorship technology. As it currently stands, ONI found no filtering in Zimbabwe despite reports to the contrary. While Vietnam does censor the Internet it does so in a very different way than China does. Cuba may conduct a limited amount of filtering, but it is also much different than that in China. RSF reported:
There is hardly any censorship of the Internet in Internet cafes. Tests carried out by Reporters Without Borders showed that most Cuban opposition websites and the sites of international human rights organisations can be accessed using the “international” network. In China, filtering for key-words makes it impossible to access webpages containing “subversive” words. But, by testing a series of banned terms in Internet cafes, Reporters Without Borders was able to established that no such filtering system has been installed in Cuba.
While not ruling out the possibility, I am skeptical of this claim based on my experience with testing filtering systems in these countries. (What’s more interesting is that Comcast’s filtering in the USA is more like the GFW than any of these countries.)
The New York Times published an article that looks at the resistance to Internet censorship in China. It picks up on the theme of backlash that I’ve suggested comes about when over blocking occurs. When common web sites and services are blocked, it helps turn normally apolitical people into activists. The NYT reports:
For a vast majority of Internet users, censorship still does not appear to be much of a factor. The most popular Web applications here are games and messaging services, and the most visited Internet sites focus on everyday subjects like entertainment news and sports. Many, in fact, seem only vaguely aware that China’s Internet universe is carefully pruned, and even among those who know, a majority hardly seems to care.
But growing numbers of others are becoming increasingly resentful of restrictions on a wide range of Web sites, including Flickr, YouTube, Wikipedia, MySpace (sometimes), Blogspot and many other sites that the public sees as sources of harmless diversion or information. The mounting resentment has inspired a wave of increasingly determined social resistance of a kind that is uncommon in China.
The Financial Times reports that Guo Quan, a Chinese scholar, is planning to sue Google because a search for his name in google.cn is censored. If some one gives me the proper Chinese translation for his name I can check this out further. (In English it returns results, using 郭泉 results are also returned along with Google’s standard censorship notification. The name itself is a censored term as a search for it with a non-existent domain will produce the censorship notification as well. Yahoo.cn and Baidu produce no results. They will produce results if something is appended to the search (yahoo.cn, baidu)
The Atlantic published an article on censorship in China (it seems to be gone now, here are links to Google’s cache: 1, 2, 3, 4) that takes on the challenge of explaining the technical measures used to censor the Internet. The article also discusses circumvention and the self-censorship component that is so integral. The article concludes with some salient points regarding the important role of domestic censorship as well as the widening space for dialog:
It would be wrong to portray China as a tightly buttoned mind-control state. It is too wide-open in too many ways for that. “Most people in China feel freer than any Chinese people have been in the country’s history, ever,” a Chinese software engineer who earned a doctorate in the United States told me. “There has never been a space for any kind of discussion before, and the government is clever about continuing to expand space for anything that doesn’t threaten its survival.” But it would also be wrong to ignore the cumulative effect of topics people are not allowed to discuss.
However, the are several issues with the technical analysis as well as underlying tones of “exceptionlism” that obscure some of the bigger picture issues.There seems to be confusion over surveillance and filtering. Its best to think of filtering a set of rules, if packets contain something that violates the rules certain actions are taken. If a destination IP address is on a block list, the connection is not made, if packets contain certain keywords reset packets are sent to the source and destination to terminate the connection. Surveillance implies that someone is watching the traffic, or more logically it is stored, parsed and then someone looks at it. When surveillance and filtering are (con)fused together you get something strange like this:
Thus Chinese authorities can easily do something that would be harder in most developed countries: physically monitor all traffic into or out of the country. They do so by installing at each of these few “international gateways” a device called a “tapper” or “network sniffer,” which can mirror every packet of data going in or out. This involves mirroring in both a figurative and a literal sense. “Mirroring” is the term for normal copying or backup operations, and in this case real though extremely small mirrors are employed. Information travels along fiber-optic cables as little pulses of light, and as these travel through the Chinese gateway routers, numerous tiny mirrors bounce reflections of them to a separate set of “Golden Shield” computers.Here the term’s creepiness is appropriate. As the other routers and servers (short for file servers, which are essentially very large-capacity computers) that make up the Internet do their best to get the packet where it’s supposed to go, China’s own surveillance computers are looking over the same information to see whether it should be stopped.
If one conducts passive surveillance with a tap, one cannot then go back and interfere with the packets. For filtering, such a setup is not needed. You just route the traffic though something that filters — basically all routers can filter. The filter looks at the packets and matches them to the rules. There are no “tiny mirror” or whatever. If you want to conduct passive surveillance you can use a tap and record the traffic for analysis. The two things are not really related. Moreover, internet surveillance is not something that only China does or that is easier for China to do — a quick look at the most sophisticated internet surveillance system in world can demonstrate that.
On to the mechanisms:
DNS tampering is explained well (although there may be some new variant). An important point is that most ISPs have their own DNS servers, managing a centralized system could be awkward (though not impossible), and users can use other uncensored DNS servers.
IP Blocking: This technique is incorrectly explained in the article.
While your signal is going out, and as the other system is sending a reply, the surveillance computers within China are looking over your request, which has been mirrored to them. They quickly check a list of forbidden IP sites. If you’re trying to reach one on that blacklist, the Chinese international-gateway servers will interrupt the transmission by sending an Internet “Reset” command both to your computer and to the one you’re trying to reach.
If packets are sent (trying to establich a tcp connection) for a particular IP and they pass through a router configured to block packets for that IP, the router will block those packets. Thats it. There is no connection ever made. If you sniff such a connection you will only see outgoing syn packets and nothing else. No reset packets are sent. There’s no “mirror” processing anything while you wait.
URL keyword block – This technique is actually the resest one described under IP blocking. If any part of the get request contains certain keywords — and domain names are often used as keywords — a reset packets will be sent to both the source and destination to terminate the connection. When is it triggered? This is confusing because the GFW’s keyword filtering is bi-directional but in my experience it is triggered on the way out of China. I say this because you can trigger it by requesting non-existent content. Depending on how long it takes to send the reset packet you may receive some of the content you requested which is what makes it appear that the filtering happens on the way in. After receiving reset packets the source and destination will not be able to connect to each other for a period of time.
Body Filtering – This is a bit of a tough one. Basically, if you create a web page with a keyword that normally triggers the reset packets if it appears in the url path, you can access it fine from China. I originally thought that this meant that body content was not filtered, but if you create a large page of such words the reset packets can be triggered. This may mean that a sampling of packet are checked, not all packets. In any case the behavior is the same as discussed above — the source and destination cannot connect to one another for a period of time. If you keep requesting the content you trigger more reset packets so t takes longer to be able to connect, but if you wait, and then trigger the reset packets again it won’t be longer the second or third time. There’s no escalating punishment.
Bi-directional keyword filtering
As Chinese-speaking people outside the country, perhaps academics or exiled dissidents, look for data on Chinese sites—say, public-health figures or news about a local protest—the GFW computers can monitor what they’re asking for and censor what they find.
Again, the keyword filtering is bi-directional, if you trigger it on connections to China the same behavior applies. Again, the issue of “monitoring” in this context implies that there’s something intelligent and deliberate about the filtering. If the packet matches the rules, it triggers the filtering mechanism, in this case reset packets.
Easy is a relative concept here. If a user chooses to break the law and acquires the necessary knowledge to by pass censorship then, yeah, it can be easy. You can buy vpn access — at least until lots of people start using and then it gets blocked – or use an encrypted proxy — at least until it gets blocked. They don’t need to block all VPNs, they can just block the IP addresses of those they want — those that become popular amongst citizens seeking to circumvent the GFW.
But despite the issues with the technical mechanisms the article is dead on with its conclusions:
What the government cares about is making the quest for information just enough of a nuisance that people generally won’t bother. Most Chinese people, like most Americans, are interested mainly in their own country. All around them is more information about China and things Chinese than they could possibly take in… When this much is available inside the Great Firewall, why go to the expense and bother, or incur the possible risk, of trying to look outside?
All the technology employed by the Golden Shield, all the marvelous mirrors that help build the Great Firewall—these and other modern achievements matter mainly for an old-fashioned and pre-technological reason. By making the search for external information a nuisance, they drive Chinese people back to an environment in which familiar tools of social control come into play.
Ding! We have a winner.
The journal Index on Censorship has published an article I wrote. In it I argue that there is a failure to recognise Internet censorship and surveillance as a growing global concern. There is a tendency instead to criticise the most infamous offenders-notably China and Iran-and to overlook repressive practices elsewhere. There is, however, a growing resistance to Internet censorship and surveillance, although it is often characterised as a struggle confined to dissidents in a few select authoritarian regimes.
Battles are being fought all over the globe, while the development and use of technologies that protect privacy and make it possible to circumvent censorship are rapidly increasing. The same tools helping dissidents to evade censorship in repressive countries are also being used by citizens in democratic countries-to protect themselves from unwarranted Internet surveillance. Focusing on the global character of both the practice of Internet censorship and surveillance, as well as the resistance to it, provides for both a better understanding of this important trend as well as for the possibility of creating global alliances to combat its spread.
The full article is available below.
This article in Foreign Policy is representative of accounts of the development and use of anti-Censorship/privacy enhancing technologies that only tell part of the story. While technologies such as Tor and psiphon are given great treatment, the frame used to contextualize their use gives the misleading impression that they are only used in “repressive” countries:
One software program called Psiphon, which was developed by researchers at the University of Toronto’s Citizen Lab, allows any person with a computer to serve as a proxy for someone living behind a firewall. Since it was launched a year ago, more than 100,000 people have turned their personal computers into proxies.
The most sophisticated proxy technology may be Tor, developed jointly by the U.S. Naval Research Laboratory and the Electronic Frontier Foundation, an Internet freedom advocacy organization. Tor is a downloadable software that routes an Internet surfing session through three proxy servers randomly chosen from a network of more than 1,000 servers run by volunteers worldwide. “Tor is state of the art,” says John Mitchell, an expert on Internet security at Stanford University. For citizens of repressive regimes, it may be the best hope or evading the cat’s paw.
This partial picture ignores the global use of these technologies. More and more countries are censoring the Internet — not just China and Iran.
Here’s an interesting anecdote. When psiphon was released the CBC, Canada’s national public broadcaster, covered it but the reporter working on the story had to phone me at the Citizen Lab because she could not access the psiphon website from CBC because it was blocked by their filtering software, aka censorware. This is not the first time I’ve heard this. Reporters at CBC need to use tools like psiphon to do their jobs!
The other missing piece is surveillance. The U.S., which has the most sophisticated electronic surveillance program in the world, has been caught illegally spying on citizens. Anti-Censorship/privacy enhancing technologies are used all over the world. Even the Privacy Commissioner of Canada recommends that Canadians use anonymous communications technologies. These are tools developed for and used by people all over the world. To pitch them as something that’s only used in repressive countries is misleading and inaccurate.
The Citizen Lab has released “Everyone’s Guide to Bypassing Internet Censorship (pdf)”. It was a team effort to produce the guide and I’m very pleased to have contributed to it. I’ve long argued that users can benefit from circumvention technology the most when the carefully select the technology that meets their specific needs.
The guide walks users through the process of assessing their needs and and capabilities and lists clusters of circumvention technology options for users to choose from.
Media coverage of Internet censorship is usually framed through one of two lenses: The “1984” approach overstates censorship capabilities claiming that legions of internet police monitor everything in “real time” and are just one kick away if you make the wrong click. The “technoptimist” approach understates censorship capabilities and claims that circumvention technology is proliferating and the internet is a democracy-battering-ram chipping away at the crumbling walls of oppressive regimes.
Recent coverage of the protests in Myanmar/Burma have generally been falling into the latter camp. Noting that, according to ONI, Myanmar/Burma has one of the most restrictive Internet filtering systems in place this article wonders why information about the protests is getting out. It claims that “the cyber-reality in Myanmar is actually much less restricted than ONI’s research indicated” because circumvention technologies are available to citizens.
Filtering technologies seek to keep citizens inside Myanmar/Burma from have access to sites hosted outside — it does not say much about keeping information from moving in the opposite direction. Why? Because sites are filtered when they are contextually important, become well known, and/or can reach a large audience. For information to flow from a few to these sites if far harder to control than the information from these few sites to the many.
Similarly, while there are censorship circumvention technologies readily available these are used by the few not the many for a variety of reasons including fear of being caught, lack of technical ability, or just now knowing (or caring) about them.
Internet censorship regimes, such as Myanmar/Burma’s, are effective not because they can filter out all the content they want but because their filtering systems are backed up by other forms of repression that force users into a condition of self-censorship where they will not seek out banned content (the filter is just a reminder) let alone seek to violate their countries laws and put themselves at risk by using circumvention technologies.
So the reality is actually somewhere in between. While the majority are kept in line by the filtering matrix, there is a still resistance. Determined Internet users can use a variety of methods to bypass censorship while others speak out publicly and risk repression. All of this slowly widens the scope of accepted speech within these confined spaces — not cataclysmic event.
Not fully understanding or improperly using applications that protect your privacy and allow you to bypass censorship can seriously affect your online security. A researcher recently revealed that he was able to gather sensitive data including the user names and passwords of government email accounts by snooping on the traffic of five Tor exit nodes he controlled. If you are not using end to end encryption the Tor exit node can see your traffic in plain text. as the researcher notes:
ToR isn’t the problem, just use it for what it’s made for.
This reminds me of the “trick” a lot of people use in which they set up an email account but don’t actually send email but rather just store email in the drafts folder thinking that this protects them from government surveillance. Unless the full session is encrypted, and many using this technique are using web mail account which only encrypt the login not the rest of the traffic, it can still be snooped even though you are not “sending” the email.
FT has recently run a series of articles on internet censorship. Each touches on an interesting theme.
TOR can be used for both anonymity and censorship circumvention, but while “anonymous” proxies can be used for censorship circumvention they not really anonymous. A “proxy” may sheild your identity from the website you are visiting but it does not hide you or anything you are doing from the owner of the proxy. And if the proxy is not encrypted — most of the “open” proxies are not — then anyone monitoring Internet traffic can also see everything you do through the proxy. TOR, on the other hand, encrypts your traffic and hides what you are doing from the TOR network itself, it is hardly comparable to “open” proxies. I have not looked closely at GPass, but it appears to be an encrypted Socks proxy, and if so, is not anonymous — all traffic through it can be viewed by the owners of GPass. (And you don’t have to use Swedish Google, Google just redirects you to the localized version, you can always click the google.com link and use google.com).
It is not only “repressive” governments that are increasing their level of filtering and employing new techniques (new techniques for the country, not for filtering in general), countries such as India and Thailand are filtering as well. There is a tendency to analyze all regulations and restriction in particular countries, such as China and Iran, out of context. For example, there is a tendency to think of China’s Internte cafe’s as places teeming with cyberdissdents and therefore when China closed many and instituted restrictions after a deadly fire in an unlicensed cafe many interpretted it as a crackdown on free expression. I think that the Iranian bandwidth limitation story may prove to go this way as well — it’s more likely to do with porn than with politics. But, hey, I could be wrong.
Human rights groups and NGO’s worldwide have long protested that they are often the victims of state surveillance, computer breakins and denial of service attacks. ONI has documented an attack on Kyrgyz opposition newspaper websites during that countries elections in 2005 and there have been reports of such Denial of Service attacks during elections in Belarus as well. What is new is not the technique but the correlation between the target — important opposition website — and the time period — during an election. Denial of Service disrupts access to a website for everyone — as opposed to filtering which would only block it from the affected location. It also provides deniability on the part of the government. In the Kyrgyz case, the attacks appear to have been conducted by a “botnet for hire” leaving the conection to the government circumstantial. This is a trend we will probably see more of especially in countries that don’t have a national filtering system (or officially filter very little content).
A good article about the forthcoming ONI study, however, some instances listed as “new censorship techniques” are not really new at all. They may be new to certain countries, but they are standard filtering techniques. And there is not yet evidence that Zimbabwe is censoring the Internet, let alone using the same techniques as China. I have heard reports about this, but even if they are true, it has not been implemented.
Amnesty International is currently working with the OpenNet Initiative (ONI) to help raise awareness of internet censorship around the world. Amnesty International is launching a campaign to show that online or offline the human voice and human rights are impossible to repress.
The aim of the ONI is to document empirically patterns of Internet content filtering and surveillance worldwide behind national firewalls over an extended period of time. Its reports have documented the scope, scale and sophistication of numerous filtering regimes worldwide, and have helped verify the use of commercial filtering technologies that are used to underpin these regimes. The ONI’s flash map of global filtering shows the results of these investigations.
Google.cn is a Chinese language search service targeted towards users in the People’s Republic of China. It was launched on January 25 2006 and it filters search requests to content deemed to be “sensitive” by the government of China. (You can compare search results between the uncensored Chinese language Google.com and the censored Google.cn using the OpenNet Initiative’s Search Comparison tool.)
The filtering takes place in at least three ways:
- de-listed domains: specific websites are removed entirely from search results; it is as if the website never existed.
- de-listed urls: specific urls are removed from search results if they contain a de-listed domain.
- restricted keywords: specific keywords are restricted to searches of web pages hosted in China only.
The New York Times reports that the Chinese government did not give Google a list of sites to block. Rather, Google set-up a computer in China and tested to see what content was accessible and content found to be inaccessible was deemed to be sensitive and added to Google’s blocklist.
For example, the website for Human Rights Watch (hrw.org), which is blocked in China, has also been de-listed from Google.cn. A normal web request to hrw.org from within China triggers an error and the content of the site never loads in a users browser. A search in Google using the modifier “site:” for content on hrw.org (site:hrw.org) on Google.cn yields no results. In China, it is as if hrw.org does not exist.
Is there a way to circumvent Google’s censorship in China?
Google has an advertisement program, Google Adsense/Adwords, that allows one to purchase certain keywords that will display an ad on Google when users search for those words. I created an account with Google Ads and selected that my ad be shown in Chinese to users in China. I noticed that a warning appeared indicating that there may be restrictions on advertising in China.
Google describes some specific categories of content that require licensing (local pdf). This list does not include content that may be sensitive for political reasons.
Due to advertising regulations and laws of the People’s Republic of China, Google AdWords requires advertisers to submit business licenses and approval certificates for the following product categories: Agricultural Chemicals Books/Periodicals Cosmetics Food/Foodstuffs Health Supplements Medical Appliances Medical Services Patents Real Estate Veterinary Medicine
I created my ad (which does not appear to fall under these categories) for hrw.org, which is censored by google.cn, and it was held in a queue waiting to be viewed and labeled “Family Safe”. Only “Family Safe” ads are allowed to be shown by Google in China. Eventually my ad was approved as “Family Safe” and was labeled as currently being shown.
However, my ad was initially not shown on Google.cn.
Google indicates that there is an ad for the search terms I selected, but it is not shown. I emailed Google for an explanation of why my ad was not being shown and was informed that there may be a technical error.
My ad was being shown on the uncensored Chinese language Google, but not the censored Google.cn. Google checks what ads to deliver by location (determined by IP address) and the language setting of your browser. Despite both of these showing that my language was Chinese and my location was in China the ad did not properly appear.
Eventually, my ad began to be shown on Google.cn. While my ad does not appear every time the keywords are searched, it does periodically appear. (See possible explanation below).
Although there are no search results available for hrw.org, my ad for a censored website did appear on some occasions. (See below for a possible explanation.)
This is a neat way to circumvent Google’s censorship. It may be possible to extend this even further. Mirror sites and alternative URLs for censored web sites can be displayed through the use of Google Ads.
Testimony of Nart Villeneuve at the Congressional Human Rights Caucus Members’ Briefing: Human Rights and the Internet – The People’s Republic of China Wednesday, February 1, 2006.
Mr. Chairman and Members of the Caucus:
On behalf of the Citizen Lab, I would like to thank the Congressional Human Rights Caucus for inviting me to speak on the issue of Human Rights and the Internet. As Director of Technical Research for the Citizen Lab I have worked extensively over recent years on the OpenNet Initiative, a collaboration between the Munk Centre for International Studies at the University of Toronto, the Berkman Center for Internet & Society at Harvard Law School, and the Cambridge Security Programme at Cambridge University focused on the study of Internet filtering and surveillance worldwide.
At the Internet & Democracy 2005 conference in London we had a session on “Detecting and Evading Filtering”. The goal was to explain some techniques used to better determine filtering and give an overview of the ONI methodology.
In the second half of the presentation we focused on censorship circumvention. I like to talk about circumvention from two perspectives: push & pull. The “push” strategy if from the perspective of content producers and I hoped to use the discussion to start developing a sort of “best practices” document for content producers who expect their content to be blocked.
The final part of the presentation focused on pull strategies, basically proxies/anonymizers etc… — technology that enables users to select filtered content to view. Most of the strategies from this perspective are detailed in “Choosing Circumvention“. We also demo’d psiphon :)
The slides from the presentation are available here: