[Joint House and Senate Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
CHINA'S CYBER-WALL: CAN TECHNOLOGY BREAK THROUGH?
=======================================================================
ROUNDTABLE
before the
CONGRESSIONAL-EXECUTIVE COMMISSION ON CHINA
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
NOVEMBER 4, 2002
__________
Printed for the use of the Congressional-Executive Commission on China
Available via the World Wide Web: http://www.cecc.gov
U.S. GOVERNMENT PRINTING OFFICE
83-512 WASHINGTON : 2003
CONGRESSIONAL-EXECUTIVE COMMISSION ON CHINA
LEGISLATIVE BRANCH COMMISSIONERS
Senate
MAX BAUCUS, Montana, Chairman
CARL LEVIN, Michigan
DIANNE FEINSTEIN, California
BYRON DORGAN, North Dakota
EVAN BAYH, Indiana
CHUCK HAGEL, Nebraska
BOB SMITH, New Hampshire
SAM BROWNBACK, Kansas
TIM HUTCHINSON, Arkansas
House
DOUG BEREUTER, Nebraska, Co-Chairman
JIM LEACH, Iowa
DAVID DREIER, California
FRANK WOLF, Virginia
JOE PITTS, Pennsylvania
SANDER LEVIN, Michigan
MARCY KAPTUR, Ohio
SHERROD BROWN, Ohio
JIM DAVIS, Florida
EXECUTIVE BRANCH COMMISSIONERS
PAULA DOBRIANSKY, Department of State
GRANT ALDONAS, Department of Commerce
D. CAMERON FINDLAY, Department of Labor
LORNE CRANER, Department of State
JAMES KELLY, Department of State
Ira Wolf, Staff Director
John Foarde, Deputy Staff Director
C O N T E N T S
----------
STATEMENTS
Rubin, Aviel, co-founder, Publius Web Publishing System, West Caldwell, NJ
Xia, Bill, president, Dynamic Internet Technology, Inc., Cary, NC
Lin, Hai, computer scientist, Shanghai, China
Baranowski, Paul, chief architect, Peekabooty Project, Toronto, ON, Canada
APPENDIX
Prepared Statements
Rubin, Aviel
Xia, Bill
Baranowski, Paul
CHINA'S CYBER-WALL: CAN TECHNOLOGY BREAK THROUGH?
----------
MONDAY, NOVEMBER 4, 2002
Congressional-Executive Commission on China,
Washington, DC.
The roundtable was convened, pursuant to notice, at 2:30
p.m. in room SD-215, Dirksen Senate Office Building, Ira Wolf
(staff director) presiding.
Also present: William Farris, senior specialist on Internet
issues and commercial rule of law; Keith Hand, senior counsel;
Holly Vineyard, U.S. Department of Commerce; and Dr. Jay
Sailey, interpreter, Silver Spring, MD.
Mr. Wolf. I would like to welcome everyone here to today's
roundtable on China's Cyber-Wall: Can Technology Break Through?
This is actually our second roundtable this year dealing
with Internet issues in China. The first dealt more with policy
issues, and today we are going to get more into the technology
side.
Next to me is William Farris, who is on the Commission
staff and is in charge of Internet issues. Holly Vineyard works
at the U.S. Department of Commerce for our Commissioner, Under
Secretary of Commerce Grant Aldonas, and Keith Hand is one of
our senior legal counsels on the Commission staff.
I am Ira Wolf, staff director of the Commission. John
Foarde, who is the deputy staff director and normally would be
here, is in China.
We have four panelists. Avi Rubin is co-founder of Publius;
Bill Xia, president of Dynamic Internet Technology; Lin Hai, a
computer scientist from Shanghai; and Paul Baranowski, chief
architect for the Peekabooty project.
We also have Jay Sailey, who will be helping with
interpretation. Jay, it is good to always have you back again.
Thanks.
Avi, why do we not start with you?
STATEMENT OF AVIEL RUBIN, CO-FOUNDER, PUBLIUS WEB PUBLISHING
SYSTEM, WEST CALDWELL, NJ
Mr. Rubin. Let me give a little more of an introduction of
myself. I want to give you an idea of the kinds of questions I
am hoping to get and the kinds that I will defer to my other
panelists.
I am a researcher at AT&T Labs, a computer science
background. I am here explicitly not as a representative of
AT&T, but as a computer scientist.
In January, I will be starting to work in a faculty
position as an associate professor at Johns Hopkins, and the
technical director of their Information Security Institute.
The reason that I am here is that some of my research in
the past that focuses on computer security and networking has
been on systems that resist censorship. One of them called
``Crowds'' was designed for browsing the Web anonymously so
that end users and other users of the system cannot tell who is
accessing what.
The other system, called ``Publius,'' which has won a
censorship resistance award and is a little better known, was
designed to publish information on a large network like the
Internet in such a way that it is very difficult for anyone to
forcibly remove the content.
I am not an expert on China and I would rather answer
general questions, such as, ``Is this possible? Is that
possible? Why or why not?''
So let me talk a little bit about censorship. I think it is
important to make a distinction between censorship within a
network or within an organization or a country and censorship
between users who are on the inside trying to access something
that is on the outside where an adversary controls the
interface between the inside and the outside, which is the kind
of model that we are looking at here.
The censor can prevent access to content on the outside
through several means. One of them is simply by routing,
looking at the Internet Protocol [IP] addresses of the
destination of a request, and if it is on the outside, perhaps
blocking that or filtering it some other way, or making a
decision about how to treat that traffic differently.
Another way would be through use of the domain name system.
For those of you that do not know, the domain name system is
the service that translates names like www.google.com into an
IP address that networks need in order to get the packets where
they need to go.
So one thing that a censor could do, and I believe in a lot
of cases this happens not only for censorship but for other
purposes, is if the organization controls the domain name
service [DNS]--and a powerful government can control the domain
name service, or at least control those that control it--you
can return false information, so when someone asks for
google.com you can return an IP address. This will all be
transparent to the users.
That is an IP address to a computer under your own control,
which could then simulate Google, giving the user the
experience that they think they are at Google, but they are
actually at some other, mirroring network. This would be a
censorship technique that could be employed, or could simply
drop the traffic or do whatever they want with it.
Finally, you could do something called application level
filtering. Instead of doing the censorship at the routing level
or the domain name service level, what you could do is allow
all traffic through. But, if it is destined for port 80, which
is the World Wide Web port, then you could treat it
differently.
You could make filtering decisions and you could run it
through software that looks for particular destinations,
compare it to a blacklist and say, well, we are not going to
allow that, or worse, we are going to substitute something for
that in the reply, spoofing the reply.
So, this has had to do with blocking the access of an
individual within an organization to sites that are outside the
organization.
Another type of censorship is prohibiting the posting of
content. I am an individual and I have something that I wish to
have people access. Maybe I have some agenda that I want to
publicize, or I want to be critical of the government, or
whatever. A censor may wish to block the ability of somebody to
post the content.
One way to do that would be to monitor sites carefully
using search engines or hot lists, and see if content that is
objectionable is there, and then to go make the people remove
it if the content is on the inside.
Another, is through informants or spies who could
infiltrate organizations that may wish to publish something
that they would find offensive, and then finding out that it is
there and doing the same thing.
Again, if you control the connectivity, you can prevent
someone inside your organization, your country, or China from
being able to publish something that is in a site that is
outside by simply blocking the connectivity or making the
decision not to allow that.
So what I have discussed up to this point is a one-to-many
censorship. Somebody publishes something on the Web, say, and
you either block their ability to publish that or you block
people's ability to retrieve that information.
Another type of censorship would be one-to-one
communication. Someone may want to monitor e-mail messages that
are going from one individual to another, and there are various
ways of doing that.
The FBI has a system called ``Carnivore'' that can be
deployed at an Internet service provider [ISP]. What it does is
it searches e-mails coming in and out for certain key words,
looking perhaps for terrorist activity.
The Chinese Government could deploy similar things at ISPs.
In fact, they probably have more control over what the ISPs are
doing, and look for whatever it is that they are interested in
blocking. Then they can take whatever actions they want. They
could block those e-mail messages. They could try to trace the
owners of the accounts who sent or received those.
Another thing that could happen to e-mail is, again, an
application-level way of censoring. At the network level, what
we call the IP layer, you could sniff. Network sniffers are
programs that will look at packets coming in and out and make
the same kind of decisions that were made at the application
level about the e-mail by just looking at raw IP packets.
It is a bit harder to do, but there are tools out there to
do it. You take a bit of a performance hit when you do it that
way, but the advantage for the censoring party in doing it that
way is that it is completely passive. The ISP does not need to
know that this kind of sniffing is taking place. Nobody can
detect that it is happening.
Another way to censor the one-to-one communication is to
forbid encryption. If encryption is not allowed, then something
like Carnivore or network sniffing is very effective.
What sort of enforcement could take place if censorship
were to detect that somebody had offensive content posted
somewhere? When something is published, it resides in a
physical place. It is on a computer. If that computer is under
the domain of the censor, the censor can apply pressure to the
administrator, or sanctions to the administrator of that
computer and say, ``take that content down.''
Finally, a way of censoring content might be to mandate a
custom client. Instead of a Netscape or Internet Explorer
browser, a government could say, ``We require you to use this
program to browse the net,'' and that program could be some
sort of scaled-down version that can only access certain
approved sites.
So up until now I have talked to you about ways of
censoring. Let me speak, for my remaining time, about types of
circumvention that you might have.
One, is called steganography. The idea behind steganography
is to hide content in other content. Briefly, imagine a
photograph of your cat encoded as a JPEG image on a computer.
There are tools out there for you to take a letter, an
ASCII text letter, and encode the content of that letter in the
picture of the cat, which still will look like a cat. And the
only people that could extract that information, the letter
from this picture, would be someone who knew the key, say, that
you had shared with them.
In fact, there are techniques where two photographs are
indistinguishable relative to whether or not they contain
content to anyone except the holder of the key. So, this might
be a valuable technique to use if encryption is outlawed and
you are worried about sanctions.
On the other hand, if someone does discover the key through
force or through some other means, then you could be in a lot
of trouble, because once they extract the letter that could not
have been coincidental.
Another way is to disperse content widely. If you want to
publish something and you have an automated way of publishing
it in a thousand places, it becomes a lot harder for a censor
to remove it, especially if these are under different
administrative domains and countries.
The Publius system that I designed and built uses the last
two techniques in tandem, along with several others. I am happy
to cover it more during questions and answers.
Two other mechanisms for circumventing the censorship to
post something are covert channels. A quick example of a covert
channel might be, let us say that I was to communicate a
message to you. So what I do is send you an e-mail message
every second, or I do not send you an e-mail message every
second, and whether or not I send you a message encodes a zero
or a one.
That is just a very lightweight example of how I could
communicate information to you where I am actually using a
covert channel. The fact that I sent something or did not send
it is the information, and whatever it is that I sent could be
just innocuous.
Finally, there is a technique called a homomorphic
encryption. That is a mechanism whereby you can encrypt
something so that it can be decrypted two different ways. So I
send you an encrypted document.
Of course, only a regime that allows encryption would
support something like this. You can decrypt it and it is a
picture of your cat, and you can decrypt it and it is a call to
arms. It depends on how you decrypt. So, that might be useful.
For retrieval. I am running out of time, so I will just
enumerate the things you could use. Special proxies, the Crowd
system, which I can talk more about in the questions and
answers, or an anonymous location, a library, a cafe, something
like that if the country supports these kinds of things.
Finally, let me just say that I believe there is an arms
race between censorship and censorship circumvention, because
if you tell me what you are using to censor I can tell you what
to do to get around it. But, once I do that, then I could come
back and tell you what you could do to get around that. I think
we are in the midst of this arms race.
I believe that any technology to circumvent censorship,
having had the experience of developing such a thing, is going
to lead to a double-edged sword where you could be accused of
providing mechanisms whereby bad people can also do things.
[The prepared statement of Mr. Rubin appears in the
appendix.]
Mr. Wolf. Thank you very much.
Bill Xia.
STATEMENT OF BILL XIA, PRESIDENT, DYNAMIC INTERNET TECHNOLOGY,
INC., CARY, NC
Mr. Xia. Good afternoon, ladies and gentlemen. I would like
to thank William Farris for inviting me to come here today.
My name is Bill Xia. I am the president of Dynamic Internet
Technology [DIT]. DIT conducts research regarding Internet
censorship and provides service for anti-censorship
technologies.
Today I would like to share with you the experience of
DynaWeb and ponder upon the role of technology in breaking
through China's cyber-wall.
DynaWeb was launched on March 12, 2002 as a proxy network
that allows users to circumvent Internet censorship in China
and to have secure and full access to the Internet.
Users can use DynaWeb as an information Web or to go to
other Web sites. Since the inception of DynaWeb, we have
managed to stay ahead of the censorship by China most of the
time. About 20,000 unique users gain regular, unblocked access
to the Internet through us.
DynaWeb has already played several rounds of the censorship
and anti-censorship game in the past 8 months. Before I start,
I would like to explain a few critical technical terms for
understanding the DynaWeb experience.
There are two ways to access a Web site through an Internet
browser. One, is through typing the domain name, for example,
google.com. The other way is through typing the IP address of
the domain name. The IP address is the essential element from
which the browser can fetch the Web site information for the
user.
However, a domain name is more user friendly. After a user
types in a domain name, the Web browser will browse domain
names to IP addresses and fetch the right information for the
user. So this is essentially what Mr. Rubin explained about the
DN system.
The game started with an e-mail subscription service. At
the beginning, DynaWeb e-mailed unblocked IP address updates to
subscribers. After 2 weeks, the censor probably subscribed to
our e-mail service as well because the very time window of
DynaWeb IP addresses was reduced to a range of a couple hours
to a few days after release.
Then our services expanded to the domain name with Dynamic
IP addresses. However, censors started chasing the DynaWeb
domain by automatically detecting the IP addresses that pointed
to the domain name. This dramatically increased the need for
back-up IP addresses, hence, increased costs of DynaWeb
maintenance.
Then DynaWeb adopted a new strategy so that censors had to
manually verify the IP address before blocking it. Then
automatic IP blockage stopped.
Soon, in August, users started to have difficulty in
accessing DynaWeb through https, even though the IP was not
blocked. It was found out later on that the certificate DynaWeb
used for secured access from the Internet browser was filtered.
This can be achieved by package-level analysis of Internet
traffic to find out the signature related to the certificate
DynaWeb used.
In response to this, DynaWeb started to change its
certificates daily. No reports of certificate blocking have
been found since then. Again, censors were frustrated with the
resources required for daily updates of all related content
filtering engines, and quit.
At the end of September, DynaWeb domain names were hijacked
to a fixed IP 64.33.88.161 in China, along with many other Web
sites like www.voa.gov. DIT has published a detailed report
about this hijacking and it can be independently verified from
the United States. More study about this hijacking is still
ongoing and will be released after we pass this stage.
So what is next with the cyber-wall? As a first look, it is
a technical question. If technology can break through China's
cyber-wall, in fact, the process is a race of technology and
time. As DynaWeb's experience has demonstrated, both parties
can always implement new technologies to stay ahead and sustain
the advantage.
If the Internet breakthrough is defined as a pure technical
issue, the future is brighter for censors because China
purchases the most advanced censorship technologies from
Western companies.
China is also developing the ``Golden Shield'' project, a
``database-driven remote surveillance system.'' When the whole
Beijing city is wired with a biometric sensor and camera
network, no Internet-based anti-censorship can get around the
surveillance system.
Even now, during the 8 months of the technical race with
DynaWeb, China has developed the largest and most sophisticated
IP blocking and content filtering system in the world.
The more anti-censorship techniques are developed, the more
comprehensive censorship technology has become. This leaves
less and less technical room for anti-censorship. So, it is
critical to take full use of technologies to benefit as many
people as possible before the door is closed.
Second, it is a matter of available resources. China has
30,000 Internet police that specialize in Internet censorship,
and ISPs are forced to perform self-censorship. The self-
censorship is even adopted by foreign ISPs such as Yahoo.
China has purchased top technology from Western companies.
These technologies have been modified for China's particular
censorship needs. Nortel, Sun Microsystems, Cisco, and many
smaller companies contributed to building China's cyber-wall.
Compared to China's investment in censorship and the cyber-
wall, investment in breaking through this cyber-wall is next to
nothing. There are very few groups developing technologies
suitable for this wall. With more resources, DynaWeb can
provide services to more people, develop better client
software, and have closer monitoring of censors' new
technologies, and respond faster.
Third, people develop technology and technology serves
people. The people factor is the most important factor,
eventually. Recent increase of public awareness about China's
Internet censorship both inside and outside of China is a great
sign. We hope that this will help improve the current situation
soon.
Currently, companies contributing to China's cyber-wall
bear little public pressure, not to mention any legislative
limitation.
Inside China, more and more harassment and arrests of
dissidents and journalists are related to the Internet. Last
year, there were more than 10 arrests in China for distributing
forbidden information. This will create fear among the public.
For the general public in China, they are now gradually
realizing the existence of censorship consciously.
More importantly, the government has adopted subtle mind
control and propaganda to decrease the Chinese's interest in
uncensored information. All major events outside of China are
reported, with seemingly a variety of views, although all the
different views are in fact the government's view. There is a
fully developed online community inside China serviced by self-
censoring ISPs. This strategy is an extension of China's cyber-
wall, a wall in people's minds.
The Internet, combined with TV, newspapers, and other
information channels, now offers the Chinese people different
types of information and different views on certain issues. It
looks like full freedom of speech has been achieved.
However, the government produces all the different views
and types of information. The censors tried to use these to
reduce people's interest in uncensored information.
In summary, technology alone will not decide the future of
China's cyber-wall, but people do. If all Chinese people would
like to obtain uncensored information, the cyber-wall will be
broken from the inside.
Thank you.
[The prepared statement of Mr. Xia appears in the
appendix.]
Mr. Wolf. Thank you very much.
Lin Hai.
STATEMENT OF LIN HAI, COMPUTER SCIENTIST, SHANGHAI, CHINA
Mr. Lin. Ladies and gentlemen, good afternoon. My name is
Lin Hai. I was born in Shanghai, China and graduated from
Beijing's University of Aeronautics. I majored in computer
science.
After graduation, I worked as a software engineer, as well
as sales marketing in some technology companies in Beijing for
more than 5 years.
At the end of 1995, I went back to my home town, Shanghai,
and created a small Internet company with my partners. Our
major business was to help other people to set up Web sites.
Our major clients are joint ventures and foreign companies who
are in business in Shanghai.
As one of the first Internet users in China at that time, I
was involved with the Internet Society, as well as technology
because I, myself, was an Internet engineer.
As was my interest, I did some technology research. For
example, at that time I collected a lot of information on
Chinese Internet users to see who was using the Internet, just
for my own interest.
Also, I was very excited about this new technology and
expected some possible changes to the society by the new
technology.
I received a letter from a U.S.-based student's
organization. The organization publishes newsletters that
promote democracy, freedom of information, and independent
opinions, as well as news into Mainland China. I was so excited
because it was the first time that people could have a media
that is not censored by the central government.
So, I did something to help the organization, especially to
help them in collecting information on Chinese Internet users
so they could promote their newsletters to more receivers.
For that activity, I was arrested by the Chinese
Government. The date was March 25, 1998. As reported, I was the
first victim of China's censorship of the Internet. So, I thank
this Commission for letting me have a chance to speak here to
all of you nice people.
After I was arrested, my case was reported online. Finally,
the government closed the trial and sentenced me to 2 years for
some political crime. Thanks to the media reporters and many
other supporters from outside organizations, especially human
rights organizations, the Government of China released me
early, with only 6 months to go. So, actually, I stayed in jail
for a total of 18 months.
After I was released, I stayed at home and tried to find
some chance to re-start my business or career. I failed to do
that because China is still a Communist country.
So, for reasons you can probably understand, I found that I
had to leave the country to seek my opportunities. So, I came
to the United States. Right now, I am working in a small
Internet company in New York City doing similar jobs as I did
before as an Internet engineer. That is all of my story.
Right now, we are doing a project named ``Secure Email
Proxy,'' an Internet proxy project. The background is that
people in China try to get free information. The Web sites on
democracy are all blocked by the Chinese Government.
E-mail seems to be an option for receiving information. E-
mail is a traditional application on the Internet, and they are
still using it daily. It is proven to be easy to use and cost
effective.
People in China can receive information from those
independent sources by subscribing to e-mail newsletters and
some other organizations who send e-mails.
It has worked in the past few years. Some months ago,
something happened. As before, the Chinese Government has
filters at almost all major IPs in China. Those filters check
every e-mail that comes in to China, to check if there are any
key words encoded in the e-mail. If they find more than, for
example, 10 key words in an e-mail, they will block this e-mail
and the people will not receive it. Furthermore, it may be
dangerous to the receivers.
So, clever Chinese people found that they can use free e-
mail boxes such as Hotmail and Yahoo Mail, which are based in
the United States. It is out of the control of the Chinese
Government. They can subscribe to those sources with their free
e-mail account.
It worked for years. But several months ago, the Chinese
Government developed new technology that not only filtered the
e-mails themselves, but also filtered the normal Web pages. If
people in China accessed an e-mail box, say, Hotmail, it really
works like a normal Web page on the Hotmail Web server.
The Chinese filters--they installed filters on the gateway,
I think--if people access a Web page that contains key words,
the whole Web page will be fed back as a blank page. The people
in China can access their e-mail box, but they cannot read the
e-mail content if this e-mail is so-called ``sensitive.'' So,
the people are waiting for some new technology to stop this
kind of trouble.
Our project, called ``Secure Email Proxy,'' is aimed for
this purpose. Our mission is to provide a midway platform
between the Chinese users within the firewall and the outside
world.
The traditional way of encrypting information is to use
software such as the popular PGP software. But the PGP software
requires that both senders and receivers use the same software,
so it limits the usage of such kind of software. Most e-mail
senders in the United States do not use it because they do not
need it. So, that could be a problem.
With our platform, we will forward all e-mail to Chinese e-
mail users who are interested in our system. Our function is to
encrypt normal e-mail, then to send it back to Chinese users.
It will help Chinese Internet users to have secure e-mail
communication with outside people who do not use encryption
software such as PGP.
This will be very helpful. For example, in China, people
subscribe to a mailing list from Voice of America, or Radio
Free Asia. They can hardly receive the information, actually.
We think, with our help, they can subscribe to the mailing
list and the information can come to us at the e-mail proxy
server, and we will encrypt it and send it back to the real
receiver. So, this will help them to skip the firewalls of the
Internet gateway. That is the solution, and we are doing it.
That is all, thank you very much.
Mr. Wolf. Thank you very much.
Paul Baranowski.
STATEMENT OF PAUL BARANOWSKI, CHIEF ARCHITECT, PEEKABOOTY
PROJECT, TORONTO, ON, CANADA
Mr. Baranowski. Good afternoon. I am the project leader for
Peekabooty, a piece of software that is designed to get around
state-sponsored Internet censorship at the national level.
Peekabooty accomplishes this using peer-to-peer [PTP]
technology. ``Peer-to-peer'' basically means that there is no
central authority governing some part of the network system.
The idea is that anyone using the peer-to-peer system also
helps out other people in the system at the same time. Napster,
Gnutella, and others are all examples of peer-to-peer networks.
Peekabooty uses other nodes in the network to relay data
around the firewall. It is kind of like a distributed proxy
service.
China has been working on its firewall since at least 1997,
and we have seen its power growing over the years. Just about
every other month we are seeing a new technology being deployed
that makes it even more powerful.
The Chinese authorities started blocking Web pages based on
their Internet protocol addresses, which we have already talked
about. People got around this initially by using open proxies,
which are basically other computers that relay your requests
for a Web page indirectly back to you.
In early 2001, the Chinese Communist Party countered the
use of open proxies by scanning the Internet for them and
adding these proxies to the ban list. Another thing that some
Web sites did--apparently DynaWeb did as well--is that they
changed their IP address every few days in order to try to
prevent blocking of their Web site. But this is fairly
ineffective.
Safe Web and Voice of America set up a system that would
send the IP addresses of available proxies to whoever requested
them. Again, DynaWeb also tried this technique. However, it was
not long before the Chinese authorities started requesting the
proxy addresses and blocking them as well.
There are two strategies that have not been effectively
countered yet: bulk e-mail lists and freenet. Bulk e-mail still
works because the origination of the e-mail is different every
time. E-mail does, of course, have the drawback of being
one-way communication, but at least that is something.
Freenet is a peer-to-peer system that allows two-way
communication. It still works because the only way to discover
a new node in the Freenet system is through ``out-of-band''
means. This means you have to call up a friend, or your friend
has to e-mail you an IP address of another domain network. You
join the network and then you can get access to censored
information.
One of the main goals of Peekabooty is to eliminate this
limitation, to create a method of discovery that automatically
allows you to discover new nodes in the network without
allowing you to discover all the nodes in the network, so that
the Chinese authorities could not join the network and block
everything.
Some of the more recent developments of the Chinese
firewall include selectively blocking out content within a Web
site instead of blocking the entire site, denying Internet
access for a certain amount of time to anyone searching for a
banned key word. So, for example, if you search for Falun Gong
on Google, your Internet access would be denied.
Suppressing dissident comments and chat rooms.--If you do
type in some sort of dissident comments, a warning e-mail is
sent to you telling you not to do that again.
Finally, they are starting to log Google key word searches.
So if you type in ``Falun Gong,'' they are going to remember
who requested that.
We can do something about all of this if we act now. The
Chinese Government is already on its third generation of
firewall technology, and we have not even started version one
of a counter-strategy yet. If we do not do something soon, they
may be able to close off the country completely and obtain
absolute control of their net before we can do anything about
it.
A fair guess is that, by the Olympics in 2008, it will be
much too late to act. Our window of opportunity is now, at this
moment. The U.S. Government is the only organization that has
the power to mount an effective counter against this type of
censorship.
Independent efforts, such as mine, by volunteer groups will
be ad hoc and there will be no coordination between the
releases of the various projects. A well-funded, centralized
program could plan application releases so they occur at
regular intervals in order to keep the Chinese authorities
constantly scrambling to keep up.
In other words, the U.S. agency in charge could coordinate
and plan a global strategy that would be much more effective
than the current ad hoc state of affairs. Centralizing this
type of activity also allows for the possibility of
inter-operation between the projects and allowing more advanced
features in these projects, eliminating redundancy.
There are few, if any, commercial possibilities for this
type of software, which is why the government is the only
organization with the power to fund this type of activity on
the scale that is required.
The amount of money proposed in the Global Internet Freedom
Act could fund dozens of projects. There are so many aspects to
this problem and so many ways to solve it, that this is the
kind of depth we need.
Research is just beginning on this subject and we have a
long way to go. This panel here represents a sample of what is
out there. There are perhaps a dozen grassroots efforts
attempting to do something about this on a shoestring budget.
They all rely on volunteers.
However, this many projects is not as many as we need.
Right now, development on all of them is extremely slow, due to
the fact that there is little funding and they all rely on
volunteers.
The first thing that is dealing with funding, is
development speed. The second thing, is usability. The third
thing, is translation into various languages. Finally, every
project that is funded should have a budget for marketing so
that each project can be promoted appropriately.
If the government does fund projects such as these, it
should be done through credible organizations that are
committed to developing open-source solutions. Open-source
software is crucial due to the fear of software back doors that
would allow remote monitoring of or tampering with a user's
computer.
Open-source software relieves these fears because the code
can be vetted by outside experts. One of the most important
things with many of the current projects, is that they use
peer-to-peer technology. This means, in terms of costs, there
is little cash that is needed to keep them running.
Funds are mainly needed for the maintenance of the code and
the addition of new features. Each project could be initially
funded by only a few hundred thousand dollars a year, and even
less for maintenance once they have been deployed.
The current crop of anti-censorship projects that show
promise and should be considered for funding include the
following: Peekabooty, the Freenet/Freenet-China project, the
Invisible IRC project, which allows anonymous chat, CryptoMail,
which is a Web-based e-mail system similar to Yahoo which
provides encryption of e-mail, and finally, plug-ins to e-mail
clients such as PGP and GPG to make encryption of e-mail
easier.
It should be noted that the National Science Foundation
[NSF] has started funding anti-censorship research at the
academic level. What we need, though, is a system to transfer
the research into real-world applications.
One of the areas of research that has not yet been
exploited is in the field of wireless networking. This type of
technology could allow individual devices to route information
on their own. This would allow those devices to bypass the
Internet infrastructure completely and create basically a new
wireless Internet that could not be filtered.
Also, another area of research that should be considered is
making e-mail encryption even easier to use and more
transparent. Right now, it is a little bit too difficult for
most people.
Finally, to sum up, China's censorship technology is
becoming more advanced every day. We can do something about it,
but we must act now. The government should fund credible third
party organizations to develop open-source anti-censorship
technology.
Multiple strategies should be developed and their release
should be coordinated according to a centralized high-level
strategy. If we do not act, there is no doubt the Chinese
Communist Party will have more power over its populace than
ever before in history instead of less.
Thank you.
[The prepared statement of Mr. Baranowski appears in the
appendix.]
Mr. Wolf. Thank you very much.
Avi, you talked, first, about the arms race. You did not
draw a conclusion. Is this arms race a winnable arms race on
the circumvention side, or is it simply a continuing process of
raising the costs at each level?
Mr. Rubin. I, unfortunately, do not think there is a
straightforward answer to that, because there are several
different axes that I drew for censorship.
If you are talking about the censorship between the inside
of China to sites that are outside of China, it is pretty clear
where the end of the arms race is, which is that they cut off
all connectivity. Then, short of going through a satellite, or
phone lines, or some other way, there is really no way anyone
could get out.
However, there are a lot of other things. For example, if
you look at people within China trying to communicate with
other people within China, and maybe posting content where
things are not going through the firewall, then I think there
is an interesting arms race.
It is not clear who the winner is, because I think the
technology has only advanced so far at present. We need new
research. I support the comments that were made about funding
new research.
You could imagine a technology developed whereby Internet
traffic becomes untraceable, so the next thing that happens is
that the government mandates router manufacturers to put
something in each packet so that they can trace it. That is
another step in the arms race. We have got to go back to the
drawing table and figure out how to get around that, and I do
not see where that kind of an arms race terminates.
Mr. Wolf. Anyone else want to comment on that?
Mr. Xia. I would.
Mr. Wolf. Yes, please.
Mr. Xia. I would like to make a little comment.
Technically, you can comment on technology if it can be
censored or it cannot, how hard it is.
Another factor is if the user will use it. Like, for the
Freenet China project, there are people sending e-mails and
saying, I am a peasant, I only went to elementary school, so
tell me how to use it in two sentences, something like this.
So, even if technology works, there is the matter of,
first, how can you overcome the first barrier, if you can
convince the user to use the software and learn how to use it.
Mr. Wolf. Thank you.
Mr. Baranowski. I have a comment.
Mr. Wolf. Go ahead.
Mr. Baranowski. I think, if we do nothing, then eventually
we will not be able to do anything. But if we do something
soon, then the arms race will continue, and continue on
indefinitely until whenever.
But there is a point that, if we do nothing now, we will
not be able to do anything eventually because they would have
cracked down too much at that point and there would be no way
to get anything in or out.
Mr. Wolf. Is there a point in this arms race where the cost
to China is too high, in the sense that the measures the
government would have to take would so negatively impact on the
use of the Internet, and on Chinese businesses' ability to use
the Internet to be internationally competitive?
Mr. Rubin. I think you have put your finger on it right
there. If China were willing to isolate themselves from the
rest of the world, then they could censor in a way that we
probably could not overcome.
But as long as there are forces within China that want to
have, for the sake of their own businesses, like you said,
connectivity, then I think that there is something we can do.
I also see the door closing if nothing is done, but maybe
not as fast. The thing that will push them to the next level in
censoring is when circumvention technologies start to move. If
they stagnate, then I do not see them having a need to respond.
Mr. Xia. I am also thinking of another possibility, that
Western companies collaborate in doing censorship even outside
of China. Then they can collaborate with censorship technology
so it will not affect, like e-commerce communication, inside
and outside of China. One technical example I can think of, is
content filtering of any Web site--for example, Google--so if
you are searching for key words, you are kicked out.
However, it is actually easy to resolve this. Google can
just implement https so your requests will be encrypted. I am
not sure if Google is willing to do that. It is obvious that
Google will be confronting China's content filtering engine.
Mr. Lin. I might comment. I think those who do censorship
and who did anti-censorship, they actually use similar
technologies. The result is people or companies do something
for profit. So that is why we see that the Chinese Government
can create a firewall.
I think some U.S. companies are heavily involved with it,
say, especially some companies in California. The backbone, the
technology, and the core equipment are developed and
manufactured by the United States, especially California
companies.
So we do not have exact evidence, but we can reasonably
conclude that the American companies are helping the Chinese
Government to build the censorship firewalls. So that is why
the same technology can result very differently for different
sides. For people who are doing anti-censorship, like Paul, he
is just doing it for the ideals, not for profit.
I think the two sides are not even. So, the result is, we
can expect who will win the war. I do not think, in any small
part, that we will win the war. That is the reality, so I am
worried about it. So, I think it is my duty to speak here to
help many people to understand the situation.
Mr. Baranowski. Can I answer that as well?
Mr. Wolf. Sure.
Mr. Baranowski. You raised a good point about the commerce
and tying this anti-censorship technology to commerce. This is
the only way I think that these technologies will work.
For example, using SSL [Secure Sockets Layer] encryption
for secure communication. SSL is also used in e-commerce to buy
things over the Web, so they cannot outlaw, for example, that
type of encryption. So, this opens a whole lot of China which
they cannot really block unless they want to block all of
e-commerce.
The second thing I want to talk about is the stagnation of
censorship technology that Avi mentioned. I do not think this
would happen at all, because they are plowing forward as fast
as they can to implement more and more technology. For example,
the Golden Shield project. They are trying to use as much
technology as possible to control their population. I do not
think it is going to stagnate anytime soon.
Mr. Wolf. All right. Thanks.
Holly.
Ms. Vineyard. I would like to follow up on Ira's point
there. I would first direct this toward Paul. It is open for
anyone else who would like to answer. As technologists, how
would you characterize the economic cost of censorship?
I am interested in this as an approach for, how do we
engage the Chinese to see the true economic potential of the
Internet if it is left unfettered?
Mr. Baranowski. Obviously it is costing them a lot of money
to employ this many people to constantly be looking at Web
sites and trying to filter them. So that's the obvious,
up-front cost, as well as buying the right type of hardware
equipment that they need.
Another economic cost that might be borne by them is the
fact that they might be blocking sites that are not supposed to
be blocked which are e-commerce sites, so if people cannot get
to those sites, they will not be able to buy goods and services
through those sites. That is just off the top of my head. Maybe
someone else can answer that as well.
Mr. Rubin. Well, I am not certain how much commerce there
is from China to e-commerce sites in the United States, and I
think that is something that should be looked at to figure out.
That was used as a motivation for why they are not likely to
block SSL, but blocking SSL is trivial. It is 443.
They just turn it off and say, we do not have SSL through
our firewall. If it is not the case that people in China can
purchase things on e-commerce sites in the United States, then
that point is pretty meaningless. I do not know. Maybe somebody
knows about that.
Ms. Vineyard. Does anyone know if there is much in the way
of e-commerce going the other way?
Mr. Rubin. People in the United States purchasing things in
China? I do not know, either. I would be surprised.
Mr. Xia. I do not think many people are buying things
outside of China from inside China.
Mr. Baranowski. Maybe not consumers, but maybe businesses.
Of course, I do not think any of us have any data on this
whatsoever. We are just making the best guesses that we can.
Mr. Xia. When China blocked Google, there was a big cry
inside China and more people are complaining. They want to do
research or just common activity and they are blocked.
Mr. Baranowski. That is a good point. I believe it was
businesses eventually that complained so much that Google was
blocked that they had to unblock it.
Mr. Wolf. Let me just jump in here. Rather than e-commerce
and individual e-commerce, as Chinese industry continues to
develop and become more sophisticated, they are going to have
global sourcing strategies that require fairly sophisticated
use of the Internet, whether it is sourcing, inventory
controls, and so on.
That is what I was getting at. Not so much individual
e-commerce so much as, does additional effort by China to
monitor, block, and control the Internet raise the costs,
ultimately, of a joint venture auto manufacturer that is
involved in global logistics?
Mr. Rubin. Definitely. I mean, the way that I would
envision that this would happen would be if they do not want to
allow unfettered access to the SSL port, which someone serious
about censoring would not because a lot of circumvention
technologies could be built on it.
They could perhaps require any company or any entity that
wants to do that to clear it with them, and then they would
provide a special port and maybe some encryption keys that they
know that they allow them to use, and then they could monitor
it carefully. That would all be very expensive.
It would require a lot of databases to keep track of which
keys are used for which communications, and then all of the
monitoring equipment. So, they are raising the bar on
themselves to some extent by making it more expensive to allow
those business-type communications that they want to allow
while preventing general use.
Mr. Xia. I think this is true right now for e-mail service.
If you are running e-mail service in China, you have to put in
all the filtering software. For the Chinese ISPs, many of them
have very sophisticated e-mail filtering software which will
delay users receiving e-mails.
Also, many people will lose their e-mails. It is quite
different from here. I can call you and say I just sent you an
e-mail, but in China you cannot rely on this.
Ms. Vineyard. Thank you.
Mr. Farris. I am wondering if any of you could speculate on
what sort of attributes any anti-censorship or censorship
circumvention software or project would have to have in order
to be successful.
For example, I think issues like deniability on the user
end, the receiver end, would be important. But perhaps Bill or
Lin Hai can speak to whether or not they think that is really
an important issue in China.
Other issues like user interface, I think you mentioned, or
translations into Chinese. How important is it to the Chinese
people at the user end that this be in the Chinese language, or
does the average Internet user have an English level sufficient
to use these programs? If any of you have any speculation on
what a good censorship circumvention program would possess.
Mr. Rubin. I can tell you what we did with Publius and some
of the lessons that we learned in that regard. In terms of user
interface, I think the best way to distribute client software
is as a plug-in to a browser.
We experimented with client-side proxies. Those require
someone who knows how to run a compiler in order to get them
running, unless you want to write something native, but then
people use many different operating systems.
The one common denominator seems to be a browser. So, a
client-side plug-in would have the advantage of being able to
have general-purpose functionality.
You could build your whole protocol into it, whatever that
might be. Users would be able to not know necessarily exactly
what it is doing and just have content displayed for them. So,
as far as user interface goes, I think that is the way to do
it.
That will not work in a cyber cafe, for example, where you
do not have access to installing a plug-in. In that case, you
need to go with raw html, and it is a lot harder because if you
need to do any decryption or decoding or anything like that in
the software, then the only way you might do that would be via
a Java applet.
The Java applet would come from some well-known site, and
that could easily be blocked. So, after looking at all the
different alternatives, I think a browser plug-in is the way to
go.
You mentioned deniability. In the Publius project, what we
did was take the content that somebody wanted to publish and
break it up into many, many little pieces. Those things had
transformations performed on them so that you needed some
subset of them to reconstruct the content.
So, here's an example. Take a piece of Web content, whether
it is an image or a document, and break it up into 100 pieces
such that any 4 of them can reconstruct it, but any fewer than
4 is meaningless and more than that is redundant. The idea
here, is then you store those pieces on 100 different servers
all over the world. We had a bunch of servers up and running in
seven countries. This was a research prototype.
The sites that would host the content, they see this 1
piece out of 100 and they do not know what it is. So, there is
deniability from the host server. Without three other pieces
they do not know what it is and they do not necessarily have
that information on where the other pieces are.
So it was a system for publishing something. It got
dispersed throughout the Net. Nobody knew exactly what the
individual pieces meant. Then somebody to retrieve it would get
a special URL, or they could get a link through something, and
by running a proxy on their machine that their browser talked
to, could go out and get four pieces, do a cryptographic
checksum on them, verify that they had not changed, and then load
the image into the browser or the document without the user
having to be aware that all this happened behind closed doors.
Mr. Baranowski. May I answer that as well?
Mr. Wolf. Please.
Mr. Baranowski. As far as user interface, I think a variety
of methods should be used depending on the individual user.
Something different should be in an Internet cafe versus
someone from a home computer, versus someone at a business,
which is what I was getting at before in my speech. I was
saying we should have multiple projects going on at once using
a variety of methods.
As far as deniability, the only thing I can say is that
this does exist in Peekabooty. The connections to the Web
server are anonymous. No one can tell who is fetching which Web
page.
As far as English level proficiency, I just read a report
last week that said 20 percent of Web pages viewed from China
are in English. So, definitely the minority. That is all.
Mr. Lin. May I comment? There are some informal
technologies used by the Chinese Internet guys. They can always
find some secret way to access the outside world. But the
problem is, it is not public technology. So, the public needs
to use most widely used technologies, say, for Web access.
I think if we can offset technology to let people use a
normal browser to access the outside world, the effect or the
result will be very limited. So, that is a problem. Not all
people are educated in technology. They are just normal users.
Mr. Xia. I think the answer, a lot, depends on how many
users you are targeting. For the most computer-capable people,
many of them can read English. They will find ways themselves.
They do not quite need your help. Like, DynaWeb has reached the
level of tens of thousands. So at this level, you need
something really easy. We got complaints, in the beginning,
about DynaWeb using the domain name, or just visiting a Web
site.
I cannot say anything easier than that. But, still, some
people do not like the pop-up windows, https, because it is not
certified, or something like that. Or we do some technology
that makes the domain name look weird, and then some users say,
should I click it, or something like this.
So, even at this level of users there are lots of questions
that arise. But if you are working on something like a plug-in
or a
program, people need to download a Chinese interface. That is
important. Like for the Freenet China project, it has software
and it reaches a user level of 10,000. So at this level of user
base, you do need the Chinese interface, and a very easy-to-
understand
interface.
Another factor we tried to compile, is we want to put the
program below 1.44 megabytes so people can carry it around with
a floppy. Then people do not have to leave that program on
their computer's hard drive, they can, every time, download it
and delete it.
But this is getting harder because in the Internet cafe
situation, it is really bad. In many of those registered
Internet cafes, you cannot download and there is no floppy
drive.
I think for some software, the administrator can remotely
look at your screen at any moment. I think for this specific
environment, it is almost like the door is closed. There is
hardly anything to do with it.
Mr. Rubin. Just one other point. In a country where it is
illegal to do certain activity, you could conceive that if
there were such a plug-in or proxy program, the fact that that
thing is on your machine could be a liability.
Mr. Farris. So just a follow-up. In terms of the
state-of-the-art right now, is it possible for there to be a
system that has complete deniability, something that would not
have to be downloaded, that would not involve any obvious
encryption that would tip off the authorities?
Mr. Rubin. It depends on your threat model. If you have a
threat model that the authorities are sniffing your line, then
the answer is, without encryption, no. If they do not allow
encryption, then there is nothing you can do.
If you have authorities that are, with some probability,
sniffing your line, then maybe you can play some games and
adjust or tune your risk factor and say, I will get caught with
this probability, and that may be able to be small enough that
it would be worth it for people. But if the adversary can view
the line going into your house and you do not allow encryption,
then I do not see how there is anything you could do.
Mr. Baranowski. Since China still does allow encryption,
what you could do is if you are in China and you have a friend
in the United States, you could download a program such as PGP
Net, I believe, and encrypt all your data between the two
computers, he sets it up on his computer and his computer is on
all the time, and you just route everything through him.
So, it has to be more of a personal connection to someone
who is going to help you out in another country, and then you
could quite easily get around it. As far as an automatic
system, there is no way right now to--sorry.
Could you repeat the question real quick?
Mr. Farris. I guess I am trying to see if it is possible to
have complete deniability.
Mr. Baranowski. Oh, complete deniability.
Mr. Farris. So nothing needs to be installed in the
computer.
Mr. Baranowski. Nothing that is automatic. Right.
Mr. Farris. Yes.
Mr. Xia. Technically, I think it is probably impossible to
achieve that. But right now, I think the closest is DynaWeb.
You only need a domain name to visit a Web site, and then you
can clean your history with your Internet browser. But still,
if someone is looking through your computer, still you can be
caught.
Here, just now what Paul mentioned, I think, we can put in
a social background.
Right now, downloading and using PTP will not get you into
prison. But there are people arrested, and PTP is used as site
evidence. So, just using PTP is fine, but if you are doing
something else along with PTP then it is something else. I
think this is an important point. In the last 20 years, China
has changed a lot.
During the Cultural Revolution, all the requirements were
really harsh. If you were listening to the VOA radio at
midnight, you could be caught and sent to prison. But now the
government, instead of arresting you, is only trying to jam VOA
radio.
Mr. Wolf. Thanks.
Keith.
Mr. Hand. I wanted to get back to this arms race issue for
a minute. I was curious what the typical timeframe is in terms
of the cycle of technology and counter technology.
Then maybe you could follow it up with another point. There
has been some concern expressed that, as these new technologies
are developed, there could be a false sense of security among
users in China as to the degree of protection that they have.
I was wondering if you could comment on that risk and
whether, in your experience, people understand it or whether
they feel like they are completely protected from monitoring
when a new technology is introduced.
Mr. Xia. From my experience, they correct that mistake
pretty quickly, like 1 day after. If they mistakenly block
their own sites or something like that, they will correct that
pretty quickly since they only need to release what they did
with that technology. But to develop brand-new technology, from
our recent experience, it is more like months. But for security
concerns, I think you have to foresee it to be compromised.
Mr. Rubin. To answer the other part of your question, it is
interesting. When we came out with Publius, I got approached by
somebody who wanted to use it for very sensitive--they did not
tell me what--activities and they said they were really
worried, and how much would I vouch for the software.
It is interesting, because normally if there is a bug in a
program that I write, something crashes. But the responsibility
of potentially putting someone in harm's way by a bug in the
software was too much. So we disclaimed it and said, this is a
research prototype. We did open-source it. I agree that
open-source is an important component of anything like this.
If you are going to use a program that could get you thrown
in jail if it does not behave properly, that is a pretty scary
notion. I mean, the way they measure the number of bugs in a
program, the metric in software engineering, is by the number
of lines of code.
You ask a software engineer, how many bugs does a program
have, they say, well, how many lines of code? And then you know
how many bugs it has, or a minimum, anyway.
So for something to be that reliable that you are going to
risk your freedom to use it, I think it is tough and I am not
sure that I would want to take that chance, myself.
Mr. Hand. Thank you.
Mr. Wolf. Paul, if you had a different hat, let us say as a
representative of a U.S. intelligence agency, and you were
sitting here as the fifth person on this panel, and you heard
Paul Baranowski talk about the need to develop open-source
software for countermeasures, what would you say to us in
response?
Mr. Baranowski. In response to what?
Mr. Wolf. Regarding the technology required for
countermeasures, what concern would the intelligence community
have that obviously bad people would put this to bad use?
Mr. Rubin. The double-edged sword.
Mr. Baranowski. Oh, yes. All right. I have been asked this
question before. Yes, I would have concerns about whether bad
people could use this technology for bad things. My response to
that is I have tried to think of ways that, especially
Peekabooty, could be used to do bad things and I am hard
pressed to come up with something that is not already done
better using the different programs specifically designed to do
bad things.
There are plenty of programs out there in the Internet area
that do bad things, like denial of service attacks, viruses.
All this, you can get easily. So, something that simply makes
your Web browsing anonymous, it is somewhat difficult to think
of scenarios that you could use it to do evil with.
Mr. Lin. I might comment. I think no one can prevent some
people from doing bad things with some technologies. So, based
on this theory, to make any policy to limit people using
technology, you will not really reach your goal.
For example, the PGP software. To my understanding, it is
still banned for people outside of the United States to
download the PGP software from U.S. Web sites. It is the United
States law. So how do they do it? They just publish the PGP
software, soft code, and carry it to Norway, and then retype it
into the computer at the Web site in Norway at PGPI.com, or
something like that.
So that other part of the world--outside of the United
States--can download the same program. That is just an example.
The United States making some kind of policy to try to limit
the people using technology, it does not work. That is my
opinion.
Mr. Rubin. Getting back to your question for a minute, when
Publius came out we took a lot of criticism from people who
came up with the example, imagine somebody came up with child
pornography or some other kind of
offense-to-pretty-much-everybody image and posted it to a
system where it was published where it could not easily be
removed. That is
something that was not possible before. Or instructions on how
to make a bomb, or something like that.
You sort of take a step back when you suddenly think about
uses of your technologies. There are several different ways to
look at it. One is an example I go back to. When the automobile
was first introduced, law enforcement was afraid to allow these
things to be mass produced because they were worried bad guys
would be able to get away more easily. Yet, we see all the good
that has come out of the automobile. The same thing could be
said for the Internet.
A more constructive answer, though, is to say that you can
build censorship-resisting technologies with dials in them and
let society set the dial. So in the United States, for example,
we all believe pretty much--we should believe--in freedom of
speech and the right to do certain things.
Then there are certain acts which pretty much are the norm
in society that that is unacceptable, certain things like child
pornography that there is just no debate about. So, perhaps we
can build a censorship system so that if almost all the users
in the system do not want something, then that thing can be
censored, but it requires a communal effort of almost
everybody. That is just some thoughts on how to do it. You have
got to be very careful that you do not enable, accidentally,
ways of censoring that are more easy than before.
Mr. Wolf. Let me turn to United States suppliers of
technology, equipment and software for China's backbone. Lin
Hai was talking about California companies. Others have talked
about the need to license or restrict United States export of
technology to China that can be used for censorship and
control.
I wonder if you could comment on what you think should or
could be done regarding control of United States exports of
Internet technology to China, or whether it is something you
believe is a road that we should not go down.
Mr. Lin. I think that it is not easy to make any kind of
policy like that because people can find some ways, any ways,
for profit. So my suggestion is, do some reverse policies to
encourage companies, and individuals, and organizations to
develop any other technologies against censorship. This is the
way to work, I think. For example, set up some funds to sponsor
people like Paul, to develop anti-censorship technologies. That
is the right way.
Mr. Baranowski. I would say to ask the companies themselves
to have them issue a statement saying we do not support
censorship and surveillance. We do not take part in it. For
them to come out and publicly say that, I think, would be a
very good first step in that process.
There is a precedent for regulating this type of
technology, and that is with encryption. Just a few years ago,
you had to first submit any encryption product to some agency
to have it checked out before it was exported, so you could not
export anything that encrypted above a certain level. This
could also be done with censorship technology. That would be a
more extreme thing to do, but there is precedent for it.
Mr. Rubin. Yes. I pretty much would oppose any idea of
regulating what Internet companies can and cannot sell abroad.
While I agree with the goal, I think that such export
restriction attempts have fallen flat on their face before, as
we have seen with the encryption.
Mr. Wolf. Bill, do you have a comment on this?
Mr. Xia. I think it is kind of analogous to export arms so
that arms can be used for good things or bad things. So, there
can be restrictions on what kind of technology you can export
and where you can export. They cannot just say, I am sending
the technology, I do not know or I do not care what they are
doing with it.
Especially for China, in the past years, it has been
demonstrated, what are they going to do with content filtering
technologies. So, I think there can be regulations on some
specific cases.
Mr. Rubin. I would worry that China would start buying
their backbone technologies from other countries that have
equally developed products, and that we would be hurting our
business without actually helping fight censorship.
Mr. Wolf. Holly.
Ms. Vineyard. If China has such effective cyber-walls, in
your opinion, why is it these cyber-walls are not being used to
stop piracy as well?
In the recent regulations, copyright piracy was not
identified specifically as an illegal purpose. How do you
recommend we go about raising this?
I mean, we would be asking the Chinese to provide
additional policing to a medium that we essentially want to be
free, but we still want to protect the rights of copyright
holders.
Mr. Xia. I think Internet censorship has become a very
essential policy of the Chinese Government. This year, the head
of the Public Bureau of Security commented that there is a
conspiracy about anti-China forces trying to distribute
subversive information through the Internet.
I think for the Chinese Government, the Internet Freedom
Act can potentially endanger their current authority, so it is
a pretty high priority, not just economics.
Ms. Vineyard. But my question was really trying to get at
the protection of intellectual property rights, especially
copyrighted material. If any of you have any experience with
how that is being protected or not protected on the Chinese
Internet, I would appreciate your views.
Mr. Rubin. I think that it is really a different security
technology that protects or prevents traffic from flowing
freely and that guards intellectual property. It is almost like
guarding the information in the other direction.
So, if something that is a particularly valuable
intellectual property gets inside China and can get replicated
very easily, the fact that it went through a firewall when it
got through is meaningless at that point.
Intellectual property protection technologies are somewhat
limited in their capabilities. If there is something that you
have in software, you can replicate it. Hardware assistance is
expensive. It is difficult to distribute things when you
require people to have a particular kind of player.
Intel and Microsoft are taking steps to provide
intellectual property protection in the platform that people
have in their homes. At that point, if that works, it will be
successful in China as well. But I do not think that the
censorship technologies are designed, nor can they very easily
protect, intellectual property of something once it has gone
through the firewall.
Mr. Lin. To my understanding, this is more consistent with
the law. In China and in the United States, they seem to have
similar copyright laws, but they actually deal with them very
differently.
In China, on the big Web sites, they understand the
copyright law, but individual users do not care. The government
also does not care about the individuals who use free copies of
copyrighted materials.
So, the censorship through technology will not help to
protect the copyright, but it should be done by something like
how to develop the law and how to actually do something under
the law.
Mr. Baranowski. Actually, one of the scary things is that
if China does get this DRM technology, which is Digital Rights
Management, which allows you to protect your intellectual
property, if that goes to China, it actually gives China more
power to censor their people because you could use that same
technology to say, you can only run this program on your
computer, or this set of programs on your computer, and nothing
else that is not approved by the Chinese Government. Thus, no
program that we could write, any anti-censorship program we
could write, could ever bypass that sort of control.
Mr. Rubin. And that is not limited to China. A lot of
people worry that DRM technology in the United States could
greatly restrict fair use of all kinds of things.
Ms. Vineyard. Thank you.
Mr. Farris. I would like to stay on that point for a
moment. I think at least Publius, and maybe also Peekabooty,
were not specifically designed with China in mind, and there
may be a concern about other countries as well.
Do any of you have a view on where China fits in the
spectrum of censorship compared with, say, even the United
States or other countries? Is China the worst offender? Do you
see the United States moving in a similar direction?
Mr. Baranowski. China is the worst offender, possibly tied
with Saudi Arabia. The other countries that are censored are
Burma, Cuba, and even Australia.
There are about 20 or 21 countries that censor their
Internet the last time I checked.
You are right that this type of technology could work in
any country. It is not just limited to China, which is, in my
opinion, a good thing.
Mr. Farris. Thank you.
Mr. Wolf. Keith.
Mr. Hand. I wanted to get at Ira's question from a slightly
different angle. There was a lot of controversy over the Yahoo
China pledge earlier this year. Some argued that even operating
under some restrictions, there is still an advantage to having
a company like Yahoo operating in China, delivering information
and pushing the limits of the controls there where they can.
I was wondering if you could comment on that and give us
your sense of where you think the line should be drawn between
working within the system and struggling within it for change,
and where you end up colluding with the government on these
censorship issues.
Mr. Rubin. I think that anything that encourages the
openness, the connectivity between China and the rest of the
world, opens up avenues for other censorship-defeating
technologies to piggy-back on the existence of that network.
So, from that sense I think it is a good thing.
Mr. Baranowski. It seems to me that companies going into
China are playing right into their hands. China basically stops
any company from coming in unless they obey their rules.
So, basically it does not seem like any Western thought is
getting into China through these corporations. For example, the
Norton Antivirus software. They gave China virus software
before they could get into China. Cisco built special routers
for them.
All these companies are playing right into their hands and
basically doing whatever the Chinese Government says so they
can get into this imaginary market, in my opinion, that is not
quite as big as they made it out to be.
Mr. Xia. I agree with what Paul said, especially in the
case of Yahoo. They have openly signed a self-censorship
agreement. In the case of Yahoo, it actually helped China to
create a kind of Chinese Internet and make it look like people
can stay there and get everything.
Mr. Wolf. Paul, you just said Cisco provided special
routers. Are you saying that the Chinese Internet censors
provided specifications to Cisco to provide some unique
equipment, or are we talking about equipment that they provided
that have multiple uses?
Mr. Baranowski. The reports are that they asked for
specific features in these routers, and Cisco made it for them.
Mr. Wolf. Is it your assumption that those features are
unique?
Mr. Baranowski. Unique to China.
Mr. Wolf. Unique to censorship functionality as compared to
some other functionality?
Mr. Baranowski. To censorship technology.
Mr. Wolf. But that is a guess, right?
Mr. Baranowski. These are reports from interviews of people
that worked on the project, so I do not have direct experience
with that.
Mr. Wolf. As you develop circumvention technologies, is the
target user the average Internet user in China, or is the
target someone who has a fair amount of sophisticated
knowledge? In other words, is the beneficiary someone who has a
PC at home, does not know much about the technology but knows
how to sign onto his ISP?
Mr. Baranowski. Are you saying, for Peekabooty, is that the
main target market?
Mr. Wolf. Yes.
Mr. Baranowski. Yes. Yes. For my project, Peekabooty, that
is the target market, the personal home computer or any
computer you can actually install software on.
Mr. Wolf. And a user who is not particularly sophisticated.
Mr. Baranowski. Yes, and a user that has no special
knowledge of Internet technology.
Mr. Wolf. Avi.
Mr. Rubin. Since it was a research prototype, we never got
it to that phase. But the design was made with that as one of
the original main constraints, is that it should be usable by
anyone.
Mr. Wolf. Bill.
Mr. Xia. From the response I got, there are people who
really have little computer technology. They ask me, you gave
me the URL. What should I do? So I have to tell them, please
copy the URL to the address of your Internet browser and
return. You will see the Web interface, blah, blah, blah.
Mr. Wolf. All right.
Mr. Lin. I think nobody can get benefits from a virus. If
the government, for some purpose, makes some special virus that
is very dangerous and powerful, you can understand because most
of the users are uneducated in special technology. They will
not find anything special.
All information can be collected by the central government.
It is very easy and effective and could happen. We have not had
any reports that it has already happened, but it is just a
technical possibility.
Mr. Rubin. It is actually pretty bad. There is a program
out there for Windows, which is the most popular platform,
called Back Orifice. It is a spoof on the name Back Office.
What this program does, is it can be installed on a
computer in stealth mode, meaning that you cannot really tell
that it is running on your computer, and it provides a remote
terminal to whoever installed it there where they would have a
window on their screen that was exactly your desktop, whatever
you saw there.
They could control it with mouse clicks and keyboard events
that would be sent from their computer to the target computer,
and anything that was done on that target computer would be
visible, and any keystroke, any password that was typed in,
would be visible.
So in the extreme where the government wishes to install
this kind of a virus, or even to require vendors to install
this on the computer when they sell them, they could pretty
much see exactly what was going on on every single computer any
time they wanted. Big brother. Turn the switch on this house
and watch what is going on on that computer. That is not just
technically feasible, that has already been done. That software
is out there.
Mr. Wolf. I have one last question. Bill, the figure of
30,000 Internet police. Where does that come from?
Mr. Xia. I think it is originally from some report from
China, and then everybody is quoting it.
Mr. Lin. There is a specific Web site. They publish a lot
of information related to the Web site, at dfn.org, Digital
Freedom Network. That is my recommendation. You can find some
information related to it.
Mr. Wolf. All right. Well, I would like to thank you all
very much for coming today. This has been helpful in our
understanding of the Internet technology issues. I appreciate
the fact that, although you are all technologists, you talk
about it in a way that non-technologists can understand.
So, thank you all very much for spending the time, and
thank you all for your commitment to this.
[Whereupon, at 4:13 p.m. the roundtable was concluded.]
A P P E N D I X
=======================================================================
Prepared Statements
------
Prepared Statement of Avi Rubin
November 4, 2002
While I am a researcher at AT&T Labs, I am participating in this
round table as an individual, representing only my personal beliefs and
opinions. I have been researching computer security issues since 1991.
Much of my work has focused on privacy, anonymity, and censorship
resistance.
The purpose of my statement is to discuss technical issues related
to censorship. I will discuss the techniques that a network
administrator, including a large company or a country, could use to
censor access and content to and from its network, and I will discuss
techniques that could be used to circumvent this censorship. For the
remainder of this paper, I will refer to the party controlling the
network as the Censor, and to the party wishing to circumvent
censorship as the User.
Censorship is somewhat of a broad term. It can refer to the
blocking of access to web sites. It can refer to blocking all
connectivity outside of the domain of the Censor, and censorship can
refer to the limitation of access to certain content. Censorship can
also involve forceful removal of content from the Web, by applying
pressure to the publisher and/or the web hosting party. The latter is
the type of censorship that the Publius system was designed to
circumvent. In this statement, I do not discuss censorship within the
domain of the Censor, but rather, the censorship of content available
from outside of the domain for people whose network is under the
control of the Censor. I also focus on the User as the receiving party
of information and not the publishing party. I will be happy to discuss
issues related to the latter in the question and answer period.
There are three principal techniques that can be employed by the
Censor.
1. Routing filters: The Censor is in a position to control how
traffic from the User reaches the rest of the Internet. The Censor can
refuse to route Internet packets from the User that are destined for
particular locations. Thus, the Censor can use the destination address
of the packets to make a censorship decision. In the extreme, the
Censor can prevent all traffic from all of its users from reaching any
network outside of its control. This is easy to do, and any Censor can
accomplish this without the need to purchase any new hardware or
software. The functionality is built into all off the shelf routing
equipment that sites use to connect to the Internet.
2. DNS tricks: The Censor can exert some control on which external
sites users can communicate with by virtue of its control over the
Domain Name Servers (DNS) within its administrative boundary. The DNS
is the service that maps computer addresses (IP addresses) to names.
For example, www.avirubin.com has the address 207.140.168.155.
Computers communicate using such numerical addresses, but people enter
readable names into web browsers. The DNS translates these names into
numbers. Since the Censor controls its own DNS service, it can
translate requests from the User to addresses under its own control.
For example, if the User attempts to connect to www.avirubin.com, the
Censor can program its DNS to return 10.10.32.1 when the User's machine
tries to figure out the IP address of the machine, and this address can
be that of a machine controlled by the Censor. Thus, DNS provides the
Censor with the ability to control which computers the User can connect
to.
3. Application level filtering: The previous censorship techniques
dealt specifically with connectivity issues. Application level
filtering, on the other hand, is a mechanism for controlling the
content, even if the User can connect to a server. The most likely type
of application level filter that the Censor would use is an HTTP proxy.
This is a program that intercepts requests sent to Web servers and the
responses returned to the User. The Censor can inspect the content, and
a decision can be made, as to whether or not to block the information
from reaching the User. A Censor using an HTTP proxy might focus its
attention on popular search engines.
The first type of censorship, based on routing filters, is
difficult to circumvent. If the routers do not allow packets in and out
of the network, then there is no way to get around that. The best one
could do is to dial up to an external ISP. Of course, this could get
expensive if the Censor is a country. Also, a very strict and powerful
censor could monitor the phone network for data dial-up connections and
disconnect them, as well as sanction the User.
The second type of censorship, based on DNS spoofing, can be
circumvented by users who know the IP address of the server with which
they wish to communicate. Instead of referring to the server by name,
they could connect using the IP address directly. However, IP addresses
change frequently, and it may not always be possible for users under
the control of the Censor to know the IP address of a server. In
general, this is not a very effective technique.
The third type of censorship, based on application level filtering,
is perhaps the easiest to circumvent. Encrypted content is difficult to
censor, but a very strict Censor can maintain a policy of blocking all
content that it cannot interpret for the purposes of filtering. Perhaps
the easiest way to bypass HTTP proxies is to proxy web content over a
different port. Port numbers are used on the Internet to identify the
type of service for packets between hosts. For example, Web traffic
uses port 80. HTTP proxies process packets that are marked with port
80. A User wishing to circumvent this monitoring could cooperate with
someone on the outside of the Censor's administrative control. They
could set up two proxies. The inside one would translate port 80
packets into ones that use, say, port 14500. The outside one would
translate port 14500 back to port 80 and send them to the server. Thus,
the User could browse the Web without the Censor detecting it. However,
a strict censor could block all ports except 80, and then filter on
port 80. There is little that could be done by the User in that case.
It should be noted that researchers have succeeded in identifying
services by their traffic patterns, independent of port numbers.
The bottom line is that there is an arms race in censorship. An
extreme Censor can win every time, but at the expense of completely
disconnecting all users. The more tolerant a Censor, the more avenues
there will be for circumvention of the censorship that is in place.
______
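The three controls described in Mr. Rubin's statement above, modeled as one decision procedure so that it is clear which control decides a given request and what the stricter variants he mentions change. This is an added illustration, not part of the testimony or of any system the witnesses built; the `.example` host names, the 203.0.113.x and 198.51.100.x addresses, the banned word and the `Policy`/`Request`/`evaluate` names are constructed for the example, while 10.10.32.1 and port 14500 are the values used in the statement.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Optional

# Constructed stand-in for what DNS outside the Censor's domain would answer.
REAL_DNS = {"news.example": "203.0.113.10", "search.example": "203.0.113.20"}


@dataclass
class Policy:
    blocked_nets: list = field(default_factory=list)   # routing filter
    dns_overrides: dict = field(default_factory=dict)  # DNS trick
    banned_words: list = field(default_factory=list)   # HTTP proxy filter
    allowed_ports: Optional[set] = None   # None: every port is routed
    block_opaque: bool = False            # drop content the proxy cannot read


@dataclass
class Request:
    dest: str              # host name, or a literal IP address
    port: int
    body: str = ""         # content returned by the server
    encrypted: bool = False


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def evaluate(policy, req):
    """Return (outcome, deciding_stage) for one request."""
    # Stage 1, DNS: only consulted when the User supplies a name.
    if is_ip(req.dest):
        addr = req.dest
    elif req.dest in policy.dns_overrides:
        # The User ends up talking to a machine the Censor controls.
        return ("redirected", "dns")
    elif req.dest in REAL_DNS:
        addr = REAL_DNS[req.dest]
    else:
        return ("failed", "dns")

    # Stage 2, routing: decided on destination address and port alone.
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(net) for net in policy.blocked_nets):
        return ("blocked", "routing")
    if policy.allowed_ports is not None and req.port not in policy.allowed_ports:
        return ("blocked", "routing")

    # Stage 3, application: the HTTP proxy only sees port 80 traffic.
    if req.port == 80:
        if req.encrypted:
            if policy.block_opaque:
                return ("blocked", "application")
        elif any(w in req.body.lower() for w in policy.banned_words):
            return ("blocked", "application")
    return ("allowed", "none")


# A tolerant Censor, and the strict variant from the statement: only
# port 80 is routed and uninterpretable content is dropped.
TOLERANT = Policy(
    blocked_nets=["198.51.100.0/24"],
    dns_overrides={"news.example": "10.10.32.1"},
    banned_words=["forbidden"],
)
STRICT = replace(TOLERANT, allowed_ports={80}, block_opaque=True)

if __name__ == "__main__":
    cases = [
        Request("news.example", 80),
        Request("203.0.113.10", 80),
        Request("198.51.100.7", 80),
        Request("search.example", 80, "A forbidden topic"),
        Request("search.example", 14500, "A forbidden topic"),
        Request("search.example", 80, encrypted=True),
    ]
    for req in cases:
        print(req.dest, req.port, evaluate(TOLERANT, req), evaluate(STRICT, req))
```

The last two cases are the ones where the tolerant and strict policies disagree, which is the trade-off the statement closes on.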
Prepared Statement of Bill Xia
November 4, 2002
DynaWeb was launched on March 12, 2002. It is a proxy network that
allows users to circumvent the Internet censorship in China and to have
secure and full access to the Internet. Users use DynaWeb as an
information web portal to all other web sites. Since the inception of
DynaWeb, we have managed to stay ahead of the censorship by China most
of the time. 20,000 unique users gained regular unblocked access to the
Internet through us.
DynaWeb has already played several rounds of the censorship and
anti-censorship game in the past 8 months.
Before I start, I would like to explain a few critical technical
terms for understanding DynaWeb experience. There are two ways to
access a web site through an Internet browser. One is to type in the
domain name, for example, www.google.com. The other way is to type in
the IP address of the domain name. The IP address is the essential
place the browser will fetch the web site information for the user.
However, domain name is more user-friendly. After a user types in a
domain name, web browser will resolve domain names to IP addresses and
fetch the right information for the user.
The game started with e-mail subscription service. DynaWeb e-mailed
unblocked IP address updates to subscribers. After 2 weeks, the censors
probably subscribed to our e-mail service too because the valid time
window of DynaWeb IP addresses reduced to a range from a couple of
hours to a few days after release.
Then our services expanded to domain names with dynamic IP
addresses. However, censors started chasing DynaWeb domain by
automatically detecting the IP addresses that pointed to the domain
name. This dramatically increased the needs for back-up IP addresses,
hence increased the cost of DynaWeb maintenance. DynaWeb adopted new
strategy so that censors had to manually verify the IP addresses before
blocking it. Then automatic IP blockage stopped.
Soon, in August, users started to have difficulty accessing
DynaWeb through https even when the IP was not blocked. It was found out
later on that the certificate DynaWeb used for secured access from the
Internet browser was filtered. This can be achieved by package level
analysis of Internet traffic to find out signature related to the
certificate DynaWeb used. In response to this, DynaWeb started to
change its certificate daily. No reports of certificate blocking have
been found since then. Again, censors were frustrated with the resource
required for daily updates of all related content filtering engine, and
quit.
At the end of September, DynaWeb domain names were hijacked to a
fixed IP 64.33.88.161 in China, along with many other web sites like
www.voa.gov. DIT has published a detailed report about this hijacking
(http://www.dit-inc.us/report/hj.htm), and it can be independently
verified from the U.S. More study about this hijacking is still
undergoing and will be released after we pass this stage.
So, what is next with the Cyber-wall?
At the first look, it is a technical question if technology can
break through China's Cyber-wall. In fact it is not. This process is a
race of technology and time. As DynaWeb's experience has demonstrated,
both parties can always implement new technologies to stay ahead and
sustain the advantage. If Internet breakthrough is defined as a pure
technical issue, the future is brighter for censors because China
purchases the most advanced censorship technology from western
companies.
China is also developing the Golden Shield project, a ``data base-
driven remote surveillance system.'' When the whole Beijing city is
wired with biometric sensor and camera network, no Internet based anti-
censorship can get around the surveillance system.
Even now, during the 8 months of technical race with DynaWeb, China
has developed the largest and most sophisticated IP blocking and
content filtering system in the world. The more anti-censorship
technique is deployed, the more comprehensive censorship technology has
become. This leaves less and less technical room for anti-censorship.
It is critical to take full use of technologies to benefit as many
people as possible before the door is closed.
Second, it is a matter of available resources. China has 30,000
Internet police specialized on Internet censorship, and ISPs are forced
to perform self-censorship. The self-censorship is even adopted by
foreign ISPs such as Yahoo. China has purchased top technology from
western companies. These technologies have even been modified for
China's particular censorship needs. Nortel, Sun Microsystems, Cisco
and many smaller companies contributed to building China's Cyber-
wall.\1\
---------------------------------------------------------------------------
\1\ China's Golden Shield: Corporations and the Development of
Surveillance Technology in the People's Republic of China, by Greg
Walton, International Centre for Human Rights and Democratic
Development,
http://www.ichrdd.ca/english/commdoc/publications/globalization/goldenShieldEng.html
---------------------------------------------------------------------------
Compared to China's investment in censorship and cyber wall,
investment in breaking through this Cyber-wall is next to nothing.
There are very few groups developing technologies suitable for this
Wall. With more resources, DynaWeb can provide services to more people,
develop better client software, have closer monitoring of censors' new
technologies and respond faster.
Third, people develop technology and technology serves people.
People factor is the most important factor eventually. Recent increase
of public awareness about China's Internet censorship both inside and
outside of China is a great sign. We hope that this will help improve
the current situation soon. Currently companies contributing to China's
Cyber-wall bear little public pressure, not to mention any legislative
limitation.
Inside China, more and more harassment and arrests of dissidents
and journalists are related to the Internet. Last year, there were more
than ten arrests in China for distributing forbidden information. This
will create fear among the public. For the general public in China,
they are now gradually realizing the existence of censorship
consciously.
More importantly, government has adopted subtler mind control and
propaganda to decrease Chinese's interests in uncensored information.
All major events outside of China are reported, with seemingly a
variety of views, although all the different views are in fact the
government's view. There is a fully developed online community inside
China serviced by self-censoring ISPs. This strategy is an extension of
China's Cyber-wall, a wall in people's mind. Internet, combined with
TV, newspaper and other information channels now offers Chinese people
different types of information and different views on certain issues.
It looks as though full freedom of speech has been achieved. However,
the government produces all the different views and types of
information. The censors try to use this to reduce people's interest in
uncensored information.
In summary, technology alone won't decide the future of China's
Cyber-wall. But people do. If all Chinese people would like to obtain
uncensored information, the Cyber-wall will be broken, from the inside.
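The hijacking described in Mr. Xia's statement, where many unrelated names resolve to one fixed address, can be told apart from ordinary resolver differences by comparing answers from inside the network with answers from an outside vantage point. The following is an added example, not DIT's tooling or data: the measurement lines, the `.example` names, the documentation-range addresses and all function names are constructed, and only 64.33.88.161 comes from the statement.

```python
import ipaddress
from collections import defaultdict

# Constructed measurements: vantage point, queried name, address returned.
SAMPLE = """\
# vantage  name              answer
inside     proxy-a.example   64.33.88.161
inside     proxy-b.example   64.33.88.161
inside     radio.example     64.33.88.161
inside     shop.example      192.0.2.44
inside     cdn.example       198.51.100.9
inside     local.example     192.0.2.80
outside    proxy-a.example   203.0.113.5
outside    proxy-b.example   203.0.113.77
outside    radio.example     198.51.100.23
outside    shop.example      192.0.2.44
outside    cdn.example       198.51.100.200
"""


def parse_observations(text):
    """Return {vantage: {name: set(addresses)}}; raise ValueError on bad lines."""
    obs = defaultdict(lambda: defaultdict(set))
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("inside", "outside"):
            raise ValueError(f"line {lineno}: expected 'inside|outside name address'")
        vantage, name, addr = parts
        ipaddress.ip_address(addr)  # ValueError if the address is malformed
        obs[vantage][name.lower().rstrip(".")].add(addr)
    return obs


def mismatches(obs):
    """Names whose inside answers share no address with the outside answers."""
    out = {}
    for name, inside in obs["inside"].items():
        outside = obs["outside"].get(name)
        if outside and not (inside & outside):
            out[name] = inside
    return out


def find_sinks(obs, min_names=3):
    """Addresses that the inside resolver returns for min_names or more
    mismatching names: the signature of redirection to one fixed IP."""
    by_addr = defaultdict(set)
    for name, addrs in mismatches(obs).items():
        for addr in addrs:
            by_addr[addr].add(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) >= min_names}


def classify(obs, min_names=3):
    """Label every name seen from inside the network."""
    sinks = set(find_sinks(obs, min_names))
    wrong = mismatches(obs)
    verdicts = {}
    for name, inside in obs["inside"].items():
        if name not in obs["outside"]:
            verdicts[name] = "unverified"   # no outside reference to compare
        elif name not in wrong:
            verdicts[name] = "consistent"
        elif inside & sinks:
            verdicts[name] = "hijacked"     # answer is a shared sink address
        else:
            verdicts[name] = "differs"      # e.g. regional load balancing
    return verdicts


if __name__ == "__main__":
    observations = parse_observations(SAMPLE)
    print(find_sinks(observations))
    for name, verdict in sorted(classify(observations).items()):
        print(f"{name:18} {verdict}")
```

A single differing answer, as for `cdn.example`, is reported but not called a hijack; the verdict requires the same address to show up for several unrelated names.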
Prepared Statement of Paul Baranowski
November 4, 2002
I am the project leader of Peekabooty, a piece of software that is
designed to get around state-sponsored Internet censorship at the
national level. Peekabooty accomplishes this using peer-to-peer
technology. Peer-to-peer (P2P) basically means that there is no central
authority governing some part of a networked system. The idea is that
anyone that uses a P2P system also helps out others. Napster, Gnutella,
Morpheus, and Kazaa are all examples of peer-to-peer networks.
Peekabooty uses other nodes in the network to relay data around the
firewall, kind of like a distributed proxy service.
China has been working on its firewall since before 1997, and we
have seen its power growing over the years. Just about every other
month now we see another story of a new technology being implemented in
order to more effectively filter information.
The Chinese authorities started by blocking web pages based on
their Internet Protocol (IP) address. Citizens of China initially
worked around this by using ``open proxies''--that is, other computers
on the Internet that indirectly fetch web pages for the user. In early
2001, the Chinese Communist Party countered the use of open proxies by
scanning the Internet for them, and adding the proxies to their banned
list. Web sites have also responded by changing their IP addresses.
However, they can only change their IP addresses every few days and
this costs money, so this is fairly ineffective.
SafeWeb and Voice of America (VOA) set up a system that would send
the IP addresses of available proxies to whoever requested them.
However, it wasn't long until the Computer Monitoring and Supervision
Bureau of the Ministry of Public Security started requesting the proxy
addresses and simply banned any IP addresses it received.
There are two strategies that have not been effectively countered
yet: bulk email lists (where email is sent out to an enormous number of
people) and Freenet. Bulk email still works because the origination of
the email is different every time. However, email has the drawback of
being one-way communication. Freenet is a peer-to-peer system that
allows two-way communication, and it still works because the only way
to find another Freenet node is through ``out-of-band'' means. This
means there is no automatic way to discover all the nodes in the
network. The only way to find another node is, for example, by calling
up a friend of yours that is running Freenet and getting his IP address
or having an IP address personally sent to you in an email.
One of the main goals of Peekabooty is to overcome this limitation:
to create a method of discovery that is automatic yet never allows
anyone to discover all the nodes in the network. I am currently
developing a simulation of a system that shows great promise in this
regard.
More recent developments of the Chinese firewall include:
    Selectively blocking out content within a web site instead
      of blocking the entire site
    Denying Internet access for a certain amount of time to
      anyone searching for a banned keyword
    Suppressing dissident comments in chat rooms, followed by
      a warning email to the user who made the comments
    Logging Google keyword searches
We can do something about this if we act now. The Chinese
Government is already on its third generation of firewall technology,
and we haven't even started version one of our counter-strategy yet. If
we do not do something soon, they may be able to close off the country
completely and obtain absolute monitoring and control of their net
before we can do anything about it. A fair guess is that by 2008, when
the Olympics go to Beijing, it will be much too late to act. Our window
of opportunity is now, at this moment.
The U.S. Government is the only organization that has the power to
mount an effective counter against this type of censorship. Independent
efforts by volunteer groups will be ad-hoc, and there will be no
coordination between the releases of the various projects. A well-
funded, centralized program could plan application releases so that
they occur at regular intervals in order to keep the Chinese
authorities constantly scrambling to keep up. In other words, the U.S.
agency in charge could coordinate and plan a global strategy that would
be much more effective than the current ad-hoc state of affairs.
Centralizing this type of activity also allows for the possibility of
interoperation between the projects, allowing more advanced features in
each product and eliminating redundancy.
There are few, if any, commercial possibilities for this type of
software, which is why the government is the only organization with the
power to fund this kind of activity on the scale that is required. The
amount of money proposed in the Global Internet Freedom Act has the
possibility to fund dozens of projects. There are so many aspects to
this problem and so many ways to solve it that this is the kind of
depth we need. Research is just beginning on this subject and we have a
long way to go. This panel represents a sample of what is out there--
there are, perhaps, on the high end, a dozen grass-roots efforts
attempting to do something about this on a shoestring budget. However,
this is not as many as we need. Right now development on all of them is
extremely slow due to the fact that they all rely on volunteers,
usually only one or two per project. The first thing that is gained
with funding is development speed. With a full-time staff working on
each project we would see rapid improvements in the technology. The
second thing that we gain is usability. For your average consumer, the
user interface is everything. For developers, this usually comes last.
With appropriate funding, experts can be hired to solve the usability
problem. Third, the interface for each program must be translated into
various languages, most importantly Chinese. With funding this becomes
possible. Finally, marketing the applications to their intended
audience is critical. Some part of the funding for each project should
be spent on promotion.
If the U.S. Government does fund projects such as these, it should
be done through credible organizations that are committed to developing
open-source solutions. Open-source software is crucial, due to fear of
software backdoors that would allow remote monitoring or tampering of a
user's computer. Open-source software relieves these fears because the
code can be vetted by outside experts.
One of the important things about many of the current projects is
that they use peer-to-peer technology. In terms of cost, this means
that they do not need large amounts of cash to keep them running. Funds
are mainly needed for maintenance of the code and the addition of
features. Each project could be initially funded by only a few hundred
thousand dollars a year, and even less for maintenance once they have
been deployed.
The current crop of anti-censorship projects that show promise and
should be considered for funding include the following: Peekabooty;
Freenet/Freenet-China; the Invisible IRC project (IIRC), which allows
anonymous chat; CryptoMail, a web-based email system like Yahoo that
provides automatic encryption of email; and Pretty Good Privacy (PGP)
and Gnu Privacy Guard (GPG) plug-ins to email clients (examples of such
plug-ins are Enigmail and KMail).
It should be noted that the National Science Foundation (NSF) has
started funding anti-censorship research at the academic level. What we
need is a system to transfer the research into real world applications.
One of the areas of research that has not yet been exploited is in the
field of wireless networking. This technology would allow wireless
devices to route information on their own. If there was an application
that did this, and enough wireless devices, it would create a new
Internet infrastructure which could not be filtered. I also think there
should be work done to make email encryption easier to use and more
transparent.
China's censorship technology is becoming more advanced every day.
We can do something about it, but we must act now. The government
should fund credible third-party organizations to develop open-source
anti-censorship technology. Multiple strategies should be developed and
their release should be coordinated according to a centralized high-
level strategy. If we do not act, there is no doubt the Chinese
Communist Party will have more power over its populace than ever before
in history.