Great Firewall
The Great Firewall of China is the combination of legislative actions and technologies enforced by the People's Republic of China to regulate the Internet domestically. Its role in Internet censorship in China is to block access to selected foreign websites and to slow down cross-border internet traffic.
The effect includes: limiting access to foreign information sources, blocking foreign internet tools and mobile apps, and
requiring foreign companies to adapt to domestic regulations.
Besides censorship, the GFW has also influenced the development of China's internal internet economy by nurturing domestic companies
and reducing the effectiveness of products from foreign internet companies. The techniques deployed by the Chinese government to maintain control of the Great Firewall can include modifying search results for terms, such as they did following Ai Weiwei’s arrest, and petitioning global conglomerates to remove content, as happened when they petitioned Apple to remove the Quartz business news publication’s app from its Chinese App Store after reporting on the 2019–20 Hong Kong protests.
The Great Firewall was formerly operated by the SIIO, as part of the Golden Shield Project. Since 2013, the firewall is technically operated by the Cyberspace Administration of China, which is the entity in charge of translating the Communist Party of China's will into technical specifications.
As mentioned in the "One country, two systems" principle, China's special administrative regions such as Hong Kong and Macau are not affected by the firewall, as SARs have their own governmental and legal systems and therefore enjoy a high degree of autonomy. Nevertheless, the U.S. State Department has reported that the central government authorities have closely monitored Internet use in these regions.
The term Great Firewall of China is a portmanteau of firewall and the Great Wall of China, and was first used in print by Geremie Barmé in 1997. The term started its use in Beijing in 1996 by Stephen Guerin of Redfish Group, . 1996 interviews of Guerin by CNN's Andrea Koppel and NPR's Mary Kay Magistad included Guerin discussing China's "reversing the firewall".
History
A favorite saying of Deng Xiaoping’s in the early 1980s, "If you open the window, both fresh air and flies will be blown in", is considered to be the political and ideological basis of the GFW Project. The saying is related to a period of the economic reform of China that became known as the "socialist market economy". Superseding the political ideologies of the Cultural Revolution, the reform led China towards a market economy and opened up the market for foreign investors. Nonetheless, despite the economic freedom, values and political ideas of the Communist Party of China have had to be protected by "swatting flies" of other unwanted ideologies.The Internet in China arrived in 1994, as the inevitable consequence of and supporting tool for a "socialist market economy". Gradually, while Internet availability has been increasing, the Internet has become a common communication platform and tool for trading information.
The Ministry of Public Security took initial steps to control Internet use in 1997, when it issued comprehensive regulations governing its use. The key sections, Articles 4–6, are:
In 1998, the Communist Party of China feared that the China Democracy Party would breed a powerful new network that the party elites might not be able to control. The CDP was immediately banned, followed by arrests and imprisonment. That same year, the GFW project was started. The first part of the project lasted eight years and was completed in 2006. The second part began in 2006 and ended in 2008.
On 6 December 2002, 300 people in charge of the GFW project from 31 provinces and cities throughout China participated in a four-day inaugural "Comprehensive Exhibition on Chinese Information System". At the exhibition, many western high-tech products, including Internet security, video monitoring and human face recognition were purchased. It is estimated that around 30,000–50,000 police were employed in this gigantic project.
Fang Binxing is known for his substantial contribution to China's Internet censorship infrastructure, and has been dubbed "Father of China's Great Fire Wall".
Origins of Chinese Internet law
China's view of the internet is as "Internet sovereignty": the notion that the Internet inside the country is part of the country's sovereignty and should be governed by the country.While the United States and several other western countries passed laws creating computer crimes beginning in the 1970s, China had no such legislation until 1997. That year, China's sole legislative body, the National People's Congress passed CL97, a law that criminalizes "cyber crimes", which it divided into two broad categories: crimes that target computer networks and crimes carried out over computer networks. Behavior illegal under the latter category includes among many things the dissemination of pornographic material and the usurping of "state secrets."
Some Chinese judges were critical of CL97, calling it ineffective and unenforceable. However, the NPC claimed it intentionally left the law "flexible" so that it could be open to future interpretation and development. Given the gaps in the law, the central government of China relies heavily on its administrative body, the State Council, to determine what falls under the definitions, and their determinations are not required to go through the NPC legislative process. As a result, the CPC has ended up relying heavily on state regulation to carry out CL97.
The latter definition of online activities punishable under CL97, or "crimes carried out over computer networks" is used as justification for the Great Firewall and can be cited when the government blocks any ISP, gateway connections, or any access to anything on the internet. The definition also includes using the internet to distribute information considered "harmful to national security," and using the internet to distribute information considered "harmful to public order, social stability, and Chinese morality." The central government relies heavily on its State Council regulators to determine what specific online behavior and speech fall under these definitions.
The reasons behind the Internet censorship in China include:
- Social Control: The Internet is a means for freedom of speech, and dissemination of campaigns could lead to protests against the government.
- Sensitive Content: To control information about the government in China.
- Economic Protectionism: China prefers the use of local companies that are regulated by Chinese regulations, since they have more power over them. E.g. Baidu over Google.
Campaigns and crackdowns
Internet cafés, an extremely popular way of getting online in developing countries where fewer people can afford a personal computer, are regulated by the Chinese government and by local Chinese government officials. Minors are not allowed into Internet cafés, although this law is widely ignored and when enforced, has spurred the creation of underground "Black Web Bars" visited by those underage. As of 2008 internet cafés were required to register every customer in a log when they used the internet there; these records may be confiscated by local government officials and the PSB. To illustrate local regulation of internet cafés, in one instance, a government official in the town of Gedong lawfully banned internet cafés from operating in the town because he believed them to be harmful to minors, who frequented them to play online games and surf the internet. However, internet cafés in this town simply went underground and most minors were not deterred from visiting them.
In May 2015, China indefinitely blocked access to the Chinese-language Wikipedia. In contrast, the English-language Wikipedia was blocked only rarely and intermittently. China in 2017 discussed plans for its own version of Wikipedia. As of May 2019, all language versions of Wikipedia have been blocked by the Chinese government.
Blocking methods
Active filtering
One function of the Chinese firewall is to selectively prevent content from being accessed. It is mostly made of Cisco, Huawei and Semptian hardware Not all sensitive content get blocked; in 2007 scholar Jedidiah R. Crandall and others argued that the main purpose is not to block 100%, but rather to flag and to warn, in order to encourage self-censorship. An illustrative but incomplete list of tactics includes:| Method | Description |
| IP range ban using black holes | The Chinese firewall maintains a list of IP ranges that are automatically dropped. Because of the complexity to maintain a big, up-to-date banned network list with dynamic IPs, and because this method has proven not to be compatible with services using content delivery networks, it is usually used as last resort and other blocking methods are preferred. |
| DNS spoofing, filtering and redirection | One part of the Chinese firewall is made of liar DNS servers and DNS hijackers returning incorrect IP addresses. Studies seems to point out that this censorship is keyword-based. Contrary to popular belief, foreign DNS resolvers such as Google Public DNS IP address 8.8.8.8 are reported to work correctly inside the country; however, these DNS servers are also subject to hijacking as their connections aren't encrypted: DNS queries do reach the DNS server, but if the request matches a banned keyword, the firewall will inject a fake DNS reply before the legitimate DNS reply arrives. Typical circumvention methods include modifying the Hosts file, typing the IP address instead of the domain name in a Web browser or using DNS over TLS/HTTPS. |
| URL filtering using transparent proxies | The Chinese firewall is made of transparent proxies filtering web traffic. These proxies scan the requested URI, the "Host" Header and the content of the web page or the Server Name Indication for target keywords. Like for DNS filtering, this method is keyword based. Encrypting the Server Name Indication can be used to bypass this method of filtering. It is currently in development by the IETF, and is offered as a setting in Firefox. |
| Quality of service filtering | Since 2012, the GFW is able to "learn, filter and block" users based on traffic behavior, using deep packet inspection. This method was originally developed for blocking VPNs and has been extended to become part of the standard filtering system of the GFW. The method works by mirroring all traffic to a dedicated analytics unit, that will then deliver a score for each destination IP based on how suspicious the connection is. This score is then used to determine a packet loss rate to be implemented by routers of the Chinese firewall, resulting in a slowed connection on the client side. The method aims to slow down traffic to such an extent that the request times out on the client side, thus effectively having succeeded in blocking the service altogether. It is believed that the analytics system is using side-channel to estimate how suspicious is a connection. It is able to detect traffic protocols, and can measure packets Entropy to detect encrypted-over-encrypted traffic. The sensitivity can be turned up during sensitive political events. This attack may be resisted by using a pluggable transport such as Format Transforming Encryption or Dust2 in order to mimic 'innocent' traffic, and never connect to 'suspicious' IPs by always having the circumvention software turned on, yet not proxy unblocked content, and the software itself never directly connect to a central server. |
| Packet forging and TCP reset attacks | The Chinese firewall may arbitrarily terminate TCP transmissions, using packet forging. The blocking is performed using a TCP reset attack. This attack does not block TCP requests nor TCP replies, but send a malicious TCP RST packet to the sender, simulating an end-of-connection. Side channel analysis seems to indicate that TCP Reset are coming from an infrastructure collocated or shared with QoS filtering routers. This infrastructure seems to update the scoring system : if a previous TCP connection is blocked by the filter, future connection attempts from both sides may also be blocked for short period of times. An efficient circumvention method is to ignore the reset packet sent by the firewall. a patch for FreeBSD has been developed for this purpose. |
| Man-in-the-middle attacks with TLS | The theoretically allows the Chinese government to request and use the root certificate from any Chinese certificate authority, such as CNNIC, to make MITM attacks with valid certificates. Multiple TLS incidents also happened in the last decade, before the creation of the law: On 26 January 2013, the GitHub SSL certificate was replaced with a self-signed certificate in China by the GFW. On 20 October 2014, iCloud SSL certificate was replaced with a self-signed certificate in China. It is believed that the Chinese government discovered a vulnerability on Apple devices and was exploiting it. On 20 March 2015, Google detected valid certificates for Google signed by CNNIC in Egypt. In response of this event, and after a deeper investigation, CNNIC certificate has been removed by some browsers. Because of the removal being based on proofs and not suspicion, no other Chinese certificate authority has been removed from web browsers, and some have been added since then. This type of attack can be circumvented by websites implementing Certificate Transparency and OCSP stapling or by using browser extensions. |
Active probing
In addition to previously discussed techniques, the CAC is also using active probing in order to identify and block network services that would help escaping the firewall. Multiple services such as Tor or VPN providers reported receiving unsolicited TCP/IP connections shortly after legitimate use, for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor services, with the aim of facilitating IP blocking. For example, shortly after a VPN request is issued by a legitimate Chinese VPN client and passes outbound though the Great Firewall to a hidden VPN IP, the Great Firewall may detect the activity and issue its own active probe to verify the nature of the previously-unknown VPN IP and, if the probe confirms the IP is part of a blacklisted VPN, blacklist the IP. This attack can be circumvented with the Obfs4 protocol, which relies on an out-of-band shared secret.Proxy distribution
The Great Firewall scrapes the IPs of Tor and VPN servers from the official distribution channels, and enumerates them. The strategy to resist this attack is to limit the quantity of proxy IPs revealed to each user and making it very difficult for users to create more than one identity. Academics have proposed solutions such as Salmon. It is also quite helpful to have dynamic IPs for proxy servers. Resilient proxy distribution still remains a major research question.Effectiveness and impact
The Great Firewall in China has direct influence on the population's belief and way of thinking.It is mainly used by the Chinese government to promote and encourage right thinking by censoring dissident ideas. One of the main goals of the Great Chinese firewall is to create an environment where people have the same values. Therefore, the GFW is a political tool using Chinese citizens to promote Chinese Communist Party ideas, such as:
- Taiwan, Hong Kong and Tibet are part of China.
- 1989 Tiananmen Square protests should not be considered very important.
- Prohibition of pornography and obscenity.
- Democracy is not the best system for governing a country. As such pro-democracy groups should be considered as terrorists and Hong Kong protests are supposedly organized by foreign entities.
- Falun Gong and other anti CCP groups, are "outlawed".
Because the social environment of an individual does not necessarily change when moving country, there are multiple reports of Chinese users still promoting these ideas even when they are going abroad and are not under direct influence of the GFW. It is largely admitted that the GFW, as well as other means, is playing a non-negligible role in keeping stable, patriotic and CAC-compliant values.
Aside from the social control aspect, the Great Firewall also acts as a form of trade protectionism that has allowed China to grow its own internet giants, such as Tencent, Alibaba, and Baidu. China has its own version of many foreign web properties, for example: Tencent Video, Tencent Weibo, Qzone, WeChat, Ctrip, Zhihu. With nearly one quarter of the global internet population, the internet behind the GFW can be considered a "parallel universe" to the Internet that exists outside.
Circumvention
Methods for bypassing the firewall
Because the Great Firewall blocks destination IP addresses and domain names and inspects the data being sent or received, a basic censorship circumvention strategy is to use proxy nodes and encrypt the data. Most circumvention tools combine these two mechanisms:- Proxy servers outside China can be used, although using just a simple open proxy without also using an encrypted tunnel does little to circumvent the sophisticated censors.
- Freegate, Ultrasurf, Psiphon, and Lantern are free programs designed and experienced with circumventing the China firewall using multiple open proxies.
- VPNs are one of the most popular tools used by Westerners for bypassing censorship technologies. They use the same basic approaches, proxies and encrypted channels, used by other circumvention tools, but depend on a private host, a virtual host, or an account outside of China, rather than open, free proxies.
- Tor partially can be used in China. Since 2010, almost all bridges at TorProject.org are blocked through proxy distribution. Tor still functions in China using independently published Obfs4 bridges and meek.
- I2P or garlic routing is useful when properties similar to Tor's anonymity are needed. Due to I2P being much less popular than Tor, it has faced little to no blocking attempts.
- Using encrypted DNS may bypass blocking of a few sites including TorProject, and all of GitHub, which may be used to obtain further circumvention. In 2019 Firefox released an update to make it easy to enable DNS over HTTPS. Despite DNS over encryption, the majority of services remains blocked by IP.
- Ignoring TCP reset packets sent by the GFW. Distinguishing them by the TTL value, and not routing any further packets to sites that have triggered blocking behavior.
- There is a popular rumour that using IPv6 bypasses DPI filtering in China. The academic community is yet to confirm.
Developing circumvention software
- Use pluggable transports such as Obfs4 to evade Deep Packet Inspection.
- Limit proxy distribution.
Known blocked methods
- OpenVPN protocol is detected and blocked. Connections not using symmetric keys or using "tls-auth" are blocked at handshake, and connections using the new "tls-crypt" option are detected and slowed down by the QoS filtering system.
- GRE tunnels and protocols that use GRE are blocked.
- IPSec tunnels and protocols that use it are detected and slowed down by the QoS filtering system and are sometimes blocked at handshake.
- TLS, the Great Firewall can identify the difference between legitimate https TLS and other implementations by inspecting the handshake perimeters.
Exporting technology
Protest in China
Despite strict government regulations, some Chinese people continue to protest against their government's attempt to censor the Internet. The more covert protesters set up secure SSH and VPN connections using tools such as UltraSurf. They can also utilize the widely available proxies and virtual private networks to fanqiang, or bypass the GFW. Active protest is not absent. Chinese people post their grievances online, and on some occasions, have been successful. In 2003, the death of Sun Zhigang, a young migrant worker, sparked an intense, widespread online response from the Chinese public, despite the risk of the government's punishment. A few months later, Premier Wen Jiabao abolished the Chinese law that led to the death of Sun. Ever since, dissent has regularly created turmoil on the Internet in China. Also in January 2010, when Google announced that it will no longer censor its Web search results in China, even if this means it might have to shut down its Chinese operations altogether, many Chinese people went to the company's Chinese offices to display their grievances and offer gifts, such as flowers, fruits and cigarettes.Arguments against the GFW
Critics argue that the GFW is a consequence of China's paranoia of the potential that the Internet has of spreading opposition to their one-party rule. Other arguments given against China are that their method of having a limited Internet impedes freedom of speech and that it holds them down, economically speaking, by discouraging innovation, disapproving communication of important ideas and prohibiting firms the use of certain services that they use. It is also thought to be a detrimental approach for students and professors since they do not have access to resources which promote the sharing of work and ideas for a more comprehensive learning.Another important argument against the GFW and fear that the critics have is that if other big countries begin following China's approach, the whole purpose of the creation of the Internet could be put in jeopardy. If like-minded countries are successful in imposing the same restrictions on their inhabitants and globalized online companies, then the free global exchange of information could cease to exist.
Reaction of the United States
The United States Trade Representative's "National Trade Estimate Report" in 2016 referred the China's digital Great Firewall: "China's filtering of cross-border Internet traffic has posed a significant burden to foreign suppliers." Claude Barfield, the American Enterprise Institute's expert of International trade, suggested that the U.S. government should bring a case against the Firewall, a huge trade barrier, in the World Trade Organization in January 2017. 8 of the 24 more trafficked websites in China have been blocked by The Great Firewall. This has created a burden to foreign suppliers who rely on these websites to sell their products or services.The lobby's 2016 business climate survey showed 79 percent of its members reported a negative impact on business due to internet censorship.According to Stephen Rosen, the GFW is reflective of the Chinese government's fear of civil disobedience or rebellion among the Chinese population against the Chinese Communist Party's rule: