Big Mama's Field of View

The Present and Future of
Internet Control in China

Jared Friedman
January 2006
China’s Two Social Revolutions
TF: Dian Yang

Abstract
Both in the Western news media and in the academic literature there has been
much debate on what effect the free information flow that we associate with the internet
will have on China, and on whether China can effectively censor the internet. This article
reviews arguments that have been made on both sides and considers additional technical
and survey data in an attempt to come to some resolution on the issue. Novel data on
current blocking techniques is collected using proxy servers. These novel results show
that simple methods of evading internet controls in China exist today. I conclude,
however, that unless a couple of somewhat speculative technologies are developed, China
should, given sufficient intent and investment in technology, be able to nearly eliminate
the amount of unwanted information viewed online.
A Brief History of Internet Filtering in China
Since the very beginning of the availability of internet access in China in 1994,
the Chinese government has attempted to control and filter internet access. (“Internet
Filtering in China”, 2005) Considering that China has always exerted strict controls over
available information and that the internet is basically just another source of information,
this is hardly surprising. In fact, China initially totally rejected the internet, and only
came to gradually tolerate it when it became clear that one, the internet was here to stay
and there wasn’t anything China could do about that (Endeshaw, 2004) and two, that it
seemed possible to control the internet much as other forms of communication had been
controlled (Gutmann, 20002). According to Article 5 of the 1997 regulations (taken from
Sohmen, 2001), which provide one of the more extensive lists of outlawed content, the
prohibited content includes all material which is:
i. Subversive of state power or the socialist system
ii. Damaging to national unity
iii. Inciting discrimination between nationalities
iv. Disturbing to social order
v. Propagating feudal superstition
vi. Pornography, gambling or violence
vii. Insulting or libelous
viii. Violating the Constitution or other laws
Clearly, this casts a fairly wide net. China has a number of ways of implementing these
prohibitions. The first line of defense has become known, somewhat derisively, as the
Great Firewall of China (Barmé, 1997). The firewall works primarily by having state
workers scour the internet for objectionable content on servers outsides of China and add
certain sites to a country-wide black-list. The intention is that when people in China try
to visit these sites, they receive an error saying the page could not be found and are
unable to access the blocked content.
From both a political and technological perspective, the reason that China was
able to implement the firewall easily is that providing internet access to China (as to any
other country) requires the construction of certain very expensive telecommunications

2

equipment (primarily routers, switches, and fiber optic lines) to connect the network in
China to the broader internet outside of China. There are currently only nine operators of
such interconnecting networks (“Internet Filtering in China”, 2005), of which the biggest
are China Telecom, China Netcom, China Science and Technology Network, and China
Unicom (Tan, 1999). All international connections must go through these
interconnecting networks, and despite rumors of illicit cables running from Hong Kong to
Guangzhou (Gutmann, 2002), secret illegal connections would be extremely difficult to
build. Thus, the government’s firewall need be implemented only at the routers of those
nine operators, which is quite simple to organize.
The second line of defense against prohibited content is monitoring. No one
knows the extent or architecture of the Chinese monitoring apparatus, because unlike
filtering, which can be directly observed, there is no way for researchers to see what is
being monitored. According to Amnesty International, at least 54 people were
imprisoned in 2003 for internet crimes detected through China’s internet monitoring
apparatus(“Controls Tighten”, 2004), and it is likely that this significantly understates the
true figure. There are several possible types of monitoring. The simplest is to find
objectionable public websites or blogs run by people in China and trace these back to the
actual individuals. All of Amnesty International’s 54 prisoners for which there was
sufficient information appear to have been caught this way. The more sophisticated type
of monitoring is to watch all of a user’s internet browsing and email traffic. There is little
doubt that China has some capabilities along these lines, but the details are unknown.
Monitoring of the internet is not useful to the Chinese authorities unless they can
connect content they find with actual people to arrest. As late as 2002, there were about
200,000 internet Cafés in China, some of which were open 24 hours a day, and whose
clientele consisted almost entirely of teenagers and young adults (Endeshaw, 2004).
Rules supposedly required clients to register with the managers of the cafés and to
produce valid ID’s, but such rules were apparently routinely ignored (Neumann, 2001).
Without a record of who was using what computer, illegal content that passed through
computers in cafés could not be traced back to anyone. However, times have changed.
The situation was ripe for a crackdown, and helped along by the convenient excuse of a
fire in an internet café in Beijing in June 2002 which reportedly killed 24 people, the
authorities placed strict new regulations in place. Thousands of cafés have been shut
down all over the country (“Internet Filtering in China”, 2005). Internet cafés must now
close by midnight, restrict access by minors, and most importantly, must have all patrons
register by ID on entry and keep records of who was using what computer for 60 days.
It is not easy to use home internet connections anonymously anymore, either. A
1996 law requires all users of the internet from home to register with the Ministry of
Public Security within 30 days of making a connection. The Measures for Managing
Internet Information Services, issued in 2000, requires that ISPs track the IP addresses
assigned to their customers and keep records of all websites visited for 60 days (Tsui,
2001). With these records, it should usually be a simple matter for authorities to trace
detected illegal activity back to an IP address, and from that to an individual.

3

A final line of defense against illegal internet activity is to outsource everything.
In 2002, all ISPs in China had to sign a pledge to work comply with “safeguarding the
information safety of the State, upholding the overall interests of the industry and the
interests of the users, and improving the service quality of the industry” (Endeshaw,
2004, p. 48). Through this and many other regulations, China has begun to put the
burden of filtering and monitoring on the ISPs. ISPs are now supposed to do their own
monitoring on top of whatever monitoring may be happening at the backbone level, and
to report signs of suspected illegal activity. The ISPs have, of course, complied to a great
extent. For the rest of the paper, however, I will not often consider the distinction
between blocking/monitoring at the ISP level and the same at the backbone level because
both ultimately face the same technical challenges.
Literature Review
A great deal has been written on the question of what effect the internet will have
on political openness in China, and on whether the Chinese government will be able to
successfully block unwanted political information from the internet. A complete review
is, of course, impossible, but here I would like to give just a flavor for the diametrically
opposed opinions that exist even within the academic literature. In the late twentieth
century, the dominant point of view seemed to be that the internet would have vast
transformative effects on authoritarian governments worldwide. In March 2000 President
Bill Clinton said
We know how much the internet has changed America, and we are already
an open society. Imagine how much it could change China. Now, there’s
no question China has been trying to crack down on the internet --- good
luck. That’s sort of like trying to nail Jello to the wall.
(Tsui, 2001, p. 6)
Many academic articles agreed with Clinton. In 2002, Jason Lacharite published an
article subtitled “A Critical Analysis of Internet Filtering Policies in the People’s
Republic of China,” in which he “concludes that digital censorship is unworkable”
(Lacharite, 2002, p. 333). Similarly, Assafa Endeshaw argued that “Above all, China’s
fixation with shutting out the Internet as a means of mass communication and flow of
information will only shorten the days of the dictatorship” (Endeshaw, 2004, p.41).
There is still plenty of this sentiment (e.g., Pan, 2005). However, after many years of
internet censorship with no massive political event in sight, the overall tone of the debate
appears to have drifted towards a sentiment that the internet censorship will likely be
basically successful. One of the earlier and more powerful advocates of this position was
Lokman Tsui in his master’s thesis and other writings.
Some Analysis of Previous Literature
Why has there been such disagreement? More importantly, what are the
underlying differences that cause such opposing beliefs? Surely, a complete answer is
impossible, but I believe that a partial answer can come from drawing a distinction

4

between filtering and monitoring, a distinction which I believe has often been lost. To be
clear, filtering refers to blocking websites, email, or other electronic communication so
that people are technologically prevented from certain actions. Monitoring refers to
secret detection and recording of illegal activities, which is used either by making arrests
of the parties involved or at least issuing stern warnings directly to them.
Looking at articles written on the subject, it appears that it is generally the case
that articles that forecast free internet in China in the long run focus on the filtering and
the ease of avoiding it, while articles that forecast tightly controlled internet focus on the
potential of monitoring. This article will not attempt to determine the exact extent to
which this is true by examining all relevant publications, but it is worthwhile to at least
quote some examples. In “A Critical Analysis of Internet Filtering Policies in the
People’s Republic of China,” Jason Lacharite describes a number of anti-censorship
technologies; one of the primary ones he mentions is sending blocked pages and other
taboo information over email. About this he says that “for every e-mail account that is
disabled, several more are created to meet the demand for China’s growing online
community” (Lacharite, 2002, p. 344). But as we have already seen, China possesses the
ability to easily trace most email accounts back to their owners. If the person sending
emails is disabled along with his email account, several more emailers will not be
created.
By contrast, in his thesis on the subject, Lockman Tsui (2001) (taking an idea first
stated by Harvard’s Lawrence Lessig) compares the internet in China to the Panopticon.
The Panopticon is an idea for a prison invented by Bentham in which prison guards are
able to watch the prisoners at all times, but the prisoners cannot tell if they are being
watched. In this case, Bentham argues, it is not necessary to hire enough prison guards to
watch every prisoner all the time; the mere potential of being watched will be enough to
virtually eliminate unwanted activity. Lessig has argued that exactly the same principle
can be adopted for the internet. If invisible internet police could be monitoring your
every online action, then you do not need enough police to actually monitor everything
all the time – the mere threat of an unknown probability of being detected combined with
harsh penalties on detection will strongly discourage illegal internet activity.
An important part of the arguments of Lacharite (2002), Tang (2000), and others
is a “just keep trying” philosophy: if one method of accessing restricted content is
blocked, the internet provides so many ways of accessing information that one can just
keep trying until one finds a method that isn’t blocked yet. This technique works well in
American libraries, which are required by law to install commercial filtering systems, and
allows technically inclined American teenagers to circumvent school censoring systems
with minimal repercussions. Even though advocates of the efficacy of internet filtering
may argue with this notion (Tsui, 2001) it appears to be basically correct – certainly, it is
still very possible to access illegal content in China, as the findings of this paper show.
However, by trying method after method of evading content – each of which may be
monitored and recorded – a dissident may be walking right into a trap and providing ideal
incriminating evidence to the authorities.

5

Research on Current Blocking Techniques
As stated previously, it is very difficult to detect what monitoring might be
occurring in China, as such information can only really be gleaned by attempting to
determine how certain arrests were made. However, one can determine what is and what
is not blocked in China by simply comparing access to certain sites in China with access
in a non-regulated country. There have been number of crucial empirical studies which
have done just this. The first major study on exactly what the Chinese censors are
blocking was done by Jonathan Zittrain and Benjamin Edelman from Harvard’s Berkman
Center for Internet & Society (“Empirical Analysis”, 2003). Zittrain and Edelman,
working from Harvard, connected remotely to computers in China both by using proxy
servers and by dialing into foreign ISPs. They then attempted to access content that they
suspected would be blocked and recorded a long list of blocked and not blocked sites. By
trying many similar requests, they were even able to reverse engineer much of the
blocking apparatus and to determine how the blocking was done technologically.
They found four methods of blocking: web server IP address, DNS server IP
address, keyword, and DNS redirection. The most important of these are web server IP
address and keyword blocking. DNS server IP address is difficult to distinguish from
keyword blocking; in fact, I suspect on the basis of my own experiments with proxy
servers (discussed below) that the authors may have mistaken some DNS server blocking
with keyword blocking, or at least did not explain how they distinguished. Apparently,
the earliest blocking done was mostly by server IP address. However, as Edelman found
in other research (Edelman, 2004), more than 87% of active domain names share their IP
address with other domain names, and therefore any server IP address blocking scheme is
bound to suffer from significant overblocking (unintentional blocking of unobjectionable
content), which Edelman and Zittrain also document.
Beginning in roughly 2001-2002, China began blocking based on keywords in the
URL. This is a more sophisticated blocking technique which requires more sophisticated
routers. However, the Cisco 12000 series and later routers which make up much of the
Chinese backbone, are perfectly capable of doing such URL filtering and, crucially, doing
it extremely fast, a capability which was ostensibly built to help filter internet worms and
viruses. For example, Edelman found that all URL’s containing the string “jiang+zemin”
anywhere were blocked.
In September 2002, China cut off access to Google, redirecting viewers to stateapproved search engines (“Internet Filtering”, 2005). In addition to the fact that one of
the top results in a Google search for “Jiang Zemin” was a “slap the evil dictator game,”
(Endeshaw, 2004, p. 47) the primary concern with Google appears to have been not the
search engine itself, but its widely known cache of all the documents on the web (Lyman,
2002). Many viewers had apparently learned that they could access blocked pages by
simply viewing Google’s cache of those pages. Google negotiated with the Chinese, and
a few weeks later access was restored. A major study of the mechanics of the Chinese
firewall was done by the OpenNet Initiative in 2004-2005, in collaboration with the same
researchers who did the Berkman study. The ONI study gives a good hint as to what the

6

terms of the settlement between Google and China were. The study found that all URLs
containing the string “search?q=cache” were blocked in China, no matter where the string
appeared. This is, of course, part of the URL required to make a query to the Google
cache, and so the Google cache is now blocked in China. However, the study also points
out some fairly gaping holes in the current blocking mechanism. Apparently, simply
inserting an ampersand into the string, making the string “search?&q=cache” fools the
firewall but does not bother Google’s server. Also, the Yahoo cache, despite being
essentially equivalent, remained accessible at the time of the study. I was able to confirm
in my own data collection that the Yahoo cache remains inexplicably accessible.
Like the Berkman study, the OpenNet Initiative study conducted detailed
empirical work to find out what sites were and were not blocked in China. I will quote
the ONI study, as it is the more current. The ONI found that blocking of specific
objectionable sites was fairly extensive. 82% of the top 100 Jiang Zemin sites (based on
a Google search) were blocked. 100% of the top 7 Falun Gong sites were blocked. 93%
of the top 100 Chinese Labor Party sites were blocked (“Internet Filtering”, 2005). Some
of the ones not marked blocked may have just been inaccessible, and some of them may
have been deemed to be an appropriate view of the subject matter. However, the study
also found a large number of notable lapses in the firewall. It seemed particularly bad at
blocking pornography, filtering only 13% of sites tested, compared to 70-90% filtering by
leading commercial packages (“Empirical Analysis”, 2003). Even for Falun Gong,
perhaps the most actively blocked content, only 44% of the top 100 sites for Falun Gong
were blocked. It seems unlikely that 56% of these sites were actually anti-Falun Gong;
in fact, repeating the Google search today and taking but a quick glance at the sites listed
shows that almost all of them are critical of the Falun Gong crackdown. It is not clear
why these sites were still accessible, as it is certainly within the Chinese government’s
technical capability to block them.
Research on Chinese Internet Usage
Looking at technical filtering practices is only one side of the coin – looking at
Chinese internet usage patterns and popular sentiment and their reaction to the censorship
is a key component to the internet censorship question. The China Internet Network
Information Center, a governmental organization, conducts a semi-annual survey of
Chinese internet usage and popular sentiment. However, the survey, in addition to being
considered notoriously inaccurate (“Empirical Analysis”, 2003), is government
sponsored, and so does not even mention internet censorship.
The best survey done on this issue is a 2005 study done by the Markle Foundation
of internet usage in five major Chinese cities. Perhaps surprisingly to Western observers,
36.8% of interviewees believed “it is very necessary” to manage or control the internet,
and 45.6% believed “it is somewhat necessary.” Only 3.5% believed it was “not
necessary” or “not necessary at all.” Interestingly, this last percentage has decreased
significantly since 2003, when it was 12.1%, and even since 2004, when it was 5.8%
(Markle Foundation, “Surveying Internet Usage”, 2005). However, in a follow-up
question, interviewees were asked what specific content needs to controlled, and the

7

responses to this question paint a different picture. 85% of interviewees thought
pornography should be controlled, 73% thought violence should be, and 52% thought
spam should be. But only 8% thought that politics should be controlled. Clearly, the
government’s opinion is not aligned with the people’s on this question.
The Markle Foundation study also asked the Chinese interviewees what they
thought about the political impact of the internet. 45.1% of interviewees “agreed” or
“strongly agreed” that “using the internet, people can have more political power”
(“Surveying Internet Usage”, 2005, p. 98). 62.8% “agreed” or “strongly agreed” that
“using the internet, people will have better knowledge of politics.” Among internet users,
the percentage was 79.2%. Comparatively, less than 40% of respondents in Spain and
Sweden agreed when asked the same question. Finally, 54.2% of interviewees “agreed”
or “strongly agreed” that “using the internet, people will have more opportunities to
criticize the government.” Only 20% of respondents in the USA agreed to that statement.
Clearly, a large percentage of internet users in China – who are the people who should
know – still believe that the internet will give them greater access to freedom of political
expression.
Anti-Censorship Techniques: Spam and Dial-up
Many techniques for evading internet filtering systems have been proposed in the
literature, and many, no doubt, have been put into practice. This section will review the
most important anti-censorship technologies, taking more of an abstract perspective as to
their potential viability than a empirical perspective as to which currently work.
One of the simplest but potentially most effective techniques, within its scope, is
political spam. The idea is simple – dissident groups acquire a large number of email
addresses of Chinese citizens, and then send them political newsletters as spam, i.e.,
without asking or receiving permission to do so. Several such newsletters exist already.
The most famous of these was the “VIP Reference,” a daily newsletter which was
spammed to at least 250,000 email addresses in China (Farley, 1999). The VIP Reference
contained various pro-human rights and pro-democracy material, and news updates on
stories censored by the official press. According to its website (http://www.bignews.org),
it appears to have been discontinued as of May 2005; however, it certainly showed the
possibility of such a publication.
A crucial aspect of spamming newsletters is that since the people receiving it did
not ask for it and have no way of preventing it, they can not be held liable for receiving it.
In the long term, such newsletters may be one of the hardest information sources for the
Chinese to block. Consider, as evidence, the extreme difficulty spam filters in America
have in correctly filtering spam, despite many millions of dollars of R&D and the
enormous market for the first person to build a truly accurate spam filter. This presents a
strong argument that it is not possible technologically to build such a filter. It does not
appear that the VIP Reference ever used sophisticated anti-filter techniques such as being
sent as an image or generating random free text; however, such a publication clearly
could. It is also hardly the case that ordinary spammers have not reached China yet - in

8

the latest CNNIC survey, the average ratio of spam received to email received was almost
2:1 (“16th Statistical Survey”, 2005). Given this, it seems virtually certain that if Chinese
dissidents abroad could team up with the champions spammers of the “free Viagra” ads
(or, perhaps more plausibly, adopt their techniques), they could propagate whatever
newsletters they wanted to the inboxes of most Chinese.
Inevitably, however, emailing newsletters is a sharply limited tactic. It offers only
one-way communication, and only communicates what the newsletter writers choose to
communicate. An optimal anti-censorship technique would have to allow full free email
and internet access. One of the simplest and yet fairly effective techniques for this is to
dial into a foreign ISP. Using an ordinary modem to dial into an account at, say, a Hong
Kong ISP allows someone in China to completely evade the Chinese firewall and internet
monitoring system since the information never travels over the Chinese internet
backbone. A report from the Global Internet Liberty Campaign argues that “Even if the
telephone company is state-owned, it cannot differentiate a telephone call to a foreign
server from an international fax” (“Regardless of Frontiers”).
Unfortunately, things are not so simple. While the dial-up solution undoubtedly
evades all internet filters, it cannot be guaranteed to evade all government monitors.
Paying the foreign ISP, likely by credit card or cheque, creates a low-tech evidence trail.
Also, dialing in to a foreign ISP necessitates dialing a number that belongs only to that
ISP, and it would not be too difficult for the Chinese government to gather a fairly
complete catalogue of such phone numbers, at least in nearby areas, and to monitor all
calls to those numbers. Alternatively, the government could make use of the fact that
people tend to spend a lot of time on the internet, whereas the number of multi-hundred
page international faxes sent from China is probably very small. All long international
data transmissions could be monitored and their numbers investigated. The good news
for potential users of this technique is that even if the government were to suspect dialing
into a foreign ISP, it is, while technically possibly, very unlikely that they could
determine the information being transferred, as the technology to decode data over phone
line transmissions while merely listening in on the call is complex and not at all
widespread. Nevertheless, the non-negligible risk and especially the low speed and very
high cost of this strategy guarantee that its use will not become widespread.
Anti-Censorship Techniques: Proxy Servers
The most important anti-censorship technology is the proxy server, and its role in
evading internet censorship deserves a detailed exploration. A complete technical
explanation of proxy servers is beyond the scope of this article, but briefly, a proxy server
is just a computer (either server-class or an ordinary PC) that allows itself to be used as
an intermediary in internet requests. Proxy servers have many uses, including, ironically,
powering internet censorship, but here is how they can be used to evade internet
censorship. Say, for example, that someone in China wants to access the website
www.falundafa.org. Unfortunately for this individual, the IP address of this website,
currently 216.127.147.243, has been blocked in China and all request directed to this IP
address are blocked. But what the user can do is to send a request to a proxy server, say,

9

for example, the popular proxify.com. The request is rather like the computer translation
of “Please send me the data in www.falundafa.org.” The proxy server faithfully
complies, accessing the site itself and sending along the requested data, which is then
displayed normally. This request is not blocked because it did not go to the blocked
website – it only went to proxify.com, which we are assuming for the moment is not
blocked. ISP’s internet histories will show only that the user accessed proxify.com, not
falundafa.org.
Proxies provide a cheap, simple, and highly effective method of defeating internet
filters, and it appears that their use in China is quite common. Data from a Chinese
Academy of Social Sciences survey showed that 10% of internet users admit to regularly
using proxy servers to defeat censorship (Walton, 2001). Lin Neumann (2001) found,
more anecdotally, that students in internet café’s regularly used proxies to read foreign
news sites. Most incredibly, Nina Hachigian (2001) found that most computers in
Beijing internet cafés were preconfigured to use international proxies.
Proxies are certainly the most popular method of circumventing internet
censorship in China. Nevertheless, they are hardly a foolproof solution. Lokman Tsui
has been particularly critical of proxy servers as an anti-censorship device, claiming
several inadequacies. While some of his points are valid, many of the problems he and
others have argued for are either not problems or are easily avoided. Given the current
state of the debate on proxy servers, a clarification of these issues is definitely in order,
and the following attempts to clear up certain misconceptions.
One argument Tsui makes against proxy servers is that “there is no commercial
incentive in running a proxy server” (2001, p.33), and therefore that not many will exist
in the long run, and service will be intermittent. However, this is very clearly not the
case. To see the commercial incentive in running a proxy service, it is important to
distinguish between an HTTP or HTTPS proxy and a CGI or PHP proxy. The former
type of proxy is connected to by changing one’s internet settings, usually in a browser
control panel. Once this change is made, there is no other sign on the user’s machine that
a proxy is being used; one types the address to connect to in the ordinary URL box of the
browser and the translation to a proxy request is made transparently. With a CGI or PHP
proxy, by contrast, a user actually goes to the proxy server’s website. The website is
designed with a control bar at the top, as shown in Figure 1.

10

Figure 1. Typical design of a CGI/PHP proxy service.
As can be clearly seen from the figure, CGI/PHP proxy services present an obvious
business model. The client gets free, anonymous, fire-wall proof browsing, and in return
the operator of the proxy service gets to show the user ads the entire time the user is
browsing. The Google ads shown at the top automatically change to be targeted to the
content of the webpage being viewed, which means that the operator of the proxy service
does not need to negotiate with individual advertisers; the world’s largest collection of
online ads can be called upon and perfectly targeted with a simple Google advertising
account. Scripts for making these proxy servers are open source and freely available
(see, http://www.jmarshall.com/tools/cgiproxy/ and http://sourceforge.net/projects/phpproxy/). This business model makes it possible for anyone with a spare computer, a static
IP, and a bit of technical know-how to put their computer to use earning some extra
money with no cash down for them. Even operators of an HTTP based proxy service can
make money. While they cannot advertise on the HTTP service, they can use the
popularity of the HTTP service to promote a CGI/PHP service. They can also offer
premium services for paying members and use the popularity of the free service to
promote the paid service. Tsui also argues that these servers will necessarily be slow; but
a simple empirical test of many of the most popular proxies showed that they were in fact
usually very fast. Given that there are hundreds, if not thousands, of free CGI/PHP proxy
services online, there is little doubt that this business model is entirely viable, and it
appears to be gaining in popularity.

11

However, the ultimate problem with proxy servers is that they, just like Falun
Gong websites, can be blocked by the censors. All proxy servers need an IP address and
usually a URL too, and the censors can simply set their routers to block requests to these
IP addresses and URLs. The Chinese government is certainly not oblivious to this
loophole. Since 2001, it has blocked a number of popular proxy services, including the
infamous anonymizer.com service (Tsui, 2001) (“Internet Filtering”, 2005). The most
common way of finding a proxy server is to do a Google or similar search for “free
proxy” or use one of the pages known to list free proxies, like proxy4free.com and
proxy.org. Clearly, internet censors could follow exactly the same techniques to find
these proxy servers and block them like they have blocked other websites.
While this remains an inevitable possibility, several factors complicate the matter
for the authorities. The first is that in addition to the proxy servers run intentionally by
people either as an act of goodwill or for profit, there are thousands of proxy servers run
unintentionally by system administrators who incorrectly configured their servers and left
them open as free proxies. There are now a number of free programs which are capable
of scanning random IP addresses for such free proxies and reporting when ones are
found. Of course, the authorities have the ability to run such programs too and to block
all free proxies found. However, any attempt to do this will be frustrated by the fact that
there are thousands of such servers which change much faster than ordinary dissident
sites. Also, many of these proxies also run real websites with presumably
unobjectionable content, so blocking them all could result in major overblocking; the
extent of this overblocking is not easy to determine. However, if the authorities became
more concerned, they could block all webpages with URLs that include the string
“proxy”. While this would not block proxy servers themselves, it would block any
attempt to use a search engine to find proxies, and it would block almost all pages that list
proxies, and it would probably suffer from very little overblocking.
One simple but clever solution to the problem of having the authorities blocking
proxies is to use certain services that are not advertised as proxies but nevertheless
function as such. One such creative proposal, made as a simple comment on a website
(http://www.oreillynet.com/pub/h/4807), is to use the Google translation service as a
proxy. Google offers a free online translator which allows you to browse foreign
websites in your own language automatically translating all text. However, it also works
as a simple proxy server. The article recommends entering URLs in the following form:
http://www.google.com/translate?langpair=en|en&u=www.forbiddensite.com

This will show you forbiddensite.com, but to a firewall, it will appear that you are only
accessing Google. Of course, the censors could block all access to the Google translate
feature; however, the fact that Google just released the beta version of an astonishingly
accurate Chinese (simplified only, for now) to English translator1 is likely to make this a
fairly unpopular restriction. In addition, there are countless websites which intentionally
offer free proxies, though they don’t call them that, in order to keep visitors on their site.
1

This statement is based only on personal experience, and only on the Chinese to English translator, which
appears to be very good. It was not possible to test the English to Chinese translator.

12

For example, when a user of howthingswork.com clicks a link which looks like it will
take him to a third-party website, the link instead takes him to the website opened within
the howthingswork.com proxy. This allows howthingswork to continue to show him a
banner at the top with ads and perhaps also to display pop-up ads and monitor his internet
surfing, while confusing the user, who thinks he has left the howthingswork site.
About.com and countless other websites play the same somewhat devious trick.
However, this trick could easily be exploited by a savvy Chinese web user, by entering
URLs such as
http://howstuffworks.com/framed.htm?url=http://fofg.org

Which would take the user to the Friends of Falun Gong page while showing the
howstuffworks.com bar at the top of the page. This appears at first to be a pretty good
solution to problem of the authorities blocking proxies, since it seems unlikely that the
authorities will find and block all the major websites which play the little proxy trick.
However, hijacking about.com or Google as a proxy and most more conventional
proxy services suffer from a critical flaw: they may bypass filtering, but they do not
necessarily bypass monitoring. The worst is that services like about.com and
howstuffworks.com appear to almost universally transmit the URL the user is actually
browsing (e.g., the forbidden one) in plain text as a GET parameter in the page URL.
Since ISPs keep records of internet histories for at least 60 days, a complete record of a
user’s true internet history would be just sitting there waiting for a censor to look at it.
Keywords in the URLs could trigger automatic reviews of the user’s internet use.
Susceptibility to monitoring is worst with Google as proxy or CGI proxies, which
transmit the URL as plain text. However, it appears to exist for many CGI, PHP and
HTTP proxies. Most of these proxies ultimately pass along the data from the webpage a
user requests in unencrypted form, changing only the header of the packet to fool the
firewall. If a full recording is being made of the data a user transmits over the internet, it
would be a simple matter for the authorities to extract from this record all the websites
the user visited. In addition, if the authorities ever gain the ability to look through the
entire packet being transmitted, and block packets based on keywords (e.g., “Falun
Gong”) found anywhere within the body of the packet, then this technique could even
become susceptible to filtering, for at least some websites.
The best solution to this problem is simple: only use proxy servers that offer
encrypted connections. Currently, an encrypted connection means a 128-bit HTTPS
connection to the proxy server. This is the same encryption which secures online credit
card transactions. It is very secure and cannot be broken, even by determined
government agencies. A user browsing the web using an HTTPS connection to a proxy
server can be assured that even if the authorities detect that the user is browsing through
an illegal proxy service, they will not be able to detect what the user is actually browsing,
and so will not have any evidence more incriminating than that an illegal proxy was used.
There are some proxy servers, such as proxify.com, which offer PHP browsing over an
HTTPS connection. However, because of certain technical issues, this service is much
more expensive for a typical operator to offer than an ordinary unencrypted connection is.
It is therefore the case that only a small percentage of the commercial proxy sites offer
13

HTTPS browsing for free (this is often a paid for feature for premium members), and an
even smaller percentage of proxies unintentionally left open will support it.
The final word on public commercial proxies is that proxy servers with addresses
distributed over public internet sites are a more powerful anti-censorship device than
some (e.g., Tsui 2001, Chase & Mulvenon 2002) have given them credit for. However,
even if the government is not currently effectively blocking these services, there is no
question that virtually all encrypted (over HTTPS) proxies that are advertised widely over
the internet can be blocked. While there will probably always be unencrypted proxies
that are not blocked, the government can use URL keyword and normal blocking
techniques to block the websites which allow ordinary people to find them. Internet
monitoring and packet-level filtering could make using an unencrypted proxy discovered
on one’s own (perhaps through IP scanning software) a dangerous game to play.
Data Collection
The above discussion gives several methods of potentially evading the firewall
and internet monitoring using proxy servers, but also shows that each is subject to flaws
which could theoretically prevent its use. This theoretical discussion is clearly quite
relevant, but it is also interesting to determine empirically whether these methods work
today or have already been blocked. The ONI and Berkman studies looked in great detail
at what political content was blocked, but it does not appear that any study to date has
examined in any detail what blocks have been placed on methods of evading the firewall.
To this end, I decided to conduct some experiments on the extent to which the
Chinese firewall blocks various proxy and proxy-like services. I believe that these
experiments have collected novel data on this question.
The methodology for conducting such experiments involves, ironically, yet
another proxy server. Specifically, the idea is to find an open proxy server in China and
to connect to the internet through this proxy. Then, despite being in Cambridge, I was
able to in some sense, see the internet as the proxy in China sees it, exactly as if I were
physically at the proxy server in China. I then connected to various (CGI or PHP) proxy
servers in America, creating what is known as a proxy-chain, to determine what would
happen if someone in China were to attempt to connect to those proxy servers.
My more detailed methodology is as follows. I first accessed websites which list
free HTTP proxy servers. One of the ones I had the best luck with was
http://www.samair.ru/proxy/. I then went down the list of free proxies that were said to
be in China (most sites give a country with each listing). For each IP address given, I ran
a geolocation by IP search and a whois search to determine the actual location, and
rejected it if it was not actually in mainland China. I then tried connecting to the IP
address as a proxy, to see if connectivity was present. When connectivity was present, I
first went to certain sites I knew would be unblocked (e.g., Yahoo) to make sure the proxy
was working correctly. I then went to several sites I knew should be blocked (e.g.,
http://www.chinasite.com/dissident.html) and made sure that each was actually

14

inaccessible. With this initial calibration over, I was then ready to test the Chinese
firewall.
Because there are several backbone providers in China, each with slightly
different blocking techniques (“Internet Filtering”, 2005) and because the ISPs now
implement their own blocking, the accessibility of various websites differs from point to
point in the country. Some studies, like the ONI study, have attempted to connect to
many different points at several different times to determine what is blocked where. Due
to the considerable resources required to do such experiments well, in this small study I
made no attempt to follow this example. Strictly speaking, the results for this study apply
only in the area of the proxy servers tested. However, since most of the filtering in China
is still at the backbone level, and since this filtering does not differ much from provider to
provider, it is very likely that most of the sites that were accessible in these experiments
are also accessible in most places in China. Informally, I appeared to get quite consistent
results across the proxy servers I tried, which were in disparate areas.
Here is a table of the IP addresses and corresponding whois information of the
principal proxy servers I connected to.
Proxy IP
219.144.196.226
218.64.204.61

218.56.32.230

APNIC whois Information
SHAAN XI NET MANAGE BUILDING
Xi'an city, shaanxi
CHINANET jiangxi province network
China Telecom
No.31,jingrong street
Beijing 100032
China Yinhe securities corporation Yantai branch
No.77 Jingsan Road,
Jinan,Shandong,
P.R.China

Using these proxies, I then tried imitating someone in China who wanted to
access blocked sites. The first step in such a process might be to access a page containing
a list of free proxy servers, so I first checked to see if these pages would be accessible.
To my surprise I found that they were.
Site tested
Result
http://www.publicproxyservers.com/
Accessible
http://www,proxy4free.com
Accessible
http://www.freeproxy.ru/
Accessible
http://www.proxy.org/
Accessible
I then tested some specific proxies, to see if one could connect to the proxy. The
below results do not include connecting to various forbidden sites using the proxy, but
only connecting to Yahoo using the proxy.

15

Site tested
http://www.anonymizer.com
http://www.proxify.com
http://www.ipzap.com
http://www.famous5.net
http://www.proxilla.com
http://www.hujiko.com
http://www.umzo.com

Result
Blocked
Accessible
Accessible
Accessible
Accessible
Accessible
Accessible

Clearly, the vast majority of these were accessible. The anonymizer service was
at one point extremely popular, though it appears to have become less so, and this was the
only one found blocked. Even the now very popular proxify service appeared to be
accessible. Proxify is the only one of these to offer encrypted service through HTTPS, so
it is important to clarify that because I was not able to test the HTTPS version of proxify,
only the regular HTTP version; however, I suspect that if the HTTP version is unblocked
that the HTTPS version is unblocked too.
Of course, proxies are only useful if one can access blocked sites with them. I
therefore tried accessing several ordinarily blocked sites using these proxies. The results
were interesting. For all of the PHP proxies, or proxies which encrypted the URL, all
blocked sites were perfectly accessible. I had no problems browsing falundafa.org,
http://www.chinasite.com/dissident.html, and other sites which are among the most
forbidden. However, for CGI proxies which transmit the URL as a plaintext parameter,
certain sites were not accessible. The Falun Dafa site, falundafa.org, for example, was
consistently inaccessible using such proxies. In the ONI study, they give a humorous
example, saying that Chinese authorities could give the following command to one of
their Cisco routers:
Match protocol http url “*falun*”.

This command blocks all websites whose URL contains the substring “falun”. The ONI
authors were mostly joking, but my findings seem to indicate that precisely this command
may have been given to the border routers. Of course, blocking all such addresses casts a
fairly wide net. To see just how wide, I composed the following little Google query,
which I believe should find precisely the sites which are incorrectly blocked by this
command: “inurl:falun -dafa -gong -falundafa -falungong.” According to
Google, there are approximately 178,000 such sites. Of course, given that in 1996 Zhu
Rongji said with respect to blocking internet sites, “Better to kill a thousand in error than
to let one slip through,” these 178,000 sites probably don’t concern the authorities too
much. To see if the “falun” URL blocking was being used, I tested a few of these sites,
all of which contain no content relating to Falun Gong.

16

Site tested
www.falun.se/www/falun.nsf
www.falun.cc/
www.topix.net/city/falun-ks

Result
Blocked
Blocked
Blocked

Clearly China is performing URL keyword-based filtering. With this information in
mind, I then tested some of the more creative pseudo-proxies mentioned earlier in the text
to see if they would really work. I found that, as long as one did not using the damned
string “falun”, they did.
Site tested
http://www.howstuffworks.com/framed.htm?url=http://fofg.org
http://www.google.com/translate?u=http://fofg.org%2F&langpair=en|en
http://216.109.125.130/search/cache?p=fofg.org&toggle=1&ei=UTF8&u=www.fofg.org/&d=CjeLLQ0DME-F&icp=1&.intl=us
Where the last entry indicates a query to Yahoo’s cache, which was accessible.

Result
Accessible
Accessible
Accessible

The conclusion of these simple experiments can only be that while we have shown that
the Chinese authorities could, given sufficient intent, block all the proxy services tried,
they clearly have not done so, and in fact, proxy services remain widely unblocked and
freely available. It is worth emphasizing the importance of a few unblocked proxy sites
versus for example an unblocked Falun Gong site. An unblocked Falun Gong site allows
access only to that individual site. However, a single unblocked proxy allows access to
every blocked site, and so is in effect potentially much more damaging. It therefore
seemed surprising how sparse the blocking of proxies was. Nevertheless, it is apparent
that Chinese users who are aware of proxies and are willing to take some risk can
currently access blocked content quite easily.
Conclusion
The findings of this paper indicate that many proxy servers are not blocked,
allowing for easy evasion of the firewall. However, it is impossible to determine if these
unblocked proxy services are closely monitored. With only a few exceptions,
communication over these proxies is unencrypted, and authorities could, in principle, be
monitoring and reading every packet. If the servers are neither blocked nor monitored, it
is likely only a matter of time before they will be. Is the outcome of the debate, then, that
blocking of the internet is entirely possible, and that given sufficient will and investment,
the Chinese authorities will inevitably be able to virtually eliminate unwanted
information flow?
With just a couple of possible exceptions, I believe the answer to this question is
in the affirmative. One major exception has already been discussed – it is the sending of
political newsletters via spam email. However, this is a very limited means of
communication. In my opinion, the only means of evading the firewall and monitors to
gain free full internet access is the speculative idea of peer-to-peer proxy servers.

17

The problem with proxy servers at its core is that once the Chinese government
knows about them, it will block the proxy servers, and that if the Chinese people can find
out about proxy servers, then the Chinese authorities can use the same techniques,
whatever they are, to find out about them too. The idea of peer-to-peer proxy servers is
to create a network of proxy servers so huge –in the millions-- and so difficult to detect
that it will completely surpass the ability of any government to block them without
shutting down the entire internet. The way this is supposed to be done is to allow
ordinary people to easily turn their PCs into proxy servers without interrupting their
ordinary operation. Then, computers in China can simply scan random IP addresses to
see if they are running the peer-to-peer proxy server, and if they are, make a secure
encrypted connection and allow free and anonymous internet browsing.
One such system, Triangle Boy, was released amidst much media enthusiasm in
April 2001 (Chase & Mulvenon, 2002). It was heralded as a complete, timeless antidote
to all firewalls everywhere. It was also very buggy. The Chinese government reportedly
had an easy time blocking it (Chase & Mulvenon, 2002), and the Triangle Boy project
came to an end very quickly. However, another peer-to-peer program, Freenet, has
apparently been more successful. Freenet is not intended to allow internet browsing; it is
only a file sharing network. However, Freenet is built on a strong and sophisticated
technical framework, and according to freenet-china.org, Chinese authorities have not yet
figured out how to block it.
It appears, however, that the only projects working on free internet access are the
Hacktivismo six/four project and the “Cult of the Dead Cow”’s peakabooty project. Both
of these are small, merely works in progress, and in the eyes of this author, fairly
unimpressive. Obviously there is no commercial incentive involved in developing such a
product – it will only be done by programmers with strong beliefs in internet freedom and
extra time on their hands. If a group of such programmers can figure out how to build a
peer-to-peer internet proxy system integrating strong encryption, completely irregular
innocent-looking packet traffic, extremely difficult detection of both servers and clients,
and an effortless user interface, and furthermore if they can promote such a system
widely enough in countries with and without firewalls, then I believe they could
decisively circumvent the Chinese firewall. Unless such a product is created, however,
the Chinese authorities, given sufficient intent, should be able to control the internet in
China to a great extent.

18

References
Amnesty International. (2004). People’s Republic of China: Controls Tighten as Internet
Activism Grows. AI Index: ASA 17/001/2004. Retrieved January 2006 from
http://web.amnesty.org/library/Index/ENGASA170012004

Barmé, G. R. & Ye, S. (1997) “The Great Firewall of China.” Wired 5.06. Retrieved 
January 2006 from http://www.wired.com/wired/5.06/china_pr.html
Chase, M. S., Mulvenon J. C. (2002). You've Got Dissent! Chinese Dissident Use of 
the Internet and Beijings' Counter­Strategies. RAND Corporation. 
China Internet Network Information Chinese. (2005, July).  16th Statistical Survey 
Report on the Internet Development in China.  
Edelman, B. (2004) Web Sites Sharing IP Addresses: Prevalence and Significance.  
The Berkman Center for Internet & Society.  Retrieved January 2006 from 
http://cyber.law.harvard.edu/people/edelman/ip­sharing/
Endeshaw, A. (2004). Internet Regulation in China: The Never-ending Cat and Mouse
Game. Information and Communications Technology Law. 13(1). 41-57.

Farley, M.  (1999).  Electronic guerrillas breach blocks set up by the government to 
keep citizens from seeing unorthodox news and opinions on the Internet. Los Angeles 
Times. Retrieved January 2006 from http://www.gis.net/~cht/dissidents.html
Global Internet Liberty Campaign.  Regardless of Frontiers.  Retrieved January 2006 
from http://www.cdt.org/gilc/report.html
Gutmann, E. (2002, February 25). Who Lost China's Internet?. The Weekly Standard.

Hachigian, N. (2001).  China’s Cyber Strategy.  Foreign Affairs. March­April 2001. 
118­133.
Lacharite, J. (2002). Electronic Decentralisation in China: A Critical Analysis of Internet
Filtering Policies in the People’s Republic of China. Australian Journal of Political
Science. 37(2). 333-346.

Lyman, J. (2002, September 3).  Google Responds to China Ban. Newsfactor 
Magazine.  Retrieved January 2006 from 
http://www.newsfactor.com/perl/story/19279.html

19

Markle Foundation. (2005). Surveying Internet Usage and Impact in Five Chinese
Cities. Retrieved January 2006 from www.markle.org/downloadable_assets/
china_final_11_2005.pdf
Neumann, A. L. (2001) The Great Firewall. CPJ Press Freedom Report. Retrieved
January 2006 from http://www.cpj.org/Briefings/2001/China_jan01/Great_Firewall.pdf
OpenNet Initiative. (2005). Internet Filtering in China 2004-2005: A Country Study.
Retrieved January 2006 from www.opennetinitiative.net/
studies/china/ONI_China_Country_Study.pdf
Pan, P, P. (2005, December 17). Internet appears to be weakening China government's
control of news. The Washington Post.

Sohmen, P. (2001).  Taming the Dragon: China’s Efforts to Regulate the Internet.  
Stanford Journal of East Asian Affairs. Spring 2001 (1). 17­26.
Tan, Z., Foster, W., Goodman, S. (1999). China’s State-Coordinated Internet
Infrastructure. Communications of the ACM. 42(6).
Tang, D. (2000, September 25). China goes cyber: Internet opens window to dissent as
leaders reach for economic gain. The Washington Times. Retrieved January 2006 from
http://freedomwriter.com/Archive/Issue_9/wld_04.htm
Tsui, L. (2001). Internet in China: Big Mama is Watching You. Masters Thesis.
Retrieved January 2006 from www.lokman.nu/thesis/010717-thesis.pdf.

Walton, G. (2001).  China's Golden Shield: Corporations and the Development of 
Surveillance Technology in the People's Republic of China.  International Centre for 
Human Rights and Democratic Development.
Zittrain, J. & Edelman, B. (2003) Empirical Analysis of Internet Filtering in China. The
Berkman Center for Internet & Society. Research Publication No. 2003-02.

20

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.