The Shawshank Prevention

The "Shawshank Redemption" has nothing to do with China, but that hasn’t kept social media censors from blocking the movie’s title from searches on the country’s most popular Twitter-like microblogging service, Weibo.

After last month’s dramatic escape by the the blind lawyer Chen Guangcheng from house arrest in Shandong Province into U.S. diplomatic custody, Weibo’s internal censors moved quickly to ban searches for Chen’s name and related terms like "embassy." People determined to discuss Chen’s case were forced to speak in code — and the Shawshank Redemption, a Hollywood movie about a dramatic prison break — quickly caught on. So did the censors. According to the California-based China Digital Times, a website that closely monitors Chinese Internet censorship, the movie title has been banned on Weibo since April 28 — along with the names of Linyi township and Dong Shigu village where Chen is from, as well as the Chinese word for "pearl," which happens to be the English name of He Peirong, the woman who helped him escape and who is now believed in custody.

Due to censorship, if one were to poll a random sample of college-educated people in China today, very few would know about Chen. Concern for his case is limited mainly to liberal-minded bloggers, social media mavens, and intellectuals who make a point of seeking out and passing around alternative news. Nobody knows exactly how large this group is, but Xiao Qiang, founder of the China Digital Times, estimates that it may amount to roughly 2-3 million people.

As Secretary of State Hillary Clinton arrived in China for high-level diplomatic talks already overshadowed by Chen’s case, this small but elite group was following news of her visit. To get the full story, however, they had to circumvent the nationwide Internet censorship system known popularly as the "Great Firewall of China" that keeps Chinese social media and other domestic web services within a censored walled garden. Some use circumvention software funded by Clinton’s own State Department. But as Washington has been learning the hard way, bringing free and open Internet to a critical mass of Chinese people is neither cheap nor easy.

Since 2008, the State Department has spent more than $70 million on "Internet freedom programming" worldwide. In budget year 2012 it will spend $25 million and is requesting $27.5 million for 2013 — one of the few government expenditures, it seems, that garners bipartisan support these days. The Broadcasting Board of Governors (BBG), which runs the Voice of America, Radio Free Asia, and other services aimed at audiences in countries without a free press, was given $10 million by Congress to spend in the current fiscal year and is requesting an increase for next year.

After Secretary Clinton announced in January 2010 that Internet freedom would be a major pillar of U.S. foreign policy, the State Department decided to take what Clinton calls a "venture capital" approach to the funding of tools, research, public information projects, and training. Censorship, as it turns out, is only one of many threats faced by people seeking to speak, assemble, and access information online. Other threats include surveillance, spyware, hacking of activist websites and social media accounts, and total Internet shutdown — something that most famously happened last year in Egypt but has happened elsewhere. The Chinese government sometimes shuts down the Internet and mobile services in specific areas where unrest occurs. Faced with a global mandate and a multitude of threats to online freedom, the State Department says it funds the development and deployment of more than 20 different circumvention and secure communications technologies, in addition to in-person training for thousands of activists in different parts of the world, as well as online campaigns to raise public awareness about censorship and surveillance.

This approach came under attack in 2010 from administration critics who argued that the State Department should instead focus the bulk of its funding on circumvention tools called Freegate and Ultrasurf, created by members of the Falun Gong religious sect, a group that is banned in China and whose members are well documented to have been victims of widespread human rights abuses at the hands of Chinese authorities. Created roughly a decade ago by volunteer programmers working out of the homes of Chinese exiles in the United States, they are among the earliest widely adopted non-commercial tools developed specifically to subvert the censorship of an authoritarian regime. Demand for such tools by Internet users in China has spiked over the past several months in the wake of the political leadership crisis triggered by the public downfall of Chongqing Party Secretary Bo Xilai. According to the Ultrasurf team, traffic from China on the project’s servers jumped from 70,000 users per day last December to around 200,000 in April — spiking to a high of 270,000 on April 11, right after the arrest of Bo Xilai’s wife in connection with the suspected murder of British businessman Neil Heywood.

While Freegate and Ultrasurf have received some modest funding from the State Department over the past year and have received support from the BBG since 2003, advocates have argued that more robust funding could be politically game-changing in countries like China. In promoting their software to the media, however, the Ultrasurf team in 2010 allowed a journalist from WIRED and a columnist from the Washington Post to view their internal user logs, demonstrating that the project not only collects data about who their users are and their online activity, but that users’ privacy is not particularly well-guarded once it hits Ultrasurf’s servers in the United States. Security experts began raising concerns about the software’s vulnerability to attack, infiltration, and data theft. In summer 2011, Jacob Appelbaum, a security researcher and developer who works on Tor, a free and openly developed tool that helps Internet users obscure their traffic from surveillance (and which also receives U.S. government funding), conducted an analysis of Ultrasurf because, he explained, he had "seen people promoting it without also offering evidence that it is safe."

Appelbaum’s findings, shared in draft form with funders and with Ultrasurf in December and made public last month over the objections of what he describes as "multiple parties," were startling: "We find that it is possible to monitor and block the use of Ultrasurf using commercial off-the-shelf software," he wrote. The security vulnerabilities, he warned, could present "life-threatening danger in hostile situations." He provided technical evidence to refute claims on the Ultrasurf website that user activity would be rendered "untraceable," stating that "Ultrasurf not only leaves traces on the network level, it additionally leaves traces on the system where it is used" — your computer. He also discovered that Ultrasurf’s engineers had failed to keep their servers updated with the basic security "patches" necessary to protect against attackers.

Ultrasurf refuted a number of Appelbaum’s technical claims. While the developers fixed some other security problems pointed out in Appelbaum’s report, Ultrasurf argued that the tool "is not designed primarily as a privacy tool" but as an anti-censorship tool. They pointed out that while Tor’s developers work hard to make their tool as secure as possible for users, and openly publish its source code so that its workings and defects are well known, China’s censors have managed to block Tor for most users. Meanwhile Ultrasurf’s engineers have kept their tool accessible for use by millions of Chinese.

Even though Ultrasurf’s users may be less safe than they realize, neither the State Department nor the BBG are dropping their support for the software. Instead — given that millions of people around the world are already using it — they are working with Ultrasurf to make it more secure and to be more open with users about its vulnerabilities. According to a BBG spokeswoman, after becoming aware of Ultrasurf’s vulnerabilities, "we asked Ultrareach to submit it to further testing and a security review." The State Department has made it clear that disbursement of the current round of funding committed to Ultrasurf will be contingent on peer review, as well as revision of Ultrasurf’s instructions and explanatory documentation for users, to make sure that users are aware of its strengths and vulnerabilities. "One reason we have funded a range of tools as well as training," explains Deputy Assistant Secretary Dan Baer, "is so that people can be aware of risks and tradeoffs associated with different tools."

As Xiao Qiang of the China Digital Times describes it, the two or three million Chinese Internet users who make regular, active efforts to get around censorship are using a variety of different circumvention tools — well over half if not two thirds of which he estimates are not U.S. government-funded at all. People who work in IT-related jobs partner with friends overseas to buy their own server space and create their own private secure tunnels to an outside connection — often making some money on the side by selling access to friends and colleagues. The security of such setups varies, but most people are focused simply on accessing banned websites and aren’t thinking about surveillance. White-collar workers with credit cards use commercial "virtual private network" services — a booming business, often run by companies about which the users know very little, and about whose security practices even less is known. Others are using "free proxy" services — linking users to overseas computer servers whose owners are generally unknown, which work for a while before getting blocked. Others use Freegate and Ultrasurf. The more hard-core consumers of content from the Voice of America and Radio Free Asia may use another U.S.-government funded tool called Psiphon, or the most security-conscious activists may find a way to use Tor through secret bridges obtainable only directly from the project’s developers. But it’s a cat-and-mouse game between the authorities and the users. "As far as China is concerned none of them are reliable so people are constantly switching," says Xiao.

Chinese users generally find out about these tools through word of mouth, and teach each other how to use them. Independent security researcher Collin Anderson argues that the funders of circumvention tools for free expression and human rights purposes need to put more resources into global public education about how the Internet works along with basic principles of computer security so that people understand their risks and can make informed decisions about what tools to use: The most secure tools tend to be more difficult to use, while faster speeds and ease of use come at a security cost. "Different kinds of people have different threat models, which requires different solutions," he believes. Ultrasurf should not be used by people whose lives are in clear and immediate danger if their online activity is tracked. Such people must understand the importance of trading connection speed and ease of use for slower and more cumbersome, but safer tools, and invest the time to learn how to protect themselves properly. (While Tor, designed specifically for people seeking to evade surveillance, does not generally work in China, it does work in most other countries.)

Because every tool also has different weaknesses and vulnerabilities, Anderson argues that funders also need to support as wide a range of quality, well-documented tools as possible. "Diversity of tools will make it harder for governments to control what people are doing online," he argues. Diversity — and healthy competition — will keep developers on their toes. Government funders must also set and enforce strict standards for peer review, pre-release testing, quality and security standards if it they are to avoid contributing to the endangerment of activists who might unknowingly use a tool for purposes to which it is not suited.

Whether or not the U.S. government funds circumvention tools, or who exactly it funds and with what amount, it is clear that Internet users in China and elsewhere are seeking out and creating their own ad hoc solutions to access the uncensored global Internet. In China today, thanks to the government’s success in nurturing a domestic commercial walled garden, circumvention technology has not been a direct driver of political change. Yet circumvention tools of various kinds have provided a lifeline for a small core of tech-savvy liberals who are becoming more active online as political uncertainty grows. Meanwhile, the recent political uncertainty is driving new demand for circumvention technology, which could make it just that much more difficult than in the past for the government to control what the Chinese public learns — or believes — about Chen Guangchen and this week’s delicate diplomatic dance between Washington and Beijing.