Punching a Hole in the Great Firewall

The ‘Collateral Freedom’ Project

In January, when the International Consortium of Investigative Journalists published its exposé of the use of offshore tax havens by Chinese politicians and business moguls, the Chinese government blocked access to the consortium’s website and to news articles about the report. Internet users trying to load ICIJ.org or follow-up stories by The Guardian, The New York Times, and other news organizations saw a familiar message: “This webpage is not available.”



“We’ll Know It When We’re There”

Jonathan Landreth
Martin Johnson (not his real name), is a co-founder of the China-based Internet freedom advocacy collective GreatFire.org. On the condition that he not be photographed, he gave the following interview to ChinaFile at an outdoor cafe in Manhattan...

So free-speech activists deployed a simple yet effective way for the Chinese public to access the ICIJ report: They uploaded it to Amazon Web Services (AWS)—a cloud-hosting service used by large companies in China. Netizens then spread the word about the AWS link, which could be accessed without a virtual private network (VPN) or other privacy software.

AWS is encrypted, and so to block the ICIJ report, the Chinese government would have to block the entire AWS domain—a step it is loath to take because it would hinder e-commerce by the country’s businesses, according to technology experts in the U.S. and China. Amazon says thousands of Chinese customers, including major corporations, depend on AWS for database management and other cloud-computing applications.

Posting the ICIJ report on Amazon was but one of the latest deployments of a strategy called “collateral freedom.” The term was coined last year in a report by the Open Internet Tools Project, a New York-based nonprofit group that fights government censorship around the world. It boldly dares censors to block access at the cost of inflicting collateral damage (in this case, on China’s economy).

Free-speech advocates say “collateral freedom” is one way for residents of China to circumvent the Ministry of Public Security’s censorship and surveillance system, which is formally called the Golden Shield and colloquially known as the Great Firewall.

China has “one of the most pervasive and sophisticated regimes of Internet filtering and information control in the world,” according to the OpenNet Initiative, a collaboration among Harvard University, the University of Toronto, and a Canadian cyber-research think tank called the SecDev Group.

The Great Firewall blocks access to thousands of websites focusing on what authorities deem politically “sensitive” issues or individuals (such as the Dalai Lama), or offer unfiltered discussions. The blocked sites include not only fairly obvious targets like the websites of human rights groups such as Amnesty International and Freedom House, but also news organizations such as Radio Free Asia and The New York Times and social networking platforms such as Facebook and Twitter. Many sites are blocked on moral grounds, because they promote pornography or gambling. Other blocked sites are less predictable, ranging from Medicare.gov and Sears.com to Internet.org and a portal on Taiwanese culture.

The Chinese government’s efforts to control the Internet have prompted countermeasures by free-speech advocates. “We believe that every Chinese netizen should have access to uncensored and high-quality reporting on Internet issues such as censorship and surveillance,” said William Valkenburg, Editor-in-Chief of Radio Netherlands Worldwide, which has started publishing content on the AWS domain. He said that’s where “collateral freedom” comes in.

“It is only thanks to the development of this new strategy that we are finally able to make such reporting available in China, and we are very excited about this.”

In recent months, groups that advocate free speech in China have used the strategy a half-dozen times to set free otherwise-blocked content, such as the ICIJ report and China Digital Times, a U.S.-based website which regularly publishes the full text of Chinese government censorship directives, maintains a “lexicon” of phrases Chinese internet users use to evade the censors, and collects satirical cartoons and other material critical of China’s leaders. The activists are betting that Chinese censors won’t block sites like AWS and GitHub, a cloud-hosting service many Chinese computer programmers use for storing data and sharing code. So far, the bet is paying off.

The loudest cheerleader for “collateral freedom” in China has been an organization called GreatFire.org, which monitors and opposes censorship behind the Great Firewall. The group has created four websites in the encrypted cloud out of otherwise blocked content.

Charlie Smith, the pseudonymous spokesman for GreatFire.org, says that under the “collateral freedom” banner, his organization is “creating ‘unblockable’ mirrors via ‘unblockable’ cloud services.” Widespread implementation of this strategy would “end online censorship in China,” Smith said in an email interview. (Smith and other GreatFire.org officials refuse to give their real names or discuss specifics of their organization because they say they fear retribution by Chinese authorities.)

Other experts doubt whether “collateral freedom” will render the Great Firewall fully obsolete, noting that it is still a challenge to spread the word of the unblockable URLs among China’s Internet users. And they wonder what will happen if China pressures Amazon to remove the content free-speech advocates have posted.

Still, the “collateral freedom” strategy is chipping away at censorship in China says Carl Levinson, a U.S. expert on technology and China who writes frequently in opposition to government control of information. “This is a cool angle—it’s fresh, it’s new,” he says.

The Open Internet Tools Project (OpenITP) report introducing the concept was based on a survey of 1,175 Chinese residents who routinely “jump over the wall” to avoid the censors. These individuals, still a tiny minority of Chinese internet users, use a variety of tools, from Virtual Private Networks to GoAgent, a browser plug-in that runs on Google’s cloud-hosting platform. But the tools have one thing in common: “the collateral cost of choosing to block them is prohibitive for China’s censors,” the OpenITP report stated.

That’s because Chinese businesses also rely on VPNs and Google’s cloud infrastructure, the study said.

“Our survey respondents are relying not on tools that the Great Firewall can’t block, but rather on tools that the Chinese government does not want the Firewall to block,” it said. “Internet freedom for these users is collateral freedom, built on technologies and platforms that the regime finds economically or politically indispensable.”

The study focused on how individuals were implementing “collateral freedom” tactics. But GreatFire.org and other groups say the report inspired them to leverage the strategy, too.

In December, their game plan got a boost when Amazon announced it was expanding its cloud-computing platform in China. According to its press release, Amazon Web Services, which provides data storage, database management, and other IT functions, has signed up thousands of Chinese businesses, such as Xiaomi, a smartphone and mobile Internet service provider; Qihoo 360, which develops anti-virus software and other computer security products; the Tiens Group, a biotechnology and health-products firm; and FunPlus Game, which makes interactive games for mobile devices and social networks.

But just as businesses can store data on AWS, so can other users. This poses a dilemma for government censors: They can’t selectively block content on encrypted cloud services, according to officials at GreatFire.org, OpenITP, and other groups. China must either tolerate the material posted on AWS by GreatFire.org and other free-speech activists—or block AWS entirely and undermine the businesses using it.

Thus, “collateral freedom” is based on a dare.

This would have been an obvious bluff a few years ago when Amazon and other cloud-hosting services had a dispensable handful of Chinese clients, says Smith, who has written an FAQ explaining GreatFire.org’s adoption of the “collateral freedom” strategy.

But now, these services have a “critical mass” of Chinese business clients, he said. “China will clearly see that blocking all access to Amazon AWS, for example, would have devastating economic consequences inside of China.”

David Robinson, a technology consultant and visiting fellow at Yale Law School’s Information Society Project who co-authored the OpenITP report, said the study did not invent the concept of “collateral freedom.” But it helped “document a trend already underway.”

“We’re glad the report has proved useful as a framing device,” he said.

This frame focuses on businesses, not dissidents. There are advantages to looking at Internet freedom “through an economic lens,” Robinson said.

“Economic growth is a value that the United States and China share. The conversation about Internet freedom sometimes takes place in ways that seem distinctively American or distinctively Western.” But, he said, more progress may be made if economic growth is the “central animating goal” of increasing access to information on the Internet.

“Collateral freedom” can be exercised in two ways, and both entail trade-offs:

  • When individuals install a VPN or similar tool, they can access any site (such as YouTube, Facebook, or NYTimes.com) that is blocked. But individual internet users must implement this solution themselves on each computer or device—a task requiring a certain level of technological competence.
  • When an organization uploads otherwise-blocked content to the encrypted cloud, it can be accessed by anybody with a computer, potentially reaching a mass audience. But, of course, this frees only the uploaded material.

“Both types of solutions can play a role,” Robinson said. He was complimentary of GreatFire.org’s work: “It’s exciting to see them implement this strategy.”

“Internet freedom is hard,” Robinson said. “Technology available to censors is advancing. Anything we can do to make clear the options available to advance Internet freedom is helpful.”

So far, GreatFire.org has put “collateral freedom” into action four times.

In mid-November, China blocked Reuters’ Chinese-language website after it published a story about a New York Times report that JPMorgan Chase had paid nearly $2 million in 2006-2008 to the daughter of Wen Jiabao, who at the time was China’s Prime Minister overseeing financial institutions. GreatFire.org responded by created its first unblockable mirror: a duplicate of the Reuters site on Amazon Web Services.

With that step, “we decided to take the battle against online censorship in China to a new level,” Smith said. His group won that battle: Chinese authorities not only left the mirror site alone, but also relaxed their grip on cn.reuters.com.

“The availability of our mirror website may have been one of the reasons why the Chinese authorities decided to lift the block on Reuters one month after the initial block,” Smith said. (Independent experts said it’s hard to say whether the AWS mirror site was a factor in the censors’ decision.)

Since then, GreatFire.org has used AWS to host mirrors not only of China Digital Times but also of its signature project called FreeWeibo.com, which publishes Chinese “tweets” that have been censored by the government.

Chinese censors routinely peruse messages on Sina Weibo, the country’s equivalent of Twitter, and delete postings they find objectionable. For example, after a Malaysian Airlines plane carrying 239 people mysteriously disappeared en route to Beijing on March 8, censors tried to purge speculation that it was an act of terrorism. Among other postings, they deleted Weibo messages quoting a tweet by media tycoon Rupert Murdoch, who wrote that the presumed crash of the Malaysian jet “confirms jihadists turning to make trouble for China.”

Censoring Weibo can be hit and miss, given that the service averages 100 million messages a day and that Weibo users have developed a variety of tactics, such as inventing euphemisms and posting images instead of text, to avoid censorship. So some re-postings of Murdoch’s tweet survived on Weibo.

The GreatFire organization captures messages that have been deleted from Weibo and posts them on FreeWeibo.com. The dot-com site is blocked in China (but according to Smith, it still gets more than 12,000 visitors on a typical day—a testimony to the Chinese citizens using VPNs and other “collateral freedom” tactics at the individual level).

FreeWeibo’s replica website on Amazon “has experienced steady growth with over 1,000 unique visitors each day,” Smith said. “By making this information accessible, we are providing a window onto the real discussions that are taking place on the country’s largest social network.” Viewed against the millions who use Weibo every day in China, that number is miniscule. But GreatFire says it’s still significant because the revelations on FreeWeibo can circulate via email, word of mouth and other means.

Traffic to FreeWeibo and its Amazon mirror site spiked after March 1, when a group of eight knife-wielding attackers killed twenty-nine people and injured 143 others at a train station in Kunming in Southwest China. Chinese officials called the massacre an act of terrorism by separatists from the far western province of Xinjiang, where members of the Uyghur ethnic group say they face repression.

The March 1 attack was a topic of intense discussion on Weibo. Censors deleted postings that linked the attack to governmental policies. One such message stated: “I think using force to keep stability is not the right way. We should find the root of their hatred and that would be the right way to solve the conflict.”

Those deleted messages were archived at FreeWeibo.com and its Amazon mirror, sometimes called Amazon S3 for “Simple Storage Service.”

“Since Monday [March 3] the S3 traffic has been 2500-3000 per day compared to 2000 before. And freeweibo.com hit a record 21k in one day on Sunday [March 2]” the founder of GreatFire.org, who goes by the pseudonym Martin Johnson, said in an email.

Besides hosting content on AWS, GreatFire.org hosts on GitHub a directory of URLs for the unblockable mirrors. “Like Yahoo, circa 1996!” Smith said.

“We are very encouraged with what has happened so far,” he said. “The most encouraging thing now is that we have seen individual netizens, not related in any way to us, create their own mirror websites. That is awesome.”

For instance, when the International Consortium of Investigative Journalists released its report on the offshore holdings of China’s elite, it was an individual who uploaded the data to Amazon Web Services. He then promoted the link on Weibo, but censors deleted his message. (Smith said that Weibo user was unaffiliated with GreatFire.org. He said his group had included the ICIJ report on the mirror website for China Digital Times.)

In February, Pao-Pao.net, a news website blocked in China, launched a mirror on Amazon Web Services. Pao-Pao, which means bubbles in Chinese, is supported by Radio Netherlands Worldwide (RNW), GreatFire.org, Hong Kong Independent Media, China Digital Times, and other Chinese journalists and bloggers.

“The idea to start Pao-Pao was conceived only after the unblockable mirror site strategy was developed by GreatFire,” Valkenburg, RNW’s Editor-in-Chief, said in an email interview.

Pao-Pao’s dot-net site launched on February 4 and was blocked eight days later by Chinese authorities. “We anticipated that this Pao-Pao site would be quickly blocked, and we consider the mirror site our main site,” Valkenburg said.

He declined to say how many visitors the mirror site is getting because “our number of visitors is still too low to be able judge the success of our mirror site.”

“But our first numbers indicate that the mirror site is indeed helping us reach a wider audience: Until the block, most visitors went to Pao-Pao.net, but now the majority of our visitors are coming to the mirror site,” Valkenburg said.

The latest mirror site is for Lantern, a new peer-to-peer censorship circumvention software produced by a self-described “network of people working together to defeat internet censorship around the world.”

China has blocked Lantern’s regular website, but its Chinese-language counterpart on AWS is freely accessible within the country.

If the mirror sites work so well, why has the strategy been used only a handful of times? One reason, Smith said, is that “it is a relatively new concept—most people don’t know [about it] We have not had enough general press exposure to make people understand what it is using layman's language.”

Moreover, Smith said, small websites that are blocked in China may lack the technical know-how or financial resources to create a mirror site on Amazon. And for a big site like The New York Times, “this is a major political decision which likely would involve trying to get people to buy in to the concept and for them to be willing to stand up to censorship in such a public way.”

If they’re trying, Chinese authorities have been unable to block access to the cloud-hosted mirror sites. But “collateral freedom” still faces challenges.

For instance, the content on AWS must use the http://s3.amazonaws.com domain name. This can result in unwieldy URLs like https://s3.amazonaws.com/icij/www.icij.org/project/zhong-guo-chi-jin-rong-jie-mi.htm. But Smith notes that it’s better to have a long but unblockable URL than a URL that’s easy to remember but inaccessible.

Another problem is disseminating those unblockable URLs. GreatFire.org and other groups have been broadcasting the information on social media platforms such as Twitter, but Twitter is blocked in China. And when free-speech advocates try to publicize the URLs on Weibo, their messages get deleted.

That may explain why the mirror sites have generated little traffic in a country with more than 600 million Internet users. China Digital Times’ site on AWS was receiving about 500 unique visitors a day until GreatFire.org posted the ICIJ report there. Then, the number of daily visitors jumped to 2,000 and has stayed at that level, Smith said.

He added that traffic to the mirror sites is growing. “We expect the mirrors to eclipse the traffic to the blocked sites soon.”

At some point, cost could be a factor, but probably not a big one: It can cost less than $100 a month to host on AWS a website that gets 100,000 hits a day, according to Amazon.

The biggest challenge facing “collateral freedom” is the potential pushback: What would happen if Chinese officials pressure Amazon to remove the content they want to censor? Or if China’s government decides to cut off Amazon Web Services entirely?

“There’s going to be pressure on AWS,” predicts University of Toronto researcher Jason Ng, author of the book and blog Blocked on Weibo. He said China might try to thwart “collateral freedom” by moving all of AWS’s Chinese customers to a separate cloud and then blocking access to the domain used by GreatFire.org and other activists.

King-wa Fu, an Assistant Professor and censorship researcher at the Journalism and Media Studies Centre at the University of Hong Kong, agreed that the Chinese government eventually will play hard ball.

If the mirror sites attract a tipping-point level of Chinese visitors, Fu fears “that the Chinese government would block Amazon or ask Amazon to take down the contents.”

“I think GreatFire is doing an excellent and important job,” he said. “But it doesn’t work to a point that really threatens the stability of the Chinese government. Once the critical mass is reached, the Chinese government would intervene without second thought.”

There’s a precedent: Last summer, under pressure from the Chinese authorities, Apple removed OpenDoor, a censorship circumvention tool, from its China app store. The company said the app “includes content that is illegal in China” and that apps “must comply with all legal requirements in any location where they are made available to users.” In December, Apple took the same action against GreatFire.org’s FreeWeibo app.

Moreover, in January 2013 China blocked GitHub after the code-sharing website was used to muster support for a petition to prevent Chinese academics involved in building and supporting the country’s online censorship system from traveling to the United States.

But Smith noted that Chinese programmers howled in protest, and less than a week later the Chinese government unblocked GitHub. That episode validates the “collateral freedom” strategy, he said.

“Even the cost of blocking GitHub was considered too high,” Smith said. “Nothing is certain, but this is a strong indicator that our approach can be sustained.”

To date, activists who have posted otherwise-censored content on AWS have not heard from Amazon or Chinese authorities.

“Not a peep,” Smith said. “And I hope it stays like this.”

Amazon did not respond to requests for a comment about the use of AWS by GreatFire.org and others to circumvent censorship in China. What if the company asks GreatFire.org to take down its mirror sites?

“We’d make as public a fuss about it as we could—draw as much media attention to Amazon’s practices as would be possible,” Smith said. “We would not remove the material if they asked us to.”