What is the Golden Shield?
As the Internet became more accessible to the general population and expanded globally, the Chinese government had little choice but to allow its expansion into its country, since its mainstream use among the population was to be essential for the growth of the economy.
In 1997, the Chinese government issued strict guidelines for the Internet’s use, to protect the country’s ‘socialist’ ideology from western influence. This is the type of political correctness where anything that disagrees with the state’s ideology or version of events is banned. After all, the reason censorship exists is to protect a set of established values from the threat of information.
In the case of Chinese censorship, the state is trying to prevent the population from becoming inspired by the ideals proclaimed by the United States, such as freedom, civil rights and opportunities. The government also wanted to prevent the China Democratic Party from using the Internet to spread its message and build a network of supporters. The China Democratic Party has since been banned and its members imprisoned. The state soon went further and enforced its policies with a comprehensive system of censorship.
Today, as far as we know, China has the most sophisticated Internet traffic filtering in existence, according to the OpenNet Initiative. The system of monitoring, filtering, censoring and suppressing information is known as the Golden Shield, better known to the west as The Great Firewall of China.
The main component of this system is a collection of between five and nine advanced border routers that filter data being exchanged between China and the outside world. Three layers of filtering were identified during studies into the Golden Shield:
IP blocking: Blocks traffic by IP address.
DNS Hijacking: Redirects URLs by interfering with the Domain Name System.
TCP Blocking: Filters traffic by content and key words within URLs.
In addition to the above, the Golden Shield includes a range of other surveillance and censorship measures, which include software installed on public computers to monitor content.
First-hand accounts, compiled lists and attempts at quantitative analysis have confirmed the information being censored includes content related to political and human rights organisations, and the Falun Gong movement.
From the research into the Golden Shield, it can also be speculated that the main Internet Service Providers in that country are deploying their traffic filtering routers differently from each other, with one filtering at the gateways to the backbone of the country’s infrastructure, and another distributing the filtering system between border and regional routers.
The routers here appear to be high-specification Cisco routers incorporating advanced Intrusion Detection Systems at the software layer, and at least one Access Control List that’s being manually updated.
As far as the domestic traffic within China is concerned, the content is monitored by 30,000 – 40,000 government employees, but the censorship itself is carried out by organisations meeting the requirements of doing business there.
Data is sent and received across the Internet as frames/packets. Although each frame is a very long binary number, it can be abstracted as two parts – the header and the payload. The payload is the actual data being communicated. The header contains the source and destination addresses, and other things that help the data get from A to B in one piece. The header also enables the data to be relayed along a certain route by a series of routers and proxies between two points.
IP blocking was the earliest method used by the Chinese government, and it works by configuring a router relaying the traffic to drop frames if they are being sent to particular IP addresses on a blacklist.
One way around this type of filtering is to use proxy servers which haven’t been blacklisted as the destination address, while the proxy relays requests and responses on behalf of the blocked server.
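To make the header/payload split and the IP-blocking layer concrete, here is an added example (not code from the original article): it constructs a small IPv4/TCP packet from documentation-range addresses, parses the header fields a router would look at, and shows that a blacklist decision needs only the destination address from the header, which is also why a relay at an unlisted address passes the check. All addresses and the payload are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Low five TCP flag bits, in header order.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def build_sample_packet(src="192.0.2.10", dst="198.51.100.5", dport=80,
                        payload=b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n") -> bytes:
    """Constructed IPv4 + TCP packet; addresses come from the RFC 5737 documentation ranges."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    # IPv4 header: version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 6 (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    """Split a packet into the header fields a router reads and the payload it carries."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4 over TCP is handled in this example")
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport, seq, ack, off, flags, *_ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    data_off = (off >> 4) * 4                       # TCP header length in bytes
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
        "sport": sport, "dport": dport,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "payload": pkt[ihl + data_off:total],
    }


def header_only_verdict(pkt: bytes, blocked_destinations: set) -> str:
    """IP-blocking layer: the decision uses the destination address alone, never the payload."""
    return "drop" if parse_packet(pkt)["dst"] in blocked_destinations else "forward"


if __name__ == "__main__":
    blocked = {"198.51.100.5"}                      # constructed blacklist entry
    direct = build_sample_packet()                  # sent straight to the listed address
    relayed = build_sample_packet(dst="203.0.113.7")  # same request sent to an unlisted relay
    print(parse_packet(direct))
    print(header_only_verdict(direct, blocked), header_only_verdict(relayed, blocked))
```

The relayed packet is forwarded even though its payload is identical, which is exactly the gap a payload-inspecting layer (described next) is meant to close.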
The data within the frames are also inspected, which allows the content to be monitored for certain keywords, and allows certain flags to be set within the frame to disrupt the connection to a server. Research has indicated that all traffic that relies on TCP is inspected, and that the Golden Shield appears to disrupt the connection for just over two minutes to discourage repeated attempts at reconnection.
This is effective against the use of proxy servers, since the URL in most cases contains keywords relevant to the site being accessed. Encrypted connections must be used, and web pages must be given non-suggestive file paths.
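The following added example (not from the original article) shows what a keyword inspector sitting on the wire can actually read in two cases: a plaintext HTTP request, where both the host and the full path are visible, and a TLS ClientHello, where the path is hidden but the hostname still travels in the clear in the Server Name Indication extension. The keyword list, hostnames and paths are constructed values, and the ClientHello builder is a minimal hand-rolled one written for this demonstration.

```python
import os
import struct

# Constructed keyword list for the demonstration only.
KEYWORDS = (b"democracy", b"petition")


def build_http_request(host: bytes, path: bytes) -> bytes:
    """Plaintext HTTP/1.1 request as it would appear in a TCP payload."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


def build_client_hello(server_name: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying a Server Name Indication (SNI) extension."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name   # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)                      # extension type 0 = server_name
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"        # client version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)     # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes):
    """Walk a ClientHello and return the SNI hostname, or None if it is absent or not a ClientHello."""
    if data[:1] != b"\x16" or data[5:6] != b"\x01":
        return None
    p = 9 + 2 + 32                                           # record hdr, handshake hdr, version, random
    p += 1 + data[p]                                         # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]           # cipher suites
    p += 1 + data[p]                                         # compression methods
    ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0:                                       # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
            return data[p + 5:p + 5 + name_len]
        p += elen
    return None


def inspect_payload(payload: bytes, keywords=KEYWORDS) -> dict:
    """Report what a keyword filter can see in one TCP payload and which keywords it would match."""
    if payload.startswith((b"GET ", b"POST ")):
        lines = payload.split(b"\r\n")
        path = lines[0].split(b" ")[1]
        host = next((l.split(b":", 1)[1].strip() for l in lines if l.lower().startswith(b"host:")), b"")
        seen = {"transport": "http", "host": host, "path": path}
    else:
        seen = {"transport": "tls", "host": sni_from_client_hello(payload) or b"", "path": None}
    searchable = (seen["host"] + (seen["path"] or b"")).lower()
    seen["matched"] = [k for k in keywords if k in searchable]
    return seen


if __name__ == "__main__":
    print(inspect_payload(build_http_request(b"news.example", b"/democracy/latest.html")))
    print(inspect_payload(build_client_hello(b"news.example")))
    print(inspect_payload(build_client_hello(b"democracy.example")))
```

The third case is the caveat the paragraph above implies: encryption hides the file path, but a keyword in the hostname itself is still exposed by SNI, so both the encrypted transport and a non-suggestive name are needed.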
DNS hijacking works by interfering with the Domain Name System (DNS) to redirect URLs. The URL address is much like a human-readable label used in place of the IP address it’s assigned to, and there’s a list that maps both types of address to each other. e.g. http://localhost often maps to IP address 192.168.0.1
The redirection/hijacking works when the DNS is modified to redirect the URL to the IP address of another server. The Golden Shield uses this method to redirect traffic for banned URLs. A similar type of attack has been used by other governments, in which domain names are seized so the URL doesn’t map to anything.
The good news is that URLs aren’t normally essential for accessing web sites, and the IP address can be entered in the browser’s address field instead.
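As an added example (not part of the original article), the block below builds DNS responses in wire format, parses the A records out of them, and applies the simplest detection for the hijacking described above: compare the answer the local resolver returned with one obtained from a trusted source, and flag an answer that lands on a known redirection address. The hostnames, addresses and the “sinkhole” list are constructed values; the parser handles the name-compression pointers real responses use.

```python
import struct
from ipaddress import IPv4Address


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_a_response(qname: str, answers, txid=0x1234, ttl=300) -> bytes:
    """Constructed DNS response: one A question and one A record per address in `answers`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # standard response, no error
    question = encode_name(qname) + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    records = b"".join(
        b"\xc0\x0c"                                                        # pointer to the question name
        + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed       # TYPE A, CLASS IN, TTL, RDLENGTH, RDATA
        for ip in answers)
    return header + question + records


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                          # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def a_records(msg: bytes):
    """Return [(name, address)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                                           # QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:
            found.append((name, str(IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return found


def hijack_indicators(local_msg: bytes, trusted_msg: bytes, sinkholes=()) -> dict:
    """Two cheap checks: does the local answer disagree with a trusted one, and is it a known sinkhole?"""
    local = {ip for _, ip in a_records(local_msg)}
    trusted = {ip for _, ip in a_records(trusted_msg)}
    return {
        "local": sorted(local), "trusted": sorted(trusted),
        "disagrees_with_trusted": local.isdisjoint(trusted),
        "answer_is_known_sinkhole": bool(local & set(sinkholes)),
    }


if __name__ == "__main__":
    trusted = build_a_response("news.example", ["198.51.100.5"])          # constructed known-good answer
    tampered = build_a_response("news.example", ["203.0.113.9"])          # constructed redirected answer
    print(hijack_indicators(tampered, trusted, sinkholes={"203.0.113.9"}))
```

A disagreement alone is not proof (legitimate round-robin or geo-DNS answers differ too), which is why the example reports both indicators separately rather than a single verdict; the address check is what lets a user fall back to the known-good IP as the paragraph above suggests.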
The Golden Shield and Cisco
Quite recently, members of the outlawed Falun Gong movement and the Human Rights Law Foundation have taken court action against Cisco in the United States, claiming the company was actively involved in the state repression in China that led to the arrest, imprisonment and torture of dissidents. Even though the Human Rights Law Foundation claimed to have strong evidence of this, in the form of marketing materials, Cisco denied the charges.
Some of this evidence was actually leaked, in particular a file used in a sales presentation given by a Cisco engineer (Overview of the Public Security Sector, 2002). It suggests the company was actively involved in facilitating the repression in China. Although it’s difficult to determine the company’s actual role, its intentions went far beyond merely supplying equipment for the Golden Shield, which is evident from the areas of ‘opportunity’ it identified.
The presentation laid out in extensive detail the structure of law enforcement agencies in China, the technologies they used, comprehensive information regarding their information and communications infrastructure, and areas for development. In relation to the Golden Shield, Cisco specifically identified planning, construction, training and maintenance as opportunities for the company (slides 49 – 58).
Intensive research is needed into the Golden Shield so a detailed picture of the hardware and software can be built and more effective circumvention methods can be developed that exploit weaknesses in the system.
Client software must be able to deal with whatever censorship and monitoring measures exist on the local host. From a programmer’s perspective, the client must be simple, run at a basic level and as close as possible to the network layer, while hiding data from the rest of the system. Since installation may be impossible for the average person using a shared public computer, the client software must also run from a portable storage device.
According to Amnesty International, China has more dissidents and journalists in prison than any other country, so those using the circumvention technologies will be at high risk. A hard disk drive with the software installed could be seized and used as evidence against them.
Perhaps the most obvious, and most widely mentioned, countermeasure is the use of proxy servers. This works when banned web sites are accessed indirectly, using proxy servers that haven’t been blacklisted as relays. Solutions range from using Google Translate servers to accessing a proxy network run specifically for bypassing censorship. It’s important to remember that most of these services on their own provide very limited anonymity, since the IP addresses of hosts accessing them may be logged. If the traffic goes through a series of proxy servers used by many others, there’s less chance of being traced.
In early 2002, Dynamic Internet Technology created the DynaWeb proxy network, and the FreeGate client was distributed. The concept is that people use the client software to route their traffic through the proxies. Lists of proxy addresses were also circulated to subscribers.
Eventually, DIT altered its strategy a bit, so those running the Golden Shield had to enter the proxy addresses manually, which slowed their ability to block the addresses. SSL certificates for the servers are now changed daily, to counter the other filters.
There are several other organisations with the same objectives as Dynamic Internet Technology, and together they formed the Global Internet Freedom Consortium in 2002. It now handles around 90% of the circumvented traffic in China, and aims to be the institution of human rights and free expression. The Global Internet Freedom Consortium has identified the following criteria for effective countermeasures to the Golden Shield:
Anti-censorship systems must meet the following criteria to be effective:
– The circumvention technologies as a whole must be more adaptive and innovative than the censorship system.
– The proxy networks must be scalable and capable of adapting to different loads.
– The proxy networks and software clients must support a range of communication methods, including HTTP, email, instant messaging and FTP.
– The circumvention technologies must be easy to use, and the client software must be run with the minimum effort.
– The addresses for the proxy servers must change quickly as they are blocked.
– A delivery system is needed for distributing the client software and list of available proxy addresses.
The development and distribution of anti-censorship technologies is only the beginning. Social impact depends on how widely these technologies are used and how they empower people politically.