Falun Dafa Minghui.org www.minghui.org PRINT

The Australian Financial Review : The Great Firewall

Sept. 10, 2002 |   Ethan Gutmann

24/08/2002

It's not easy being the father of the Chinese internet. Children are running by, boats are paddling, the smell of roast lamb fills the air, and Michael Robinson, a young computer engineer from the United States, sits rigidly, facing an empty cafe on the shore of Qianhai Lake, speaking in a low voice of the crackdown. "What is better? Big Brother internet? Or no internet at all?" he asks.

Robinson was hired as the lead support engineer in 1996 by the Chinese Government and Global One (a Sprint-France Telecom-Deutsche Telekom joint venture) to build the first network in China providing public access to the internet. One day sticks in his mind. The Chinese engineers working with him suddenly convened a special meeting, demanding to know if it would be possible to do keyword searching inside emails and web addresses on the Chinese internet. Not really, he replied; all information that travels the net is broken up into little packets. It's hard to "sniff" the packets, especially coded packets. You would need to intercept packets as they travel, and then there's the problem of collating the information, making sense of it. Yes, yes, they said, but can you do it?

On the third go-round, it dawned on Robinson that his fellow computer geeks wanted to end the meeting, too. But at a higher level, someone required assurance. Before internet construction went further, they would need to monitor what Chinese users did with it. For the engineers, this was just cover-your-arse stuff. As long as the foreigner assured them that down the road the Chinese would be able to build an internet firewall against the world and conduct surveillance on citizens, the engineers could continue working with him. Yes, yes, it can be done, Robinson told them, and they went back to work.

Americans make dreams, and every generation carries new ones to China. Since 1979 that dream has been the fall of the Chinese Communist Party and the rise of the world's largest market, an event that US businessmen and China hands keep predicting is on the horizon, even imminent. Yet Robinson was not naive. He understood the self-serving nature of much of the democracy-is-just-around-the-corner rhetoric. He sensed the Chinese leadership's true motives in building an internet.

But for Robinson, any reservations about complicity with the Chinese Government's objectives were outweighed by a bedrock faith in the internet's ingenious architecture. A system originally conceived, in part, as a method of relaying US command messages over a damaged network after sustaining a Soviet nuclear strike could surely find a way to get messages through, securely, amid the white noise of millions of Chinese users. Resistance would be futile - even the Chinese Borg could not stop it. With the genie of free speech out of the bottle, it would just be a matter of time before the predictions of democracy in China would come true.

That vision has been called into question, not by a failure of the internet's architecture, but in several cases by a failure of US corporate values. Let's start where Robinson left off, with the expansion of the Chinese internet. I treated a top Chinese engineer (who wishes to remain anonymous) to a 30-course meal by the shores of Beijing's Beihai Lake. As hoped, the shark's fin soup loosened his tongue - on the subject of Cisco Systems.

In the US, Cisco is known (among other things) for building corporate firewalls to block viruses and hackers. In China, however, the Government had a unique problem: it wanted to keep 1 billion people from accessing politically sensitive websites, now and forever.

The way to do it would be this: if a Chinese user tried to view a website outside China with political content, such as Dacankao Daily News (also known as VIP Reference, a Chinese dissident information source), the address would be recognised by a filter program that screens out forbidden sites. The request would then be thrown away, with the user receiving a banal message: "Operation timed out." Great, but the financial excitement of a wired China had quickly led to a proliferation of internet service providers. There were eight major ISPs and four pipelines to the outside world. To force compliance with government objectives they needed the networking superpower, Cisco, to standardise the Chinese internet and equip it with firewalls on a national scale.

According to the Chinese engineer, Cisco came through, developing a router device, integrator and firewall box especially for the Government's telecom monopoly. Cisco also appears to have offered a significant initial discount in the price of the firewall boxes. The engineer claimed that a similar Cisco product could sell in the West for up to $US50,000; at $US20,000 a box, China Telecom "bought many thousands" and IBM arranged the "high-end" financing. Accordingly, "every [Chinese] firewall has Cisco routers". Robinson confirms: "Cisco made a killing. They are everywhere." And across China, as users searched for the forbidden internet, operations timed out.

Cisco does not deny its success in China. Nor did its Beijing office deny that it may have slightly altered its products to suit the special needs of the Chinese "market" - a localisation scheme the company avoided elsewhere in the world. But it categorically rejects any responsibility for how the Government uses its firewall boxes. David Zhou, a systems engineer manager at Cisco, Beijing, told me flat out: "We don't care about the [Chinese Government's] rules. It's none of Cisco's business."

I replied that he has a point: it's not the gun but the way it's used, and how can a company that builds firewalls be expected to, well, not build firewalls? Zhou relaxed, then confidently added that Cisco's routers could be used to intercept information and to conduct keyword searches: "We have the capability to look deeply into the packet." He admitted that Cisco was under the direct scrutiny of State Security, the Public Security Bureau and the People's Liberation Army.

Does Cisco allow the PLA to look into packets? Zhou didn't know or wouldn't say. But consider, for example, the arrest of veteran activist Chi Shouzhu last April. He was picked up in a crowded train station minutes after printing out online materials promoting Chinese democracy. Consider also the arrest of Li Dawei from Gansu province, who just received an 11-year sentence for downloading "reactionary" material from the internet, and emailing friends abroad. Incidents such as these have mushroomed in China, suggesting that Cisco may not be the only one capable of looking deeply into the packets. In fact, Cisco's ability to thrive in China may well depend on co-operation with the Public Security Bureau and the PLA.

Cisco's firewall has proved far from foolproof. New sites on forbidden topics crop up daily, and with the proliferation of ISPs that just want more subscribers surfing, the lag time between updating the Government's list of banned sites and implementation can be erratic. So Chinese security organs needed to control the search engines through which new sites can be found.

Enter Yahoo!

Some business press has painted a picture of a thriving, home-grown Chinese market for portals and search engines - mirroring such companies as AOL, Google and Excite - with names such as Sohu and Sina fighting for the top spots. Chinese Yahoo!, the US outrider, trails in fifth place.

A top Yahoo! representative spoke to me on the condition that I would not use his name or give identifying details other than that he had recently left the company. He said Yahoo! was the most popular portal in China by a mile. As a Chinese internet research company confirmed, Yahoo! played a clever game. For every major survey, it split into several sites so it would not appear to be number one. Management fudged the hit rate, because "we were viewed as extremely aggressive. We were seen as too foreign."

Chinese xenophobia has led many other US companies to play similar games, but Yahoo! was particularly eager to please. All Chinese chat rooms or discussion groups have a "Big Mama", a supervisor for a team of censors who wipe out politically incorrect comments in real time. Yahoo! handles things differently. If in the midst of a discussion you type, "China should have nationwide multiparty elections!!", no-one else will react to your comment. How could they? It appears on your screen, but only you and Yahoo!'s Big Mama actually see your thought crime. After intercepting it and preventing its transmission, Mother Yahoo! generates a friendly email suggesting that you cool your rhetoric - censorship, but with a New Age nod to self-esteem.

The former Yahoo! rep admits that the search phrase "Taiwan independence" on Chinese Yahoo! would yield no results, because Yahoo! has disabled searches for keywords such as "Falun Gong" and "China democracy". Search for the dissident site VIP Reference, and you get a single hit, a government site ripping it to shreds.

He defends such censorship: "We are not a content creator, just a medium, a selective medium." But it is a critical medium. The Chinese Government uses it to wage political campaigns against Taiwan, Tibet and the US. And of course the great promise of the internet in China was supposed to be that it was unfettered. The Yahoo! rep again: "You adjust. The crackdowns come in waves; it's just the issue du jour. It's normal."

But what is "normal" in China can be altered under duress. When Chinese authorities ordered Microsoft to surrender its software's underlying source codes - the keys to encryption - as the price of doing business there, Microsoft chose to fight, spearheading an unprecedented Beijing-based coalition of US, Japanese and European chambers of commerce. Faced with being left behind technologically, the Chinese authorities dropped their demands.

Theoretically, China's desire to be part of the internet should have given the capitalists who wired it similar leverage. Instead, the leverage seems to have remained with the Government, as Western companies fell over themselves bidding for its favour. AOL, Netscape Communications and Sun Microsystems all helped disseminate government propaganda by backing the China Internet Corporation, an arm of the state-run Xinhua news agency.

Not to be outdone, Sparkice, a Canadian internet colossus, announced that it would serve up only state-sanctioned news on its website. According to human rights activist Greg Walton, Nortel provides wraparound software for voice and closed-circuit camera recognition - technology that the Public Security Bureau has already put to good use, according to the Chinese press.

A leaked press strategy memo to The Washington Post revealed that AOL was quietly weighing the pros and cons of informing on dissidents if the Public Security Bureau were to request such a service; the right decision would clearly speed Chinese approval for AOL to offer internet services and perhaps get a foothold in the Chinese television market. In fact, AOL signed a landmark deal with a Chinese station at the end of October.

Smaller US companies and smaller nations smell the blood. Along with Chinese officials, they dominate Chinese internet-security trade shows.

China Telecom has looked into buying software from iCognito, an Israeli company that invented a program called "artificial content recognition", which surfs along just ahead of you, learning as it censors in real time. It was built to filter "gambling, shopping, job search, pornography, stock quotes, or other non-business material", but the first question from the Chinese buyers is invariably: Can it stop Falun Gong?

After the terrorist attacks on the US, some of the byplay between Beijing and its entrepreneurial suitors has taken on new significance.

According to James Mulvenon of Rand Corporation, Network Associates (the producer of McAfee AntiVirus), Symantec (Norton AntiVirus) and Trend Micro of Tokyo gained entry to the Chinese market by donating 300 live computer viruses to the Public Security Bureau. The US embassy has already monitored the picture.exe virus, which worms into a computer and then sabotages the encryption software Pretty Good Privacy by sending the personal encryption keys to China. Last August's notorious Code Red worm, which some thought originated in China, appears to have been little more than an amateur nuisance. But Chinese military reports on unconventional warfare explicitly advocate co-ordinated virus attacks to debilitate US communication and financial systems during a crisis. The US may expect a more sophisticated visit from the offspring of a Network Associates or Symantec sample virus.

Why has there been so little oversight of such corporate activity? As Robinson puts it, for the first four years of the internet era, those with paranoid visions of China's Government were never able to square their suspicions with the rapid expansion of the Chinese internet. Although it was rumoured that up to 30,000 state security employees were monitoring the internet in Beijing alone, the monitoring was laughed at. Apparently the bureaucrats liked monitoring pornography so much that they had a massive backlog.

State security was said to be lax, corrupt, full of holes. Chinese ISPs were happy to sell prepaid internet cards on the streets of Beijing, just like prepaid phone cards. Chinese whiz-kids could still surf through the firewall and beyond. Associations could flourish among the patrons of the cybercafes, using anonymous monikers.

Many saw the internet as a populist river leading to the ocean of the global community. Then, the Government abruptly built a cyber version of the Three Gorges Dam.

In October 2000, the State Council ordered ISPs to hold all Chinese user data - phone numbers, time and surfing history - for at least 60 days, thus making the prepaid ISP card vulnerable to a phone trace, or to simply linking up a name with a phone number. In November, commercial news sites were banned. In December, the National People's Congress decreed all unauthorised online political activity illegal. In January 2001, it became a crime to use the internet to transfer "state secret information", such as reports of human rights violations. February brought "internet Police 110", software blocking "cults, sex and violence" while monitoring attempts to access such sites. By March, the surveillance started to work; hundreds of emails on the controversy surrounding a schoolhouse bombing in Jiangxi disappeared.

Around the same time, Chinese authorities announced near completion of a "black box" to collect all information flowing across the internet. In April, arrests of democracy activists using the web and a nationwide crackdown on cybercafes reached critical mass. Surviving cafes had to install internal monitoring software. Email to Tibet now took three days to get through, if at all, and Falun Gong email was eradicated.

By October 2001, when President Bush flew to Shanghai for the Asia-Pacific Economic Co-operation Summit, he was entering an internet police state. To deflect criticism, but perhaps also as a demonstration of power, blocks on US news websites were magically lifted by Chinese authorities. The minute Bush was airborne, they were back in place.

Recently, as pressure over the closed internet began to build, the Chinese authorities lifted the blocks again while simultaneously floating the "Public Pledge on Self-Discipline for the China Internet Industry". The pledge commits companies to avoid "producing, posting or disseminating pernicious information that may jeopardise state security and disrupt social stability". Three hundred Chinese companies, including all the ISPs, eagerly signed on. Just for good measure, Yahoo! signed on, too.

The outcome for the Government is a model of public/private collaboration: censorship of anything the Chinese authorities don't like, combined with the appearance of openness - in short, a public relations coup. And any official US attempt to discuss loosening Chinese internet controls will undoubtedly be brushed aside using the rhetoric of America's own struggle against terrorism. (What, you're against surveillance?)

There were urgent reasons for the Chinese internet crackdown; fighting terrorism wasn't one of them. Instead, look to the slow-motion crisis of a leadership transition, the release of the Tiananmen papers, the emergence of a cyber Falun Gong, and a stirring - you could feel it on the street - for greater freedom of expression, if not genuine democracy. Then again, there may be a more elaborate game afoot. Chairman Mao knew the utility of briefly loosening controls to create a dragnet. In effect, the Chinese leadership has promoted a period of relative internet freedom - again, not to capture terrorists, but to expose anyone who disagreed with their rule and to attract massive Western investment. US technologies of surveillance, encryption, firewalls and viruses have been transferred to Chinese partners - and might one day be turned against America's own ludicrously open internet. The US funded, built and pushed into China what it thought was a Trojan Horse, but forgot to build the hatch.

Consider a Chinese user in search of an unblocked news article or a democracy site. Perhaps something on the Taiwanese elections, or VIP Reference, or a BBC article on Jiang's attempt to hold on to power. He won't expect to get through, and if he does, it will be cause for alarm, for the site may be a tripwire - not for spam, but for state security. Everything he does on the web might conceivably be used against him. Pornography? Potentially, a two-year sentence. Political? Possible permanent loss of career, family and freedom.

Email may be the riskiest: three years ago, working from my office in a Chinese TV studio, I got an email from a US friend with the words "China", "unrest", "labor" and "Xinjiang" in queer half-tone brackets, as if they had been picked out by a filter. I now realise that it was a warning; any savvy Chinese user would have sensed it instantly. Before the crackdown, you could escape and surf anonymously in a cybercafe or use a proxy server - a computer that acts as an intermediary between surfers and websites, helping to evade the filters. Not surprisingly, the most common search words in China were not words like "Britney" and "hooters", but words like "free" and "proxy". At least 10 per cent of Chinese users - about 2 million people - used proxies to circumvent government controls.

In what Robinson calls "the first sign of cleverness" by the Government, a proxy pollution campaign began last northern spring when the Chinese authorities either developed or imported a system that sniffs the networks for proxies. A user, frantically typing in proxy addresses until he finds one that isn't blocked, effectively provides the Government with a tidy blacklist.

After a few of these tedious sessions, many of my Chinese friends simply gave up climbing over the firewall. For a small fee, expat users could turn to a web-based proxy browser, such as Anonymizer. But credit cards are effectively blocked for the vast majority of Chinese citizens. Just for good measure, Anonymizer was finally blocked as well. And the shelf life of a working proxy server in Beijing is less than 30 minutes.

Is China's internet beyond redemption? Is it destined to be a tool of surveillance and repression, managed by the Chinese Government and serviced by cynical Western partners? Maybe not. The Great Firewall might be vulnerable to a few physicists at the University of Oregon. I spent a day watching Stephen Hsu diagram the Chinese web and its weaknesses. Hsu and his company, SafeWeb, have developed a proxy server system called Triangle Boy. The triangle refers to the Chinese user, to a fleet of servers outside of the firewall, and to a mothership which the servers report to, but the Chinese Government cannot find.

Tens of thousands of Chinese users have connected with it; five of the top 20 Triangle Boy search sites are in the Chinese language. Every day, the Chinese user should receive an email listing new addresses of Triangle Boy servers, which allow the user to visit websites that they would otherwise be unable to reach. Because the addresses of the servers change constantly, the system, if properly funded, is theoretically hard to defeat.

But as surely as Triangle Boy works to liberate the surfing Chinese masses, you can bet state security has already been looking for ways to pounce on this latest proxy rebellion. The simplest one will be to enlist US companies and get them to develop software allowing the Public Security Bureau to sniff out and block proxies as quickly as they are created.

This sort of US corporate activity is finally being targeted by oversight entities such as the US-China Security Review Commission and the Congressional-Executive Commission on China. The House Policy Committee has taken up the cause as well; its new report is entitled "Tear Down This Firewall". But US companies in China do not have to simply wait for sanctions - they could pre-empt the problem. A pledge of neutrality from the American Chamber of Commerce in Beijing and the US-China Business Council would indicate a seminal shift in attitudes and would help to restrain further transfers of proxy-sniffing technology. These initiatives would be valuable, particularly in slowing down the pursuit of proxies - but the Chinese leadership, having come this far, isn't likely to call off the dogs.

The only practical solution to this puzzle is for the Bush Administration to make internet freedom in China a high priority. Although there are signs that the State Department has taken notice, so far the response has been truly sluggish. The Voice of America, whose website has been a high-profile target of Chinese blocking, began funding Triangle Boy last northern summer to the tune of $US10,000 a month. VOA officials attempt to send daily news via email to some 800,000 addresses in China, with no guarantee that they are getting through.

Hsu estimates that supplying 1 million Chinese users with Triangle Boy (about 600 million page views a month) would require just $US1million annually. Budgeted at $US300 million a year, VOA has the means and is wisely looking at several other solutions such as Peekabooty and a new program called Socket2me by hacktavismo.

The hacker idealists in the internet community have begun to respond, even with the scarce funding I've described; recognition is growing that competing systems operating simultaneously could frustrate the Chinese authorities. But for VOA to justify an anti-blocking effort on a scale that will make a difference, it will need to be seen as carrying out important US foreign policy, not just acting on the margins as it is now.

And why not make this a higher-profile US policy? Cracking the Chinese firewall is at least as technically interesting as strategic defence. Even if Triangle Boy was well funded, it would still be theoretically vulnerable to spoof sites, authorisation problems, or a Code Red-style worm attacking the servers. And recent Chinese Government statements have targeted foreign attempts to overcome the firewall, implying that they are well aware of the efforts. That implies a need for a highly technical layering operation, involving an endless and ever-changing supply of low-key web-based proxies, mirror sites, and encrypted email and messenger services in Mandarin and English, in sufficient volume to overwhelm the Chinese firewall.

None of these measures will be cheap. Nor can the US Government be expected to fully manage this defence of internet freedom. Even if they back the overall concept, US Administration officials will inevitably want "deniability" about certain parts of such an operation. This means the project will need to attract the support of foundations, human rights groups, religious organisations - any group that cares about a free China.

But it will be worth it. Given the willingness of capitalists to work hand-in-hand with the Chinese regime, the internet may be the only force left that is potentially anti-hierarchical. Think of it as a way to levy a web-based democracy tax on the Chinese Government. Think of it also as a way around the university students and the intelligentsia, who are overrated as agents for democratic change in China.

As Robinson, the father of the Chinese internet, notes: "In the Chinese internet's infancy, the first three sites that the Government blocked were two anti-government sites - and one Maoist site. What threatens them? Not the West, not pornography, but the heartland." Ultimately, it won't be the intellectuals who are key to bringing democracy to China. Irate, overtaxed peasants and rust-belt workers with internet-enabled cell phones 10 years from now are the real target market.

And those whose dream is democracy in China are operating with diminishing points of entry, for the US business presence in China is deeply, perhaps fatally, compromised as an agent for liberalising change. The internet remains the strongest force for democracy available to the Chinese people. But it will remain just a dream unless the US grapples with the question: who lost China's internet? Well, America did. But it can still repair the damage. It can, in Robinson's words, "lay down the communication network for revolution".

Ethan Gutmann, a visiting fellow at the Project for the New American Century, is finishing a book, Beijing Boot Camp.