The Great (Fire)Wall of China:

Internet Security and Information Policy Issues

in the People's Republic of China


William Yurcik** (University of Pittsburgh) and Zixiang Tan*** (Syracuse University)


Abstract: In an attempt to tighten control over information flow, the People's
Republic of China has initiated a clamp-down policy on Internet users. This
policy has resulted in several 1996 government regulations including a circular
issued by the Ministry of Public Security on February 14, 1996 which ordered
all users of the Internet and other international computer networks to register
with the police. This registration approach is also being complemented with a
technology approach so as to ensure control over the information flow in PRC's
fledgling computer networks. The technology approach includes "firewall"
technology which will be used to create a national "intranet" likely to become
the largest intranet in the world if implemented successfully.

In this paper we discuss the concepts of firewalls and intranets, public policy
issues concerning information security and censorship in China*, the state of
awareness of insecurity of present-generation computer networks in China,
Chinese security planning for future information systems, specific
technologies that Chinese professionals hold promising, and unique
problems in the Chinese context.

This research is a result of a joint United States/United Kingdom Computer
Security Delegation which visited China May 18, 1996 - May 31, 1996 at the
invitation of the Chinese Association for Science and Technology (CAST).
Dr. Ravi Sandhu, Chairman of the ACM's Special Interest Group on Security,
Audit, and Control (SIGSAC), led the delegation (which also included
Mr. Yurcik) in professional exchanges.


* for the remainder of this paper, we refer to the People's Republic of China
as "China"

** corresponding author: yurcik@tele.pitt.edu, +1 412-624-9411,
FAX +1 412-624-2788; mailing address: University of Pittsburgh,
Department of Information Science and Telecommunications, 742 LIS Bldg.,
135 North Bellefield Avenue, Pittsburgh, PA 15260, USA

*** Assistant Professor, School of Information Studies, Syracuse University


1.0 Introduction

At a recent conference sponsored by the Internet Society in Montreal Canada
(INET '96) where Internet leaders from around the world convened to discuss
technical issues, a new discussion emerged which focused on the increasing
number of governments intent on erecting barriers to free speech on the
Internet.[25] These barriers to free speech have occurred in over 20 countries
including Germany, Singapore, New Zealand, China and the United States. The
These barriers to free speech have taken the form of restrictions on network
access, limits on content, the criminalization of some forms of communication,
and new technological barriers that are still being developed. The Internet
as a new medium is at a relatively early stage of development, and these
barriers to free speech represent a significant trend which will shape future
communications.

This paper will focus exclusively on Internet security and information policy
issues in the People's Republic of China (China). China's computer policies
are important not only because they appear on face value to be the most
"Orwellian" in the world but also because China has close to one fifth of the
world's population (1.2 billion).[28] China has the third largest economy
behind the U.S. and Japan (with an average 10% growth rate since 1990), the
world's largest armed forces, and the largest potential consumer market in the
world. China is seen by many as the key to stability in Asia and peace in
the world.

The emerging importance of trade with China increasingly depends on
developments in electronic commerce and the compatibility of China's
Internet policies with global Internet policies may either accelerate or
slow these developments. China is the sixth largest trading partner with
the U.S. and the U.S. Central Intelligence Agency estimates the Pacific Rim
will contain five of the world's six largest economies (China, U.S., Japan,
India, Indonesia, and South Korea) in the near future.[43] In particular,
the opening of Chinese markets has accounted for a substantial rise in U.S.
telecommunications equipment exports; the fastest growing
telecommunications markets in 1995 were Hong Kong, up 119% to $890M, and
China, up 36% to $870M, according to the Telecommunications Industry
Association (TIA).

The China Association for Science and Technology (CAST) is the largest
association of scientists and engineers in China (2 million members), having
grown to several hundred affiliated associations since the end of the Cultural
Revolution in the 1970s. In an attempt to seek continued expansion of its
relationships with foreign universities, government agencies, international
standards organizations and businesses, CAST invited an international
delegation to visit China for professional exchanges focused on computer
security. Dr. Ravi Sandhu, Chairman of the ACM's Special Interest Group
on Security, Audit, and Control (SIGSAC), led the delegation, which included
experts from the United States and United Kingdom. From May 18, 1996 to
May 31, 1996 we participated in professional exchanges with our Chinese
counterparts.

The Internet is still a very young technology in China but there are already
powerful forces at work seeking to exert control over the flow of information
within the Chinese portion on the Internet and between the Chinese portion of
the Internet and the rest of the global Internet. The information from
professional exchanges presented here seeks to highlight different attempts at
Internet censorship by the Chinese and the information policy ramifications
for the rest of the Internet. These issues of Internet censorship are common
to all participating countries. Just as no one country can solve the problem
alone, one country's policies will affect the transborder information flows to
all countries.


2.0 Chinese Internet Infrastructure

Since the Internet depends on underlying infrastructure, understanding
telecommunications, language encoding, and computer networks in China will
frame the issues. For instance, given that the government controls all the
mass media in China (newspapers, broadcast stations, films, recordings), it
should be no surprise that they are now regulating the Internet.[34] China's
security infrastructure is equipped to selectively monitor telephone calls and
FAXes. The Chinese government has even banned paging companies from "editing
and disseminating news" in the message function of their pagers.[40]

2.1 Telecommunications in China

Due to the sheer size of its markets, China is expected to have more
telephones, more cellular telephones, more beepers, and more fiber optic
transmission capacity than any other nation within 25 years. The analogy
that has been made in the literature is that every two years China adds a
telephone network equal to France's entire national system.[40] This is
slightly misleading, however, if you consider that average telephone
penetration in China was 0.7% in 1988, 3.25% in 1995, and only projected to
reach 8.0% by 2000.[39] This is among the worst telephone penetration rates
in the world for an industrialized nation.

Since telephone service prior to 1980 was non-existent or inadequate, China has
been able to "leapfrog" generations of intermediate technology. The speed of
construction has been attributed to the low cost of labor in China (about 5% of
a telecommunications installation compared to about 50% in the U.S.).[31] As
a result of rapid construction of new technology, a high percentage of China's
telephone lines that now exist are less than five years old and provide an
excellent channel for modem dial-in Internet access of the kind typically used
by individuals in their homes.

Dynamic changes occurred in the Eighth Five-year Post and Telecommunications
Plan Period (1991-1995) when China's Ministry of Post and Telecommunications
(MPT) began building a three-tier network consisting of fiber optic systems,
satellite ground stations, and microwave trunks. By 1995, China had
established 23 ground satellite stations, 22 fiber optic backbone cables,
completed more than 50,000 km of digital microwave systems, and constructed
several international fiber optic cables (Sino-Japan submarine cable,
Sino-South Korea submarine cable, and the trans-Asia-Europe continental cable
expected 1997).[42]

The MPT is responsible for regulating all post office, telecommunications,
telegraph, and wire services. MPT is also a traditional telecommunications
monopoly operator of telecommunications services. MPT is in the process of
flattening the hierarchical structure of the public network from three levels
(interprovincial transport network, intraprovincial transport network, and
local access network) to two levels (long distance transport and local access).

The Ministry of Electronic Industries (MEI) disseminates policy, conducts
research, and manufactures telecommunications equipment. MEI also has strong
political power. China's President Jiang Zemin is a former Minister of MEI
and Premier Li Peng is a former head of the Leading Group for Revitalization
of the Electronics Industry.[39] The MPT and MEI are both contending for
administrative authority to provide telecommunications leadership, but as the
Chinese economy shifts from a central command system to a market-oriented
system, there is a question whether it is possible for any one organization to
be able to control the forces unleashed.[39] With the rise of the Chinese
Internet built on MPT facilities, information censorship may be the decisive
function which will determine who will provide telecommunications leadership.
At present it appears that MPT's bottleneck control of international Internet
connections gives MPT the edge.

As of 1993, two new telecommunications organizations have been licensed to
operate nationwide services to compete with the MPT: Lian Tong and Ji Tong.
Lian Tong, also known as China United Telecommunications, was formed by a
group of government agencies and other organizations. Its primary offerings
include fixed line, mobile, paging, satellite, and value-added services.
Ji Tong is a joint venture established as a data communications competitor to
the MPT. MPT has responded by lowering prices and increasing investment.

MPT operates several data networks. The China National Public Data Network
(CHINAPAC) is an X.25 network started in 1989 and upgraded in 1994.
CHINAPAC now has access nodes in all areas covered by the telephone network
(700 cities).[5] CHINAPAC can be accessed at leased line speeds up to 64 Kbps
as well as through the public telephone network. MPT also operates a
nationwide digital data transmission network called the Digital Data
Network (DDN). Built in 1994, the DDN provides data services from 30 Mbps
to 2 Gbps with more than 3,000 nodes. The DDN is the backbone of China's
information highway plans.

The Chinese Government has concentrated on funding telecommunications projects
that lead to more efficient centralized government planning.[39]
These projects are referred to collectively as "Golden Projects".
Starting in 1992 when three Golden Projects were initially introduced,
several more Golden Projects have been added each year. These Golden
Projects rely mostly on MPT public network circuits, CHINAPAC, DDN, and
CHINANET for transport. A partial list of currently active Golden Projects
is listed in Table 1.


TABLE 1: THE GOLDEN PROJECTS

Golden Bridge ........ public economic information processing network
Golden Customs ....... foreign trade information sources
Golden Card .......... electronic monetary and modern payment system
Golden Tax ........... electronic taxation system
Golden Enterprises ... industrial production information network
Golden Agriculture ... management and service information system
Golden Intellectual .. education and research computer network
Golden Policy ........ economic micro-policy making support system


The Chinese government prohibits foreign operation of telecommunications
networks. MPT officials cite national security reasons as their
justification to ban foreign investment in operating telecommunications
networks but a more compelling reason would suggest that any such foreign
investment would be in direct competition with the MPT.
However, telecommunications product vendors such as Motorola, AT&T, Nortel,
Nokia, Ericsson, and Siemens are making significant profits in China. Only a
few telecommunication service corporations such as Ameritech, McCaw, Singapore
Telecom, and Siemens-Deutsche Telekom have managed to forge joint venture
agreements in which they are defined not as telecommunications service
providers but rather as engineering advisors. Such joint venture
agreements offer little legal protection. In fact there is no
telecommunications law in China. The absence of telecommunications law
bolsters the influence of the MPT as both the dominant telecommunications
common carrier and the telecommunications regulatory agency.

In summary, the Chinese telecommunications infrastructure is a study in
contrast. China has deployed nearly every technology currently available and
yet has a low level of penetration; it is a highly regulated monopoly yet has
strong competition and foreigners trying to enter; since it has no policy of
universal service there are barren service areas but some areas have
state-of-the-art services. The communist leaders of China have long adhered
to a centralized, secure, and propagandized approach to governance.
The implications of the Internet, where millions of Chinese people will soon
have access to the wealth of information from the global community, call into
question whether this approach to governance will be able to continue.


2.2 Chinese Language Encoding

Language is an important but often overlooked factor in Internet
communications. Chinese written languages can be divided into two groups:
(1) simplified Chinese used in mainland China and (2) traditional Chinese
used in Taiwan and Hong Kong. Both represent ideas with many different
picture symbols (ideograms). Simplified Chinese originates from traditional
Chinese but is easier to write, using fewer strokes. Readers of traditional
Chinese have difficulty distinguishing simplified Chinese because the reduced
number of strokes decreases the difference between similar ideograms.
Readers of simplified Chinese have extreme difficulty interpreting traditional
Chinese because ideograms can be totally different with no shared
characteristics. There are also written phonetic forms of the Chinese language,
known as pinyin, that use the Latin alphabet to transliterate the language,
but this is not universal and the vital indicators of pitch movement
(high-low, low-high, steady, high-low-high) are often not incorporated.
Pitch movement is important in Chinese because the same sound can have very
different meanings depending on the pitch movement used when spoken.

These Chinese language characteristics have presented significant problems to
computer usage and now Internet communications. English language computer
keyboards and computer hardware/software expect ASCII symbols (American
Standard Code for Information Exchange) in which each symbol is represented
in 8 bits. Thus ASCII can represent a maximum of 256 (2^8) symbols which is
much less than the approximately 19,000 unique symbols needed for all
Chinese languages. To a certain extent, this problem of representing a large
set of ideograms has locked out a large population from the computer age
since typing is a foreign notion. Most Asians have not been familiar with the
concept of a keyboard until just recently.

A proposed global standard, Unicode, would solve this problem by representing
all symbols in sixteen bits instead of eight bits thus allowing for 65,536
total symbols. However, Unicode has not yet gathered unanimous international
support from standards bodies and corporations, and any transition to
Unicode, if adopted, would have far-reaching consequences, since it would
instantly double computer memory requirements among other computer
architecture impacts. In the interim before Unicode or a competing standard
is eventually adopted, the Chinese have submitted the Chinese interchange codes
ISO-2022-CN and ISO-2022-CN-EXT to the Internet Engineering Task Force (IETF)
as proposed standards.[15,32] In addition, searching and indexing tools for
Chinese language-coded documents are being developed.[24]
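As an added illustration (not code from the paper), the following Python encoder and decoder show how ISO-2022-CN carries GB 2312 ideograms over a 7-bit ASCII channel using an escape designation and shift-out/shift-in codes, the problem the paragraph above describes. The function names are ours, and the mapping from ideograms to GB 2312 byte pairs is taken from Python's own gb2312 codec rather than a hand-built table.

```python
"""Minimal ISO-2022-CN (RFC 1922) round-trip for the GB 2312 subset.
Added example, not from the paper; function names are ours."""

ESC, SO, SI = b"\x1b", b"\x0e", b"\x0f"
DESIG_GB2312 = ESC + b"$)A"   # designate GB 2312 into the G1 character set


def encode_iso2022cn(text: str) -> bytes:
    """Encode text as ISO-2022-CN using only 7-bit bytes.

    ASCII passes through unchanged. Each ideogram is looked up in GB 2312
    (two bytes >= 0xA1), the high bit of each byte is stripped, and the pair
    is emitted while the G1 set is shifted in (between SO and SI). RFC 1922
    requires every line to start in ASCII with no designation in effect, so
    the ESC $ ) A designation is repeated on each line that needs it.
    """
    out = bytearray()
    for idx, line in enumerate(text.split("\n")):
        if idx:
            out += b"\n"
        designated = in_g1 = False
        for ch in line:
            if ord(ch) < 0x80:
                if in_g1:
                    out += SI
                    in_g1 = False
                out += ch.encode("ascii")
                continue
            pair = ch.encode("gb2312")  # UnicodeEncodeError if not in GB 2312
            if not designated:
                out += DESIG_GB2312
                designated = True
            if not in_g1:
                out += SO
                in_g1 = True
            out += bytes(b & 0x7F for b in pair)
        if in_g1:
            out += SI
    return bytes(out)


def decode_iso2022cn(data: bytes) -> str:
    """Decode the subset produced by encode_iso2022cn back to a str."""
    out = []
    i = 0
    g1_designated = in_g1 = False
    while i < len(data):
        b = data[i]
        if b == 0x1B:
            if data[i:i + 4] != DESIG_GB2312:
                raise ValueError(f"unsupported escape sequence at byte {i}")
            g1_designated = True
            i += 4
        elif b == 0x0E:
            if not g1_designated:
                raise ValueError(f"SO at byte {i} before any designation")
            in_g1 = True
            i += 1
        elif b == 0x0F:
            in_g1 = False
            i += 1
        elif b == 0x0A:
            g1_designated = in_g1 = False   # state resets at end of line
            out.append("\n")
            i += 1
        elif in_g1:
            if i + 1 >= len(data):
                raise ValueError("truncated GB 2312 byte pair")
            pair = bytes((data[i] | 0x80, data[i + 1] | 0x80))
            out.append(pair.decode("gb2312"))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def is_seven_bit(data: bytes) -> bool:
    """True if every byte fits in 7 bits, as a 1990s mail or news path expects."""
    return all(b < 0x80 for b in data)


if __name__ == "__main__":
    # Constructed sample: "Hello " followed by two ideograms, then one on a new line.
    sample = "Hello \u4e2d\u56fd\n\u4e2d"
    wire = encode_iso2022cn(sample)
    print(wire)
    assert is_seven_bit(wire) and decode_iso2022cn(wire) == sample
```

A decoder that ignores the per-line reset, or that accepts a shift-out before any designation, will silently mis-decode, which is why the decoder rejects those inputs rather than guessing.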

PC manufacturers have approached the challenge of encoding the Chinese
language as an opportunity. Many PC packages use either: (1) the phonetic
form of Chinese, pinyin, and the user selects from a menu of possibilities or
(2) a combination of up to four keystrokes to generate a single ideogram with
the memorization of the four exact keystrokes being the limitation. Chinese
version Windows 3.2 is bundled with 10 input methods and Apple's Macintosh has
four input methods.

The Chinese government has been supporting the development of Chinese language
encoding standards. This represents a potential vulnerability to government
control of Internet communications since the encoding standards are vital for
interoperability. The Chinese government is aware of the importance of
language use on the Internet. A recent article in the Communist Party
newspaper urged Chinese to work hard to make Chinese the main language on the
Internet.[35] Recently there have been efforts to encourage the study of the
Chinese language abroad and the Chinese foreign ministry has stopped English
translations at news briefings.[21] There is speculation that as large numbers
of Chinese begin using the Internet that the Chinese language could begin to
dominate Internet communications.


2.3 Computer Networks With Internet Connectivity in China

"Over the past few years, with the growth of a market economy and progress in
spreading information, computer information networks have been playing an
active role in accelerating China's economic, scientific, technological, and
educational development"
- as reported by The New China News Agency February 1996 [12]

The Internet has developed in China in two short years. The Asia-Pacific
Network Information Center (APNIC) database lists 190 registered networks
under country domain code .CN of which 19 are self-defined as Internet Service
Providers (ISPs). Although China prohibits foreign companies from operating
telecommunications networks within its borders, China does allow operational
interconnection between its national data networks and foreign-run data
networks.

The first direct link from China to the Internet was established in 1993 by
the Institute of High Energy Physics (IHEP) which is part of the Chinese
Academy of Sciences (CAS). IHEP connected to Stanford University via a
64 Kbps leased satellite circuit from AT&T. In March 1994 this link was
formally provided full Internet access and in July 1994 the connectivity was
changed to a submarine circuit through KEK (National Laboratory for High
Energy Physics, Japan).[42]

In parallel with IHEP, the National Computing and Networking Facility Center
(NCFC) within CAS was also funded by the World Bank and the Chinese government
to interconnect three campus networks with their supercomputer site.
CAS's campus network (CASNET) was extended to Beijing University and Tsinghua
University at 10 Mbps. As CASNET grew, NCFC was designated as the network
center, designated China's top domain server, and connected to the
Internet (64 Kbps). CASNET has now grown to 30 research institutions
(20,000 users).[27] In September 1994 the Beijing University of Chemical
Technology (BUCT) became the third institution in China to have full Internet
connectivity via a 64 Kbps MCI satellite circuit connected to CAREN
(Consortium of Asian Research and Education Network) and JVNCnet
(John von Neumann Center Network - Princeton University).[42]

The largest Chinese network to connect to the Internet is the Chinese Education
and Research Network (CERNET). Government-funded and managed by the Chinese
State Education Commission, CERNET is chartered to connect all Chinese
universities and institutes in the near future and all K-12 schools by 2000.
CERNET was started in 1993 and within the first two years more than 100
universities have been connected (with each campus averaging about 2,000
computers). Most Chinese universities must first build their campus networks
before connecting to CERNET, which is the exact opposite order of development
from most other countries where networked campuses organize subsequently to
form wide area networks. It is predicted that CERNET will become the world's
largest education and research backbone connected to the Internet.

CERNET is configured in three layers: (1) the national backbone, (2) eight
regional networks, and (3) university campus networks. CERNET uses DDN
circuits ranging from 64 Kbps to 2 Mbps to interconnect these three layers
with CHINAPAC circuits used as backup. CERNET, centered at Tsinghua
University, was originally connected to the Internet through (NCFC/CASNET)
but obtained a separate Internet connection via a 128 Kbps circuit
in May 1995.

Although CERNET is an academic network, Internet security was a major design
criterion. Firewalls and access lists have been set up at different levels to
ensure the "safety" of the network. CERNET traffic is recorded and analyzed
for network performance and security analysis. In particular, CERNET's
analysis of the traffic over their Internet connection is that inbound traffic
(Internet to China) has been capacity constrained since original connection
while outbound traffic (China to Internet) has been increasing and will soon
also be capacity constrained.[24]

CHINANET is China's commercial ISP operated by the government via the MPT.
Individuals have been able to purchase Internet accounts directly from
CHINANET since mid-1995. CHINANET has two international links to the Internet
and uses DDN and CHINAPAC circuits to form its domestic network.

In addition to CHINANET, there are a handful of private commercial companies
now beginning to offer access to the Internet to individuals in China.
Recent regulations have allowed new private ISPs to connect to CHINANET if
minimum quality of service standards are met. Connecting private ISPs to the
centrally administered CHINANET enables government authorities to monitor and
potentially censor Internet services and content offered by the new private
ISPs. Private ISPs not only need CHINANET for their international Internet
connectivity but also to coordinate the following technical requirements in
order for interoperability to take place: network access point (NAP) /
Internet exchange (IX) establishment; network information center (NIC)
services; network operation center (NOC) services; and domain naming
system (DNS) standardization.

Examples of the new private ISPs include 1+Net which owns COMPUNET and the
China Internet Company (CIC). COMPUNET started in October 1995 with
$600,000 in capital and provides dial-up service with Chinese language
software. After much success, COMPUNET has expanded to 20 cities with $20M in
new capital and has also opened a Cybercafe in the lobby of the Beijing
Concert Hall.[20,29,33] CIC is managed by James Chu, a U.S. trained computer
scientist. Based in Hong Kong, CIC is owned 60% by Xinhua News Agency
(China's official government news agency). With the Chinese government
indirectly overseeing the operation, CIC offers a business-oriented Internet
environment with controlled content access to the Internet.[18]


3.0 Chinese Internet Policy

It is reported that Chinese Internet regulation began in late December 1995
when Guangen Ding, head of the Communist Party's propaganda department,
installed Microsoft's Windows 95 on his home computer. Roughly two weeks
after Ding began browsing, CHINANET stopped issuing new Internet accounts.
Guangen Ding had supposedly found Playboy's web site as well as several Chinese
dissident homepages and protest newsletters.[38] While this appears to be a
match to the timing of events that unfolded in 1996, Internet regulation has
its roots in Tiananmen Square 1989.

On June 4, 1989, the day that government troops entered Tiananmen Square in
Beijing to end the democracy movement taking place there, the government also
ordered monitors deployed at every FAX machine in China to intercept foreign
reports about the events. The protesters had been using FAX machines to
communicate with each other both internal and external to China.
The Internet, as a more functional means of communication, soon replaced FAX
machines for those protesting Chinese Government policies. Until this year,
the only official response from the Chinese Government has been to covertly
shut down the Chinese portion of the Internet on the June 4th anniversary of
Tiananmen Square each year.

On February 18, 1994, a computer protection law was announced by Premier Li
Peng.[16] The Safety and Protection Regulations of the Computer Information
System of the People's Republic of China dictates that each organization has
to create their own specific procedures to implement computer protection.
For example an organization must develop access controls, administrative
controls, and personnel controls.[16] This law was the first official
regulation on computer security and was issued before Internet access was a
reality in China.

In May 1995, CHINANET in Beijing and Shanghai began selling Internet accounts
to individuals but with restrictions. Each user had to register with the
MPT and Usenet newsgroups "alt." "rec." and "soc." were blocked ("comp." and
"sci." Usenet newsgroups were not blocked). The cost of an Internet account
was relatively expensive, and this combined with registration led quickly to
the creation of a black market in Internet accounts. The Minister of Posts
and Telecommunications, Wu Jichuan, is quoted as saying not all information on
the Internet would be allowed to flow into the country: "as a sovereign
nation, China must strengthen information management."[30]

On January 1, 1996, the Xinhua News Agency reported that the government called
for a crackdown on the Internet to rid the country of unwanted pornography and
detrimental information. This is several days after CompuServe cut off access
to 200 Usenet newsgroups as part of unrelated litigation in Germany. A joint
statement issued by the State Council and the Communist Party Central
Committee said effective measures had to be adopted to solve the problem of
uncontrolled information. Ten days later on January 10, 1996, the State
Council (this time with representation from all networks with international
Internet connections) decided no additional permits for international Internet
connections would be granted and new user registration should be postponed
indefinitely. Five days later, CHINANET announced a moratorium on new user
accounts. Official press reports stated that a high volume was more than
CHINANET could handle, with an estimated 70,000 people using only
7,000 registered accounts.

On January 23, 1996, a government cabinet meeting chaired by Premier Li Peng
adopted rules governing international Internet connections. The cabinet
reiterated its provisional approval for international computer links but
declared it imperative to formulate rules to govern China's use of the new
technology. On February 1st, the following new regulations promulgated by
this meeting were announced by the Xinhua News Agency:


- all ISPs have to liquidate and reregister

- all computer information networks making international connections must
use a channel designated by the Ministry of Post and Telecommunications

- all networks will be supervised by one of four branches of the Government:
(1) the Ministry of Post and Telecommunications (general)
(2) the Ministry of Electronics (computer companies)
(3) the State Education Commission (universities)
(4) the Academy of Sciences (scientific research)

- any organization applying for an Internet node must have legal status:
appropriate equipment, technical personnel, & safety/security control
measures.

- no organization or individual may engage in activities at the expense of
state security. Producing, retrieving, duplicating, or spreading
information that may hinder public order is forbidden; pornography is
explicitly banned.

At this point, ISPs began asking users to sign an agreement to abide
by the new Internet regulations, not endanger state security, promise not to
put business advertisements on the Internet (spamming), and not delay their
monthly payments.[11] It was also reported at this time that the MPT was
developing software to filter pornography and counter-revolutionary ideas from
Internet traffic.[17,18]

On February 14, 1996, the Ministry of Public Security (MPS) issued a circular
requiring all Internet users to register with them within 30 days. Users must
also report to MPS if they switch accounts with a different ISP or cancel
their account.[8] The MPS's primary function is policing with branches at
the federal, provincial, county, city, and village level. The MPS is also in
charge of computer security where it investigates computer crime, provides
computer security training, and issues computer security regulations.
MPS has regulations for computer rooms, computer security products,
international communications, and the import/export of information in any
medium. For example, International Email Privacy Article 12 states that all
software entering China must be declared to Customs officials.[16]

The Internet user registration regulation is actually a modification of the
CERNET student Internet account registration form.[23] The CERNET
administration board, composed of government officials and in charge of
policy making, has three documents which comprise CERNET's "Acceptable Use
Policy" for users: [24]


Management Regulations of China Education and Research Network

China Education and Research Network Safety Management Contract

China Education and Research Network User's Regulations


The 1996 Internet regulations coincide with 1996 Chinese regulations to
restrict foreign news services from offering international economic
information (i.e. Dow Jones, Reuters).[17] Xinhua News Agency now has a
monitoring room to censor foreign news service.[12] Providing real-time
financial information generates tens of millions of dollars in the developing
Chinese stock, bond, and commodity markets as well as allowing banks and
trading houses to hedge risks on markets abroad. Whether these foreign news
service restrictions represent a simple economic motive or whether they are
another manifestation of Internet control is not clear.[13] The Internet
has many such financial news sources who have global marketing plans.
These are the first business information restrictions since the early days of
China reform (post 1949) when Communist authorities banned residential
telephones.[17]

In September 1996, the State Council Information Leading Group ordered the MPT
to block access to about 100 Internet sites "suspected of carrying spiritual
pollution" with a second group to be blocked at a later date. The blocked
sites can be categorized into U.S. news media sites; Taiwanese Chinese-
language sites; Hong Kong news media sites; dissident sites external to
China; and pornographic sites. This censorship has been implemented and
independently verified.[9,26]

As the Internet proves its utility in China, it will not only promote economic
growth but also provide a new channel for freedom of speech. While China
attempts to officially control freedom of speech within China, the overseas
Chinese dissident community is not so easily controlled and is already sending
and posting information over the Internet which is objectionable to the
Chinese government.[17] One prominent example is three groups (Human
Rights in China, The Center for Modern China, and China Spring), each of
which publishes reports every Sunday that are accessible in China via the
Internet.[12] Another example is Wei Jingsheng, a leading democracy
campaigner, who was resentenced to a second long prison term in 1995 for a
text authored 16 years earlier entitled "Fifth Modernization." At about the
same time Mr. Wei was being resentenced, the U.S.-based China News Digest
Emailed its 40,000+ Internet subscribers, including many subscribers inside
China, the full text of "Fifth Modernization".[18]

It is ironic that the announcement of these Internet policies was simultaneous
with announcements of CHINANET plans to expand Internet access to all
provinces in China and announcements of additional Golden Projects. While
China's Internet regulations have been seen by most western observers as
negative, many Chinese see the government actions as positive. "China is not
closing its door to all information. It's just requiring that all information
coming in has to follow Chinese laws," states James Chu of CIC.[34]
Although the Chinese government is wary of the Internet, the information it
carries is simply too important for economic development.[34] No modern
economy can do without a national information infrastructure and these
regulations can be interpreted as the Chinese government's acceptance of the
Internet given it was not entirely outlawed as it could have
been. "We should find a way for the Internet to work for our nation,"
states Jiang Lintao an Internet specialist at the MPT.[17]


4.0 Internet Censorship

"One can regard the Internet in some of the same ways as radio waves with
respect to the abilities of the medium to transparently flow across national
boundaries."
- Tony Rutkowski, former Head of the Internet Society [22]

Nations have been jamming radio and television broadcast signals, censoring
news reports, and spreading propaganda via official channels for many years.
With the advent of wired computer communications, completely new forms of
broadcasting have evolved. The digital nature of these new signals now makes
it easier to instantly control transborder communications flows.[22] From a
technical feasibility point of view, it is becoming possible to segment
Internet communications country by country.

The Internet promotes flow of ideas and the ability to freely and instantly
communicate. In contrast, an authoritarian nation's very survival may depend
upon its ability to control information, information citizens have about their
country and the outside world as well as information the outside world knows
about the internal situation of the country. The very fact that authoritarian
governments are among the first attempting to control the Internet is an
indication of the potential importance of the Internet.[14]


4.1 Non-Technological Internet Censorship Strategies

As witnessed by China's 1996 Internet regulations, nations are not passively
observing the powerful new influence of the Internet. Rather governments are
attempting to extend their power from the physical world into the Internet.
Before examining the new censorship strategies made possible by the digital
nature of the Internet, we first examine the applicability of non-
technological strategies to censor the Internet. These non-technological
strategies have evolved in other contexts over the past century and proven
themselves extremely effective. Despite the attractiveness of new sterile
technological censorship solutions, non-technological solutions are still the
predominant and perhaps the most effective censorship techniques available.
While Internet censorship is already taking place in many countries, we will
confine our examples to the use of these non-technological Internet
censorship strategies in China. The following list extends discussion
found in [14].

(1) Legislate illegal content

{Internet regulations, for Chinese examples see Section 3.0}

(2) Control the physical land and sea right-of-ways and spectrum allocation
rights [14]

This will provide sovereign authority over telecommunications projects, set
conditions for network construction and operation, and allow access to
communications facilities as needed for censorship. In China the government
controls all right-of-ways and spectrum allocation and thus controls network
topology and access to network equipment.

(3) Ban or regulate the equipment necessary for users to communicate [14]

China regulates satellite dishes, FAX machines, pagers, and Internet accounts.
The MEI manufactures most of the telecommunications equipment used in China
and the MPT regulates and operates DDN, CHINAPAC, and the public telephone
network which underlies most computer networks in China. Equipment control
is also access control.

(4) Control access

It is impossible to control content without also controlling access. The best
way to control access is by becoming the only access provider. In China,
there are already multiple ISPs but private commercial ISPs are mandated to
use CHINANET and MPT facilities and all ISPs are regulated by the government.
In addition, the MPS is attempting to control Internet access via both user
registration and control of international Internet connections.

(5) Special business restrictions for foreign corporations [14]

The most celebrated use of this technique by China is in dealing with Rupert
Murdoch. Mr. Murdoch had publicly predicted in 1993 that satellite TV would
prove to be the undoing of totalitarian regimes; "Satellite broadcasting makes
it possible for information-hungry residents of many closed societies to bypass
state-controlled television channels."[3,17] In order for Murdoch to operate
satellite broadcasts into China, the Chinese Government forced Murdoch to
remove the BBC World Service Television newscasts from his Star TV satellite
broadcasts into China, Hong Kong, and Taiwan. Mr. Murdoch also had to
agree to pay $5.4 M to the Chinese Communist Party's flagship newspaper.[3]
In response to other international satellite entrepreneurs, China also
outlawed the sale of satellite dishes, launched a nationwide cable laying plan
to expand its own programming, and launched its own satellite-based pay TV
China Central Television Network (CCTV).[3]

(6) Domestic regulations to influence organizations internationally [14]

For example, government threats from different countries have inhibited the
New York Times and Washington Post from running critical articles in their
globally distributed International Herald Tribune.[14]

(7) Apply government pressure on organizations to reveal information [14]

Although encrypted information may not be practically decipherable by "sniffing
Internet packets", the government can place various forms of pressure on
organizations to reveal information or create incentives to reveal information.
The Chinese government has been studying the Singapore government's technique
of "community gatekeeping" where users who notice undesirable material on the
Internet are encouraged to immediately alert authorities.[2] There is
pressure on new private ISPs in China to self-censor their services to operate
within the limit of Internet regulations. Threats of severe punishment
increase the incentive of ISPs to be responsive and vigilant to Internet
regulations.

(8) Assert diplomatic pressure [14]

Nations can assert diplomatic pressure via economic sanctions, contract awards,
boycotts, and military exercises (blockades, mining, no-fly restrictions) to
modify the behavior of other nations. Examples include China's war games in
the Taiwan Strait in an effort to intimidate the Taiwanese elections process
and the 1996 $1.5 B airplane purchase agreement lost by Boeing to European
Airbus in protest against U.S. statements about human rights and intellectual
property rights violations in China.

(9) Control pertinent technological standards via non-technological means

Control of a standard can mean control of the technology and the international
standards process can be manipulated given appropriate means. We have already
mentioned the importance of the Chinese language encoding standard in
Section 2.2. Another example is the MPS. The MPS defines standards for
databases and information management and network security, approves encryption
products and smart cards, and sets national computer security policy.[16]
These standards are key to any potential monitoring of Internet content.

Before leaving these non-technological techniques, we need to expand on
strategy 5 (special business restrictions) since China is both centrally
controlled yet has some open markets. As China continues to operate under
the command model, it has incorporated lessons from failed communist models
and implemented uniquely Chinese-favored open markets.

Foreign firms cannot simply buy from and sell to any Chinese firms and
individuals. China grants the right to trade only to designated firms,
largely state monopolies. China will grant trading rights to foreign firms
but only in joint ventures with Chinese companies. This reinforces the Chinese
notion that access to a market is a political gift to be handed out as a
reward to firms. China's main tactic in attempting to discourage foreign
meddling in its internal affairs has been to threaten foreign firms with the
loss of contracts and trade. This invites a situation in which market access
becomes a reward for facilitating Internet censorship.

Since China prohibits foreign firms from operating telecommunications networks
within its national borders, foreign firms seeking Internet business in China
must enter into a joint venture agreement with a Chinese organization. Finding
the right joint venture partner is absolutely critical to success.
Strong Chinese partners can insulate joint ventures from government regulation
but strong Chinese partners may also apply pressure for Internet censorship.

In summary, these non-technological Internet censorship strategies are the
established techniques used by nations to control information. The techniques
are based on the use of power. Whether they alone will be successful in
controlling information over the Internet is an open question.


4.2 Technological Internet Censorship Strategies

"The Internet interprets censorship as damage and routes around it."
- an Internet axiom credited to John Gilmore, Silicon Valley network
engineer [22]

While there are strong motivations for a nation-state to censor the Internet,
Internet information flow is difficult to control. Although
interorganizational coordination is needed for address and routing management,
Internet (TCP/IP) networking is essentially plug-and-play with low-end
access available via a computer, a modem, and a telephone line. Once connected
to the Internet, a user can access information from around the world and
become an author by publishing a web page or posting to a Usenet newsgroup
or an Internet mail distribution list.

The main obstacle to Internet censorship is the basic design of the Internet
itself. The Internet was built for fault tolerance of unreliable network
links and computers, such that if a link or a computer fails then packets can
adaptively recover and automatically detour around faults. If access to
information on one computer is blocked on one route, a user can simply use an
alternate route via another computer. A user concerned about censorship can
encrypt information so that it is virtually unreadable to anyone but the
intended recipient, raising the level of intervention needed to intercept
and decipher it. It is possible to bypass censors simply by changing names
of newsgroups, using an Email alias, or sending Email via chains of anonymous
remailers.[22]

New commercial hardware and software tools provide Internet censorship
abilities without limiting network access or the prospect of employing masses
of censors to monitor all Internet traffic. These tools do not attempt to
censor transmissions within the network but rather attempt to block undesired
content at each user's computer. Software could block information by using
content descriptive tags developed by third parties to select what can and
cannot be retrieved or transmitted. When using most Internet services users
must take an affirmative action and control of this affirmative action is a
focus of censorship activities.

In an attempt to empower users with this type of Internet censorship
capability, the Platform for Internet Content Selection (PICS), a
specification developed under the World Wide Web Consortium, provides a
framework for labeling and rating Internet content similar to movie ratings.
Niche Internet vendors have produced PICS filtering software which an adult
or a boss can use to keep children or employees from accessing parts of the
Internet. The PICS motivation is to move governments from their traditional
censorship role toward a new role as a content rating police ensuring
Internet information sources do not falsely represent themselves.[4,22]

If a feasible content rating system is eventually agreed upon, it will be
challenged by the many new Internet information sites that are created every
day. Even with frequent upgrades, any Internet censorship software will always
be at least partly out of date. PICS filters identify only the well-known and
relatively permanent sites of objectionable material but content within an
acceptable site or newsgroup can change to unacceptable at any time.[22]
When a well-known web site is blocked, content can be distributed and stored
on multiple "mirror" sites throughout the Internet. This puts censors in
the position of detecting and blocking each mirrored web site. Web sites also
can be cleverly disguised and placed beyond the legal jurisdiction of
governments.[14] Besides blocking web sites directly, the results of numerous
powerful search engines will also need to be censored.

Lastly, when implementing any technological Internet censorship strategy,
unforeseen consequences will be exposed by human users. Two examples of such
unforeseen consequences are substitutability and tunneling.
In substitutability, when one Internet service is blocked or censored, users
will migrate to another service or set of services that can provide similar
functionality. For example, if FTP is blocked or censored, users will
transfer files via Email (files broken up in pieces) or if Email is blocked
or censored, users will send messages via FTP or the web. Thus Internet
services must be viewed collectively for an effective technological
censorship strategy. In tunneling, users can combine multiple Internet
services that are uncensored to create the functionality of Internet
services that are censored. In technical terms, tunneling encapsulates the
information of a censored protocol within an uncensored protocol, wrapped by
header/trailer packet information fields. The uncensored protocol then
traverses the network to the destination point where the uncensored protocol
headers/trailers fields are then stripped away leaving only the information
of the censored protocol.
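The following is an added example and is not part of the original paper: it
simulates the tunneling just described against a port-based censor. The
censor policy (FTP control port 21 denied, web port 80 permitted), the HTTP
framing used as the uncensored protocol, and the sample payload are all
constructed for illustration.

```python
"""Added example (not from the paper): tunneling a censored protocol
through an uncensored one past a port-based censor.

Constructed scenario: the censor drops traffic to the FTP control port (21)
but permits web traffic (80).  The sender wraps the FTP-style payload in an
HTTP request (header fields in front, an end marker as trailer); the
receiver strips the HTTP framing and recovers the original bytes.
"""
from __future__ import annotations

import base64

BLOCKED_PORTS = {21}   # assumed censor policy: FTP denied, web permitted
FTP_PORT, HTTP_PORT = 21, 80
TRAILER = b"\r\n--end-of-tunnel--\r\n"


def censor_permits(dst_port: int) -> bool:
    """A port-based censor only sees the outer protocol's destination port."""
    return dst_port not in BLOCKED_PORTS


def encapsulate(inner_proto: str, payload: bytes) -> bytes:
    """Wrap the censored protocol's bytes inside an HTTP POST body."""
    body = base64.b64encode(payload)
    header = (
        "POST /upload HTTP/1.0\r\n"
        f"X-Inner-Protocol: {inner_proto}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return header + body + TRAILER


def decapsulate(wire: bytes) -> tuple[str, bytes]:
    """Strip the outer header/trailer; return (inner protocol, payload)."""
    head, _, rest = wire.partition(b"\r\n\r\n")
    proto, length = "", 0
    for line in head.split(b"\r\n")[1:]:         # skip the request line
        name, _, value = line.partition(b": ")
        if name == b"X-Inner-Protocol":
            proto = value.decode("ascii")
        elif name == b"Content-Length":
            length = int(value)
    body, trailer = rest[:length], rest[length:]
    if trailer != TRAILER:
        raise ValueError("truncated or corrupted tunnel frame")
    return proto, base64.b64decode(body)


def transfer(payload: bytes, tunnel: bool) -> bytes | None:
    """Try to move a file across the censored link.

    Returns the bytes the receiver obtains, or None if the censor dropped
    the transfer.  Without tunneling the transfer uses FTP directly; with
    tunneling it rides inside HTTP, which the censor does not block.
    """
    if not tunnel:
        return payload if censor_permits(FTP_PORT) else None
    wire = encapsulate("ftp", payload)
    if not censor_permits(HTTP_PORT):
        return None
    _proto, data = decapsulate(wire)
    return data


if __name__ == "__main__":
    sample = b"constructed sample file contents\x00\xff"
    print("direct FTP :", transfer(sample, tunnel=False))   # None: blocked
    print("HTTP tunnel:", transfer(sample, tunnel=True))    # payload recovered
```

A censor that looks only at ports (or at the five-tuple of the packet) cannot
distinguish the tunnel from an ordinary web upload; only a censor that parses
the HTTP body itself could notice the inner protocol, which is the argument
for application-level firewalls made later in this paper.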

In summary, these arguments are not meant to imply that governments are
powerless or will not try to censor the Internet but they do imply that it
will take more than one simple automated tool to do so. Many governments are
already attempting to scale proven technologies designed for private networks
to a larger national scale. Creating controlled Internet environments using
combinations of new technologies such as intranets and firewalls represent the
state-of-the-art in technological Internet censorship strategies. We will now
examine intranets and firewalls in the Chinese context.


4.2.1 Intranets

The initial reaction to a problem that can be traced to the Internet is to
disconnect the organization's Internet connection, breaking all physical
network links between internal networked computers and the Internet. This is
essentially what an intranet is: an enterprise network (spanning geographical
boundaries to connect different types of computers in various parts of an
organization) that provides users with Internet application tools (i.e. web
browsers) to access organizational information. Note that an intranet is an
internal network to link organizational members to organizational information.
An intranet is completely controlled by the organization. If any Internet
connection does exist (one does not have to exist) a "firewall" (which will be
discussed in the next section) prevents outside computers anywhere on the
Internet from accessing computers on the intranet.

Intranets are popular now for four reasons: (1) the infrastructure is in place,
in terms of computers, software, and connectivity for any network with
Internet access; (2) they work, allowing all organizational members instant
and uniform access to broadcast organizational information, internal databases,
and internal collaboration; (3) they scale well, because the technology is the
same as that used in the Internet; and (4) intranets are isolated from the
Internet, either physically or behind a firewall. Due to the popularity of the
world wide web, most intranets are implementations of an enterprise network
providing access to web server(s).

In the web context, creating an intranet requires the following:
(1) establishing a web server, requiring hardware and software;
(2) establishing web server access by building a TCP/IP network
(Transmission Control Protocol / Internet Protocol, the protocol suite that
provides interoperability on the Internet); (3) loading client web browsers
on each user's computer; and (4) creating a web homepage document using HTML
(hypertext markup language).

If China is attempting to build a national intranet to take advantage of
established network connectivity while limiting access to information
forbidden by Chinese Internet regulations, it would become the largest intranet
in the world if successfully implemented.[14] One private ISP, CIC, is creating
an intranet using filtering technology from Sun Microsystems. CIC provides
unlimited network access within China but has screened menus to access the
Internet. Users will be able to petition to open a channel to any
international ISP subject to review by the MPT and MPS. CIC is being
periodically inspected by the MPS.[17]

The overwhelming majority of Internet traffic originating in China (90%) is now
destined outside of China. The Chinese authorities (MPT and MPS) have set a
future target of diminishing the proportion of outbound Internet traffic from
China to the Internet to 30%.[12] One technique to accomplish this is by
blocking access to all sites which have not been reviewed by Chinese officials.
The new private ISPs are in a vulnerable position to cooperate, not wanting to
violate Chinese Internet regulations and be closed down.

One advantage of a web-based intranet to an organization seeking to control
information is the developing ability to track aggregate web traffic and
individual user web traffic. Emerging intranet products are developing
methods to infer user information from web server request logs. Two current
products are WebTrends from e.g. Software Inc. and Market Focus from Interse
Corp. Each product logs information in files that can be used with
relational databases for specific queries. Other products are starting to be
released that track web pages users access, the path users take to get to web
pages, and the amount of Email an individual user sends and receives (Internet
SnapShot by Tinwald Networking Technologies and Net Analysis by Net.Genesis
Corp.). Two popular web-based search engines, Lycos and Infoseek, plan to
launch systems that will keep track of search topics requested by an individual
user and compile databases that will allow tailored content and advertising
designed for individual users each time they search.

Most of these web-based surveillance tools use the concept of a "cookie".
The cookie was originally designed to maintain state information across a
session of "hits" (a single web client/server transaction) since each hit is
independent. The cookie has become a mechanism that a web server can use to
store and retrieve information on a client. Individual browsers are
identified by electronic tags stored in the browser's "cookie", a small file
on the client's disk in which web servers can deposit an identification (ID)
tag that the browser returns on every later request to that server. The web
server could keep track of every client itself, but this is not practical
due to storage limitations and because the server does not know how long to
retain the information about each session; using cookies to distribute
storage among clients is one solution. New surveillance systems will borrow
from the "cookies" approach of transparently collecting information. Unlike
the limited capabilities associated with cookies, which typically record
only an ID tag, new systems are expected to collect a wider range of
information.
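The following is an added example and is not part of the original paper: it
shows how a server uses the ID cookie described above to stitch otherwise
independent hits into a per-user click path, which is the kind of inference
the intranet log-analysis products mentioned above perform. The server, the
cookie format and the sample visits are constructed for illustration.

```python
"""Added example (not from the paper): a web server that deposits an ID
cookie on a browser's first hit and then joins otherwise independent hits
into a per-user click path.  The server, the cookie format and the sample
visits are constructed for illustration.
"""
from __future__ import annotations

import itertools
from collections import defaultdict


class TrackingServer:
    """Issues "uid=<n>" on the first hit and logs (uid, path) for every hit."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.log: list[tuple[str, str]] = []

    def handle(self, path: str, request_headers: dict[str, str]) -> dict[str, str]:
        cookie = request_headers.get("Cookie", "")
        uid = cookie[len("uid="):] if cookie.startswith("uid=") else None
        response_headers: dict[str, str] = {}
        if uid is None:                       # unknown browser: deposit an ID tag
            uid = f"u{next(self._ids)}"
            response_headers["Set-Cookie"] = f"uid={uid}"
        self.log.append((uid, path))          # each hit on its own is stateless
        return response_headers


class Browser:
    """Stores whatever the server sets and replays it on later requests."""

    def __init__(self, server: TrackingServer) -> None:
        self.server = server
        self.jar: dict[str, str] = {}

    def get(self, path: str) -> None:
        headers = {"Cookie": self.jar["uid"]} if "uid" in self.jar else {}
        response = self.server.handle(path, headers)
        if "Set-Cookie" in response:
            self.jar["uid"] = response["Set-Cookie"]


def click_paths(log: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group the hit log by cookie ID to reconstruct each user's path."""
    paths: dict[str, list[str]] = defaultdict(list)
    for uid, path in log:
        paths[uid].append(path)
    return dict(paths)


def demo() -> dict[str, list[str]]:
    """Two browsers with interleaved visits; the log still separates them."""
    server = TrackingServer()
    alice, bob = Browser(server), Browser(server)
    alice.get("/")
    bob.get("/")
    alice.get("/news")
    bob.get("/search?q=democracy")
    alice.get("/news/taiwan")
    return click_paths(server.log)


if __name__ == "__main__":
    for uid, path in demo().items():
        print(uid, " -> ".join(path))
```

Without the cookie the server would see five unrelated hits, possibly all
from one proxy address; with it, the log alone yields each user's sequence of
pages, which is exactly the data the products above report on.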

In summary, a national Chinese intranet with little or no access to the
Internet provides one model for Chinese authorities who want to control
Internet information. Intranet surveillance tools currently exist which
allow Chinese authorities to track web-based information flows.


4.2.2 Firewalls

"Better to kill 1,000 in error than let even one slip through."
- China's Vice Premier Zhu Rongji on the need to censor the Internet,
February 1996. [29]

A firewall is a computer or group of computer systems that enforces an access
control policy between two networks by blocking traffic or permitting traffic.
Typically a firewall is one computer that sits between an internal network and
the Internet, filtering packets between the Internet and the internal network
according to various criteria. Firewalls simplify security management because
network security can be consolidated on firewall systems rather than being
distributed on systems all over an internal network. Firewalls thus offer a
convenient point where logging and auditing functions can provide summaries
about traffic flows passing through, traces of inbound and outbound
connections, attempts to break through, and alarms for attacks as they
occur. Without a firewall, protection defaults to individual computer
security mechanisms implemented on each internal computer and network device.
Theoretically, a firewall would not be needed if each computer on the internal
network is well-managed and properly secured with sophisticated authentication
but this is seldom the case.[19] The primary difference between a firewall
and the more common network router is that a router only forwards or drops
packets, while a firewall host can also run applications including mail
daemons, FTP servers, web servers, and proxy applications.

The term "firewall" is an analogy to the concrete block firewalls used in
building construction which are designed to stop fires from spreading between
parts of a building. This term is misleading, however, since concrete
firewalls are intended to stop all fires while computer network firewalls
generally permit most traffic to pass through. A better analogy might be a
fire door that opens for permitted data to flow from one side to the other
while preventing a fire from spreading.

A national firewall system for all computer networks with Internet access
within China has served as one of the main motivations of this research.
During the process of writing this paper, evidence for the existence of just
such a national firewall system for China has been independently verified by
several sources.[ 9, 26, personal correspondence] The Chinese motivation of
Internet censorship for a national firewall system is different from the
typical function served by firewalls in most organizations. The following
general firewall concepts presented in this section are designed to illuminate
the possible techniques being used by the Chinese national firewall system.

A firewall itself must be immune to penetration. If a firewall is compromised
then not only is its protection ability eliminated but the firewall itself can
be turned against its original owner. The most effective way to ensure
firewall security is to use a trusted system as the basis for a firewall.
Firewalls have traditionally been built on computers using the UNIX operating
system. There are standards for security extensions to UNIX and UNIX has the
largest most extensive set of available tools.[16] Our professional exchanges
uncovered a well-established effort to develop a secure Chinese-UNIX called
COSIX (Chinese Operating System based on UNIX-version 2.4). This is consistent
with the development of a Chinese firewall which would require a trusted
system platform. The primary advantage of the Chinese building their own
UNIX is that they will have complete control over the end product
firewall features.

A firewall cannot control traffic that is not routed through it. Traffic
that can go around a firewall represents a significant back-door security
hole against which a firewall cannot defend. A simple example of this is a
dial-up connection from inside the firewall to the Internet or from the
Internet to inside the firewall. In the Chinese context, dialing-up an international
Internet connection to go around a firewall to get access to the uncensored
Internet would be prohibitively expensive for most Chinese. It is also likely
that this would be detected by the MPT since telephone calls, especially
international telephone calls, are monitored in China.

Before implementing a firewall, an organization must control its traffic
routing such that external connections to the Internet are identified and
managed. In China, some computer network traffic between two domestic
locations has been routed via international Internet links in the U.S. due
to lack of bandwidth in China and inefficient routing. In 1996, these problems
appear to have been corrected. Table 2 lists China's six current
international links to the Internet. Where the number of international
Internet connections is small as it is in China, it is relatively easy for
a government to control a handful of Internet routers and use them as
firewalls.[14]




TABLE 2: CHINA'S INTERNATIONAL LINKS TO THE INTERNET [10,23]
{for more details see Section 2.3}

No.  Since  China side  Speed     Internet side
1    1994   IHEP         64 Kbps  KEK
2    1994   NCFC         64 Kbps  Sprint
3    1995   CERNET      128 Kbps  Sprint
4    1995   BUCT         64 Kbps  CAREN
5    1995   MPT          64 Kbps  Sprint
6    1995   MPT         256 Kbps  Sprint


Rather than attempting to completely block Internet access in an
intranet model, Chinese Internet regulations instead appear aimed at steering
the flow of traffic through officially controlled firewalls on these
international connections.[12] Officially, the MPT says it does not want
to limit points of access into China but make more efficient use of
expensive international circuits linking China's networks to the Internet
(gaining economies of scale over fewer "fat pipes" versus many smaller
pipes).[10]

Generally, firewalls function at two different levels. The first level is IP
packet filtering at the network level. Internet communications are carried
in packets. Five fields carried in each TCP or UDP packet together identify a
session and are collectively referred to as a full association: (1) the
protocol number in the IP header (identifies the upper layer protocol, most
often TCP, although other protocols and services are possible); (2) the
source IP address (globally-unique IP address of the source computer); (3)
the source port number (the next available port number from a pool, used to
help identify the session); (4) the destination IP address (globally-unique
IP address of the destination computer); and (5) the destination port number
(identifies the Internet service requested). The port numbers are carried in
the TCP or UDP header rather than the IP header. There are fixed "well-known"
destination port numbers that are standard conventions for Internet services.

Using full associations, a firewall using packet filtering can filter on
source computers, source networks, destination computers, destination networks,
Internet services, and inbound/outbound direction (based on network
interfaces). There are two philosophies of firewall packet filtering:
(1) "that which is not expressly prohibited is permitted" and (2) "that which
is not expressly permitted is prohibited." In the first philosophy, services
are denied on a case-by-case basis allowing users considerable freedom.
Filters may only be implemented in reaction to specific penetrations that
have already occurred. In the second philosophy, services are approved on
a case-by-case basis which has a restrictive effect on services.
Filters are implemented proactively in an attempt to prevent penetrations
from occurring in the first place.[41] Some Internet services can be more
effectively handled with packet filtering (e.g. telnet, Email) while other
Internet services can be more effectively handled at a higher level
(ftp, gopher, web).

A variant of packet filtering and a relatively new technique is called dynamic
route filtering. In dynamic route filtering the firewall has the ability to
dynamically add or delete entire sets of packet filters when a particular set
of circumstances occur. Possibilities of triggering events for dynamic route
filtering include day and time restrictions, traffic load shedding (maximum
number of simultaneous connections), and known suspicious events.[1] With this
technique, a firewall that detects suspicious activity can automatically deny
a computer access for a period of time. In the Chinese
context, this technique can be used to dynamically alter filters in order
to track and censor user communications that are likely to migrate to
different network connections.
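The following is an added example and is not part of the original paper: it
implements a packet filter keyed on the five-tuple full association (plus
direction) under both filtering philosophies described above, and adds the
dynamic filtering just discussed, in which repeated suspicious events from one
source install a temporary deny filter that expires on its own. The rule
sets, addresses, thresholds and sample packets are constructed for
illustration.

```python
"""Added example (not from the paper): a stateless packet filter keyed on
the five-tuple "full association" plus direction, run under both filtering
philosophies, with a dynamic filter that shuts a source out for a period
after repeated suspicious events.  Rule sets, addresses and sample packets
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17                       # IP protocol numbers
INTERNAL = "10.0.0.0/8"                # assumed internal network


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool                      # direction, from the arriving interface


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: int | None = None           # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int | None = None
    inbound: bool | None = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.inbound is None or self.inbound == p.inbound))


class PacketFilter:
    def __init__(self, rules: list[Rule], default: str) -> None:
        self.rules = rules                          # first matching rule wins
        self.default = default                      # the filtering philosophy
        self.blocked_until: dict[str, float] = {}   # dynamic filters: src -> expiry
        self.failures: dict[str, int] = {}

    def decide(self, p: Packet, now: float = 0.0) -> str:
        """Stateless decision on the five-tuple; no session context is kept."""
        if now < self.blocked_until.get(p.src, -1.0):
            return "deny"                           # dynamic filter still active
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default

    def report_suspicious(self, src: str, now: float,
                          threshold: int = 3, penalty: float = 600.0) -> bool:
        """Triggering event (e.g. a denied connection attempt).  After
        `threshold` events the source is denied for `penalty` seconds.
        Returns True when a dynamic filter was installed."""
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] < threshold:
            return False
        self.failures[src] = 0
        self.blocked_until[src] = now + penalty
        return True


# Philosophy 2: "that which is not expressly permitted is prohibited".
restrictive = PacketFilter([
    Rule("permit", TCP, src=INTERNAL, dport=80, inbound=False),   # outbound web
    Rule("permit", TCP, dst=INTERNAL, dport=25, inbound=True),    # inbound mail
], default="deny")

# Philosophy 1: "that which is not expressly prohibited is permitted".
permissive = PacketFilter([
    Rule("deny", TCP, dst=INTERNAL, dport=23, inbound=True),      # no inbound telnet
], default="permit")

# Constructed sample packets (documentation address ranges).
WEB_OUT = Packet(TCP, "10.1.2.3", 1040, "198.51.100.7", 80, inbound=False)
GOPHER_OUT = Packet(TCP, "10.1.2.3", 1041, "198.51.100.7", 70, inbound=False)
TELNET_IN = Packet(TCP, "203.0.113.9", 3300, "10.1.2.3", 23, inbound=True)
WEB_IN = Packet(TCP, "203.0.113.9", 3301, "10.1.2.3", 80, inbound=True)


if __name__ == "__main__":
    for name, p in [("web out", WEB_OUT), ("gopher out", GOPHER_OUT),
                    ("telnet in", TELNET_IN)]:
        print(f"{name:10s} restrictive={restrictive.decide(p):6s} "
              f"permissive={permissive.decide(p)}")
    for _ in range(3):                      # three denied attempts from one host
        permissive.report_suspicious(TELNET_IN.src, now=100.0)
    print("web in while blocked:", permissive.decide(WEB_IN, now=200.0))  # deny
    print("web in after expiry :", permissive.decide(WEB_IN, now=800.0))  # permit
```

Note that the filter never looks past the five-tuple: a blocked service moved
to an unexpected port, or a protocol tunneled inside a permitted one, passes
the same rules, which is why the paper treats packet filtering as only the
first of the two firewall levels.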

The second level at which a firewall can function is the application level.
An application level firewall has more control of a session since it creates
and manages the actual connection. A firewall operating at the application
level does not allow any packets to pass directly between two networks.
Instead the firewall creates a special-purpose application called a proxy
application. The proxy application then determines whether to actually
establish a connection to the requested destination computer on behalf of the
originating computer. Proxies can perform sophisticated functions such as
logging or user authentication and because they are built to monitor specific
protocols, proxies can enforce customized security options.

The major limitation of an application-level firewall is that it requires a
separate proxy for each Internet service to be supported. For every new
protocol or Internet service that is developed, the firewall will have to add
another proxy. Proxies affect transparency and degrade performance. The user
interface for an Internet service might have to be modified to operate through
a proxy and, because the proxies are executing on a firewall, there is a limit
to the number of active simultaneous connections that can be supported.
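The following is an added example and is not part of the original paper: it
shows the decision an application-level HTTP proxy makes before opening a
connection on the client's behalf. Because the proxy parses the request
itself, it can authenticate the user, log the requested host and path, and
refuse a destination by name, none of which is visible to a packet filter
working on the five-tuple. The credentials, the blocked host name and the
sample requests are constructed for illustration.

```python
"""Added example (not from the paper): an application-level proxy decision
for HTTP.  Credentials, the blocked host and the sample requests are
constructed for illustration.
"""
from __future__ import annotations

import base64

PROXY_USERS = {"alice": "s3cret"}           # assumed proxy credentials
BLOCKED_HOSTS = {"news.example.net"}        # assumed name-based policy


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Return (method, request-target, headers) from an HTTP/1.0 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def target_host(target: str, headers: dict[str, str]) -> str:
    """Host the client wants: from an absolute URL, else the Host header."""
    if target.startswith("http://"):
        host = target[len("http://"):].split("/", 1)[0]
    else:
        host = headers.get("host", "")
    return host.split(":", 1)[0].lower()


def authenticated_user(headers: dict[str, str]) -> str | None:
    """Check Proxy-Authorization: Basic base64(user:password)."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if PROXY_USERS.get(user) == password else None


def proxy_decision(raw: bytes, log: list[str]) -> tuple[bool, str]:
    """Decide whether the proxy opens the connection on the client's behalf.
    Returns (connect?, status) and appends an audit line to `log`."""
    method, target, headers = parse_request(raw)
    user = authenticated_user(headers)
    if user is None:
        log.append(f"DENY (no auth) {method} {target}")
        return False, "407 Proxy Authentication Required"
    host = target_host(target, headers)
    if host in BLOCKED_HOSTS:
        log.append(f"DENY {user} {method} {target}")
        return False, "403 Forbidden"
    log.append(f"CONNECT {user} -> {host} {method} {target}")
    return True, "forward"


def basic_auth(user: str, password: str) -> str:
    """Build the Proxy-Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def request(target: str, auth: str | None = None) -> bytes:
    """Construct a sample HTTP/1.0 request as a proxy client would send it."""
    lines = [f"GET {target} HTTP/1.0"]
    if auth:
        lines.append(f"Proxy-Authorization: {auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    audit: list[str] = []
    creds = basic_auth("alice", "s3cret")
    for req in [request("http://www.example.edu/index.html"),
                request("http://www.example.edu/index.html", creds),
                request("http://news.example.net/", creds)]:
        print(proxy_decision(req, audit))
    print("\n".join(audit))
```

The audit line records who asked for what, which is the logging advantage
claimed for proxies above; the cost is that this code understands only HTTP,
and every other service needs its own proxy.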

Network address translation (NAT) is another service that typically executes
on firewalls, because a firewall is located at the ideal point to provide
it (the juncture between networks). NAT was developed to ease the
shortage of IP addresses by allowing private numbering schemes on private
networks. In IP addressing, each computer is given a globally unique address
consisting of 32 bits but the explosive growth in TCP/IP networking has
resulted in the rapid depletion of the available IP address space. NAT is
based on the concept of IP address reuse by private networks (similar in
concept to cellular telephone frequency reuse). NAT works by mapping
private non-globally unique IP addresses to reusable globally unique
addresses required for Internet communications.

In NAT, mapping between local and global addresses is done dynamically.
An Internet-bound packet sent by an internal computer in the private network
follows default routes to the NAT. Upon receipt of the outbound packet, the
source address is extracted and compared to an internal table of existing
translations. If the internal computer's address does not appear in the
translation table, a new entry is created for that computer and it is assigned
a globally unique IP address from the pool of available IP addresses.
After a time-out period during which no packets are translated, the global
address is freed for another internal computer. The NAT maintains a table of
the destination address, port numbers, sequencing information, byte counts,
and internal flags for each TCP connection associated with a particular
computer's address translation. Inbound packets from the Internet will be
compared against entries in the connection table and only permitted if an
appropriate connection exists.
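The dynamic mapping just described, written out as an added example (not code
from the paper or from any NAT product): a pool of global addresses, a
translation table keyed by private source address, a per-translation
connection table holding destination, ports and byte counts, an idle time-out
that returns a global address to the pool, and an inbound check that admits a
packet only when a matching connection exists. The addresses, ports and
time-out value are constructed for illustration; sequencing information and
flags are omitted.

```python
"""Dynamic NAT model: translation table, connection table, idle time-out,
and stateful inbound filtering.  Constructed example, not a production NAT."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source TCP port
    dport: int      # destination TCP port
    length: int = 40  # bytes; 40 is the smallest TCP/IP packet (no data)


@dataclass
class Translation:
    global_addr: str       # globally unique address assigned from the pool
    last_seen: float       # time of the last translated packet (for time-out)
    # connection table: (remote addr, local port, remote port) -> bytes seen
    connections: Dict[Tuple[str, int, int], int] = field(default_factory=dict)


class DynamicNAT:
    def __init__(self, pool: List[str], idle_timeout: float = 60.0):
        self.free = list(pool)                    # available global addresses
        self.table: Dict[str, Translation] = {}   # private addr -> translation
        self.idle_timeout = idle_timeout

    def _expire(self, now: float) -> None:
        """Free the global address of any translation idle past the time-out."""
        for priv, tr in list(self.table.items()):
            if now - tr.last_seen > self.idle_timeout:
                self.free.append(tr.global_addr)
                del self.table[priv]

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Translate an Internet-bound packet; None if the pool is exhausted."""
        self._expire(now)
        tr = self.table.get(pkt.src)
        if tr is None:                       # first packet from this host
            if not self.free:
                return None                  # no global address available
            tr = Translation(self.free.pop(0), now)
            self.table[pkt.src] = tr
        tr.last_seen = now
        key = (pkt.dst, pkt.sport, pkt.dport)
        tr.connections[key] = tr.connections.get(key, 0) + pkt.length
        return Packet(tr.global_addr, pkt.dst, pkt.sport, pkt.dport, pkt.length)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Admit an Internet-originated packet only if a connection exists."""
        self._expire(now)
        for priv, tr in self.table.items():
            if tr.global_addr != pkt.dst:
                continue
            # reverse the direction: remote is the source, our port is dport
            key = (pkt.src, pkt.dport, pkt.sport)
            if key in tr.connections:
                tr.last_seen = now
                tr.connections[key] += pkt.length
                return Packet(pkt.src, priv, pkt.sport, pkt.dport, pkt.length)
        return None                          # unsolicited: dropped


if __name__ == "__main__":
    nat = DynamicNAT(["203.0.113.1", "203.0.113.2"], idle_timeout=60)
    out = nat.outbound(Packet("10.0.0.5", "198.51.100.9", 40000, 80), now=0)
    print("outbound translated to", out.src)
    back = nat.inbound(Packet("198.51.100.9", "203.0.113.1", 80, 40000), now=1)
    print("inbound delivered to", back.dst if back else None)
    stray = nat.inbound(Packet("198.51.100.9", "203.0.113.1", 80, 40001), now=1)
    print("unsolicited inbound delivered:", stray is not None)
```

The point for the censorship discussion is the last branch: an inbound packet
that matches no connection in the table is simply discarded, so a host that is
not already talking through the NAT cannot be reached from outside at all.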

There has been speculation about China being allocated a large globally-unique
address space (i.e. class A addresses) or maybe using a private Chinese
addressing scheme behind a firewall running a NAT.[10] A NAT proxy running
on a firewall would enable Internet censorship because this would mean that
China's networks could have a private IP address scheme and might not be
interoperable with the rest of the Internet without going through a NAT. So a
NAT implemented in firewalls would effectively force China's users through
firewalls and discourage attempts to circumvent the firewall since this would
only result in lack of interoperability. A NAT would, however, require DNS
(domain naming system) coordination of all Chinese ISPs.

There are performance tradeoffs depending on which level a firewall functions.
A firewall operating at the network level can operate faster, is transparent
to users, and processes more packets per second (pps) especially if few
filters are defined. Packet filtering is stateless, however: decisions are
made without session context, which may allow packets that are meant to be
censored to slip by. In contrast, a firewall operating at the application level
provides stronger session security and will not have to consider the complex
interactions between potentially many packet filter rules.[7] A proxy,
however, may not be transparent to users, only specific Internet services may
be supported, and its performance will be heavily dependent on the number of
simultaneous connections.

The decision of which level is the most effective to operate a firewall for
censorship is subjective. The Singapore Broadcasting Authority (SBA) uses a
firewall operating at the application level. SBA now requires all Internet
users in Singapore to connect to the Internet through a proxy. Using a
firewall at the application level allows the Singapore government to censor
"dangerous" web sites discussing politics, religion, and pornography.[36]
Chinese firewall developments are said to be relying on Sun Microsystems
firewalls to selectively block access to the Internet. At CIC, Herman Ho of
Sun Microsystems says Sun software is being configured for firewall use
where it will effectively filter information.[17] By using a firewall, the
Chinese authorities intend to make it at least difficult and risky to violate
the new Chinese Internet regulations. James Chu of CIC reassures his Chinese
users that Internet Email will not be screened or read "unless you have broken
the law".[37]

In forming a national firewall system, how fast will the firewalls need to
process packets? Back of the envelope calculations can provide some insights
on this question. Packet filtering is a per packet operation. The smallest
possible TCP/IP packet (no data) is 40 bytes. Based on this packet size, the
packet filtering speeds needed for China's current wide area serial connections
to the Internet are: 200 pps for the 64 Kbps connection, 400 pps for the
128 Kbps connection, and 800 pps for the 256 Kbps connection. These packet
filtering rates are well below the maximum speeds of available firewalls.
Actual TCP/IP packets will not be empty thus further reducing the maximum
packet per second rate required. At higher speed wide area serial connections
to the Internet, firewalls will need to process 4,825 pps for a 1.544 Mbps
connection (T1) and 140,625 pps for a 45 Mbps connection (T3). At these
speeds and higher, requirements for firewall processing speeds will begin
to constrain Internet service performance. A firewall with more than
two connections will have even higher processing speed requirements.[6]
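The back-of-the-envelope method above, as an added example (not from the
paper): the worst-case packet rate is the link bit rate divided by the bits in
the smallest TCP/IP packet, 40 bytes. The functions generalise the
calculation to any packet size, so the effect of non-empty packets can be
seen, and to a firewall joining several links; treating the aggregate as the
sum of the per-link rates is an assumption made here, as is the rated firewall
capacity used in the headroom check.

```python
"""Packet-filtering rates for wide area links, from link speed and packet
size.  Added example; link speeds are those named in the text."""
from typing import Dict, Iterable

MIN_TCP_IP_PACKET_BYTES = 40   # 20-byte IP header + 20-byte TCP header, no data

# Wide area serial link speeds discussed in the text, in bits per second
LINKS_BPS: Dict[str, int] = {
    "64 Kbps": 64_000,
    "128 Kbps": 128_000,
    "256 Kbps": 256_000,
    "T1 (1.544 Mbps)": 1_544_000,
    "T3 (45 Mbps)": 45_000_000,
}


def packets_per_second(link_bps: float,
                       packet_bytes: int = MIN_TCP_IP_PACKET_BYTES) -> float:
    """Packets per second a saturated link delivers at a given packet size.
    The smallest packet gives the worst case the filter must keep up with."""
    return link_bps / (packet_bytes * 8)


def aggregate_pps(links_bps: Iterable[float],
                  packet_bytes: int = MIN_TCP_IP_PACKET_BYTES) -> float:
    """Load on a firewall that inspects every packet on several links
    (assumption: the rates add; no traffic is shared between links)."""
    return sum(packets_per_second(b, packet_bytes) for b in links_bps)


def has_headroom(rated_pps: float, links_bps: Iterable[float],
                 packet_bytes: int = MIN_TCP_IP_PACKET_BYTES) -> bool:
    """True if a firewall rated for rated_pps can carry the worst case."""
    return aggregate_pps(links_bps, packet_bytes) <= rated_pps


def rate_table(packet_bytes: int = MIN_TCP_IP_PACKET_BYTES) -> Dict[str, float]:
    """Worst-case pps for each link in LINKS_BPS at the given packet size."""
    return {name: packets_per_second(bps, packet_bytes)
            for name, bps in LINKS_BPS.items()}


if __name__ == "__main__":
    for name, pps in rate_table().items():
        print(f"{name:>16}: {pps:>10,.0f} pps (40-byte packets)")
    for name, pps in rate_table(1500).items():
        print(f"{name:>16}: {pps:>10,.0f} pps (1500-byte packets)")
    # hypothetical firewall rated for 10,000 pps, feeding one T1 plus
    # the three slower links
    print(has_headroom(10_000, [1_544_000, 64_000, 128_000, 256_000]))
```

At 40 bytes the table reproduces the paper's figures (200, 400, 800, 4,825 and
140,625 pps); at a 1,500-byte packet size the same links need roughly 37 times
fewer decisions per second, which is the "actual packets will not be empty"
point above.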

For the foreseeable future, new "third generation" firewalls will begin to
synergistically combine network and application level filtering.[6] In the
next generation network technology, ATM, it is not clear if it will be
possible to implement firewalls. The problem is that once an ATM virtual
connection is set up, no intermediate devices process any of the transmitted
cells. There have been proposals that an ATM firewall could be implemented
at connection set-up time with special information elements defined within
signaling messages to indicate the actual higher layer application binding
such that intermediate switches could filter based on higher layer
information.

In this section we have illuminated general firewall concepts and their
applicability to the Chinese Internet context. While not directly stating what
specific firewall techniques are being used by the Chinese authorities, the
functionality is nonetheless clear - China has implemented a national firewall
system. We challenge the Internet community to further describe the
capabilities of China's national firewall system through experimentation and
presentation of findings.


5.0 Conclusions

Internet censorship is not a Chinese or even Asian issue but rather a global
issue. While this research has looked exclusively at China, at the World
Economic Forum's annual meeting in February 1996, Microsoft's Bill Gates noted
that all countries felt the need to control what they perceived to be
undesirable material: Germany with neo-Nazi newsgroups, United Kingdom with
national security information, France with medical/privacy laws and the United
States with the Communications Decency Act within the Telecommunications
Act of 1996.[2]

For all the free speech potential that the Internet makes possible, if few
people in China have access to the Internet due to lack of network access,
bandwidth, a language encoding standard, or a registered Internet account then
the global Internet community will suffer from the lack of participation of
one fifth of the world's population. If the people of China do gain access
to the Internet but the information flow is censored then it is debatable
whether what was really gained is full Internet access after all.

In this paper we have described the status of Internet infrastructure in
China and Internet policies that are being implemented by the Chinese
government. We have described non-technological and technological strategies
that are being used to censor the Internet in China and other countries. We
focused on a firewall-restricted intranet and described the potential
censorship strategies that are likely in this environment.

The Great Wall is one of the most recognized symbols of China through the ages.
A less visible yet equally significant (fire)wall has now emerged as a current
symbol of China. A Chinese national firewall system threatens to impede not
only Chinese Internet development but also set a precedent for international
transborder information flows. The Great Wall failed to prevent invaders and
censoring the Internet appears to be an equally futile exercise to limit free
speech. Just as the Great Wall is no longer a symbol of war but a meeting
point for ideas and goods which binds China's many ethnic groups, each nation
should reconsider the function of computer firewalls from Internet censorship
to routing functions as Internet exchange points. To do otherwise will
segment the Internet and wither the global Internet community that has
been evolving.



Acknowledgments: We would like to thank the following experts on Chinese
computer networking who made our professional exchanges so successful:
Delegation Leader Ravi Sandhu, Professor and Associate Chairman, Information
and Software Systems Engineering (ISSE) Department, George Mason University
and Chairman ACM Special Interest Group on Security, Audit, and Control
(SIGSAC); our exceptional national guide and Mandarin translator Ruiman
(Raymond) Weng/CICCST; our Beijing city guide Ma Jing/CICCST; our Guangzhou
city guide and Cantonese translator Meikuan Li/GICCSTC; Harold Chen/Shanghai
Software Center; David Conrad/APNIC; Huang Degen/MPT(DCTRI);
JunHua Fang/Shanghai Institute of Computing Technology;
Wang Guihai/South China Normal University; Daoyuan Hu/Tsinghua University;
L. K. Hwang/Shanghai University; Yin Cai Hua/CS&S; Qian Li/Shanghai Securities
Exchange; Xing Li/CERNET/Tsinghua University; Xinming Li/CS&S;
Xu Feng Li/Industrial & Commercial Bank of China; Qiyuan Liu/CS&S;
Ma Xian-Yu - Chairman of the Committee on Computer Security/Shanghai Computer
Society; Qin Guang and his entire staff/Shanghai Public Security Bureau;
Yunlin Su/Jinan University; GuiHai Wang/South China Normal University;
Jingyin Wang/Shanghai Institute of Computing Technology; Jianping Wu/CERNET;
Xiao Xianxun and his entire staff - Beijing Division Chief/Ministry of Public
Security; Ying Dong Luo/Public Security; Zhansheng Zhao/Beijing University;
Xu Gui Zhen - Deputy Secretary General/Shanghai Computer Society; Zhang
Zhiheng/MPT(DCTRI); Zong-Gui/Jiao Tong University; and a special thanks to
the members of our delegation: Kathleen Harvey/Datapro; Edwin Heinlein/AVCOIN;
Deborah Knowles/Deloitte and Touche; Eugene Kozik/Pennsylvania State
University; James Morris/Trident Data Systems; Kevin Priest/Intel; Earnest
Reigstad/Warner Lambert; Patricia Smith/Temple Junior College; James
Snaith/South Bank University; and Thomas Wesley/University of Bradford.


References:

[1] Amoroso, Edward and Ronald Sharp. Intranet and Internet Firewall
Strategies. Ziff-Davis Press, Emeryville CA, 1996.

[2] Ang, Peng Hwa and Berlinda Nadarajan. "Censorship and the Internet:
A Singapore Perspective." Communications of the ACM, Vol. 39, No. 6,
June 1996, pp. 72-78.

[3] Brauchli, Marcus W. et al. "Murdoch's Plans Could Aid China In Media
Control." The Wall Street Journal, January 31, 1996, p. A6.

[4] Browning, John. "The Internet is Learning to Censor Itself."
Scientific American, September 1996, p. 38.

[5] Carstens, Andrew. "International Networking - The Great WANs of China."
LAN Magazine, August 1996, pp. 35-38.

[6] Chapman, D. Brent and Elizabeth Zwicky. Building Internet Firewalls.
O'Reilly & Associates, Sebastopol CA, 1995.

[7] Cheswick, William and Steven Bellovin. Firewalls and Internet Security:
Repelling the Wily Hacker. Addison-Wesley, Reading MA, 1994.

[8] "China Tells Internet Users To Register With Police." The Wall Street
Journal, February 15, 1996, p. A11.

[9] Chen, Kathy. "China Bars Access To As Many As 100 Internet Web Sites."
The Wall Street Journal, September 5, 1996, p. B12.

[10] David R. Conrad, personal correspondence, APNIC - Asia Pacific
Network Information Center, United Nations University Headquarters,
Tokyo, Japan.

[11] "Controlling the Internet, Chinese Style." The New York Times,
February 5, 1996.

[12] Faison, Seth. "China Issues Rules to Control Internet."
The New York Times, February 5, 1996.

[13] Frezza, Bill. "China Begins Building The Great Wall of Cyber."
CommunicationsWeek, February 26, 1996, p. 43.

[14] Greenburg, L.T. and S.E. Goodman. "Is Big Brother Hanging By His
Bootstraps?" Communications of the ACM, July 1996/Vol. 39, No. 7,
pp. 11-15.

[15] Internet Draft draft-freed-charset-reg-00.txt
IANA Character Set Registration Process
ftp://ds.internic.net/internet-drafts/
{associates a name with a registered character set}

[16] Kabay, Michel E. et al. Journal of the Citizen Ambassador Program
Computer Security Delegation To The People's Republic of China
April 7 -21, 1994. Citizen Ambassador Program: Dr. Michel E. Kabay
Delegation Leader, Spokane, WA 1994.

[17] Kahn, Joseph et al. "Chinese Firewall: Beijing Seeks to Build Version
of the Internet That Can Be Censored." The Wall Street Journal,
January 31, 1996, p. A1, A4.

[18] Kahn, Joseph et al. "Beijing Seeks To Build Censored Version of the
Internet." The Wall Street Journal Classroom Edition, April 1996, p. 23.

[19] Kaufman, Charlie, R. Perlman and M. Speciner. Network Security: Private
Communication in a Public World. PTR Prentice Hall, Englewood Cliffs,
New Jersey, 1995.

[20] Krantz, Michael. "China, Wired." Time, April 22, 1996, p. 73.

[21] "Lessons from China, In Chinese" The Economist. August 31, 1996, p. 32.

[22] Lewis, Peter H. "The Internet's Very Nature Defies Censorship by
Government or Individual." The New York Times, January 15, 1996.

[23] Xing Li, personal correspondence, CERNET (China Education and Research
Network Center) / Tsinghua University, Professor, Electronic Engineering
Department, Beijing.

[24] Li, Xing. "China Education and Research Network: A Continuous Report."
Inet'96 Conference Proceedings, Montreal Canada, 1996.
http://info.isoc.org/isoc/events/inet/96/proceedings/

[25] Nemey, Chris. " 'Net Freedom Limited Abroad." Network World,
July 1, 1996, Vol. 13 No. 27, pp. 1,10.

[26] "NetNanny States." The Economist, September 14, 1996, p. 34.

[27] Ning, Yutian."Present Situation and Development Framework of CSTNET."
Proceedings of the 1996 International Conference on Information
Infrastructure (ICII'96), April 1996, pp. 706-710.

[28] Orwell, George. 1984. originally published 1949.

[29] Parker, Jeffrey. "China and the Internet: Pushing the Limits of
Tolerance." The New York Times. February 21, 1996.

[30] Press, Larry. "Eye on Emerging Nations: China - Cisco to Provide
Internet Access in 30 Provinces in China." OnTheInternet,
January/February, 1996.

[31] Rausch, Howard. "China's Great Leap in Telecom." Photonics Spectra,
May 1996 pp. 25-26.

[32] RFC 1922 - Chinese Character Encoding for Internet Messages
ftp://ds.internic.net/rfc/rfc1922.txt
{describes method of transporting Chinese characters in Internet
services}

[33] Richburg, Keith B. "A Great Wall of China Slowly Gives Way."
The Washington Post, April 8, 1996, pp. A1, A18.

[34] Schoof, Renee. "Chinese Government Sole Access to Internet."
Los Angeles Times, May 12, 1996, p. A12.

[35] Schoof, Renee. "Entrepreneur Wants All China In Her Net."
Los Angeles Times, July 7, 1996, p. D7.

[36] "Singapore's Single Point of Censorship." InformationWeek,
September 9, 1996, p. 10.

[37] Sorenson, Karen. "Silencing the Net: The Threat to Freedom of
Expression On-Line." Human Rights Watch, Vol. 8, No. 2 (G), May 1996.

[38] "Surfing Censor." Far Eastern Economic Review, February 8, 1996.

[39] Tan, Zixiang. "China's Information Superhighway: What Is It and Who
Controls It." Telecommunications Policy, Vol. 19, No. 9, 1995,
pp. 721-731.

[40] Tempest, Rone. "Wiring China." Los Angeles Times, July 1, 1996, p. D1.

[41] Weiss, Martin. Communications Security and Vulnerability. Custom
Course Material Packet for TELCOM 2101, University of Pittsburgh,
Fall 1995.

[42] Zhu, Qiang. "Latest Development of Internet in Mainland China."
CALA 1995 Annual Conference Proceedings, Chicago, June 1995.

[43] http://www.odci.gov/cia/publications/95fact/index.html.




APPENDIX A


Partial List of Professional Exchanges Locations
Data and Computer Security Delegation to the People's Republic of China
May 18 - May 31, 1996


* China National Computer Software and Technology Service Corporation (CS&S),
Beijing.

* The Industrial and Commercial Bank of China Guangzhou Branch, Guangzhou.

* Jiao Tong University, Shanghai.

* Ministry of Posts and Telecommunications, Data Communications Technology
Institute, Beijing

* Ministry of Public Security, Computer Management and Inspection Bureau,
Beijing.

* Shanghai Computer Society, Shanghai.

* Shanghai Computer Technology Institute, Shanghai.

* Shanghai Securities Exchange, Shanghai.

* Tsinghua University / CERNET Network Research Center, Beijing.



APPENDIX B


Registration Form for International Networking of Computer Information
System in P. R. C.


{graphic not linked}