b"<html>\n<title>CHINA'S CYBER-WALL: CAN TECHNOLOGY BREAK THROUGH?</title>\n<body><pre>[House Hearing, 107 Congress]\n[From the U.S. Government Printing Office]\n\n\n           CHINA'S CYBER-WALL: CAN TECHNOLOGY BREAK THROUGH?\n=======================================================================\n\n                               ROUNDTABLE\n\n                               before the\n\n              CONGRESSIONAL-EXECUTIVE COMMISSION ON CHINA\n\n                      ONE HUNDRED SEVENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                            NOVEMBER 4, 2002\n\n                               __________\n\n Printed for the use of the Congressional-Executive Commission on China\n\n\n         Available via the World Wide Web: http://www.cecc.gov\n\n\n                           U.S. GOVERNMENT PRINTING OFFICE\n83-512                          WASHINGTON : 2003\n\n\n
              CONGRESSIONAL-EXECUTIVE COMMISSION ON CHINA\n\n                    LEGISLATIVE BRANCH COMMISSIONERS\n\nSenate\n\n                                     House\n\nMAX BAUCUS, Montana, Chairman        DOUG BEREUTER, Nebraska, Co-\nCARL LEVIN, Michigan                 Chairman\nDIANNE FEINSTEIN, California         JIM LEACH, Iowa\nBYRON DORGAN, North Dakota           DAVID DREIER, California\nEVAN BAYH, Indiana                   FRANK WOLF, Virginia\nCHUCK HAGEL, Nebraska                JOE PITTS, Pennsylvania\nBOB SMITH, New Hampshire             SANDER LEVIN, Michigan\nSAM BROWNBACK, Kansas                MARCY KAPTUR, Ohio\nTIM HUTCHINSON, Arkansas             SHERROD BROWN, Ohio\n                                     JIM DAVIS, Florida\n\n                     EXECUTIVE BRANCH COMMISSIONERS\n\n                 PAULA DOBRIANSKY, Department of State\n                 GRANT ALDONAS, Department of Commerce\n                D. CAMERON FINDLAY, Department of Labor\n                   LORNE CRANER, Department of State\n                    JAMES KELLY, Department of State\n\n                        Ira Wolf, Staff Director\n                   John Foarde, Deputy Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                               STATEMENTS\n\nRubin, Aviel, co-founder, Publius Web Publishing System, West \n  Caldwell, NJ\nXia, Bill, president, Dynamic Internet Technology, Inc., Cary, NC\nLin, Hai, computer scientist, Shanghai, China\nBaranowski, Paul, chief architect, Peekabooty Project, Toronto, \n  ON, Canada\n\n                                APPENDIX\n                          Prepared Statements\n\nRubin, Aviel\nXia, Bill\nBaranowski, Paul\n\n\n
           CHINA'S CYBER-WALL: CAN TECHNOLOGY BREAK THROUGH?\n\n                              ----------                              \n\n\n                        MONDAY, NOVEMBER 4, 2002\n\n                            Congressional-Executive\n                                       Commission on China,\n                                                    Washington, DC.\n    The roundtable was convened, pursuant to notice, at 2:30 \np.m. in room SD-215, Dirksen Senate Office Building, Ira Wolf \n(staff director) presiding.\n    Also present: William Farris, senior specialist on Internet \nissues and commercial rule of law; Keith Hand, senior counsel; \nHolly Vineyard, U.S. Department of Commerce; and Dr. Jay \nSailey, interpreter, Silver Spring, MD.\n    Mr. Wolf. I would like to welcome everyone here to today's \nroundtable on China's Cyber-Wall: Can Technology Break Through?\n    This is actually our second roundtable this year dealing \nwith Internet issues in China. The first dealt more with policy \nissues, and today we are going to get more into the technology \nside.\n    Next to me is William Farris, who is on the Commission \nstaff and is in charge of Internet issues. Holly Vineyard works \nat the U.S. Department of Commerce for our Commissioner, Under \nSecretary of Commerce Grant Aldonas, and Keith Hand is one of \nour senior legal counsels on the Commission staff.\n    I am Ira Wolf, staff director of the Commission. 
John \nFoarde, who is the deputy staff director and normally would be \nhere, is in China.\n    We have four panelists. Avi Rubin is co-founder of Publius; \nBill Xia, president of Dynamic Internet Technology; Lin Hai, a \ncomputer scientist from Shanghai; and Paul Baranowski, chief \narchitect for the Peekabooty project.\n    We also have Jay Sailey, who will be helping with \ninterpretation. Jay, it is good to always have you back again. \nThanks.\n    Avi, why do we not start with you?\n\n STATEMENT OF AVIEL RUBIN, CO-FOUNDER, PUBLIUS WEB PUBLISHING \n                   SYSTEM, WEST CALDWELL, NJ\n\n    Mr. Rubin. Let me give a little more of an introduction of \nmyself. I want to give you an idea of the kinds of questions I \nam hoping to get and the kinds that I will defer to my other \npanelists.\n    I am a researcher at AT&T Labs, a computer science \nbackground. I am here explicitly not as a representative of \nAT&T, but as a computer scientist.\n    In January, I will be starting to work in a faculty \nposition as an associate professor at Johns Hopkins, and the \ntechnical director of their Information Security Institute.\n    The reason that I am here is that some of my research in \nthe past that focuses on computer security and networking has \nbeen on systems that resist censorship. One of them called \n``Crowds'' was designed for browsing the Web anonymously so \nthat end users and other users of the system cannot tell who is \naccessing what.\n    The other system, called ``Publius,'' which has won a \ncensorship resistance award and is a little better known, was \ndesigned to publish information on a large network like the \nInternet in such a way that it is very difficult for anyone to \nforcibly remove the content.\n    I am not an expert on China and I would rather answer \ngeneral questions, such as, ``Is this possible? Is that \npossible? Why or why not? ''\n    So let me talk a little bit about censorship. 
I think it is \nimportant to make a distinction between censorship within a \nnetwork or within an organization or a country and censorship \nbetween users who are on the inside trying to access something \nthat is on the outside where an adversary controls the \ninterface between the inside and the outside, which is the kind \nof model that we are looking at here.\n    The censor can prevent access to content on the outside \nthrough several means. One of them is simply by routing, \nlooking at the Internet Protocol [IP] addresses of the \ndestination of a request, and if it is on the outside, perhaps \nblocking that or filtering it some other way, or making a \ndecision about how to treat that traffic \ndifferently.\n    Another way would be through use of the domain name system. \nFor those of you that do not know, the domain name system is \nthe service that translates names like www.google.com into an \nIP address that networks need in order to get the packets where \nthey need to go.\n    So one thing that a censor could do, and I believe in a lot \nof cases this happens not only for censorship but for other \npurposes, is if the organization controls the domain name \nservice [DNS]--and a powerful government can control the domain \nname service, or at least control those that control it--you \ncan return false information, so when someone asks for \ngoogle.com you can return an IP \naddress. This will all be transparent to the users.\n    That is an IP address to a computer under your own control, \nwhich could then simulate Google, giving the user the \nexperience that they think they are at Google, but they are \nactually at some other, mirroring network. This would be a \ncensorship technique that could be employed, or could simply \ndrop the traffic or do whatever they want with it.\n    Finally, you could do something called application level \nfiltering. 
Instead of doing the censorship at the routing level \nor the domain name service level, what you could do is allow \nall traffic through. But, if it is destined for port 80, which \nis the World Wide Web port, then you could treat it \ndifferently.\n    You could make filtering decisions and you could run it \nthrough software that looks for particular destinations, \ncompare it to a blacklist and say, well, we are not going to \nallow that, or worse, we are going to substitute something for \nthat in the reply, spoofing the reply.\n    So, this has had to do with blocking the access of an \nindividual within an organization to sites that are outside the \norganization.\n    Another type of censorship is prohibiting the posting of \ncontent. I am an individual and I have something that I wish to \nhave people access. Maybe I have some agenda that I want to \npublicize, or I want to be critical of the government, or \nwhatever. A censor may wish to block the ability of somebody to \npost the content.\n    One way to do that would be to monitor sites carefully \nusing search engines or hot lists, and see if content that is \nobjectionable is there, and then to go make the people remove \nit if the content is on the inside.\n    Another, is through informants or spies who could \ninfiltrate organizations that may wish to publish something \nthat they would find offensive, and then finding out that it is \nthere and doing the same thing.\n    Again, if you control the connectivity, you can prevent \nsomeone inside your organization, your country, or China from \nbeing able to publish something that is in a site that is \noutside by simply blocking the connectivity or making the \ndecision not to allow that.\n    So what I have discussed up to this point is a one-to-many \ncensorship. 
Somebody publishes something on the Web, say, and \nyou either block their ability to publish that or you block \npeople's ability to retrieve that information.\n    Another type of censorship would be one-to-one \ncommunication. Someone may want to monitor e-mail messages that \nare going from one individual to another, and there are various \nways of doing that.\n    The FBI has a system called ``Carnivore'' that can be \ndeployed at an Internet service provider [ISP]. What it does is \nit searches \ne-mails coming in and out for certain key words, looking \nperhaps for terrorist activity.\n    The Chinese Government could deploy similar things at ISPs. \nIn fact, they probably have more control over what the ISPs are \ndoing, and look for whatever it is that they are interested in \nblocking. Then they can take whatever actions they want. They \ncould block those e-mail messages. They could try to trace the \nowners of the accounts who sent or received those.\n    Another thing that could happen to e-mail is, again, an \napplication-level way of censoring. At the network level, what \nwe call the IP layer, you could sniff. Network sniffers are \nprograms that will look at packets coming in and out and make \nthe same kind of decisions that were made at the application \nlevel about the e-mail by just looking at raw IP packets.\n    It is a bit harder to do, but there are tools out there to \ndo it. You take a bit of a performance hit when you do it that \nway, but the advantage for the censoring party in doing it that \nway is that it is completely passive. The ISP does not need to \nknow that this kind of sniffing is taking place. Nobody can \ndetect that it is happening.\n    Another way to censor the one-to-one communication is to \nforbid encryption. 
If encryption is not allowed, then something \nlike Carnivore or network sniffing is very effective.\n    What sort of enforcement could take place if censorship \nwere to detect that somebody had offensive content posted \nsomewhere? When something is published, it resides in a \nphysical place. It is on a computer. If that computer is under \nthe domain of the censor, the censor can apply pressure to the \nadministrator, or sanctions to the administrator of that \ncomputer and say, ``take that content down.''\n    Finally, a way of censoring content might be to mandate a \ncustom client. Instead of a Netscape or Internet Explorer \nbrowser, a government could say, ``We require you to use this \nprogram to browse the net,'' and that program could be some \nsort of scaled-down version that can only access certain \napproved sites.\n    So up until now I have talked to you about ways of \ncensoring. Let me speak, for my remaining time, about types of \ncircumvention that you might have.\n    One, is called steganography. The idea behind steganography \nis to hide content in other content. Briefly, imagine a \nphotograph of your cat encoded as a JPEG image on a computer.\n    There are tools out there for you to take a letter, an \nASCII text letter, and encode the content of that letter in the \npicture of the cat, which still will look like a cat. And the \nonly people that could extract that information, the letter \nfrom this picture, would be someone who knew the key, say, that \nyou had shared with them.\n    In fact, there are techniques where two photographs are \nindistinguishable relative to whether or not they contain \ncontent to anyone except the holder of the key. 
So, this might \nbe a valuable technique to use if encryption is outlawed and \nyou are worried about \nsanctions.\n    On the other hand, if someone does discover the key through \nforce or through some other means, then you could be in a lot \nof trouble, because once they extract the letter that could not \nhave been coincidental.\n    Another way is to disperse content widely. If you want to \npublish something and you have an automated way of publishing \nit in a thousand places, it becomes a lot harder for a censor \nto remove it, especially if these are under different \nadministrative domains and countries.\n    The Publius system that I designed and built uses the last \ntwo techniques in tandem, along with several others. I am happy \nto cover it more during questions and answers.\n    Two other mechanisms for circumventing the censorship to \npost something are covert channels. A quick example of a covert \nchannel might be, let us say that I was to communicate a \nmessage to you. So what I do is send you an e-mail message \nevery second, or I do not send you an e-mail message every \nsecond, and whether or not I send you a message encodes a zero \nor a one.\n    That is just a very lightweight example of how I could \ncommunicate information to you where I am actually using a \ncovert \nchannel. The fact that I sent something or did not send it is \nthe information, and whatever it is that I sent could be just \ninnocuous.\n    Finally, there is a technique called a homomorphic \nencryption. That is a mechanism whereby you can encrypt \nsomething so that it can be decrypted two different ways. So I \nsend you an encrypted document.\n    Of course, only a regime that allows encryption would \nsupport something like this. You can decrypt it and it is a \npicture of your cat, and you can decrypt it and it is a call to \narms. It depends on how you decrypt. So, that might be useful.\n    For retrieval. 
I am running out of time, so I will just \nenumerate the things you could use. Special proxies, the Crowd \nsystem, which I can talk more about in the questions and \nanswers, or an anonymous location, a library, a cafe, something \nlike that if the country supports these kinds of things.\n    Finally, let me just say that I believe there is an arms \nrace between censorship and censorship circumvention, because \nif you tell me what you are using to censor I can tell you what \nto do to get around it. But, once I do that, then I could come \nback and tell you what you could do to get around that. I think \nwe are in the midst of this arms race.\n    I believe that any technology to circumvent censorship, \nhaving had the experience of developing such a thing, is going \nto lead to a double-edged sword where you could be accused of \nproviding mechanisms whereby bad people can also do things.\n    [The prepared statement of Mr. Rubin appears in the \nappendix.]\n    Mr. Wolf. Thank you very much.\n    Bill Xia.\n\nSTATEMENT OF BILL XIA, PRESIDENT, DYNAMIC INTERNET TECHNOLOGY, \n                         INC., CARY, NC\n\n    Mr. Xia. Good afternoon, ladies and gentlemen. I would like \nto thank William Farris for inviting me to come here today.\n    My name is Bill Xia. I am the president of Dynamic Internet \nTechnology [DIT]. DIT conducts research regarding Internet \ncensorship and provides service for anti-censorship \ntechnologies.\n    Today I would like to share with you the experience of \nDynaWeb and ponder upon the role of technology in breaking \nthrough China's cyber-wall.\n    DynaWeb was launched on March 12, 2002 as a proxy network \nthat allows users to circumvent Internet censorship in China \nand to have secure and full access to the Internet.\n    Users can use DynaWeb as an information Web or to go to \nother Web sites. Since the inception of DynaWeb, we have \nmanaged to stay ahead of the censorship by China most of the \ntime. 
About 20,000 unique users gain regular, unblocked access \nto the Internet through us.\n    DynaWeb has already played several rounds of the censorship \nand anti-censorship game in the past 8 months. Before I start, \nI would like to explain a few critical technical terms for \nunderstanding the DynaWeb experience.\n    There are two ways to access a Web site through an Internet \nbrowser. One, is through typing the domain name, for example, \ngoogle.com. The other way is through typing the IP address of \nthe domain name. The IP address is the essential element from \nwhich the browser can fetch the Web site information for the \nuser.\n    However, a domain name is more user friendly. After a user \ntypes in a domain name, the Web browser will browse domain \nnames to IP addresses and fetch the right information for the \nuser. So this is essentially what Mr. Rubin explained about the \nDN \nsystem.\n    The game started with an e-mail subscription service. At \nthe \nbeginning, DynaWeb e-mailed unblocked IP address updates to \nsubscribers. After 2 weeks, the censor probably subscribed to \nour e-mail service as well because the very time window of \nDynaWeb IP addresses was reduced a range of a couple hours to a \nfew days after release.\n    Then our services expanded to the domain name with Dynamic \nIP addresses. However, censors started chasing the DynaWeb \ndomain by automatically detecting the IP addresses that pointed \nto the domain name. This dramatically increased the need for \nback-up IP addresses, hence, increased costs of DynaWeb \nmaintenance.\n    Then DynaWeb adopted a new strategy so that censors had to \nmanually verify the IP address before blocking it. Then \nautomatic IP blockage stopped.\n    Soon, in August, users started to have difficulty in \naccessing DynaWeb through https, even though the IP was not \nblocked. It was found out later on that the certificate DynaWeb \nused for secured access from the Internet browser was filtered. 
\nThis can be achieved by package-level analysis of Internet \ntraffic to find out the signature related to the certificate \nDynaWeb used.\n    In response to this, DynaWeb started to change its \ncertificates daily. No reports of certificate blocking have \nbeen found since then. Again, censors were frustrated with the \nresources required for daily updates of all related content \nfiltering engines, and quit.\n    At the end of September, DynaWeb domain names were hijacked \nto a fixed IP 64.33.88.161 in China, along with many other Web \nsites like www.voa.gov. DIT has published a detailed report \nabout this hijacking and it can be independently verified from \nthe United States. More study about this hijacking is still \nongoing and will be released after we pass this stage.\n    So what is next with the cyber-wall? As a first look, it is \na technical question. If technology can break through China's \ncyber-wall, in fact, the process is a race of technology and \ntime. As DynaWeb's experience has demonstrated, both parties \ncan always implement new technologies to stay ahead and sustain \nthe advantage.\n    If the Internet breakthrough is defined as a pure technical \nissue, the future is brighter for censors because China \npurchases the most advanced censorship technologies from \nWestern companies.\n    China is also developing the ``Golden Shield'' project, a \n``database-driven remote surveillance system.'' When the whole \nBeijing city is wired with a biometric sensor and camera \nnetwork, no Internet-based anti-censorship can get around the \nsurveillance system.\n    Even now, during the 8 months of the technical race with \nDynaWeb, China has developed the largest and most sophisticated \nIP blocking and content filtering system in the world.\n    The more anti-censorship techniques are developed, the more \ncomprehensive censorship technology has become. This leaves \nless and less technical room for anti-censorship. 
So, it is \ncritical to take full use of technologies to benefit as many \npeople as possible before the door is closed.\n    Second, it is a matter of available resources. China has \n30,000 Internet police that specialize in Internet censorship, \nand ISPs are forced to perform self-censorship. The self-\ncensorship is even adopted by foreign ISPs such as Yahoo.\n    China has purchased top technology from Western companies. \nThese technologies have been modified for China's particular \ncensorship needs. Nortel, Sun Microsystems, Cisco, and many \nsmaller companies contributed to building China's cyber-wall.\n    Compared to China's investment in censorship and the cyber-\nwall, investment in breaking through this cyber-wall is next to \nnothing. There are very few groups developing technologies \nsuitable for this wall. With more resources, DynaWeb can \nprovide services to more people, develop better client \nsoftware, and have closer monitoring of censors' new \ntechnologies, and respond faster.\n    Third, people develop technology and technology serves \npeople. The people factor is the most important factor, \neventually. Recent increase of public awareness about China's \nInternet censorship both inside and outside of China is a great \nsign. We hope that this will help improve the current situation \nsoon.\n    Currently, companies contributing to China's cyber-wall \nbear little public pressure, not to mention any legislative \nlimitation.\n    Inside China, more and more harassment and arrests of \ndissidents and journalists are related to the Internet. Last \nyear, there were more than 10 arrests in China for distributing \nforbidden information. This will create fear among the public. \nFor the general public in China, they are now gradually \nrealizing the existence of censorship consciously.\n    More importantly, the government has adopted subtle mind \ncontrol and propaganda to decrease the Chinese's interest in \nuncensored information. 
All major events outside of China are \nreported, with seemingly a variety of views, although all the \ndifferent views are in fact the government's view. There is a \nfully developed online community inside China serviced by self-\ncensoring ISPs. This strategy is an extension of China's cyber-\nwall, a wall in people's minds.\n    The Internet, combined with TV, newspapers, and other \ninformation channels, now offer the Chinese people different \ntypes of information and different views on certain issues. It \nlooks like full \nfreedom of speech has been achieved.\n    However, the government produces all the different views \nand types of information. The censors tried to use these to \nreduce \npeople's interest in uncensored information.\n    In summary, technology alone will not decide the future of \nChina's cyber-wall, but people do. If all Chinese people would \nlike to obtain uncensored information, the cyber-wall will be \nbroken from the inside.\n    Thank you.\n    [The prepared statement of Mr. Xia appears in the \nappendix.]\n    Mr. Wolf. Thank you very much.\n    Lin Hai.\n\n   STATEMENT OF LIN HAI, COMPUTER SCIENTIST, SHANGHAI, CHINA\n\n    Mr. Lin. Ladies and gentlemen, good afternoon. My name is \nLin Hai. I was born in Shanghai, China and graduated from \nBeijing's University of Aeronautics. I majored in computer \nscience.\n    After graduation, I worked as a software engineer, as well \nas sales marketing in some technology companies in Beijing for \nmore than 5 years.\n    At the end of 1995, I went back to my home town, Shanghai, \nand created a small Internet company with my partners. Our \nmajor business was to help other people to set up Web sites. 
\nOur major clients are joint ventures and foreign companies who \nare in \nbusiness in Shanghai.\n    As one of the first Internet users in China at that time, I \nwas involved with the Internet Society, as well as technology \nbecause I, myself, was an Internet engineer.\n    As was my interest, I did some technology research. For \nexample, at that time I collected a lot of information on \nChinese Internet users to see who was using the Internet, just \nfor my own interest.\n    Also, I was very excited about this new technology and \nexpected some possible changes to the society by the new \ntechnology.\n    I received a letter from a U.S.-based student's \norganization. The organization publishes newsletters that \npromote democracy, freedom of information, and independent \nopinions, as well as news into Mainland China. I was so excited \nbecause it was the first time that people could have a media \nthat is not censored by the central \ngovernment.\n    So, I did something to help the organization, especially to \nhelp them in collecting information on Chinese Internet users \nso they could promote their newsletters to more receivers.\n    For that activity, I was arrested by the Chinese \nGovernment. The date was March 25, 1998. As reported, I was the \nfirst victim of China's censorship of the Internet. So, I thank \nthis Commission for letting me have a chance to speak here to \nall of you nice people.\n    After I was arrested, my case was reported online. Finally, \nthe government closed the trial and sentenced me to 2 years for \nsome political crime. Thanks to the media reporters and many \nother supporters from outside organizations, especially human \nrights organizations, the Government of China released me \nearly, with only 6 months to go. So, actually, I stayed in jail \nfor a total of 18 months.\n    After I was released, I stayed at home and tried to find \nsome chance to re-start my business or career. 
I failed to do \nthat because China is still a Communist country.\n    So, for reasons you can probably understand, I found that I \nhad to leave the country to seek my opportunities. So, I came \nto the United States. Right now, I am working in a small \nInternet company in New York City doing similar jobs as I did \nbefore as an Internet engineer. That is all of my story.\n    Right now, we are doing a project named ``Secure Email \nProxy,'' an Internet proxy project. The background is that \npeople in China try to get free information. The Web sites on \ndemocracy are all blocked by the Chinese Government.\n    E-mail seems to be an option for receiving information. E-\nmail is a traditional application on the Internet, and they are \nstill using it daily. It is proven to be easy to use and cost \neffective.\n    People in China can receive information from those \nindependent sources by subscribing to e-mail newsletters and \nsome other organizations who send e-mails.\n    It has worked in the past few years. Some months ago, \nsomething happened. As before, the Chinese Government has \nfilters at almost all major IPs in China. Those filters check \nevery e-mail that comes in to China, to check if there are any \nkey words encoded in the e-mail. If they find more than, for \nexample, 10 key words in an e-mail, they will block this e-mail \nand the people will not \nreceive it. Furthermore, it may be dangerous to the receivers.\n    So, clever Chinese people found that they can use free e-\nmail boxes such as Hotmail and Yahoo Mail, which are based in \nthe United States. It is out of the control of the Chinese \nGovernment. They can subscribe to those sources with their free \ne-mail account.\n    It worked for years. But several months ago, the Chinese \nGovernment developed new technology that not only filtered the \ne-mails themselves, but also filtered the normal Web pages. 
If \npeople in China accessed an e-mail box, say, Hotmail, it really \nworks like a normal Web page on the Hotmail Web server.\n    The Chinese filters--they installed filters on the gateway, \nI think--if people access a Web page that contains key words, \nthe whole Web page will be fed back as a blank page. The people \nin China can access their e-mail box, but they cannot read the \ne-mail content if this e-mail is so-called ``sensitive.'' So, \nthe people are waiting for some new technology to stop this \nkind of trouble.\n    Our project, called ``Secure Email Proxy,'' is aimed for \nthis purpose. Our mission is to provide a midway platform \nbetween the Chinese users within the firewall and the outside \nworld.\n    The traditional way of encrypting information is to use \nsoftware such as the popular PGP software. But the PGP software \nrequires that both senders and receivers use the same software, \nso it limits the usage of such kind of software. Most e-mail \nsenders in the United States do not use it because they do not \nneed it. So, that could be a problem.\n    With our platform, we will forward all e-mail to Chinese e-\nmail users who are interested in our system. Our function is to \nencrypt normal e-mail, then to send it back to Chinese users. \nIt will help Chinese Internet users to have secure e-mail \ncommunication with outside people who do not use encryption \nsoftware such as PGP.\n    This will be very helpful. For example, in China, people \nsubscribe to a mailing list from Voice of America, or Radio \nFree Asia. They can hardly receive the information, actually.\n    We think, with our help, they can subscribe to the mailing \nlist and the information can come to us at the e-mail proxy \nserver, and we will encrypt it and send it back to the real \nreceiver. So, this will help them to skip the firewalls of the \nInternet gateway. That is the solution, and we are doing it.\n    That is all, thank you very much.\n    Mr. Wolf. 
Thank you very much.\n    Paul Baranowski.\n\n   STATEMENT OF PAUL BARANOWSKI, CHIEF ARCHITECT, PEEKABOOTY \n                  PROJECT, TORONTO, ON, CANADA\n\n    Mr. Baranowski. Good afternoon. I am the project leader for \nPeekabooty, a piece of software that is designed to get around \nstate-sponsored Internet censorship at the national level.\n    Peekabooty accomplishes this using peer-to-peer [PTP] \ntechnology. ``Peer-to-peer'' basically means that there is no \ncentral \nauthority governing some part of the network system. The idea \nis that anyone using the peer-to-peer system also helps out \nother \npeople in the system at the same time. Napster, Gnutella, and \nothers are all examples of peer-to-peer networks.\n    Peekabooty uses other nodes in the network to relay data \naround the firewall. It is kind of like a distributed proxy \nservice.\n    China has been working on its firewall since at least 1997, \nand we have seen its power growing over the years. Just about \nevery other month we are seeing a new technology being deployed \nthat makes it even more powerful.\n    The Chinese authorities started blocking Web pages based on \ntheir Internet protocol addresses, which we have already talked \nabout. People got around this initially by using open proxies, \nwhich are basically other computers that relay your requests \nfor a Web page indirectly back to you.\n    In early 2001, the Chinese Communist Party countered the \nuse of open proxies by scanning the Internet for them and \nadding these proxies to the ban list. Another thing that some \nWeb sites did--\napparently DynaWeb did as well--is that they changed their IP \naddress every few days in order to try to prevent blocking of \ntheir Web site. But this is fairly ineffective.\n    Safe Web and Voice of America set up a system that would \nsend the IP addresses of available proxies to whoever requested \nthem. Again, DynaWeb also tried this technique. 
However, it was \nnot long before the Chinese authorities started requesting the \nproxy addresses and blocking them as well.\n    There are two strategies that have not been effectively \ncountered yet: bulk e-mail lists and Freenet. Bulk e-mail still \nworks because the origination of the e-mail is different every \ntime. E-mail does, of course, have the drawback of being one-way \ncommunication, but at least that is something.\n    Freenet is a peer-to-peer system that allows two-way \ncommunication. It still works because the only way to discover \na new node in the Freenet system is through ``out-of-band'' \nmeans. This means you have to call up a friend, or your friend \nhas to e-mail you an IP address of another domain network. You \njoin the network and then you can get access to censored \ninformation.\n    One of the main goals of Peekabooty is to eliminate this \nlimitation, to create a method of discovery that automatically \nallows you to discover new nodes in the network without \nallowing you to discover all the nodes in the network, so that \nthe Chinese authorities could not join the network and block \neverything.\n    Some of the more recent developments of the Chinese \nfirewall include selectively blocking out content within a Web \nsite instead of blocking the entire site, denying Internet \naccess for a certain amount of time to anyone searching for a \nbanned key word. So, for example, if you search for Falun Gong on \nGoogle, your Internet \naccess would be denied.\n    Suppressing dissident comments and chat rooms.--If you do \ntype in some sort of dissident comments, a warning e-mail is \nsent to you telling you not to do that again.\n    Finally, they are starting to log Google key word searches. \nSo if you type in ``Falun Gong,'' they are going to remember \nwho \nrequested that.\n    We can do something about all of this if we act now. 
The \nChinese Government is already on its third generation of \nfirewall technology, and we have not even started version one \nof a counter-strategy yet. If we do not do something soon, they \nmay be able to close off the country completely and obtain \nabsolute control of their net before we can do anything about \nit.\n    A fair guess is that, by the Olympics in 2008, it will be \nmuch too late to act. Our window of opportunity is now, at this \nmoment. The U.S. Government is the only organization that has \nthe power to mount an effective counter against this type of \ncensorship.\n    Independent efforts, such as mine, by volunteer groups will \nbe ad hoc and there will be no coordination between the \nreleases of the various projects. A well-funded, centralized \nprogram could plan application releases so they occur at \nregular intervals in order to keep the Chinese authorities \nconstantly scrambling to keep up.\n    In other words, the U.S. agency in charge could coordinate \nand plan a global strategy that would be much more effective \nthan the current ad hoc state of affairs. Centralizing this \ntype of activity also allows for the possibility of inter-\noperation between the projects and allowing more advanced \nfeatures in these projects, eliminating redundancy.\n    There are few, if any, commercial possibilities for this \ntype of software, which is why the government is the only \norganization with the power to fund this type of activity on \nthe scale that is \nrequired.\n    The amount of money proposed in the Global Internet Freedom \nAct could fund dozens of projects. There are so many aspects to \nthis problem and so many ways to solve it, that this is the \nkind of depth we need.\n    Research is just beginning on this subject and we have a \nlong way to go. This panel here represents a sample of what is \nout there. There are perhaps a dozen grassroots efforts \nattempting to do something about this on a shoestring budget. 
\nThey all rely on volunteers.\n    However, this many projects is not as many as we need. \nRight now, development on all of them is extremely slow, due to \nthe fact that there is little funding and they all rely on \nvolunteers.\n    The first thing that is dealing with funding, is \ndevelopment speed. The second thing, is usability. The third \nthing, is translation into various languages. Finally, every \nproject that is funded should have a budget for marketing so \nthat each project can be promoted appropriately.\n    If the government does fund projects such as these, it \nshould be done through credible organizations that are \ncommitted to developing open-source solutions. Open-source \nsoftware is crucial due to the fear of software back doors that \nwould allow remote monitoring of or tampering with a user's \ncomputer.\n    Open-source software relieves these fears because the code \ncan be vetted by outside experts. One of the most important \nthings with many of the current projects, is that they use \npeer-to-peer technology. This means, in terms of costs, there \nis little cash that is needed to keep them running.\n    Funds are mainly needed for the maintenance of the code and \nthe addition of new features. Each project could be initially \nfunded by only a few hundred thousand dollars a year, and even \nless for maintenance once they have been deployed.\n    The current crop of anti-censorship projects that show \npromise and should be considered for funding include the \nfollowing: Peekabooty, the Freenet/Freenet-China project, the \nInvisible IRC project, which allows anonymous chat, CryptoMail, \nwhich is a Web-based e-mail system similar to Yahoo which \nprovides encryption of e-mail, and finally, plug-ins to e-mail \nclients such as PGP and GPG to make encryption of e-mail \neasier.\n    It should be noted that the National Science Foundation \n[NSF] has started funding anti-censorship research at the \nacademic level. 
What we need, though, is a system to transfer \nthe research into real-world applications.\n    One of the areas of research that has not yet been \nexploited is in the field of wireless networking. This type of \ntechnology could allow individual devices to route information \non their own. This would allow those devices to bypass the \nInternet infrastructure completely and create basically a new \nwireless Internet that could not be filtered.\n    Also, another area of research that should be considered is \nmaking e-mail encryption even easier to use and more \ntransparent. Right now, it is a little bit too difficult for \nmost people.\n    Finally, to sum up, China's censorship technology is \nbecoming more advanced every day. We can do something about it, \nbut we must act now. The government should fund credible third \nparty \norganizations to develop open-source anti-censorship \ntechnology.\n    Multiple strategies should be developed and their release \nshould be coordinated according to a centralized high-level \nstrategy. If we do not act, there is no doubt the Chinese \nCommunist Party will have more power over its populace than \never before in history \ninstead of less.\n    Thank you.\n    [The prepared statement of Mr. Baranowski appears in the \nappendix.]\n    Mr. Wolf. Thank you very much.\n    Avi, you talked, first, about the arms race. You did not \ndraw a conclusion. Is this arms race a winnable arms race on \nthe circumvention side, or is it simply a continuing process of \nraising the costs at each level?\n    Mr. Rubin. I, unfortunately, do not think there is a \nstraightforward answer to that, because there are several \ndifferent axes that I drew for censorship.\n    If you are talking about the censorship between the inside \nof China to sites that are outside of China, it is pretty clear \nwhere the end of the arms race is, which is that they cut off \nall connectivity. 
Then, short of going through a satellite, or \nphone lines, or some other way, there is really no way anyone \ncould get out.\n    However, there are a lot of other things. For example, if \nyou look at people within China trying to communicate with \nother people within China, and maybe posting content where \nthings are not going through the firewall, then I think there \nis an interesting arms race.\n    It is not clear who the winner is, because I think the \ntechnology has only advanced so far at present. We need new \nresearch. I support the comments that were made about funding \nnew research.\n    You could imagine a technology developed whereby Internet \ntraffic becomes untraceable, so the next thing that happens is \nthat the government mandates router manufacturers to put \nsomething in each packet so that they can trace it. That is \nanother step in the arms race. We have got to go back to the \ndrawing table and figure out how to get around that, and I do \nnot see where that kind of an arms race terminates.\n    Mr. Wolf. Anyone else want to comment on that?\n    Mr. Xia. I would.\n    Mr. Wolf. Yes, please.\n    Mr. Xia. I would like to make a little comment. \nTechnically, you can comment on technology if it can be \ncensored or it cannot, how hard it is.\n    Another factor is if the user will use it. Like, for the \nFreenet China project, there are people sending e-mails and \nsaying, I am a peasant, I only went to elementary school, so \ntell me how to use it in two sentences, something like this.\n    So, even if technology works, there is the matter of, \nfirst, how can you overcome the first barrier, if you can \nconvince the user to use the software and learn how to use it.\n    Mr. Wolf. Thank you.\n    Mr. Baranowski. I have a comment.\n    Mr. Wolf. Go ahead.\n    Mr. Baranowski. I think, if we do nothing, then eventually \nwe will not be able to do anything. 
But if we do something \nsoon, then the arms race will continue, and continue on \nindefinitely until whenever.\n    But there is a point that, if we do nothing now, we will \nnot be able to do anything eventually because they would have \ncracked down too much at that point and there would be no way \nto get \nanything in or out.\n    Mr. Wolf. Is there a point in this arms race where the cost \nto China is too high, in the sense that the measures the \ngovernment would have to take would so negatively impact on the \nuse of the Internet, and on Chinese businesses' ability to use \nthe Internet to be internationally competitive?\n    Mr. Rubin. I think you have put your finger on it right \nthere. If China were willing to isolate themselves from the \nrest of the world, then they could censor in a way that we \nprobably could not overcome.\n    But as long as there are forces within China that want to \nhave, for the sake of their own businesses, like you said, \nconnectivity, then I think that there is something we can do.\n    I also see the door closing if nothing is done, but maybe \nnot as fast. The thing that will push them to the next level in \ncensoring is when circumvention technologies start to move. If \nthey stagnate, then I do not see them having a need to respond.\n    Mr. Xia. I am also thinking of another possibility, that \nWestern companies collaborate in doing censorship even outside \nof China. Then they can collaborate with censorship technology \nso it will not affect, like e-commerce communication, inside \nand outside of China. One technical example I can think of, is \ncontent filtering of any Web site--for example, Google--so if \nyou are searching for key words, you are kicked out.\n    However, it is actually easy to resolve this. Google can \njust implement https so your requests will be encrypted. I am \nnot sure if Google is willing to do that. 
It is obvious that \nGoogle will be confronting China's content filtering engine.\n    Mr. Lin. I might comment. I think those who do censorship \nand who did anti-censorship, they actually use similar \ntechnologies. The result is people or companies do something \nfor profit. So that is why we see that the Chinese Government \ncan create a firewall.\n    I think some U.S. companies are heavily involved with it, \nsay, especially some companies in California. The backbone, the \ntechnology, and the core equipment are developed and \nmanufactured by the United States, especially California \ncompanies.\n    So we do not have exact evidence, but we can reasonably \nconclude that the American companies are helping the Chinese \nGovernment to build the censorship firewalls. So that is why \nthe same technology can result very differently for different \nsides. For people who are doing anti-censorship, like Paul, he \nis just doing it for the ideals, not for profit.\n    I think the two sides are not even. So, the result is, we \ncan expect who will win the war. I do not think, in any small \npart, that we will win the war. That is the reality, so I am \nworried about it. So, I think it is my duty to speak here to \nhelp many people to \nunderstand the situation.\n    Mr. Baranowski. Can I answer that as well?\n    Mr. Wolf. Sure.\n    Mr. Baranowski. You raised a good point about the commerce \nand tying this anti-censorship technology to commerce. This is \nthe only way I think that these technologies will work.\n    For example, using SSL [Secure Sockets Layer] encryption \nfor secure communication. SSL is also used in e-commerce to buy \nthings over the Web, so they cannot outlaw, for example, that \ntype of encryption. So, this opens a whole lot of China which \nthey cannot really block unless they want to block all of e-\ncommerce.\n    The second thing I want to talk about is the stagnation of \ncensorship technology that Avi mentioned. 
I do not think this \nwould \nhappen at all, because they are plowing forward as fast as they \ncan to implement more and more technology. For example, the \nGolden Shield project. They are trying to use as much \ntechnology as possible to control their population. I do not \nthink it is going to \nstagnate anytime soon.\n    Mr. Wolf. All right. Thanks.\n    Holly.\n    Ms. Vineyard. I would like to follow up on Ira's point \nthere. I would first direct this toward Paul. It is open for \nanyone else who would like to answer. As technologists, how \nwould you characterize the economic cost of censorship?\n    I am interested in this as an approach for, how do we \nengage the Chinese to see the true economic potential of the \nInternet if it is left unfettered?\n    Mr. Baranowski. Obviously it is costing them a lot of money \nto employ this many people to constantly be looking at Web \nsites and trying to filter them. So that's the obvious, up-\nfront cost, as well as buying the right type of hardware \nequipment that they need.\n    Another economic cost that might be borne by them is the \nfact that they might be blocking sites that are not supposed to \nbe blocked which are e-commerce sites, so if people cannot get \nto those sites, they will not be able to buy goods and services \nthrough those sites. That is just off the top of my head. Maybe \nsomeone else can answer that as well.\n    Mr. Rubin. Well, I am not certain how much commerce there \nis from China to e-commerce sites in the United States, and I \nthink that is something that should be looked at to figure out. \nThat was used as a motivation for why they are not likely to \nblock SSL, but blocking SSL is trivial. It is 443.\n    They just turn it off and say, we do not have SSL through \nour firewall. If it is not the case that people in China can \npurchase things on e-commerce sites in the United States, then \nthat point is pretty meaningless. I do not know. 
Maybe somebody \nknows about that.\n    Ms. Vineyard. Does anyone know if there is much in the way \nof e-commerce going the other way?\n    Mr. Rubin. People in the United States purchasing things in \nChina? I do not know, either. I would be surprised.\n    Mr. Xia. I do not think many people are buying things \noutside of China from inside China.\n    Mr. Baranowski. Maybe not consumers, but maybe businesses. \nOf course, I do not think any of us have any data on this \nwhatsoever. We are just making the best guesses that we can.\n    Mr. Xia. When China blocked Google, there was a big cry \ninside China and more people are complaining. They want to do \nresearch or just common activity and they are blocked.\n    Mr. Baranowski. That is a good point. I believe it was \nbusinesses eventually that complained so much that Google was \nblocked that they had to unblock it.\n    Mr. Wolf. Let me just jump in here. Rather than e-commerce \nand individual e-commerce, as Chinese industry continues to \ndevelop and become more sophisticated, they are going to have \nglobal sourcing strategies that require fairly sophisticated \nuse of the Internet, whether it is sourcing, inventory \ncontrols, and so on.\n    That is what I was getting at. Not so much individual e-\ncommerce so much as, does additional effort by China to \nmonitor, block, and control the Internet raise the costs, \nultimately, of a joint venture auto manufacturer that is \ninvolved in global logistics?\n    Mr. Rubin. Definitely. 
I mean, the way that I would \nenvision that this would happen would be if they do not want to \nallow unfettered access to the SSL port, which someone serious \nabout \ncensoring would not because a lot of circumvention technologies \ncould be built on it.\n    They could perhaps require any company or any entity that \nwants to do that to clear it with them, and then they would \nprovide a special port and maybe some encryption keys that they \nknow that they allow them to use, and then they could monitor \nit carefully. That would all be very expensive.\n    It would require a lot of databases to keep track of which \nkeys are used for which communications, and then all of the \nmonitoring equipment. So, they are raising the bar on \nthemselves to some \nextent by making it more expensive to allow those business-type \ncommunications that they want to allow while preventing general \nuse.\n    Mr. Xia. I think this is true right now for e-mail service. \nIf you are running e-mail service in China, you have to put in \nall the \nfiltering software. For the Chinese ISPs, many of them have \nvery \nsophisticated e-mail filtering software which will delay users \nreceiving e-mails.\n    Also, many people will lose their e-mails. It is quite \ndifferent from here. I can call you and say I just sent you an \ne-mail, but in China you cannot rely on this.\n    Ms. Vineyard. Thank you.\n    Mr. Farris. I am wondering if any of you could speculate on \nwhat sort of attributes any anti-censorship or censorship \ncircumvention software or project would have to have in order \nto be successful.\n    For example, I think issues like deniability on the user \nend, the receiver end, would be important. But perhaps Bill or \nLin Hai can speak to whether or not they think that is really \nan important issue in China.\n    Other issues like user interface, I think you mentioned, or \ntranslations into Chinese. 
How important is it to the Chinese \npeople at the user end that this be in the Chinese language, or \ndoes the average Internet user have an English level sufficient \nto use these \nprograms? If any of you have any speculation on what a good \ncensorship circumvention program would possess.\n    Mr. Rubin. I can tell you what we did with Publius and some \nof the lessons that we learned in that regard. In terms of user \ninterface, I think the best way to distribute client software \nis as a \nplug-in to a browser.\n    We experimented with client-side proxies. Those require \nsomeone who knows how to run a compiler in order to get them \nrunning, unless you want to write something native, but then \npeople use many different operating systems.\n    The one common denominator seems to be a browser. So, a \nclient-side plug-in would have the advantage of being able to \nhave general-purpose functionality.\n    You could build your whole protocol into it, whatever that \nmight be. Users would be able to not know necessarily exactly \nwhat it is doing and just have content displayed for them. So, \nas far as user interface goes, I think that is the way to do \nit.\n    That will not work in a cyber cafe, for example, where you \ndo not have access to installing a plug-in. In that case, you \nneed to go with raw html, and it is a lot harder because if you \nneed to do any decryption or decoding or anything like that in \nthe software, then the only way you might do that would be via \na Java applet.\n    The Java applet would come from some well-known site, and \nthat could easily be blocked. So, after looking at all the \ndifferent alternatives, I think a browser plug-in is the way to \ngo.\n    You mentioned deniability. In the Publius project, what we \ndid was take the content that somebody wanted to publish and \nbreak it up into many, many little pieces. 
Those things had \ntransformations performed on them so that you needed some \nsubset of them to reconstruct the content.\n    So, here's an example. Take a piece of Web content, whether \nit is an image or a document, and break it up into 100 pieces \nsuch that any 4 of them can reconstruct it, but any fewer than \n4 is meaningless and more than that is redundant. The idea \nhere, is then you store those pieces on 100 different servers \nall over the world. We had a bunch of servers up and running in \nseven countries. This was a research prototype.\n    The sites that would host the content, they see this 1 \npiece out of 100 and they do not know what it is. So, there is \ndeniability from the host server. Without three other pieces \nthey do not know what it is and they do not necessarily have \nthat information on where the other pieces are.\n    So it was a system for publishing something. It got \ndispersed throughout the Net. Nobody knew exactly what the \nindividual pieces meant. Then somebody to retrieve it would get \na special URL, or they could get a link through something, and \nby running a proxy on their machine that their browser talked \nto, could go out and get four pieces, do a cryptographic check-\nsum on them, verify that they had not changed, and then load \nthe image into the browser or the document without the user \nhaving to be aware that all this happened behind closed doors.\n    Mr. Baranowski. May I answer that as well?\n    Mr. Wolf. Please.\n    Mr. Baranowski. As far as user interface, I think a variety \nof methods should be used depending on the individual user. \nSomething different should be in an Internet cafe versus \nsomeone from a home computer, versus someone at a business, \nwhich is what I was getting at before in my speech. I was \nsaying we should have multiple projects going on at once using \na variety of methods.\n    As far as deniability, the only thing I can say is that \nthis does exist in Peekabooty. 
The connections to the Web \nserver are anonymous. No one can tell who is fetching which Web \npage.\n    As far as English level proficiency, I just read a report \nlast week that said 20 percent of Web pages viewed from China \nare in English. So, definitely the minority. That is all.\n    Mr. Lin. May I comment? There are some informal \ntechnologies used by the Chinese Internet guys. They can always \nfind some secret way to access the outside world. But the \nproblem is, it is not public technology. So, the public needs \nto use most widely used technologies, say, for Web access.\n    I think if we can offset technology to let people use a \nnormal browser to access the outside world, the effect or the \nresult will be very limited. So, that is a problem. Not all \npeople are educated in technology. They are just normal users.\n    Mr. Xia. I think the answer, a lot, depends on how many \nusers you are targeting. For the most computer-capable people, \nmany of them can read English. They will find ways themselves. \nThey do not quite need your help. Like, DynaWeb has reached the \nlevel of tens of thousands. So at this level, you need \nsomething really easy. We got complaints, in the beginning, \nabout DynaWeb using the \ndomain name, or just visiting a Web site.\n    I cannot say anything easier than that. But, still, some \npeople do not like the pop-up windows, https, because it is not \ncertified, or something like that. Or we do some technology \nthat makes the \ndomain name look weird, and then some users say, should I click \nit, or something like this.\n    So, even at this level of users there are lots of questions \nthat arise. But if you are working on something like a plug-in \nor a \nprogram, people need to download a Chinese interface. That is \nimportant. Like for the Freenet China project, it has software \nand it reaches a user level of 10,000. 
So at this level of user \nbase, you do need the Chinese interface, and a very easy-to-\nunderstand \ninterface.\n    Another factor we tried to compile, is we want to put the \nprogram below 1.44 megabytes so people can carry it around with \na floppy. Then people do not have to leave that program on \ntheir computer's hard drive, they can, every time, download it \nand delete it.\n    But this is getting harder because in the Internet cafe \nsituation, it is really bad. In many of those registered \nInternet cafes, you cannot download and there is no floppy \ndrive.\n    I think for some software, the administrator can remotely \nlook at your screen at any moment. I think for this specific \nenvironment, it is almost like the door is closed. There is \nhardly anything to do with it.\n    Mr. Rubin. Just one other point. In a country where it is \nillegal to do certain activity, you could conceive that if \nthere were such a plug-in or proxy program, the fact that that \nthing is on your \nmachine could be a liability.\n    Mr. Farris. So just a follow-up. In terms of the state-of-\nthe-art right now, is it possible for there to be a system that \nhas complete deniability, something that would not have to be \ndownloaded, that would not involve any obvious encryption that \nwould tip off the \nauthorities?\n    Mr. Rubin. It depends on your threat model. If you have a \nthreat model that the authorities are sniffing your line, then \nthe answer is, without encryption, no. If they do not allow \nencryption, then there is nothing you can do.\n    If you have authorities that are, with some probability, \nsniffing your line, then maybe you can play some games and \nadjust or tune your risk factor and say, I will get caught with \nthis probability, and that may be able to be small enough that \nit would be worth it for people. 
But if the adversary can view \nthe line going into your house and you do not allow encryption, \nthen I do not see how there is anything you could do.\n    Mr. Baranowski. Since China still does allow encryption, \nwhat you could do is if you are in China and you have a friend \nin the United States, you could download a program such as PGP \nNet, I believe, and encrypt all your data between the two \ncomputers, he sets it up on his computer and his computer is on \nall the time, and you just route everything through him.\n    So, it has to be more of a personal connection to someone \nwho is going to help you out in another country, and then you \ncould quite easily get around it. As far as an automatic \nsystem, there is no way right now to--sorry.\n    Could you repeat the question real quick?\n    Mr. Farris. I guess I am trying to see if it is possible to \nhave complete deniability.\n    Mr. Baranowski. Oh, complete deniability.\n    Mr. Farris. So nothing needs to be installed in the \ncomputer.\n    Mr. Baranowski. Nothing that is automatic. Right.\n    Mr. Farris. Yes.\n    Mr. Xia. Technically, I think it is probably impossible to \nachieve that. But right now, I think the closest is DynaWeb. \nYou only need a domain name to visit a Web site, and then you \ncan clean your history with your Internet browser. But still, \nif someone is looking through your computer, still you can be \ncaught.\n    Here, just now what Paul mentioned, I think, we can put in \na social background.\n    Right now, downloading and using PTP will not get you into \nprison. But there are people arrested, and PTP is used as site \nevidence. So, just using PTP is fine, but if you are doing \nsomething else along with PTP then it is something else. I \nthink this is an important point. In the last 20 years, China \nhas changed a lot.\n    During the Cultural Revolution, all the requirements were \nreally harsh. 
If you were listening to the VOA radio at \nmidnight, you could be caught and sent to prison. But now the \ngovernment, instead of arresting you, is only trying to jam VOA \nradio.\n    Mr. Wolf. Thanks.\n    Keith.\n    Mr. Hand. I wanted to get back to this arms race issue for \na minute. I was curious what the typical timeframe is in terms \nof the cycle of technology and counter technology.\n    Then maybe you could follow it up with another point. There \nhas been some concern expressed that, as these new technologies \nare developed, there could be a false sense of security among \nusers in China as to the degree of protection that they have.\n    I was wondering if you could comment on that risk and \nwhether, in your experience, people understand it or whether \nthey feel like they are completely protected from monitoring \nwhen a new technology is introduced.\n    Mr. Xia. From my experience, they correct that mistake \npretty quickly, like 1 day after. If they mistakenly block \ntheir own sites or something like that, they will correct that \npretty quickly since they only need to release what they did \nwith that technology. But to develop brand-new technology, from \nour recent experience, it is more like months. But for security \nconcerns, I think you have to foresee it to be compromised.\n    Mr. Rubin. To answer the other part of your question, it is \ninteresting. When we came out with Publius, I got approached by \nsomebody who wanted to use it for very sensitive--they did not \ntell me what--activities and they said they were really \nworried, and how much would I vouch for the software.\n    It is interesting, because normally if there is a bug in a \nprogram that I write, something crashes. But the responsibility \nof potentially putting someone in harm's way by a bug in the \nsoftware was too much. So we disclaimed it and said, this is a \nresearch \nprototype. We did open-source it. 
I agree that open-source is \nan \nimportant component of anything like this.\n    If you are going to use a program that could get you thrown \nin jail if it does not behave properly, that is a pretty scary \nnotion. I mean, the way they measure the number of bugs in a \nprogram, the metric in software engineering, is by the number \nof lines of code.\n    You ask a software engineer, how many bugs does a program \nhave, they say, well, how many lines of code? And then you know \nhow many bugs it has, or a minimum, anyway.\n    So for something to be that reliable that you are going to \nrisk your freedom to use it, I think it is tough and I am not \nsure that I would want to take that chance, myself.\n    Mr. Hand. Thank you.\n    Mr. Wolf. Paul, if you had a different hat, let us say as a \nrepresentative of a U.S. intelligence agency, and you were \nsitting here as the fifth person on this panel, and you heard \nPaul Baranowski talk about the need to develop open-source \nsoftware for countermeasures, what would you say to us in \nresponse?\n    Mr. Baranowski. In response to what?\n    Mr. Wolf. Regarding the technology required for \ncountermeasures, what concern would the intelligence community \nhave that obviously bad people would put this to bad use?\n    Mr. Rubin. The double-edged sword.\n    Mr. Baranowski. Oh, yes. All right. I have been asked this \nquestion before. Yes, I would have concerns about whether bad \npeople could use this technology for bad things. My response to \nthat is I have tried to think of ways that, especially \nPeekabooty, could be used to do bad things and I am hard \npressed to come up with something that is not already done \nbetter using the different programs specifically designed to do \nbad things.\n    There are plenty of programs out there in the Internet area \nthat do bad things, like denial of service attacks, viruses. \nAll this, you can get easily. 
So, something that simply makes \nyour Web browsing anonymous, it is somewhat difficult to think \nof scenarios that you could use it to do evil with.\n    Mr. Lin. I might comment. I think no one can prevent some \npeople from doing bad things with some technologies. So, based \non this theory, to make any policy to limit people using \ntechnology, you will not really reach your goal.\n    For example, the PGP software. To my understanding, it is \nstill banned for people outside of the United States to \ndownload the PGP software from U.S. Web sites. It is the United \nStates law. So how do they do it? They just publish the PGP \nsoftware, soft code, and carry it to Norway, and then retype it \ninto the computer at the Web site in Norway at PGPI.com, or \nsomething like that.\n    So that other part of the world--outside of the United \nStates--can download the same program. That is just an example. \nThe United States making some kind of policy to try to limit \nthe people using technology, it does not work. That is my \nopinion.\n    Mr. Rubin. Getting back to your question for a minute, when \nPublius came out we took a lot of criticism from people who \ncame up with the example, imagine somebody came up with child \npornography or some other kind of offense-to-pretty-much-\neverybody image and posted it to a system where it was \npublished where it could not easily be removed. That is \nsomething that was not possible before. Or instructions on how \nto make a bomb, or something like that.\n    You sort of take a step back when you suddenly think about \nuses of your technologies. There are several different ways to \nlook at it. One is an example I go back to. When the automobile \nwas first introduced, law enforcement was afraid to allow these \nthings to be mass produced because they were worried bad guys \nwould be able to get away more easily. Yet, we see all the good \nthat has come out of the automobile. 
The same thing could be \nsaid for the Internet.\n    A more constructive answer, though, is to say that you can \nbuild censorship-resisting technologies with dials in them and \nlet society set the dial. So in the United States, for example, \nwe all believe pretty much--we should believe--in freedom of \nspeech and the right to do certain things.\n    Then there are certain acts which pretty much are the norm \nin society that that is unacceptable, certain things like child \npornography that there is just no debate about. So, perhaps we \ncan build a censorship system so that if almost all the users \nin the system do not want something, then that thing can be \ncensored, but it requires a communal effort of almost \neverybody. That is just some thoughts on how to do it. You have \ngot to be very careful that you do not enable, accidentally, \nways of censoring that are more easy than before.\n    Mr. Wolf. Let me turn to United States suppliers of \ntechnology, equipment and software for China's backbone. Lin \nHai was talking about California companies. Others have talked \nabout the need to license or restrict United States export of \ntechnology to China that can be used for censorship and \ncontrol.\n    I wonder if you could comment on what you think should or \ncould be done regarding control of United States exports of \nInternet technology to China, or whether it is something you \nbelieve is a road that we should not go down.\n    Mr. Lin. I think that it is not easy to make any kind of \npolicy like that because people can find some ways, any ways, \nfor profit. So my suggestion is, do some reverse policies to \nencourage companies, and individuals, and organizations to \ndevelop any other technologies against censorship. This is the \nway to work, I think. For example, set up some funds to sponsor \npeople like Paul, to develop anti-censorship technologies. That \nis the right way.\n    Mr. Baranowski. 
I would say to ask the companies themselves \nto have them issue a statement saying we do not support \ncensorship and surveillance. We do not take part in it. For \nthem to come out and publicly say that, I think, would be a \nvery good first step in that process.\n    There is a precedent for regulating this type of \ntechnology, and that is with encryption. Just a few years ago, \nyou had to first submit any encryption product to some agency \nto have it checked out before it was exported, so you could not \nexport anything that encrypted above a certain level. This \ncould also be done with censorship technology. That would be a \nmore extreme thing to do, but there is precedent for it.\n    Mr. Rubin. Yes. I pretty much would oppose any idea of \nregulating what Internet companies can and cannot sell abroad. \nWhile I agree with the goal, I think that such export \nrestriction attempts have fallen flat on their face before, as \nwe have seen with the encryption.\n    Mr. Wolf. Bill, do you have a comment on this?\n    Mr. Xia. I think it is kind of analogous to export arms so \nthat arms can be used for good things or bad things. So, there \ncan be restrictions on what kind of technology you can export \nand where you can export. They cannot just say, I am sending \nthe technology, I do not know or I do not care what they are \ndoing with it.\n    Especially for China, in the past years, it has been \ndemonstrated, what are they going to do with content filtering \ntechnologies. So, I think there can be regulations on some \nspecific cases.\n    Mr. Rubin. I would worry that China would start buying \ntheir backbone technologies from other countries that have \nequally \ndeveloped products, and that we would be hurting our business \nwithout actually helping fight censorship.\n    Mr. Wolf. Holly.\n    Ms. Vineyard. 
If China has such effective cyber-walls, in \nyour opinion, why is it these cyber-walls are not being used to \nstop \npiracy as well?\n    In the recent regulations, copyright piracy was not \nidentified specifically as an illegal purpose. How do you \nrecommend we go about raising this?\n    I mean, we would be asking the Chinese to provide \nadditional policing to a medium that we essentially want to be \nfree, but we still want to protect the rights of copyright \nholders.\n    Mr. Xia. I think Internet censorship has become a very \nessential policy of the Chinese Government. This year, the head \nof the Public Bureau of Security commented that there is a \nconspiracy about anti-China forces trying to distribute \nsubversive information through the Internet.\n    I think for the Chinese Government, the Internet Freedom \nAct can potentially endanger their current authority, so it is \na pretty high priority, not just economics.\n    Ms. Vineyard. But my question was really trying to get at \nthe protection of intellectual property rights, especially \ncopyrighted \nmaterial. If any of you have any experience with how that is \nbeing protected or not protected on the Chinese Internet, I \nwould appreciate your views.\n    Mr. Rubin. I think that it is really a different security \ntechnology that protects or prevents traffic from flowing \nfreely and that guards intellectual property. It is almost like \nguarding the information in the other direction.\n    So, if something that is a particularly valuable \nintellectual property gets inside China and can get replicated \nvery easily, the fact that it went through a firewall when it \ngot through is meaningless at that point.\n    Intellectual property protection technologies are somewhat \nlimited in their capabilities. If there is something that you \nhave in software, you can replicate it. Hardware assistance is \nexpensive. 
It is difficult to distribute things when you \nrequire people to have a particular kind of player.\n    Intel and Microsoft are taking steps to provide \nintellectual property protection in the platform that people \nhave in their homes. At that point, if that works, it will be \nsuccessful in China as well. But I do not think that the \ncensorship technologies are designed, nor can they very easily \nprotect, intellectual property of something once it has gone \nthrough the firewall.\n    Mr. Lin. To my understanding, this is more consistent with \nthe law. In China and in the United States, they seem to have \nsimilar copyright laws, but they actually deal with them very \ndifferently.\n    In China, on the big Web sites, they understand the \ncopyright law, but individual users do not care. The government \nalso does not care about the individuals who use free copies of \ncopyrighted \nmaterials.\n    So, the censorship through technology will not help to \nprotect the copyright, but it should be done by something like \nhow to develop the law and how to actually do something under \nthe law.\n    Mr. Baranowski. Actually, one of the scary things is that \nif China does get this DRM technology, which is Digital Rights \nManagement, which allows you to protect your intellectual \nproperty, if that goes to China, it actually gives China more \npower to censor their people because you could use that same \ntechnology to say, you can only run this program on your \ncomputer, or this set of programs on your computer, and nothing \nelse that is not approved by the Chinese Government. Thus, no \nprogram that we could write, any anti-censorship program we \ncould write, could ever bypass that sort of control.\n    Mr. Rubin. And that is not limited to China. A lot of \npeople worry that DRM technology in the United States could \ngreatly \nrestrict fair use of all kinds of things.\n    Ms. Vineyard. Thank you.\n    Mr. Farris. 
I would like to stay on that point for a \nmoment. I think at least Publius, and maybe also Peekabooty, \nwere not specifically designed with China in mind, and there \nmay be a concern about other countries as well.\n    Do any of you have a view on where China fits in the \nspectrum of censorship compared with, say, even the United \nStates or other countries? Is China the worst offender? Do you \nsee the United States moving in a similar direction?\n    Mr. Baranowski. China is the worst offender, possibly tied \nwith Saudi Arabia. The other countries that are censored are \nBurma, Cuba, and even Australia.\n    There are about 20 or 21 countries that censor their \nInternet the last time I checked.\n    You are right that this type of technology could work in \nany country. It is not just limited to China, which is, in my \nopinion, a good thing.\n    Mr. Farris. Thank you.\n    Mr. Wolf. Keith.\n    Mr. Hand. I wanted to get at Ira's question from a slightly \ndifferent angle. There was a lot of controversy over the Yahoo \nChina pledge earlier this year. Some argued that even operating \nunder some restrictions, there is still an advantage to having \na company like Yahoo operating in China, delivering information \nand pushing the limits of the controls there where they can.\n    I was wondering if you could comment on that and give us \nyour sense of where you think the line should be drawn between \nworking within the system and struggling within it for change, \nand where you end up colluding with the government on these \ncensorship issues.\n    Mr. Rubin. I think that anything that encourages the \nopenness, the connectivity between China and the rest of the \nworld, opens up avenues for other censorship-defeating \ntechnologies to piggy-back on the existence of that network. \nSo, from that sense I think it is a good thing.\n    Mr. Baranowski. It seems to me that companies going into \nChina are playing right into their hands. 
China basically stops \nany company from coming in unless they obey their rules.\n    So, basically it does not seem like any Western thought is \ngetting into China through these corporations. For example, the \nNorton Antivirus software. They gave China virus software \nbefore they could get into China. Cisco built special routers \nfor them.\n    All these companies are playing right into their hands and \nbasically doing whatever the Chinese Government says so they \ncan get into this imaginary market, in my opinion, that is not \nquite as big as they made it out to be.\n    Mr. Xia. I agree with what Paul said, especially in the \ncase of Yahoo. They have openly signed a self-censorship \nagreement. In the case of Yahoo, it actually helped China to \ncreate a kind of Chinese Internet and make it look like people \ncan stay there and get everything.\n    Mr. Wolf. Paul, you just said Cisco provided special \nrouters. Are you saying that the Chinese Internet censors \nprovided specifications to Cisco to provide some unique \nequipment, or are we talking about equipment that they provided \nthat have multiple uses?\n    Mr. Baranowski. The reports are that they asked for \nspecific features in these routers, and Cisco made it for them.\n    Mr. Wolf. Is it your assumption that those features are \nunique?\n    Mr. Baranowski. Unique to China.\n    Mr. Wolf. Unique to censorship functionality as compared to \nsome other functionality?\n    Mr. Baranowski. To censorship technology.\n    Mr. Wolf. But that is a guess, right?\n    Mr. Baranowski. These are reports from interviews of people \nthat worked on the project, so I do not have direct experience \nwith that.\n    Mr. Wolf. As you develop circumvention technologies, is the \ntarget user the average Internet user in China, or is the \ntarget someone who has a fair amount of sophisticated \nknowledge? 
In other words, is the beneficiary someone who has a \nPC at home, does not know much about the technology but knows \nhow to sign onto his ISP?\n    Mr. Baranowski. Are you saying, for Peekabooty, is that the \nmain target market?\n    Mr. Wolf. Yes.\n    Mr. Baranowski. Yes. Yes. For my project, Peekabooty, that \nis the target market, the personal home computer or any \ncomputer you can actually install software on.\n    Mr. Wolf. And a user who is not particularly sophisticated.\n    Mr. Baranowski. Yes, and a user that has no special \nknowledge of Internet technology.\n    Mr. Wolf. Avi.\n    Mr. Rubin. Since it was a research prototype, we never got \nit to that phase. But the design was made with that as one of \nthe original main constraints, is that it should be usable by \nanyone.\n    Mr. Wolf. Bill.\n    Mr. Xia. From the response I got, there are people who \nreally have little computer technology. They ask me, you gave \nme the URL. What should I do? So I have to tell them, please \ncopy the URL to the address of your Internet browser and \nreturn. You will see the Web interface, blah, blah, blah.\n    Mr. Wolf. All right.\n    Mr. Lin. I think nobody can get benefits from a virus. If \nthe government, for some purpose, makes some special virus that \nis very dangerous and powerful, you can understand because most \nof the users are uneducated in special technology. They will \nnot find \nanything special.\n    All information can be collected by the central government. \nIt is very easy and effective and could happen. We have not had \nany \nreports that it has already happened, but it is just a \ntechnical \npossibility.\n    Mr. Rubin. It is actually pretty bad. There is a program \nout there for Windows, which is the most popular platform, \ncalled Back Orifice. 
It is a spoof on the name Back Office.\n    What this program does, is it can be installed on a \ncomputer in stealth mode, meaning that you cannot really tell \nthat it is running on your computer, and it provides a remote \nterminal to whoever installed it there where they would have a \nwindow on their screen that was exactly your desktop, whatever \nyou saw there.\n    They could control it with mouse clicks and keyboard events \nthat would be sent from their computer to the target computer, \nand anything that was done on that target computer would be \nvisible, and any keystroke, any password that was typed in, \nwould be \nvisible.\n    So in the extreme where the government wishes to install \nthis kind of a virus, or even to require vendors to install \nthis on the computer when they sell them, they could pretty \nmuch see exactly what was going on on every single computer any \ntime they wanted. Big brother. Turn the switch on this house \nand watch what is going on on that computer. That is not just \ntechnically feasible, that has already been done. That software \nis out there.\n    Mr. Wolf. I have one last question. Bill, the figure of \n30,000 Internet police. Where does that come from?\n    Mr. Xia. I think it is originally from some report from \nChina, and then everybody is quoting it.\n    Mr. Lin. There is a specific Web site. They publish a lot \nof information related to the Web site, at dfn.org, Digital \nFreedom Network. That is my recommendation. You can find some \ninformation related to it.\n    Mr. Wolf. All right. Well, I would like to thank you all \nvery much for coming today. This has been helpful in our \nunderstanding of the Internet technology issues. I appreciate \nthe fact that, although you are all technologists, you talk \nabout it in a way that non-technologists can understand.\n    So, thank you all very much for spending the time, and \nthank you all for your commitment to this.\n    [Whereupon, at 4:13 p.m. 
the roundtable was concluded.]\n                            A P P E N D I X\n\n=======================================================================\n\n\n                          Prepared Statements\n\n                                ------                                \n\n\n                    Prepared Statement of Avi Rubin\n\n                            november 4, 2002\n    While I am a researcher at AT&T Labs, I am participating in this \nround table as an individual, representing only my personal beliefs and \nopinions. I have been researching computer security issues since 1991. \nMuch of my work has focused on privacy, anonymity, and censorship \nresistance.\n    The purpose of my statement is to discuss technical issues related \nto censorship. I will discuss the techniques that a network \nadministrator, including a large company or a country, could use to \ncensor access and content to and from its network, and I will discuss \ntechniques that could be used to circumvent this censorship. For the \nremainder of this paper, I will refer to the party controlling the \nnetwork as the Censor, and to the party wishing to circumvent \ncensorship as the User.\n    Censorship is somewhat of a broad term. It can refer to the \nblocking of access to web sites. It can refer to blocking all \nconnectivity outside of the domain of the Censor, and censorship can \nrefer to the limitation of access to certain content. Censorship can \nalso involve forceful removal of content from the Web, by applying \npressure to the publisher and/or the web hosting party. The latter is \nthe type of censorship that the Publius system was designed to \ncircumvent. In this statement, I do not discuss censorship within the \ndomain of the Censor, but rather, the censorship of content available \nfrom outside of the domain for people whose network is under the \ncontrol of the Censor. I also focus on the User as the receiving party \nof information and not the publishing party. 
I will be happy to discuss \nissues related to the latter in the question and answer period.\n    There are three principal techniques that can be employed by the \nCensor.\n\n    1. Routing filters: The Censor is in a position to control how \ntraffic from the User reaches the rest of the Internet. The Censor can \nrefuse to route Internet packets from the User that are destined for \nparticular locations. Thus, the Censor can use the destination address \nof the packets to make a censorship decision. In the extreme, the \nCensor can prevent all traffic from all of its users from reaching any \nnetwork outside of its control. This is easy to do, and any Censor can \naccomplish this without the need to purchase any new hardware or \nsoftware. The functionality is built into all off-the-shelf routing \nequipment that sites use to connect to the Internet.\n    2. DNS tricks: The Censor can exert some control on which external \nsites users can communicate with by virtue of its control over the \nDomain Name Servers (DNS) within its administrative boundary. The DNS \nis the service that maps computer addresses (IP addresses) to names. \nFor example, wow.avirubin.com has the address 207.140.168.155. \nComputers communicate using such numerical addresses, but people enter \nreadable names into web browsers. The DNS translates these names into \nnumbers. Since the Censor controls its own DNS service, it can \ntranslate requests from the User to addresses under its own control. \nFor example, if the User attempts to connect to www.avirubin.com, the \nCensor can program its DNS to return 10.10.32.1 when the User's machine \ntries to figure out the IP address of the machine, and this address can \nbe that of a machine controlled by the Censor. Thus, DNS provides the \nCensor with the ability to control which computers the User can connect \nto.\n    3. Application level filtering: The previous censorship techniques \ndealt specifically with connectivity issues. 
Application level \nfiltering, on the other hand, is a mechanism for controlling the \ncontent, even if the User can connect to a server. The most likely type \nof application level filter that the Censor would use is an HTTP proxy. \nThis is a program that intercepts requests sent to Web servers and the \nresponses returned to the User. The Censor can inspect the content, and \na decision can be made, as to whether or not to block the information \nfrom reaching the User. A Censor using an HTTP proxy might focus its \nattention on popular search engines.\n\n    The first type of censorship, based on routing filters, is \ndifficult to circumvent. If the routers do not allow packets in and out \nof the network, then there is no way to get around that. The best one \ncould do is to dial up to an external ISP. Of course, this could get \nexpensive if the Censor is a country. Also, a very strict and powerful \ncensor could monitor the phone network for data dial-up connections and \ndisconnect them, as well as sanction the User.\n    The second type of censorship, based on DNS spoofing, can be \ncircumvented by users who know the IP address of the server with which \nthey wish to communicate. Instead of referring to the server by name, \nthey could connect using the IP address directly. However, IP addresses \nchange frequently, and it may not always be possible for users under \nthe control of the Censor to know the IP address of a server. In \ngeneral, this is not a very effective technique.\n    The third type of censorship, based on application level filtering, \nis perhaps the easiest to circumvent. Encrypted content is difficult to \ncensor, but a very strict Censor can maintain a policy of blocking all \ncontent that it cannot interpret for the purposes of filtering. Perhaps \nthe easiest way to bypass HTTP proxies is to proxy web content over a \ndifferent port. Port numbers are used on the Internet to identify the \ntype of service for packets between hosts. 
For example, Web traffic \nuses port 80. HTTP proxies process packets that are marked with port \n80. A User wishing to circumvent this monitoring could cooperate with \nsomeone on the outside of the Censor's administrative control. They \ncould set up two proxies. The inside one would translate port 80 \npackets into ones that use, say, port 14500. The outside one would \ntranslate port 14500 back to port 80 and send them to the server. Thus, \nthe User could browse the Web without the Censor detecting it. However, \na strict censor could block all ports except 80, and then filter on \nport 80. There is little that could be done by the User in that case. \nIt should be noted that researchers have succeeded in identifying \nservices by their traffic patterns, independent of port numbers.\n    The bottom line is that there is an arms race in censorship. An \nextreme Censor can win every time, but at the expense of completely \ndisconnecting all users. The more tolerant a Censor, the more avenues \nthere will be for circumvention of the censorship that is in place.\n                                 ______\n                                 \n\n                     Prepared Statement of Bill Xia\n\n                            november 4, 2002\n    DynaWeb was launched on March 12, 2002. It is a proxy network that \nallows users to circumvent the Internet censorship in China and to have \nsecure and full access to the Internet. Users use DynaWeb as an \ninformation web portal to all other web sites. Since the inception of \nDynaWeb, we have managed to stay ahead of the censorship by China most \nof the time. 20,000 unique users gained regular unblocked access to the \nInternet through us.\n    DynaWeb has already played several rounds of the censorship and \nanti-censorship game in the past 8 months.\n    Before I start, I would like to explain a few critical technical \nterms for understanding DynaWeb experience. 
There are two ways to \naccess a web site through an Internet browser. One is to type in the \ndomain name, for example, www.google.com. The other way is to type in \nthe IP address of the domain name. The IP address is the essential \nplace the browser will fetch the web site information for the user. \nHowever, a domain name is more user-friendly. After a user types in a \ndomain name, the web browser will resolve domain names to IP addresses \nand fetch the right information for the user.\n    The game started with an e-mail subscription service. DynaWeb e-mailed \nunblocked IP address updates to subscribers. After 2 weeks, the censors \nprobably subscribed to our e-mail service too because the valid time \nwindow of DynaWeb IP addresses was reduced to a range from a couple of \nhours to a few days after release.\n    Then our services expanded to domain names with dynamic IP \naddresses. However, censors started chasing the DynaWeb domain by \nautomatically detecting the IP addresses that pointed to the domain \nname. This dramatically increased the need for back-up IP addresses, \nand hence increased the cost of DynaWeb maintenance. DynaWeb adopted a new \nstrategy so that censors had to manually verify the IP addresses before \nblocking them. Then automatic IP blockage stopped.\n    Soon in August, users started to have difficulty accessing \nDynaWeb through https even when the IP was not blocked. It was found out \nlater on that the certificate DynaWeb used for secured access from the \nInternet browser was filtered. This can be achieved by package level \nanalysis of Internet traffic to find a signature related to the \ncertificate DynaWeb used. In response to this, DynaWeb started to \nchange its certificate daily. No reports of certificate blocking have \nbeen found since then. 
Again, censors were frustrated with the resources \nrequired for daily updates of all related content filtering engines, and \nquit.\n    At the end of September, DynaWeb domain names were hijacked to a \nfixed IP 64.33.88.161 in China, along with many other web sites like \nwww.voa.gov. DIT has published a detailed report about this hijacking \n(http://www.dit-inc.us/report/hj.htm), and it can be independently \nverified from the U.S. More study about this hijacking is still \nunder way and will be released after we pass this stage.\n    So, what is next with the Cyber-wall?\n    At first look, it is a technical question whether technology can \nbreak through China's Cyber-wall. In fact it is not. This process is a \nrace of technology and time. As DynaWeb's experience has demonstrated, \nboth parties can always implement new technologies to stay ahead and \nsustain the advantage. If Internet breakthrough is defined as a purely \ntechnical issue, the future is brighter for censors because China \npurchases the most advanced censorship technology from western \ncompanies.\n    China is also developing the Golden Shield project, a ``data base-\ndriven remote surveillance system.'' When the whole Beijing city is \nwired with a biometric sensor and camera network, no Internet-based anti-\ncensorship can get around the surveillance system.\n    Even now, during the 8 months of technical race with DynaWeb, China \nhas developed the largest and most sophisticated IP blocking and \ncontent filtering system in the world. The more anti-censorship \ntechnique is deployed, the more comprehensive censorship technology has \nbecome. This leaves less and less technical room for anti-censorship. \nIt is critical to make full use of technologies to benefit as many \npeople as possible before the door is closed.\n    Second, it is a matter of available resources. China has 30,000 \nInternet police specializing in Internet censorship, and ISPs are forced \nto perform self-censorship. 
The self-censorship is even adopted by \nforeign ISPs such as Yahoo. China has purchased top technology from \nwestern companies. These technologies have even been modified for \nChina's particular censorship needs. Nortel, Sun Microsystems, Cisco \nand many smaller companies contributed to building China's Cyber-\nwall.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ China's Golden Shield: Corporations and the Development of \nSurveillance Technology in the People's Republic of China, by Greg \nWalton, International Centre for Human Rights and Democratic Development \nhttp://www.ichrdd.ca/english/commdoc/publications/globalization/goldenShieldEng.html\n---------------------------------------------------------------------------\n    Compared to China's investment in censorship and the cyber wall, \ninvestment in breaking through this Cyber-wall is next to nothing. \nThere are very few groups developing technologies suitable for this \nWall. With more resources, DynaWeb can provide services to more people, \ndevelop better client software, have closer monitoring of censors' new \ntechnologies and respond faster.\n    Third, people develop technology and technology serves people. \nThe people factor is the most important factor eventually. The recent increase \nof public awareness about China's Internet censorship both inside and \noutside of China is a great sign. We hope that this will help improve \nthe current situation soon. Currently companies contributing to China's \nCyber-wall bear little public pressure, not to mention any legislative \nlimitation.\n    Inside China, more and more harassment and arrests of dissidents \nand journalists are related to the Internet. Last year, there were more \nthan ten arrests in China for distributing forbidden information. This \nwill create fear among the public. 
For the general public in China, \nthey are now gradually realizing the existence of censorship \nconsciously.\n    More importantly, the government has adopted subtler mind control and \npropaganda to decrease Chinese people's interest in uncensored information. \nAll major events outside of China are reported, with seemingly a \nvariety of views, although all the different views are in fact the \ngovernment's view. There is a fully developed online community inside \nChina serviced by self-censoring ISPs. This strategy is an extension of \nChina's Cyber-wall, a wall in people's minds. The Internet, combined with \nTV, newspapers and other information channels, now offers Chinese people \ndifferent types of information and different views on certain issues. \nIt looks like full freedom of speech has been achieved. However, \nthe government produces all the different views and types of \ninformation. The censors try to use this to reduce people's interest in \nuncensored information.\n    In summary, technology alone won't decide the future of China's \nCyber-wall. But people do. If all Chinese people would like to obtain \nuncensored information, the Cyber-wall will be broken, from the inside.\n\n                 Prepared Statement of Paul Baranowski\n\n                            november 4, 2002\n    I am the project leader of Peekabooty, a piece of software that is \ndesigned to get around state-sponsored Internet censorship at the \nnational level. Peekabooty accomplishes this using peer-to-peer \ntechnology. Peer-to-peer (P2P) basically means that there is no central \nauthority governing some part of a networked system. The idea is that \nanyone that uses a P2P system also helps out others. Napster, Gnutella, \nMorpheus, and Kazaa are all examples of peer-to-peer networks. 
\nPeekabooty uses other nodes in the network to relay data around the \nfirewall, kind of like a distributed proxy service.\n    China has been working on its firewall since before 1997, and we \nhave seen its power growing over the years. Just about every other \nmonth now we see another story of a new technology being implemented in \norder to more effectively filter information.\n    The Chinese authorities started by blocking web pages based on \ntheir Internet Protocol (IP) address. Citizens of China initially \nworked around this by using ``open proxies''--that is, other computers \non the Internet that indirectly fetch web pages for the user. In early \n2001, the Chinese Communist Party countered the use of open proxies by \nscanning the Internet for them, and adding the proxies to their banned \nlist. Web sites have also responded by changing their IP addresses. \nHowever, they can only change their IP addresses every few days and \nthis costs money, so this is fairly ineffective.\n    SafeWeb and Voice of America (VOA) set up a system that would send \nthe IP addresses of available proxies to whoever requested them. \nHowever, it wasn't long until the Computer Monitoring and Supervision \nBureau of the Ministry of Public Security started requesting the proxy \naddresses and simply banned any IP addresses it received.\n    There are two strategies that have not been effectively countered \nyet: bulk email lists (where email is sent out to an enormous number of \npeople) and Freenet. Bulk email still works because the origination of \nthe email is different every time. However, email has the drawback of \nbeing one-way communication. Freenet is a peer-to-peer system that \nallows two-way communication, and it still works because the only way \nto find another Freenet node is through ``out-of-band'' means. This \nmeans there is no automatic way to discover all the nodes in the \nnetwork. 
The only way to find another node is, for example, by calling \nup a friend of yours that is running Freenet and getting his IP address \nor having an IP address personally sent to you in an email.\n    One of the main goals of Peekabooty is to overcome this limitation: \nto create a method of discovery that is automatic yet never allows \nanyone to discover all the nodes in the network. I am currently \ndeveloping a simulation of a system that shows great promise in this \nregard.\n    More recent developments of the Chinese firewall include:\n\n    * Selectively blocking out content within a web site instead \n      of blocking the entire site\n    * Denying Internet access for a certain amount of time to \n      anyone searching for a banned keyword\n    * Suppressing dissident comments in chat rooms, followed by \n      a warning email to the user who made the comments\n    * Logging Google keyword searches\n\n    We can do something about this if we act now. The Chinese \nGovernment is already on its third generation of firewall technology, \nand we haven't even started version one of our counter-strategy yet. If \nwe do not do something soon, they may be able to close off the country \ncompletely and obtain absolute monitoring and control of their net \nbefore we can do anything about it. A fair guess is that by 2008, when \nthe Olympics go to Beijing, it will be much too late to act. Our window \nof opportunity is now, at this moment.\n    The U.S. Government is the only organization that has the power to \nmount an effective counter against this type of censorship. Independent \nefforts by volunteer groups will be ad-hoc, and there will be no \ncoordination between the releases of the various projects. A well-\nfunded, centralized program could plan application releases so that \nthey occur at regular intervals in order to keep the Chinese \nauthorities constantly scrambling to keep up. In other words, the U.S. 
\nagency in charge could coordinate and plan a global strategy that would \nbe much more effective than the current ad-hoc state of affairs. \nCentralizing this type of activity also allows for the possibility of \ninteroperation between the projects, allowing more advanced features in \neach product and eliminating redundancy.\n    There are few, if any, commercial possibilities for this type of \nsoftware, which is why the government is the only organization with the \npower to fund this kind of activity on the scale that is required. The \namount of money proposed in the Global Internet Freedom Act has the \npossibility to fund dozens of projects. There are so many aspects to \nthis problem and so many ways to solve it that this is the kind of \ndepth we need. Research is just beginning on this subject and we have a \nlong way to go. This panel represents a sample of what is out there--\nthere are, perhaps, on the high end, a dozen grass-roots efforts \nattempting to do something about this on a shoestring budget. However, \nthis is not as many as we need. Right now development on all of them is \nextremely slow due to the fact that they all rely on volunteers, \nusually only one or two per project. The first thing that is gained \nwith funding is development speed. With a full-time staff working on \neach project we would see rapid improvements in the technology. The \nsecond thing that we gain is usability. For your average consumer, the \nuser interface is everything. For developers, this usually comes last. \nWith appropriate funding, experts can be hired to solve the usability \nproblem. Third, the interface for each program must be translated into \nvarious languages, most importantly Chinese. With funding this becomes \npossible. Finally, marketing the applications to their intended \naudience is critical. Some part of the funding for each project should \nbe spent on promotion.\n    If the U.S. 
Government does fund projects such as these, it should \nbe done through credible organizations that are committed to developing \nopen-source solutions. Open-source software is crucial, due to fear of \nsoftware backdoors that would allow remote monitoring or tampering of a \nuser's computer. Open-source software relieves these fears because the \ncode can be vetted by outside experts.\n    One of the important things about many of the current projects is \nthat they use peer-to-peer technology. In terms of cost, this means \nthat they do not need large amounts of cash to keep them running. Funds \nare mainly needed for maintenance of the code and the addition of \nfeatures. Each project could be initially funded by only a few hundred \nthousand dollars a year, and even less for maintenance once they have \nbeen deployed.\n    The current crop of anti-censorship projects that show promise and \nshould be considered for funding include the following: Peekabooty, \nFreenet/Freenet-China; the Invisible IRC project (IIRC) which allows \nanonymous chat; CryptoMail, a web-based email system like Yahoo that \nprovides automatic encryption of email; and Pretty Good Privacy (PGP) \nand Gnu Privacy Guard (GPG) plug-ins to email clients (examples of such \nplug-ins are Enigmail and KMail).\n    It should be noted that the National Science Foundation (NSF) has \nstarted funding anti-censorship research at the academic level. What we \nneed is a system to transfer the research into real world applications. \nOne of the areas of research that has not yet been exploited is in the \nfield of wireless networking. This technology would allow wireless \ndevices to route information on their own. If there was an application \nthat did this, and enough wireless devices, it would create a new \nInternet infrastructure which could not be filtered. 
I also think there \nshould be work done to make email encryption easier to use and more \ntransparent.\n    China's censorship technology is becoming more advanced every day. \nWe can do something about it, but we must act now. The government \nshould fund credible third-party organizations to develop open-source \nanti-censorship technology. Multiple strategies should be developed and \ntheir release should be coordinated according to a centralized high-\nlevel strategy. If we do not act, there is no doubt the Chinese \nCommunist Party will have more power over its populace than ever before \nin history.\n\n</pre></body></html>\n"