Archive for the 'GFW' Category

GreenDam postponed

Wednesday, July 1st, 2009

It’s July 1, and in China the ominous deadline to implement the Green Dam/Youth Escort internet filtering software has been postponed, to much rejoicing by Internet users in the country.

Green Dam graphic in China Daily

To outsiders, this must seem quite puzzling. Why would China’s “totalitarian” system need to back down on this?

This should be seen as a case study in how China’s decision-making system is far more nuanced than the label “Communist” regime would suggest, and in the role of citizen deliberation in a new, upwardly mobile, aspirational, IT-savvy China.

While the outside world sees the PRC government in absolute control, in reality the heavy-handed, top-down authoritarian system rides on a delicate balance of bottom-up public consent that supports the state’s legitimacy.

Here’s why Green Dam illustrates this quite well.

China’s Internet filtering is by far the most advanced in the world in terms of precision and scale. But until now, it happened in the “cloud,” in far off intangible spaces through two main vehicles:

  • One is through massive domestic Web site content regulation through revokable Internet Content Provider licenses (ICP). Operators have to self-censor through technical or human means to please the authorities regarding general guidelines on taboo topics. Keywords are banned and discussion topics are forbidden. In some cases, explicit timely edicts are required, such as for significant June anniversaries, sensitive political meetings (People’s Congress) or poor construction standards in Sichuan earthquake zones. Even with these, China’s netizens have come up with clever tricks and puns to get around many of these automated filtering systems.
  • The other is the Great Firewall, the blocking of what foreign Web sites China users can surf. The implementation is clever, in that restrictions show up as technical errors (connection reset, site not found/unreachable) and curb behavior through uncertainty and doubt about a site’s reach-ability, rather than fear. You don’t know whether it’s the Internet acting flaky, or whether a site is actually being filtered. Tech-savvy users can trivially circumvent this.

But you don’t need perfect censorship to have effective censorship. Both these systems do quite well for the PRC government in keeping the 3T1F topics outside the mainstream, and ensuring that the government is not embarrassed by reporting on its incompetence.

The key, here is that both the domestic and international filtering activities happened in the cloud, the ether, the machines that comprise the Internet. It wasn’t in your home and it didn’t intrude beyond the cable to your desk.

Green Dam suddenly put the specter of restriction, surveillance and control in your home.

With that one stroke, which probably seemed like the next logical, innocuous extension of the censorship regime to PRC bureaucrats, the government made the big miscalculation of crossing into the private space and the personal property of China’s citizens. And that’s where the outrage came from.

This was the camel’s nose into the private tent of Internet users. Polls on China’s major sites (Sina, Netease, et al.) all showed over 3/4 of respondents saying Green Dam was unnecessary or a bad idea.

(NB: China is not the first or the only government wanting to censor Internet traffic for content. Australia’s Clean Feed proposal to covertly filter out sites at the ISP level has been under fire from their netizens, and was unceremoniously put on hiatus as well. Most public schools and libraries in the United States implement content filtering at some level. This is not a uniquely China issue.)

What the authorities in China didn’t realize was how serious that breach of boundary would be.

I knew it was going to be a tough road for Green Dam when it appeared the MIIT initiative was not a unified effort. Before leaving for my travels, I did commentaries with the Associated Press, Deutsche Welle, Al Jazeera and others, making the point that even China’s official news outlets were openly questioning Green Dam’s legitimacy. The new Global Times newspaper, which has been rather frank about other issues, led off with serious questions about the software’s safety.

Then came the big one.

China Daily, the official mouthpiece of the government, was publishing criticisms of Green Dam shortly after it was announced, even publishing Photoshop’ed illustrations of netizens mocking the system. (”Outrage over bid to tame Web“, China Daily, June 18, 2009)

One picture it included with the article was a “Who Wants to be a Millionaire?” multiple choice question describing Green Dam as “spyware” with “systemic flaws” that could be “exploited by hackers.” Another cartoon shows a gray hand of censorship coming from the computer screen and stiff-arming a computer user in the face.

Green Dam illustration in China Daily

It was clear at this point that the Green Dam initiative came from a smaller portion of the PRC bureaucracy, and not from the highest levels. China Daily would never have published something so critical if the agenda had been pushed from the very top.

China’s netizens were speaking, and the media and government were taking notice (and with higher ups looking the other way). So while this was not democracy in action, it certainly was something in action.

At TEDxShanghai last month, I described the phenomenon of Wikipedia and Twitter forming the basis of a new online commons where global netizens come to share and reinforce memes across geographic and social boundaries (SlideShare presentation). For years, faith-based technology enthusiasts hoped the Internet would bring democracy to any place it touched. This has been spectacularly elusive. On the flipside, some viewed the new Web 2.0 social revolution as “socialist”, “collectivist” and at worst, Maoist. That’s been inaccurate as well.

Instead, I describe the new borderless, socially agile, activist associations that crop up on the Internet as a new system of ‘deliberative adhocracy’. Alvin Toffler, and later Cory Doctorow, used adhocracy to describe a new form of rule based ephemeral associations that “capture opportunities, solve problems, and get results.” (Waterman)

Whether it’s as massive as #IranElection to bring global awareness to its politics, or as small as #MotrinMoms to discuss outrage at an insulting advertisement, we now have an online information commons (Twitter) and knowledge commons (Wikipedia) that supports a space for the new distributed Zeitgeist. In China, obviously there are other analogs (Twitter clone Fanfou, Baidu Baike, BBS forums, et al.) but the effect is the same. To see deliberative adhocracy in action look no further than the Human Flesh Search Engine that metes out social justice in the absence of a strong rule of law in China.

Readers familiar with my book will know I described how a Wikipedia Revolution changed forever how we deal with free access to knowledge and its production. I will however, be quite Burke-ian in my pronouncement about the Internet’s effect on China.

Revolutions are sudden overthrows and disruptive repudiations of the status quo. China has a terrible modern history with revolutions, with more of them going bad than good. The rule of law is sometimes described as when “reason trumps politics.” To China’s authorities, the Internet is being used in a deliberative process that fulfills that role. It is not perfect, nor prevalent enough to ensure social justice on a large scale. However, it is a huge step forward for a country that is convinced, after a century of turmoil, that any step must take safety and efficiency into account.

The hiatus for Green Dam is the standard face-saving way for the government to back down. There is a good possibility it may come back in another form, watered down or otherwise. But for now, China’s netizens are having their day.

Recently Unblocked in China…

Friday, August 1st, 2008

It seems yesterday’s dispatch of sites being spontaneously unblocked was part of a larger move. Today, Hu Jintao held a rare pow-wow of media outlets in the wake of Internet restrictions being eased. From the WSJ:

The 66-year-old Mr. Hu’s appearance before foreign reporters Friday was a rare move into the public spotlight for a leader who has long shunned it. Mr. Hu has never given a news conference in China or abroad.

From the BBC:

Hosting the Games showed China’s desire for peaceful global ties, he said.

His comments came amid apparent concessions by Beijing in a row over internet access for journalists.

More sites which had been blocked in Olympic media centres - such as that of rights group Amnesty International - were accessible on Friday, journalists said.

Here’s a rather representative list of sites that are now available in China, which include newspaper, magazine and NGO web sites previously hard blocked. This is taken from some that were sent on a recent Great Firewall list, and some I’ve added.

This is actually quite remarkable for folks living in China. The “Big Three” NGOs that have been unrelenting critics of China have been reliably blocked for years. YZZK (Yazhou Zhoukan) and Apple Daily both in Hong Kong, have done some of the most critical journalism regarding China.
RSF, acknowledging the good news, doesn’t take much time to celebrate and continues to push hard.

“This partial lifting of censorship shows that the Chinese government is not completely insensitive to pressure. If the entire world had been pressuring China since 2001, even before these games were assigned to Beijing, the situation might have been different today. And perhaps imprisoned journalists would have been freed before the opening ceremony.

Let’s be clear though: these unblocked sites are still subject to the sophisticated keyword blocking system of the GFW, which looks at both URLs and the body of web sites. The sites above are no longer blocked, as a rule, but the content on the site might still trigger a block. On the plus side, it seems the keyword filtering of the GFW seems to be less sensitive than normal, but the big taboo subjects are still blocked quickly.

NBC Nightly News did a piece on the blocking yesterday (July 31). I was amused when Danwei’s Jeremy Goldkorn was on camera demonstrating how to use a virtual private network and noted that living with the net nanny wasn’t that big a deal.

Goldkorn: “I don’t see that it’s really going to impede anybody’s work.”
NBC: “Do you think the foreign media is just whining a little bit?”
Goldkorn: “Yeah. Absolutely they’re whining.”

I suppose one could make the argument that leaving the restricted, GFW-“harmonized” Internet as-is would have given foreign journalists a real taste of what China’s Internet users deal with every day. Now, they get a freed-up, “special” Internet to do their job and this issue goes away for the next three weeks. The question is, after the party’s over, will any of the sites above stay unblocked?

Great Firewall playing nice(r)

Thursday, July 31st, 2008

On the evening of July 31, 2008, Beijing time, reports started to roll in on Twitter that Web sites previously considered hard blocked in China were suddenly accessible. Among the sites now allowed for me (using Beijing CNC as ISP) and others include:

  • http://www.bbc.co.uk/chinese/
  • http://zh.wikipedia.org
  • http://www.rfa.org (Radio Free Asia)
  • http://www.atnext.com (Apple Daily HK, newspaper critical of Beijing)

These were all considered pretty firmly blocked for a long time, so it’s a pleasant surprise. Perhaps the cry of reporters in the Beijing Olympic Media Center finally made it through to the organizers that they should follow through on their promise.

Public relations-wise, putting a censored Internet in the press center simply seemed like a terribly dumb move. Yes, before the Olympics even start, why don’t you completely poke and upset the press corps and give them plenty of material for harping on human rights and censorship in China. Maybe they thought the journalists would be too busy writing about the bad pollution problems instead.

So for now, kudos to the authorities for opening up these sites, even though every indication is that the authorities will revert to pre-Olympic policies around October 17. John Kennedy suggested a betting pool as to when the sites will be reblocked. My bet: 8 hours and 8 minutes after the Olympic closing ceremony.

Let’s not forget though there are plenty of sites still blocked in China, including Tor Project, Amnesty International, Wikia, The Pirate Bay, AboutUs.org, and LiveJournal, for which Twitterer wangzhongxia could not help observing:

I don’t know why Livejournal is a bigger threat to China than things like RFA mandarin edition

Sometimes you need a sense of humor to deal with the net nanny. 

Olympic Media Village - Internet Minibar

Monday, July 28th, 2008

I take back my gripes about paying Accor hotels US $30 a night for Internet access. We have a new winner, namely the Beijing Olympics Media Village. My wife who is staying there already told me they were going to charge reporters for Internet access (and a censored one at that) but now the details have been posted to Slashdot, the online tech salon:

“Working for the Olympics as an IT contractor, I recently moved to the Media Village (where all of the reporters live) and was surprised that there was no free internet. BOCOG (Beijing Organizing Committee of the 2008 Olympic Games) is charging a ridiculous amount of money for ADSL service: for

  • 512/512 it costs 7712.5 RMB (1,131.20 USD);
  • 1M/512 it costs 9156.25 (1,342.95 USD);
  • 2M/512 it costs a whopping 11,700 RMB (1,716.05 USD).

That is for only one month! For extra features like a fixed IP? That costs an additional 450 RMB (66 USD). I just can’t believe that not only do I have to deal with the Great Firewall of China, but also pay through the nose to use it!”

While I can imagine that it is “noise” for NBC and the big guys, it is not inconsequential for other news outfits.

I suggest someone be kind and bring an Airport Express or other Wifi router and share the Internet love.

CNN hacker tech?

Monday, April 21st, 2008

Not sure where Narus.com gets their info, but they seem to have the scoop on the details of the CNN DDOS attack last week.

Multiple sites of CNN (www.cnn.com, www4.cnn.com, edition.cnn.com) were the target of these attacks. NarusInsight Secure Suite (NSS) reported 2 different kinds of attacks going towards CNN - ICMP flood attacks and TCP SYN flood attacks. Interestingly the attacks had very similar signatures, e.g. an instance of a SYN flood involved the attacker distributing his packets across multiple source ports while sending exactly the same number of packets per source port. This can be expected given that the hacker group had made it easy for the novice who could download a script to launch the attack. The highest bandwidth attack seen by NSS was an 80 Mbps SYN flood attack, while the others were much less than that.

They seem to think that the DDOS attack was not successful, saying, “Fortunately, there were no large scale attacks and CNN.com was very much up and running.”

However there was widespread news of flakiness for a whole day, with China and US users finding timeouts and unreachable servers.
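The one concrete signature in the Narus excerpt is worth turning into detection logic: a flooder that spreads SYNs over several source ports while sending exactly the same number of packets from each port looks nothing like a real client, whose per-port counts are uneven. The following Python is an added example written for this page, not Narus’s code or anything the post published; the SYN records are constructed (TEST-NET addresses), and the thresholds are my assumptions.

```python
from collections import Counter, defaultdict

# Constructed SYN records for the demo: (src_ip, src_port, dst_ip, dst_port).
# Mirrors the excerpt: one scripted flooder with identical counts per source port,
# two ordinary clients with uneven or single-port activity.
def build_sample():
    recs = []
    for sport in (40000, 40001, 40002, 40003):          # scripted flooder
        recs += [("192.0.2.10", sport, "198.51.100.20", 80)] * 25
    for sport, n in ((52001, 1), (52002, 3), (52003, 2)):  # ordinary client
        recs += [("192.0.2.44", sport, "198.51.100.20", 80)] * n
    recs += [("192.0.2.77", 33001, "198.51.100.20", 80)] * 40  # one port only
    return recs

SAMPLE_SYNS = build_sample()


def syn_profile(records):
    """Count SYNs per source IP and source port: {src_ip: Counter({sport: n})}."""
    per_src = defaultdict(Counter)
    for src, sport, _dst, _dport in records:
        per_src[src][sport] += 1
    return per_src


def flag_uniform_sources(records, min_ports=3, min_total=50):
    """Flag sources whose SYNs are spread over at least min_ports source ports with an
    identical count on every port (the scripted-tool pattern the report describes).
    min_ports / min_total are assumed thresholds to keep small, normal clients out."""
    flagged = {}
    for src, ports in syn_profile(records).items():
        total = sum(ports.values())
        distinct_counts = set(ports.values())
        if len(ports) >= min_ports and total >= min_total and len(distinct_counts) == 1:
            flagged[src] = {"ports": len(ports), "per_port": distinct_counts.pop(), "total": total}
    return flagged


if __name__ == "__main__":
    for src, info in flag_uniform_sources(SAMPLE_SYNS).items():
        print(f"{src}: {info['total']} SYNs, {info['ports']} source ports, "
              f"exactly {info['per_port']} per port -> scripted flooder signature")
```

On a real capture you would feed `flag_uniform_sources` the SYN tuples from a flow export or pcap parser; the single-port and uneven-count sources in the sample show why both the port spread and the equal-count condition are needed before raising an alert.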

Wikipedia and Blogspot available in China

Wednesday, April 2nd, 2008

Not known for their sense of humor, the Chinese authorities chose April Fools day to unblock Wikipedia and Blogspot and netizens in the PRC are rejoicing. Danwei, Kaiser Kuo and CNET had the scoop. This past month saw both YouTube and BBC News unblocked as well. Ironic, considering the recent unrest in T%bet.

The downside is that Chinese Wikipedia (zh.wikipedia.org) is still blocked, through the filtering of its “host header.” For the tech inclined, here are examples of the block in action showing how de: (German Wikipedia) works fine, but zh: does not:

SUCCESS

$ wget --header "Host: de.wikipedia.org" http://203.212.189.253
--2008-04-03 01:22:54--  http://203.212.189.253/
Connecting to 203.212.189.253:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://de.wikipedia.org/wiki/Hauptseite [following]
--2008-04-03 01:22:55--  http://de.wikipedia.org/wiki/Hauptseite
Resolving de.wikipedia.org... 203.212.189.253
Reusing existing connection to 203.212.189.253:80.
HTTP request sent, awaiting response... 200 OK
Length: 34452 (34K) [text/html]
Saving to: `Hauptseite'

100%[=======================================>] 34,452      38.0K/s   in 0.9s

2008-04-03 01:22:57 (38.0 KB/s) - `Hauptseite' saved [34452/34452]

FAILURE

$ wget --header "Host: zh.wikipedia.org" http://203.212.189.253
--2008-04-03 01:23:02--  http://203.212.189.253/
Connecting to 203.212.189.253:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
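To make the mechanism in those two transcripts concrete, here is an added Python example (mine, not from the post or from wget): a throwaway loopback HTTP server that behaves like the filter described, resetting the TCP connection when the request’s Host header names zh.wikipedia.org and answering normally otherwise, plus a probe that sends one request with a chosen Host header and classifies the outcome the way wget reported it. The filtered host set, the loopback addresses and the server itself are constructed for the demo; nothing contacts the real sites.

```python
import socket
import struct
import threading

# Constructed demo set: hosts whose connections the mock filter resets.
FILTERED_HOSTS = {"zh.wikipedia.org"}


def _rst_close(conn):
    """Close abruptly: SO_LINGER with a zero timeout makes the kernel send RST, not FIN,
    which is what the peer sees as 'Connection reset by peer'."""
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def _parse_host(request_bytes):
    """Return the lower-cased Host header value from a raw HTTP request, or None."""
    for line in request_bytes.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()
    return None


def _serve_one(conn, filtered):
    """Read one request; reset if the Host is filtered, otherwise answer 200."""
    try:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        if _parse_host(data) in filtered:
            _rst_close(conn)
            return
        body = b"ok"
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
                     % (len(body), body))
        conn.close()
    except OSError:
        pass


def start_filter_server(filtered=FILTERED_HOSTS):
    """Start the mock Host-header filter on an ephemeral loopback port.
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def loop():
        srv.settimeout(0.2)
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=_serve_one, args=(conn, filtered), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port, stop_flag.set


def probe(ip, port, host, timeout=3.0):
    """Send one HTTP/1.0 GET to ip:port with an explicit Host header and classify it:
    'ok <status>' for an HTTP reply, 'reset' for a TCP reset, 'closed' or 'timeout' otherwise."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            reply = s.recv(4096)
        except ConnectionResetError:
            return "reset"
        except socket.timeout:
            return "timeout"
    if not reply:
        return "closed"
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    return "ok " + status_line.split(" ", 1)[1] if " " in status_line else "ok ?"


if __name__ == "__main__":
    port, stop = start_filter_server()
    for name in ("de.wikipedia.org", "zh.wikipedia.org"):
        print(f"Host: {name:<18} -> {probe('127.0.0.1', port, name)}")
    stop()
```

The same `probe` function, given a real address, gives a repeatable way to record which Host values get a normal reply and which get reset from a given network, which is exactly the distinction the two wget runs above were collected to show by hand.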

GFW in The Atlantic

Friday, February 8th, 2008

James Fallows has a new piece in The Atlantic about the Great Firewall, and is largely on target. I particularly like the analysis in the kicker:

It would be wrong to portray China as a tightly buttoned mind-control state. It is too wide-open in too many ways for that. “Most people in China feel freer than any Chinese people have been in the country’s history, ever,” a Chinese software engineer who earned a doctorate in the United States told me. “There has never been a space for any kind of discussion before, and the government is clever about continuing to expand space for anything that doesn’t threaten its survival.” But it would also be wrong to ignore the cumulative effect of topics people are not allowed to discuss.

It’s pretty tough to relate all the tech details in a literary magazine, and I spent some time with Fallows in a Beijing Starbucks going over the nitty gritty. Hope to post the entire details sometime soon.

YouTube unblocked in China

Wednesday, October 31st, 2007

There are many independent reports coming in that as of last night, YouTube is accessible again in China via the big providers China Netcom and China Telecom. I can confirm Beijing China Netcom can access it.

It may be that blocks are unwinding after the CPC 17th National Congress, or it could be a hiccup. Thomas Crampton, who has been unable to do video blogs from Beijing, will be happy to hear the good news.

Chinese Wikipedia at 150,000

Friday, October 26th, 2007

Congratulations to the Chinese Wikipedia, which just hit 150,000 articles, despite being blocked in China.

The latest stats showed that Hong Kong and Taiwan contributors make up over 50% of the contributors. Dedicated PRC users who can get to zh.wikipedia.org by proxy and overseas Chinese make up the rest. A quick spot check also shows lots of the activity in zh: relates to pop culture and current events, such as Harry Potter (哈利波特-死神的聖物), Rain Man (雨人), Heart of Greed (溏心风暴), GiGi Lai (黎姿). This does not seem so different than English Wikipedia, and may well be what gets folks introduced to Wikipedia first.

Comcast does a GFW

Wednesday, October 24th, 2007

Welcome Comcast USA users to the club of Internet blocking. You now share a bond with millions of Internet users in China! It may seem annoying, but with the right tools and some perseverance, you too can keep downloading without any hiccups.

The story

It seems the US Internet service provider has been using Great Firewall-style tactics to prevent customers from running P2P protocols like BitTorrent. Some sleuthing by the EFF found that TCP reset packets (RST) are sent to kill connections related to P2P file transfers by Comcast customers. This clandestine connection sniping is pretty hard to diagnose without geeky tools like Wireshark or Ethereal, but the shutdown technique is used by more and more ISPs. It’s what the Great Firewall here in China depends on for blocks triggered by keywords.

This revelation comes at a particularly bad time for ISPs in the US, when the network neutrality debate had died down. But this will re-energize the Internet purists, as it directly hurts the credibility of ISPs who say the US does not need regulation of “neutrality.” If Comcast had given fair notice to customers via service agreements about proper and improper use of their connections, that would be one thing. But users had their IP connections shut down mysteriously for unstated reasons. That’s something that usually happens in other places. Like China.

There is a solution

While there is widespread piracy over P2P networks, there are absolutely legitimate uses for them. Comcast seems to have classified any BT P2P file transfers as something that should be shuttered for copyright infringement. That would be a bad assumption.

The other day I downloaded NeoOffice (open source) for the Mac at 140 Mbytes using BitTorrent because it’s much faster than FTP. I was able to get 120 kilobytes/second on P2P versus 15 kilobytes/second via straight download. Many folks download Linux distributions and operating system patches via BT for exactly this reason.

Is there a solution for customers? Well EFF is considering a legal challenge, as this seems ripe for a class action lawsuit. In the meantime, there are ways to circumvent RST-based tactics of firms like Comcast.

Here, China Netcom also frowns on P2P by slamming shut transfers and tracker communication. A combination of techniques, like using BT clients supporting encrypted connections, can solve the problem. The following is what works for me, and it should work for nearly anyone who has to deal with a firewall/filtering system with BT.

BACKGROUND: There are two different “channels” that BitTorrent uses — tracker communication and peer communication. Tracker communication is basically what the BT client needs to connect to a tracker server, which has the particulars of the transfer: what file is being transferred, which peers have it, and the progress of the client. It’s basically the coordination center for the entire session and is the only real vulnerable hub of a P2P system, becoming a single point of failure/blocking. The other part is peer communication. This is what takes place between your computer and the multitude of other computers on the Internet. This makes up the big bulk of traffic on P2P, when your computer is perhaps chatting with 100+ other clients to transfer little chunks of the file you want.

So the tactic of ISPs is to block either or both of these types of communication. In days of old, when BitTorrent was new (or ISPs didn’t care or notice) all peer communication happened on port 6881 and tracker communication happened on 6969. For a long time this worked fine. But since these port numbers are well known, to block BT the ISP could simply block all packets to those ports. Game over for the client.
So people started changing port numbers to high numbered random values (37412 for example) used for peer communication and to less known port number for tracker communication. That worked for a while. But in this escalating game of cat and mouse, ISPs started putting in systems to actually inspect packets across all ports to see if they had telltale BitTorrent “headers,” and shutting down those connections. Thus high numbered, randomly selected ports were not good enough. The power swung back to the ISPs.
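Two things in the story so far can be checked from a packet capture: the injected RSTs the EFF found, and the “telltale BitTorrent headers” that port-agnostic inspection keys on. The Python below is an added example for this page, not the EFF’s or any client’s code, and the packet summaries it reads are constructed. It flags a plaintext BitTorrent handshake (the fixed 20-byte prefix `\x13BitTorrent protocol`, which is a real protocol constant) and flags an RST whose IP TTL differs from the TTL earlier packets from the same endpoint carried; that TTL comparison is a widely used heuristic for spotting a reset forged by a middlebox rather than sent by the real peer, and is my addition, not something the post states.

```python
import re

# Constructed packet summaries (not a real capture). One packet per line:
#   <time> <src>:<sport> > <dst>:<dport> <flags> ttl=<n> seq=<n> [data=<hex>]
# Flow 1: a BT handshake in the clear, then an RST "from" the peer with the wrong TTL.
# Flow 2: an opaque (encrypted-looking) exchange on a random high port, left alone.
SAMPLE_CAPTURE = """\
0.000 10.0.0.5:51413 > 203.0.113.9:6881 S ttl=64 seq=1000
0.048 203.0.113.9:6881 > 10.0.0.5:51413 SA ttl=52 seq=5000
0.049 10.0.0.5:51413 > 203.0.113.9:6881 A ttl=64 seq=1001
0.050 10.0.0.5:51413 > 203.0.113.9:6881 PA ttl=64 seq=1001 data=13426974546f7272656e742070726f746f636f6c
0.131 203.0.113.9:6881 > 10.0.0.5:51413 R ttl=61 seq=5001
0.200 10.0.0.5:37412 > 198.51.100.7:37412 S ttl=64 seq=7000
0.251 198.51.100.7:37412 > 10.0.0.5:37412 SA ttl=49 seq=9000
0.252 10.0.0.5:37412 > 198.51.100.7:37412 PA ttl=64 seq=7001 data=9f3a71c0e84d2b6f
0.300 198.51.100.7:37412 > 10.0.0.5:37412 PA ttl=49 seq=9001 data=4411a6e3
"""

BT_HANDSHAKE = b"\x13BitTorrent protocol"  # fixed prefix of a plaintext BT handshake

LINE_RE = re.compile(
    r"(?P<t>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) seq=(?P<seq>\d+)(?: data=(?P<data>[0-9a-f]*))?$"
)


def parse_capture(text):
    """Parse the summary format above into dicts; malformed lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "t": float(d["t"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "ttl": int(d["ttl"]), "seq": int(d["seq"]),
            "data": bytes.fromhex(d["data"] or ""),
        })
    return pkts


def analyze(pkts):
    """Return a list of findings: plaintext BT handshakes visible to DPI, and RSTs whose
    TTL disagrees with the TTL previously seen from the same endpoint on that flow."""
    seen_ttl = {}  # (src, sport, dst, dport) -> TTL of the first non-RST packet that way
    findings = []
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if "R" in p["flags"]:
            known = seen_ttl.get(key)
            if known is not None and known != p["ttl"]:
                findings.append(
                    f"injected RST? {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
                    f"at t={p['t']}: ttl {p['ttl']} but earlier packets had ttl {known}")
        else:
            seen_ttl.setdefault(key, p["ttl"])
        if p["data"].startswith(BT_HANDSHAKE):
            findings.append(
                f"plaintext BitTorrent handshake {p['src']}:{p['sport']} -> "
                f"{p['dst']}:{p['dport']} at t={p['t']} (visible to port-agnostic DPI)")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_capture(SAMPLE_CAPTURE)):
        print(finding)
```

The second flow shows why the port-based blocking of the early days stopped working and why inspection moved to payloads: on port 37412 nothing identifies the traffic except its content, and once the content carries no recognisable handshake the analyzer, like the ISP, has nothing to match. The TTL check is only a heuristic; a reset from the genuine peer can also arrive with a changed TTL after a route change, so treat a hit as a reason to look closer, not as proof.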

SOLUTION. What’s fascinating is the furious software arms race the P2P open source community engaged in to solve this problem. Programmers have upped the ante by using encryption and de-centralizing the tracker function to the point where BT is now nearly unblockable. But it’s not for the average user, since you do need some special configuration with the right clients.

The basic solution is to use encrypted peer communication, and a proxy server for the tracker communication.

Newer clients like uTorrent (Windows) and Azureus (nearly every platform), now support encrypting all traffic between peers using RC4 encryption, and setting an arbitrary port number. The only thing ISPs see then are IP packets with encrypted gibberish going from one random port number to another computer’s random port number. They cannot tell whether it is VoIP traffic, a file transfer, VPN, MMORPG data, or anything else. It is completely opaque to them, and filtering cannot work on the packets. Because the two peers do a handshake to establish a unique session key that no one else knows, the ISP is out of luck.

The RC4 encryption used by clients, while not the state of the art, is hard enough to crack that it isn’t practical to inspect those packets without major horsepower (like supercomputer horsepower). Comcast, China Netcom, or anyone else acting as intermediary ISP has no real option but to pass it along as an ordinary IP packet.

Tracker communication needs a different treatment. It’s much easier for ISPs to block this, because there are only a few dozen popular BitTorrent trackers in the world. By simply blocking all traffic to them, or watching each packet, they can just shut down those connections. The simplest way to circumvent this is to use a proxy. Azureus supports the use of a SOCKS proxy server. As a China Internet user, I always have an SSH tunnel open and in use for my proxy communication. It’s just a normal part of my day to get to blocked sites like BBC, Blogger, YouTube, etc.

However, SSH is not something everyone has. I happen to have it as part of a hosting plan, but it’s fairly easy to get one as part of a $5.95/month plan like on BlueHost. There are also sites that give free SSH accounts, like silenceisdefeat.org. In the Azureus options, you can simply instruct the client to use a proxy for tracker communication. That way, the ISP you are using cannot even tell any P2P is happening since your proxy server is doing all the tracker communication on your behalf, and it’s encrypted in the SSH tunnel. (There is a full tutorial about this technique for Windows here and here).

With this whole thing set up — high numbered random ports, encrypted peer communication and proxy tracker communication — your local ISP is none the wiser to what’s going on, even when employing basic surveillance techniques like packet inspection. I’ve been able to max out my connection speed using this arrangement for torrents that have lots of peers. There are some small caveats — not all clients support RC4 encryption, so not all the seeds/leechers listed will be available to you. Also, if your SSH connection breaks off for some reason, it will likely stall your transfer. (I use a command line tool like “autossh” to keep a persistent SSH connection.)

As I warned though, this is not for the average person. The most exotic part of the solution is an SSH tunnel, which only real hard-core Internet users would have.

The final tally

What this arms race means in the long run is more interesting. If the US government will not regulate the maintenance of “neutrality” into the operation of ISPs, users can demand it in part by encrypting everything and preventing operators from discriminating against (or currying favor towards) certain types of traffic.

This has always been the problem with the perennial hope of ISP-supported Quality of Service (QoS), because it depends on the operator being a relatively fair or accommodating intermediary. This assumes there is a telco/ISP acting purely as a “common carrier” whose job is to relay traffic expeditiously and for the benefit of the customer. The problem is that one side of the connection is the ISP’s customer and the other end usually is not. Also, more and more ISPs have a vested interest in pushing their own VoD, VoIP or walled garden product over the exact same lines that Google, Facebook and Joost are using for their multibillion dollar ambitions.

It is natural, though problematic, for a “common carrier” to mix its own product’s fortunes into its relaying policy. And that’s where the heart of the debate is.