Posted on Jul 20, 2017 by Glyn Moody

Putting together the pieces of the Chinese VPN jigsaw puzzle

VPNs are indispensable tools for today’s Internet users, and nowhere more so than in China. The famous “Great Firewall of China” – the name given to the set of technologies used to enforce censorship of foreign sites – can be circumvented by VPNs, but not in a consistent way. Sometimes VPNs are blocked, sometimes they work fine. Two recent posts on this blog reflect a broader uncertainty. According to the first story, the Chinese government had ordered ISPs to block personal VPN use by February 1st next year. According to the second, published a few days later, there were no such plans.

Just this week, another piece of the Chinese VPN jigsaw puzzle has been placed on the table by the authorities, as reported by Associated Press. It concerns the use of VPNs by foreign companies with subsidiaries in China:

“the biggest Chinese internet service provider says virtual private networks, which create encrypted links between computers and can be used to see sites blocked by Beijing’s web filters, will be permitted only to connect to a company’s headquarters abroad. The letter from state-owned China Telecom Ltd. says VPN users are barred from linking to other sites outside China, a change that might block access to news, social media or business services that are obscured by its “Great Firewall”.”

One possible explanation for all those conflicting signals is that the Chinese authorities actually want its citizens and companies to be unsure whether VPNs will be allowed or not. This unpredictability is a feature, not a bug, as pointed out in an analysis on the Tech in Asia blog of China’s Web censorship last year. Contradictory statements and actions mean that Internet users are not entirely sure where exactly the Chinese government draws the line for comments that will be censored or even punished. As a result, most people self-censor well inside where they think the limits might be, just to be on the safe side. That means the authorities get the benefits of strict censorship without needing to impose it directly.

Perhaps the same is happening with VPNs. China’s rulers are well aware that people use VPNs to circumvent censorship, and that is obviously a threat to their control. On the other hand, they also know that their businesses and academics need access to certain “forbidden” material in order to be competitive in global markets. One resolution is to allow people to use VPNs, but make them unsure how much they can rely on them. That in itself might limit their use to things that are really “need to know”, rather than just “nice to know”.

Another explanation of the mixed signals from Beijing is offered by a new post on the Macro Polo blog. It echoes a point made by Caleb Chen in his report on the Chinese government denial that VPNs would be blocked. There’s a key word in the short statement provided by the Ministry of Industry and Information Technology, which reads as follows:

“Trade or multinational enterprises, if they require leased lines or other methods to access the internet abroad, can turn to authorized telecommunications entities.”

The key word there is “authorized”. As the Macro Polo blog notes, there’s an easy and subtle way that the Chinese government can nudge Internet users to move to authorized VPNs:

“Imagine an extreme scenario in which there was one authorized VPN that, with a little help from the government, worked faster than all others, and was accessible almost 100% of the time. All other VPNs would operate at their current levels, hit or miss, with lots of misses during particularly sensitive periods. With the help of that very forceful “nudge” from the government, VPN users would flock to the Chinese Party-state’s preferred and authorized provider.”

By supporting a few better VPNs that circumvent the Great Firewall more reliably, the Chinese authorities encourage Internet users to migrate to them. In doing so, the government gains something that is much more important than stopping people visiting a few “illegal” sites like Twitter: greater long-term control. If there were some major emergency that threatened the country’s stability – or the government’s power – Beijing could be sure that the authorized VPNs would shut down connections immediately. The unauthorized ones might resist, or find new ways around blocks, but by then they would be used by fewer people, and would therefore represent less of a problem.

There’s a precedent for this nuanced approach, with all its apparent contradictions. Back in 2014, the site reported that a Man-in-the-Middle attack was being used against Google. Google’s sites were blocked for most Chinese Internet users, with the exception of those accessing them via CERNET, China’s national education and research network. The reason is the one mentioned above: Chinese researchers need to be able to stay current with work done outside the country, and therefore require access to Google for that purpose.

But in 2014 the authorities were faced with a problem. Google had just started to enforce HTTPS connections to its services. That meant that the Chinese government was unable to censor sensitive searches on Google, since the encrypted connection to the US service hid all details of what the user was looking for. The solution to that conundrum was to use a Man-in-the-Middle attack against Google. By injecting a fake SSL certificate, the authorities gave the impression that the connection to Google was secure, while still being able to inspect all the search terms before they were sent on to the search engine. That, in its turn, allowed politically-sensitive keywords to be blocked, but for academic users to continue to access non-controversial material needed for their research.

A move towards authorized VPNs would achieve the same results. Most of the time, Internet users in China would be allowed to circumvent the Great Firewall, just as academic users can use Google for their searches. But for both situations, the authorities retain the option to spy on what exactly people are doing, and to block them in extreme cases.

Amidst this confusion, it’s hard to discern how exactly the Chinese government is planning to address the problem of VPNs that circumvent its censorship measures. The outcome matters, because governments all around the world are grappling with similar issues. For example, it is clearly trivial to circumvent the UK government’s new compulsory age verification for porn sites using VPNs with exits outside the UK. Similarly, plans by various Western governments to record every Internet site visited by Internet users are rendered pointless when people connect via VPNs.

The fear has to be that other countries will start to move towards the idea of requiring VPN companies to be authorized by the government. Such suppliers are likely to be cooperative when the police or intelligence services start demanding metadata or help with surveillance, otherwise they will soon find themselves unauthorized.

Featured image by Dong Fang.

About Glyn Moody

Glyn Moody is a freelance journalist who writes and speaks about privacy, surveillance, digital rights, open source, copyright, patents and general policy issues involving digital technology. He started covering the business use of the Internet in 1994, and wrote the first mainstream feature about Linux, which appeared in Wired in August 1997. His book, "Rebel Code," is the first and only detailed history of the rise of open source, while his subsequent work, "The Digital Code of Life," explores bioinformatics - the intersection of computing with genomics.

VPN Service