Golden Shield Project
||This article may be expanded with text translated from the corresponding article in the Chinese Wikipedia.|
The Golden Shield Project (Chinese: 金盾工程; pinyin: jīndùn gōngchéng), colloquially referred to as the Great Firewall of China  (Chinese: 防火长城; pinyin: fánghuǒ chángchéng) is a censorship and surveillance project operated by the Ministry of Public Security (MPS) division of the government of China. The project was initiated in 1998 and began operations in November 2003. It is now used to attack international web sites using Man-on-the-side DDoS, for example to attack GitHub on 2015/03/28.
The political and ideological background of the Golden Shield Project is considered to be one of Deng Xiaoping’s favorite sayings in the early 1980s: "If you open the window for fresh air, you have to expect some flies to blow in." (Chinese: 打开窗户，新鲜空气和苍蝇就会一起进来。; pinyin: Dǎkāi chuānghù, xīnxiān kōngqì hé cāngying jiù huì yìqǐ jìnlái.[nb 1]) The saying is related to a period of the economic reform of China that became known as the "socialist market economy". Superseding the political ideologies of the Cultural Revolution, the reform led China towards a market economy and opened up the market for foreign investors. Nonetheless, the economic freedom, values, and political ideas of the Communist Party of China have had to be protected by "swatting flies" of other unwanted ideologies.
The Internet in China arrived in 1994, as the inevitable consequence of and supporting tool for the "socialist market economy". Gradually, while Internet availability has been increasing, the Internet has become a common communication platform and tool for trading information.
The Ministry of Public Security took initial steps to control Internet use in 1997, when it issued comprehensive regulations governing its use. The key sections, Articles 4-6, are: "Individuals are prohibited from using the Internet to: harm national security; disclose state secrets; or injure the interests of the state or society. Users are prohibited from using the Internet to create, replicate, retrieve, or transmit information that incites resistance to the PRC Constitution, laws, or administrative regulations; promotes the overthrow of the government or socialist system; undermines national unification; distorts the truth, spreads rumors, or destroys social order; or provides sexually suggestive material or encourages gambling, violence, or murder. Users are prohibited from engaging in activities that harm the security of computer information networks and from using networks or changing network resources without prior approval."
In 1998, the Communist Party of China feared that the China Democracy Party (CDP) would breed a powerful new network that the party elites might not be able to control. The CDP was immediately banned, followed by arrests and imprisonment. That same year, the Golden Shield project was started. The first part of the project lasted eight years and was completed in 2006. The second part began in 2006 and ended in 2008. On 6 December 2002, 300 people in charge of the Golden Shield project from 31 provinces and cities throughout China participated in a four-day inaugural “Comprehensive Exhibition on Chinese Information System”. At the exhibition, many western high-tech products, including Internet security, video monitoring and human face recognition were purchased. It is estimated that around 30,000-50,000 police are employed in this gigantic project.
It has been nicknamed "the Great Firewall" (防火长城) (a term that first appeared in a Wired magazine article in 1997) in reference to its role as a network firewall and to the ancient Great Wall of China. A major part of the project includes the ability to block content by preventing IP addresses from being routed through and consists of standard firewalls and proxy servers at the six Internet gateways. The system also selectively engages in DNS cache poisoning when particular sites are requested. The government does not appear to be systematically examining Internet content, as this appears to be technically impractical. Because of its disconnection from the larger world of IP routing protocols, the network contained within the Great Firewall has been described as "the Chinese autonomous routing domain".
During the 2008 Summer Olympics, Chinese officials told Internet providers to prepare to unblock access from certain Internet cafés, access jacks in hotel rooms and conference centers where foreigners were expected to work or stay.
In September 2002, Li Runsen, the technology director at Ministry of Public Security and member of the Golden Shield leadership, further explained this broad definition to thousands of police nationwide at a meeting in Beijing called "Information Technology for China’s Public Security".
In October 2001, Greg Walton of the International Centre for Human Rights and Democratic Development published a report; he wrote:
Old style censorship is being replaced with a massive, ubiquitous architecture of surveillance: the Golden Shield. Ultimately, the aim is to integrate a gigantic online database with an all-encompassing surveillance network – incorporating speech and face recognition, closed-circuit television, smart cards, credit records, and Internet surveillance technologies.
The empirical study by the OpenNet Initiative (collaboration between Harvard Law School, University of Toronto Citizen Lab, and Cambridge Security Program) found that China has the most sophisticated content-filtering Internet regime in the world. Compared to similar efforts in other countries, Chinese Government effectively filters content by employing multiple methods of regulation and technical controls. In contrast, the PRC-sponsored news agency, Xinhua, stated that censorship targets only "superstitious, pornographic, violence-related, gambling and other harmful information."
In July 2007, authorities intensified the "monitoring and control" of The Great Firewall, causing email disruption, in anticipation of the Shanghai Cooperation Organisation meeting scheduled for August 2007.
Some commonly used technical methods for censoring are:
|IP blocking||The access to a certain IP address is denied. If the target Web site is hosted in a shared hosting server, all Web sites on the same server will be blocked. This affects all IP protocols (mostly TCP) such as HTTP, FTP or POP. A typical circumvention method is to find proxies that have access to the target Web sites, but proxies may be jammed or blocked. Some large Web sites allocated additional IP addresses to circumvent the block, but later the block was extended to cover the new addresses.|
|DNS filtering and redirection||Doesn't resolve domain names, or returns incorrect IP addresses. This affects all IP protocols such as HTTP, FTP or POP. A typical circumvention method is to find a domain name server that resolves domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from other sources and is not blocked. Examples are modifying the Hosts file or typing the IP address instead of the domain name in a Web browser.|
|URL filtering||Scan the requested Uniform Resource Locator (URL) string for target keywords regardless of the domain name specified in the URL. This affects the Hypertext Transfer Protocol. Typical circumvention methods are to use escaped characters in the URL, or to use encrypted protocols such as VPN and SSL.[nb 2]|
|Packet filtering||Terminate TCP packet transmissions when a certain number of controversial keywords are detected. This affects all TCP protocols such as HTTP, FTP or POP, but Search engine pages are more likely to be censored. Typical circumvention methods are to use encrypted protocols such as VPN and SSL, to escape the HTML content, or reducing the TCP/IP stack's MTU, thus reducing the amount of text contained in a given packet.|
|Connection reset||If a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes. Depending on the location of the block, other users or Web sites may be also blocked if the communications are routed to the location of the block. A circumvention method is to ignore the reset packet sent by the firewall.|
|SSL man-in-the-middle attack||makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.|
|Active IP probing||makes active probing and distinguish content of CDNs and large computer farms when victims access unknown website, such as non-public Google IP. Future connection attempts blocked with IP blocking or DNS filting.|
|VPN/SSH traffic recognition||recognize VPN/SSH traffic|
Mainland Chinese Internet censorship programs have censored Web sites that include (among other things):
- Web sites belonging to "outlawed" or suppressed groups, such as pro-democracy activists and Falun Gong
- News sources that often cover topics that are considered defamatory against China, such as police brutality, Tiananmen Square protests of 1989, freedom of speech, democracy, and Marxist sites. These sites include Voice of America and the Chinese edition of BBC News.
- Sites related to the Taiwanese government, media, or other organizations, including sites dedicated to religious content, and most large Taiwanese community websites or blogs.
- Web sites that contain anything the Chinese authorities regard as obscenity or pornography
- Web sites relating to criminal activity
- Sites linked with the Dalai Lama, his teachings or the International Tibet Independence Movement
- Most blogging sites experience frequent or permanent outages
- Web sites deemed as subversive
According to The New York Times, Google has set up computer systems inside China that try to access Web sites outside the country. If a site is inaccessible, then it is added to Google China's blacklist. However, once unblocked, the Web sites will be reindexed. Referring to Google's first-hand experience of the great firewall, there is some hope in the international community that it will reveal some of its secrets. Simon Davies, founder of London-based pressure group Privacy International, is now challenging Google to reveal the technology it once used at China's behest. "That way, we can understand the nature of the beast and, perhaps, develop circumvention measures so there can be an opening up of communications." "That would be a dossier of extraordinary importance to human rights," Davies says. Google has yet to respond to his call.
Because the Great Firewall blocks destination IP addresses and domain names and inspects the data being sent or received, a basic censorship circumvention strategy is to use proxy nodes and encrypt the data. Most circumvention tools combine these two mechanisms.
- Proxy servers outside China can be used, although using just a simple open proxy (HTTP or SOCKS) without also using an encrypted tunnel (such as HTTPS) does little to circumvent the sophisticated censors.
- Companies can establish regional Web sites within China. This prevents their content from going through the Great Firewall of China; however, it requires companies to apply for local ICP licenses.
- Onion routing, such as I2P or Tor, can be used.
- Freegate, Ultrasurf, and Psiphon are free programs that circumvent the China firewall using multiple open proxies, but still behave as though the user is in China.
- VPNs (virtual private network) and SSH (secure shell) are the powerful and stable tools for bypassing surveillance technologies. They use the same basic approaches, proxies and encrypted channels, used by other circumvention tools, but depend on a private host, a virtual host, or an account outside of China, rather than open, free proxies.
- Open application programming interface (API) used by Twitter which enables to post and retrieve tweets on sites other than Twitter. "The idea is that coders elsewhere get to Twitter, and offer up feeds at their own URLs—which the government has to chase down one by one." says Jonathan Zittrain, co-director of Harvard's Berkman Center for Internet and Society.
- Reconfiguration at the end points of communication, encryption, discarding reset packets according to the TTL value (time to live) by distinguishing those resets generated by the Firewall and those made by end user, not routing any further packets to sites that have triggered blocking behavior.
Certain sites have begun to be partially unblocked, including:
- The English-language BBC website (but not the Chinese language website).
- Wikipedia (wikipedia.org), HTTPS version is not blocked (As of December 2013[update]). However, if one uses HTTP, many wikis are blocked.
- Social websites and free web hosting websites. However, these have also been re-blocked.
- Some foreign news websites.
Protest in China
Despite strict government regulations, the Chinese people are continuing to protest against their government’s attempt to censor the Internet. The more covert protesters will set up secure SSH and VPN connections using tools such as UltraSurf. They can also utilize the widely available proxies and virtual private networks to fanqiang(翻墙), or "climb the wall." Active protest is not absent. Chinese people will post their grievances online, and on some occasions, have been successful. In 2003, the death of Sun Zhigang, a young migrant worker, sparked an intense, widespread online response from the Chinese public, despite the risk of the government’s punishment. A few months later, Prime Minister Wen Jiabao abolished the Chinese law that led to the death of Sun. Ever since, dissent has regularly created turmoil on the Internet in China. Also in January 2010, when Google announced that it will no longer censor its Web search results in China, even if this means it might have to shut down its Chinese operations altogether, many Chinese people went to the company’s Chinese offices to display their grievances and offer gifts, such as flowers, fruits and cigarettes.
- List of government surveillance projects
- Blocking of Wikipedia by China
- Censorship in China
- Green Dam Youth Escort
- Human rights in China
- Internet in China
- Internet censorship in the People's Republic of China
- International Freedom of Expression Exchange – monitors Internet censorship in China
- Media of China
- Politics of China
- Who Controls the Internet?
- There are several variants of this saying in Chinese, including “如果你打开窗户换新鲜空气，就得想到苍蝇也会飞进来。" and "打开窗户，新鲜空气进来了，苍蝇也飞进来了。". Their meanings are the same.
- For an example, see Wikipedia:Advice to users using Tor to bypass the Great Firewall
- Norris, Pippa; World Bank Staff (2009). Public Sentinel: News Media and Governance Reform. World Bank Publications. p. 360. ISBN 978-0-8213-8200-4. Retrieved 11 January 2011.
- "How China’s Internet Police Control Speech on the Internet". Radio Free Asia. Retrieved 11 June 2013.
China’s police authorities spent the three years between 2003 and 2006 completing the massive “Golden Shield Project.” Not only did over 50 percent of China’s policing agencies get on the Internet, there is also an agency called the Public Information Network Security and Monitoring Bureau, which boasts a huge number of technologically advanced and well-equipped network police. These are all the direct products of the Golden Shield Project.
- "China's Man-on-the-Side Attack on GitHub".
- R. MacKinnon “Flatter world and thicker walls? Blogs, censorship and civic discourse in China” Public Choice (2008) 134: p. 31–46, Springer
- "中国接入互联网". chinanews.com. Retrieved August 28, 2013.
- “China and the Internet.”, International Debates, 15420345, Apr2010, Vol. 8, Issue 4
- Goldman, Merle Goldman. Gu, Edward X.  (2004). Chinese Intellectuals between State and Market. Routledge publishing. ISBN 0415325978
- Goldsmith, Jack L.; Wu, Tim (2006). Who Controls the Internet?: Illusions of a Borderless World. New York: Oxford University Press. p. 91. ISBN 0-19-515266-2.
- 首屆「2002年中國大型機構信息化展覽會」全國31省市金盾工程領導雲集 (Chinese)
- "What is internet censorship?". Amnesty International Australia. 28 March 2008. Retrieved 21 February 2011.
- Watts, Jonathan (20 February 2006). "War of the words". The Guardian. Retrieved 3 May 2010.
- "Costs and Benefits of Running a National ARD" (PDF).
- Fallows, James (March 2008). "The Connection Has Been Reset". The Atlantic. Retrieved 22 May 2011.
- "China's Golden Shield: Corporations and the Development of Surveillance Technology in China" (PDF). Retrieved 2011-06-13.
- China and the Internet. International Debates, 15420345, Apr2010, Vol. 8, Issue 4
- "Chinese Internet censors blamed for email chaos". Reuters. 18 July 2007. Retrieved 19 August 2007.
- "Empirical Analysis of Internet Filtering in China". Cyber.law.harvard.edu. Retrieved 2011-06-13.
- "GFW (Great Firewall of China) FAQ". HikingGFW. See the section named 'IP blocking'. Retrieved August 28, 2013.
- "zdnetasia.com". zdnetasia.com. Retrieved 2011-06-13.
- "China, GitHub and the man-in-the-middle". greatfire.org. Retrieved 2014-10-13.
- Marquand, Robert (24 February 2006). "China's media censorship rattling world image". The Christian Science Monitor. Retrieved 22 May 2011.
- "controlling information: you can't get there from here -- filtering searches". The tank man. Frontline (pbs.org).
- Thompson, Clive (23 April 2006). "Google's China Problem (and China's Google Problem)". The New York Times. p. 8. Retrieved 22 May 2011.
- Will Google's help breach the great firewall of China? By: Marks, Paul, New Scientist, 02624079, 4/3/2010, Vol. 205, Issue 2754
- "Splinternet Behind the Great Firewall of China: The Fight Against GFW", Daniel Anderson, Queue, Association for Computing Machinery (ACM), Vol. 10, No. 11 (29 November 2012), doi:10.1145/2390756.2405036. Retrieved 11 October 2013.
- "Leaping the Great Firewall of China ", Emily Parker, Wall Street Journal, 24 March 2010. Retrieved 11 October 2013.
- "Ignoring the Great Firewall of China", Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson, PET'06: Proceedings of the 6th international conference on Privacy Enhancing Technologies, Springer-Verlag (2006), pages 20-35, ISBN 3-540-68790-4, doi:10.1007/11957454_2. Retrieved 11 October 2013.
- "BBC website 'unblocked in China'". BBC News. 25 March 2008. Retrieved 22 May 2011.
- (Chinese) 如何访问维基百科#当前情况
- "Going online in Cuba: Internet under surveillance" (PDF). Reporters Without Borders. 2006.
- August, Oliver (23 October 2007). "The Great Firewall: China's Misguided — and Futile — Attempt to Control What Happens Online". Wired. Retrieved 4 February 2011.
- Ramzy, Austin (13 April 2010). "The Great Firewall: China's Web Users Battle Censorship". Time. Retrieved 4 February 2011.
|Wikibooks has a book on the topic of: Transwiki:Bypassing the Great Firewall of China|
- China Digital Times: Internet Control
- Breaking Through the “Golden Shield”
- ViewDNS.info - Chinese Firewall Test - Tests if Golden Shield is performing DNS filtering/redirection on your domain within mainland China.
- Dotcom-Monitor- Tests if a website (or third-party hosts to a website) is filtered from within Great Firewall of China using an actual Internet Explorer browser