We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... let's see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Who built the Great Internet Wall of China?

This story is old hat by now, but it reminded me of an unusual anomaly when I was in China recently. Most readers are probably aware that some time ago China erected a firewall that censors parts of the internet it deems too sensitive for ordinary Chinese to view. Consequently, the more uncontrollable realms of the internet (like Blogspot.com) that could be exploited by computer users with a dissenting streak – as well as sources of critical news and the like – cannot be accessed within China. Wikipedia is also out of bounds.

Whilst in the Middle Kingdom, I visited a Sinophilic friend of mine. I would go so far as to say he has a case of the old rose-tinted glasses regarding China and the nature of its administration – needless to say we enjoyed a number of discussions about the direction China is heading in. Apart from being a China enthusiast, he is also an Apple Macintosh fanatic, and he owns one of those rather handsome new and expensive Apple Powerbook laptops. In one of our debates about Chinese freedom – or lack thereof – I parried with an example of China’s neutered internet access. Why, I was not even able to access my own (and now defunct) Blogspot blog in the country! Rubbish, cried my friend. He read my blog all the time on his Macintosh.

Of course, I had to see for myself, and sure enough it was able to be accessed on his computer. I know that sometimes the firewall does not work and once in a while you can view sites that are normally off limits. Then the firewall kicks in again and the illicit page is unable to reload. However, I accessed a number of different Blogspot sites on his Mac several times over a period of days without the slightest bit of hindrance, even though all Blogspot sites I tried to visit were blocked across the country on computers that ran Windows platforms. I even tried using a different browser – Firefox was no different to MSIE. I would have liked to have been able to test the theory further and Google up some Falun Gong links, but this did not seem prudent on someone else’s machine, given the Chinese government’s attitude to that group.

The above got me thinking – when the story broke about Microsoft shutting down that Chinese blog, I wondered if Microsoft and the Chinese government had colluded in the construction of the Great Internet Wall. In the eyes of the computing world, this would surely be a far more heinous crime. Since the Windows platform enjoys considerably less competition in China than it does in the MS-dominated West, ensuring Chinese Windows machines cannot access sites the Government disapproves of means the job is pretty much done.

I admit, if China and Microsoft did work together to construct the wall, it seems like an unusual and inelegant solution – relying on the software of the end user to filter out content. Surely some specific backdoor entrance would need to be engineered into the programme. I am certainly no computer expert – there could be a perfectly reasonable explanation for the above, and there are some pretty switched on people who comment here. Ideas?

26 comments to Who built the Great Internet Wall of China?

  • Mary Contrary

    If it’s the case that the Great Firewall of China only works to block Windows based PCs then, from one free-speech enthusiast to another, SHUT UP!

  • rc

    >Ideas?
    Yeah, how ’bout Linux.

  • John Steele

    There’s nothing magic about Macintosh IP vs Windows IP. I don’t know but I’d hazard a guess that he’s using a Virtual Private Network (VPN) of one sort or another to connect to a VPN server outside China. Once he’s “outside” the firewall he can do or see anything. If this is the case it will work until the Chinese block the various VPN ports. If he’s real lucky they can’t block them because some critical government function(s) need the VPN.

  • sanborn

    “I visited a Sinophilic friend of mine. I would go so far as to say he has a case of the old rose-tinted glasses regarding China and the nature of its administration”

    What’s (s)he do for a living in China?

  • Richard Thomas

    The point to remember about such heavy handed control such as the Chinese censorship of the internet is that it is, of course, only for the masses. I wouldn’t be surprised if certain classes of foreigners/foreign companies did not have their feeds censored and I would be highly surprised if government officials *did* have their feeds censored.

    Rich

  • The guy is *definitely* no computer expert. There is no chance that he deliberately evaded the firewall. He’s an English teacher at a Chinese high school and he connects to the school’s server. I can’t imagine that a school would be allowed unrestricted internet.

  • guy herbert

    I was under the impression that China is pretty much as Windows-dominated as the rest of the world. It is just that only one Chinese PC in a hundred has a duly licensed copy of Windows on it. Am I wrong?

  • Caz

    No idea the answer to your question, but nothing would surprise.

    Xerox now make copy machines that enable the identification of every piece of paper that goes through the machine, including the ID of the machine, the time and the date – very handy for quickly finding the culprit, eg, for political leaks, but can be used for any purpose at all.

    Another example is the software that allows tracking of emails, without anyone knowing, that is, the person who sends out a mail can find out if any of the recipients forward the message to anyone else, and if so, who.

    This type of sneaky technology is increasing, and for the most part we don’t even know it’s out there. One or two newspaper articles, and then you never hear of it again. It’s as if it’s too trivial to worry about. I don’t think it is though.

  • guy herbert

    Steganographic coding in printers seems to be established, but is subject to the same flaws as typewriter registration, DRM, and the now forgotten plan to tag PC-created documents with a processor ID: it is hard to implement with no benefit to most users and too expensive to use in practice except in circumstances where the person you wish to spy on is unlikely to be naive about being watched.

    > Another example is the software that allows tracking of emails, without anyone knowing, that is, the person who sends out a mail can find out if any of the recipients forward the message to anyone else, and if so, who.

    Sounds implausible. How would that work?

  • Julian Taylor

    Perhaps if you required every email to be digitally ‘signed’ you could track it through a central server, but with Gmail and a plethora of other free http-based email systems it would be relatively easy to circumvent.

  • rosignol

    Tracking email using a central server requires that all of the other servers periodically communicate with that central server. All it would take to defeat is mailserver software that strips out the encrypted signature, and the tracking system stops working.

    Such things already exist, it’s called an anonymous remailer.

  • Ben

    I live in Beijing and use a Powerbook, and I cannot access anything on blogspot or wikipedia (or other hosts like blog-city) without using a VPN. John is right that the issue isn’t with your friend’s computer, and Microsoft shouldn’t be blamed for the Great Firewall.

    I’m no expert on this, but people I know who have stayed in certain complexes in this city (especially the expensive ones full of prominent foreigners) have been able to access pages that are blocked to the rest of the country. If your friend is teaching at one of the international schools then maybe this is part of some kind of PR policy of excepting wealthy visitors and their kids from the firewall. If it’s a regular Chinese high school, then I have no idea. Perhaps you had best chalk it up as yet another of the many things about this government that don’t make sense.

  • He teaches at a private high school in Beijing for Chinese students. It is quite exclusive, however.

    And yes, I think you’re probably right, Ben.

  • Paul Marks

    Whether Microsoft cooperated with the Great Firewall or not, it certainly cooperates with the Chinese government in trying to suppress political dissent.

    This goes all the way to the top. As a general rule of thumb if Bill Gates supports a proposition in Washington State it will be a freedom hating proposition (“anti discrimination”, more government spending or whatever).

    It is difficult to defend Mr Gates’ freedom (against antitrust attacks and so forth) when it is well known that he does not care about the freedom of anyone else.

  • Jacob

    > It is difficult to defend Mr Gates’ freedom (against antitrust attacks and so forth) when it is well known that he does not care about the freedom of anyone else.

    I beg to differ.

    We should oppose government’s attacks against businesses (such as antitrust) on principle, no matter who they are directed against.

    > Perhaps you had best chalk it up as yet another of the many things about this government that don’t make sense.

    Of course. There are failures and inconsistencies in the implementation of their policies. What’s new about that?

  • Pavel

    I was speaking with an IT guy from our company who recently returned from China where he installed a network for our subsidiary.

    He said that many Chinese use a patch that enables the user’s computer to override the firewall. I suppose he spoke about Windows users. He just mentioned it very briefly and I didn’t ask detailed questions not being a computer expert myself.

    So it is possible to get through the protection, both in principle and in practice.

  • Zimon

    There is no Chinese firewall in the sense of actual hardware or software. What the government puts out are policies that ISPs must enforce to operate. This is mostly done via IP and DNS black lists, port filtering, blocking and proxying etc. Almost everything is done on an ISP's core network – nothing need be done on client machines. Implementation seems to vary greatly across providers and locations and can even change day to day.

    Re: Tracking emails. An old, simple and still effective trick. A URL to an image file on a server somewhere is embedded in a rich email (often small and invisible to a reader). When the email is opened the reader's email software will pull the image from the server to be displayed in the email. The server simply logs all incoming requests for that image file and can then say who has viewed the image. Even a service like Gmail still needs to pull the image, but you won’t see the user account that made the pull. So you can still get useful information from it. It’s defeated by forwarding all emails in plain text and stopping your email software displaying rich emails.
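
The tracking-image mechanism described in the comment above, seen from the receiving side. This is an added example, not part of any comment on this page; the sample message, its hosts and all function names are constructed for illustration. It lists the images an HTML mail would make the client fetch from a remote server on open, and shows the text-only rendering that fetches nothing.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the page); all hosts are placeholders.
SAMPLE = """\
From: sender@example.com
Subject: Quarterly update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello, please see the update.</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example.net/open.gif?id=reader-42" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="600" height="80">
</body></html>
"""

class MailHTML(HTMLParser):
    """Collects <img> attributes and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.images, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})
    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def parse_html_parts(raw_message):
    """Feed every text/html part of the message through MailHTML."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    parser = MailHTML()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser

def remote_images(raw_message):
    """List (url, looks_hidden) for images a client would fetch on open."""
    found = []
    for img in parse_html_parts(raw_message).images:
        url = img.get("src", "")
        if urlparse(url).scheme not in ("http", "https"):
            continue  # cid: and data: images travel inside the mail itself
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        found.append((url, tiny or hidden))
    return found

def plain_text_view(raw_message):
    """Text-only rendering: nothing is fetched, so nothing is logged."""
    return "\n".join(parse_html_parts(raw_message).text)
```

A visible remote banner is reported as well as the 1x1 image, because any remote fetch reaches the sender's server log whether or not the image is hidden.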

  • Julian Taylor

    Pavel, I’ve been told that as well by a client of mine, that there is indeed a router setup that you should follow in order to access certain proxies for companies not wishing to be restricted by the state-controlled system.

    Living in a country where individual rights are being stripped away from the population on a monthly basis we should in the UK perhaps be paying more attention to how to circumvent these internet restrictions. I get the feeling we may soon need to know this sort of stuff in earnest.

  • guy herbert

    Zimon,

    So you could say it is a sort of collective pharming policy?

  • Paul Marks

    Jacob is, of course, correct when he says that we should stand against things like “antitrust” even when such actions are directed against men like Bill Gates.

    However, it remains the case that it is difficult to defend the freedom of a man who does not care about the freedom of anyone else. Mr Gates’ support of every leftist cause under the sun may not be a matter of principle (i.e. he may be doing it to try and get the leftists off his back), but that does not mean that it is much better.

    Nor is the case so clear cut as in (say) the case of Standard Oil.

    Standard Oil company had cut prices for consumers and had improved standards of service – it was admired by its customers (even if it was disliked by politically connected competitors).

    Microsoft is basically just a creature of the copyright laws. Whilst I am not saying that copyrights and patents are wrong (that is a complex debate), it is less easy to defend Microsoft than (say) Standard Oil.

    Do “Windows” customers really tend to think they are getting a great deal from Mr Gates?

    Or do they think of him as a man who conned I.B.M. into signing over certain rights to him – and has been ripping people off ever since?

    I am not saying that is my view, and I am certainly not defending any antitrust attack on Microsoft.

    I am simply saying that it is hard to defend a company with such an image.

    “Defend Microsoft, help send more Chinese dissidents to the labour camps” is not a great slogan.

    It is hard in practice – not in theory.

  • It’s highly unlikely that Microsoft did anything in their OS to enable the firewall – what they did outside of that is debatable tho.

    It’s far more likely that your friend is getting in through an unintentional crack in the Great Firewall – but it’s always possible to get through given the right settings or programs.

    Also – Paul, if you compare the price and quality changes in oil products under Standard Oil to the price and quality changes in computer products under Microsoft, you’re right, there’s no comparison. Microsoft has been a MUCH more beneficial monopoly than Standard Oil ever was.

  • A little domestic example may explain the situation. My boss is COO of a small, privately held firm. He standardizes clients on Windows. Ok by me, I can support the platform. A partner in the firm and the CEO both went out and got Macs (happened before I arrived). I was given explicit instructions by the COO not to support these nonstandard machines (I’ve supported Macs as an administrator since the very early ’90s).

    The CEO periodically asks for support for his Mac when he needs it. He gets that support. I make sure that the COO never finds out.

    I guarantee you that the stress and complexity of my personal situation is just 1% of the political intrigue that goes on over the Great Firewall of China. The Firewall must block content from entering China but it must be porous. It must allow:
    1. Intelligence agents to gather information of Falun Gong and other enemies of the state
    2. Unfettered access for military cyberwarriors
    3. Business intelligence and commercial espionage efforts must remain unhindered
    4. Things must be porous enough that the techno-elite feel the firewall is a game and not oppression serious enough to organize resistance to it

    And these are just some of the legitimate reasons to make exceptions. Every single one of those holes can be expanded and leveraged to further access via the use of internal proxies and NAT even ignoring the external proxies that are the subject of constant cat and mouse games.

    But this doesn’t even begin to cover the entirely illegitimate holes that get put in constantly. A minister will issue a permit if he gets unfiltered access at home. He wants his kids to know the real world. A party boss wants filters off as a showpiece to impress his friends. The list of “illegitimate” reasons is long and varied and it doesn’t matter one bit. They have the power to ruin the network administrators so they blow in the wind and open and shut holes in order to further their careers.

    These administrators aren’t dumb. They know the score. They just aren’t willing to ruin themselves and throw away their careers in order to man that firewall.

  • Zimon

    It’s worth remembering plenty of UK ISPs are already using traffic shaping and port filtering/blocking to control user usage. This is being done for economical reasons rather than political edicts. But providing you control both ends you can tunnel anything over anything (vast simplification).

    I would imagine that China will have something equivalent to Carnivore/DCS1000, but it will be deployed in a targeted manner, not against every internet user.

  • Paul Marks

    Standard Oil was never a “monopoly” (that is B.S. put in to school history books), it had intense competition from (for example) the Russian oil industry.

    Even in the United States the market share (if one defines “monopoly” in this way – rather than the more useful definition of a government grant of monopoly) was in decline for years before the case.

    As for Microsoft.

    I know nothing about the computers – but I did live with people who did (the University of York people – years ago). Very few of them had a good word to say about the products of Microsoft.

  • Paul Marks

    How did “the” computers get into my last comment? It makes it sound as if I think Microsoft produces computers.

    Oh well, I must have typed the word. I wish someone could provide better software for my brain (although, I suspect, it is the hardware that is at fault).

  • Caz

    James – lots of good contributions here, but believe it or not, I have part of the answer, and you were on the right track.

    It would seem that Google, Yahoo, and Microsoft limit the search results for China. Simple as that, so it’s not even as complex as having a weird firewall. The big providers just cooperate with the Chinese government in limiting what people can find, and therefore access, on the Internet. I guess that firewalls play some role as well, but it’s not necessarily the first point of censorship defence.

    Obviously, from all of the great comments from others, there are ways that some people in China find to get around this, but for most users, Google, Yahoo and Microsoft cooperate with the Chinese government to restrict access to a wide range of information.

    So, there ya go. You weren’t wrong.