internet censorship thesis

Modeling and Characterization of Internet Censorship Technologies

The proliferation of Internet access has enabled the rapid and widespread exchange of information globally. The world wide web has become the primary communications platform for many people and has surpassed other traditional media outlets in terms of reach and influence. However, many nation-states impose various levels of censorship on their citizens' Internet communications. There is little consensus about what constitutes “objectionable” online content deserving of censorship. Some people consider the censor activities occurring in many nations to be violations of international human rights (e.g., the rights to freedom of expression and assembly). This multi-study dissertation explores Internet censorship methods and systems. By using combinations of quantitative, qualitative, and systematic literature review methods, this thesis provides an interdisciplinary view of the domain of Internet censorship. The author presents a reference model for Internet censorship technologies: an abstraction to facilitate a conceptual understanding of the ways in which Internet censorship occurs from a system design perspective. The author then characterizes the technical threats to Internet communications, producing a comprehensive taxonomy of Internet censorship methods as a result. Finally, this work provides a novel research framework for revealing how nation-state censors operate based on a globally representative sample. Of the 70 nations analyzed, 62 used at least one Internet censorship method against their citizens. The results reveal worldwide trends in Internet censorship based on historical evidence and Internet measurement data.

Degree Type

Doctor of Philosophy
Information Security

Campus location

West Lafayette

Advisor/Supervisor/Committee Chair

Advisor/supervisor/committee co-chair, additional committee member 2, additional committee member 3, additional committee member 4, usage metrics.

Cybersecurity and privacy not elsewhere classified

Freedom of expression in the Digital Age: Internet Censorship

Living reference work entry
First Online: 08 May 2020
Cite this living reference work entry

Md Nurul Momen 4

286 Accesses

Freedom of expression includes freedom to hold opinions and ideas and to receive and impart information without restrictions by state authorities.

Introduction

Internet is regarded as an important issue that shapes free expression in today’s volatile nature of human rights world (Momen 2020 ). In the digital age, authoritarian governments in the world always attempt to undermine political and social movement through the complete shutdown of the Internet or providing partial access to it. It is also found that the restrictions on freedom of expression on the Internet are through surveillance and monitoring the online activities. In response to any kind of political and social movement, authoritarian governments across the border occasionally shut down many websites, along with the arrest of several anti-government bloggers and political activists. However, under the international legal instruments, for instance, Universal Declaration of Human Rights (UDHR), denial of the...

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Institutional subscriptions

Ariffin, L. J. (2012). Rais backs Dr M call for curbs to Internet freedom . https://www.malaysia-today.net/2012/06/05/rais-backs-dr-m-call-for-curbs-to-internet-freedom/ . Accessed 10 June 2018.

Arnaudo, D., Alva, A., Wood, P., & Whittington, J. (2013). Political and economic implications of authoritarian control of the internet. In J. Butts & S. Shenoi (Eds.), Critical infrastructure protection VII (IFIP AICT) (Vol. 417, pp. 3–19). Berlin, Heidelberg: Springer.

Google Scholar

Cristiano, F. (2019). Internet access as human right: A dystopian critique from the occupied Palestinian territory. In G. Blouin-Genest, M. C. Doran, & S. Paquerot (Eds.), Human rights as battlefields (Human rights interventions). Cham: Palgrave Macmillan. https://doi.org/10.1007/978-3-319-91770-2_12 .

Chapter Google Scholar

Diamond, L. (2010). Liberation technology. Journal of Democracy, 21 (3), 69–83. https://doi.org/10.1353/jod.0.0190 .

Article Google Scholar

Freedom House. (2019). Freedom on the Net . Washington DC/New York, Retrieved from https://www.freedomonthenet.org/countries-in-detail

Hill, D. T. (2002). East Timor and the Internet: Global political leverage in/on Indonesia. Indonesia, 73 , 25–51.

Kee, J. S. (2012). Bad laws won’t stop cyber crime . https://www.loyarburok.com/2012/05/28/bad-laws-stop-cyber-crime/?doing_wp_cron . Accessed 10 June 2019.

Momen, M. N. (2020). Myth and reality of freedom of expression on the Internet. International Journal of Public Administration, 43 (3), 277–281. https://doi.org/10.1080/01900692.2019.1628055 .

Nocetti, J. (2015). Contest and conquest: Russia and global Internet governance. International Affairs, 91 (1), 111–130. https://doi.org/10.1111/1468-2346.12189 .

Randall, J. (1996). Of cracks and crackdown: Five translations of recent Internet postings. Indonesia, 62 , 37–51.

Rodan, G. (1998). The Internet and political control in Singapore. Political Science Quarterly, 113 (1), 63–89.

Shirokanova, A., & Silyutina, O. (2018). Internet regulation: A text-based approach to media coverage. In D. A. Alexandrov et al. (Eds.), Digital Transformation and Global Society (DTGS) 2018 (Communications in computer and information science (CCIS)) (Vol. 858, pp. 181–194). Cham: Springer. https://doi.org/10.1007/978-3-030-02843-5_15 .

Ziccardi, G. (2013). Digital activism, internet control, transparency, censorship, surveillance and human rights: An international perspective. In Resistance, liberation technology and human rights in the digital age (Law, governance and technology series) (Vol. 7). Dordrecht: Springer. https://doi.org/10.1007/978-94-007-5276-4_6 .

Download references

Author information

Authors and affiliations.

Department of Public Administration, University of Rajshahi, Rajshahi, Bangladesh

Md Nurul Momen

You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Md Nurul Momen .

Editor information

Editors and affiliations.

University of Alberta, Alberta, AB, Canada

Scott Romaniuk

University for Peace, San Jose, Costa Rica

Manish Thapa

Nemzetkozi Tanulmanyok Intezet, Rm 503, Corvinus Univ, Inst of Intl Studies, Budapest, Hungary

Péter Marton

Rights and permissions

Reprints and permissions

Copyright information

About this entry

Cite this entry.

Momen, M.N. (2019). Freedom of expression in the Digital Age: Internet Censorship. In: Romaniuk, S., Thapa, M., Marton, P. (eds) The Palgrave Encyclopedia of Global Security Studies. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-319-74336-3_31-1

Download citation

DOI : https://doi.org/10.1007/978-3-319-74336-3_31-1

Received : 15 March 2018

Accepted : 29 June 2019

Published : 08 May 2020

Publisher Name : Palgrave Macmillan, Cham

Print ISBN : 978-3-319-74336-3

Online ISBN : 978-3-319-74336-3

eBook Packages : Springer Reference Political Science and International Studies Reference Module Humanities and Social Sciences Reference Module Business, Economics and Social Sciences

Publish with us

Policies and ethics

Find a journal
Track your research

113 Censorship Essay Topics & Examples

Looking for censorship topics for research papers or essays? The issue is controversial, hot, and definitely worth exploring.

🏆 Best Censorship Topic Ideas & Essay Examples

🚫 internet censorship essay topics, 📍 censorship research questions, 💡 easy censorship essay topics, 😡 controversial censorship topics to write about, ❓ research questions about censorship, 🙅 censorship topics for research paper.

Censorship implies suppression of public communication and speech due to its harmfulness or other reasons. It can be done by governments or other controlling bodies.

In your censorship essay, you might want to focus on its types: political, religion, educational, etc. Another idea is to discuss the reasons for and against censorship. One more option is to concentrate on censorship in a certain area: art, academy, or media. Finally, you can discuss why freedom of expression is important.

Whether you need to write an argumentative or informative essay on censorship, you’re in the right place. In this article, we’ve collected best internet censorship essay topics, title ideas, research questions, together with paper examples.

Pros and Cons of Censorship of Pornography This is due to the fact that pornography is all about exploitation of an individual in maters pertaining to sex as well as violence exercised on females by their male counterparts.
Need for Internet Censorship and its Impact on Society The negative impacts of internet have raised many concerns over freedom of access and publishing of information, leading to the need to censor internet.
Literature Censorship in Fahrenheit 451 by Ray Bradbury The issues raised in the novel, Fahrenheit 451, are relevant in contemporary American society and Bradbury’s thoughts were a warning for what he highlighted is happening in the contemporary United States.
Aspects of Internet Censorship by the Government When one try to access a website the uniform resource locator is checked if it consists of the restricting keyword, if the keyword is found in the URL the site become unavailable.
Censorship for Television and Radio Media This paper seeks to provide an in-depth analysis of censorship with the aim of determining the extent to which content on broadcast media can be censored. A good example of a situation in which moral […]
Censorship and the Arts in the United States The article titled “Censorship versus Freedom of Expression in the Arts” by Chiang and Posner expresses concerns that the government may illegitimately censor art to avoid corruption of morals and avoid subversion of politics.
Societal Control: Sanctions, Censorship, Surveillance The submission or agreeing to do according to the societal expectations and values are strong under the influence of both official and informal methods of control.
Self-Censorship of American Film Studios In this sense, the lack of freedom of expression and constant control of the film creations is what differs the 20th-century film studios from contemporary movie creators.
Twitter and Violations of Freedom of Speech and Censorship The sort of organization that examines restrictions and the opportunities and challenges it encounters in doing so is the center of a widely acknowledged way of thinking about whether it is acceptable to restrict speech.
Censorship and “13 Reasons Why” by Jay Asher Though the novel “13 Reasons Why” by Jay Asher could be seen as inappropriate for young adults, attempting to censor it would mean infringing upon the author’s right to self-expression and the readers’ right to […]
Censorship by Big Tech (Social Media) Companies Despite such benefits, these platforms are connected to such evils as an addictive business model and a lack of control over the type of content that is accessible to children users.
”Fahrenheit 451” by Ray Bradbury: Censorship and Independent Thinking By exploring the notion and censorship and how it affects people, the author draws parallels with the modern world of his time and the increasing impact of government-led propaganda. Censorship is a recurring theme that […]
Freedom of Speech: Is Censorship Necessary? One of the greatest achievements of the contemporary democratic society is the freedom of speech. However, it is necessary to realize in what cases the government has the right to abridge the freedom of self-expression.
Censorship on Fahrenheit 451 by Ray Bradbury The main protagonist of the novel is Guy Montag, a fireman whose job like others, is to burn books without questioning the impact of his decision.
The Issue of Parents’ Censorship Filtering the sources of information by the adults is like growing the plants in the greenhouse, hiding them from all the dangers of the surrounding world.
Censorship of Pornographic Material Effects of pornography are broad and the consequences are hazardous as it affects the moral fiber of the society. Censorship of explicit and pornographic material should be encouraged as we cannot imagine the catastrophe that […]
Censorship, Holocaust and Political Correctness In this paper, we will focus on exploring different aspects of formal and informal censorship, in regards to a so-called “Holocaust denial”, as we strongly believe that people’s ability to express their thoughts freely is […]
Censorship: For the People, or for Controlling The main aim for this art in our societies is to restrain and conceal beneath the disguise of defending the key fundamental public amenities that are; the State, families and churches.
Balance of Media Censorship and Press Freedom Government censorship means the prevention of the circulation of information already produced by the official government There are justifications for the suppression of communication such as fear that it will harm individuals in the society […]
Music Censorship in the United States Censorship is an act of the government and the government had no hand in the ban of Dixie Chicks songs, rather it was the fans boycotts that led to a ban on airplay.
Art and Media Censorship: Plato, Aristotle, and David Hume The philosopher defines God and the creator’s responsibilities in the text of the Republic: The creator is real and the opposite of evil.
Censorship, Its Forms and Purpose The argument here is that censorship is a means being used by conservative persons and groups with distinct interests to make life standards so difficult and unbearable for the minors in the society, in the […]
Censorship in China: History and Controlling This is especially so when the government or a dominant religious denomination in a country is of the view that the proliferation of a certain religious dogma threatens the stability of the country or the […]
Creativity and Censorship in Egyptian Filmmaking The intention of the media laws and other statutes censoring the film industry is to protect the sanctity of religion, sex, and the overly conservative culture of the Egyptian people.
Internet Censorship and Cultural Values in the UAE Over the past few years, the government of the UAE introduced several measures, the main aim of which is to protect the mentality of people of the state and its culture from the pernicious influence […]
Censorship of Films in the UAE Censorship of films in the United Arab Emirates is a major ethical dilemma as reflected in the case study analysis because the practice contravenes the freedom of media.
Censorship Impacts on Civil Liberties In the US, the First Amendment guarantees the freedom of expression; it is one of the main democratic rights and freedoms.
Internet Censorship: Blocking and Filtering It is the obligation of the government to protect the innocence of the children through internet censorship. In some nations, the government uses internet blocking and filtering as a method to hide information from the […]
Media Censorship: Wikileaks Wikileaks just offers the information which is to be available for people. Information is not just a source of knowledge it is the way to control the world.
Censorship on the Internet Censorship in the internet can also occur in the traditional sense of the word where material is removed from the internet to prevent public access.
Censorship of Social Networking Sites in Developing Countries Censorship of social media sites is the control of information that is available to users. The aim of this paper was to discuss censorship of social media sites in third world countries.
Censorship defeats its own purpose Is that not a disguised method of promoting an authoritarian regime by allowing an individual or a group of individuals to make that decision for the entire society The proponents of SOPA bill may argue […]
Censorship and Banned Books Based on what has been presented in this paper so far it can be seen that literary freedom is an important facilitator in helping children develop a certain degree of intellectual maturity by broadening their […]
Ethics and Media: Censorship in the UAE In this case, it is possible to apply the harm principle, according to which the task of the state is to minimize potential threats to the entire community.
Censorship vs. Self-censorship in the News Media Assessment of the appropriateness of the mass media in discharging the above-named duties forms the basis of the ideological analysis of the news media.
Should Censorship Laws Be Applied to the Internet? On the other hand, the need to control cyber crime, cyber stalking, and violation of copyrights, examination leakage and other negative uses of the internet has become a necessity.
Internet Censorship in Saudi Arabia The censorship is charged to the ISU, which, manage the high-speed data links connecting the country to the rest of the world.
Media Control and Censorship of TV The second type of control imposed on the media is the control of information that may put the security of a country at risk.
Chinese Censorship Block Chinese People from Creativity With the development of the country’s first browser in the year 1994 and subsequent move by the government to “provide internet accessing services” in the year 1996, the use of the technology began to develop […]
Censorship in Advertising One of the most notorious examples is the marketing of drugs; pharmaceutical companies have successfully convinced a significant number of people that drugs are the only violable solution to their health problems.
Empirical Likelihood Semiparametric Regression Analysis Under Random Censorship
An Argument Against Internet Censorship in United States of America
The Lack of Freedom and the Radio Censorship in the United States of America
Censorship as the Control of What People May Say or Hear, Write or Read, or See or Do
An Analysis and Overview of the Censorship and Explicit Lyrics in the United States of America
The First Amendment and Censorship in the United States
Advertiser Influence on The Media: Censorship and the Media
The Freedom of Speech and Censorship on the Internet
Censorship Necessary for Proper Education of Guardian
An Argument in Favor of Censorship on Television Based on Content, the Time Slot and the Audience
Music Censorship and the Effects of Listening to Music with Violent and Objectionable Lyrics
An Analysis of Controversial Issue in Censorship on the Internet
Consistent Estimation Under Random Censorship When Covariables Are Present
Music Censorship Is a Violation of Constitutional and Human
Censorship Should Not Be Imposed by the Government
Internet Censorship and Its Role in Protecting Our Societys Addolecent Community
Against Internet Censorship Even Pornography
The Concept of Censorship on College Campuses on the Topic of Racism and Sexism
Cyber-Frontier and Internet Censorship from the Government
Creative Alternatives in the Issues of Censorship in the United States
Asymptotically Efficient Estimation Under Semi-Parametric Random Censorship Models
Chinese and Russian Regimes and Tactics of Censorship
An Overview of the Right or Wrong and the Principles of Censorship
An Argument Against the Censorship of Literature in Schools Due to Racism in the Literary Works
The History, Positive and Negative Effects of Censorship in the United States
Burlesque Shows and Censorship Analysis
Importance of Free Speech on the Internet and Its Censorship
Historical Background of the Libertarian Party and Their Views on the Role of the Government, Censorship, and Gun Control
Internet Censorship and the Communications Decency Act
Monitoring Children’s Surfing Habits Is a Better Way Than Putting Censorship Over the Internet
A History of Censorship in Ancient and Modern Civilizations
Censorship, Supervision and Control of the Information and Ideas
Importance of Television Censorship to the Three Basic Social Institutions
An Argument That Censorship Must Be Employed if Morals and Decency Are to Be Preserved
Is Internet Censorship and De-Anonymization an Attack on Our Freedom
Censorship or Parental Monitoring
What Does Raleigh’s Letter Home and the Censorship Issue Tell You About Raleigh?
Does Censorship Limit One’s Freedom?
How Darwin Shaped Our Understanding of Why Language Exists?
How Does Censorship Affect the Relationship with His Wife?
Why and How Censorship Lead to Ignorance in Young People?
What Is the Impact of Censorship on Children?
How Does Media Censorship Violate Freedom of Expression and Impact Businesses?
Censorship or Responsibility: Which Is the Lesser of Two?
How Can Censorship Hinder Progress?
How Musical Censorship Related to the Individual?
How The Media Pretends to Protect Us with Censorship?
What Is the Impact of Censorship on Our Everyday Lives?
Is There China Internet Censorship Against Human Rights?
Can Ratings for Movies Censorship Be Socially Justified?
Censorship: Should Public Libraries Filter Internet Sites?
Does Parental Censorship Make Children More Curious?
What Are the Arguments for and Against the Censorship of Pornography?
How Propaganda and Censorship Were Used In Britain and Germany During WWI?
Should the Chinese Government Ban the Internet Censorship?
How Virginia Woolf’s Orlando Subverted Censorship and Revolutionized the Politics of LGBT Love in 1928?
How Modern Dictators Survive: Cooptation, Censorship, Propaganda, and Repression?
What arguments Were Used to Support or Oppose Censorship in Video Nasties?
Why News Ownership Affects Free Press and Press Censorship?
Should Music Suffer the Bonds of Censorship Interviews?
Why Should Graffiti Be Considered an Accepted from of Art?
What Is the Connection Between Censorship and the Banning of Books?
How Does Congress Define Censor and Censorship?
How Does Censorship Affect the Development of Animations?
Why Should Internet Censorship Be Allowed?
Fake News Research Ideas
Government Regulation Titles
Internet Research Ideas
Music Topics
Public Relations Titles
Video Game Topics
Media Analysis Topics
Child Development Research Ideas
Chicago (A-D)
Chicago (N-B)

IvyPanda. (2023, October 26). 113 Censorship Essay Topics & Examples. https://ivypanda.com/essays/topic/censorship-essay-examples/

"113 Censorship Essay Topics & Examples." IvyPanda , 26 Oct. 2023, ivypanda.com/essays/topic/censorship-essay-examples/.

IvyPanda . (2023) '113 Censorship Essay Topics & Examples'. 26 October.

IvyPanda . 2023. "113 Censorship Essay Topics & Examples." October 26, 2023. https://ivypanda.com/essays/topic/censorship-essay-examples/.

1. IvyPanda . "113 Censorship Essay Topics & Examples." October 26, 2023. https://ivypanda.com/essays/topic/censorship-essay-examples/.

Bibliography

IvyPanda . "113 Censorship Essay Topics & Examples." October 26, 2023. https://ivypanda.com/essays/topic/censorship-essay-examples/.

Study at Cambridge

About the university, research at cambridge.

For Cambridge students
For our researchers
Business and enterprise
Colleges and Departments
Email and phone search
Give to Cambridge
Museums and collections
Events and open days
Fees and finance
Postgraduate courses
How to apply
Fees and funding
Postgraduate events
International students
Continuing education
Executive and professional education
Courses in education
How the University and Colleges work
Visiting the University
Annual reports
Equality and diversity
A global university
Public engagement

Internet censorship: making the hidden visible

Research home
About research overview
Animal research overview
Overseeing animal research overview
The Animal Welfare and Ethical Review Body
Animal welfare and ethics
Report on the allegations and matters raised in the BUAV report
What types of animal do we use? overview
Guinea pigs
Equine species
Naked mole-rats
Non-human primates (marmosets)
Other birds
Non-technical summaries
Animal Welfare Policy
Alternatives to animal use
Further information
Funding Agency Committee Members
Research integrity
Horizons magazine
Strategic Initiatives & Networks
Nobel Prize
Interdisciplinary Research Centres
Open access
Energy sector partnerships
Podcasts overview
S2 ep1: What is the future?
S2 ep2: What did the future look like in the past?
S2 ep3: What is the future of wellbeing?
S2 ep4 What would a more just future look like?

Despite being founded on ideals of freedom and openness, censorship on the internet is rampant, with more than 60 countries engaging in some form of state-sponsored censorship. A research project at the University of Cambridge is aiming to uncover the scale of this censorship, and to understand how it affects users and publishers of information

Censorship over the internet can potentially achieve unprecedented scale Sheharbano Khattak

For all the controversy it caused, Fitna is not a great film. The 17-minute short, by the Dutch far-right politician Geert Wilders, was a way for him to express his opinion that Islam is an inherently violent religion. Understandably, the rest of the world did not see things the same way. In advance of its release in 2008, the film received widespread condemnation, especially within the Muslim community.

When a trailer for Fitna was released on YouTube, authorities in Pakistan demanded that it be removed from the site. YouTube offered to block the video in Pakistan, but would not agree to remove it entirely. When YouTube relayed this decision back to the Pakistan Telecommunications Authority (PTA), the decision was made to block YouTube.

Although Pakistan has been intermittently blocking content since 2006, a more persistent blocking policy was implemented in 2011, when porn content was censored in response to a media report that highlighted Pakistan as the top country in terms of searches for porn. Then, in 2012, YouTube was blocked for three years when a video, deemed blasphemous, appeared on the website. Only in January this year was the ban lifted, when Google, which owns YouTube, launched a Pakistan-specific version, and introduced a process by which governments can request the blocking of access to offending material.

All of this raises the thorny issue of censorship. Those censoring might raise objections to material on the basis of offensiveness or incitement to violence (more than a dozen people died in Pakistan following widespread protests over the video uploaded to YouTube in 2012). But when users aren’t able to access a particular site, they often don’t know whether it’s because the site is down, or if some force is preventing them from accessing it. How can users know what is being censored and why?

“The goal of a censor is to disrupt the flow of information,” says Sheharbano Khattak, a PhD student in Cambridge’s Computer Laboratory, who studies internet censorship and its effects. “internet censorship threatens free and open access to information. There’s no code of conduct when it comes to censorship: those doing the censoring – usually governments – aren’t in the habit of revealing what they’re blocking access to.” The goal of her research is to make the hidden visible.

She explains that we haven’t got a clear understanding of the consequences of censorship: how it affects different stakeholders, the steps those stakeholders take in response to censorship, how effective an act of censorship is, and what kind of collateral damage it causes.

Because censorship operates in an inherently adversarial environment, gathering relevant datasets is difficult. Much of the key information, such as what was censored and how, is missing. In her research, Khattak has developed methodologies that enable her to monitor censorship by characterising what normal data looks like and flagging anomalies within the data that are indicative of censorship.

She designs experiments to measure various aspects of censorship, to detect censorship in actively and passively collected data, and to measure how censorship affects various players.

The primary reasons for government-mandated censorship are political, religious or cultural. A censor might take a range of steps to stop the publication of information, to prevent access to that information by disrupting the link between the user and the publisher, or to directly prevent users from accessing that information. But the key point is to stop that information from being disseminated.

Internet censorship takes two main forms: user-side and publisher-side. In user-side censorship, the censor disrupts the link between the user and the publisher. The interruption can be made at various points in the process between a user typing an address into their browser and being served a site on their screen. Users may see a variety of different error messages, depending on what the censor wants them to know.

“The thing is, even in countries like Saudi Arabia, where the government tells people that certain content is censored, how can we be sure of everything they’re stopping their citizens from being able to access?” asks Khattak. “When a government has the power to block access to large parts of the internet, how can we be sure that they’re not blocking more than they’re letting on?”

What Khattak does is characterise the demand for blocked content and try to work out where it goes. In the case of the blocking of YouTube in 2012 in Pakistan, a lot of the demand went to rival video sites like Daily Motion. But in the case of pornographic material, which is also heavily censored in Pakistan, the government censors didn’t have a comprehensive list of sites that were blacklisted, so plenty of pornographic content slipped through the censors’ nets.

Despite any government’s best efforts, there will always be individuals and publishers who can get around censors, and access or publish blocked content through the use of censorship resistance systems. A desirable property, of any censorship resistance system is to ensure that users are not traceable, but usually users have to combine them with anonymity services such as Tor.

“It’s like an arms race, because the technology which is used to retrieve and disseminate information is constantly evolving,” says Khattak. “We now have social media sites which have loads of user-generated content, so it’s very difficult for a censor to retain control of this information because there’s so much of it. And because this content is hosted by sites like Google or Twitter that integrate a plethora of services, wholesale blocking of these websites is not an option most censors might be willing to consider.”

In addition to traditional censorship, Khattak also highlights a new kind of censorship – publisher-side censorship – where websites refuse to offer services to a certain class of users. Specifically, she looks at the differential treatments of Tor users by some parts of the web. The issue with services like Tor is that visitors to a website are anonymised, so the owner of the website doesn’t know where their visitors are coming from. There is increasing use of publisher-side censorship from site owners who want to block users of Tor or other anonymising systems.

“Censorship is not a new thing,” says Khattak. “Those in power have used censorship to suppress speech or writings deemed objectionable for as long as human discourse has existed. However, censorship over the internet can potentially achieve unprecedented scale, while possibly remaining discrete so that users are not even aware that they are being subjected to censored information.”

Professor Jon Crowcroft, who Khattak works with, agrees: “It’s often said that, online, we live in an echo chamber, where we hear only things we agree with. This is a side of the filter bubble that has its flaws, but is our own choosing. The darker side is when someone else gets to determine what we see, despite our interests. This is why internet censorship is so concerning.”

“While the cat and mouse game between the censors and their opponents will probably always exist,” says Khattak. “I hope that studies such as mine will illuminate and bring more transparency to this opaque and complex subject, and inform policy around the legality and ethics of such practices.”

Read this next

A visualisation of one of the design scenarios highlighted in the latest paper

Call for safeguards to prevent unwanted ‘hauntings’ by AI chatbots of dead loved ones

Emissions and evasions

Lights could be the future of the internet and data transmission

The Misinformation Susceptibility Test

Barbed wire

Credit: Hernán Piñera

Search research

Our selection of the week's biggest Cambridge research news sent directly to your inbox. Enter your email address, confirm you're happy to receive our emails and then select 'Subscribe'.

I wish to receive a weekly Cambridge research news summary by email.

The University of Cambridge will use your email address to send you our weekly research news email. We are committed to protecting your personal information and being transparent about what information we hold. Please read our email privacy notice for details.

digital technology
social media
Digital society
Sheharbano Khattak
Jon Crowcroft
Computer Laboratory
School of Technology

Connect with us

Contact the University
Accessibility statement
Freedom of information
Privacy policy and cookies
Statement on Modern Slavery
Terms and conditions
University A-Z
Undergraduate
Postgraduate
Cambridge University Press & Assessment
Research news
About research at Cambridge
Spotlight on...

We’re fighting to restore access to 500,000+ books in court this week. Join us!

Internet Archive Audio

This Just In
Grateful Dead
Old Time Radio
78 RPMs and Cylinder Recordings
Audio Books & Poetry
Computers, Technology and Science
Music, Arts & Culture
News & Public Affairs
Spirituality & Religion
Radio News Archive

Flickr Commons
Occupy Wall Street Flickr
NASA Images
Solar System Collection
Ames Research Center

All Software
Old School Emulation
MS-DOS Games
Historical Software
Classic PC Games
Software Library
Kodi Archive and Support File
Vintage Software
CD-ROM Software
CD-ROM Software Library
Software Sites
Tucows Software Library
Shareware CD-ROMs
Software Capsules Compilation
CD-ROM Images
ZX Spectrum
DOOM Level CD

Smithsonian Libraries
FEDLINK (US)
Lincoln Collection
American Libraries
Canadian Libraries
Universal Library
Project Gutenberg
Children's Library
Biodiversity Heritage Library
Books by Language
Additional Collections

Prelinger Archives
Democracy Now!
Occupy Wall Street
TV NSA Clip Library
Animation & Cartoons
Arts & Music
Computers & Technology
Cultural & Academic Films
Ephemeral Films
Sports Videos
Videogame Videos
Youth Media

Search the history of over 866 billion web pages on the Internet.

Mobile Apps

Wayback Machine (iOS)
Wayback Machine (Android)

Browser Extensions

Archive-it subscription.

Explore the Collections
Build Collections

Save Page Now

Capture a web page as it appears now for use as a trusted citation in the future.

Please enter a valid web address

Donate Donate icon An illustration of a heart shape

Threat modeling and circumvention of Internet censorship

Bookreader item preview, share or embed this item, flag this item for.

Graphic Violence
Explicit Sexual Content
Hate Speech
Misinformation/Disinformation
Marketing/Phishing/Advertising
Misleading/Inaccurate/Missing Metadata

Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities—such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations.

My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor’s reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements. Rather, let us state the assumptions about censor behavior atop which we build circumvention designs, and let those assumptions be based on an informed understanding of censor behavior.

David Fifield's PhD thesis. Home page is at https://www.bamsoftware.com/papers/thesis/ .

plus-circle Add Review comment Reviews

Download options.

For users with print-disabilities

IN COLLECTIONS

Uploaded by David Fifield on January 7, 2018

SIMILAR ITEMS (based on metadata)

This is the HTML version of my thesis.

PDF version

See info.html for errata, source code, work-in-progress versions, and other information.

David Fifield [email protected] Published 2017-12-15 This page last updated 2024-07-07

Threat modeling and circumvention of Internet censorship

By David Fifield

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley

Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson

Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair

I wish to express special appreciation to those who have guided me: my advisor Doug Tygar, who helped me out of a tough spot; Vern Paxson; the other two caballeros, Sadia Afroz and Michael Tschantz; Xiao Qiang; Dan Boneh; and Steve Beaty.

I am grateful to those who offered me kindness or assistance in the course of my research: Angie Abbatecola; Barbara Goto; Nick Hopper; Lena Lau-Stewart; Heather Levien; Gordon Lyon; Deirdre Mulligan; Audrey Sillers; David Wagner; Philipp Winter, whose CensorBib is an invaluable resource; the Tor Project and the tor-dev and tor-qa mailing lists; OONI; the traffic-obf mailing list; the Open Technology Fund and the Freedom2Connect Foundation; and the SecML, BLUES, and censorship research groups at UC Berkeley. Thank you.

The opinions expressed herein are solely those of the author and do not necessarily represent any other person or organization.

My thesis is dedicated in opposition to the California State loyalty oath, a shameful relict of an un-American era.

Source code and information related to this document are available at https://www.bamsoftware.com/papers/thesis/ .

Chapter 1 Introduction

This is a thesis about Internet censorship. Specifically, it is about two threads of research that have occupied my attention for the past several years: gaining a better understanding of how censors work, and fielding systems that circumvent their restrictions. These two topics drive each other: better understanding leads to better circumvention systems that take into account censors’ strengths and weaknesses; and the deployment of circumvention systems affords an opportunity to observe how censors react to changing circumstances. The output of my research takes two forms: models that describe how censors behave today and how they may evolve in the future, and tools for circumvention that are sound in theory and effective in practice.

Censorship is a big topic, and even adding the “Internet” qualifier makes it hardly less so. In order to deal with the subject in detail, I must limit the scope. The subject of this work is an important special case of censorship, which I call the “border firewall.” See Figure 1.1 .

A client resides within a network that is entirely controlled by a censor . Within the controlled network, the censor may observe, modify, inject, or block any communication along any link. The client’s computer, however, is trustworthy and not controlled by the censor. The censor tries to prevent some subset of the client’s communication with the wider Internet, for instance by blocking those that discuss certain topics, that are destined to certain network addresses, or that use certain protocols. The client’s goal is to evade the censor’s controls and communicate with some destination that lies outside the censor’s network; successfully doing so is called circumvention . Circumvention means somehow safely traversing a hostile network, eluding detection and blocking. The censor does not control the network outside its border; it may send messages to the outside world, but it cannot control them after they have traversed the border.

This abstract model is a good starting point, but it is not the whole story. We will have to adapt it to fit different situations, sometimes relaxing and sometimes strengthening assumptions. For example, the censor may be weaker than assumed: it may observe only the links that cross the border, not those that lie wholly inside; it may not be able to fully inspect every packet; or there may be deficiencies or dysfunctions in its detection capabilities. Or the censor may be stronger: while not fully controlling outside networks, it may perhaps exert outside influence to discourage network operators from assisting in circumvention. The client may be limited, for technical or social reasons, in the software and hardware they can use. The destination may knowingly cooperate with the client’s circumvention effort, or may not. There are many possible complications, reflecting the messiness and diversity of dealing with real censors. Adjusting the basic model to reflect real-world actors’ motivations and capabilities is the heart of threat modeling . In particular, what makes circumvention possible at all is the censor’s motivation to block only some, but not all, of the incoming and outgoing communications—this assumption will be a major focus of the next chapter.

It is not hard to see how the border firewall model relates to censorship in practice. In a common case, the censor is the government of a country, and the limits of its controlled network correspond to the country’s borders. A government typically has the power to enforce laws and control network infrastructure inside its borders, but not outside. However this is not the only case: the boundaries of censorship do not always correspond to the border of a country. Content restrictions may vary across geographic locations, even within the same country—Wright et al. [ 202 ] identified some reasons why this might be. A good model for some places is not a single unified regime, but rather several autonomous service providers, each controlling and censoring its own portion of the network, perhaps coordinating with others about what to block and perhaps not. Another important case is that of a university or corporate network, in which the only outside network access is through a single gateway router, which tries to enforce a policy on what is acceptable and what is not. These smaller networks often differ from national- or ISP-level networks in interesting ways, for instance with regard to the amount of overblocking they are willing to tolerate, or the amount of computation they can afford to spend on each communication.

Here are examples of forms of censorship that are in scope:

blocking IP addresses
blocking specific network protocols
blocking DNS resolution for certain domains
blocking keywords in URLs
parsing application-layer data (“deep packet inspection”)
statistical and probabilistic traffic classification
bandwidth throttling
active scanning to discover the use of circumvention

Some other censorship-related topics that are not in scope include:

domain takedowns (affecting all clients globally)
server-side blocking (servers that refuse to serve certain clients)
forum moderation and deletion of social media posts
anything that takes place entirely within the censor’s network and does not cross the border
deletion-resistant publishing in the vein of the Eternity Service [ 10 ] (what Köpsell and Hillig call “censorship resistant publishing systems” [ 120 §1 ] ), except insofar as access to such services may be blocked

Parts of the abstract model are deliberately left unspecified, to allow for the many variations that arise in practice. The precise nature of “blocking” can take many forms, from packet dropping, to injection of false responses, to softer forms of disruption such as bandwidth throttling. Detection does not have to be purely passive. The censor may to do work outside the context of a single connection; for example, it may compute aggregate statistics over many connections, make lists of suspected IP addresses, and defer some analysis for offline processing. The client may cooperate with other parties inside and outside the censor’s network, and indeed almost all circumvention will require the assistance of a collaborator on the outside.

It is a fair criticism that the term “Internet censorship” in the title overreaches, given that I am talking only about one specific manifestation of censorship, albeit an important one. I am sympathetic to this view, and I acknowledge that far more topics could fit under the umbrella of Internet censorship. Nevertheless, for consistency and ease of exposition, in this document I will continue to use “Internet censorship” without further qualification to mean the border firewall case.

1.2 My background

This document describes my research experience from the past five years. The next chapter, “ Principles of circumvention ,” is the thesis of the thesis, in which I lay out opinionated general principles of the field of circumvention. The remaining chapters are split between the topics of modeling and circumvention.

One’s point of view is colored by experience. I will therefore briefly describe the background to my research. I owe much of my experience to collaboration with the Tor Project, producers of the Tor anonymity network. whose anonymity network has been the vehicle for deployment of my circumvention systems. Although Tor was not originally intended as a circumvention system, it has grown into one thanks to pluggable transports , a modularization system for circumvention implementations. I know a lot about Tor and pluggable transports, but I have less experience (especially implementation experience) with other systems, particularly those that are developed in languages other than English. And while I have plenty of operational experience—deploying and maintaining systems with real users—I have not been in a situation where I needed to circumvent regularly, as a user.

Chapter 2 Principles of circumvention

In order to understand the challenges of circumvention, it helps to put yourself in the mindset of a censor. A censor has two high-level functions: detection and blocking. Detection is a classification problem: the censor prefers to permit some communications and deny others, and so it must have some procedure for deciding which communications fall in which category. Blocking follows detection. Once the censor detects some prohibited communication, it must take some action to stop the communication, such as terminating the connection at a network router. Censorship requires both detection and blocking. (Detection without blocking would be called surveillance, not censorship.) The flip side of this statement is that circumvention has two ways to succeed: by eluding detection, or, once detected, by somehow resisting the censor’s blocking action.

A censor is, then, essentially a traffic classifier coupled with a blocking mechanism. Though the design space is large, and many complications are possible, at its heart a censor must decide, for each communication, whether to block or allow, and then effect blocks as appropriate. Like any classifier, a censor is liable to make mistakes. When the censor fails to block something that it would have preferred to block, it is an error called a false negative ; when the censor accidentally blocks something that it would have preferred to allow, it is a false positive . Techniques to avoiding detection are often called “obfuscation,” and the term is an appropriate one. It reflects not an attitude of security through obscurity; but rather a recognition that avoiding detection is about making the censor’s classification problem more difficult, and therefore more costly. Forcing the censor to trade false positives for false negatives is the core of all circumvention that is based on avoiding detection. The costs of misclassifications cannot be understood in absolute terms: they only have meaning relative to a specific censor and its resources and motivations. Understanding the relative importance that a censor assigns to classification errors—knowing what it prefers to allow and to block—is key to knowing what what kind of circumvention will be successful. Through good modeling, we can make the tradeoffs less favorable for the censor and more favorable for the circumventor.

The censor may base its classification decision on whatever criteria it finds practical. I like to divide detection techniques into two classes: detection by content and detection by address . Detection by content is based on the content or topic of the message: keyword filtering and protocol identification fall into this class. Detection by address is based on the sender or recipient of the message: IP address blacklists and DNS response tampering fall into this class. An “address” may be any kind of identifier: an IP address, a domain name, an email address. Of these two classes, my experience is that detection by address is harder to defeat. The distinction is not perfectly clear because there is no clear separation between what is content and what is an address: the layered nature of network protocols means that one layer’s address is another layer’s content. Nevertheless, I find it useful to think about detection techniques in these terms.

The censor may block the address of the destination, preventing direct access. Any communication between the client and the destination must therefore be indirect. The indirect link between client and destination is called a proxy , and it must do two things: provide an unblocked address for the client to contact; and somehow mask the contents of the channel and the eventual destination address. I will use the word “proxy” expansively to encompass any kind of intermediary, not only a single host implementing a proxy protocol such an HTTP proxy or SOCKS proxy. A VPN (virtual private network) is also a kind of proxy, as is the Tor network, as may be a specially configured network router. A proxy is anything that acts on a client’s behalf to assist in circumvention.

Proxies solve the first-order effects of censorship (detection by content and address), but they induce a second-order effect: the censor must now seek out and block proxies, in addition to the contents and addresses that are its primary targets. This is where circumvention research really begins: not with access to the destination per se, but with access to a proxy, which transitively gives access to the destination. The censor attempts to deal with detecting and blocking communication with proxies using the same tools it would for any other communication. Just as it may look for forbidden keywords in text, it may look for distinctive features of proxy protocols; just as it may block politically sensitive web sites, it may block the addresses of any proxies it can discover. The challenge for the circumventor is to use proxy addresses and proxy protocols that are difficult for the censor to detect or block.

The way of organizing censorship and circumvention techniques that I have presented is not the only one. Köpsell and Hillig [ 120 §4 ] divide detection into “content” and “circumstances”; their “circumstances” include addresses and also features that I consider more content-like: timing, data transfer characteristics, and protocols. Winter [ 198 §1.1 ] divides circumvention into three problems: bootstrapping, endpoint blocking, and traffic obfuscation. Endpoint blocking and traffic obfuscation correspond to my detection by address and detection by content; bootstrapping is the challenge of getting a copy of circumvention software and discovering initial proxy addresses. I tend to fold bootstrapping in with address-based detection; see Section 2.3 . Khattak, Elahi, et al. break detection into four aspects [ 113 §2.4 ] : destinations, content, flow properties, and protocol semantics. I think of their “content,” “flow properties,” and “protocol semantics” as all fitting under the heading of content. My split between address and content mostly corresponds to Tschantz et al.’s “setup” and “usage” [ 182 §V ] and Khattak, Elahi, et al.’s “communication establishment” and “conversation” [ 113 §3.1 ] . What I call “detection” and “blocking,” Khattak, Elahi, et al. call “fingerprinting” and “direct censorship” [ 113 §2.3 ] , and Tschantz et al. call “detection” and “action” [ 182 §II ] .

A major difficulty in developing circumvention systems is that however much you model and try to predict the reactions of a censor, real-world testing is expensive. If you really want to test a design against a censor, not only must you write and deploy an implementation, integrate it with client-facing software like web browsers, and work out details of its distribution—you must also attract enough users to merit a censor’s attention. Any system, even a fundamentally broken one, will work to circumvent most censors, as long as it is used only by one or only a few clients. The true test arises only after the system has begun to scale and the censor to fight back. This phenomenon may have contributed to the unfortunate characterization of censorship and circumvention as a cat-and-mouse game: deploying a flawed circumvention system, watching it become more popular and then get blocked, then starting over again with another similarly flawed system. In my opinion, the cat-and-mouse game is not inevitable, but is a consequence of inadequate understanding of censors. It is possible to develop systems that resist blocking—not absolutely, but quantifiably, in terms of costs to the censor—even after they have become popular.

2.1 Collateral damage

What prevents the censor from shutting down all connectivity within its network, trivially preventing the client from reaching any destination? The answer is that the censor derives benefits from allowing network connectivity, other than the communications which it wants to censor. Or to put it another way: the censor incurs a cost when it overblocks: accidentally blocks something it would have preferred to allow. Because it wants to block some things and allow others, the censor is forced to run as a classifier. In order to avoid harm to itself, the censor permits some measure of circumvention traffic.

The cost of false positives is of so central importance to circumvention that researchers have a special term for it: collateral damage . The term is a bit unfortunate, evoking as it does negative connotations from other contexts. It helps to focus more on the “collateral” than the “damage”: collateral damage is any cost experienced by the censor as a result of incidental blocking done in the course of censorship. It must trade its desire to block forbidden communications against its desire to avoid harm to itself, balance underblocking with overblocking. Ideally, we force the censor into a dilemma: unable to distinguish between circumvention and other traffic, it must choose either to allow circumvention along with everything else, or else block everything and suffer maximum collateral damage. It is not necessary to reach this ideal fully before circumvention becomes possible. Better obfuscation drives up the censor’s error rate and therefore the cost of any blocking. Ideally, the potential “damage” is never realized, because the censor sees the cost as being too great.

Collateral damage, being an abstract “cost,” can take many forms. It may come in the form of civil discontent, as people try to access web sites and get annoyed with the government when unable to do so. It may be reduced productivity, as workers are unable to access resources they need to to their job. This is the usual explanation offered for why the Great Firewall of China has never blocked GitHub for for more than a few days, despite GitHub’s being used to host and distribute circumvention software: GitHub is so deeply integrated into software development, that programmers cannot get work done when it is blocked.

Collateral damage, as with other aspects of censorship, cannot be understood in isolation, but only in relation to a particular censor. Suppose that blocking one web site results in the collateral blocking of a hundred more. Is that a large amount of collateral damage? It depends. Are those other sites likely to be visited by clients in the censor’s network? Are they in the local language? Do professionals and officials rely on them to get their job done? Is someone in the censorship bureau likely to get fired as a result of their blocking? If the answers to these question is yes, then yes, the collateral damage is likely to be high. But if not, then the censor could take or leave those hundred sites—it doesn’t matter. Collateral damage is not just any harm that results from censorship, it is harm that is felt by the censor.

Censors may take actions to reduce collateral damage while still blocking most of what they intend to. (Another way to think of it is: reducing false positives without increasing false negatives.) For example, Winter and Lindskog [ 199 ] , observed that the Great Firewall preferred to block individual ports, entire IP addresses, probably in a bid to reduce collateral damage. Local circumstances may serve to reduce collateral damage: for example if a domestic replacement exists for a foreign service, the censor may block the foreign service more easily.

The censor’s reluctance to cause collateral damage is what makes circumvention possible in general. (There are some exceptions, discussed in the next section, where the censor can detect but for some reason cannot block.) To deploy a circumvention system is to make a bet: that the censor cannot field a classifier that adequately distinguishes the traffic of the circumvention system from other traffic which, if blocked, would result in collateral damage. Even steganographic circumvention channels that mimic some other protocol ultimately derive their blocking resistance from the potential of collateral damage. For example, a protocol that imitates HTTP can be blocked by blocking HTTP—the question then is whether the censor can afford to block HTTP. And that’s in the best case, assuming that the circumvention protocol has no “tell” that enables the censor to distinguish it from the cover protocol it is trying to imitate. Indistinguishability is a necessary but not sufficient condition for blocking resistance: that which you are trying to be indistinguishable from must also have sufficient collateral damage. It’s no use to have a perfect steganographic imitation of a protocol that the censor doesn’t mind blocking.

In my opinion, collateral damage provides a more productive way to think about the behavior of censors than do alternatives. It takes into account different censors’ differing resources and motivations, and so is more useful for generic modeling. Moreover, it gets to the heart of what makes traffic resistant to blocking. There are other ways of characterizing censorship resistance. Many authors—Burnett et al. [ 25 ] , and Jones et al. Jones2014a, for instance—call the essential element “deniability,” meaning that a client can plausibly claim to have been doing something other than circumventing when confronted with a log of their network activity. Khattak, Elahi, et al. [ 113 §4 ] consider “deniability” separately from “unblockability.” Houmansadr et al. [ 103 , 104 , 105 ] used the term “unobservability,” which I feel fails to capture the censor’s essential function of distinguishing, not only observation. Brubaker et al. [ 23 ] used the term “entanglement,” which I found enlightening. What they call entanglement I think of as indistinguishability—keeping in mind that that which you are trying to be indistinguishable from must be valued by the censor. Collateral damage provides a way to make statements about censorship resistance quantifiable, at least in a loose sense. Rather than saying, “the censor cannot block X ,” or even, “the censor is unwilling to block X ,” it is better to say “in order to block X , the censor would have to do Y ,” where Y is some action bearing a cost for the censor. A statement like this makes it clear that some censors may be able to afford the cost of blocking and others may not; there is no “unblockability” in absolute terms. Now, actually quantifying the value of Y is a task in itself, by no means a trivial one. A challenge for future work in this field is to assign actual numbers (e.g., in dollars) to the costs borne by censors. If a circumvention system becomes blocked, it may simply mean that the circumventor overestimated the collateral damage or underestimated the censor’s capacity to absorb it.

We have observed that the risk of collateral damage is what prevents the censor from shutting down the network completely—and yet, censors do occasionally enact shutdowns or daily “curfews.” Shutdowns are costly—West [ 191 ] looked at 81 shutdowns in 19 countries in 2015 and 2016, and estimated that they collectively cost $2.4 billion in losses to gross domestic product. Deloitte [ 40 ] estimated that shutdowns cost millions of dollars per day per 10 million population, the amount depending on a country’s level of connectivity. This does not necessarily contradict the theory of collateral damage. It is just that, in some cases, a censor reckons that the benefits of a shutdown outweigh the costs. As always, the outcome depends on the specific censor: censors that don’t benefit as much from the Internet don’t have as much to lose by blocking it. The fact that shutdowns are limited in duration shows that even censors that can afford to a shutdown cannot afford to keep it up forever.

Complicating everything is the fact that censors are not bound to act rationally. Like any other large, complex entity, a censor is prone to err, to act impetuously, to make decisions that cause more harm than good. The imposition of censorship in the first place, I suggest, is exactly such an irrational action, retarding progress at the greater societal level.

2.2 Content obfuscation strategies

There are two general strategies to counter content-based detection. The first is to mimic some content that the censor allows, like HTTP or email. The second is to randomize the content, making it dissimilar to anything that the censor specifically blocks.

Tschantz et al. [ 182 ] call these two strategies “steganography” and “polymorphism” respectively. It is not a strict categorization—any real system will incorporate a bit of both. The two strategies reflect they reflect differing conceptions of censors. Steganography works against a “whitelisting” or “default-deny” censor, one that permits only a set of specifically enumerated protocols and blocks all others. Polymorphism, on the other hand, fails against a whitelisting censor, but works against a “blacklisting” or “default-allow” censor, one that blocks a set of specifically enumerated protocols and allows all others.

This is not to say that steganography is strictly superior to polymorphism—there are tradeoffs in both directions. Effective mimicry can be difficult to achieve, and in any case its effectiveness can only be judged against a censor’s sensitivity to collateral damage. Whitelisting, by its nature, tends to cause more collateral damage than blacklisting. And just as obfuscation protocols are not purely steganographic or polymorphic, real censors are not purely whitelisting or blacklisting. Houmansadr et al. [ 103 ] exhibited weaknesses in “parrot” circumvention systems that imperfectly mimic a cover protocol. Mimicking a protocol in every detail, down to its error behavior, is difficult, and any inconsistency is a potential feature that a censor may exploit. Wang et al. [ 186 ] found that some of the proposed attacks against parrot systems would be impractical due to high false-positive rates, but offered other attacks designed for efficiency and low false positives. Geddes et al. [ 95 ] showed that even perfect imitation may leave vulnerabilities due to mismatches between the cover protocol and the carried protocol. For instance, randomly dropping packets may disrupt circumvention more than normal use of the cover protocol. It’s worth noting, though, that apart from active probing and perhaps entropy measurement, most of the attacks proposed in academic research have not been used by censors in practice.

Some systematizations (for example those of Brubaker et al. [ 23 §6 ] ; Wang et al. [ 186 §2 ] ; and Khattak, Elahi, et al. [ 113 §6.1 ] ) further subdivide steganographic systems into those based on mimicry (attempting to replicate the behavior of a cover protocol) and tunneling (sending through a genuine implementation of the cover protocol). I do not find the distinction very useful, except when discussing concrete implementation choices. To me, there is no clear division: there are various degrees of fidelity in imitation, and tunneling only tends to offer higher fidelity than does mimicry.

I will list some circumvention systems that represent the steganographic strategy. Infranet [ 62 ] , way back in 2002, built a covert channel within HTTP, encoding upstream data as crafted requests and downstream data as steganographic images. StegoTorus [ 190 ] uses custom encoders to make traffic resemble common HTTP file types, such as PDF, JavaScript, and Flash. SkypeMorph [ 139 ] mimics a Skype video call. FreeWave [ 105 ] modulates a data stream into an acoustic signal and transmits it over VoIP. Format-transforming encryption, or FTE [ 58 ] , force traffic to conform to a user-specified syntax: if you can describe it, you can imitate it. Despite receiving much research attention, steganographic systems have not been as used in practice as polymorphic ones. Of the listed systems, only FTE has seen substantial deployment.

There are many examples of the randomized, polymorphic strategy. An important subclass of these comprises the so-called look-like-nothing systems that encrypt a stream without any plaintext header or framing information, so that it appears to be a uniformly random byte sequence. A pioneering design was the obfuscated-openssh of Bruce Leidl [ 122 ] , which aimed to hide the plaintext packet metadata in the SSH protocol. obfuscated-openssh worked, in essence, by first sending an encryption key, and then sending ciphertext encrypted with that key. The encryption of the obfuscation layer was an additional layer, independent of SSH’s ordinary encryption. A censor could, in principle, passively detect and deobfuscate the protocol by recovering the key and using it to decrypt the rest of the stream. obfuscated-openssh could optionally incorporate a pre-shared password into the key derivation function, which would protect against this attack. Dust [ 195 ] , similarly randomized bytes (at least in its v1 version—later versions permitted fitting to distributions other than uniform). It was not susceptible to passive deobfuscation because it required an out-of-band key exchange to happen before each session. Shadowsocks [ 170 ] is a lightweight encryption layer atop a simple proxy protocol.

There is a line of successive look-like-nothing protocols—obfs2, obfs3, ScrambleSuit, and obfs4—which I like because they illustrate the mutual advances of censors and circumventors over several years. obfs2 [ 110 ] , which debuted in 2012 in response to blocking in Iran [ 43 ] , uses very simple obfuscation inspired by obfuscated-openssh: it is essentially equivalent to sending an encryption key, then the rest of the stream encrypted with that key. obfs2 is detectable, with no false negatives and negligible false positives, by even a passive censor who knows how it works; and it is vulnerable to active probing attacks, where the censor speculatively connects to servers to see what protocols they use. However, it sufficed against the keyword- and pattern-based censors of its era. obfs3 [ 111 ] —first available in 2013 but not really released to users until 2014 [ 152 ] —was designed to fix the passive detectability of its predecessor. obfs3 employs a Diffie–Hellman key exchange that prevents easy passive detection, but it can still be subverted by an active man in the middle, and remains vulnerable to active probing. (The Great Firewall of China had begun active-probing for obfs2 by January 2013, and for obfs3 by August 2013—see Table 4.2 .) ScrambleSuit [ 200 ] , first available to users in 2014 [ 29 ] , arose in response to the active-probing of obfs3. Its innovations were the use of an out-of-band secret to authenticate clients, and traffic shaping techniques to perturb the underlying stream’s statistical properties. When a client connects to a ScrambleSuit proxy, it must demonstrate knowledge of the out-of-band secret before the proxy will respond, which prevents active probing. obfs4 [ 206 ] , first available in 2014 [ 154 ] , is an incremental advancement on ScrambleSuit that uses more efficient cryptography, and additionally authenticates the key exchange to prevent active man-in-the-middle attacks.

There is an advantage in designing polymorphic protocols, as opposed to steganographic ones, which is that every proxy can potentially have its own characteristics. ScrambleSuit and obfs4, in addition to randomizing packet contents, also shape packet sizes and timing to fit random distributions. Crucially, the chosen distributions are consistent within each proxy, but vary across proxies. That means that even if a censor is able to build a profile for a particular proxy, it is not necessarily useful for detecting other instances.

2.3 Address blocking resistance strategies

The first-order solution for reaching a destination whose address is blocked is to instead route through a proxy. But a single, static proxy is not much better than direct access, for circumvention purposes—a censor can block the proxy just as easily as it can block the destination. Circumvention systems must come up with ways of addressing this problem.

There are two reasons why resistance to blocking by address is challenging. The first is due to the nature of network routing: the client must, somehow, encode the address of the destination into the messages it sends. The second is the insider attack: legitimate clients must have some way to discover the addresses of proxies. By pretending to be a legitimate client, the censor can learn those addresses in the same way.

Compared to content obfuscation, there are relatively few strategies for resistance to blocking by address. They are basically five:

sharing private proxies among only a few clients
having a large population of secret proxies and distributing them carefully
having a very large population of proxies and treating them as disposable
proxying through a service with high collateral damage
address spoofing

The simplest proxy infrastructure is no infrastructure at all: require every client to set up and maintain a proxy for their own personal use, or for a few of their friends. As long as the use of any single address remains low, it may escape the censor’s notice [ 49 §4.2 ] . The problem with this strategy, of course, is usability and scalability. If it were easy for everyone to set up their own proxy on an unblocked address, they would do it, and blocking by address would not be a concern. The challenge is making such techniques general so they are usable by more than experts. uProxy [ 184 ] is now working on just that: automating the process of setting up a proxy on a server.

What Köpsell and Hillig call the “many access points” model [ 120 §5.2 ] has been adopted in some form by many circumvention systems. In this model, there are many proxies in operation. They may be full-fledged general-purpose proxies, or only simple forwarders to a more capable proxy. They may be operated by volunteers or coordinated centrally. In any case, the success of the system hinges on being able to sustain a population of proxies, and distribute information about them to legitimate users, without revealing too many to the censor. Both of these considerations pose challenges.

Tor’s blocking resistance design [ 49 ] , based on secret proxies called “bridges,” was of this kind. Volunteers run bridges, which report themselves to a central database called BridgeDB [ 181 ] . Clients contact BridgeDB through some unblocked out-of-band channel (HTTPS, email, or word of mouth) in order to learn bridge addresses. The BridgeDB server takes steps to prevent the easy enumeration of its database [ 124 ] . Each request returns only a small set of bridges, and repeated requests by the same client return the same small set (keyed by a hash of the client’s IP address prefix or email address). Requests through the HTTPS interface require the client to solve a captcha, and email requests are honored only from the domains of email providers that are known to limit the rate of account creation. The population of bridges is partitioned into “pools”—one pool for HTTPS distribution, one for email, and so on—so that if an adversary manages to enumerate one of the pools, it does not affect the bridges of the others. But even these defenses may not be enough. Despite public appeals for volunteers to run bridges (for example Dingledine’s initial call in 2007 [ 44 ] ), there have never been more than a few thousand of them, and Dingledine reported in 2011 that the Great Firewall of China managed to enumerate both the HTTPS and email pools [ 45 §1 , 46 §1 ] .

Tor relies on BridgeDB to provide address blocking resistance for all its transports that otherwise have only content obfuscation. And that is a great strength of such a system. It enables, to some extent, content obfuscation to be developed independently, and rely on an existing generic proxy distribution mechanism in order to produce an overall working system. There is a whole line of research, in fact, on the question of how best to distribute information about an existing population of proxies, which is known as the “proxy distribution problem” or “proxy discovery problem.” Proposals such as Proximax [ 134 ] , rBridge [ 188 ] , and Salmon [ 54 ] aim to make proxy distribution robust by tracking the reputation of clients and the unblocked lifetimes of proxies.

A way to make proxy distribution more robust against censors (but at the same time less usable by clients) is to “poison” the set of proxy addresses with the addresses of important servers, the blocking of which would result in high collateral damage. VPN Gate employed this idea [ 144 §4.2 ] , mixing into the their public proxy list the addresses of root DNS servers and Windows Update servers.

Apart from “in-band” discovery of bridges via subversion of a proxy distribution system, one must also worry about “out-of-band” discovery, for example by mass scanning [ 46 §6 , 49 §9.3 ] . Durumeric et al. found about 80% of existing (unobfuscated) Tor bridges [ 57 §4.4 ] by scanning all of IPv4 on a handful of common bridge ports. Matic et al. had similar results in 2017 [ 133 §V.D ] , using public search engines in lieu of active scanning. The best solution to the scanning problem is to do as ScrambleSuit [ 200 ] , obfs4 [ 206 ] , and Shadowsocks [ 170 ] do, and associate with each proxy a secret, without which a scanner cannot initiate a connection. Scanning for bridges is closely related to active probing, the topic of Chapter 4 .

Another way of achieving address blocking resistance is to treat proxies as temporary and disposable, rather than permanent and valuable. This is the idea underlying flash proxy [ 84 ] and Snowflake ( Chapter 7 ). Most proxy distribution strategies are designed around proxies lasting at least on the order days. In contrast, disposable proxies may last only minutes or hours. Setting up a Tor bridge or even something lighter-weight like a SOCKS proxy still requires installing some software on a server somewhere. The proxies of flash proxy and Snowflake have a low set-up and tear-down cost: you can run one just by visiting a web page. These designs do not need a sophisticated proxy distribution strategy as long as the rate of proxy creation is kept higher than the censor’s rate of discovery.

The logic behind diffusing many proxies widely is that a censor would have to block large swaths of the Internet in order to effectively block them. However, it also makes sense to take the opposite tack: have just one or a few proxies, but choose them to have high enough collateral damage that the censor does not dare block them. Refraction networking [ 160 ] puts proxy capability into network routers—in the middle of paths, rather than at the end. Clients cryptographically tag certain flows in a way that is invisible to the censor but detectable to a refraction-capable router, which redirects from its apparent destination to some other, covert destination. In order to prevent circumvention, the censor has to induce routes that avoid the special routers [ 168 ] , which is costly [ 106 ] . Domain fronting [ 89 ] has similar properties. Rather than a router, it uses another kind of network intermediary: a content delivery network. Using properties of HTTPS, a client may request one site while appearing (to the censor) to request another. Domain fronting is the topic of Chapter 6 . The big advantage of this general strategy is that the proxies do not need to be kept secret from the censor.

The final strategy for address blocking resistance is address spoofing. The notable design in this category is CensorSpoofer [ 187 ] . A CensorSpoofer client never communicates directly with a proxy. It sends upstream data through a low-bandwidth, indirect channel such as email or instant messaging, and downstream data through a simulated VoIP conversation, spoofed to appear as if it were coming from some unrelated dummy IP address. The asymmetric design is feasible because of the nature of web browsing: typical clients send much less than they receive. The client never even needs to know the actual address of the proxy, meaning that CensorSpoofer has high resistance to insider attack: even running the same software as a legitimate client, the censor does not learn enough information to effect a block. The idea of address spoofing goes back farther; as early as 2001, TriangleBoy [ 167 ] employed lighter-weight intermediate proxies that simply forwarded client requests to a long-lived proxy at a static, easily blockable address. In the downstream direction, the long-lived proxy would, rather than route back through the intermediate proxy, only spoof its responses to look as if they came from proxy. TriangleBoy did not match CensorSpoofer’s resistance to insider attack, because clients still needed to find and communicate directly with a proxy, so the whole system basically reduced to the proxy discovery problem, despite the use of address spoofing.

2.4 Spheres of influence and visibility

It is usual to assume, conservatively, that whatever the censor can detect, it also can block; that is, to ignore blocking per se and focus only on the detection problem. We know from experience, however, that there are cases in practice where a censor’s reach exceeds its grasp: where it is able to detect circumvention but for some reason cannot block it. It may be useful to consider this possibility when modeling. Khattak, Elahi, et al. [ 113 ] express it nicely by subdividing the censor’s network into a sphere of influence within which the censor has active control, and a potentially larger sphere of visibility within which the censor may only observe, but not act.

A landmark example of this kind of thinking is the 2006 research on “Ignoring the Great Firewall of China” by Clayton et al. [ 31 ] . They found that the firewall would block connections by injecting phony TCP RST packets (which cause the connection to be torn down) or SYN/ACK packets (which cause the connection to become unsynchronized), and that simply ignoring the anomalous packets rendered blocking ineffective. (Why did the censor choose to inject its own packets, rather than drop those of the client or server? The answer is probably that injection is technically easier to achieve, highlighting a limit on the censor’s power.) One can think of this ignoring as shrinking the censor’s sphere of influence: it can still technically act within this sphere, but not in a way that actually achieves blocking. Additionally, intensive measurements revealed many failures to block, and blocking rates that changed over time, suggesting that even when the firewall intends a policy of blocking, it does not always succeed.

Another fascinating example of “look, but don’t touch” communication is the “filecasting” technique used by Toosheh [ 142 ] , a file distribution service based on satellite television broadcasts. Clients tune their satellite receivers to a certain channel and record the broadcast to a USB flash drive. Later, they run a program on the recording that decodes the information and extracts a bundle of files. The system is unidirectional: clients can only receive the files that the operators choose to provide. The censor can easily see that Toosheh is in use—it’s a broadcast, after all—but cannot identify users, or block the signal in any way short of continuous radio jamming or tearing down satellite dishes.

There are parallels between the study of Internet censorship and that of network intrusion detection. One is that a censor’s detector may be implemented as a network intrusion detection system or monitor, a device “on the side” of a communication link that receives a copy of the packets that flow over the link, but that, unlike a router, is not responsible for forwarding the packets onward. Another parallel is that censors are susceptible to the same kinds of evasion and obfuscation attacks that affect network monitors more generally. In 1998, Ptacek and Newsham [ 158 ] and Paxson [ 149 §5.3 ] outlined various attacks against network intrusion detection systems—such as manipulating the IP time-to-live field or sending overlapping IP fragments—that cause a monitor either to accept what the receiver will reject, or reject what the receiver will accept. A basic problem is that a monitor’s position in the middle of the network does not enable it to predict exactly how each packet will be interpreted by the endpoints. Cronin et al. [ 36 ] posit that the monitor’s conflicting goals of sensitivity (recording all that is relevant) and selectivity (recording only what is relevant) give rise to an unavoidable “eavesdropper’s dilemma.”

Monitor evasion techniques can be used to reduce a censor’s sphere of visibility—remove certain traffic features from its consideration. Crandall et al. [ 33 ] in 2007 suggested using IP fragmentation to prevent keyword matching. In 2008 and 2009, Park and Crandall [ 148 ] explicitly characterized the Great Firewall as a network intrusion detection system and found that a lack of TCP reassembly allowed evading keyword matching. Winter and Lindskog [ 199 ] found that the Great Firewall still did not do TCP segment reassembly in 2012. They released a tool, brdgrd [ 196 ] , that by manipulating the TCP window size, prevented the censor’s scanners from receiving a full response in the first packet, thereby foiling active probing. Anderson [ 9 ] gave technical information on the implementation of the Great Firewall as it existed in 2012, and observed that it is implemented as an “on-the-side” monitor. Khattak et al. [ 114 ] applied a wide array of evasion experiments to the Great Firewall in 2013, identifying classes of working evasions and estimating the cost to counteract them. Wang et al. [ 189 ] did further evasion experiments against the Great Firewall a few years later, finding that the firewall had evolved to prevent some previous evasion techniques, and discovering new ones.

2.5 Early censorship and circumvention

Internet censorship and circumvention began to rise to importance in the mid-1990s, coinciding with the popularization of the World Wide Web. Even before national-level censorship by governments became an issue, researchers investigated the blocking policies of personal firewall products—those intended, for example, for parents to install on the family computer. Meeks and McCullagh [ 138 ] reported in 1996 on the secret blocking lists of several programs. Bennett Haselton and Peacefire [ 100 ] found many cases of programs blocking more than they claimed, including web sites related to politics and health.

Governments were not far behind in building legal and technical structures to control the flow of information on the web, in some cases adapting the same technology originally developed for personal firewalls. The term “Great Firewall of China” first appeared in an article in Wired [ 15 ] in 1997. In the wake of the first signs of blocking by ISPs, people were thinking about how to bypass filters. The circumvention systems of that era were largely HTML-rewriting web proxies: essentially a form on a web page into which a client would enter a URL. The server would fetch the desired page on behalf of the client, and before returning the response, rewrite all the links and external references in the page to make them relative to the proxy. CGIProxy [ 131 ] , SafeWeb [ 132 ] , Circumventor [ 99 ] , and the first version of Psiphon [ 28 ] were all of this kind.

These systems were effective against their censors of their day—at least with respect to the blocking of destinations. They had the major advantage of requiring no special client-side software other than a web browser. The difficulty they faced was second-order blocking as censors discovered and blocked the proxies themselves. Circumvention designers deployed some countermeasures; for example Circumventor had a mailing list [ 49 §7.4 ] which would send out fresh proxy addresses every few days. A 1996 article by Rich Morin [ 140 ] presented a prototype HTML-rewriting proxy called Rover, which eventually became CGIProxy. The article predicted the failure of censorship based on URL or IP address, as long as a significant fraction of web servers ran such proxies. That vision has not come to pass. Accumulating a sufficient number of proxies and communicating their addresses securely to clients—in short, the proxy distribution problem—turned out not to follow automatically, but to be a major sub-problem of its own.

Threat models had to evolve along with censor capabilities. The first censors would be considered weak by today’s standards, mostly easy to circumvent by simple countermeasures, such as tweaking a protocol or using an alternative DNS server. (We see the same progression play out again when countries first begin to experiment with censorship, such as in Turkey in 2014, where alternative DNS servers briefly sufficed to circumvent a block of Twitter [ 35 ] .) Not only censors were changing—the world around them was changing as well. In field of circumvention, which is so heavily affected by concerns about collateral damage, the milieu in which censors operate is as important as the censors themselves. A good example of this is the paper on Infranet, the first academic circumvention design I am aware of. Its authors argued, not unreasonably for 2001, that TLS would not suffice as a cover protocol [ 62 §3.2 ] , because the relatively few TLS-using services at that time could all be blocked without much harm. Certainly the circumstances are different today—domain fronting and all refraction networking schemes require the censor to permit TLS. As long as circumvention remains relevant, it will have to change along with changing times, just as censors do.

Chapter 3 Understanding censors

The main tool we have to build relevant threat models is the study of censors. The study of censors is complicated by difficulty of access: censors are not forthcoming about their methods. Researchers are obligated to treat censors as a black box, drawing inferences about their internal workings from their externally visible characteristics. The easiest thing to learn is the censor’s what —the destinations and contents that are blocked. Somewhat harder is the investigation into where and how , the specific technical mechanisms used to effect censorship and where they are deployed in the network. Most difficult to infer is the why , the motivations and goals that underlie an apparatus of censorship.

From past measurement studies we may draw a few general conclusions. Censors change over time, and not always in the direction of more restrictions. Censorship differs greatly across countries, not only in subject but in mechanism and motivation. However it is reasonable to assume a basic set of capabilities that many censors have in common:

blocking of specific IP addresses and ports
control of default DNS servers
blocking DNS queries
injection of false DNS responses
injection of TCP RSTs
keyword filtering in unencrypted contents
application protocol parsing (“deep packet inspection”)
participation in a circumvention system as a client
scanning to discover proxies
throttling connections
temporary total shutdowns

Not all censors will be able—or motivated—to do all of these. As the amount of traffic to be handled increases, in-path attacks such as throttling become relatively more expensive. Whether a particular act of censorship even makes sense will depend on a local cost–benefit analysis, a weighing of the expected gains against the potential collateral damage. Some censors may be able to tolerate a brief total shutdown, while for others the importance of Internet connectivity is too great for such a blunt instrument.

The Great Firewall of China (GFW), because of its unparalleled technical sophistication, is tempting to use as a model adversary. There has indeed been more research focused on China than any other country. But the GFW is in many ways an outlier, and not representative of other censors. A worldwide view is needed.

Building accurate models of censor behavior is not only needed for the purpose of circumvention. It also has implications for ethical measurement [ 108 §2 , 202 §5 ] . For example, a common way to test for censorship is to ask volunteers to run software that connects to potentially censored destinations and records the results. This potentially puts volunteers at risk. Suppose the software accesses a destination that violates local law. Could the volunteer be held liable for the access? Quantifying the degree of risk depends on modeling how a censor will react to a given stimulus [ 32 §2.2 ] .

3.1 Censorship measurement studies

A large part of research on censorship is composed of studies of censor behavior in the wild. In this section I summarize past studies, which, taken together, present a picture of censor behavior in general. They are based on those in an evaluation study done by me and others in 2016 [ 182 §IV.A ] . The studies are diverse and there are many possible ways to categorize them. Here, I have divided them into one-time experiments and generic measurement platforms.

One-shot studies

One of the earliest technical studies of censorship occurred in a place you might not expect, the German state of North Rhein-Westphalia. Dornseif [ 52 ] tested ISPs’ implementation of a controversial legal order to block web sites circa 2002. While there were many possible ways to implement the block, none were trivial to implement, nor free of overblocking side effects. The most popular implementation used DNS tampering, which is returning (or injecting) false responses to DNS requests for the blocked sites. An in-depth survey of DNS tampering found a variety of implementations, some blocking more and some blocking less than required by the order. This time period seems to mark the beginning of censorship by DNS tampering in general; Dong [ 51 ] reported it in China in late 2002.

Zittrain and Edelman [ 208 ] used open proxies to experimentally analyze censorship in China in late 2002. They tested around 200,000 web sites and found around 19,000 of them to be blocked. There were multiple methods of censorship: web server IP address blocking, DNS server IP address blocking, DNS poisoning, and keyword filtering.

Clayton [ 30 ] in 2006 studied a “hybrid” blocking system, CleanFeed by the British ISP BT, that aimed for a better balance of costs and benefits: a “fast path” IP address and port matcher acted as a prefilter for the “slow path,” a full HTTP proxy. The system, in use since 2004, was designed to block access to any of a secret list of web sites. The system was vulnerable to a number of evasions, such a using a proxy, using an alternate IP address or port, and obfuscating URLs. The two-level nature of the blocking system unintentionally made it an oracle that could reveal the IP addresses of sites in the secret blocking list.

In 2006, Clayton, Murdoch, and Watson [ 31 ] further studied the technical aspects of the Great Firewall of China. They relied on an observation that the firewall was symmetric, treating incoming and outgoing traffic equally. By sending web requests from outside the firewall to a web server inside, they could provoke the same blocking behavior that someone on the inside would see. They sent HTTP requests containing forbidden keywords that caused the firewall to inject RST packets towards both the client and server. Simply ignoring RST packets (on both ends) rendered the blocking mostly ineffective. The injected packets had inconsistent TTLs and other anomalies that enabled their identification. Rudimentary countermeasures, such as splitting keywords across packets, were also effective in avoiding blocking. The authors brought up an important point that would become a major theme of future censorship modeling: censors are forced to trade blocking effectiveness against performance. In order to cope with high load at a reasonable costs, censors may employ the “on-path” architecture of a network monitor or intrusion detection system; i.e., one that can passively monitor and inject packets, but cannot delay or drop them.

Contemporaneous studies of the Great Firewall by Wolfgarten [ 201 ] and Tokachu [ 175 ] found cases of DNS tampering, search engine filtering, and RST injection caused by keyword detection. In 2007, Lowe, Winters, and Marcus [ 125 ] did detailed experiments on DNS tampering in China. They tested about 1,600 recursive DNS servers in China against a list of about 950 likely-censored domains. For about 400 domains, responses came back with bogus IP addresses, chosen from a set of about 20 distinct IP addresses. Eight of the bogus addresses were used more than the others: a whois lookup placed them in Australia, Canada, China, Hong Kong, and the U.S. By manipulating the IP time-to-live field, the authors found that the false responses were injected by an intermediate router, evidenced by the fact that the authentic response would be received as well, only later. A more comprehensive survey [ 12 ] of DNS tampering occurred in 2014, giving remarkable insight into the internal structure of the censorship machines. DNS injection happened only at border routers. IP ID and TTL analysis showed that each node was a cluster of several hundred processes that collectively injected censored responses. They found 174 bogus IP addresses, more than previously documented, and extracted a blacklist of about 15,000 keywords.

The Great Firewall, because of its unusual sophistication, has been an enduring object of study. Part of what makes it interesting is its many blocking modalities, both active and passive, proactive and reactive. The ConceptDoppler project of Crandall et al. [ 33 ] measured keyword filtering by the Great Firewall and showed how to discover new keywords automatically by latent semantic analysis, using the Chinese-language Wikipedia as a corpus. They found limited statefulness in the firewall: sending a naked HTTP request without a preceding SYN resulted in no blocking. In 2008 and 2009, Park and Crandall [ 148 ] further tested keyword filtering of HTTP responses. Injecting RST packets into responses is more difficult than doing the same to requests, because of the greater uncertainty in predicting TCP sequence numbers once a session is well underway. In fact, RST injection into responses was hit or miss, succeeding only 51% of the time, with some, apparently diurnal, variation. They also found inconsistencies in the statefulness of the firewall. Two of ten injection servers would react to a naked HTTP request; that it, one sent outside of an established TCP connection. The remaining eight of ten required an established TCP connection. Xu et al. [ 204 ] continued the theme of keyword filtering in 2011, with the goal of discovering where filters are located at the IP and autonomous system levels. Most filtering is done at border networks (autonomous systems with at least one peer outside China). In their measurements, the firewall was fully stateful: blocking was never triggered by an HTTP request outside an established TCP connection. Much filtering occurred at smaller regional providers, rather than on the network backbone. Anderson [ 9 ] gave a detailed description of the design of the Great Firewall in 2012. He described IP address blocking by null routing, RST injection, and DNS poisoning, and documented cases of collateral damage affecting clients inside and outside China.

Dainotti et al. [ 37 ] reported on the total Internet shutdowns that took place in Egypt and Libya in the early months of 2011. They used multiple measurements to document the outages as they occurred. During the shutdowns, they measured a drop in scanning traffic (mainly from the Conficker botnet). By comparing these different measurements, they showed that the shutdown in Libya was accomplished in more than one way, both by altering network routes and by firewalls dropping packets.

Winter and Lindskog [ 199 ] , and later Ensafi et al. [ 60 ] did a formal investigation into active probing, a reported capability of the Great Firewall since around October 2011. They focused on the firewall’s probing of Tor and its most common pluggable transports.

Anderson [ 6 ] documented network throttling in Iran, which occurred over two major periods between 2011 and 2012. Throttling degrades network access without totally blocking it, and is harder to detect than blocking. Academic institutions were affected by throttling, but less so than other networks. Aryan et al. [ 14 ] tested censorship in Iran during the two months before the June 2013 presidential election. They found multiple blocking methods: HTTP request keyword filtering, DNS tampering, and throttling. The most usual method was HTTP request filtering; DNS tampering (directing to a blackhole IP address) affected only the three domains facebook.com , youtube.com , and plus.google.com . SSH connections were throttled down to about 15% of the link capacity, while randomized protocols were throttled almost down to zero, 60 seconds into a connection’s lifetime. Throttling seemed to be achieved by dropping packets, which causes TCP to slow down.

Khattak et al. [ 114 ] evaluated the Great Firewall from the perspective that it works like an intrusion detection system or network monitor, and applied existing techniques for evading a monitor to the problem of circumvention. They looked particularly for ways to evade detection that are expensive for the censor to remedy. They found that the firewall was stateful, but only in the client-to-server direction. The firewall was vulnerable to a variety of TCP- and HTTP-based evasion techniques, such as overlapping fragments, TTL-limited packets, and URL encodings.

Nabi [ 141 ] investigated web censorship in Pakistan in 2013, using a publicly available list of banned web sites. Over half of the sites on the list were blocked by DNS tampering; less than 2% were additionally blocked by HTTP filtering (an injected redirect before April 2013, or a static block page after that). They conducted a small survey to find the most commonly used circumvention methods; the most common was public VPNs, at 45% of respondents. Khattak et al. [ 115 ] looked at two censorship events that took place in Pakistan in 2011 and 2012. Their analysis is special because unlike most studies of censorship, theirs uses traffic traces taken directly from an ISP. They observe that users quickly switched to TLS-based circumvention following a block of YouTube. The blocks had side effects beyond a loss of connectivity: the ISP had to deal with more ciphertext than before, and users turned to alternatives for the blocked sites. Their survey found that the most common method of circumvention was VPNs. Aceto and Pescapè [ 2 ] revisited Pakistan in 2016. Their analysis of six months of active measurements in five ISPs showed that blocking techniques differed across ISPs; some used DNS poisoning and others used HTTP filtering. They did their own survey of commonly used circumvention technologies, and again the winner was VPNs with 51% of respondents.

Ensafi et al. [ 61 ] employed an intriguing technique to measure censorship from many locations in China—a “hybrid idle scan.” The hybrid idle scan allows one to test TCP connectivity between two Internet hosts, without needing to control either one. They selected roughly uniformly geographically distributed sites in China from which to measure connectivity to Tor relays, Tor directory authorities, and the web servers of popular Chinese web sites. There were frequent failures of the firewall resulting in temporary connectivity, typically occurring in bursts of hours.

In 2015, Marczak et al. [ 129 ] investigated an innovation in the capabilities of the border routers of China, an attack tool dubbed the Great Cannon. The cannon was responsible for denial-of-service attacks on Amazon CloudFront and GitHub. The unwitting participants in the attack were web browsers located outside of China, who began their attack when the cannon injected malicious JavaScript into certain HTTP responses originating inside of China. The new attack tool was noteworthy because it demonstrated previously unseen in-path behavior, such as packet dropping.

A major aspect of censor modeling is that many censors use commercial firewall hardware. Dalek et al. [ 39 ] , Dalek et al. [ 38 ] , and Marquis-Boire et al. [ 130 ] documented the use of commercial firewalls made by Blue Coat, McAfee, and Netsweeper in a number of countries. Chaabane et al. [ 27 ] analyzed 600 GB of leaked logs from Blue Coat proxies that were being used for censorship in Syria. The logs cover 9 days in July and August 2011, and contain an entry for every HTTP request. The authors of the study found evidence of IP address blocking, DNS blocking, and HTTP request keyword blocking; and also evidence of users circumventing censorship by downloading circumvention software or using cache feature of Google search. All subdomains of .il, the top-level domain for Israel, were blocked, as were many IP address ranges in Israel. Blocked URL keywords included “proxy”, which resulted in collateral damage to the Google Toolbar and the Facebook like button because they included the string “proxy” in HTTP requests. Tor was only lightly censored: only one of several proxies blocked it, and only sporadically.

Generic measurement platforms

For a decade, the OpenNet Initiative produced reports on Internet filtering and surveillance in dozens of countries, until it ceased operation in 2014. For example, their 2005 report on Internet filtering in China [ 146 ] studied the problem from many perspectives, political, technical, and legal. They tested the extent of filtering of web sites, search engines, blogs, and email. They found a number of blocked web sites, some related to news and politics, and some on sensitive subjects such as Tibet and Taiwan. In some cases, entire domains were blocked; in others, only specific URLs within the domain were blocked. There were cases of overblocking: apparently inadvertently blocked sites that happened to share an IP address or URL keyword with an intentionally blocked site. The firewall terminated connections by injecting a TCP RST packet, then injecting a zero-sized TCP window, which would prevent any communication with the same server for a short time. Using technical tricks, the authors inferred that Chinese search engines indexed blocked sites (perhaps having a special exemption from the general firewall policy), but did not return them in search results [ 147 ] . Censorship of blogs included keyword blocking by domestic blogging services, and blocking of external domains such as blogspot.com [ 145 ] . Email filtering was done by the email providers themselves, not by an independent network firewall. Email providers seemed to implement their filtering rules independently and inconsistently: messages were blocked by some providers and not others.

Sfakianakis et al. [ 169 ] built CensMon, a system for testing web censorship using PlanetLab, a distributed network research platform. They ran the system for 14 days in 2011 across 33 countries, testing about 5,000 unique URLs. They found 193 blocked domain–country pairs, 176 of them in China. CensMon was not run on a continuing basis. Verkamp and Gupta [ 185 ] did a separate study in 11 countries, using a combination of PlanetLab nodes and the computers of volunteers. Censorship techniques varied across countries; for example, some showed overt block pages and others did not.

OONI [ 92 ] and ICLab [ 107 ] are dedicated censorship measurement platforms. Razaghpanah et al. [ 159 ] provide a comparison of the two platforms. They work by running regular network measurements from the computers of volunteers or through VPNs. UBICA [ 3 ] is another system based on volunteers running probes; its authors used it to investigate several forms of censorship in Italy, Pakistan, and South Korea.

Anderson et al. [ 8 ] used RIPE Atlas a globally distributed Internet measurement network, to examine two case studies of censorship: Turkey’s ban on social media sites in March 2014 and Russia’s blocking of certain LiveJournal blogs in March 2014. Atlas allows 4 types of measurements: ping, traceroute, DNS resolution, and TLS certificate fetching. In Turkey, they found at least six shifts in policy during two weeks of site blocking. They observed an escalation in blocking in Turkey: the authorities first poisoned DNS for twitter.com , then blocked the IP addresses of the Google public DNS servers, then finally blocked Twitter’s IP addresses directly. In Russia, they found ten unique bogus IP addresses used to poison DNS.

Pearce, Ensafi, et al. [ 150 ] made Augur, a scaled-up version of the hybrid idle scan of Ensafi et al. [ 61 ] , designed for continuous, global measurement of disruptions of TCP connectivity. The basic tool is the ability to detect packet drops between two remote hosts; but expanding it to a global scale poses a number of technical challenges. Pearce et al. [ 151 ] built Iris, as system to measure DNS manipulation globally. Iris uses open resolvers and evaluates measurements against the detection metrics of consistency (answers from different locations should the same or similar) and independent verifiability (checking results against other sources of data like TLS certificates) in order to decide when they constitute manipulation.

3.2 The evaluation of circumvention systems

Evaluating the quality of circumvention systems is tricky, whether they are only proposed or actually deployed. The problem of evaluation is directly tied to threat modeling. Circumvention is judged according to how well it works under a given model; the evaluation is therefore meaningful only as far as the threat model reflects reality. Without grounding in reality, researchers risk running an imaginary arms race that evolves independently of the real one.

I took part, with Michael Carl Tschantz, Sadia Afroz, and Vern Paxson, in a meta-study [ 182 ] of how circumvention systems are evaluated by their authors and designers, and comparing those to empirically determined censor models. This kind of work is rather different than the direct evaluations of circumvention tools that have happened before, for example those done by the Berkman Center [ 162 ] and Freedom House [ 26 ] in 2011. Rather than testing tools against censors, we evaluated how closely aligned designers’ own models were to models derived from actual observations of censors.

This research was partly born out of frustration with some typical assumptions made in academic research on circumvention, which we felt placed undue emphasis on steganography and obfuscation of traffic streams, while not paying enough attention to the perhaps more important problems of proxy distribution and initial rendezvous between client and proxy. We wanted to help bridge the gap by laying out a research agenda to align the incentives of researchers with those of circumventors. This work was built on extensive surveys of circumvention tools, measurement studies, and known censorship events against Tor. Our survey included over 50 circumvention tools.

One outcome of the research is that that academic designs tended to be concerned with detection in the steady state after a connection is established (related to detection by content), while actually deployed systems cared more about how the connection is established initially (related to detection by address). Designers tend to misperceive the censor’s weighting of false positives and false negatives—assuming a whitelist rather than a blacklist, say. Real censors care greatly about the cost of running detection, and prefer cheap, passive, stateless solutions whenever possible. It is important to guard against these modes of detection before becoming too concerned with those that require sophisticated computation, packet flow blocking, or lots of state.

Chapter 4 Active probing

The Great Firewall of China rolled out an innovation in the identification of proxy servers around 2010: active probing of suspected proxy addresses. In active probing, the censor pretends to be a legitimate client, making its own connections to suspected addresses to see whether they speak a proxy protocol. Any addresses that are found to be proxies are added to a blacklist so that access to them will be blocked in the future. The input to the active probing subsystem, a set of suspected addresses, comes from passive observation of the content of client connections. The censor sees a client connect to a destination and tries to determine, by content inspection, what protocol is in use. When the censor’s content classifier is unsure whether the protocol is a proxy protocol, it passes the destination address to the active probing subsystem. Active prober then checks, by connecting to the destination, whether it actually is a proxy. Figure 4.1 illustrates the process.

Active probing makes good sense for the censor, whose main restriction is the risk of false-positive classifications that result in collateral damage. Any classifier based purely on passive content inspection must be very precise (have a low rate of false positives). Active probing increases precision by blocking only those servers that are determined, through active inspection, to really be proxies. The censor can get away with a mediocre content classifier—it can return a superset of the set of actual proxy connections, and active probes will weed out its false positives. A further benefit of active probing, from the censor’s point of view, is that it can run asynchronously, separate from the firewall’s other responsibilities that require a low response time.

Active probing, as I use the term in this chapter, is distinguished from other types of active scans by being reactive, driven by observation of client connections. It is distinct from proactive, wide-scale port scanning, in which a censor regularly scans likely ports across the Internet to find proxies, independent of client activity. The potential for the latter kind of scanning has been appreciated for over a decade. Dingledine and Mathewson [ 49 §9.3 ] raised scanning resistance as a consideration in the design document for Tor bridges. McLachlan and Hopper [ 136 §3.2 ] observed that the bridges’ tendency to run on a handful of popular ports would make them more discoverable in an Internet-wide scan, which they estimated would take weeks using then-current technology. Dingledine [ 46 §6 ] mentioned indiscriminate scanning as one of ten ways to discover Tor bridges—while also bringing up the possibility of reactive probing which the Great Firewall was then just beginning to use. Durumeric et al. [ 57 §4.4 ] demonstrated the effectiveness of Internet-wide scanning, targeting only two ports to discover about 80% of public Tor bridges in only a few hours, Tsyrklevich [ 183 ] and Matic et al. [ 133 §V.D ] later showed how existing public repositories of Internet scan data could reveal bridges, without even the necessity of running one’s own scan.

The Great Firewall of China is the only censor known to employ active probing. It has increased in sophistication over time, adding support for new protocols and reducing the delay between a client’s connection and the sending of probes. The Great Firewall has the documented ability to probe the plain Tor protocol and some of its pluggable transports, as well as certain VPN protocols and certain HTTPS-based proxies. Probing takes place only seconds or minutes after a connection by a legitimate client, and the active-probing connections come from a large range of source IP addresses. The experimental results in this chapter all have to do with China.

Active probing occupies a space somewhere in the middle of the dichotomy, put forward in Chapter 2 , of detection by content and detection by address. An active probing system takes suspected addresses as input and produces to-be-blocked addresses as output. But it is content-based classification that produces the list of suspected addresses in the first place. The existence of active probing is The use of active probing is, in a sense, a good sign for circumvention: it only became relevant content obfuscation had gotten better. If a censor could easily identify the use of circumvention protocols by mere passive inspection, then it would not go to the extra trouble of active probing.

Contemporary circumvention systems must be designed to resist active probing attacks. The strategy of the look-like-nothing systems ScrambleSuit [ 200 ] , obfs4 [ 206 ] , and Shadowsocks [ 126 , 156 ] is to authenticate clients using a per-proxy password or public key; i.e., to require some additional secret information beyond just an IP address and port number. Domain fronting ( Chapter 6 ) deals with active probing by co-locating proxies with important web services: the censor can tell that circumvention is taking place but cannot block the proxy without unacceptable collateral damage. In Snowflake ( Chapter 7 ), proxies are web browsers running ordinary peer-to-peer protocols, authenticated using a per-connection shared secret. Even if a censor discovers one of Snowflake’s proxies, it cannot verify that the proxy is running Snowflake or something else, without having first negotiated a shared secret through Snowflake’s broker mechanism.

4.1 History of active probing research

Active probing research has mainly focused on Tor and its pluggable transports. There is also some work on Shadowsocks. Table 4.2 summarizes the research covered in this section.

	Nixon notices unusual, random-looking connections from China in SSH logs [ ].
–	Nixon’s random-looking probes are temporarily replaced by TLS probes before changing back again [ ].
	hrimfaxi reports that Tor bridges are quickly detected by the GFW [ ].
	Nixon publishes observations and hypotheses about the strange SSH connections [ ].
	Wilde investigates Tor probing [ , , ]. He finds two kinds of probe: “garbage” random probes and Tor-specific ones.
	The obfs2 transport becomes available [ ]. The Great Firewall is initially unable to probe for it.
	Winter and Lindskog investigate Tor probing in detail [ ].
	The Great Firewall begins to active-probe obfs2 [ , §4.3]. The obfs3 transport becomes available [ ].
–	Majkowski observes TLS and garbage probes and identifies fingerprintable features of the probers [ ].
	The Great Firewall begins to active-probe obfs3 [ Figure 8].
	The ScrambleSuit transport, which is resistant to active probing, becomes available [ ].
	The obfs4 transport (resistant to active probing) becomes available [ ].
	BreakWa11 finds an active-probing vulnerability in Shadowsocks [ , §2].
	Ensafi et al. [ ] publish results of multi-modal experiments on active probing.
	Shadowsocks changes its protocol to better resist active probing [ ].
	Wang et al. [ §7.3] find that bridges that are discovered by active probing are blocked on the entire IP address, not an individual port.

Nixon [ 143 ] published in late 2011 an analysis of suspicious connections from IP addresses in China that his servers had at that point been receiving for a year. The connections were to the SSH port, but did not follow the SSH protocol; rather they contained apparently random bytes, resulting in error messages in the log file. Nixon discovered a pattern: the random-looking “garbage” probes were preceded, at an interval of 5–20 seconds, by a legitimate SSH login from some other IP address in China. The same pattern was repeated at three other sites. Nixon supposed that the probes were triggered by legitimate SSH users, as their connections traversed the firewall; and that the random payloads were a simple form of service identification, sent only to see how the server would respond to them. For a few weeks in May and June 2011, the probes did not look random, but instead looked like TLS.

In October 2011, Tor user hrimfaxi reported that a newly set up, unpublished Tor bridge would be blocked within 10 minutes of their first being accessed from China [ 41 ] . Moving the bridge to another port on the same IP address would work temporarily, but the new address would also be blocked within another 10 minutes. Wilde systematically investigated the phenomenon in December 2011 and published an extensive analysis of active probing that was triggered by connections from inside China to outside [ 193 , 194 ] . There were two kinds of probes: “garbage” random probes like those Nixon had described, and specialized Tor probes that established a TLS session and inside the session sent the Tor protocol. The garbage probes were triggered by TLS connections to port 443, and were sent immediately following the original connection. The Tor probes, in contrast, were triggered by TLS connections to any port, as long as the TLS client handshake matched that of Tor’s implementation [ 48 ] . The Tor probes were not sent immediately, but in batches of 15 minutes. The probes came from diverse IP addresses in China: 20 different /8 networks [ 192 ] . Bridges using the obfs2 transport were, at that time, neither probed nor blocked.

Winter and Lindskog revisited the question of Tor probing a few months later in 2012 [ 199 ] . They used open proxies and a server in China to reach bridges and relays in Russia, Singapore, and Sweden. The bridges and relays were configured so that ordinary users would not connect to them by accident. They confirmed Wilde’s finding that the blocking of one port did not affect other ports on the same IP address. Blocked ports became reachable again 12 hours. By simulating multiple Tor connections, they collected over 3,000 active probe samples in 17 days. During that time, there were about 72 hours which where mysteriously free of active probing. Half of the probes came from a single IP address, 202.108.181.70; the other half were almost all unique. Reverse-scanning the probes’ source IP addresses, a few minutes after the probes were received, sometimes found a live host, though usually with a different IP TTL than was used during the probing, which the authors suggested may be a sign of address spoofing by the probing infrastructure. Because probing was triggered by patterns in the TLS client handshake, they developed a server-side tool, brdgrd [ 196 ] , that rewrote the TCP window so that the client’s handshake would be split across packets. The tool sufficed, at the time, to prevent active probing, but stopped working in 2013 [ 197 §Software ] .

The obfs2 pluggable transport, first available in February 2012 [ 43 ] , worked against active probing for about a year. The first report of its being probing arrived in March 2013 [ 47 ] . I found evidence for an even earlier onset, in January 2013, by analyzing the logs of my web server [ 60 §4.3 ] . At about the same time, the obfs3 pluggable transport became available [ 68 ] . It was, in principle, as vulnerable to active probing as obfs2 was, but the firewall did not gain the ability to probe for it until August 2013 [ 60 Figure 8 ] .

Majkowski [ 128 ] documented a change in the GFW between June and July 2013. In June, he reproduced the observations of Winter and Lindskog: pairs of TLS probes, one from 202.108.181.70 and one from some other IP address. He also provided TLS fingerprints for the probers, which differed from those of ordinary Tor clients. In July, he began to see pairs of probes with apparently random contents, like the garbage probes Wilde described. The TLS fingerprints of the July probes differed from those seen earlier, but were still distinctive.

The ScrambleSuit transport, designed to be immune to active-probing attacks, first shipped with Tor Browser 4.0 in October 2014 [ 153 ] . The successor transport obfs4, similarly immune, shipped in Tor Browser 4.5 in April 2015 [ 154 ] .

In August 2015, developer BreakWa11 described an active-probing vulnerability in the Shadowsocks protocol [ 19 , 156 §2 ] . The flaw had to do with a lack of integrity protection, allowing a prober to introduce errors into ciphertext and watch the server’s reaction. As a stopgap, the developers deployed a protocol change that proved to have its own vulnerabilities to probing. They deployed another protocol in February 2017, adding cryptographic integrity protection and fixing the problem [ 102 ] . Despite the long window of vulnerability, I know of no evidence that the Great Firewall tried to probe for Shadowsocks servers.

Ensafi et al. (including me) [ 60 ] did the largest controlled study of active probing to date throughout early 2015. We collected data from a variety of sources: a private network of our own bridges, isolated so that only we and active probers would connect to them; induced intensive probing of a single bridge over a short time period, in the manner of Winter and Lindskog; analysis of server log files going back to 2010; and reverse-scanning active prober source IP addresses using tools such as ping, traceroute, and Nmap. Using these sources of data, we investigated many aspects of active probing, such as the types of probes the firewall was capable of sending, the probers’ source addresses, and potentially fingerprintable peculiarities of the probers’ protocol implementations. Observations from this research project appear in the remaining sections of this chapter.

Wang et al. [ 189 §7.3 ] tried connecting to bridges from 11 networks in China. They found that connections from four of the networks did not result in active probing, while connections from the other seven did. A bridge that was probed became blocked on all ports, a change from the single-port blocking that had been documented earlier.

4.2 Types of probes

Our experiments confirmed the existence of known probe types from prior research, and new types that had not been documented before. Our observations of the known probe types were consistent with previous reports, with only minor differences in some details. We found, at varying times, these kinds of probes:

We found probing of the Tor protocol, as expected. The probes we observed in 2015, however, differed from those Wilde described in 2011, which proceeded as far as building a circuit. The ones we saw used less of the Tor protocol: after the TLS handshake they only queried the server’s version and disconnected. Also, in contrast to what Winter and Lindskog found in 2012, the probes were sent immediately after a connection, not batched to a multiple of 15 minutes.

The obfs2 protocol is meant to look like a random stream, but it has a weakness that makes it trivial to identify, passively and retroactively, needing only the first 20 bytes sent by the client. We turned the weakness of obfs2 to our advantage. It allowed us to distinguish obfs2 from other random-looking payloads, isolating a set of connections that could belong only to legitimate circumventors or to active probers.

The obfs3 protocol is also meant to look like a random stream; but unlike obfs2, it is not trivially identifiable passively. It is not possible to retroactively recognize obfs3 connections (from, say, a packet capture) with certainty: sure classification requires active participation in the protocol. In some of our experiments, we ran an obfs3 server that was able to participate in the handshake and so confirm that the protocol really was obfs3. In the passive log analysis, we labeled “obfs3” any probes that looked random but were not obfs2.

We unexpectedly found evidence of probe types other than Tor-related ones. One of these was an HTTPS request:

Both the path “/vpnsvc/connect.cgi”, and the body being a GIF image despite having a Content-Type of “image/jpeg”, are characteristic of the client handshake of the SoftEther VPN software that underlies the VPN Gate circumvention system [ 144 ] .

This type of probe is also an HTTPS request:

where the ‘ XX ’ is a number that varies. The intent of this probe seems to be the discovery of servers that are capable of domain fronting for Google services, including Google App Engine, which runs at appspot.com . (See Chapter 6 for more on domain fronting.) At one time, there were simple proxies running at webncsproxyXX.appspot.com .

This probe type is new since our 2015 paper. I discovered it while re-analyzing my server logs in order to update Figure 4.3 . It is a particular request that was sent over both HTTP and HTTPS:

The urllib requests are unremarkable except for having been sent from an IP address that at some other time send another kind of active probe. The User-Agent “Python-urllib/2.7” and appears many other places in my logs, not in an active probing context. I cannot guess what this probe’s purpose may be, except to observe that Nobori and Shinjo also caught a “Python-urllib” client scraping the VPN Gate server list [ 144 §6.3 ] .

These probe types are not necessarily exhaustive. The purpose of the random “garbage” probes is still not known; they were not obfs2 and were too early to be obfs3, so they must have had some other purpose.

Most of our experiments were designed around exploring known Tor-related probe types: plain Tor, obfs2, and obfs3. The server log analysis, however, unexpectedly turned up the other probe types. The server log data set consisted of application-layer logs from my personal web and mail server, which was also a Tor bridge. Application-layer logs lack much of the fidelity you would normally want in a measurement experiment; they do not have precise timestamps or transport-layer headers, for example, and web server logs truncate the client’s payload at the first ‘\0’ or ‘\n’ byte. But they make up for that with time coverage. Figure 4.3 shows the history of probes received at my server since 2013 (there were no probes before that, though the logs go back to 2010). We began by searching the logs for definite probes: those that were classifiable as obfs2 or otherwise looked like random garbage. Then we looked for what else appeared in the logs for the IP addresses that had, at any time, sent a probe. In a small fraction of cases, the other logs lines appeared to be genuine HTTP requests from legitimate clients; but usually they were other probe-like payloads. We continued this process, adding new classifiers for likely probes, until reaching a fixed point with the probe types described above.

4.3 Probing infrastructure

The most striking feature of active probes is the large number of source addresses from which they are sent, or appear to be sent. The 13,089 probes received by the HTTP and HTTPS ports of my server came from 11,907 distinct IP addresses, representing 47 /8 networks and 26 autonomous systems. 96% of the addresses appeared only once. There is one extreme outlier, the address 202.108.181.70, which by itself accounted for 2% of the probes. (Even this substantial fraction stands in contrast to previous studies, where that single IP address accounted for roughly half the probes [ 199 §4.5.1 ] .) Among the address ranges are ones belonging to residential ISPs.

Despite the many source addresses, the probes seems to be managed by only a few underlying processes. The evidence for this lies in shared patterns in metadata: TCP initial sequence numbers and TCP timestamps. Figure 4.4 shows clear patterns in TCP timestamps, from about six months during which we ran a full packet capture on my web server, in addition to application-layer logging.

We tried connecting back to the source address of probes. Immediately after receiving a probe, the probing IP address would be completely unresponsive to any stimulus we could think to apply. In some cases though, within an hour the address became responsive. The responsive hosts looked like what you would expect to find if you scanned such address ranges, with a variety of operating systems and open ports.

4.4 Fingerprinting the probers

A potential countermeasure against active probing is for each proxy, when it receives a connection, to somehow decide whether the connection comes from a legitimate client, or from a prober. Of course, the right way to identify legitimate clients is with cryptographic authentication, whether at the transport layer (like BridgeSPA [ 172 ] ) or at the application layer (like ScrambleSuit, obfs4, and Shadowsocks). But when that is not possible, one might hope to distinguish probers by their fingerprints, idiosyncrasies in their implementation that make them stand out from ordinary clients. In the case of the Great Firewall, the source IP address does not suffice as a fingerprint because of the great diversity of source addresses the system makes use of. And in a reversal of the usual collateral damage, the source addresses include those where we might expect legitimate clients to reside. The probes do, however, exhibit certain fingerprints at the application layer. While none of the ones we found were robust enough to effectively exclude active probers, they do hint at how the probing is implemented.

The active probers have an unusual TLS fingerprint, TLSv1.0 with a peculiar list of ciphersuites. Tor probes sent only a VERSIONS cell [ 50 §4.1 ] , waited for a response, then closed the connection. The format of the VERSIONS cell was that of a “v2” Tor handshake that has been superseded since 2011, though still in use by a small number of real clients. The Tor probes described by Wilde in 2011 went further into the protocol. It hints at the possibility that at one time, the active probers used a (possibly modified) Tor client, and later switched to a custom implementation.

The obfs2 probes were conformant with the protocol specification, and unremarkable except for the fact that sometimes payloads were duplicated. obfs2 clients are supposed to use fresh randomness for each connection, but a small fraction, about 0.65%, of obfs2 probes shared an identical payload with one other probe. The two probes in a pair came from different source IP addresses and arrived within a second of each other. The apparently separate probers must therefore share some state—at least a shared pseudorandom number generator.

The obfs3 protocol calls for the client to send a random amount of random bytes as padding. The active probers’ implementation of the protocol gets the probability distribution wrong, half the time sending too much padding. This feature would be difficult to exploit for detection, though, because it would rely on application-layer proxy code being able to infer TCP segment boundaries.

The SoftEther probes seem to have been based on an earlier version of the official SoftEther client software than was current at the time, differing from current version in that they lack an HTTP Host header. They also differed from the official client in that their POST request was not preceded by a GET request. The TLS fingerprint of the official client is much different from that of the probers, again hinting at a custom implementation.

The AppSpot probes have a User-Agent header that claims to be a specific version of the Chrome browser; however the rest of the header, and the TLS fingerprint are inconsistent with Chrome.

Chapter 5 Time delays in censors’ reactions

Censors’ inner workings are mysterious. To the researcher hoping to understand them they present only a hostile, black-box interface. However some of their externally visible behaviors offers hints about their internal decision making. In this chapter I describe the results of an experiment that is designed to shed light on the actions of censors; namely, a test of how quickly they react to and block a certain kind of Tor bridge.

Tor bridges are secret proxies that help clients get around censorship. The effectiveness of bridges depends on their secrecy—a censor that learns a bridge’s address can simply block its IP address. Since the beginning, the designers of Tor’s bridge system envisioned that users would learn of bridges through covert or social channels [ 49 §7 ] , in order to prevent any one actor from learning about and blocking a large number of them.

But as it turns out, most users do not use bridges in the way envisioned. Rather, most users who use bridges use one of a small number of default bridges hardcoded in a configuration file within Tor Browser. (According to Matic et al. [ 133 §VII.C ] , over 90% of bridge users use a default bridge.) At a conceptual level, the notion of a “default” bridge is a contradiction: bridges are meant to be secret, not plainly listed in the source code. Any reasonable threat model would assume that default bridges are immediately blocked. And yet in practice we find that they are often not blocked, even by censors that otherwise block Tor relays. We face a paradox: why is it that censors do not take blocking steps that we find obvious? There must be some quality of censors’ internal dynamics that we do not understand adequately.

The purpose of this chapter is to begin to go beneath the surface of censorship for insight into why censors behave as they do—particularly when they behave contrary to expectations. We posit that censors, far from being unitary entities of focused purpose, are rather complex organizations composed of human and machine components, with perhaps conflicting goals; this project is a small step towards better understanding what lies under the face that censors present. The main vehicle for the exploration of this subject is the observation of default Tor bridges to find out how quickly they are blocked after they first become discoverable by a censor. I took part in this project along with Lynn Tsai and Qi Zhong; the results in this chapter are an extension of work Lynn and I published in 2016 [ 91 ] . Through active measurements of default bridges from probe sites in China, Iran, and Kazakhstan, we uncovered previously undocumented behaviors of censors that hint at how they operate at a deeper level.

It was with a similar spirit that Aase, Crandall, Díaz, Knockel, Ocaña Molinero, Saia, Wallach, and Zhu [ 1 ] looked into case studies of censorship with a focus on understanding censors’ motivation, resources, and time sensitivity. They “had assumed that censors are fully motivated to block content and the censored are fully motivated to disseminate it,” but some of their observations challenged that assumption, with varied and seemingly undirected censorship hinting at behind-the-scenes resource limitations. They describe an apparent “intern effect,” by which keyword lists seem to have been compiled by a bored and unmotivated worker, without much guidance. Knockel et al. [ 117 ] looked into censorship of keywords in Chinese mobile games, finding that censorship enforcement in that context is similarly decentralized, different from the centralized control we commonly envision when thinking about censorship.

Zhu et al. [ 207 ] studied the question of censor reaction time in a different context: deletion of posts on the Chinese microblogging service Sina Weibo. Through frequent polling, they were able to measure—down to the minute—the delay between when a user made a post and when a censor deleted it. About 90% of deletions happened within 24 hours, and 30% within 30 minutes—but there was a long tail of posts that survived several weeks before being deleted. The authors used their observations to make educated guesses about the inner workings of the censors. Posts on trending topics tended to be deleted more quickly. Posts made late at night had a longer average lifetime, seemingly reflecting workers arriving in the morning and clearing out a nightly backlog of posts. King et al. [ 116 ] examined six months’ worth of deleted posts on Chinese social networks. The pattern of deletions seemed to reveal the censor’s motivation: not to prevent criticism of the government, as might be expected, but to forestall collective public action.

Nobori and Shinjo give a timeline [ 144 §6.3 ] of circumventor and censor actions and reactions during the first month and a half of the deployment of VPN Gate in China. Within the first four days, the firewall had blocked their main proxy distribution server, and begun scraping the proxy list. When they blocked the single scraping server, the firewall began scraping from multiple other locations within a day. After VPN Gate deployed the countermeasure of mixing high-collateral-damage servers into their proxy list, the firewall stopped blocking for two days, then resumed again, with an additional check that an IP addresses really was a VPN Gate proxy before blocking it.

Wright et al. [ 202 §2 ] motivated a desire for fine-grained censorship measurement by highlighting limitations that tend to prevent a censor from begin equally effective everywhere in its controlled network. Not only resource limitations, but also administrative and logistical requirements, make it difficult to manage a system as complex as a national censorship apparatus.

There has been no prior long-term study dedicated to measuring time delays in the blocking of default bridges. There have, however, been a couple of point measurements that put bounds on what blocking delays in the past must have been. Tor Browser first shipped with default obfs2 bridges on February 11, 2012 [ 43 ] ; Winter and Lindskog tested them 41 days later [ 199 §5.1 ] and found all 13 of them blocked. (The bridges then were blocked by RST injection, a different blocking technique than the timeouts we have seen more recently.) In 2015 I used public reports of blocking and non-blocking of the first batch of default obfs4 bridges to infer a blocking delay of not less than 15 and not more than 76 days [ 70 ] .

As security researchers, are accustomed to making conservative assumptions when building threat models. For example, we assume that when a computer is compromised, it’s game over: the attacker will cause the worst possible outcome for the computer’s owner. But the actual effects of a compromise can vary from grave to almost benign, and it is an interesting question, what really happens and how severe it is. Similarly, it is prudent to assume while modeling that the disclosure of any secret bridge will result in its immediate blocking by every censor everywhere. But as that does not happen in practice, it is an interesting question, what really does happen, and why?

5.1 The experiment

Our experiment primarily involved frequent, active test of the reachability of default bridges from probe sites in China, Iran, and Kazakhstan (countries well known to censor the network), as well as a control site in the U.S. We used a script that, every 20 minutes, attempted to make a TCP connection to each default bridge. The script recorded, for each attempt, whether the connection was successful, the time elapsed, and any error code. The error code allows us to distinguish between different kinds of failures such as “timeout” and “connection refused.” The control site in the U.S. enables us to distinguish temporary bridge failures from actual blocking.

The script only tested whether it is possible to make a TCP connection, which is a necessary but not sufficient precondition to actually establishing a Tor circuit through the bridge. In Kazakhstan, we deployed an additional script that attempted to establish a full Tor-in-obfs4 connection, in order to better understand the different type of blocking we discovered there.

The experiment was opportunistic in nature: we ran from China, Iran, and Kazakhstan not only because they are likely suspects for Tor blocking, but because we happened to have access to a site in each from which we could run probes over some period of time. Therefore the measurements cover different dates in different countries. We began at a time when Tor was building up its stock of default bridges. We began monitoring each new bridges as it was added, coordinating with the Tor Browser developers to get advance notice of their addition when possible. Additionally we had the developers run certain more controlled experiments for us—such as adding a bridge to the source code but commenting it out—that are further detailed below.

We were only concerned with default bridges, not secret ones. Our goal was not to estimate the difficulty of the proxy discovery problem, but to better understand how censors deal with what should be an easy task. We focused on bridges using the obfs4 pluggable transport [ 206 ] , which not only is the most-used transport and the one marked “recommended” in the interface, but also has properties that help in our experiment. The content obfuscation of obfs4 reduces the risk of its passive detection. More importantly, it resists active probing attacks as described in Chapter 4 . We could not have done the experiment with obfs3 bridges, because whether default or not, active probing would cause them to be blocked shortly after their first use.

Bridges are identified by a nickname and a port number. The nickname is an arbitrary identifier, chosen by the bridge operator. So, for example, “ndnop3:24215” is one bridge, and “ndnop3:10527” is another on the same IP address. We pulled the list of bridges from Tor Browser and Orbot, which is the port of Tor for Android. Tor Browser and Orbot mostly shared bridges in common, though there were a few Orbot-only bridges. A list of the bridges and other destinations we measured appears in Table 5.1 . Along with the fresh bridges, we tested some existing bridges for comparison purposes.

There are four stages in the process of deploying a new default bridge. At the beginning, the bridge is secret, perhaps having been discussed on a private mailing list. Each successive stage of deployment makes the bridge more public, increasing the number of places where a censor may look to discover it. The whole process takes a few days to a few weeks, mostly depending on Tor Browser’s release schedule.

The process begins with the filing of a ticket in Tor’s public issue tracker. The ticket includes the bridge’s IP address. A censor that pays attention to the issue tracker could discover bridges as early as this stage.

After review, the ticket is merged and the new bridge is added to the source code of Tor Browser. From there it will begin to be included in nightly builds. A censor that reads the bridge configuration file from the source code repository, or downloads nightly builds, could discover bridges at this stage.

Just prior to a public release, Tor Browser developers send candidate builds to a public mailing list to solicit quality assurance testing. A censor that follows testing releases would find ready-made executables with embedded bridges at this stage. Occasionally the developers skip the testing period, such as in the case of an urgent security release.

After testing, the releases are made public and announced on the Tor Blog. A censor could learn of bridges at this stage by reading the blog and downloading executables. This is also the stage at which the new bridges begin to have an appreciable number of users. There are two release tracks of Tor Browser: stable and alpha. Alpha releases are distinguished by an ‘a’ in their version number, for example 6.5a4. According to Tor Metrics [ 180 ] , stable downloads outnumber alpha downloads by a factor of about 30 to 1.

We advised operators to configure their bridges so that they would not become public except via the four stages described above. Specifically, we made sure the bridges did not appear in BridgeDB [ 181 ] , the online database of secret bridges, and that the bridges did not expose any transports other than obfs4. We wanted to ensure that any blocking of bridges could only be the result of their status as default bridges, and not a side effect of some other detection system.

5.2 Results from China

We had access to probe sites in China for just over a year, from December 2015 to January 2017. Due to the difficulty of getting access to hosts in China, we used four different IP addresses (all in the same autonomous system) at different points in time. The times during which we had control of each IP address partially overlap, but there is a 21-day gap in the measurements during August 2016.

Our observations in China turned up several interesting behaviors of the censor. Throughout this section, refer to Figure 5.2 , which shows the timeline of reachability of every bridge, in context with dates related to tickets and releases. Circled references in the text ( ⓐ , ⓑ , etc.) refer to marked points in the figure. A “batch” is a set of Tor Browser releases that all contained the same default bridges.

The most significant single event—covered in detail in Section 5.2.7 —was a change in the censor’s detection and blocking strategy in October 2016. Before that date, blocking was port-specific and happened only after the “public release” stage. After, bridges began to be blocked on all ports simultaneously, and were blocked soon after the “ticket merged” stage. We believe that this change reflects a shift in how the censor discovered bridges, a shift from running the finished software to see what addresses it accesses, to extracting the addresses from source code. More details and evidence appear in the following subsections.

5.2.1 Per-port blocking

In the first few release batches, the censor blocked individual ports, not an entire IP address. For example, see point ⓐ in Figure 5.2 : after ndnop3:24215 was blocked, we opened ndnop3:10527 on the same IP address. The alternate port remained reachable until it, too, was blocked in the next release batch. We used this technique of rotating ports in several release batches.

Per-port blocking is also evident in the continued reachability of non-bridge ports. For example, many of the bridges had an SSH port open, in addition to their obfs4 ports. After riemann:443 (obfs4) was blocked (point ⓒ in Figure 5.2 ), riemann:22 (SSH) remained reachable for a further nine months, until it was finally blocked at point ⓜ . Per-port blocking would give way to whole-IP blocking in October 2016.

5.2.2 Blocking only after public release

In the first six batches, blocking occurred only after public release—despite the fact that the censor could potentially have learned about and blocked the bridges in an earlier stage. In the 5.5.5/6.0a5/6.0 batch, the censor even seems to have missed the 5.5.5 and 6.0a5 releases (point ⓔ in Figure 5.2 ), only blocking after the 6.0 release, 36 days later. This observation hints that, before October 2016 anyway, the censor was somehow extracting bridge addresses from the release packages themselves. In subsections 5.2.3 and 5.2.6 we present more evidence that supports the hypothesis that the censor extracted bridge addresses only from public releases, not reacting at any earlier phase.

An evident change in blocking technique occurred around October 2016 with the 6.0.6/6.5a4 batch, when for the first time bridge were blocked before a public or testing release was available. The changed technique is the subject of Section 5.2.7 .

5.2.3 Simultaneous blocking of all bridges in a batch

The first five blocking incidents were single events: when a batch contained more than one bridge, all were blocked at the same time; that is, within one of our 20-minute probing periods. These incidents appear as crisp vertical columns of blocking icons in Figure 5.2 , for example at point ⓒ . This fact supports the idea that the censor discovered bridges by examining released executables directly, and did not, for example, detect bridges one by one by examining network traffic.

The 6.0.5/6.5a3 batch is an exception to the pattern of simultaneous blocking. In that batch, one bridge (LeifEricson:50000) was already blocked, three were blocked simultaneously as in the previous batches, but two others (GreenBelt:5881 and Azadi:4319) were temporarily unscathed. At the time, GreenBelt:5881 was experiencing a temporary outage—which could explain why it was not blocked—but Azadi:4319 was operational. This specific case is discussed further in Section 5.2.6 .

5.2.4 Variable delays before blocking

During the time when the censor was blocking bridges simultaneously after a public release, we found no pattern in the length of time between the release and the blocking event. The blocking events did not seem to occur after a fixed length of time, nor did they occur on the same day of the week or at the same time of day. The delays were 7, 2, 18, 10, 35, and 6 days after a batch’s first public release—up to 57 days after the filing of the first ticket. Recall from Section 4.3 that the firewall was even at that time capable of detecting and blocking secret bridges within minutes. Delays of days or weeks stand out in contrast.

5.2.5 Inconsistent blocking and failures of blocking

There is a conspicuous on–off pattern in the reachability of certain bridges from China, for example in ndnop3:24215 throughout February, March, and April 2016 (point ⓑ in Figure 5.2 ). Although the censor no doubt intended to block the bridge fully, 47% of connection attempts were successful during that time. On closer inspection, we find that the pattern is roughly periodic with a period of 24 hours. The pattern may come and go, for example in riemann:443 before and after March 27, 2016 . The predictable daily variation in reachability rates makes us think that, at least at the times under question, the Great Firewall’s effectiveness was dependent on load—varying load at different times of day leads to varying bridge reachability.

Beyond the temporary reachability of individual bridges, we also see what are apparent temporary failures of firewall, making all bridges reachable for hours or days at a time. Point ⓓ in Figure 5.2 marks such a failure. All the bridges under test, including those that had already been blocked, became available between 10:00 and 18:00 UTC on March 27, 2016 . Further evidence that these results indicate a failure of the firewall come from a press report [ 101 ] that Google services—normally blocked in China—were also unexpectedly available on the same day, from about 15:30 to 17:15 UTC. A similar pattern appears across all bridges for nine hours starting on June 28, 2016 at 17:40 UTC .

After the switch to whole-IP blocking, there are further instances of spotty and inconsistent censorship, though of a different nature. Several cases are visible near point ⓙ in Figure 5.2 . It is noteworthy that not all ports on a single host are affected equally. For example, the blocking of GreenBelt is inconsistent on ports 5881 and 12166, but it is solidly blocked on ports 80, 443, 7013, and 60873. Similarly, Mosaddegh’s ports 1984 and 15937 are intermittently reachable, in the exact same pattern, while ports 80, 443, 2934, and 9332 remain blocked. These observations lead us to suspect a model of two-tiered blocking: one tier for per-port blocking, and a separate tier for whole-IP blocking. If there were a temporary failure of the whole-IP tier, any port not specifically handled by the per-port tier would become reachable.

5.2.6 Failure to block all new bridges in a batch

The 6.0.5/6.5a2 release batch was noteworthy in several ways. Its six new bridges were all fresh ports on already-used IP addresses. For the first time, not all bridges were blocked simultaneously. Only three of the bridges—Mosaddegh:2934, MaBishomarim:2413, and JonbesheSabz:1894—were blocked in a way consistent with previous release batches. Of the other three:

LeifEricson:50000 had been blocked since we began measuring it. The LeifEricson IP address is one of the oldest in the browser. We suspect the entire IP address had been blocked at some point. We will have more to say about LeifEricson in Section 5.2.8 .
GreenBelt:5881 (point ⓕ ) was offline at the time when other bridges in the batch were blocked. We confirmed this fact by talking with the bridge operator and through control measurements: the narrow band in Figure 5.2 shows that connection attempts were timing out not only from China, but also from the U.S. The bridge became reachable again from China as soon as it came back online.
Azadi:4319 (point ⓖ ), in contrast, was fully operational at the time of the other bridges’ blocking, and the censor nevertheless failed to block it.

We take from the failure to block GreenBelt:5881 and Azadi:5881 that the censor, as late as September 2016, was most likely not discovering bridges by inspecting the bridge configuration file in the source code, because if it had been, it would not have missed two of the bridges in the list. Rather, we suspect that the censor used some kind of network-level analysis—perhaps running a release of Tor Browser in a black-box fashion, and making a record of all addresses it connected to. This would explain why GreenBelt:5881 was not blocked (it couldn’t be connected to while the censor was harvesting bridge addresses) and could also explain why Azadi:4319 was not blocked (Tor does not try every bridge simultaneously, so it simply may not have tried to connect to Azadi:4319 in the time the censors allotted for the test). It is consistent with the observation that bridges were not blocked before a release: the censor’s discovery process needed a runnable executable.

Azadi:4319 remained unblocked even after an additional port on the same host was blocked in the next release batch. This tidbit will enable us, in the next section, to fairly narrowly locate the onset of bridge discovery based on parsing the bridge configuration file in October 2016.

5.2.7 A switch to blocking before release

The 6.0.6/6.5a4 release batch marked two major changes in the censor’s behavior:

For the first time, newly added bridges were blocked before a release. (Not counting LeifEricson, an old bridge which we had never been able to reach from China.)
For the first time, new blocks affected more than one port. (Again not counting LeifEricson.)

The 6.0.6/6.5a4 batch contained eight new bridges. Six were new ports on previously used IP addresses (including LeifEricson:50001, which we expected to be already blocked, but included for completeness). The other two—Lisbeth:443 and NX01:443—were fresh IP addresses. However one of the new bridges, NX01:443, had a twist: we left it commented out in the bridge configuration file, thus:

pref(..., "obfs4 192.95.36.142:443 ..."); // Not used yet // pref(..., "obfs4 85.17.30.79:443 ...");

Six of the bridges—all but the exceptional LeifEricson:50000 and NX01:443—were blocked, not quite simultaneously, but within 13 hours of each other (see point ⓗ in Figure 5.2 ). The blocks happened 14 days (or 22 days in the case of Lisbeth:443 and NX01:443) after ticket merge, and 27 days before the next public release.

We hypothesize that this blocking event indicates a change in the censor’s technique, and that in October 2016 the Great Firewall began to discover bridge addresses either by examining newly filed tickets, or by inspecting the bridge configuration file in the source code. A first piece of evidence for the hypothesis is that the bridges were blocked at a time when they were present in the bridge configuration file, but had not yet appeared in a release. The presence of the never-before-seen Lisbeth:443 in the blocked set removes the possibility that the censor spontaneously decided to block additional ports on IP addresses it already knew about, as does the continued reachability of certain blocked bridges on further additional ports.

A second piece of evidence comes from a careful scrutiny of the timelines of the Azadi:4319 and Azadi:6041 bridges. As noted in Section 5.2.6 , Azadi:4316 had unexpectedly been left unblocked in the previous release batch, and it remained so, even after Azadi:6041 was blocked in this batch.

New Tor Browser default obfs4 bridges
ndnop3	:	24215, 10527
ndnop5	:	13764
riemann	:	443
noether	:	443
Mosaddegh	:	41835, 80, 443, 2934, 9332, 15937
MaBishomarim	:	49868, 80, 443, 2413, 7920, 16488
GreenBelt	:	60873, 80, 443, 5881, 7013, 12166
JonbesheSabz	:	80, 1894, 4148, 4304
Azadi	:	443, 4319, 6041, 16815
Lisbeth	:	443
NX01	:	443
LeifEricson	:	50000, 50001, 50002
cymrubridge31	:	80
cymrubridge33	:	80
Orbot-only default obfs4 bridges
Mosaddegh	:	1984
MaBishomarim	:	1984
JonbesheSabz	:	1984
Azadi	:	1984
Already existing default bridges
LeifEricson	:	41213 (obfs4)
fdctorbridge01	:	80 (FTE)
Never-published bridges
ndnop4	:	27668 (obfs4)

	September	Azadi:4319 enters the source code
	September	Azadi:4319 appears in public release 6.0.5
	October	Azadi:4319 is deleted from the source code, and Azadi:6041 is added
	October	Azadi:6041 (among others) is blocked
	November	Azadi:6041 appears in public release 6.0.6

The same ticket that removed Azadi:4319 on October 6 also added Azadi:6041. On October 20 when the bridges were blocked, Azadi:4319 was gone from the bridge configuration file, having been replaced by Azadi:6041. It appears that the yet-unused Azadi:6041 was blocked merely because it appeared in the bridge configuration file, even though it would have been more beneficial to the censor to instead block the existing Azadi:4319, which was still in active use.

The Azadi timeline enables us to locate fairly narrowly the change in bridge discovery techniques. It must have happened during the two weeks between October 6 and October 20, 2016 . It cannot have happened before October 6 , because at that time Azadi:4319 was still listed, which would have gotten it blocked. And it cannot have happened after October 20 , because that is when bridges listed in the file were first blocked.

A third piece of evidence supporting the hypothesis that the censor began to discover bridges through the bridge configuration file is its treatment of the commented-out bridge NX01:443. The bridge was commented out in the 6.0.6/6.5a4 batch, in which it remained unblocked, and uncommented in the following 6.0.8/6.5a6 batch. The bridge was blocked four days after the ticket uncommenting it was merged, which was still 11 days before the public release in which it was to have become active (see point ⓘ in Figure 5.2 ).

5.2.8 The onset of whole-IP blocking

The blocking event of October 20, 2016 was noteworthy not only because it occurred before a release, but also because it affected more than one port on some bridges. See point ⓗ in Figure 5.2 . When GreenBelt:7013 was blocked, so were GreenBelt:5881 (which had escaped blocking in the previous batch) and GreenBelt:12166 (which was awaiting deployment in the next batch). Similarly, when MaBishomarim:7920 and JonbesheSabz:4148 were blocked, so were the Orbot-reserved MaBishomarim:1984 and JonbesheSabz:1984 (point ⓚ ), ending an eight-month unblocked streak.

The blocking of Mosaddegh:9332 and Azadi:6041 also affected other ports, though after a delay of some days. We do not have an explanation for why some multiple-port blocks took effect faster than others. The SSH port riemann:22 was blocked at about the same time (point ⓜ ), 10 months after the corresponding obfs4 port riemann:443 had been blocked; there had been no changes to the riemann host in all that time. We suspected that the Great Firewall might employ a threshold scheme: once a certain number of individual ports on a particular IP address have been blocked, go ahead and block the entire IP address. But riemann with its single obfs4 port is a counterexample to that idea.

The Great Firewall has been repeatedly documented to block individual ports (or small ranges of ports), for example in 2006 by Clayton et al. [ 31 §6.1 ] , in 2012 by Winter and Lindskog [ 199 §4.1 ] , and in 2015 by Ensafi et al. [ 60 §4.2 ] . The onset of all-ports blocking is therefore somewhat surprising. Worth nothing, though, is that Wang et al. [ 189 §7.3 ] , in another test of active probing in May 2017, also found that newly probed bridges became blocked on all ports. The change we saw in October 2016 may therefore be a sign of a more general change in tactics.

This was the first time we saw blocking of multiple ports on bridges that had been introduced during our measurements. LeifEricson may be an example of the same phenomenon happening in the past, before we even began our experiment. The host LeifEricson had, since February 2014, been running bridges on multiple ports, and obfs4 on port 41213 since October 2014. LeifEricson:41213 remained blocked (except intermittently) throughout the entire experiment (see point ⓛ in Figure 5.2 ). We asked its operator to open additional obfs4 ports so we could rotate through them in successive releases; when we began testing them on August 30, 2016 , they were all already blocked. To confirm, on October 4 we asked the operator privately to open additional, randomly selected ports, and they too were blocked, as was the SSH port 22.

In Section 5.2.5 , we observed that ports that had been caught up in whole-IP blocking exhibited different patterns of intermittent reachability after blocking, than did those ports that had been blocked individually. We suspected that a two-tiered system made certain ports double-blocked—blocked both by port and by IP address—which would make their blocking robust to a failure of one of the tiers. The same pattern seems to happen with LeifEricson. The newly opened ports 50000, 50001, and 50002 share brief periods of reachability in September and October 2016, but port 41213 during the same time remained solidly down.

5.2.9 No discovery of Orbot bridges

Orbot, the version of Tor for Android, also includes default bridges. It has its own bridge configuration file, similar to Tor Browser’s, but in a different format. Most of Orbot’s bridges are borrowed from Tor Browser, so when a bridge gets blocked, it is blocked for users of both Orbot and Tor Browser.

There were, however, a few bridges that were used only by Orbot (see the “Orbot bridges” batch in Figure 5.2 ). They were only alternate ports on IP addresses that were already used by Tor Browser, but they remained unblocked for over eight months, even as the ports used by Tor Browser were blocked one by one. The Orbot-only bridges were finally blocked—see point ⓚ in Figure 5.2 —as a side effect of the whole-IP blocking that began in October 2016 ( Section 5.2.8 ). (All of the Orbot bridges suffered outages, as Figure 5.2 shows, but they were the result of temporary misconfigurations, not blocking. They were unreachable during those outages from the control site as well.)

These results show that whatever mechanism the censor had for discovering and blocking the default bridges of Tor Browser, it lacked for discovering and blocking those of Orbot. Again we have a case of our assumptions not matching reality—blocking that should be easy to do, and yet is not done. A lesson is that there is a benefit to some degree of compartmentalization between sets of default bridges. Even though they are all, in theory, equally easy to discover, in practice the censor has to build separate automation for each set.

5.2.10 Continued blocking of established bridges

We monitored some bridges that were already established and had been distributed before we began our experiments. As expected, they were already blocked at the beginning, and remained so (point ⓛ in Figure 5.2 ).

5.2.11 No blocking of unused bridges

As a control measure, we reserved a bridge in secret. ndnop4:27668 (see point ⓝ in Figure 5.2 ) was not published, neither in Tor Browser’s bridge configuration file, nor in BridgeDB. As expected, it was never blocked.

5.3 Results from Iran

We had a probe site in Iran from December 2015 to June 2016, a virtual private server, which a personal contact could only provide for us for a limited time.

In contrast to the situation in China, in Iran we found no evidence of blocking. See Figure 5.3 . Although there were timeouts and refused connections, they were the result of failures at the bridge side, as confirmed by a comparison with control measurements. This, despite the fact that Iran is a notorious censor [ 14 ] , and has in the past blocked Tor directory authorities [ 7 ] .

It seems that Iran has overlooked the blocking of default bridges. Tor Metrics shows thousands of simultaneous bridge users in Iran since 2014 [ 178 ] , so it is unlikely that the bridges were simply blocked in a way that our probing script could not detect. However, in Kazakhstan we did find such situation, with bridges being effectively blocked despite the firewall allowing TCP connections to them.

5.4 Results from Kazakhstan

We had a single probe site in Kazakhstan between December 2016 and May 2017. It was a VPN node with IP address 185.120.77.110 . It was in AS 203087, which belongs to GoHost.kz, a Kazakh hosting provider. The flaky VPN connection left us with two extended gaps in measurements.

The bridge blocking in Kazakhstan had a different nature than that which we observed in China. Refer to Figure 5.4 : every measurement agreed with the control site, with the sole exception of LeifEricson:41213 (not shown), which was blocked as it had been in China. However there had been reports of the blocking of Tor and pluggable transports since June 2016 [ 88 §obfs blocking ] . The reports stated that the TCP handshake would succeed, but the connection would stall (with no packets received from the bridge) a short time after the connection was underway.

We deployed an additional probing script in Kazakhstan. This one tried not only to make a TCP connection, but also establish a full obfs4 connection and build a Tor circuit. Tor reports its connection progress as a “bootstrap” percentage: progression from 0% to 100% involves first making an obfs4 connection, then downloading directory information and the consensus, and finally building a circuit. Figure 5.5 shows the results of the tests. What we found was consistent with reports: despite being reachable at the TCP layer, some bridges would fail bootstrapping at 10% (e.g., Mosaddegh:80 and GreenBelt:80) or 25% (e.g., Mosaddegh:443 and GreenBelt:443). For three of the bridges (Mosaddegh:9332, Lisbeth:443, and NX01:443) we caught the approximate moment of blocking. Initially they bootstrapped to 100% and agreed with the control, but later they reached only 25% and disagreed with the control. Incidentally, these results suggest that Kazakhstan, too, blocks on a per-port basis, because for a time Mosaddegh:80 and Mosaddegh:443 were blocked while Mosaddegh:9332 was unblocked. Two more bridges (cymrubridge31:80 and cymrubridge33:80) remained unblocked.

ndnop3:10527 and ndnop5:13764, in the 5.5/6.0a1 batch, are a special case. Their varying bootstrap percentages were caused by a misconfiguration on the bridge itself (a file descriptor limit was set too low). Even from the control site in the U.S., connections would fail to bootstrap to 100% about 35% of the time. Still, it appears that both bridges were also blocked in Kazakhstan, because from the control site the bootstrap percentage would oscillate between 10% and 100%; while from Kazakhstan it would oscillate between 10% to 25%.

The bridges in the 6.0.6/6.5a4 and 6.0.8/6.5a6 batches were blocked on or around January 26, 2017 . This sets the blocking delay at either 71 or 43 days after public release, depending on which release you compare against.

Chapter 6 Domain fronting

Domain fronting is a general-purpose circumvention technique based on HTTPS. It disguises the true destination of a client’s messages by routing them through a large web server or content delivery network that hosts many web sites. From the censor’s point of view, messages appear to go not to their actual (presumably blocked) destination, but to some other front domain , one whose blocking would result in high collateral damage. Because (with certain caveats) the censor cannot distinguish domain-fronted HTTPS requests from ordinary HTTPS requests, it cannot block circumvention without also blocking the front domain. Domain fronting primarily addresses the problem of detection by address ( Section 2.3 ), but also deals with detection by content ( Section 2.2 ) and active probing ( Chapter 4 ). Domain fronting is today an important component of many circumvention systems.

The core idea of domain fronting is the use of different domain names at different protocol layers. When you make an HTTPS request, the domain name of the server you’re trying to access normally appears in three places that are visible to the censor:

the DNS query
the client’s TLS Server Name Indication (SNI) extension [ 59 §3 ]
the server’s TLS certificate [ 42 §7.4.2 ]

and in one place that is not visible to the censor, because it is encrypted:

the HTTP Host header [ 65 §5.4 ]

In a normal request, the same domain name appears in all four places, and all of them except for the Host header afford the censor an easy basis for blocking. The difference in a domain-fronted request is that the domain name in the Host header, on the “inside” of the request, is not the same as the domain that appears in the other places, on the “outside.” Figure 6.1 shows the first steps of a client making a domain-fronted request.

The SNI extension and the Host header serve similar purposes. They both enable virtual hosting, which is when one server handles requests for multiple domains. Both fields allow the client to tell the server which domain it wants to access, but they work at different layers. The SNI works at the TLS layer, telling the server which certificate to send. The Host header works at the HTTP layer, telling the server what contents to serve. It is something of an accident that these two partially redundant fields both exist. Before TLS, virtual hosting required only the Host header. The addition of TLS creates a chicken-and-egg problem: the client cannot send the Host header until the TLS handshake is complete, and the server cannot complete the TLS handshake without knowing which certificate to send. The SNI extension resolves the deadlock by sending the domain name in plaintext in the TLS layer. Domain fronting takes advantage of decoupling the two normally coupled values. It relies on the server decrypting the TLS layer and throwing it away, then routing requests according to the Host header.

Virtual hosting, in the form of content delivery networks (CDNs), is now common. A CDN works by placing an “edge server” between the client and the destination, called an “origin server” in this context. When the edge server receives an HTTP request, it forwards the request to the origin server named by the Host header. The edge server receives the response from the origin server and forwards it back to the client. The edge server is effectively a proxy: the client never contacts the destination directly, but only through the intermediary CDN, which foils address-based blocking of the destination the censor may have imposed. Domain fronting also works on application hosting services like Google App Engine, because one can upload a simple application that emulates a CDN. The contents of the client’s messages, as well as the domain name of the true destination, are protected by TLS encryption. The censor may, in an attempt to block domain fronting, block CDN edge servers or the front domain, but only at the cost of blocking all other, non-circumvention-related traffic to those addresses, with whatever collateral damage that entails.

Domain fronting may be an atypical use of HTTPS, but it is not a way to get free CDN service. A CDN does not forward requests to arbitrary domains, only to domains belonging to one of its customers. Setting up domain fronting requires becoming a customer of a CDN and paying for service—and the cost can be high, as Section 6.3 shows.

It may seem at first that domain fronting is only useful for accessing HTTPS web sites, and then only when they are hosted on a CDN. But extending the idea to work with arbitrary destinations only requires the minor additional step of running an HTTPS-based proxy server and hosting it on the web service in question. The CDN forwards to the proxy, which then forwards to the destination. Domain fronting shields the address of the proxy, which does not pose enough risk of collateral damage, on its own, to resist blocking. Exactly this sort of HTTPS tunneling underlies meek, a circumvention system based on domain fronting that is discussed further in Section 6.2 .

One of the best features of domain fronting is that it does not require any secret information, completely bypassing the proxy distribution problem ( Section 2.3 ). The address of the CDN edge server, the address of the proxy hidden behind it, the fact that some fraction of traffic to the edge server is circumvention—all of these may be known by the censor, without diminishing the system’s blocking resistance. This is not to say, of course, that domain fronting is impossible to block—as always, a censor’s capacity to block depends on its tolerance for collateral damage. But the lack of secrecy makes the censor’s choice stark: allow circumvention, or block a domain. This is the way to think about circumvention in general: not “can it be blocked?” but “what does it cost to block?”

6.1 Work related to domain fronting

Date: Wed Aug 29 21:30:46 2012 +0800 merge 2.0 code --> Earlier in 2012, Bryce Boe wrote a blog post [ 17 ] outlining how to use Google App Engine as a proxy, and suggested that sending a false SNI could bypass SNI whitelisting. Even farther back, in 2004, when HTTPS and CDNs were less common, Köpsell and Hillig [ 120 §5.2 ] foresaw the possibilities of a situation such as exists today: “Imagine that all web pages of the United States are only retrievable (from abroad) by sending encrypted requests to one and only one special node. Clearly this idea belongs to the ‘all or nothing’ concept because a blocker has to block all requests to this node.”

Refraction networking is the name for a class of circumvention techniques that share similarities with domain fronting. The idea was introduced in 2011 with the designs Cirripede [ 104 ] , CurveBall [ 112 ] , and Telex [ 203 ] . In refraction networking, it is network routers that act as proxies, lying at the middle of network paths rather than at the ends. The client “tags” its messages in a way that the censor cannot detect (analogously to the way the Host header is encrypted in domain fronting). When the router finds a tagged message, it shunts the message away from its nominal destination and towards some other, covert destination. Refraction networking derives its blocking resistance from the collateral damage that would result from blocking the cover channel (typically TLS) or the refraction-capable network routers. Refraction networking has the potential to be the basis of exceptionally high-performance circumvention, as a test deployment in Spring 2017 demonstrated [ 94 ] .

CloudTransport [ 23 ] , proposed in 2014, is like domain fronting in many respects. It uses HTTPS to a shared server (in this case a cloud storage server). The specific storage area being accessed—what the censor would like to know—is encrypted, so the censor cannot block CloudTransport without blocking the storage service completely.

In 2015 I published a paper on domain fronting [ 89 ] with Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. In it, we described the experience of deploying domain fronting on Tor, Lantern [ 121 ] , and Psiphon [ 157 ] , and began an investigation into side channels, such as packet size and timing, that a censor might use to detect domain fronting. The Tor deployment, called meek, is the subject of Sections 6.2 and 6.3 .

Later in 2015 there were a couple of papers on the detection of circumvention transports, including meek. Tan et al. [ 174 ] measured the Kullback–Leibler divergence between the distributions of packet size and packet timing in different protocols. (The paper is written in Chinese and my understanding of it is based on an imperfect translation.) Wang et al. [ 186 ] built classifiers for meek among other protocols using entropy, timing, and transport-layer features. They emphasized practical classifiers and tested their misclassification rates against real traffic traces.

6.2 A pluggable transport for Tor

I am the main author and maintainer of meek, a pluggable transport for Tor based on domain fronting. meek uses domain-fronted HTTP POST requests as the primitive operation to send or receive chunks of data up to a few kilobytes in size. The intermediate CDN receives domain-fronted requests and forwards them to a Tor bridge. Auxiliary programs on the client and the bridge convert the sequence of HTTP requests to the byte stream expected by Tor. The Tor processes at either end are oblivious to the domain-fronted that is going on between them. Figure 6.2 shows how the components and protocol layers interact.

When the client has something to send, it issues a POST request with data in the body; the server sends data back in the body of its responses. HTTP/1.1 does not provide a way for a server to preemptively push data to a client, so the meek server buffers its outgoing data until it receives a request, then includes the buffered data in the body of the HTTP response. The client must poll the server periodically, even when it has nothing to send, to give the server an opportunity to send back whatever buffered data it may have. The meek server must handle multiple simultaneous clients. Each client, at the beginning of a session, generates a random session identifier string and sends it with its requests in a special X-Session-Id HTTP header. The server maintains separate connections to the local Tor process for each session identifier. Figure 6.3 shows a sequence of requests and responses.

meek client		meek server
	→
	←
	→
	←

Even with domain fronting to hide the destination request, a censor may try to distinguish circumventing HTTPS connections by their TLS fingerprint. TLS implementations have a lot of latitude in composing their handshake messages, enough that it is possible to distinguish different TLS implementations through passive observation. For example, the Great Firewall used Tor’s TLS fingerprint for detection as early as 2011 [ 48 ] . For this reason, meek strives to make its TLS fingerprint look like that of a browser. It does this by relaying its HTTPS requests through a local headless browser (which is completely separate from the browser that the user interacts with).

meek first appeared in Tor Browser in October 2014 [ 153 ] , and continues in operation to the present. It is Tor’s second-most-used transport (behind obfs4) [ 176 ] . The next section is a detailed history of its deployment.

6.3 An unvarnished history of meek deployment

Fielding a circumvention system and keeping it running is full of unexpected challenges. At the time of the publication of the domain fronting paper [ 89 ] in 2015, meek had been deployed for only a year and a half. Here I will recount the history of the project from its inception to the present, a period of four years. As the main developer and project leader, I have a unique perspective that I hope to share. As backdrops to the narrative, Figure 6.4 shows the estimated concurrent number of users of meek over its existence, and Table 6.5 shows the monthly cost to run it.

		Google	Amazon	Azure	total
2014		$0.00	—	—	$0.00
		$0.09	—	—	$0.09
		$0.00	—	—	$0.00
		$0.73	—	—	$0.73
		$0.69	—	—	$0.69
		$0.65	—	—	$0.65
		$0.56	$0.00	—	$0.56
		$1.56	$3.10	—	$4.66
		$4.02	$4.59	$0.00	$8.61
		$40.85	$130.29	$0.00	$171.14
		$224.67	$362.60	$0.00	$587.27
		$326.81	$417.31	$0.00	$744.12
	total	$600.63	$917.89	$0.00	$1,518.52
		Google	Amazon	Azure	total
2015		$464.37	$669.02	$0.00	$1,133.39
		$650.53	$604.83	$0.00	$1,255.36
		$690.29	$815.68	$0.00	$1,505.97
		$886.43	$785.37	$0.00	$1,671.80
		$871.64	$896.39	$0.00	$1,768.03
		$601.83	$820.00	$0.00	$1,421.83
		$732.01	$837.08	$0.00	$1,569.09
		$656.76	$819.59	$154.89	$1,631.24
		$617.08	$710.75	$490.58	$1,818.41
		$672.01	$110.72	$300.64	$1,083.37
		$602.35	$474.13	$174.18	$1,250.66
		$561.29	$603.27	$172.60	$1,337.16
	total	$8,006.59	$8,146.83	$1,292.89	$17,446.31
		Google	Amazon	Azure	total
2016		$771.17	$1,581.88	$329.10	$2,682.15
		$986.39	$977.85	$445.83	$2,410.07
		$1,079.49	$865.06	$534.71	$2,479.26
		$1,169.23	$1,074.25	$508.93	$2,752.41
		$525.46	$1,097.46	$513.56	$2,136.48
		—	$1,117.67	$575.50	$1,693.17
		—	$1,121.71	$592.47	$1,714.18
		—	$1,038.62	$607.13	$1,645.75
		—	$932.22	$592.92	$1,525.14
		—	$1,259.19	$646.00	$1,905.19
		—	$1,613.00	$597.76	$2,210.76
		—	$1,569.84	$1,416.10	$2,985.94
	total	$4,531.74	$14,248.75	$7,360.01	$26,140.50
		Google	Amazon	Azure	total
2017		—	$1,550.19	$1,196.28	$2,746.47
		—	$1,454.68	$960.01	$2,414.69
		—	$2,298.75	?	$2,298.75
		—	?	?	?
		—	?	?	?
		—	?	?	?
		—	?	?	?
		—	?	?	?
		—	?	?	?
		—	?	?	?
		—	?	?	?

	total	—	$5,303.62	$2,156.29	$7,459.91
grand total		$13,138.96	$28,617.09	$10,809.19	$52,565.24

2013 : Precursors; prototypes

The prehistory of meek begins in 2013 with flash proxy [ 84 ] , a circumvention system built around web browser–based proxies. Flash proxy clients need a secure rendezvous, a way to register their address to a central facilitator, so that flash proxies may connect back to them. Initially there were only two means of registration: flashproxy-reg-http, which sent client registrations as HTTP requests; and flashproxy-reg-email, which sent client registrations to a distinguished email address. We knew that flashproxy-reg-http was easily blockable; flashproxy-reg-email had good blocking resistance but was somewhat slow and complicated, requiring a server to poll for new messages. At some point, Jacob Appelbaum showed me an example of using domain fronting—though we didn’t have a name for it then—to access a simple HTML-rewriting proxy based on Google App Engine. I eventually realized that the same trick would work for flash proxy rendezvous. I proposed a design [ 21 ] in May 2013 and within a month Arlo Breault had written flashproxy-reg-appspot, which worked just like flashproxy-reg-http, except that it fronted through www.google.com rather than contacting the registration server directly. The fronting-based registration became flash proxy’s preferred registration method, being faster and simpler than the email-based one.

The development of domain fronting, from a simple rendezvous technique to a full-fledged bidirectional transport, seems slow in retrospect. All the pieces were there; it was a matter of putting them together. I did not immediately appreciate the potential of domain fronting when I first saw it. Even after the introduction of flashproxy-reg-appspot, months passed before the beginning of meek. The whole idea behind flash proxy rendezvous is that the registration channel can be of low quality—unidirectional, low-bandwidth, and high-latency—because it is only used to bootstrap into a more capable channel (WebSocket, in flash proxy’s case). Email fits this model well: not good for a general-purpose channel, but just good enough for rendezvous. The fronting-based HTTP channel, however, was more capable than needed for rendezvous, being bidirectional and reasonably high-performance. Rather than handing off the client to a flash proxy, it should be possible to carry all the client’s traffic through the same domain-fronted channel. It was around this time that I first became aware of the circumvention system GoAgent through the “Collateral Freedom” [ 163 ] report of Robinson et al. GoAgent used an early form of domain fronting, issuing HTTP requests directly from a Google App Engine server. According to the report, GoAgent was the most used circumvention tool among a group of users in China. I read the source code of GoAgent in October 2013 and wrote ideas about writing a similar pluggable transport [ 73 ] , which would become meek.

I dithered for a while over what to call the system I was developing. Naming things is the worst part of software engineering. My main criteria were that the name should not sound macho, and that it should be easier to pronounce than “obfs.” I was self-conscious that the idea at the core of the system, domain fronting was a simple one and easy to implement. Not wanting to oversell it, I settled on the name “meek,” in small letters for extra meekness.

I lost time in the premature optimization of meek’s network performance. I was thinking about the request–response nature of HTTP, and how requests and responses could conceivably arrive out of order (even if reordering was unlikely to occur in practice, because of keepalive connections and HTTP pipelining). I made several attempts at a TCP-like reliability and sequencing layer, none of which were satisfactory. I wrote a simplified experimental prototype called “meeker,” which simply prepended an HTTP header before the client and server streams, but meeker only worked for direct connections, not through an HTTP-aware intermediary like App Engine. When I explained these difficulties to George Kadianakis in December 2013, he advised me to forget the complexity and implement the simplest thing that could work, which was good advice. I started implementing a version that strictly serialized HTTP requests and responses.

2014 : Development; collaboration; deployment

According to the Git revision history, I started working on the source code of meek proper on January 26, 2014 . I made the first public announcement on January 31, 2014 , in a post to the tor-dev mailing list titled “A simple HTTP transport and big ideas” [ 66 ] . (If the development time seems short, it’s only because months of prototypes and false starts cleared the way.) In the post, I linked to the source code, described the protocol, and explained how to try it, using an App Engine instance I set up shortly before. At this time there was no web browser TLS camouflage, and only App Engine was supported. I was not yet using the term “domain fronting.” The big ideas of the title were as follows: we could run one big public bridge rather than relying on multiple smaller bridges as other transports did; a web server with a PHP “reflector” script could take the place of a CDN, providing a diversity of access points even without domain fronting; we could combine meek with authentication and serve a 404 to unauthenticated users; and Cloudflare and other CDNs are alternatives to App Engine. We did end up running a public bridge for public benefit (and later worrying over how to pay for it), and deploying on platforms other than App Engine (with Tor we use other CDNs, but not Cloudflare specifically). Arlo Breault would write a PHP reflector, though there was never a repository of public meek reflectors as there were for other types of Tor bridges. Combining meek with authentication never happened; it was never needed for our public domain-fronted instances because active probing doesn’t help the censor in those cases anyway.

During the spring 2014 semester (January–May) I was enrolled in Vern Paxson’s Internet/Network Security course along with fellow student Chang Lan. We made the development and security evaluation of meek our course project. During this time we built browser TLS camouflage extensions, tested and polished the code, and ran performance tests. Our final report, “Blocking-resistant communication through high-value web services,” became the kernel of our later research paper.

I began the process of getting meek integrated into Tor Browser in February 2014 [ 85 ] . The initial integration would be completed in August 2014. In the intervening time, along with much testing and debugging, Chang Lan and I wrote browser extensions for Chrome and Firefox in order to hide the TLS fingerprint of the base meek client. I placed meek’s code in the public domain (Creative Commons CC0 [ 34 ] ) on February 8, 2014 . The choice of (non-)license was a strategic decision to encourage adoption by projects other than Tor.

In March 2014, I met some developers of Lantern at a one-day hackathon sponsored by OpenITP [ 24 ] . Lantern developer Percy Wegmann and I realized that the meek code I had been working on could act as a glue layer between Tor and the HTTP proxy exposed by Lantern, in effect allowing you to use Lantern as a pluggable transport for Tor. We worked out a prototype and wrote a summary of the process [ 75 ] . In that specific application, we used meek not for its domain-fronting properties but for its HTTP-tunneling properties; but the early contact with other circumvention developers was valuable.

June 2014 brought a surprise: the Great Firewall of China blocked all Google services [ 4 , 96 ] . It would be vain to think that it was in response to the nascent deployment of meek on App Engine; a much more likely cause was Google’s decision to begin using HTTPS for web searches, which would foil keyword-based URL filtering. Nevertheless, the blocking cast doubt on the feasibility of domain fronting: I had believed that blocking all of Google would be too costly in terms of collateral damage to be sustained for long by any censor, even the Great Firewall, and that belief was wrong. In any case, we now needed fronts other than Google in order to have any claim of effective circumvention in China. I set up additional backends: Amazon CloudFront and Microsoft Azure. When meek made its debut in Tor Browser, it would offer three modes: meek-google, meek-amazon, and meek-azure.

Google sponsored a summit of circumvention researchers in June 2014, at which I presented domain fronting. (By this time I had started using the term “domain fronting,” realizing that what I had been working on needed a specific name. I have tried to the idea “domain fronting” separate from the implementation “meek,” but the two terms have sometimes gotten confused.) Developers from Lantern and Psiphon where there—I was pleased to learn that Psiphon had already implemented and deployed domain fronting after reading my mailing list posts. The meeting started a fruitful collaboration between the developers of Tor, Lantern, and Psiphon.

Chang, Vern, and I submitted a paper on domain fronting to the Network and Distributed System Security Symposium in August 2014, whence it was rejected. One reviewer said the technique was already well known; the others generally wanted to see more on the experience of deployment, and a deeper investigation into resistance against traffic analysis attacks based on packet sizes and timing.

The first public release of Tor Browser that had a built-in easy-to-use meek client was version 4.0-alpha-1 on August 12, 2014 [ 29 ] . This was an alpha release, used by fewer users than the stable release. I made a blog post explaining how to use it a few days later [ 74 ] . The release and blog post had a positive effect on the number of users, however the absolute numbers from around this time are uncertain, because of a mistake I made in configuring the meek bridge. I was running the meek bridge and the flash proxy bridge on the same instance of Tor; and because of how Tor’s statistics are aggregated, the counts of the two transports were spuriously correlated [ 78 ] . I switched the meek bridge to a separate instance of Tor on September 15 ; numbers after that date are more trustworthy. In any case, the usage before this first release was tiny: the App Engine bill, at a rate of $0.12/GB with one GB free each day, was less than $1.00 per month for the first seven months of 2014 [ 137 §Costs ] . In August, the cost began to be nonzero every day, and would continue to rise from there. See Table 6.5 for a history of monthly costs.

Tor Browser 4.0 [ 153 ] was released on October 15, 2014 . It was the first stable (not alpha) release to have meek, and it had an immediate effect on the number of users: which jumped from 50 to 500 within a week. (The increase was partially conflated with a failure of the meek-amazon bridge to publish statistics before that date, but the other bridge, servicing both meek-google and meek-azure, individually showed the same increase.) It was a lesson in user behavior: although meek had been available in an alpha release for two months already, evidently a large number of users did not know of it or chose not to try it until the first stable release. At that time, the other transports available were obfs3, FTE, ScrambleSuit, and flash proxy.

2015 : Growth; restraints; outages

Through the first part of 2015, the estimated number of simultaneous users continued to grow, reaching about 2,000, as we fixed bugs and Tor Browser had further releases. The first release of Orbot that included meek appeared in February [ 93 ] .

We submitted a revised version of the domain fronting paper [ 89 ] , now with contributions from Psiphon and Lantern, to the Privacy Enhancing Technologies Symposium, where it was accepted and appeared on June 30 at the symposium.

The increasing use of domain fronting by various circumvention tools began to attract more attention. A March 2015 article by Eva Dou and Alistair Barr in The Wall Street Journal [ 53 ] described domain fronting and “collateral freedom” in general, depicting cloud service providers as being caught in the crossfire between censors and circumventors. The journalists contacted me but I declined to be interviewed; I thought it was not the right time for extra publicity, and anyway personally did not want to deal with doing an interview. Shortly thereafter, GreatFire, an anticensorship organization that was mentioned in the article, experienced a new type of denial-of-service attack [ 171 ] , caused by a Chinese network attack system later known as the Great Cannon [ 129 ] . They blamed the attack on the attention brought by the news article. As further fallout, Cloudflare, a CDN which Lantern used for fronting and whose CEO was quoted in the article, stopped supporting domain fronting [ 155 ] , by beginning to enforce a match between the SNI and the Host header

Since its first deployment, the Azure backend had been slower, with fewer users, than the other two options, App Engine and CloudFront. For months I had chalked it up to limitations of the platform. In April 2015, though, I found the real source of the problem: the component I wrote that runs on Azure, receives domain-fronted HTTP requests and forwards them to the meek bridge, was not reusing TCP connections. For every outgoing request, the code was doing a fresh TCP and TLS handshake—causing a bottleneck at the bridge as its CPU tried to cope with all the incoming TLS. When I fixed the code to reuse connections [ 67 ] , the number of users (overall, not only for Azure) had a sudden jump, increasing from 2,000 to reaching 6,000 in two weeks. Evidently, we had been leaving users on the table by having one of the backends not run as fast as possible.

The deployment of domain fronting was being partly supported by a $500/month grant from Google. Already in February 2015, the monthly cost for App Engine alone began to exceed that amount [ 137 §Costs ] . In an effort to control costs, in May 2015 we began to rate-limit the App Engine and CloudFront bridges, deliberately slowing the service so that fewer would use it. Until October 2015, the Azure bridge was on a research grant provided by Microsoft, so we allowed it to run as fast as possible. When the grant expired, we rate-limited the Azure bridge as well. This rate-limiting explains the relative flatness of the user graph from May to the end of 2015.

Google changed the terms of service governing App Engine in 2015. (I received a message announcing the change in May, but it seems the changes had been changed online since March.) The updated terms included a paragraph that seemed to prohibit running a proxy service [ 97 ] :

Networking . Customer will not, and will not allow third parties under its control to: (i) use the Services to provide a service, Application, or functionality of network transport or transmission (including, but not limited to, IP transit, virtual private networks, or content delivery networks); or (ii) sell bandwidth from the Services.

This was a stressful time: we seemed to have Google’s support, but the terms of service said otherwise. I contacted Google to ask for clarification or guidance, in the meantime leaving meek-google running; however I never got an answer to my questions. The point became moot a year later, when Google shut down our App Engine project, for another reason altogether; see below.

By this time we had not received reports of any attempts to block domain fronting. We did, however, suffer a few accidental outages (which are just as bad as blocking, from a client’s point of view). Between July 20 and August 14 , an account transition error left the Azure configuration broken [ 77 ] . I set up another configuration on Azure and published instructions on how to use it, but it would not be available to the majority of users until the next release of Tor Browser, which happened on August 11 . Between September 30 and October 9 , the CloudFront bridge was effectively down because of an expired TLS certificate. When it rebooted on October 9 , an administrative oversight caused its Tor relay identity fingerprint to change—meaning that clients expecting the former fingerprint refused to connect to it [ 87 ] . The situation was not fully resolved until November 4 with the next release of Tor Browser: cascading failures led to over a month of downtime.

In October 2015 there appeared a couple of research papers that investigated meek’s susceptibility to detection via side channels. Tan et al. [ 174 ] used Kullback–Leibler divergence to quantify the differences between protocols, with respect to packet size and interarrival time distributions. Their paper is written in Chinese; I read it in machine translation. Wang et al. [ 186 ] published a more comprehensive report on detecting meek (and other protocols), emphasizing practicality and precision. They showed that some previously proposed classifiers would have untenable false-positive rates, and constructed a classifier for meek based on entropy and timing features. It’s worth noting that since the first reported efforts to block meek in 2016, censors have preferred, as far as we can tell, to use techniques other than those described in these papers.

A side benefit of building a circumvention system atop Tor is easy integration with Tor Metrics—the source of the user number estimates in this section. Since the beginning of meek’s deployment, we had known about a problem with the way it integrates with Tor Metrics. Tor pluggable transports geolocate the client’s IP address in order to aggregate statistics by country. But when a meek bridge receives a connection, the “client IP address” it sees is not that of the true client, but rather that of some cloud server, the intermediary through which the client’s domain-fronted traffic passes. So the total user counts were fine, but the per-country counts were meaningless. For example, because App Engine’s servers were located in the U.S., every meek-google connection was being counted as if it belonged to a client in the U.S. By the end of 2015, meek users were a large enough fraction (about 20%) of all bridge users that they were skewing the overall per-country counts. I wrote a patch [ 90 ] to have the client’s true IP address forwarded through the network intermediary in a special HTTP header, which fixed the per-country counts from then on.

2016 : Taking off the reins; misuse; blocking efforts

In mid-January 2016 the Tor Project asked me to raise the rate limits on the meek bridges, in anticipation of rumored attempts to block Tor in Egypt. I asked the bridge operators raise the limits from approximately 1 MB/s to 3 MB/s. The effect of the relaxed rate limits was immediate: the count shot up as high 15,000 simultaneous users, briefly making meek Tor’s most-used pluggable transport, before settling in at around 10,000.

The first action that may have been a deliberate attempt to block domain fronting came on January 29, 2016 , when the Great Firewall of China blocked one of the edge servers of the Azure CDN. The blocking was by IP address, a severe method: not only the domain name we were using for fronting, but thousands of other names became inaccessible. The block lasted about four days. On February 2 , the server changed its IP address (simply incrementing the final octet from .200 to .201), causing it to become unblocked. I am aware of no other incidents of edge server blocking.

The next surprise was on May 13, 2016 . meek’s App Engine backend stopped working and I got a notice:

We’ve recently detected some activity on your Google Cloud Platform/API Project ID meek-reflect that appears to violate our Terms of Service. Please take a moment to review the Google Cloud Platform Terms of Service or the applicable Terms of Service for the specific Google API you are using. Your project is being suspended for committing a general terms of service violation. We will delete your project unless you correct the violation by filling in the appeals form available on the project page of Developers Console to get in touch with our team so that we can provide you with more details.

My first thought—which turned out to be wrong—was that it was because of the changes to the terms of service that had been announced the previous year. I tried repeatedly to contact Google and learn the nature of the violation, But none of my inquiries received even an acknowledgement. It was not until June 18 that I got some insight, through an unofficial channel, about what happened. Some botnet had apparently been misusing meek for command and control purposes. Its operators had not even bothered to set up their own App Engine project; they were free-riding on the service we had been operating for the public. Although we may have been able to reinstate the meek-google service, seeing as the suspension was the result of someone else’s actions, not ours, with the existing uncertainty around the terms of service I didn’t have the heart to pursue it. meek-google remained off, and users migrated to meek-amazon or meek-azure. It turned out, later, that it had been no common botnet misusing meek-google, but an organized political hacker group, known as Cozy Bear or APT29. The group’s malware would install a backdoor that operated over a Tor onion service, and used meek for camouflage. Dunwoody and Carr presented these findings at DerbyCon in September 2016 [ 56 ] , and in a blog post [ 55 ] in March 2017 (which is where I learned of it).

The year 2016 brought the first reports of efforts to block meek. These efforts all had in common that they used TLS fingerprinting in conjunction with SNI inspection. In May, a Tor user reported that Cyberoam, a firewall company, had released an update that enabled detection and blocking of meek, among other Tor pluggable transports [ 109 ] . Through experiments we determined that the firewall was detecting meek whenever it saw a combination of two features: a specific client TLS fingerprint, and an SNI containing any of our three front domains: www.google.com , a0.awsstatic.com , or ajax.aspnetcdn.com [ 69 ] . We verified that changing either the TLS fingerprint or the front domain was sufficient to escape detection. Requiring both features to be present was a clever move by the firewall to limit collateral damage: it did not block those domains for all clients, but only for the subset having a particular TLS fingerprint. I admit that I had not considered the possibility of using TLS and SNI together to make a more precise classifier. We had known since the beginning of the possibility of TLS fingerprinting, which is why we took the trouble to implement browser-based TLS camouflage. The camouflage was performing as intended: even an ordinary Firefox 38 (the basis of Tor Browser, and what meek camouflaged itself as) would be blocked by the firewall when accessing one of the three listed domains. However, Firefox 38 was by that time a year old. I found a source [ 69 ] saying that at that time, Firefox 38 made up only 0.38% of desktop browsers, compared to 10.69% for the then-latest Firefox 45 My guess is that the firewall makers considered the small amount of collateral blocking of genuine Firefox 38 users to be acceptable.

In July I received a report of similar behavior by a FortiGuard firewall [ 72 ] from Tor user Kanwaljeet Singh Channey. The situation was virtually the same as in the Cyberoam case: the firewall would block connections having a specific TLS fingerprint and a specific SNI. This time, the TLS fingerprint was that of Firefox 45 (which by then Tor Browser had upgraded to); and the specific SNIs were two, not three, omitting www.google.com . As in the previous case, changing either the TLS fingerprint or the front domain was sufficient to get through the firewall.

For reasons not directly related to domain fronting or meek, I had been interested in the blocking situation in Kazakhstan, ever since Tor Metrics reported a sudden drop in the number of users in that country in June 2016 [ 88 ] . (See Section 5.4 for other results from Kazakhstan.) I worked with an anonymous collaborator, who reported that meek was blocked in the country since October 2016 or earlier. According to them, changing the front domain would evade the block, but changing the TLS fingerprint didn’t help. I did not independently confirm these reports. Kazakhstan remains the only case of country-level blocking of meek that I am aware of.

Starting in July 2016, there was a months-long increase in the number of meek users reported from Brazil [ 177 ] . The estimated count went from around 100 to almost 5,000, peaking in September 2016 before declining again. During parts of this time, over half of all reported meek users were from Brazil. We never got to the bottom of why there should be so many users reported from Brazil in particular. The explanation may be some kind of anomaly; for instance some third-party software that happened to use meek, or a malware infection like the one that caused the shutdown of meek-google. The count of users from Brazil dropped suddenly, from 1,500 almost to zero, on March 3, 2017 , which happened also to be the day that I shut down meek-azure pending a migration to new infrastructure. The Brazil count would remain low until rising again in June 2017.

In September 2016, I began mentoring Katherine Li in writing GAEuploader [ 122 ] , a program to simplify and automate the process of setting up domain fronting. The program automatically uploads the necessary code to Google App Engine, then outputs a bridge specification ready to be pasted into Tor Browser or Orbot. We hoped also that the code would be useful to other projects, like XX-Net [ 205 ] , that require users to perform the complicated task of uploading code to App Engine. GAEuploader had beta releases in January [ 121 ] and November [ 123 ] 2017; however the effect on the number of users has so far not been substantial.

Between October 19 and November 10, 2016 , the number of meek users decreased globally by about a third [ 86 ] . Initially I suspected a censorship event, but the other details didn’t add up: the numbers decreased and later recovered simultaneously across many countries, including ones not known for censorship. Discussion with other developers revealed the likely cause: a botched release of Orbot that left some users unable to use the program [ 79 ] . Once a fixed release was available, user numbers recovered. As an side effect of this event, we learned that a majority of meek users were using Orbot rather than Tor Browser.

2017 : Long-term support

In January 2017, a grant I had been using to pay meek-azure’s bandwidth bills ran out. Lacking the means to keep it running, I announced my intention to shut it down [ 76 ] . Shortly thereafter, Team Cymru offered to set up their own instances and pay the CDN fees, and so we made plans to migrate meek-azure to the new setup in the next releases. For cost reasons, though, I still had to shut down the old configuration before the new releases of Tor Browser and Orbot were fully ready. I shut down my configuration on March 3 . The next release of Tor Browser was on March 7 , and the next release of Orbot was on March 22 : so there was a period of days or weeks during which meek-azure was non-functional. It would have been better to allow the two configurations to run concurrently for a time, so that users of the old would be able to transparently upgrade to the new—but for cost reasons it was not possible. Perhaps not coincidentally, the surge of users from Brazil, which had started in July 2016, ceased on March 3 , the same day I shut down meek-azure before its migration. Handing over control of the infrastructure was a relief to me. I had managed to make sure the monthly bills got paid, but it took more care and attention than I liked. A negative side effect of the migration was that I stopped writing monthly summaries of costs, because I was no longer receiving bills.

Also in January 2017, I became aware of the firewall company Allot Communications, thanks to my anonymous collaborator in the work Kazakhstan work. Allot’s marketing materials advertised support for detection of a wide variety of circumvention protocols, including Tor pluggable transports, Psiphon, and various VPN services [ 81 ] . They claimed detection of “Psiphon CDN (Meek mode)” going back to January 2015, and of “TOR (CDN meek)” going back to April 2015. We did not have any Allot devices to experiment with, and I do not know how (or how well) their detectors worked.

In June 2017, the estimated user count from Brazil began to increase again [ 177 ] , similarly to how it had between July 2016 and March 2017. Just as before, we did not find an explanation for the increase.

The rest of 2017 was fairly quiet. Starting in October, there were reports from China of the disruption of look-like-nothing transports such as obfs4 and Shadowsocks [ 80 ] , perhaps related to the National Congress of the Communist Party of China that was then about to take place. The disruption did not affect meek or other systems based on domain fronting; in fact the number of meek users in China roughly doubled during that time.

Chapter 7 Snowflake

Snowflake is a new circumvention system currently under development. It is based on peer-to-peer connections through ephemeral proxies that run in web browsers. Snowflake proxies are lightweight: activating one is as easy as browsing to a web page and shutting one down only requires closing the browser tab. They serve only as temporary stepping stones to a full-fledged proxy. Snowflake derives its blocking resistance from having a large number of proxies. A client may use a particular proxy for only seconds or minutes before switching to another. If the censor manages to block the IP address of one proxy, there is little harm, because many other temporary proxies are ready to take its place.

Snowflake [ 98 , 173 ] is the spiritual successor to flash proxy [ 84 ] , a system that similarly used browser-based proxies, written in JavaScript. Flash proxy, with obfs2 and obfs3, was one of the first three pluggable transports for Tor [ 68 ] , but since its introduction in 2013 it never had many users [ 179 ] . I believe that its lack of adoption was a result mainly of its incompatibility with NAT (network address translation): its use of the TCP-based WebSocket protocol [ 64 ] required clients to follow complicated port forwarding instructions [ 71 ] . For that reason, flash proxy was deprecated in 2016 [ 13 ] .

Snowflake keeps the basic idea of in-browser proxies, but replaces WebSocket with WebRTC [ 5 ] , a suite of protocols for peer-to-peer communications. Importantly, WebRTC uses UDP for communication, and includes facilities for NAT traversal, allowing most clients to use it without manual configuration. WebRTC mandatorily encrypts its channels, which as a side effect obscures any keywords or byte patterns in the tunneled traffic. (Still leaving open the possibility of detecting the use of WebRTC itself—see Section 7.2 .)

Aside from flash proxy, the most similar existing design was a former version of uProxy [ 184 ] (an upcoming revision will work differently). uProxy required clients to know a confederate outside the censor’s network who could run a proxy. The client would connect through the proxy using WebRTC; the proxy would then directly fetch the client’s requested URLs. Snowflake centralizes the proxy discovery process, removing the requirement to arrange one’s own proxy outside the firewall. Snowflake proxies are merely dumb pipes to a more capable proxy, allowing them to carry traffic other than web traffic, and preventing them from spying on the client’s traffic.

The name Snowflake comes from one of WebRTC’s subprotocols, ICE (Interactive Connectivity Establishment) [ 164 ] , and from the temporary proxies, which resemble snowflakes in their impermanence and uniqueness.

Snowflake now exists in an experimental alpha release, incorporated into Tor Browser. My main collaborators on the Snowflake project are Arlo Breault, Mia Gil Epner, Serene Han, and Hooman Mohajeri Moghaddam.

There are three main components of the Snowflake system. Refer to Figure 7.1 .

many snowflake proxies , which communicate with clients over WebRTC and forward their traffic to the bridge
many clients , responsible for initially requesting service and then establishing peer-to-peer connections with snowflake proxies
a broker , an online database that serves to match clients with snowflake proxies
a bridge (so called to distinguish it from the snowflake proxies), a full-featured proxy capable of connecting to any destination

The architecture of the system is influenced by the requirement that proxies run in a browser, and the nature of WebRTC connection establishment, which uses a bidirectional handshake. In our implementation, the bridge is really a Tor bridge. Even though a Tor circuit consists of multiple hops, that fact is abstracted away from the Tor client’s perspective; Snowflake does not inherently depend on Tor.

A Snowflake connection happens in multiple steps. In the first phase, called rendezvous , the client and snowflake exchange information necessary for a WebRTC connection.

The client registers its need for service by sending a message to the broker. The message, called an offer [ 166 ] , contains the client’s IP address and other metadata needed to establish a WebRTC connection. How the client sends its offer is further explained below.
At some point, a snowflake proxy comes online and polls the broker. The broker hands the client’s offer to the snowflake proxy, which sends back its answer [ 166 ] , containing its IP address and other connection metadata the client will need to know.
The broker sends back to the client the snowflake’s answer message.

At this point rendezvous is finished. The snowflake has the client’s offer, and the client has the snowflake’s answer, so they have all the information needed to establish a WebRTC connection to each other.

The client and snowflake proxy connect to each other using WebRTC.
The snowflake proxy connects to the bridge (using WebSocket, though the specific type of channel does not matter for this step).

The snowflake proxy then copies data back and forth between client and bridge until it is terminated. The client’s communication with the bridge is encrypted and authenticated end-to-end through the WebRTC tunnel, so the proxy cannot interfere with it. When the snowflake proxy terminates, the client may request a new one. Various optimizations are possible, such as having the client maintain a pool of proxies in order to bridge gaps in connectivity, but we have not implemented and tested them sufficiently to state their effects.

The rendezvous phase bears further explanation. Steps 1, 2, and 3 actually happen synchronously, using interleaved HTTP requests and responses: see Figure 7.2 . The client’s single request uses domain fronting, but the requests of the snowflake proxies are direct. In Step 1, the client sends a request containing its offer. The broker holds the connection open but does not immediately respond. In Step 2, a snowflake proxy makes a polling request (“do you have any clients for me?”) and the broker responds with the client’s offer. The snowflake composes its answer and sends it back to the broker in a second HTTP request (linked to the first by a random token). In Step 3, the broker finally responds to the client’s initial request by passing on the snowflake proxy’s answer. From the client’s point of view, it has sent a single request (containing an offer) and received a single response (containing an answer). If no proxy arrives within a time threshold of the client sending its offer, the broker replies with an error message instead. We learned from the experience of running flash proxy that it is not difficult to achieve a proxy arrival rate of several per second, so timeouts ought to be exceptional.

One may ask, if the domain-fronted rendezvous channel is bidirectional and already assumed to be difficult to block, doesn’t it suffice for circumvention on its own? The answer is that it does suffice—that’s the idea behind meek ( Section 6.3 ). The disadvantage of building a system exclusively on domain fronting, though, is high monetary cost (see Table 6.5 ). Snowflake offloads the bulk of data transfer onto WebRTC, and uses expensive domain fronting only for rendezvous.

There are two reasons why the snowflake proxies forward client traffic to a separate bridge, rather than connecting directly to the client’s desired destination. The first is generality: a browser-based proxy can only do the things a browser can do; it can fetch web pages but cannot, for example, open sockets to arbitrary destinations. The second is privacy: the proxies are operated by untrusted, potentially malicious strangers. If they were to exit client traffic directly, they would be able to tamper with it. Furthermore, a malicious client could cause a well-meaning proxy to connect to suspicious destinations, potentially getting its operator in trouble. This “many proxies, one bridge” model is essentially untrusted messenger delivery [ 63 ] , proposed by Feamster et al. in 2003.

WebRTC offers two features that are necessary for Snowflake: 1. it is supported in web browsers, and 2. it deals with NAT. In other respects, though, WebRTC is a nuisance. Its close coupling with browser code makes it difficult to use as a library outside of a browser; a big part of the Snowflake project was to extract the code into a reusable library, go-webrtc [ 22 ] . WebRTC comes with a lot of baggage around audio and video codecs, which is useful for some of its intended use cases, but which we would prefer not to have to deal with. Working within a browser environment limits our flexibility, because we cannot access the network directly, but only at arm’s length through some API. This has implications for detection by content, as discussed in the next section.

7.2 WebRTC fingerprinting

Snowflake primarily tackles the problem of detection by address. The pool of temporary proxies changes too quickly for a censor to keep up with—or at least that’s the idea. Equally important, though, is the problem of detection by content. If Snowflake’s protocol has an easily detectable “tell,” then it could be blocked despite its address diversity. Just as with meek we were concerned about TLS fingerprinting ( Section 6.2 ), with Snowflake we are concerned with WebRTC fingerprinting.

Snowflake will always look like WebRTC—that’s unavoidable without a major change in architecture. Therefore the best we can hope for is to make Snowflake’s WebRTC hard to distinguish from other applications of WebRTC. And that alone is not enough—it also must be that the censor is reluctant to block those other uses of WebRTC.

Mia Gil Epner and I began an investigation into the potential fingerprintability of WebRTC [ 20 , 83 ] . While preliminary, we were able to find many potential fingerprinting features, and a small survey of applications revealed a diversity of implementation choices in practice.

WebRTC is a stack of interrelated protocols, and leaves implementers much freedom to combined them in different ways. We checked the various protocols in order to find places where implementation choices could facilitate fingerprinting.

Signaling is WebRTC’s term for the exchange of metadata and control data necessary to establish the peer-to-peer connection. WebRTC offers no standard way to do signaling [ 5 §3 ] ; it is left up to implementers. For example, some implementations do signaling via XMPP, an instant messaging protocol. Snowflake does signaling through the broker, during the rendezvous phase.

ICE (Interactive Connectivity Establishment) [ 164 ] is a combination of two protocols. STUN (Session Traversal Utilities for NAT) [ 165 ] helps hosts open and maintain a binding in a NAT table. TURN (Traversal Using Relays around NAT) [ 127 ] is a way of proxying through a third party when the end hosts’ NAT configurations are such that they cannot communicate directly. In STUN, both client and server messages have a number of optional attributes, including one called SOFTWARE that directly specifies the implementation. Furthermore, the very choice of which STUN and TURN servers to use is a choice made by the client.

WebRTC offers media channels (used for audio and video) as well as two kinds of data channels (stream-oriented reliable and datagram-oriented unreliable). All channels are encrypted, however they are encrypted differently according to their type. Media channels use SRTP (Secure Real-time Transport Protocol) [ 16 ] and data channels use DTLS (Datagram TLS) [ 161 ] . Even though the contents of both are encrypted, an observer can easily distinguish a media channel from a data channel. Applications that use media channels have options for doing key exchange: some borrow the DTLS handshake in a process called DTLS-SRTP [ 135 ] and some use SRTP with Security Descriptions (SDES) [ 11 ] . Snowflake uses reliable data channels.

DTLS, as with TLS, offers a wealth of fingerprintable features. Some of the most salient are the protocol version, extensions, the client’s offered ciphersuites, and values in the server’s certificate.

Snowflake uses a WebRTC library extracted from the Chromium web browser, which mitigates some potential dead-parrot distinguishers [ 103 ] . But WebRTC remains complicated and its behavior on the network depends on more than just what library is in use.

We conducted a survey of some WebRTC-using applications in order to get an idea of the implementation choices being made in practice. We tested three applications that use media channels, all chat services: Google Hangouts ( https://hangouts.google.com ), Facebook Messenger ( https://www.messenger.com ), and OpenTokRTC ( https://opentokrtc.com/ ). We also tested two applications that use data channels: Snowflake itself and Sharefest ( https://github.com/Peer5/ShareFest ), a now-defunct file sharing service. Naturally, the network fingerprints of all five applications were distinguishable at some level. Snowflake, by default, uses a Google-operated STUN server, which may be a good choice because so do Hangouts and Sharefest. All applications other than Hangouts used DTLS for key exchange. While the client portions differed, the server certificate was more promising, in all cases having a Common Name of “WebRTC” and a validity of 30 days.

Finally, we wrote a script [ 82 ] to detect and fingerprint DTLS handshakes. Running the script on a day’s worth of traffic from Lawrence Berkeley National Laboratory turned up only seven handshakes, having three distinct fingerprints. While it is difficult to generalize from one measurement at one site, these results suggest that WebRTC use—at least the forms that use DTLS—is not common. We guessed that Google Hangouts would be the main source of WebRTC connections; however our script would not have found Hangouts connections because Hangouts does not use DTLS.

Bibliography

I strive to provide a URL for each reference whenever possible. On December 15, 2017 , I archived each URL at the Internet Archive; or, when that didn’t work, at archive.is . If a link is broken, look for an archived version at https://web.archive.org/ or https://archive.is/ . Many of the references are also cached in CensorBib, https://censorbib.nymity.ch/ .

.il (top-level domain of Israel) , ¶ 87
185.120.77.110 (Kazakh VPN node) , ¶ 198
200 (HTTP status code) , Figure 6.3 , Figure 7.2
202.108.181.70 (active prober) , ¶ 106 , ¶ 108 , ¶ 128
404 (HTTP status code) , ¶ 228
a0.awsstatic.com , ¶ 255
Aase, Nicholas , ¶ 141
Abbatecola, Angie , ¶ 4
Aben, Emile , ¶ 80
Accept (HTTP header) , ¶ 121
Accept-Encoding (HTTP header) , ¶ 121 , ¶ 124
Aceto, Giuseppe , ¶ 84
proactive versus reactive , ¶ 99
see also port scanning
address spoofing , ¶ 48 , ¶ 57 , ¶ 106
address, detection/blocking by , see detection/blocking by address
Afroz, Sadia , ¶ 3 , ¶ 26 , ¶ 38 , ¶ 73 , ¶ 94
Ahmad, Tahir , ¶ 84
ajax.aspnetcdn.com , ¶ 255
Akella, Aditya , ¶ 39 , ¶ 40 , ¶ 218 , ¶ 246
Allot Communications , ¶ 262
see also meek-amazon
An, Anne , ¶ 225
Anderson, Collin , ¶ 82 , ¶ 91
Anderson, Daniel , ¶ 62
Anderson, Philip D. , ¶ 62 , ¶ 83
see also Orbot
Anonymous , ¶ 257
answer (Snowflake) , Figure 7.1 , ¶ 275 , ¶ 276 , ¶ 279 , Figure 7.2
App Engine , see Google App Engine
Appelbaum, Jacob , ¶ 224
see also Google App Engine
APT29 , see Cozy Bear
archive.is , ¶ 294
arms race , ¶ 93
Aryan, Homa , ¶ 82
Aryan, Simurgh , ¶ 82
AS , see autonomous system
Athanasopoulos, Elias , ¶ 89
Augur , ¶ 92
Australia , ¶ 78
see also integrity
AS 203087 , ¶ 198
Awan, M. Faheem , ¶ 84
Azadi (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 166 , ¶ 172 – 174 , ¶ 181 – 183 , ¶ 186 , Figure 5.3
Azure , see Microsoft Azure
Balakrishnan, Hari , ¶ 41 , ¶ 281
Balazinska, Magdalena , ¶ 41 , ¶ 281
Barr, Alistair , ¶ 239
Barr, Earl , ¶ 62 , ¶ 79
Beaty, Steve , ¶ 3
blacklist , ¶ 23 , ¶ 38 , ¶ 39 , ¶ 76 , ¶ 78 , ¶ 96 , ¶ 97 , Figure 4.1
Blaze, Matt , ¶ 61
block page , ¶ 84 , ¶ 89
by address , ¶ 14 , ¶ 23 , ¶ 56 , ¶ 69 , ¶ 75 , ¶ 79 , ¶ 87 , ¶ 88 , ¶ 97 , Figure 4.1 , ¶ 101 , ¶ 138 , ¶ 162 , ¶ 170 , ¶ 191 , ¶ 208 , ¶ 210 , ¶ 212 , ¶ 214 , Figure 6.2 , ¶ 249 , ¶ 255 , ¶ 256
by content , ¶ 14 , ¶ 141 , ¶ 149 , ¶ 255 , ¶ 256
versus detection , ¶ 21 , ¶ 58
blogs , ¶ 88 , ¶ 91 , ¶ 156 , ¶ 235
Blue Coat , ¶ 87
BLUES research group , ¶ 4
Boe, Bryce , ¶ 214
Boneh, Dan , ¶ 3
border firewall , ¶ 9 , Figure 1.1 , ¶ 10 – 12
Borisov, Nikita , ¶ 34
botnet , ¶ 80 , ¶ 254
Botta, Alessio , ¶ 84
Brazil , ¶ 258 , ¶ 261 , ¶ 263
brdgrd , ¶ 62 , ¶ 106
BreakWa11 , Table 4.2 , ¶ 110
Breault, Arlo , ¶ 224 , ¶ 228 , ¶ 270
bridge , see Tor bridge
bridge configuration file , ¶ 139 , ¶ 154 , ¶ 173 , ¶ 174 , ¶ 177 , ¶ 180 , ¶ 182 , ¶ 184 , ¶ 190 , ¶ 194
BridgeDB , ¶ 51 , ¶ 52 , ¶ 157 , ¶ 194
BridgeSPA , ¶ 131
broker (Snowflake) , ¶ 102 , Figure 7.1 , ¶ 272 , ¶ 275 , ¶ 279 , Figure 7.2 , ¶ 287
Brown, Ian , ¶ 12 , ¶ 144
Brubaker, Chad , ¶ 34 , ¶ 39 , ¶ 40
Burnett, Sam , ¶ 34
Byrd, Michael , ¶ 62 , ¶ 79
Caballero, Juan , ¶ 54 , ¶ 99 , ¶ 139
Caesar, Matthew , ¶ 34
California State loyalty oath , ¶ 6
Canada , ¶ 78
Cao, Yue , ¶ 62 , Table 4.2 , ¶ 112 , ¶ 187
captcha , ¶ 51
Carr, Nick , ¶ 254
cat-and-mouse game , ¶ 27
CC0 , ¶ 230
CDN , ¶ 203 , ¶ 210 – 214 , ¶ 219 , Figure 6.2 , ¶ 228 , ¶ 239 , ¶ 243 , ¶ 249 , ¶ 261
CensMon , ¶ 89
censor , ¶ 10
CensorBib , ¶ 4 , ¶ 294
CensorSpoofer , ¶ 57
see also common name (X.509); TLS
CGIProxy , ¶ 64 , ¶ 65
Chaabane, Abdelberi , ¶ 87
Chang, Lan , ¶ 234
Channey, Kanwaljeet Singh , ¶ 256
Chen, Terence , ¶ 87
Chiesa, Marco , ¶ 80
see also Great Firewall of China
Chinese language , ¶ 79 , ¶ 218 , ¶ 246
Chrome web browser , ¶ 121 , ¶ 136 , ¶ 230 , ¶ 291
ciphersuite , see TLS ciphersuite
circumvention , ¶ 10
Circumventor , ¶ 64 , ¶ 65
Cirripede , ¶ 215
Claffy, Kimberly C. , ¶ 80
see also detection; false positive; false negative
Clayton, Richard , ¶ 59 , ¶ 76 , ¶ 77 , ¶ 187
CleanFeed , ¶ 76
client , ¶ 10
Cloudflare , ¶ 228 , ¶ 239
CloudFront , see Amazon CloudFront
CloudTransport , ¶ 216
collateral damage , ¶ 28 – 36 , ¶ 48 , ¶ 53 , ¶ 56 , ¶ 66 , ¶ 70 , ¶ 87 , ¶ 98 , ¶ 102 , ¶ 131 , ¶ 143 , ¶ 203 , Figure 6.1 , ¶ 210 , ¶ 212 , ¶ 213 , ¶ 215 , ¶ 232 , ¶ 255
“collateral freedom” , ¶ 225 , ¶ 239
command and control , ¶ 254
common name (X.509) , ¶ 205 , Figure 6.1 , ¶ 292
ConceptDoppler , ¶ 79
Conficker , ¶ 80
Connection (HTTP header) , ¶ 118 , ¶ 121 , ¶ 124
content delivery network , see CDN
content, detection/blocking by , see detection/blocking by content
Content-Length (HTTP header) , ¶ 118 , Figure 6.3
Content-Type (HTTP header) , ¶ 118 , ¶ 119
Cozy Bear , ¶ 254
Crandall, Jedidiah R. , ¶ 62 , ¶ 79 , ¶ 85 , ¶ 92 , ¶ 141 , ¶ 142
Creative Commons , ¶ 230
Crete-Nishihata, Masashi , ¶ 87 , ¶ 141
Cristofaro, Emiliano De , ¶ 87
Cronin, Eric , ¶ 61
CS261N (network security course) , ¶ 229
Cunche, Mathieu , ¶ 87
CurveBall , ¶ 215
Cyberoam , ¶ 255 , ¶ 256
cymrubridge31 (Tor bridge) , Table 5.1 , Figure 5.4 , Figure 5.5 , ¶ 200
cymrubridge33 (Tor bridge) , Table 5.1 , Figure 5.4 , Figure 5.5 , ¶ 200
Dainotti, Alberto , ¶ 80
Dalek, Jakub , ¶ 86 , ¶ 87
dead-parrot attacks , ¶ 39 , ¶ 291
decoy routing , see refraction networking
deep packet inspection , ¶ 14 , ¶ 69
default bridge , see Tor bridge, default
Deibert, Ronald , ¶ 86 , ¶ 87
Deloitte , ¶ 35
deniability , ¶ 34
denial of service , ¶ 86 , ¶ 239
DerbyCon , ¶ 254
destination , ¶ 10
by address , ¶ 23 , ¶ 25 , ¶ 45 – 57 , ¶ 65 , ¶ 101 , ¶ 203 , ¶ 283
by content , ¶ 23 , ¶ 25 , ¶ 37 – 44 , ¶ 97 , Figure 4.1 , ¶ 98 , ¶ 101 , ¶ 115 , ¶ 150 , ¶ 203 , ¶ 267 , ¶ 282 , ¶ 283
versus blocking , ¶ 21 , ¶ 58
Diffie–Hellman key exchange , ¶ 43
Dingledine, Roger , ¶ 51 , ¶ 99
distinguishability , ¶ 29 , ¶ 33 , ¶ 34 , ¶ 115 , ¶ 131 , ¶ 203 , ¶ 221 , ¶ 284 , ¶ 289 , ¶ 292
poisoning , ¶ 23 , ¶ 69 , ¶ 74 , ¶ 75 , ¶ 78 , ¶ 79 , ¶ 82 , ¶ 84 , ¶ 91
costs of , ¶ 211 , Table 6.5 , ¶ 280
in Snowflake rendezvous , Figure 7.1 , ¶ 279 , Figure 7.2
see also front domain; meek
Domain Name System , see DNS
Dong, Bill , ¶ 74
Dornseif, Maximillian , ¶ 74
Dou, Eva , ¶ 239
DPI , see deep packet inspection
fingerprinting , ¶ 293
see also TLS
DTLS-SRTP , ¶ 289
Dunwoody, Matthew , ¶ 254
Durumeric, Zakir , ¶ 54 , ¶ 99
Dust , ¶ 42
Dyer, Kevin P. , ¶ 39 , ¶ 40 , ¶ 218 , ¶ 246
Díaz, Álvaro , ¶ 141
East, Rich , ¶ 62 , ¶ 79
eavesdropper’s dilemma , ¶ 61
Edelman, Benjamin G. , ¶ 75
edge server , ¶ 210 , ¶ 213 , ¶ 249
Egypt , ¶ 80 , ¶ 248
Elahi, Tariq , ¶ 26 , ¶ 34 , ¶ 40 , ¶ 58
email , ¶ 23 , ¶ 37 , ¶ 51 , ¶ 57 , ¶ 88 , ¶ 127 , ¶ 224 , ¶ 225
encryption , ¶ 42 , ¶ 43 , ¶ 69 , ¶ 206 , Figure 6.1 , ¶ 209 , ¶ 210 , ¶ 214 – 216 , ¶ 267 , ¶ 278 , ¶ 289
end-to-middle proxying , see refraction networking
English language , ¶ 20
Ensafi, Roya , ¶ 81 , ¶ 85 , ¶ 86 , ¶ 92 , Table 4.2 , ¶ 111 , ¶ 187
entanglement , ¶ 34
see also Kullback–Leibler divergence
Eternity Service , ¶ 16
ethics , ¶ 72
like button , ¶ 87
Messenger , ¶ 292
false negative , ¶ 22 , ¶ 22 , ¶ 29 , ¶ 32 , ¶ 43 , ¶ 218
see also collateral damage
Fang, Binxing , ¶ 218 , ¶ 246
fdctorbridge01 (Tor bridge) , Table 5.1 , Figure 5.2 , Figure 5.3
Feamster, Nick , ¶ 34 , ¶ 41 , ¶ 81 , ¶ 92 , Table 4.2 , ¶ 111 , ¶ 187 , ¶ 281
Fifield, David , ¶ 26 , ¶ 38 , ¶ 73 , ¶ 81 , ¶ 86 , ¶ 94 , Table 4.2 , ¶ 111 , ¶ 140 , ¶ 187 , ¶ 217 , ¶ 234 , ¶ 238 , ¶ 285
Filastò, Arturo , ¶ 90
file descriptor limit , ¶ 201
filecasting , ¶ 60
see also TLS/DTLS fingerprinting
Firefox web browser , ¶ 230 , ¶ 255 , ¶ 256
flash proxy , ¶ 55 , ¶ 224 , ¶ 225 , ¶ 235 , ¶ 236 , ¶ 266 , ¶ 268 , ¶ 279
format-transforming encryption , see FTE
FortiGuard , ¶ 256
forum moderation , ¶ 16 , ¶ 142
fragmentation , ¶ 61 , ¶ 62 , ¶ 77 , ¶ 83 , ¶ 106
Freedom2Connect Foundation , ¶ 4
FreeWave , ¶ 41
Friedman, Arik , ¶ 87
front domain , ¶ 203 , Figure 6.1 , ¶ 210 , ¶ 255 – 257
FTE , ¶ 41 , Table 5.1 , ¶ 236
GAEuploader , ¶ 259
garbage probes , Table 4.2 , ¶ 104 , ¶ 105 , ¶ 108 , ¶ 126 , ¶ 127
Geddes, John , ¶ 39
geolocation , ¶ 247
Germany , ¶ 74
GET (HTTP method) , ¶ 121 , ¶ 124 , ¶ 135 , Figure 7.2
GFW , see Great Firewall of China
Gil Epner, Mia , ¶ 270 , ¶ 285
Gill, Phillipa , ¶ 87 , ¶ 90
Git , ¶ 228
GitHub , ¶ 30 , ¶ 86
GoAgent , ¶ 214 , ¶ 225
GoHost.kz , ¶ 198
Goldberg, Ian , ¶ 26 , ¶ 34 , ¶ 40 , ¶ 58
see also meek-google
Hangouts , ¶ 292 , ¶ 293
Plus , ¶ 82
Goto, Barbara , ¶ 4
Great Cannon , ¶ 86 , ¶ 239
Great Firewall of China , ¶ 30 , ¶ 32 , ¶ 43 , ¶ 51 , ¶ 59 , ¶ 62 , ¶ 64 , ¶ 71 , ¶ 77 – 79 , ¶ 81 , ¶ 83 , ¶ 97 , ¶ 99 , ¶ 100 , Table 4.2 , ¶ 107 , ¶ 110 , Figure 4.3 , ¶ 131 , ¶ 143 , ¶ 168 , ¶ 180 , ¶ 186 , ¶ 187 , ¶ 221 , ¶ 232 , ¶ 249
GreatFire , ¶ 239
GreenBelt (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 166 , ¶ 170 , ¶ 172 , ¶ 173 , ¶ 185 , Figure 5.3 , Figure 5.4 , Figure 5.5 , ¶ 200
Guo, Li , ¶ 218 , ¶ 246
Gupta, Minaxi , ¶ 89
Halderman, J. Alex , ¶ 54 , ¶ 79 , ¶ 82 , ¶ 99
Han, Serene , ¶ 270
Harfst, Greg , ¶ 41
Haselton, Bennett , ¶ 63 , ¶ 87
Hillig, Ulf , ¶ 16 , ¶ 26 , ¶ 50 , ¶ 214
Hong Kong , ¶ 78
Hopper, Nicholas , ¶ 4 , ¶ 39 , ¶ 99
Host (HTTP header) , ¶ 121 , ¶ 124 , ¶ 135 , ¶ 207 – 210 , ¶ 215 , Figure 6.2 , Figure 6.3 , ¶ 239
Houmansadr, Amir , ¶ 34 , ¶ 39 , ¶ 40
hrimfaxi , Table 4.2 , ¶ 105
HTML-rewriting proxy , ¶ 64 , ¶ 65 , ¶ 224
proxy , ¶ 24 , ¶ 76
HTTPS , ¶ 51 , ¶ 56 , ¶ 100 , ¶ 118 , ¶ 120 , ¶ 123 , Figure 4.3 , ¶ 128 , ¶ 203 , ¶ 204 , ¶ 211 , ¶ 212 , ¶ 214 , ¶ 216 , ¶ 221 , ¶ 232
hybrid idle scan , ¶ 85
Hynes, Rod , ¶ 217 , ¶ 238
ICE , ¶ 269 , ¶ 288
ICLab , ¶ 90
idle scan , see hybrid idle scan
indistinguishability , see distinguishability
Infranet , ¶ 41 , ¶ 66
injection , see packet injection
insider attack , ¶ 46 , ¶ 57 , ¶ 69
instant messaging , ¶ 57 , ¶ 287
see also authentication
Interactive Connectivity Establishment , see ICE
intern effect , ¶ 141
Internet Archive , ¶ 294
“Internet censorship” , ¶ 18
Internet service provider , see ISP
intrusion detection , ¶ 61 , ¶ 62 , ¶ 77 , ¶ 83
Ioannidis, Sotiris , ¶ 89
Iran , ¶ 43 , ¶ 82 , ¶ 140 , ¶ 147 , ¶ 149 , ¶ 195 , Figure 5.3 , ¶ 196 , ¶ 197
Iris , ¶ 92
ISP , ¶ 12 , ¶ 64 , ¶ 74 , ¶ 76 , ¶ 128
Israel , ¶ 87
Italy , ¶ 90
JavaScript , ¶ 41 , ¶ 86 , ¶ 266
Javed, Mobin , ¶ 62 , ¶ 83 , ¶ 84
JonbesheSabz (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 171 , ¶ 185 , Figure 5.3
Jones, Ben , ¶ 92
Kaafar, Mohamed Ali , ¶ 87
Kadianakis, George , ¶ 227
Karger, David , ¶ 41 , ¶ 281
Kazakhstan , ¶ 140 , ¶ 147 – 149 , ¶ 197 , ¶ 198 , Figure 5.4 , Figure 5.5 , ¶ 199 – 202 , ¶ 257 , ¶ 262
see also blocking by content
Khattak, Sheharbano , ¶ 26 , ¶ 34 , ¶ 40 , ¶ 58 , ¶ 62 , ¶ 83 , ¶ 84
Khayam, Syed Ali , ¶ 84
King, Gary , ¶ 142
Knockel, Jeffrey , ¶ 141
Krishnamurthy, Srikanth V. , ¶ 62 , Table 4.2 , ¶ 112 , ¶ 187
Kullback–Leibler divergence , ¶ 218 , ¶ 246
Köpsell, Stefan , ¶ 16 , ¶ 26 , ¶ 50 , ¶ 214
Lan, Chang , ¶ 217 , ¶ 229 , ¶ 230 , ¶ 238
Lantern , ¶ 217 , ¶ 231 , ¶ 233 , ¶ 239
Lau-Stewart, Lena , ¶ 4
Lawrence Berkeley National Laboratory , ¶ 293
Leidl, Bruce , ¶ 42
LeifEricson (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 166 , ¶ 172 , ¶ 176 , ¶ 177 , ¶ 179 , ¶ 188 , ¶ 189 , Figure 5.3 , ¶ 199
Levien, Heather , ¶ 4
Li, Anke , ¶ 90
Li, Frank , ¶ 92
Li, Katherine , ¶ 259
Libya , ¶ 80
Lindskog, Stefan , ¶ 32 , ¶ 62 , ¶ 81 , Table 4.2 , ¶ 106 , ¶ 108 , ¶ 111 , ¶ 114 , ¶ 145 , ¶ 187
Lisbeth (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 177 , ¶ 179 , ¶ 180 , Figure 5.4 , Figure 5.5 , ¶ 200
LiveJournal , ¶ 91
look-like-nothing transport , ¶ 42 , ¶ 43 , ¶ 82 , ¶ 102 , ¶ 115 , ¶ 116
Lowe, Graham , ¶ 78
Lyon, Gordon , ¶ 4
MaBishomarim (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 171 , ¶ 185 , Figure 5.3
Majkowski, Marek , Table 4.2 , ¶ 108
man in the middle , ¶ 43
Mao, Z. Morley , ¶ 79
Marcus, Michael L. , ¶ 78
Marczak, Bill , ¶ 86
Marquis-Boire, Morgan , ¶ 87
Mathewson, Nick , ¶ 99
Matic, Srdjan , ¶ 54 , ¶ 99 , ¶ 139
McAfee , ¶ 87
McCullagh, Declan B. , ¶ 63
McKune, Sarah , ¶ 86 , ¶ 87
McLachlan, Jon , ¶ 99
costs of , Table 6.5 , ¶ 235 , ¶ 261
history of , ¶ 223 , Figure 6.4 , Table 6.5 , ¶ 224 – 264
meek-amazon , ¶ 232 , ¶ 236 , ¶ 240 , ¶ 241 , ¶ 245 , ¶ 254
meek-azure , ¶ 232 , ¶ 236 , ¶ 240 , ¶ 241 , ¶ 245 , ¶ 254 , ¶ 258 , ¶ 261
meek-google , ¶ 232 , ¶ 236 , ¶ 240 , ¶ 241 , ¶ 244 , ¶ 250 , ¶ 254 , ¶ 258
meeker , ¶ 227
Meeks, Brock N. , ¶ 63
see also Twitter; Sina Weibo
see also meek-azure
MITM , see man in the middle
modeling , ¶ 11 , ¶ 12 , ¶ 17 , ¶ 19 , ¶ 22 , ¶ 27 , ¶ 34 , ¶ 67 , ¶ 72 , ¶ 77 , ¶ 146
Mohajeri Moghaddam, Hooman , ¶ 270
Morin, Rich , ¶ 65
Mosaddegh (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 170 , ¶ 171 , ¶ 186 , Figure 5.3 , Figure 5.4 , Figure 5.5 , ¶ 200
Mueen, Abdullah , ¶ 85 , ¶ 92
Mulligan, Deirdre , ¶ 4
Murdoch, Steven J. , ¶ 26 , ¶ 34 , ¶ 40 , ¶ 58 , ¶ 59 , ¶ 77 , ¶ 187
Nabi, Zubair , ¶ 84
NAT , ¶ 266 , ¶ 267 , ¶ 282 , ¶ 288
National Congress (Communist Party of China) , ¶ 264
ndnop3 (Tor bridge) , ¶ 151 , Table 5.1 , Figure 5.2 , ¶ 161 , ¶ 168 , Figure 5.3 , Figure 5.4 , Figure 5.5 , ¶ 201
ndnop4 (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 194 , Figure 5.3
ndnop5 (Tor bridge) , Table 5.1 , Figure 5.2 , Figure 5.3 , Figure 5.4 , Figure 5.5 , ¶ 201
NDSS , see Network and Distributed System Security Symposium
Netsweeper , ¶ 87
network address translation , see NAT
Network and Distributed System Security Symposium , ¶ 234
network intrusion detection system , see intrusion detection
network monitor , ¶ 61 , ¶ 62 , ¶ 77 , ¶ 83
Newsham, Timothy N. , ¶ 61
Nguyen, Giang T. K. , ¶ 34
nickname , see Tor bridge, nicknames
NIDS , see intrusion detection
Nithyanand, Rishab , ¶ 90
Nixon, Leif , Table 4.2 , ¶ 104
Nmap , ¶ 111
Nobori, Daiyuu , ¶ 143
noether (Tor bridge) , Table 5.1 , Figure 5.2 , Figure 5.3
Noman, Helmi , ¶ 87
North Rhein-Westphalia , ¶ 74
NX01 (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 177 , ¶ 179 , ¶ 184 , Figure 5.4 , Figure 5.5 , ¶ 200
obfs2 , ¶ 43 , Table 4.2 , ¶ 105 , ¶ 107 , ¶ 115 , ¶ 116 , ¶ 126 , Figure 4.3 , ¶ 127 , ¶ 133 , ¶ 145 , ¶ 266
obfs3 , ¶ 43 , Table 4.2 , ¶ 107 , ¶ 116 , ¶ 126 , Figure 4.3 , ¶ 127 , ¶ 134 , ¶ 150 , ¶ 236 , ¶ 266
obfs4 , ¶ 43 , ¶ 54 , ¶ 102 , Table 4.2 , ¶ 109 , ¶ 131 , ¶ 145 , ¶ 148 , ¶ 150 , Table 5.1 , ¶ 157 , ¶ 162 , ¶ 186 , ¶ 188 , ¶ 200 , ¶ 222
obfuscated-openssh , ¶ 42
Ocaña Molinero, Jorge , ¶ 141
offer (Snowflake) , Figure 7.1 , ¶ 275 , ¶ 276 , ¶ 279 , Figure 7.2
onion service , ¶ 254
OONI , ¶ 4 , ¶ 90
open proxy , ¶ 75 , ¶ 106
Open Technology Fund , ¶ 4
OpenITP , ¶ 231
OpenNet Initiative , ¶ 88
OpenSSH , see obfuscated-openssh
OpenTokRTC , ¶ 292
Orbot , ¶ 151 , Table 5.1 , ¶ 185 , ¶ 190 – 192 , ¶ 237 , ¶ 259 – 261
origin server , ¶ 210
overblocking , see false positive
packet dropping , ¶ 17 , ¶ 39 , ¶ 59 , ¶ 77 , ¶ 80 , ¶ 82 , ¶ 86
packet injection , ¶ 17 , ¶ 59 , ¶ 69 , ¶ 74 , ¶ 77 – 79 , ¶ 86 , ¶ 88 , ¶ 145
packet size and timing , ¶ 26 , ¶ 43 , ¶ 44 , ¶ 217 , ¶ 218 , ¶ 234 , ¶ 246
Pakistan , ¶ 84 , ¶ 90
Pan, Jennifer , ¶ 142
Park, Jong Chun , ¶ 62 , ¶ 79
Paxson, Vern , ¶ 3 , ¶ 26 , ¶ 38 , ¶ 61 , ¶ 62 , ¶ 73 , ¶ 81 , ¶ 83 , ¶ 84 , ¶ 86 , ¶ 92 , ¶ 94 , Table 4.2 , ¶ 111 , ¶ 187 , ¶ 217 , ¶ 229 , ¶ 234 , ¶ 238
Peacefire , ¶ 63
Pearce, Paul , ¶ 92
Pescapè, Antonio , ¶ 80 , ¶ 84
PETS , see Privacy Enhancing Technologies Symposium
Phipps, David , ¶ 142
PHP , ¶ 228
ping , ¶ 111
PlanetLab , ¶ 89
see also flash proxy; FTE; meek; obfs2; obfs3; obfs4; ScrambleSuit; Snowflake
polymorphism , ¶ 38 , ¶ 42 – 44
see also active probing; hybrid idle scan
POST (HTTP method) , ¶ 118 , ¶ 135 , ¶ 219 , ¶ 220 , Figure 6.3 , Figure 7.2
precision , see false positive
Pridgen, Adam , ¶ 142
Privacy Enhancing Technologies Symposium , ¶ 238
Proximax , ¶ 52
proxy , ¶ 24
proxy discovery , ¶ 150
proxy distribution , ¶ 48 , ¶ 52 , ¶ 57 , ¶ 65 , ¶ 95 , ¶ 213 , ¶ 268
Psiphon , ¶ 64 , ¶ 217 , ¶ 233 , ¶ 238 , ¶ 262
Ptacek, Thomas H. , ¶ 61
public domain , ¶ 230
Python , ¶ 124
Qaisar, Saad , ¶ 84
Qian, Zhiyun , ¶ 62 , Table 4.2 , ¶ 112 , ¶ 187
radio jamming , ¶ 60
randomization , ¶ 37 , ¶ 42 , ¶ 44 , ¶ 82 , ¶ 133 , ¶ 134
rate limiting , ¶ 241 , ¶ 248
Razaghpanah, Abbas , ¶ 90
rBridge , ¶ 52
recall , see false negative
refraction networking , ¶ 56 , ¶ 66 , ¶ 215
relative entropy , see Kullback–Leibler divergence
of flash proxy , ¶ 224 , ¶ 225
of Snowflake , ¶ 102 , ¶ 274 , ¶ 279 , Figure 7.2 , ¶ 287
reset , see RST
Rey, Arn , ¶ 86
Riedl, Thomas , ¶ 34
riemann (Tor bridge) , Table 5.1 , Figure 5.2 , ¶ 162 , ¶ 168 , ¶ 186 , Figure 5.3
RIPE Atlas , ¶ 91
Ristenpart, Thomas , ¶ 39 , ¶ 40 , ¶ 218 , ¶ 246
Roberts, Margaret E. , ¶ 142
Robinson, David , ¶ 225
Rover , ¶ 65
RST , ¶ 59 , ¶ 69 , ¶ 77 – 79 , ¶ 88 , ¶ 145
Ruan, Lotus , ¶ 141
Russia , ¶ 91 , ¶ 106
Russo, Michele , ¶ 80
SafeWeb , ¶ 64
Saia, Jared , ¶ 141
Salmon , ¶ 52
satellite television , ¶ 60
Schuchard, Max , ¶ 39
Scott, Will , ¶ 90
Scott-Railton, John , ¶ 86
ScrambleSuit , ¶ 43 , ¶ 54 , ¶ 102 , Table 4.2 , ¶ 109 , ¶ 131 , ¶ 236
SDES , ¶ 289
SecML research group , ¶ 4
Secure Sockets Layer , see TLS
security through obscurity , ¶ 22
Senft, Adam , ¶ 87
Server Name Indication , see SNI
Sfakianakis, Andreas , ¶ 89
Shadowsocks , ¶ 42 , ¶ 54 , ¶ 102 , ¶ 103 , Table 4.2 , ¶ 110 , ¶ 131
Sharefest , ¶ 292
Sherr, Micah , ¶ 61
Shi, Jinqiao , ¶ 218 , ¶ 246
Shinjo, Yasushi , ¶ 143
Shmatikov, Vitaly , ¶ 34 , ¶ 39 , ¶ 40
Shrimpton, Thomas , ¶ 39 , ¶ 40 , ¶ 218 , ¶ 246
shutdowns , ¶ 28 , ¶ 35 , ¶ 69 , ¶ 70 , ¶ 80
Sillers, Audrey , ¶ 4
Simon, Laurent , ¶ 26 , ¶ 34 , ¶ 40 , ¶ 58
Sina Weibo , ¶ 142
Singapore , ¶ 106
Singer, Andrew , ¶ 34
Skype , ¶ 41
SkypeMorph , ¶ 41
SNI , ¶ 205 , ¶ 209 , ¶ 214 , Figure 6.2 , ¶ 239 , ¶ 255 , ¶ 256
Snowflake , ¶ 55 , ¶ 102 , ¶ 265 – 270 , Figure 7.1 , ¶ 271 – 279 , Figure 7.2 , ¶ 280 – 293
social media , ¶ 16 , ¶ 66 , ¶ 91 , ¶ 142
SOCKS , ¶ 24 , ¶ 55
SoftEther VPN , ¶ 119 , ¶ 135
SOFTWARE (STUN attribute) , ¶ 288
Song, Chengyu , ¶ 62 , Table 4.2 , ¶ 112 , ¶ 187
source code , ¶ 7
South Korea , ¶ 90
Souza, Tulio de , ¶ 12 , ¶ 144
sphere of influence/visibility , ¶ 58 – 62
spoofing , see address spoofing
Squarcella, Claudio , ¶ 80
SRTP , ¶ 289
SSH , ¶ 42 , ¶ 82 , Table 4.2 , ¶ 104 , Table 5.1 , ¶ 162 , ¶ 186 , ¶ 188
SSL , see TLS
steganography , ¶ 33 , ¶ 38 – 41 , ¶ 44 , ¶ 95
StegoTorus , ¶ 41
STUN , ¶ 288 , ¶ 292
Swanson, Colleen M. , ¶ 26 , ¶ 34 , ¶ 40 , ¶ 58
Sweden , ¶ 106
SYN , ¶ 59 , ¶ 79
Syria , ¶ 87
Taiwan , ¶ 88
Tan, Qingfeng , ¶ 218 , ¶ 246
flags , see ACK; SYN; RST
reassembly , ¶ 62
sequence numbers , ¶ 79 , ¶ 129
timestamps , Figure 4.3 , ¶ 129
window , ¶ 62 , ¶ 88 , ¶ 106
Team Cymru , ¶ 261
television , ¶ 60
Telex , ¶ 215
terms of service , ¶ 242 , ¶ 251 , ¶ 254
threat modeling , see modeling
throttling , ¶ 14 , ¶ 17 , ¶ 69 , ¶ 70 , ¶ 82
Tibet , ¶ 88
time to live , see TTL
ciphersuite , ¶ 132 , ¶ 290
fingerprinting , ¶ 105 , ¶ 106 , ¶ 108 , ¶ 132 , ¶ 135 , ¶ 136 , ¶ 221 , ¶ 228 – 230 , ¶ 255 – 257 , ¶ 283
see also DTLS
Tokachu , ¶ 78
Toosheh , ¶ 60
Blog , ¶ 156
bootstrapping , Figure 5.5 , ¶ 200 , ¶ 201
default , ¶ 137 , ¶ 139 , ¶ 140 , ¶ 145 , ¶ 150 , Table 5.1 , ¶ 152 – 157
nicknames , ¶ 151 , Table 5.1
see also Azadi; cymrubridge31; cymrubridge33; fdctorbridge01; GreenBelt; JonbesheSabz; LeifEricson; Lisbeth; MaBishomarim; Mosaddegh; ndnop3; ndnop4; ndnop5; noether; NX01; riemann
releases of , ¶ 155 , ¶ 156 , ¶ 235 , ¶ 236
circuit , ¶ 114 , ¶ 148 , Figure 5.5 , ¶ 200 , ¶ 273
directory authorities , ¶ 85 , ¶ 196
Metrics , ¶ 156 , ¶ 197 , Figure 6.4 , ¶ 247 , ¶ 257
Project , ¶ 4 , ¶ 20 , ¶ 149 , ¶ 153 , ¶ 248
protocol , ¶ 81 , ¶ 87 , ¶ 100 , ¶ 103 , Table 4.2 , ¶ 105 , ¶ 114 , Figure 4.3 , ¶ 127 , ¶ 132 , ¶ 149 , ¶ 199
tor-dev mailing list , ¶ 4 , ¶ 228
tor-qa mailing list , ¶ 4 , ¶ 155
traceroute , ¶ 111
traffic-obf mailing list , ¶ 4
TriangleBoy , ¶ 57
Troncoso, Carmela , ¶ 54 , ¶ 99 , ¶ 139
Tsai, Lynn , ¶ 140
Tschantz, Michael Carl , ¶ 3 , ¶ 26 , ¶ 38 , ¶ 73 , ¶ 94
Tsyrklevich, Vladislav , ¶ 99
TTL , ¶ 61 , ¶ 77 , ¶ 78 , ¶ 83 , ¶ 106
tunneling , ¶ 40 , ¶ 212 , ¶ 231 , ¶ 267 , ¶ 278
Turkey , ¶ 66 , ¶ 91
TURN , ¶ 288
Twitter , ¶ 66 , ¶ 91
Tygar, J.D. , ¶ 3
type I error , see false positive
type II error , see false negative
U.S. , see United States of America
UBICA , ¶ 90
UDP , ¶ 267
unblockability , ¶ 34 , ¶ 213
United Kingdom , ¶ 76
United States of America , ¶ 6 , ¶ 78 , ¶ 147 , ¶ 172 , ¶ 201 , ¶ 214 , ¶ 247
University of California, Berkeley , ¶ 4
unobservability , ¶ 34
untrusted messenger delivery , ¶ 281
uProxy , ¶ 49 , ¶ 268
encoding , ¶ 83
filtering , ¶ 87 , ¶ 88 , ¶ 232
urllib , ¶ 125
usability , ¶ 49 , ¶ 53 , ¶ 266
User-Agent (HTTP header) , ¶ 121 , ¶ 124 , ¶ 136
Uzmi, Zartash Afzal , ¶ 84
Vempala, Santosh , ¶ 34
Verkamp, John-Paul , ¶ 89
VERSIONS (Tor cell) , ¶ 132
Ververis, Vasilis , ¶ 90
virtual hosting , ¶ 209 , ¶ 210
virtual private network , see VPN
voice over IP , see VoIP
VoIP , ¶ 41 , ¶ 57
VPN , ¶ 24 , ¶ 84 , ¶ 90 , ¶ 100 , ¶ 198 , ¶ 243 , ¶ 262
VPN Gate , ¶ 53 , ¶ 119 , ¶ 125 , ¶ 143
Wagner, David , ¶ 4
Wall Street Journal , ¶ 239
Wallach, Dan , ¶ 141 , ¶ 142
Wang, Liang , ¶ 39 , ¶ 40 , ¶ 218 , ¶ 246
Wang, Winston , ¶ 281
Wang, Xuebin , ¶ 218 , ¶ 246
Wang, Zhongjie , ¶ 62 , Table 4.2 , ¶ 112 , ¶ 187
Watson, Robert N. M. , ¶ 59 , ¶ 77 , ¶ 187
Weaver, Nicholas , ¶ 81 , ¶ 86 , ¶ 92 , Table 4.2 , ¶ 111 , ¶ 187
see also Chrome; Firefox; Tor Browser
fingerprinting , ¶ 283 – 293
media versus data channels , ¶ 289 , ¶ 292
signaling , ¶ 287
WebSocket , ¶ 225 , ¶ 266 , ¶ 267 , ¶ 277
Wegmann, Percy , ¶ 217 , ¶ 231 , ¶ 238
Wei, Bingjie , ¶ 218 , ¶ 246
West, Darrell M. , ¶ 35
whitelist , ¶ 38 , ¶ 39 , ¶ 96 , ¶ 214
Wikipedia , ¶ 79
Wilde, Tim , Table 4.2 , ¶ 105 , ¶ 106 , ¶ 108 , ¶ 114 , ¶ 132
Windows Update , ¶ 53
Winter, Philipp , ¶ 4 , ¶ 26 , ¶ 32 , ¶ 62 , ¶ 81 , ¶ 85 , ¶ 91 , ¶ 92 , Table 4.2 , ¶ 106 , ¶ 108 , ¶ 111 , ¶ 114 , ¶ 145 , ¶ 187
Winters, Patrick , ¶ 78
Wired , ¶ 64
Wolfgarten, Sebastian , ¶ 78
see also HTTP; HTTPS; web browser
Wright, Joss , ¶ 12 , ¶ 144
Wustrow, Eric , ¶ 54 , ¶ 99
www.google.com , ¶ 224 , ¶ 255 , ¶ 256
X-Session-Id (HTTP header) , ¶ 220 , Figure 6.3
Xiao, Qiang , ¶ 3
XMPP , ¶ 287
Xu, Xueyang , ¶ 79
XX-Net , ¶ 259
YouTube , ¶ 82 , ¶ 84
Yu, Harlan , ¶ 225
Zhang, Wentao , ¶ 218 , ¶ 246
Zhong, Qi , ¶ 140
Zhu, Tao , ¶ 141 , ¶ 142
Zinn, Daniel , ¶ 62 , ¶ 79
Zittrain, Jonathan , ¶ 75

University of Pittsburgh Technology Law & Policy

Internet Control or Internet Censorship? Comparing the Control Models of China, Singapore, and the United States to Guide Taiwan’s Choice

Jeffrey (Chien-Fei) Li

How to Cite

Endnote/Zotero/Mendeley (RIS)

Authors who publish with this journal agree to the following terms:

The Author retains copyright in the Work, where the term “Work” shall include all digital objects that may result in subsequent electronic publication or distribution.
Upon acceptance of the Work, the author shall grant to the Publisher the right of first publication of the Work.
Attribution—other users must attribute the Work in the manner specified by the author as indicated on the journal Web site;
Noncommercial—other users (including Publisher) may not use this Work for commercial purposes;
No Derivative Works—other users (including Publisher) may not alter, transform, or build upon this Work,with the understanding that any of the above conditions can be waived with permission from the Author and that where the Work or any of its elements is in the public domain under applicable law, that status is in no way affected by the license.
The Author is able to enter into separate, additional contractual arrangements for the nonexclusive distribution of the journal's published version of the Work (e.g., post it to an institutional repository or publish it in a book), as long as there is provided in the document an acknowledgement of its initial publication in this journal.
Authors are permitted and encouraged to post online a pre-publication manuscript (but not the Publisher’s final formatted PDF version of the Work) in institutional repositories or on their Websites prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work. Any such posting made before acceptance and publication of the Work shall be updated upon publication to include a reference to the Publisher-assigned DOI (Digital Object Identifier) and a link to the online abstract for the final published Work in the Journal.
Upon Publisher’s request, the Author agrees to furnish promptly to Publisher, at the Author’s own expense, written evidence of the permissions, licenses, and consents for use of third-party material included within the Work, except as determined by Publisher to be covered by the principles of Fair Use.
The Author represents and warrants that:
the Work is the Author’s original work;
the Author has not transferred, and will not transfer, exclusive rights in the Work to any third party;
the Work is not pending review or under consideration by another publisher;
the Work has not previously been published;
the Work contains no misrepresentation or infringement of the Work or property of other authors or third parties; and
the Work contains no libel, invasion of privacy, or other unlawful matter.
The Author agrees to indemnify and hold Publisher harmless from Author’s breach of the representations and warranties contained in Paragraph 6 above, as well as any claim or proceeding relating to Publisher’s use and publication of any content contained in the Work, including third-party content.

More information about the publishing system, Platform and Workflow by OJS/PKP.

All Stories
Journalists
Expert Advisories
Media Contacts
X (Twitter)
Arts & Culture
Business & Economy
Education & Society
Environment
Law & Politics
Science & Technology
International
Michigan Minds Podcast
Michigan Stories
Back to school: U-M experts
2024 Elections
Artificial Intelligence
Mental Health

‘Extremely aggressive’ internet censorship spreads in the world’s democracies

Kate McAlpine

Censored Planet by salvey on Sketchfab

The largest collection of public internet censorship data ever compiled shows that even citizens of the world’s freest countries are not safe from internet censorship.

A University of Michigan team used Censored Planet, an automated censorship tracking system launched in 2018 by assistant professor of electrical engineering and computer science Roya Ensafi, to collect more than 21 billion measurements over 20 months in 221 countries. They will present the findings Nov. 10 at the 2020 ACM Conference on Computer and Communications Security.

“We hope that the continued publication of Censored Planet data will enable researchers to continuously monitor the deployment of network interference technologies, track policy changes in censoring nations, and better understand the targets of interference,” Ensafi said. “While Censored Planet does not attribute censorship to a particular entity, we hope that the massive data we’ve collected can help political and legal scholars determine intent.”

News websites blocked in networks in Poland; social networking sites in Sudan

Ensafi’s team found that censorship is increasing in 103 of the countries studied, including unexpected places like Norway, Japan, Italy, India, Israel and Poland—countries which the paper notes are rated as some of the freest in the world by advocacy group Freedom House. They were among nine countries where Censored Planet found significant, previously undetected censorship events between August of 2018 and April of 2020. Previously undetected events were also identified in Cameroon, Ecuador and Sudan.

While the study observed an increase in blocking activity in these countries, most were driven by organizations or internet service providers filtering content. The study did not observe any nationwide censorship policies such as those in China. While the United States saw a smaller uptick in blocking activity, Ensafi points out that the groundwork for such blocking has been put in place in the United States.

“When the United States repealed net neutrality, they created an environment in which it would be easy, from a technical standpoint, for internet service providers to interfere with or block internet traffic,” Ensafi said. “The architecture for greater censorship is already in place and we should all be concerned about heading down a slippery slope.”

It’s already happening abroad, the study shows.

“What we see from our study is that no country is completely free,” said Ram Sundara Raman, a PhD candidate in computer science and engineering at U-M and the first author on the paper. “Today, many countries start with legislation that compels internet service providers to block something that’s obviously bad like child sex abuse material. But once that blocking infrastructure is in place, governments can block any websites they choose, and it’s usually a very opaque process. That’s why censorship measurement is crucial, particularly continuous measurements that show trends over time.”

Norway, for example—tied with Finland and Sweden as the world’s freest country according to Freedom House—passed a series of laws requiring internet service providers to block some gambling and pornography content, beginning in early 2018. But in Norway, Censored Planet’s measurements also identified network inconsistencies across a broader range of content, including human rights websites like Human Rights Watch and online dating sites like match.com.

Similar tactics show up in other countries, often in the wake of large political events, social unrest or new laws. While Censored Planet can detect increases in censorship, it cannot identify any direct connection to political events. It’s also important to note that it’s not always government-demanded network censorship that leads to websites being unreachable, though.

Some news websites were blocked in a few networks in Japan during the G20 Summit in June of 2019. News, human rights, and government websites saw a censorship spike in certain networks in Poland while a series of protests occurred in July of 2019, and social media websites were blocked in Sri Lanka after a series of bomb blasts in the country in January 2019. Some online dating websites were blocked in India after the country repealed laws against gay sex in September of 2018.

Censored Planet releases technical details for researchers, activists

Roya Ensafi. Image credit: Joseph Xu, Michigan Engineering

The researchers say the findings show the effectiveness of Censored Planet’s approach, which turns public internet servers across the globe into automated sentries that can monitor and report when access to websites is being blocked. Running continuously, it takes billions of automated measurements and then uses a series of tools and filters to analyze the data, removing noise and teasing out trends.

The paper also makes public technical details about the workings of Censored Planet that Sundara Raman says will make it easier for other researchers to draw insights from the project’s data. It will also help activists make more informed decisions about where to focus their efforts.

“It’s very important for people who work on circumvention to know exactly what’s being censored on which network and what method is being used,” Ensafi said. “That’s data that Censored Planet can provide, and tech experts can use it to devise circumventions for censorship efforts.”

Censored Planet’s constant, automated monitoring is a departure from traditional approaches that rely on volunteers to collect data manually from inside the countries being monitored. Manual monitoring can be dangerous for volunteers, who may face reprisals from governments. The limited scope of these approaches also means that efforts are often focused on countries already known for censorship, enabling nations that are perceived as freer to fly under the radar. While censorship efforts generally start small, Sundara Raman says they could have big implications in a world that is increasingly dependent on the internet for essential communication needs.

“We imagine the internet as a global medium where anyone can access any resource, and it’s supposed to make communication easier, especially across international borders,” he said. “We find that if this upward trend of increasing censorship continues, that won’t be true anymore. We fear this could lead to a future where every country has a completely different view of the internet.”

The paper is titled “ Censored Planet: An Internet-wide, Longitudinal Censorship Observatory. ” The research team also included former U-M computer science and engineering student Prerana Shenoy, and Katharina Kohls, an assistant professor at Radboud University in Nijmegen, Netherlands. The research was supported in part by the U.S. National Science Foundation, Award CNS-1755841.

Clarifications: This story has been updated to include additional nuance about the research, including: The names of the Wall Street Journal and Washington Post websites were removed from the subhead and the body of the story because the instance of blocking was only observed in one network and may be a case of misconfiguration rather than censorship.

More information:

Roya Ensafi
Ram Sundara Raman

412 Maynard St. Ann Arbor, MI 48109-1399 Email [email protected] Phone 734-764-7260 About Michigan News

Engaged Michigan
Global Michigan
Michigan Medicine
Public Affairs

Publications

Michigan Today
The University Record

Search Menu
Sign in through your institution
Advance articles
Author Guidelines
Submission Site
Open Access
Why Submit?
About International Studies Perspectives
About the International Studies Association
Editorial Board
Advertising and Corporate Services
Journals Career Network
Self-Archiving Policy
Dispatch Dates
Journals on Oxford Academic
Books on Oxford Academic

Article Contents

Protocols in practice, conclusion: moving forward, online surveillance, censorship, and encryption in academia.

Article contents
Figures & tables
Supplementary Data

Leonie Maria Tanczer, Ronald J Deibert, Didier Bigo, M I Franklin, Lucas Melgaço, David Lyon, Becky Kazansky, Stefania Milan, Online Surveillance, Censorship, and Encryption in Academia, International Studies Perspectives , Volume 21, Issue 1, February 2020, Pages 1–36, https://doi.org/10.1093/isp/ekz016

Permissions Icon Permissions

The Internet and digital technologies have become indispensable in academia. A world without email, search engines, and online databases is practically unthinkable. Yet, in this time of digital dependence, the academy barely demonstrates an appetite to reflect upon the new challenges that digital technologies have brought to the scholarly profession. This forum's inspiration was a roundtable discussion at the 2017 International Studies Association Annual Convention, where many of the forum authors agreed on the need for critical debate about the effects of online surveillance and censorship techniques on scholarship. This forum contains five critiques regarding our digitized infrastructures, datafied institutions, mercenary corporations, exploitative academic platforms, and insecure online practices. Together, this unique collection of articles contributes to the research on academic freedom and helps to frame the analysis of the neoliberal higher education sector, the surveillance practices that students and staff encounter, and the growing necessity to improve our “digital hygiene.”

Resumen: Internet y las tecnologías digitales se han tornado indispensables en el ámbito académico. Resulta prácticamente imposible pensar en un mundo sin correo electrónico, motores de búsqueda y bases de datos en línea. Así y todo, en esta era de dependencia digital, los académicos apenas demuestran un deseo de reflexionar sobre los nuevos retos que las tecnologías digitales han traído consigo a las profesiones especializadas. La inspiración de este foro fue una discusión planteada en una mesa redonda en el marco de la Convención Anual de 2017 de la Asociación de Estudios Internacionales, donde muchos de los autores del foro coincidieron en la necesidad de un debate crítico acerca de los efectos de las técnicas de vigilancia y censura en línea que enfrentan los académicos. Este foro contiene cincos reseñas relacionadas con nuestras infraestructuras digitalizadas, instituciones datificadas, corporaciones mercenarias, plataformas académicas explotadoras y prácticas en línea inseguras. En su conjunto, esta colección única de artículos contribuye a la investigación sobre la libertad académica y ayuda a enmarcar el análisis del sector neoliberal de la enseñanza superior, las prácticas de vigilancia con las que se encuentran los estudiantes y el personal, y la necesidad cada vez mayor de mejorar nuestra «higiene digital».

Extrait: Internet et les technologies digitales sont devenus indispensables dans le milieu universitaire. Un monde sans e-mails, moteurs de recherche et bases de données en ligne est pratiquement impensable. Cependant, dans cette ère de dépendance digitale, le milieu universitaire ne semble pas préoccupé par les nombreux défis que posent les technologies digitales dans les professions universitaires. Cette tribune a été inspirée par le débat d'une table ronde lors de la Convention annuelle de l'Association d’études internationales de 2017, où un grand nombre d'auteurs dans l'assemblée ont convenu de la nécessité de lancer un débat critique sur les effets de la surveillance et des méthodes de censure en ligne sur le savoir universitaire. Cette tribune formule cinq critiques à l'encontre de nos infrastructures numérisées, des institutions pilotées par les données, des entreprises mercenaires, des plateformes universitaires abusives et des pratiques en ligne non sécurisées. L'ensemble des articles de cette collection unique contribue à la recherche sur la liberté universitaire et aide à encadrer l'analyse du secteur néolibéral de l'enseignement supérieur, les pratiques de surveillance rencontrées par les étudiants et le personnel et la nécessité grandissante d'améliorer notre «hygiène digitale».

Articles in This Forum

Introduction

Leonie Maria Tanczer

Rescuing the Internet for Academic Freedom

Ronald J. Deibert

Digital Communication, Surveillance and Academic Freedom in The Transnational Universes of Competing Homo Academicus(es) Institutions

Didier Bigo

University Life Corporatizing the Digital: Academic Agency Interrupted?

M.I. Franklin

Surveillance and The Quantified Scholar: A Critique of Digital Academic Platforms

Lucas Melgaço and David Lyon

Infrastructure and Protocols for Privacy-Aware Research

Becky Kazansky and Stefania Milan

L eonie M aria T anczer

University College London

This forum on online surveillance, censorship, and encryption is more than overdue. The Internet and the use of digital technologies have become indispensable in academia. A world without email, search engines, and online databases is practically unthinkable, and scholars and students are equally reliant on the ability to collect, store, and distribute data as well as post, tweet, and upload their work. Yet, in this time of digital dependence, the academy barely demonstrates an interest in reflecting upon the new challenges that information and communication technologies have brought to the scholarly profession. While some of us may study the misuse of technological capabilities by state and nonstate actors, critique border technologies, or examine global surveillance structures, we have been rather silent about the potential detriments that the Internet and data's inadvertent use have brought to our field, our students, and our participants.

This discussion goes also hand in hand with the threat to academic freedom that the higher education sector, and international relations in particular, are experiencing. Academic freedom implies that both faculty members and students can engage in intellectual debates without fear of censorship or retaliation. It means that the political, religious, or philosophical beliefs of politicians, administrators, and members of the public cannot be imposed on students or staff ( Mills 2002 ; Falk 2007 ). However, an eerie and uncomfortable feeling arises when observing the creeping interference and rising managerial oversight at universities across the globe. While threats to academics are certainly not new ( Mittelman 2007 ) and well-known social scientists have been subject to surveillance already in the past ( White 2008 ), the scale and extent of risks that scholars presently face has significantly risen.

Indeed, the examples of such dangers are stockpiling. In the United Kingdom, the “prevent” duty as part of the Counter Terrorism and Security Act 2015 led to chilling effects on campuses ( Bentley 2018 ; Cram and Fenwick 2018 ; Spiller, Awan, and Whiting 2018 ) and fostered a climate of fear especially among Muslim students and staff ( Gilmore 2017 ). In autumn 2018, an essay by the political theorist Norman Geras was deemed “security-sensitive” because his argument that people may legitimately revolt against tyranny and grave social injustice was seen as potentially drawing students into terrorism ( Courea 2018 ). Similarly, in Australia, the expanding counterterrorism reach led to a Sri Lankan student being falsely arrested on terror charges ( Fattah 2018 ). The new “national interest test” gives ministers the right to block funding applications standing in alleged opposition to Australia's security, strategic interests, and foreign policy ( Koziol 2018 ).

In addition to these measures built upon suspicions held against minorities, US academics report increased online harassment by right-wing white supremacist groups ( Ciccariello-Maher 2017 ). Scholars further fear the adverse consequences—especially for women—arising from the recording of lectures and conferences ( Galpin 2018 ). These developments are happening along with the drive for “smart” campuses and classrooms that permit the monitoring of both students and staff ( Muhamad et al. 2017 ; Edwards, Martin, and Henderson 2018 ; Hope 2018 ) and are promoted on the premise of “student protection” or the “personalization” of learning experiences ( Herold 2018 ).

Looking to other parts of the world, cases such as the death of the Italian PhD student Giulio Regeni in Egypt ( Peter and Strazzari 2017 ), the imprisonment of the UK PhD student Matthew Hedges in the United Arab Emirates ( BBC News 2018b ), and the dismissal of more than 6,000 Turkish academics cause great concern ( Anonymous 2017 ; Namer and Razum 2018 ). In fact, I could go on: there are the ominous implications of the Protection of State Information Bill on researchers in South Africa ( Duncan 2018 ); the censure of academics by the General Intelligence and Security Service in the Netherlands ( Van Der Sloot 2017 ); the expansion of the Chinese censorship and surveillance apparatus into academic partnerships, professorships, and publishers ( Brady 2017 ; Else 2017 ; Dukalskis 2018 ); the forced relocation of the Central European University (CEU) from Budapest to Vienna ( Enyedi 2018 ); or the recent confiscation of higher education teaching materials by the military police in Brazil ( Guardian 2018 ). Nonetheless, I would not be done and the examples continue.

This Relates to All of US

The examples of threats to academic freedom stretch from the Global North to the Global South, and in recent years they have steadily become the norm. What many of these instances have in common is not only the perceived hazard that critical research, students, and scholars pose to the status quo, but the fundamental need by state authorities to control and to manage. For states, administrators, and industry actors the surveillance of the higher education sector has become so much easier with the rise of technological capabilities. One does not need to worry that criticism, subversion, and unionism are left unnoticed and potentially even go unpunished.

Digital communication systems, online learning and storage platforms, and, most recently, the pervasiveness of Internet-connected devices simplify the monitoring of our activities and viewpoints. Additionally, what we share, read, and reference in our research and what we say, critique, and do in our teaching are all subject to scrutiny. Just as academics have become in essence replaceable numbers—whether our staff identifier, our ORCID iD, or our h-index—our metrics are there to be compared and contrasted, to steadily justify the higher education sector's surveillance and censorship means on the premise of quality assurance, efficiency, as well as impact generation (see the essays by Bigo and Melgaço and Lyon in this forum).

Unfortunately, we are far too often blissfully ignorant to online privacy and security considerations. Many scholars will disregard this forum on the assumption that “this will never affect me.” They will feel assured about their status, comfortable with the academy's widespread “technophobia,” and believe their research is “unimportant” and “uncontroversial” enough to be of little concern to anyone. They will thereby overlook their colleagues in less secure employment situations, discounting the changing social, geopolitical, and technological transformations, or perhaps forget that their own students or coworkers are operating their laptops when going on fieldwork in conflict regions and use their phone to audiotape interviews with subject at risks.

While certain academics might not feel concerned or moved by the examples discussed above, digitally supported censorship and surveillance take many forms, including having one's work and data accidentally or deliberately tampered with, stolen for their intellectual and commercial value, or unwillingly released, held ransom, or locked behind a paywall or nationally imposed restrictions ( Peisert and Welch 2017 , 94). In our posttruth era where simplistic slogans, anti-expert sentiments, and disinformation persist, dealing with these developments proves particularly challenging when studying politically sensitive or controversial topics.

Some of us may have considered the abuse, attacks, and online harassment directed at female, black, Asian, and minority researchers ( Marwick, Blackwell, and Lo 2016 ). Some of us may think more than twice before publishing a particular article or hitting send on an email or tweet. Some of us may have already given in and begun to actively practice self-censorship and risk aversion for the sake of not being perceived as controversial. With all this in mind, we should no longer ask the “why me?” but rather the “what if?” question ( Peisert and Welch 2017 , 94).

Why This Forum and Why Now?

This forum was sparked by a roundtable discussion at the 2017 International Studies Association Annual Convention in Baltimore. In the course of it, many of the featured authors discussed the challenges for the academic profession arising from information and communication technologies. The growing reliance on digital tools to collect, store, and distribute data was at the heart of our conversation, as were the potential detriments of their inadvertent use. The panelists agreed that current technological developments require a critical debate on the way scholars potentially can be affected by online surveillance and censorship techniques. The roundtable discussion aimed to pinpoint some of these dangers and assess the technical and legal boundaries for scholarly work; not all of these topics are addressed here.

In line with our conversations in 2017, in this forum we hope to continue the conversation on the implementation of encryption tools in the daily academic profession. As recent events and the many cases featured here show, the incautious use of digital tools cannot only impede research participants, but also academics themselves. Raising awareness of the issue is particularly important for scholars who work in countries where online surveillance is omnipresent and where researchers engage with vulnerable groups.

The forum situates itself next to publications released in recent years, ranging from the special issue in International Studies Perspectives on “Academic Freedom in International Studies” (2007), the forum in the Journal of Global Security Studies on “Censorship in Security Studies” (2016), as well the issue on “Academic Freedoms in Turkey” in Globalizations (2017). This forum also embeds itself within the myriads of articles on the topics of which, unfortunately, only a small fraction are discussed here. Additionally, this forum fosters the expansion of digital skills and privacy and security best practices in academia ( Tanczer 2017 ). Since the roundtable in 2017, three so-called “CryptoParties”—digital security trainings—for academics have occurred at the ISA annual convention (2017, 2018, 2019).

The Current Forum

The forum centers around five concrete themes and aims to speak to all actors within the higher education sector, including established academics, early career scholars, PhD candidates, undergraduate students, as well as university administrators. Each article emphasizes a different issue: an extensive critique of our digitized infrastructures (Deibert), datafied institutions (Bigo), mercenary corporations (Franklin), exploitative academic platforms (Melgaço and Lyon), and insecure online practices (Kazansky and Milan). Due to this diverse focus, the essays fundamentally question the neoliberal academy, reveal the daily surveillance practices that students and staff encounter, and point to the necessity to improve our digital practices. In many ways, the forum is a commentary on the marketized regime that has hit the academic community with its dataficaton, digitalization, and managerialism and found a flourishing breeding ground in our halls, classrooms, and campuses.

The first essay by Deibert focuses on the fundamental question of how the Internet, which was created in and prospered through its use by universities, is no longer the same infrastructure nor based on the same principles it once was. Deibert articulates concerns on the growing scale of Internet surveillance and censorship, which is routinely practiced in both public and private spaces, including universities and libraries. He sees a need for more digital security awareness in the scholarly profession. The latter has become prone to phishing schemes ( Changchit 2017 ) and targeted espionage ( BBC News 2018a ). Despite these risks and the expansion of third-party intermediaries, academics still seem to perceive digital security as something left to IT departments. Deibert therefore calls the higher education sector into action.

Shifting the focus away from the technical infrastructure, Bigo's essay critiques the move toward surveillant forms of governance and evaluation in research. The rise of administrative control over academics finds particular manifestation in the United Kingdom, where metrics such as the Research Excellence Framework, the Teaching Excellence Framework, and the Knowledge Exchange Framework assess, among others, scholars’ publication output, income generation, student evaluations, and policy impact. This “audit culture” equally affects academics across Europe, the United States, New Zealand, and Australia ( Ruth et al. 2018 ). For Bigo, this transformation decreases the freedom and autonomy upon which universities were built and solidifies a fetishism of numbers that reinforces a dominance of the average. In this climate, the surveillance of the “academic worker” is eased by technological means that have become tools to restrain, manage, and censor.

The third contribution by Franklin emphasizes the role that commercial actors such as Google , Amazon , and Facebook play in the datafication of the university and the monitoring of students and staff. Tech giants are increasingly subcontracted to offer services to academic institutions. They have made the higher education sector reliant on their products, including email clients, cloud storage facilities, and analysis programs. Despite businesses’ intrusive data collection, the seamless convenience that these systems provide as well as the “technophobia” that scholars frequently uphold hamper the adoption of better security and privacy practices. Franklin consequently defends the implementation of encryption tools and technical skills into the scholarly profession. We should not see good digital security and encryption as a hindrance to our work, Franklin argues, but rather as an enabler that guarantees independent research.

Melgaço and Lyon follow up on Franklin's critique and hone in on digital academic platforms such as ResearchGate and similar sites such as Academia.edu. The authors do not only consider them as services that academics voluntarily engage in, but as manifestations of self-branding dynamics to increase one's own as well as one's institutions visibility. Melgaço and Lyon use the concepts of surveillance capitalism and surveillance culture to analyze the success of these publishing platforms, on which teachers and students have become reliant. Together, the forum contributions by Bigo, Franklin, and Melgaço and Lyon focus on “function” or “surveillance creep” ( Marx 1988 ). The essays showcase how part of the control imposed upon academia is deriving from the use of technologies for purposes that they were not originally designed for nor envisioned ( Edwards et al. 2018 , 8).

The final contribution by Kazansky and Milan effectively closes this forum. The authors share a set of privacy-conscious digital security practices that can help academics to engage in responsible research amid the surveillance and censorship processes other authors have highlighted. Their article follows on previous publications that provide digital security advice to academics ( Marwick et al. 2016 ; Tanczer et al. 2016 ; Owens 2017 ; Reeder, Ion, and Consolvo 2017 ) and publications that emphasize how to conduct empirical research, especially fieldwork in authoritarian regimes ( Peter and Strazzari 2017 ; van Baalen 2018 ). Kazansky and Milan discuss the responsibility of scholars for protecting vulnerable groups and their networks that must be shielded from present or future means of surveillance and repression. The essay offers an important contribution especially to those actively engaged in ethnographic research and ends the forum on a hands-on, practical note that future work in this space can update and amend as apps and programs will change.

Read, Enjoy, Reflect

Together, this unique collection of essays contributes to the growing body of research on the topic of academic freedom, as well as the imperative work on digital censorship and surveillance. The forum represents different voices, perspectives, and experience, all of which echo an increasingly panopticon state of the academy. Each contribution concludes with practical recommendations to guide scholars’ future action. Collectively all authors invite each and every researcher, student, and interested party to question practices and assumptions about the use of technology in our academic profession. We encourage readers to reflect upon held assumptions and to engage in meaningful as well as privacy- and security-sensitive behaviors that do not endanger academics or other members of our departments, academic community, and society. The forum, therefore, hopes to frame a discussion of how our reliance on insecure infrastructures, commercial tech giants, and controlling university administrations threatens free and independent research.

R onald J. D eibert

University of Toronto

Twenty years ago, I published an article in the journal International Organization entitled “Virtual Resources: International Relations Research Resources on the Web” ( Deibert 1998 ). The article was a guide for IR theorists to the (at the time) new medium of communications called “the World Wide Web.” It is hard to believe how recently such an article was written that describes a communications system we now take entirely for granted as something novel and almost entirely beneficial. How times have changed.

The Internet was largely born of the university and designed as a means to facilitate networking, collaboration, information access, and sharing of scarce resources ( Abbate 1999 ). Over time, however, the Internet has been vastly transformed. It exploded in popularity outside of the academic community to include businesses, civil society, government, and many others. Most of this dramatic growth occurred because of commercialization and systems that facilitated ease of use. While the basic protocols that underpin the Internet remain in place, the devices and applications we deploy, and the large companies that run them, have fundamentally reoriented the infrastructure in ways that would be unrecognizable to the Internet's early pioneers. Today our Internet experiences are principally mediated by always-connected mobile devices containing dozens of applications that push content and services while collecting information about us and our habits ( Zittrain 2008 ).

The political and security context surrounding the Internet has also changed dramatically. In its early days, most governments took a hands-off approach to Internet policy to encourage economic innovation. Over time, as Internet security issues mounted, and as the Internet spread beyond the United States and to the developing world, governments have become far more interventionist ( Deibert 2013 ). The Internet has become an object of intense struggle for geopolitical advantage and the exercise of political power. Many governments have already or are in the process of developing cyberwarfare capabilities. Internet censorship and surveillance have become normalized, and a huge market for cybersecurity products and services has provided authorities with means to undertake extensive information controls.

In short, what started as an infrastructure for academics has become something entirely different within which students and researchers are now completely enmeshed. That infrastructure may no longer serve academic scholarship in ways the original designers envisioned; indeed, it threatens to undermine it. In what follows, I review some of these more troubling trends and make recommendations for mitigating them.

Growing Internet Censorship

The Internet was designed to facilitate seamless sharing of information. As it has grown, so too have concerns around access to controversial content and, thus, restrictions. Internet censorship is practiced routinely now in schools, libraries, businesses, and on a national scale. A growing number of countries routinely filter, throttle, or otherwise interfere with access to the Internet, including liberal democratic countries ( Deibert et al. 2008 ). Controlling information is also big business: cybersecurity companies make millions selling technologies that shape, restrict, and deny access to information on behalf of governments.

Internet censorship can take place at different points across the network. In many countries, keywords and websites are filtered as they pass through Internet gateways at national borders. However, these national-level firewalls can be prone to under- and overblocking and bypassed using circumvention technologies. As a consequence, it is now common for governments to mandate that Internet companies police their own networks, effectively “downloading” Internet censorship to the private sector. In China, for example, Internet companies are required to police their users, monitor chats and forums, and share information with the government's security services on demand ( Liang et al. 2018 ). This requirement not only means that information controls extend deeper into the application layer of the Internet, but also that Internet users experience a diversity of information controls.

Restricted content can vary widely as well, from pornography to religious material, to content critical of governments such as human rights reports or opposition websites. In many countries, including China, Saudi Arabia, Turkey, and Uzbekistan, access to portions, or even the entirety, of Wikipedia are filtered ( Zittrain et al. 2017 ). Many liberal democratic countries also censor the Internet for hate speech, extremism, and copyright violations. Internet service companies such as Google , Facebook , and Twitter now routinely struggle with incessant demands from governments for removal of content or policing of networks, particularly content related to terrorism.

Internet censorship may happen in response to specific events, such as controversial anniversaries, elections, demonstrations, or discussion of sensitive topics. The most drastic form of information control is when the Internet is shut down entirely, defined as “just-in-time” blocking ( Deibert et al. 2008 , 7). Just-in-time blocking reflects a recognition that information has its most strategic value at critical moments. Access Now, an Internet advocacy group, has been tracking Internet shutdowns as part of its #KeepitOn campaign. It found more than 55 instances of Internet shutdowns in 2016 alone and 61 in the first three-quarters of 2017 ( Dada and Micek 2017 ). Shutdowns can occur in specific regions or even neighborhoods. They can affect specific services or applications, such as when mobile services are disconnected. Governments have given many reasons for these disruptions, from quelling unrest to stopping students from cheating on high school exams. The latter is particularly noteworthy for its impact on academia. Access Now has documented more than 30 intentional disruptions to the Internet by authorities ostensibly to prevent cheating on exams ( Olukotun 2017 ).

Interferences with Internet access can have varying degrees of transparency. In some cases, when users attempt to access banned content, they are presented with a block page. In other cases, no information is provided at all, or block pages are presented as network errors in order to disguise censorship. For instance, a report in the wake of the death of human rights activist Liu Xiabo found that WeChat silently removed images of Liu that were sent on one-to-one and group chat messages ( Crete-Nishihata et al. 2017 ). Neither sender nor recipients were notified that images were removed, leaving both in the dark as to what had occurred.

University networks are the entry points for both students and staff to connect to the wider Internet, but they are, in turn, embedded within a country's infrastructure and subject to the information controls described above. What was once envisioned as a seamless web of information has become, instead, something much more fragmented and distorted. These barriers have tangible impacts on academic freedom, frustrating and denying the pursuit of information. Scholars can experience entirely different “Internets” depending not only on the country in which they are located, but also the internet service provider, device, or even application they use. Restrictions on access to controversial content, such as that related to terrorism, can inhibit important research on the topic itself ( Tanczer et al. 2016 ). The most basic of functions that the Internet was meant to provide for academics—an entry point to a common pool of shared resources—is now littered with a growing thicket of opaque barriers.

Growing Role of Internet Intermediaries

One of the biggest changes associated with the Internet has been the emergence of large private companies in which data and services are concentrated: companies such as Facebook , Google , and Twitter . These companies have become important gatekeepers of information. They are the principal avenues through which information is accessed, archived, and shared—with important implications for academic research.

First, their proprietary algorithms can shape, distort, and limit access to information and freedom of speech in critical ways. Beyond compliance with government regulations described earlier, companies push and pull information as part of their core business model that involves fine-grained surveillance of users for advertisement promotion ( Flyverbom, Deibert, and Matten 2017 ). The implications of this for academic inquiry can be seen most simply in the use of search engines. Whereas, a few decades ago, an academic's search might have begun in the indexes of the library, today they begin with a search engine such as Google . Google's and other companies’ search engines do not produce unbiased results but rather results on the basis of proprietary algorithms (i.e., the rules that govern the search methods). Algorithm inputs can include browsing history, prior search results, user geolocation, and more. The actual results of specific searches can thus vary by user and location, shaped by the company's commercially driven algorithms ( Epstein and Robertson 2015 ).

A second way in which these companies affect academic inquiry is through reliance on their services. Many academics and universities use Google , Microsoft , Dropbox , and other cloud service providers to host their information or email services (see Franklin in this forum). Information that used to be stored on desktops or behind locked doors has been pushed to the “cloud.” While the metaphor of the “cloud” suggests something intangible, in practice it means data stored on servers in some specific physical location, transmitted through cables or other media, in some cases crossing several national jurisdictions. While there are unquestionable gains in one form of security and convenience, there are substantial tradeoffs in privacy and other types of security. The Snowden disclosures showed vividly how American and other national security agencies access customer data contained in clouds through lawful access requests and other means ( Bohaker et al. 2015 ). Academics who rely on cloud services can unwittingly expose their sensitive data not only to governments, but also to numerous third parties with whom companies share that information.

Third, these companies control massive repositories of data that are actually relevant to critical research topics. The less researchers know about how this data is used to shape and limit users’ communications experiences, the less they can authoritatively claim to know about what are arguably some of the most important public policy issues of the day, from privacy, to censorship and surveillance, to disinformation, or radical extremism. Who exactly can access information companies consider proprietary is something that the companies themselves dictate, not always transparently or fairly ( Boyd and Crawford 2011 ).

Lastly, and relatedly, companies can affect the nature of research more directly, by funding certain types of research while excluding support for others. Internet companies have become among the wealthiest companies in the world. Apple , Alphabet (the parent company of Google and YouTube ), Facebook , and Microsoft have market valuations in excess of hundreds of billions of dollars. As recent controversies have shown ( Solon 2017 ), companies whose business model rests on surveillance of users’ online behaviors are unlikely to sponsor research that undermines that model or helps users become aware of just how much they are giving away. Companies will also not likely look favorably on research that highlights embarrassing collusion with governments on surveillance or censorship.

Mass Surveillance

The Internet's initial architects almost certainly did not foresee the way it has become one of the greatest tools of mass surveillance in human history. There were three separate but complementary driving forces in this unintended development. The first is the explosion in state surveillance practices in which digital data analysis is a key component—a trend accelerated with the events of September 11, 2001, and continuing with the seemingly unending war on terror. The second is the rise of the “datafication” economy, at the heart of which is the exchange of personal information for free services and the value-added analysis of that data for advertisement ( Dijck 2014 ). The third is a new culture of auto-surveillance—the voluntary sharing of fine-grained details of personal lives. Internet users leave digital traces wherever they go and whatever they do, even traces of which they are unconscious, such as the metadata that is broadcast by their mobile devices as they carry them in their pockets. These digital traces are vacuumed up, analyzed, shared, and sold by both states and governments, fueling a new cybersecurity industry where big data meets big brother ( Deibert 2013 ).

Although it is too early to conclude definitively about its impact, there are signs this new era of mass surveillance will negatively influence academic freedom. In a pioneering study of the topic, Penney (2016) analyzed editorial contributions to sensitive Wikipedia topics and found that those contributions markedly declined in the wake of the June 2013 Snowden disclosures. People behave differently when they suspect observation. They are less likely to take risks for fear of legal or other sanctions. Overall, this chilling effect induces conformity and self-censorship, both contrary to principles of academic freedom.

While the climatic impacts observed by Penney (2016) are noteworthy, there may be other more direct implications of mass surveillance for academic freedom and security. Governments or companies that know what a person is studying can take steps to “neutralize” the research, even if a scholar or student resides in a different country. In this instance, academics communication patterns could put study subjects or partners at risks, and result in adverse consequences for individuals in places abroad ( van Baalen 2018 ).

Targeted Digital Espionage

Mass surveillance refers to wholesale collection of large volumes of data. Targeted digital espionage refers to clandestine operations aimed at collecting data from specific individuals or organizations by compromising networks or devices. Numerous governments are known to conduct targeted digital espionage, against each other, businesses, and civil society. Over the last ten years, the interdisciplinary Citizen Lab (2014) has documented an epidemic of targeted digital espionage campaigns against a broad cross-section of civil society groups, including journalists, activists, lawyers, human rights defenders, and academics. These operations undermine civil society organizations’ core missions, sometimes as a nuisance or resource drain, more seriously as a major risk to individuals ( Scott-Railton 2016 ).

Academics are especially vulnerable to targeted digital espionage. Scholars share information, click on attachments, open emails, and access online resources perhaps more intensively than any other sector of society. As a professor in a typical day, I may receive dozens of emails containing attachments from students, fellow researchers, foundations, or others, many of whom I do not know personally or trust. As a professional expert on digital security, I am aware of the risks and take precautions. But many of my colleagues are not. Meanwhile, there is very little systematic digital security support for academics ( Tanczer et al. 2016 ). Some departments have a single IT person who is overwhelmed with a range of tasks, while others may have no one. Trainings are virtually nonexistent, and those that do happen are often one-off experiences with little ongoing support. Folk wisdom is passed around, not all of which is reliable and some of which is counterproductive. Ironically, the very principles that underpinned the Internet's original success—the sharing of scarce resources in a largely neutral fashion on the basis of trust—have become vectors for large-scale insecurity. Academics involved in or researching controversial topics are particularly at risk of targeted digital espionage and may not even know it.

Scholars find themselves working in an infrastructure no longer of their own choosing. While that infrastructure can still facilitate research, it has also become a hindrance and even a threat. It might be tempting in light of these trends to become a Luddite, to question the utility of all technology and detach from the digital world altogether. Not only would that choice be highly impractical, it would do a disservice to the original motivating principles that gave rise to the Internet in the first place. In a tightly compressed world with many shared problems, academics need a shared and secure commons of information and communications. Rather than reject the Internet, we need to rehabilitate and rescue it.

First and at a most basic level, digital security requires more systematic attention. Fortunately, some companies have already started to raise the security bar for all users, which in turn will affect academics. There are also more security products being designed that are user friendly, which will empower users to be safer online. But new products and applications alone will not suffice; academic behavior needs to change as well. Academics are accustomed to freely sharing digital information and clicking on documents, attachments, and links with carefree abandon. Sharing is still essential, but norms and practices around exactly how we share will require systematic rethinking. Digital hygiene—as discussed in more depth by Kazansky and Milan (in this forum)—must be seen as foundational to, rather than an accessory to, academic life. Universities and departments should make the necessary investments in digital security accordingly to protect academic inquiry from the threats described above. Professional associations and journals also have an important role to play as norm entrepreneurs in this respect.

Second, the broader trends described will require a longer-term and more comprehensive approach. Here it is important to remind ourselves as academics that the Internet was largely born out of the university. The university as an institution, and each of the specific disciplines that comprise it, have a special obligation to play to protect and preserve the commons of information as an arena of access to information, freedom of speech, and privacy. This will require more direct engagement with Internet governance from the international level through all layers of the Internet, down to the forums within which standards and regulations are set. The headlong rush into cybersecurity has securitized these forums in ways that have privileged private sector and secretive government agencies ( Deibert 2015 ). Academics must reinsert themselves into these processes and push for greater transparency and accountability (Franklin in this forum).

Beyond advocating for principles, academics should work collaboratively to expose rights-infringing practices of both states and companies. Rigorous, evidence-based research is a powerful means to shed light on what is happening beneath the surface, whether the latter involves proprietary algorithms, commercial spyware, or nation-state surveillance ( Bodo et al. 2017 ). Part of this effort should involve shoring up defenses against emerging threats to certain modes of analyses that will be essential to such a mission. Reverse engineering—broadly construed as “hacking” in the original sense of the term—should not only be seen as a right of inquiry but an essential ingredient of a critical democratic society. You cannot question what you cannot see or know.

Engaging in scientific research of all kinds is inextricably linked to access to information, free expression, and privacy. While the Internet was created by academics to help facilitate these principles, it has transmogrified into an entirely different creature that now threatens to undermine them. The time has come to take it back.

Digital Communication, Surveillance, and Academic Freedom in the Transnational Universes of Competing Homo Academicus(es) Institutions

D idier B igo

King's College London, Sciences Po Paris

In line with my fellow coauthors, I consider it is central for academics to learn how to manage their digital communications and to have an informed knowledge about the technical measures required to protect their and their participant's data from third-party intrusions. However, too few understand that we do not only have to train researchers on the requisite for digital security in sensitive domains of inquiry, but we also must question how universities’ administrative authority over academics may itself turn into a form of control and be reframed for the purpose of internal surveillance.

We are far from a social universe in which education is considered a “public service” and a necessary public expenditure; where one's mother tongue is defended against the hegemonic position of large-scale, English-speaking education institutions ( Altbach 2008 ); or where pedagogy takes precedence over global branding techniques. Rather, education has become a profitable activity—one where competition on delivering diplomas has converted teaching and learning into a “sale” ( Jessop 2018 ) and where the top universities invest increasingly in noneducational resources and introduce mediated administrative specialists that intervene into the face-to-face relation between teachers and students.

This reconfiguration of power inside the university—with its top administration more or less independent from its academic staff—has played out around the mastering of digital and distant technologies ( Lupton, Mewburn, and Thomson 2017 ). Thus, I want to highlight why surveillance in academia is the result of the previous acceptance of digitization, datafication, and evaluation. The present essay embeds this surveillant transformation within the context of the Anglo-American higher education sector and is split into two parts.

First, I discuss the importance of protecting scholarly communication from the danger of external commercial and malicious access or internal bureaucratic oversight and recording. Tools of countersurveillance for complicating the collection of personal data and protecting privacy against institutional logics exist (Kazansky and Milan in this forum). Yet, these techniques are by themselves not the solution against online surveillance within the higher education sector and will not save “academic freedom” as such.

Second, I will question the conditions allowing academics to critique institutional powers in the contemporary climate. Indeed, an internal bureaucracy of surveillance and evaluation practices of pedagogic activities are prevalent. Yet, they are only a visible part of some more profound transformations of the everyday life of the different “homo academicus(es)” that populate the transnational field of higher education to date ( Bourdieu 1988 ).

Together, both points direct scholars to scrutinize the neoliberal, controlling changes academic institutions are undergoing. But, in terms of reflexivity, this is not enough. Researchers and professors have to critically evaluate the forms of symbolic power and violence existing inside the university and untangle a discourse presenting the academy as either a “community” led by the pastorate of top administration or as the innocent “prey” of external forces of capitalism. To achieve this, we have to use and defend our academic freedom to act collectively in order to alter our conditions of work and accept that compliance is not the only way of behaving in this surveillant environment.

When Online Communication Becomes Online Surveillance

Academic freedom means a positive liberty, an “obligation” for scholars to be creative, original, and even dissident in their research and teachings. A scholar is not a coach nor a repeater; our independence implies an intellectual obligation to challenge conformist majorities, be they from government, companies, or civil society. Yet, academic freedom is increasingly being contested, especially online ( Falk 2007 ; Mittelman 2007 ; Tanczer et al. 2016 ). Universities manage the traffic as well as monitor the metadata and content of emails or web searches of students and staff ( Perrino 2013 ). The surveillance in terms of the interpretation of previous data has the possibility to build up suspicion of engaging in political behavior.

In particular, the situation of academics in Turkey, Mexico, and Cameroon has been worrying, with scholars spied upon, censored, and even imprisoned ( Chuh 2018 ). These chilling effects impact liberal democracies as much as others, and digital technologies have made state control quicker and easier than ever before. The Scholars at Risk monitor report restrictions across many states in which online discussions are kept and read as indicators of allegiance or political defiance ( Scholars at Risk Network 2017 ).

Framed under legal requirements, the collated information is also used to assess the degree of obedience of academics to some administrative decisions by reporting declaration of dissent. This allows contemporary universities to become places where mundane technologies are transformed into sociopolitical instruments and forms of symbolic power asserting a certain kind of governance. For example, during the 2017–2018 UK industrial actions, British universities created a chilling environment by obliging their staff to declare through electronic means whether they were planning to participate in the strike. Some institutions were accused of registering the presence of staff members by monitoring electronically the opening of office doors, with such measures used to destabilize the solidarity between academics. Despite their illegitimacy ( University and College Union 2013 ), such techniques of both off- and online surveillance have become accepted as a “normal” practice across many institutions.

The use of “safe and integrated” technologies that trace pedagogical activities such as “lecture capture” are hereby noteworthy. Justified in the name of commendable impetuses such as widening access and support for handicapped students, the gathered video and audio recordings are kept for months, even years. In the current competitive academic environment, the footage has also been repurposed for scholars’ performance assessment and shown to function as strike-breaking material, with some UK universities reportedly having attempted to “replace” striking academics with recordings of their courses made previously ( Edwards et al. 2018 ). Similarly, many universities use emails systems provided by major US companies such as Microsoft or Google and disregard privacy concerns deriving from reliance on commercial vendors in the name of cost effectiveness (Franklin in this forum).

Such surveillant digitized practices are implemented under the terminology of “community,” used to refer to the collectivity of people working at the university. This description has been reinforced by the utilization of multiple email lists, as if they were a manifestation of the existence of such a shared understanding. However, the idea of a “community” plays into the hands of a managerial surveillance capitalist logic to disregard disagreements and to discipline individuals that dissent. The “solutionism” by the “community” has replaced the notion of the distribution of wealth and a fair repartition for the workers all along the line. Hence, we have seen the differential of money and privileges at the top administration going hand in hand with this “community” discourse, especially when online technologies have become effectively a substitute for face-to-face relations. This shift deriving from neoliberal ideals allows for a concentration of power in certain buildings and places and a culture of “managing at distance by spreadsheets.”

Counter practices as discussed by my coauthors certainly disrupt parts of this dynamic, and alternative communication channels outside the university control exist. Yet, a call to counter practices supposes consciousness about the multiple tactics used to trace digital content and inherently contradicts our acceptance of surveillance in the name of necessity of digitization. Academics in the Global North may consider themselves as privileged by having access to speedy Internet and diverse technologies that help them to manipulate large amount of data swiftly. However, we cannot universalize the positions of Global North academics as if they represent the global higher education sector, nor are they better than others in terms of pedagogy. More, we must discuss digitization in terms of what we lose rather than solely what we win.

The unreflective strive for digitization is best seen in the preparations of lectures via PowerPoint and other presentation software. Even if slideshows are loved by students, they do not prepare them with better understanding of content and disincentivizes critique and inquiry ( Worthington and Levasseur 2015 ). Indeed, one has to remember that PowerPoint was invented for commercial purposes, with the sequence of the slides aimed at creating an unconscious acceptance of the text by the audience ( Marx 2006 ). The calibration of pedagogy via online PowerPoint lectures is—in some ways—the first attack on academic freedom by normalizing easiness and by creating the earlier mentioned reproducibility of lecture content. The use of PowerPoints is a move away from the Socratic method in which questioning drives the importance of learning, which fundamentally refuses any form of standardization.

The reliance on digital tools and virtual environments also centers on a belief in efficiency, democracy, and accessibility. Nonetheless, they are more a dramaturgy of the scene of higher education playing a world utopia of knowledge for everyone than the description of local and international practices. The latter are constituted of symbolic struggles in the field of higher education and its transnationalization whose effect has been a reconfiguration of power and the development of “palace wars” between Anglo-American universities ( Dezalay and Garth 2002 ).

Administrative Logics in the Digitized Environment

The abovementioned digitization, which allows for the monitoring and controlling of scholars’ communication and practices, goes together with administrative logics of university managements that flourish on entrepreneurial ideals, internal bureaucratic oversight, and a generalized institutional competition. Datafication and evaluation are the outcome of this trend toward “academic capitalism” ( Jessop 2018 , 104) and give scholars the impression of being permanently under observation and affected by a series of modalities that operate mundanely.

For instance, Kauppi and Erkkilä (2011) show how this competitive doxa is the effect of the struggle over higher education and the practices of ranking. An industry of ranking has emerged and transformed the relations of symbolic capital between researchers and professors as well as their sense to belong to a collective scholarly group ( Erkkilä 2013 ). Individual rewards are far easier to win by academics’ simply adjusting their ideas to the institution they operate in and by following the suggestions and requirements of their administration. This creates barriers for allying with colleagues faced with different realities or located in non-English-speaking universities such as in the Global South.

In addition, the managerial hypocrisy over academics also works at the heart of some ethics committees and other governance mechanisms. Review boards often mainly act as insurance policies or “institutions of censorship and control” for administrators keen on pushing any fault on staff or students’ shoulders if they have taken too much risk for themselves in a specific situation ( Sluka 2018 , 1). Additionally, rising organizational regulations change the symbolic powers between students, academics, and the university executive and further lead to a form of control that deprives scholars of their judgments and opportunities for action. Thus, by disaggregating the direct asymmetric relations one might actually uncover the introduction of “parasitic” logics that justify an exponential growth of levels of administrators ( Serres 2007 ).

The other structural transformation that works against academic freedom is the process of normalization induced by the mechanism of permanent evaluations at multiple scales ( MacDonald 2017 ). Like the increasing digitization of data, “evaluation” seems by definition a democratic tool and is, as such, always considered positive. It allegedly limits “mandarinate” (clientelism) of old professors, creates “fair conditions,” and narrows discrepancies by assuring equality between different actors including students and staff. And indeed, the reliance on statistical tools together with the disaggregation of education into measurable parts is steadily becoming an element of the doxa that underpins the transnational field of higher education.

Yet, evaluation processes applied to “pedagogy” have shown to create forms of disciplinarization and surveillance embedded in the logic of competition between universities as much as students and staff. Numbers and statistics are there to “correct” the effects of practices of pedagogy. Everything needs to be transferred into figures and graphs, with institutions striving for a smooth ascending curve of success that will never turn back. In the course of this, distant administrators and their technologies of ranking, indicators, and matrices supersede face-to-face relations, creating hierarchies of “best producers” on this profiled market for diplomas ( Erkkilä 2013 ).

Evaluation is, therefore, not a neutral technique and has the capacity to disembody and dissociate human relations. It is a politics that works against education and implies an asymmetry of power, in particular between professors and students. Clients or consumers—as some universities call their students—have certainly the right to feel protected against discretionary logics. However, what does it mean for the freedom of academics when the latter implies a reliance on practices that foster the “harmonization of marks,” where administrative bodies do not accept heterogeneities and rather govern by “regularities,” where discrepancies between the marking of diverse academics is erased, and where the grade distribution is dependent on previous years’ statistics, independently of the inner quality of a year's cohort ( Bachan 2017 )?

The competition via ranking and evaluation is not only happening in the space of our classrooms. It upsets also the space of publications by trying to impose through the popularity of an audience an inner differentiation of excellence where older journals that had time to build their reputations profit from a structural advantage over new ones. In this surveillant climate, heterodox positions—that often can be the most creative ones—are marginalized and orthodox positions—that frequently align with the logic of certain “old” universities—are reinforced ( Hamati-Ataya 2011 ). This finds its repercussion in citation practices, where references to innovative ideas barely move beyond a small circle of scholars and creates an impetus for academics to curb their ideas along the lines of the “most important” journals of their disciplines. Hence, the scientometry, which was promoted as an allegedly equalitarian tool, imposes—discipline by discipline—a restricted and hierarchized list of publications.

Individual researchers are not safe from the effects of evaluations either. By scoring individuals online with a personal record (Melgaço and Lyon in this forum) and asking for their impact, private companies challenge universities on their control over personnel. This datafication of academia affects recruitment by constructing specific profiles adjusted to each “job.” Young scholars with some of the most original trajectories are excluded from interviews because they have not yet ticked the boxes of the long list of requirements, with some scholars even being disregarded because they are too qualified for the job. This politics of numbers results in a dehumanization and shows what “unfreedom” means in “advanced liberal societies” where no one is “responsible” for the structural conditions that govern higher education institutions.

Academic freedom is certainly a value at stake in such an environment that some have called the “neoliberalization and marketization” of the university ( Chubb and Watermeyer 2017 , 2360). Many authors have traced the sociogenesis of such practices ( Bennett 2017 ); they insist on the specificity of the subtle modes of coercion that modern education continue to use in its different pedagogical models ( Lenoir 2006 ). Evaluation and datafication, thus, rhyme with practices of distinction as much as the search for the average, and build on the idea that “authority” must be controlled, and that the freedom of academics has to be regulated if it does not fit the goals of the institutions. Hence, academics may better begin to adjust to their new economic roles with recipes on how to succeed in this environment most likely coming from industry.

All the discussed factors around digitization, datafication, and evaluation explain the loss of freedom and the development of online surveillance internally in universities. They are products of the competition between universities who want to become “profitable” and hope to attract (international) students who can pay fees. Dispositions of academics have therefore guided toward an allegiance to their “company,” their “community”—the university. Academics must feel that they struggle together against other entities. They must build team spirit not on an intellectual basis, but by belonging to a physical place. They must participate in the race on ranking as their own future may depend on the rating of their (previous) university.

The embeddedness of this “inside and outside” dynamic and the effects of this competition both obliges and accelerates compliance. New lecturers may believe they have to give in to this administrative authority and its surveillant practices. This in turn also limits the resistance of old professors’ hysteresis of dispositions in an environment that begins to be hostile to the very idea of education and is more concerned with the sale of diploma as a product in a global market of higher education.

As this essay and the contributions of my coauthors show, this reconfiguration of power inside the university plays out around the mastering of digital technologies as well as datafied practices and inherently is underpinned by a doxa of “deresponsibilization.” This “unfreedom” comes from the acceptance that no one has a choice to go against the system and its rapid transformations. It assumes that resistance is useless and that academia has to adjust to the client's desire and the expectations of its administrators. And indeed, soon artificial intelligence may be the deus ex machina of higher education, but let me end by a proposal to fight back collectively. First, academic freedom begins with the patient deconstruction of these digitized and marketized “necessities,” using the memories of what the institution of the university has been in the past as a model for what it should be in the future. Second, academic freedom revives by the rejecting of administrative authorities and allying with younger colleagues, students, and colleagues and students in non-English-speaking universities. Third, academic freedom wins by critically engaging with online and digital technologies that are increasingly used against us to monitor our outputs, control our processes, and manage us by distance. I am not sure if we will win, but at least we will finally oppose our surveillant conditions.

M.I. F ranklin

Goldsmiths University of London

Despite the furor around the Snowden revelations of mass online surveillance in 2013, state-sanctioned, data-gathering, and long-term storage of communications records have become the norm in liberal, capitalist polities. Not only government agencies but also commercial service providers now hoover up and store vast amounts of personal information, ostensibly for our own good. The “chilling,” (self-)censoring effects these practices create, have gained a foothold in the increasingly porous domains of digitized, networked scholarly research, knowledge exchange, and university teaching.

However, academia as a whole has been alarmingly slow in responding to the corrosive consequences that disproportionate levels of surveillance have on individual rights and freedoms and those that relate to scholarship (e.g., freedom of association, of information, and of expression). In everyday university life, a creeping paralysis underpins the relative diffidence of many academics, departments, and institutional managements toward these issues. While student assignments, research proposals, scholarly writing, and the myriad of communications that sustain these activities become predominately digital, the time and resources needed to consider the institutional, personal, and professional implications of state-led and corporatized practices of online surveillance are in short supply.

One immediate response to the prying eyes of 24/7 digitized management tools and the ubiquity of mobile, commercial services is the deployment of readily available and constantly improving encryption tools across the spectrum of research, learning, and teaching. These can help to better protect our and other people's privacy when emailing, browsing, and researching. Yet, the important work done by so-called Cryptoparty events notwithstanding ( Tanczer 2017 ), the working knowledge of staff and students about why encryption may be relevant and which tools work best for particular contexts and needs is still not widespread. On-campus and curriculum-based opportunities to learn, debate, and acquire the requisite level of know-how go begging.

An increase in the prominence and proactiveness of government agencies within Internet policy-making has been throwing these “disconnects” into relief. This shift encapsulates Foucault-influenced historiography of how liberal institutions—schools, hospitals, prisons, and universities—operate as disciplining agents for the purposes of state-sanctioned surveillance, security, and population control, practices that are now digital and networked, by design ( Dawson 2006 ; Franklin 2013 ; Haskins and Jacobsen 2017 ). It signals a different trajectory after the twinning of government disinvestment in public service media and public education with the embedding of corporate ideas and its related consumer goods that connect personal, digital communications with business and learning. The “neoliberal university” has been coming-of-age as commercial social media platforms corner the global market, “linking in” the hearts and minds of students and scholars in so doing ( Giroux 2013 ; Ergül and Coşar 2017 ; Bigo in this forum).

The civil liberties implications of this partnership between commercial and governmental actors has been a primary focus of digital privacy and human rights advocacy for the online environment ( Internet Rights and Principles Coalition 2018 ). The relationship also goes to the heart of what is happening at universities around the globe: managements unilaterally automate (“centralize”) fundamental aspects to the working academic environment (from recruitment through to attendance registers, through to marking and feedback) and to outsource the core information and communications services to sustain university life at the infrastructural level of operations (Deibert in this forum). However, as I and other contributors to this forum argue (Bigo; Melgaço and Lyon in this forum), the subcontracting of data-storage and core-service provisions such as email, calendars, or academic reference lists to private companies undermines the ethos of public education, intellectual freedoms, as well as our (digital) autonomy.

Within this context, how can we—students and academic staff—(re)discover our autonomy as humans but also digital, networked agents? How can we gain the requisite knowledge to counteract? Indeed, how can we refresh our ability to tackle the lack of transparency and accountability in decision-making about internet design, terms of access and use, and data management? Becoming more tech-savvy is certainly one way to provide alternatives and increase our room for maneuver ( Reeder et al. 2017 ). That said, this sort of approach is neither self-explanatory nor immediately available for staff and students who consider themselves “not techie.”

How Did We Get Here?

Global businesses, the tech giants of today— Google , Amazon , Facebook , Apple , and Microsoft —have been consolidating their influence across the education sector ( Redmond 2014 ; Kaelin 2017 ). Corporate marketing on the “convenience” of cloud-based data access and storage has reached cash-strapped university managements and the individual “Internet users” comprising of academic staff as much as students.

We have been made to believe that our data—our scholarly imaginations and, by association, the outputs of our labor—are more secure in commercial hands than they could possibly be in-house, on campus servers, or local forms of storage. This move away from internal, publicly funded services to outsourced, privately run providers had major implications for the power geometries that underpin the relationship between teaching and learning, research and knowledge exchange, and access to resources and information.

The increasing reliance on external proprietary services to facilitate where and how teaching and learning takes place, but also to manage the knowledge—as data—that is produced by these interactions is a key factor in any discussion of the interconnection between surveillance, censorship, and encryption. Take, for example, “old-school” email. Far from becoming obsolete, emails are an essential feature of university life. Email interactions are booming and so is the big business of gate-keeping email-server and data-storage facilities accordingly (Melgaço and Lyon in this forum). The volume of traffic is expected to reach 12,864 petabytes per month in 2018 ( Statistica 2018 ), with one forecast projecting that a total of 246 billion emails will be sent in 2019, equaling an increase of 3 percent ( Radicati Group 2015 , 2).

Daily email exchanges span the spectrum from banal to sensitive information. Their content may include—frequently unwittingly—personal information about students (ID or name), admissions and enrolment documentation (digital scans of passports), examination results (marks and comments), mitigating circumstances evidence (health records), and geolocation information (from automated attendance registrars). Hence, decisions around the management of these expanding datasets, their terms of use and access, as well as the compliance with a range of national and international regulations have important implications—implications for those who generate these data, those who are the subjects of the information produced, and those who would like to access these data at a later date. Changes in the governance of email services alone affect not just teaching and research staff or departmental and senior managers. It also covers students as their “lifelong,” outsourced, yet university-branded email addresses become corporate proxies.

Moving from the classical, office-based computer screen to the classroom, halls of residence, and libraries, there too an array of web-based teaching tools are in use. Students operate their mobile phones or other networked devices at will and during class. They also tend to opt for easy-to-use, commercial technologies such as Google Scholar rather than institutional services such as academic journal aggregators ( Flavin 2016 ). This means that locational data, student information, copyrighted content, alongside a plethora of metadata are being circulated beyond the campus and frequently spread across commercial apps that now drive how we learn and how we teach. This amounts to a corrosion of institutional autonomy and of global academia's digital archive. Although this is a foregone conclusion in technological terms, it is a political and economic decision—in which powerful corporate actors join forces with law enforcement and intelligence agencies—at the design and public policy level.

In addition to the expansion of industrial influences, the UK Investigatory Powers Act (2016) exemplifies the return of the state in the once “deregulated” domain of telecommunications and media. The gathering and storing of communications data before probable cause has been established is now enabled ( Necessary and Proportionate Campaign 2014 ; Pillay 2014 ). It does so under the guise of national security, with effects for civil liberties and the higher education sector specifically ( Tanczer 2016 ). While the Act has been challenged, ruled incompatible with EU law in 2018, such legislations are tantamount to the criminalization of everyday life and exposes intellectual endeavor and scholarly exchange to unnecessary and excessive forms of scrutiny. These measures also govern the conditions under which university managements make decisions, how university-based Internet access is provided, which devices (computers, library cards) are issued, and have ethical implications for funded research.

The erosion of our capabilities to want and know how to take action, let alone having the time and resources to do so, accompanies the ways in which ordinary “users” become positioned as ignorant and passive rather than active agents. Meanwhile, as the workplace goes mobile, the cost-attractiveness of private cloud storage sees IT departments—whose managements engage with and consider the priorities of service “providers” and senior administrators—take procurement decisions without fully informed consent of students and staff. Put another way: we are seeing the ceding of both institutional and personal agency; “data actors” are being positioned and conditioned into behaving like passive “data consumers” as vested interests dictate the terms of Internet-dependent scholarship ( Feenberg 1999 ; Tanczer et al. 2016 ; Alim et al. 2017 ).

The geopolitical and technoeconomic context in which all contributors to this series are writing is one marked by, what I have argued is an emerging (global) Internet governmentality complex ( Franklin 2013 ). In it, states are but one—and not even the most powerful—actor making decisions about the Internet's design, use, access, and content management. As students, teaching staff, and the university managements continue to exchange not just implicitly but explicitly sensitive information with one another, the gap between those becoming aware of encryption as a personal and political issue and those who do not know—or care to know—is widening. The main obstacle at the individual level—and with that to organizing any forms of collective action—is that most people take the path of least resistance. Convenience is a powerful form of persuasion in this respect.

This is one reason why advocating the need for encryption, or providing “to-do” lists for changing our privacy settings, will not go far without preparing the ground first. As predominately technical, behavioral responses at the individual rather than the institutional or epistemic-community level, these moves imply changes of routine, habits, and time-investment, in order to learn how to use encryption tools. It requires we consider how and where we manage our files and how we compile content or maintain online correspondence. We have arguably reached an historical conjuncture in which crypto-skills are becoming a necessity for the sustaining of a healthy scholarly life. It is time for educating, mobilizing, and organizing ways to address the widespread state of digital inertia among academics and student bodies.

By way of contributing to recommendations from other authors, allow me to make the following observations for the ordinary, cryptophobic scholar/student: first, recall that encryption is a technique that need not be deployed immediately. Knowing how to does not require you to have to . As Foucault (1977) reminds us, knowledge is power. Thus, simply considering the pros and cons of any form of encryption, or even how to enact low-tech forms of obfuscation ( Brunton and Nissenbaum 2015 ), can be a form of reempowerment at the individual level, as part of research collaborations, and in the classroom.

Second, we need to include these considerations as part of the ethical dimensions to research design, especially when working in precarious research fields ( Peter and Strazzari 2017 ; Sluka 2018 ; Kazansky and Milan in this forum). In this regard we need to consider privacy settings and encryption tools as more than techniques. They are also an imaginary, comprising elements of both resistance and concession to the big business and geopolitics of our digital, networked times (Bigo in this forum).

Third, note that encryption is already part of our daily lives. All sorts of transactions are made possible by its deployment in online services for banks, insurance companies, local and national governments, inland-revenue departments, as well as the health and education sectors. This puts things in perspective, prevents people from rejecting the idea out-of-hand (e.g., students have expressed unease with encryption training) or from insisting that we must proceed to encrypt everything we do. Making this clear offers an opportunity to open up the “black box” of online privacy and to take stock of our needs and knowledge together.

Fourth, this also means finding ways to mobilize around any departmental or institutional decisions that move access to and control of data into the hands of private forces without due consultation or considerations of viable alternatives. We thereby need to keep abreast of the negative consequences that are possible, what advantages and disadvantages these tools offer, and the short- and long-term implications they may have on our own work. As time-consuming as any changes in our logging-on and logging-off habits may be, as critical scholars, mentors, and educators, we have not only a legal but also an ethical responsibility toward those we engage with and encounter. Conversely, departmental and institutional managers also need to be able to defend decisions to outsource, downgrade, or upgrade staffs’ computing provisions. Statutory and voluntary programs for ensuring privacy and information security need to be developed in association with staff and students, and the time required to discuss these issues and implement these changes have to be factored in to the working and teaching week. It further demands that universities’ IT departments need to become much more familiar with emerging jurisprudence around rights and freedoms online in globally networked settings.

Knowledge about these four dynamics and their relevance can contribute to inculcating better information-security practices in the higher education sector and to regain a sense of agency in this emerging Internet governmentality apparatus. Learning hands-on skills such as how to install or set up a particular encryption software is and should be part of our teaching and wider conversation as well as daily practice. Yet, we have yet to create constructive and supportive rather than punitive educational encounters, and our responses need to be diverse and adaptable.

Privacy may be a universal right, but it is not culturally absolute. Even within Western, liberal settings there needs to be space for robust debates and dissent within any proposed “training,” for instance, around the broader human rights implications of local, institutional, and national policy decisions that affect how we access and use the Internet and our personal devices. Taking a cue from Feenberg (1999) , as educators and researchers we need to consider the interrelationship between the normalization of online surveillance, concomitant developments in forms of digital/networked censorship, and citizens’ responses through encryption as one form of resistance ad civil disobedience at the online-offline nexus. With this in mind, we may generate a momentum and the amount of energy required for a “renewal of agency in the technical sphere” ( Feenberg 1999 , 102).

To sum up, encryption is part of a larger whole in the debate on surveillance and censorship in academia. All of us need to make the first step in raising awareness at our own desktop, in our workplace, and in the classroom. Through these means, we may create spaces that ultimately lead to changes in altering passive mind-sets and fatalist attitudes that let private gatekeepers dictate the terms of access and use to our own scholarly imaginations, and those of others. And to achieve this, we should be reminded that like all human rights, those supporting academic freedoms, were hard won. Their legal and political sustainability remains fragile and under threat from 24/7 online surveillance.

Surveillance and the Quantified Scholar: A Critique of Digital Academic Platforms

L ucas M elgaço

Vrije Universiteit Brussel

D avid L yon

Queen's University

The daily work of an academic today—whether professor, researcher, student, or other staff member—increasingly is mediated by digital platforms. Yet, while these platforms claim to, in different ways, increase scholars “efficiency” and “impact,” in this essay we argue that they also increase the quantification of academic labor, the “microentrepreneurship of the self” ( Hall 2016 ), and the presence of intrusive surveillance.

Three dystopian examples, two from popular media and one from a trendy academic digital platform, set the tone for our argumentation. In Dave Eggers's novel The Circle (2013), Mae Holland, a new employee at a tech company, is welcomed with a score of 10,328: her participation ranking. Still low, she will be able to push it up through active engagement on social media. Her goal is to reach the “T2K,” the select group of the top 2,000 employees. In “Nosedive,” a Black Mirror episode, Lacie, a young and seemingly successful woman, is on her way to an interview for her dream apartment. She has a score of 4.2, awarded to her on social media following interactions she has had with people, posts she published, and positive comments she received. She can only be selected as a tenant if she manages to increase her rating to 4.5. On ResearchGate , we see David, senior professor, and Lucas, assistant professor, with scores of 27.08 and 13.48, respectively. David's score is higher than 82.5 percent of ResearchGate's members; Lucas's 55 percent. Their ranking depends mainly on publications, citations, online interactions, and their quantity of followers. To many readers these examples may appear to be fiction. But for the more than 13 million scholars (according to ResearchGate ’s claimed subscribers), the last case is a “reality” that they should presumably take seriously.

ResearchGate is only one of the many platforms that have become an integral part of university life. These range from multipurpose production platforms such as Microsoft Office365 , to platforms that help students rank their professors ( Rate my Professors, Professor Performance ), assist teachers in their educational activities (e-learning platforms such as Moodle , Canvas , or Brightspace ), or facilitate the job of administrative staff ( PeopleSoft, Banner ERP ). The use of many of these platforms is often unavoidable or mandatory as it might be the only means of communication offered by a specific institution.

Scholars may voluntarily engage with other platforms, not only because they are useful instruments that make academia more efficient, but also because they have become inherent to their identity within the higher education sector. Today, the virtual presence of scholars in cyberspace seems to be considered almost as important as their physical presence ( Herrmann 2015 ). Additionally, the disclosure of their research and its visibility is comparable to their actual production. Publish or perish gives way to upload or perish. While for some this “digital performance” may be critical, for others the reasons for using these platforms is more prosaically practical: wishing to share their work and to be aware of others ( Van Noorden 2014 ).

Publishing platforms are clearly not unique illustrations of the surveillance dimensions of contemporary universities ( Dawson 2006 ; Lorenz 2012 ; Melgaço 2015 ). Obvious other examples include the proliferation of campus video systems; the use of badges, ID cards, and electronic keys (that generate an access log to labs and offices); as well as the increasing use of e-learning platforms ( Edwards et al. 2018 ). Scholars such as Burrows (2012) and MacDonald (2017) have also highlighted the controlling aspect of academic audit procedures.

Yet, rather than focusing on how surveillant higher education has become, this essay examines the consequences and the impacts of this scholarly surveillance system. First, we discuss the banalization of digital platforms and argue that university surveillance is a typical example of both Zuboff's (2015 , 2019 ) “surveillance capitalism” and Lyon's (2017 , 2018 ) “surveillance culture.” Surveillance capitalism is an economic system that monetizes data acquired through surveillance. Surveillance culture is the product of everyday experience of and engagement with surveillance. Second, we look at platforms that are aimed at fostering networking and the visibility of academic publications. We discuss how they relate to visibility, scoring, and control. The essay concludes with a reflection on the potential alternatives to for-profit platforms and more broadly the future of a quantified academia. It also asks further questions to demonstrate why this is an area badly demanding thorough research and analyses.

University Surveillance as Surveillance Capitalism and Surveillance Culture

In an age of surveillance capitalism, it is hardly surprising that universities would be implicated in the rampant quantification and scoring typical to social media and other platforms. Surveillance capitalism, according to Zuboff (2015 , 2019 ), is constituted by “unexpected and often illegible mechanisms of extraction, commodification, and control that effectively exile persons from their own behavior while producing new markets of behavioral prediction and modification.” She argues that reliance on the electronic text helps create a new “division of learning,” a nexus of power common to all corporate entities today. The logic of accumulation organizes the field, defining “objectives, successes, failures, and problems” ( Zuboff 2015 , 77). It then determines what is measured and is passed over, as well as who is valued, and how resources are allocated.

Hall (2015) points out that despite the name Academia.edu —which sounds like a network created by academics—this site is constructed for corporate profit. As its founder and CEO Richard Price says, the goal is to provide “trending research data to R&D institutions that can improve the quality of their decisions by 10–20 percent” ( Hall 2015 ). Hall (2016) further critiques that universities, such as the global taxi technology company Uber and the online hospitality service Airbnb , encourage everyone to become “microentrepreneurs of the self.” The latter describes exactly what the scholarly platforms represent. For Sterne, a professor who felt “obliged” to set up an Academia.edu account, the issue is rather the “gamification of research” in which scholarly progress is seen akin to Facebook “likes” or Twitter retweets ( Wagman 2016 ).

From what little evidence exists, it appears that some scholars are concerned about the effects this “dataveillance” ( Clarke 1988 ) has on their careers or about the possibility that these platforms may take unfair advantage of their information. Others, however, are content with the academic platforms and ask few questions about them. This is consistent with the use of social media in general: there is a gratitude for the affordances that these platforms offer and barely any serious concern about the negative consequences they create for users. Similarly, a critique of the limits of academic freedom or the power the university (or the companies that run such platforms) has over a scholar's everyday life is essentially absent ( Lyon 2018 ).

The problem, of course, is that many of us face the same dilemma in our engagement with Academia.edu that we experience with Facebook. Just about everyone hates Facebook on some level: we hate its intrusiveness, the ways it tracks and mines and manipulates us, the degree to which it feels mandatory. But that mandatoriness works: those of us who hate Facebook and use it anyway do so because everyone we're trying to connect with is there . . . I've heard many careful, thoughtful academics note that they're sharing their work there because that's where everybody is.

Despite their seductive aspect, one should bear in mind that all such platforms are created to make profit, especially from users who participate without pay. This monetizing potential is an example of surveillance capitalism at universities. At the same time, the familiarity of social media platforms and other aspects of digital life mean that their existence within the university seem less incongruous. Today, a culture of surveillance exists ( Lyon 2017 , 2018 ) within which many practices that may once have been eschewed by the academy are being normalized.

The major difficulties accompanying this development have yet to be fully researched, not least, because the algorithms underpinning these platforms are not publicly available. However, as seen with other social media, there is plenty of evidence that such platforms are addictive in character and unfair in outcomes. Due to their for-profit nature, incentives to join and return frequently are structurally built-in and created to stimulate the brain in specific ways ( Alter 2017 ). Thus, what invites scholars into publishing platforms such as ResearchGate is the logic underpinning all social media: they seek exposure, affirmation, and prestige through the increase of their research score.

Additionally, the inequalities baked in to academic media need exploring in more depth. However, the very fact that “reputational” scores can be raised simply by interacting more frequently with the platform indicates fundamental flaws in fairness. Like university rankings themselves, such platforms may produce bizarre outcomes, ones that could disadvantage certain professors, just as some universities lose out ( O'Neil 2016 , chap. 3; Bigo in this forum).

Another aspect of academic platform usage is that the drive for “efficiency” may prompt more publishing but less interest in the quality of the content released. Of course, measurements such as the impact factor exist supposedly to raise quality over quantity. But the validity of measurements that only consider how often someone was cited is dubious when there is no indication of why this person was quoted. Also, books and other smaller publications (like newspaper articles or other more accessible texts directed to practitioners and the lay audience) are normally not included in this count. Thus, the surveilled university (or the surveilled publishing process) pushes scholars to produce outcomes in one specific way—that of alleged “impact,” with performance being everything.

Publishing Platforms and the Search for Impact

Publishing platforms are networking tools that allow for the global connection of scholars and universities and serve as a display for academic production. They are not only virtual spaces for researchers to make their publications more visible, but also are comprised of other social media functions ( Lupton et al. 2017 ). These include functionalities such as the announcement of events and job opportunities, the publishing of questionnaires and quizzes, and the direct chat between members.

Similar to other social networking sites, publishing platforms require that users create and feed their avatar with personal data. They are also comparable in their strategies to get users increasingly connected and engaged—hooked—by sending reminders and all sorts of notifications. Most importantly, they have very similar business models in which users do not pay for the service with cash but by donating their valuable personal (or academic) information. The focus is on the user and how they will benefit from increased interaction with the system, and not on the constant monitoring of users, let alone the algorithms that determine their “reputations.”

As far as scholars are concerned, the main purpose of such research platforms remains, nonetheless, in maximizing the so-called impact of academics’ publications. Through such sites, academics can monitor the performance of their publications by following how many views, downloads, and citations their publications generated. Both Google Scholar and ResearchGate go a step further and offer tools to quantify scholars’ production and “impact” by showing their h-index (an author metric based on the scholar's most cited works and the number of citations they have received by peers). In possession of these scores, scholars can not only evaluate and self-surveil their own performance but also compare it to and monitor that of their peers.

Not satisfied with the h-index alone, ResearchGate also created the “RG Score.” It includes other variables beyond publications such as scholars’ engagement with the platform (participation by asking questions or giving answers in the platform forums) or their popularity, which is calculated by the number of followers they have ( Yu et al. 2016 ). According to the ResearchGate website, the “RG Score takes all your research and turns it into a source of reputation.” A scholar's RG score is highly visible on the platform as it appears right after someone's name (even before the person's academic affiliation). It is a sort of digital business card that, according to the website, “[a]s an integral feature of ResearchGate, . . . can't be turned off or hidden.” Such academic metrics are consequently not so different from the fictional cases of Mae and Lacie and their struggle with imposed scores mentioned at the start of this essay.

The criticism around the lack of transparency of the RG score ( Kraker, Jordan, and Lex 2015 ) does not seem to prevent it being used in the course of job selection processes. As the site explains, once someone posts a new job ad, the platform will help with the sorting of candidates by displaying not only their publications, but also by ranking them based on quantifiable measures like the h-index and the RG score. Furthermore, it seems very plausible to infer that such scores have an impact not only on the way scholars are perceived by their peers, but also by the way scholars see themselves. Still, those suffering from what Clance and Imes (1978) named the impostor phenomenon could find some consolation by following ResearchGate tips on how to increase their result: “[s]hare anything from negative results to raw data or full-fledged publications; [c]reate a project, or add an update to your existing project(s); [a]sk a question or give another researcher a helpful answer; [f]ollow other researchers; [c]omment on and recommend your peer's research, projects, and questions.” There is room to “game” the RG score.

Publishing platforms should be considered in their complexity. They are certainly a means of connecting with other like-minded scholars and of overcoming the limitations of distance in seeing where networks of similar scholarship emerge. They may also offer incentives to research and publish in particular areas and provide some sense of satisfaction in discovering that others are interested in one's work. Yet, here again, we see the surveillance culture in operation. At the same time, these academic platforms may simply support the growing consensus of the corporate-style, metrics-driven university with its pressure to publish and its particular obsession with research that might make money through patents and business deals. And without the researchers in question even knowing about it, the platforms may already be profiting from the knowledge gained through prepublished information and that of cutting-edge research in some areas.

Surveillance at universities is a major issue in this era of surveillance capitalism and its corresponding surveillance culture. It involves many different aspects, actors, and types, with the focus of this essay having centered on the use of platforms in the higher education realm. The main reason for our reliance on these systems seems to be a strive for efficiency and impact, whether in regard to platforms for teaching, e-learning, publication, and project management, or simply the sharing of information. Current pressures for universities to increase their relevance, efficacy, and research outputs further intensifies this pursuit of quantification and the reliance on scores.

The currently available platforms are largely profit-making enterprises that encourage academics to market themselves as “microentrepreneurs” and are in their very nature highly surveillant. At the same time, as these platforms increase productivity and heighten the level of academic production, they can also overwhelm scholars with notifications and requests, incentivizing them to upload all sorts of data and reports.

The surveillance that occurs is organized by the companies that run these platforms. Their privileged access and overview allow them to sell information about “trending” research to other corporations. Users with access can merely “follow” what academics are doing. While these controlling processes are ambiguous, the situation could be improved if more transparency were offered and if opportunities were given for academics to help run these platforms democratically. Thus, a move to open access and alternative nonprofit platforms—which have been already proposed ( Geltner 2015 )—would definitely be welcomed.

Further research is also badly needed. For example, how do the scores that platforms such as ResearchGate attribute to scholars change the way they see themselves and the way their peers refer to them? Do the scores change the chances of someone getting a new position or being considered for a job interview? Given the relative lack of research in this area, it is difficult to come to firm conclusions. Nevertheless, it is clear that ambivalence about these new tools will continue as long as the platforms themselves remain uncommunicative about their business models and as long as academics see the perceived advantages without the likely downsides.

Within the university, the quest for research metrics are unabated and reflected in both internal rankings of scholars and the external rankings of universities both nationally and internationally. The existence of commercial academic platforms that echo such features simply serves to normalize such processes without necessarily raising questions about the quality of research thus created and promoted. Worryingly, academics themselves increasingly will be seen primarily in terms of their scores rather than in terms of other more qualitative factors. If this pattern continues, peer-review may give way to ranking systems less amenable to checking and verification, tending toward professor popularity and celebrity status.

What can be read about in fiction such as The Circle or watched in Black Mirror has now found its counterparts in university life. Performance and productivity become the keys to university teachers’ “success,” seen in constant feedback loops provided by systems such as Google Scholar , ResearchGate , or Academia.edu . This is the surveillance culture we face in higher education. Monetization and behavioral modification occur as the platform corporations scrape data donated by prestige-seeking academics, bringing profits to the companies and changing practices to scholars. This is the surveillance capitalism we are subjected to inside higher education.

However, not all is hopeless, considering that changes discussed above are at an early stage and not set in stone. Positive transformations may occur, given the potential promises also noted above. But these will require a deeper understanding of what is happening along with the determination to seek platform transparency and opportunities for faculty governance. At present, the here-mentioned systems are all-too-often merely reflecting the erosion of academic influence and reach within the university sector. However, they may well offer potential affordances and could be a starting point for genuine scholarly activities and improved teaching methods that, if organized imaginatively and democratically, could revitalize the university as a place for creative, independent, and critical thought and action.

B ecky K azansky and S tefania M ilan

University of Amsterdam

In 2014, a group of human rights defenders known as the “Zone 9 bloggers” was detained and later prosecuted in Ethiopia over their use of a learning resource on privacy and digital security called “Security in a Box” ( Amnesty International 2017 ). In 2017, a number of human rights defenders from organizations such as Amnesty International were imprisoned in Turkey for participating in training on information management. In both cases, individuals engaged in human rights work were faced with legal charges over teaching or learning how to encrypt communications, a practice considered increasingly essential by transnational civil society amid pervasive surveillance ( Front Line Defenders 2017 ). This worrying development stretches beyond so-called high-risk contexts. In the last few years, we have seen an upsurge of “cryptowars,” and even countries with strong rule of law are questioning whether “ordinary” individuals should have the right to keep their communications confidential ( Ball 2015 ).

As academics, we are not immune to these debates. Our own research tools and practices may be subject to monitoring and censorship, with various scholars warning about the increasing “securitization” of research ( Tanczer 2016 ; Peter and Strazzari 2017 ). Building on the earlier contributions to this forum, we therefore reflect on the challenges that derive from operating in an environment of pervasive “surveillance capitalism” ( Zuboff 2015 , 2019 ), where—at least potentially—“social science is police science,” as “it is never clear who is going to use” data generated through scientific research ( Hintz and Milan 2010 , 839). As the final essay in this forum, we explore a set of practices that may help academia to engage in responsible empirical research amid the surveillance and censorship processes our fellow coauthors have highlighted.

We draw on the insights gained from our research into the consequences of surveillance on democratic agency and citizen participation. 1 The many ways in which users seek to resist monitoring practices prompt researchers to carefully consider the ethics of engagement with “the field” and to treat ethics as an exercise that must be resilient over time and different geographies. This entails recursively interrogating and adopting routines and habits throughout the research cycle, considering factors such as risk assessment and mitigation, data protection and privacy, as well as data management and storage ( Sluka 2018 ).

While our particular research interests may “force” us to actively consider privacy and security, we argue that any researcher working with human subjects must take this subject matter seriously. Our engagement with participants exposes them to vulnerabilities of various kinds—ranging from the datafication and reification of their behavior to surveillance. Far from prescribing a formula for privacy-aware research, and much like Franklin in this forum, we invite scholars to adapt their infrastructure and practices to their respective contexts, expertise, resources, and needs.

Over the next pages, we offer our experience of examining actions by politically engaged people who are made vulnerable through the nature of their work and their technological dependencies, catalog some of the steps taken to set up our digital infrastructure and workflow to address privacy and security priorities, and reflect on the role of “engaged research” and the question of infrastructure in the neoliberal university (see the essays by Deibert and Bigo in this forum).

Engaged Research as Situated, Context-Aware Research

Our point of departure is the questioning of the category “vulnerable subjects.” According to the European Commission, “[v]ulnerable categories of individuals” include “children, patients, people subject to discrimination, minorities, people unable to give consent, people of dissenting opinion, immigrant or minority communities, sex workers, etc.” ( European Commission Directorate-General for Research & Innovation 2016 , 9). While political activists per se are not explicitly included in this definition, we argue that vulnerability is context-dependent. What might be a perfectly acceptable practice today might not be tomorrow. And what is allowed in a given country might not be in another. Think of encryption technologies: tools such as the instant messaging app Telegram are restricted in countries such as Russia and Iran ( Deahl 2018 ), but usable—albeit sometimes under political scrutiny—in most Western democracies.

Due to this ambiguity around the consequences of our research and actions, we include all our participants without distinction into the “vulnerable subjects” category. This implies that we accept all the consequences this move entails—some of which have the power to slow down our analysis and add red tape to our work. It should also be said that, while the choice of the term “vulnerable” mirrors its use in data-protection language, it is not intended to minimize the agency and autonomy of the individuals and communities designated as such; instead, the classification is meant to help accord additional protections in response to long-standing inequalities and emergent risks.

To account for the sensitivity and awareness of time, geography, and context vis-à-vis the vulnerability of our subjects, our team adopts an “engaged” approach to research ( Milan 2010 , 2014 ). Thus, we carefully and continuously interrogate the impact that our empirical inquiry might have on the people and communities we study, while striving to indirectly contribute to their causes. Engaged research is therefore inherently situated . It brings the researchers to the same level of those being researched and anchors the research process to the evolving challenges of the field. This necessitates, for example, that we focus as much as possible on research questions that are relevant to both the researchers and the research subjects. We further seek appropriate opportunities for coinquiry, exchange, and collaboration and take great care with how we collect, handle, and present data about identities, projects, and networks.

Most importantly though, this engaged research dynamic alters the timeline of our commitment to ethics. This is specifically important for international relations and security studies scholars who often face serious ethical challenges in their practice ( Baele et al. 2018 ). Research ethics is no longer merely a series of “box-ticking exercises” at the inception of a project, but become a permanent interrogation and an ongoing dialogue ( Milan and Milan 2016 ). In this respect, engaged research is context-aware : on the one hand, it dialogues with and listens to the concerns of the field, while on the other hand, it is—by its own nature—dynamic and elastic, forcing academics to keep alert and to respond to novel challenges as they arise.

The Question of Infrastructure

As discussed at length by our colleagues in this forum, universities have migrated their digital infrastructure, including email, learning systems, and shared drives to the platforms of major corporations that unilaterally set their terms of service. How can researchers respect the privacy of research subjects if, for instance, data is not securely stored?

For our research project, we devised a “secure” infrastructure and protocols for our work. Many of these practices echo and complement guidance provided by other scholars and institutions ( Aldridge, Medina, and Ralphs 2010 ; Marwick et al. 2016 ; Tanczer et al. 2016 ; van Baalen 2018 ). To this end, the team engaged in a particular kind of risk assessment , working through a number of scenarios for how the life cycle of collection and dissemination of data might take place. This exercise allowed us to note points along the research process at which privacy and security concerns may arise and to discuss contingencies that could appear during fieldwork and travel. We evaluated our storage and communication needs and then assessed possible Free/Libre Open-Source Software (FLOSS) tools that would meet them. FLOSS’ openness and ability to respond to security threats made us consider it over proprietary competitors ( Boulanger 2005 ).

The infrastructure for our research—including servers, mailboxes, and mailing lists—are now stored outside the university network with a local, privacy-aware provider. OwnCloud , an open-source alternative to commercial cloud services such as Dropbox , allows us to store data and files in a decentralized manner on our private server. Instead of industry-led collaborative writing platforms such as Google Docs , we set up a password-protected etherpad , whose contents are not retrievable by search engines. Using some of this infrastructure requires patience and dedication on our part, as the user interfaces are not as developed as those of their commercial counterparts. Yet, taking infrastructure seriously permits us to considerably reduce vulnerabilities and points of exposure.

Devising Working Protocols for Engagement with the Field

But securing infrastructure alone—especially when its use is not immediately self-evident—is not sufficient enough to protect the privacy and security of our participants. Thus, we have collectively developed communication, fieldwork, and data-handling protocols and implemented an internal workflow requiring members to use encryption to communicate as well as to share and store data. These rules of conduct are applicable to IR scholars working empirically and can be implemented by individuals as well as members of a large research team.

First Contact

Our communication protocol outlines steps to can be taken for contacting research subjects. We offer participants a secure channel for communication contingent on their particular situation and needs, while always aiming for the option that exposes data the least. Due to the earlier-mentioned concerns over the use of encryption when planning correspondence with people from different regions, it is important to first research the legality of privacy-enhancing tools in any given context. Following this due diligence check, should the use of encryption technologies be available, then we seek initial contact using the open-source implementation of Pretty Good Privacy to encrypt our email. We consequently search for retrievable, publicly broadcasted encryption keys, which often can be found on personal websites or on so-called “Public Key Servers.” The latter is a database where individuals can upload their public key and equals a searchable phonebook.

When such a key is not available, the team attaches their own encryption key to the message. We invite and encourage participants to make use of secure communication technologies and also offer to move the discussion to alternate communication channels such as a secure FLOSS-messaging application ( Signal ) or an online video-calling system ( Jit. si, TOX ). When an email needs to be sent “in clear”—meaning unencrypted—we leave out details such as travel information, location, and meeting time. Such sensitive information is only communicated over secure channels. This specifically applies for sites other than large conferences, such as meetings with organizations and informal gatherings.

Academics also must pay attention to the security of their data and communications when travelling. We, thus, ask researchers to pay close attention any time their laptops, mobile phones, or recording devices are moved to a different location. We operate on the premise that data is not physically transported across borders but is backed up to an encrypted server prior to the start of a journey. Under particular circumstances, scholars may even choose to travel with a different, newly configured device.

Data Anonymization

Data collected for research purposes tends to “proliferate” ( Aldridge et al. 2010 , 3), amplifying the vulnerabilities for research subjects. To counter this spread of data across different devices, individuals, and physical locations, the team addresses issues around privacy, anonymity, and deidentification of research subjects from the beginning of the research process all the way to publication. As soon as interviews are completed, data is backed up and stored encrypted and so are transcripts. Full anonymization is ensured by a code system; interviewee names are securely stored in an analogue manner and presided over by the principal investigator. Avoiding reidentification goes beyond simply taking the names out of a dataset. Rather, it means anticipating how the aggregation of specific details may give away the identity of research subjects even when names are not mentioned explicitly or solely quantitative data is reported ( Goroff 2015 ). This is particularly important when a study's underlying research data is made publicly available (G. Alter and Gonzalez 2018 ).

Open-ended Debriefing

Following fieldwork and travel, the team also reflects on the experiences and challenges with these protocols, allowing for modifications to be made. This process continues throughout the data analysis phase up to the completion of the project, allowing us to abide to our engaged research approach.

A fundamental caveat is that the here-mentioned tools are a secondary consideration to the research protocols we implement. Like Tanczer et al. (2016 , 351) have previously emphasized, as technology changes, “instruments, practices, and procedures have to adapt.” Continuous diligence is required to respond to their shifting utility and security settings. This also means staying abreast of technological developments and continuously updating our software and infrastructure providers. We thereby rely on the latest recommendations of digital rights organizations such as the Electronic Frontier Foundation's Surveillance Self-Defense tool or Tactical Technology Collective's Security in a Box .

Of course, many of the available encryption tools continue to be difficult to use and oftentimes attract controversy among security experts over their relative merits ( Schneier, Seidel, and Vijayakumar 2016 ). As indicated by digital rights organizations as well as by our own research ( Kazansky 2015 , 2016 ), privacy-aware instruments should be selected by weighing the contextual details against the skill level and requirements of researchers and participants. A priority is placed on well-maintained and vetted FLOSS. Thus, we abstain from presenting our protocols as “hard and fast” rules. Research is by its very own nature messy, with such processes also calling for continuous renegotiation.

Academics should also anticipate that some participants might not be familiar with many of the encryption systems or find them inappropriate or even unsafe in their context. Our own experiences with more than 200 informants to date teach us that using encryption tools entails navigating different comfort levels, requirements, and workflows. While many informants have responded with encrypted emails, a significant number of informants have not. Some have instead responded back through commercial platforms or secure messaging services. However, we do not want to read these results too pessimistically: ambivalence around the use of encryption tools is well-documented ( Whitten and Tygar 2005 ) and may also be attributable to the nature of correspondence as interlocutors might not always have their encryption keys on hand (e.g., when using a smartphone). Indeed, it may not even be a matter of literacy or expertise, for even preeminent security experts do not use reliably the tools they invented ( Franceschi-Bicchierai 2015 ).

Hence, finding the balance between the mechanics of data collection and analysis as well as the imperative to protect participants from monitoring and repression is tricky. While our team studies a realm of social action that by its own nature exposes politically engaged individuals to vulnerabilities of various kinds, we believe it rests upon the entire research community to find ways in which academia can be mindful of the increasing risks to our research subjects.

To conclude, we want to emphasize three takeaways in the hope that the higher education sector will change its practices and include some “digital hygiene” measures in its research toolbox. First, although it might take some time to amend established ways of organizing research and fieldwork, digital security and privacy concerns and potential solutions should be an essential concern for all institutional review boards. Advocating for institutional changes to create the necessary conditions, including funding, to engage in “secure” research will therefore be an important step. Second, there is no single best protocol for protecting research from censorship or surveillance. Processes and tools have to be integrated into our routines and will always be dependent upon contingent priorities and constraints—whether institutional, financial, temporal, or a lack of expertise. However, and third, the lack of resources and expertise are not necessarily barriers. Many solutions are not “high-tech”; for instance, preferring privacy-respecting services such as email providers or collecting and storing data purely offline are valid, low-tech measures accessible to anyone. Thus, the choice to secure our subjects data is ours, and many academics already are actively making this choice.

Research for this essay was supported by a Starting Grant of the European Research Council awarded to Stefania Milan as Principal Investigator (StG-2014_639379 DATACTIVE). We thank the DATACTIVE team for contributing to designing the infrastructure and protocols described here and the DATACTIVE Ethics Advisory Board for their feedback. Both authors have equally contributed to this article.

Abbate Janet . 1999 . Inventing the Internet . Inside Technology . Cambridge, MA : MIT Press .

Google Scholar

Google Preview

Aldridge Judith , Medina Juanjo , Ralphs Robert . 2010 . “The Problem of Proliferation: Guidelines for Improving the Security of Qualitative Data in a Digital Age.” Research Ethics Review 6 : 3 – 9 .

Alim Frida , Cardozo Nate , Gebhart Gennie , Gullo Karen , Kalia Amul . 2017 . “Spying on Students: School Issued-Devices and Student Privacy.” San Francisco: Electronic Frontier Foundation. Accessed August 8, 2019. https://www.eff.org/files/2017/04/13/student-privacy-report.pdf .

Altbach Philip G. 2008 . “The Imperial Tongue: English As the Dominating Academic Language.” International Educator 17 : 56 .

Alter Adam . 2017 . Irresistible: The Rise of Addictive Technology and the Business of Keeping Us Hooked . New York : Random House .

Alter George , Gonzalez Richard . 2018 . “Responsible Practices for Data Sharing.” American Psychologist 73 : 146 – 56 .

Amnesty International . 2017 . “Ethiopia: Fresh Trial for Two Zone-9 Bloggers Flies in the Face of Justice.” Amnesty International , April 6. Accessed August 8, 2019. https://www.amnesty.org/en/press-releases/2017/04/ethiopia-fresh-trial-for-two-zone-9-bloggers-flies-in-the-face-of-justice/ .

Anonymous . 2017 . “State Vs. Academy: The Academy Under Surveillance.” Surveillance & Society 15 : 550 – 56 .

Bachan Ray . 2017 . “Grade Inflation in UK Higher Education.” Studies in Higher Education 42 : 1580 – 600 .

Baele Stephane J. , Lewis David , Hoeffler Anke , Sterck Olivier C. , Slingeneyer Thibaut . 2018 . “The Ethics of Security Research: An Ethics Framework for Contemporary Security Studies.” International Studies Perspectives 19 : 105 – 27 .

Ball James . 2015 . “Cameron Wants to Ban Encryption – He Can Say Goodbye to Digital Britain.” Guardian , January 13. Accessed August 8, 2019. https://www.theguardian.com/commentisfree/2015/jan/13/cameron-ban-encryption-digital-britain-online-shopping-banking-messaging-terror .

BBC News . 2018a . “US Sanctions Iranian Hackers for ‘Stealing University Data.’” BBC News , March 23. Accessed August 8, 2019. http://www.bbc.com/news/world-us-canada-43519437 .

BBC News . 2018b . “Matthew Hedges: British Academic Pardoned By UAE.” BBC News , November 26. Accessed August 8, 2019. https://www.bbc.com/news/uk-46341310 .

Bennett Liz . 2017 . “Social Media, Academics’ Identity Work, and the Good Teacher.” International Journal for Academic Development 22 : 245 – 56 .

Bentley Michelle . 2018 . “Enough Is Enough: The UK Prevent Strategy and Normative Invalidation.” European Journal of International Security 3 : 326 – 43 .

Bodo Balázs , Helberger Natali , Irion Kristina , Borgesius Frederik Zuiderveen , Moller Judith , van de Velde Bob , Bol Nadine , van Ess Bram , de Vreese Claes . 2017 . “Tackling the Algorithmic Control Crisis -the Technical, Legal, and Ethical Challenges of Research Into Algorithmic Agents.” Yale Journal of Law and Technology 19 : 133 – 80 .

Bohaker Heidi , Austin Lisa , Clement Andrew , Perrin Stephanie . 2015 . “Seeing Through the Cloud: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World.” Toronto: University of Toronto. Accessed August 13, 2019. https://tspace.library.utoronto.ca/handle/1807/73096 .

Boulanger Aymen . 2005 . “Open-Source Versus Proprietary Software: Is One More Reliable and Secure than the Other?” IBM Systems Journal 44 : 239 – 48 .

Bourdieu Pierre . 1988 . Homo Academicus . Translated by Peter Besselaar . Cambridge : Polity Press .

Boyd Danah , Crawford Kate . 2011 . “Six Provocations for Big Data.” In A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society , 1 – 17 . Oxford : Oxford Internet Institute . https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1926431 .

Brady Anne-Marie . 2017 . “Magic Weapons: China's Political Influence Activities Under Xi Jinping.” Woodrow Wilson Center. Accessed August 8, 2019. https://www.wilsoncenter.org/article/magic-weapons-chinas-political-influence-activities-under-xi-jinping .

Brunton Finn , Nissenbaum Helen . 2015 . Obfuscation: A User's Guide for Privacy and Protest . Cambridge, MA : MIT Press .

Burrows Roger . 2012 . “Living with the H-Index? Metric Assemblages in the Contemporary Academy.” Sociological Review 60 : 355 – 72 .

Changchit Chuleeporn . 2017 . “Interview with Lionel Cassin. Information Security Officer, Texas A&M University-Corpus Christi on Security and Privacy Issues Facing the University.” Journal of Information Privacy and Security 13 : 97 – 98 .

Chubb Jennifer , Watermeyer Richard . 2017 . “Artifice or Integrity in the Marketization of Research Impact? Investigating the Moral Economy of (Pathways To) Impact Statements within Research Funding Proposals in the UK and Australia.” Studies in Higher Education 42 : 2360 – 72 .

Chuh Kandice . 2018 . “Pedagogies of Dissent.” American Quarterly 70 : 155 – 72 .

Ciccariello-Maher George . 2017 . “After December 31st, 2017, I Will No Longer Work At Drexel University.” Twitter (blog). December 28. Accessed August 13, 2019. https://twitter.com/ciccmaher/status/946435825755148288 .

Citizen Lab . 2014 . “Communities @ Risk: Targeted Digital Threats Against Civil Society.” Citizen Lab. Accessed August 13, 2019. https://targetedthreats.net/ .

Clance Pauline Rose , Imes Suzanne . 1978 . “The Imposter Phenomenon in High Achieving Women: Dynamics and Therapeutic Intervention.” Psychotherapy Theory, Research, and Practice 15 : 241 – 47 .

Clarke Roger . 1988 . “Information Technology and Dataveillance.” Communications of the ACM 31 : 498 – 512 .

Courea Eleni . 2018 . “University Alerts Students to Danger of Leftwing Essay.” Observer , November 11. Accessed August 8, 2019. https://www.theguardian.com/education/2018/nov/11/reading-university-warns-danger-left-wing-essay .

Cram Ian , Fenwick Helen . 2018 . “Protecting Free Speech and Academic Freedom in Universities.” Modern Law Review 81 : 825 – 73 .

Crete-Nishihata Masashi , Knockel Jeffrey , Miller Blake , Ng Jason Q. , Ruan Lotus , Tsui Lokman , Xiong Ruohan . 2017 . “Remembering Liu Xiaobo: Analyzing Censorship of the Death of Liu Xiaobo on WeChat and Weibo.” Citizen Lab. Accessed August 13, 2019. https://citizenlab.ca/2017/07/analyzing-censorship-of-the-death-of-liu-xiaobo-on-wechat-and-weibo/ .

Dada Tinuola , Micek Peter . 2017 . “Launching STOP: The #KeepItOn Internet Shutdown Tracker.” Access Now , September 7. Accessed August 8, 2019. https://www.accessnow.org/keepiton-shutdown-tracker/ .

Dawson Shane . 2006 . “The Impact of Institutional Surveillance Technologies on Student Behaviour.” Surveillance & Society 4 : 69 – 84 .

Deahl Dani . 2018 . “Iran Has Banned Telegram After Claiming the App Encourages ‘Armed Uprisings.’” Verge , May 1. Accessed August 8, 2019. https://www.theverge.com/2018/5/1/17306792/telegram-banned-iran-encrypted-messaging-app-russia .

Deibert Ronald J. 1998 . “Virtual Resources: International Relations Research Resources on the Web.” International Organization 52 : 211 – 21 .

Deibert Ronald J. . 2013 . Black Code: Inside the Battle for Cyberspace . Toronto : Random House .

Deibert Ronald J. . 2015 . “Authoritarianism Goes Global: Cyberspace Under Siege.” Journal of Democracy 26 : 64 – 78 .

Deibert Ronald J. , Palfrey John , Rohozinski Rafal , Zittrain Jonathan . 2008 . Access Denied: The Practice and Policy of Global Internet Filtering . Cambridge, MA : MIT Press .

Dezalay Yves , Garth Bryant G. . 2002 . The Internationalization of Palace Wars: Lawyers, Economists, and the Contest to Transform Latin American States . Chicago : University of Chicago Press .

Dijck Jose van . 2014 . “Datafication, Dataism, and Dataveillance: Big Data Between Scientific Paradigm and Ideology.” Surveillance & Society 12 : 197 – 208 .

Dukalskis Alexander . 2018 . “The Chinese Communist Party Has Growing Sway in Western Universities.” Democratic Audit UK, January 4. Accessed August 13, 2019. http://www.democraticaudit.com/2018/01/04/the-chinese-communist-party-has-growing-sway-in-western-universities/ .

Duncan Jane . 2018 . “Criminalising Academia: The Protection of State Information Bill and Academic Freedom.” Communication 44 : 107 – 29 .

Edwards Lilian , Martin Laura , Henderson Tristan . 2018 . “Employee Surveillance: The Road to Surveillance Is Paved with Good Intentions.” APC 2018, 1–30. Accessed August 13, 2019. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3234382 .

Else Holly . 2017 . “CUP Row ‘Shows Need for New Approach to Chinese Censors.’” Times Higher Education (THE) , August 21. Accessed August 13, 2019. https://www.timeshighereducation.com/news/cup-row-shows-need-for-new-to-approach-chinese-censors .

Enyedi Zsolt . 2018 . “Democratic Backsliding and Academic Freedom in Hungary.” Perspectives on Politics 16 : 1067 – 74 .

Epstein Robert , Robertson Ronald E. . 2015 . “The Search Engine Manipulation Effect (SEME) and Its Possible Impact on the Outcomes of Elections.” Proceedings of the National Academy of Sciences 112 : E4512 – 21 .

Ergül Hakan Coşar Simten , eds. 2017 . Universities in the Neoliberal Era: Academic Cultures and Critical Perspectives . London : Palgrave Macmillan .

Erkkilä Tero , ed. 2013 . Global University Rankings Challenges for European Higher Education . Basingstoke : Palgrave Macmillan .

European Commission Directorate-General for Research & Innovation . 2016 . “H2020 Programme Guidance: How to Complete Your Ethics Self-Assessment.” European Commissions. Accessed August 13, 2019. http://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-self-assess_en.pdf .

Falk Richard . 2007 . “Academic Freedom Under Siege.” International Studies Perspectives 8 : 369 – 75 .

Fattah Randa Abdel . 2018 . “How a Sri Lankan Student's Arrest on Terror Charges Exposes a System Built to Suspect Minorities.” Conversation , November 9. Accessed August 13, 2019. https://theconversation.com/how-a-sri-lankan-students-arrest-on-terror-charges-exposes-a-system-built-to-suspect-minorities-106613 .

Feenberg Andrew . 1999 . Questioning Technology . London; New York : Routledge .

Fitzpatrick Kathleen . 2015 . “Academia, Not Edu.” Last modified October 26, 2015. Accessed August 13, 2019. https://kfitz.info/academia-not-edu/ .

Flavin Michael . 2016 . “Home and Away: The Use of Institutional and Non-Institutional Technologies to Support Learning and Teaching.” Interactive Learning Environments 24 : 1665 – 73 .

Flyverbom Mikkel , Deibert Ronald J. , Matten Dirk . 2017 . “The Governance of Digital Technology, Big Data, and the Internet: New Roles and Responsibilities for Business.” Business & Society , August: 1–17 .

Foucault M. 1977 . Discipline and Punish . London: Tavistock .

Franceschi-Bicchierai Lorenzo . 2015 . “Even the Inventor of PGP Doesn't Use PGP.” Motherboard , September 2. Accessed August 13, 2019. https://motherboard.vice.com/en_us/article/vvbw9a/even-the-inventor-of-pgp-doesnt-use-pgp .

Franklin M.I. 2013 . Digital Dilemmas: Power, Resistance, and the Internet . Oxford : Oxford University Press .

Front Line Defenders . 2017 . “Free Human Rights Defenders Detained in Turkey.” Front Line Defenders , July 12. Accessed August 13, 2019. https://www.frontlinedefenders.org/en/free-human-rights-defenders-detained-turkey .

Galpin Charlotte . 2018 . “Video Must Not Kill the Female Stars of Academic Debate.” Times Higher Education (THE) , November 8. Accessed August 13, 2019. https://www.timeshighereducation.com/opinion/video-must-not-kill-female-stars-academic-debate .

Geltner G. 2015 . “Upon Leaving Academia.edu.” Mittelalter: Interdisziplinäre Forschung und Rezeptionsgeschichte , December 7. Accessed August 13, 2019. https://mittelalter.hypotheses.org/7123 .

Gilmore Joanna . 2017 . “Teaching Terrorism: The Impact of the Counter-Terrorism and Security Act 2015 on Academic Freedom.” Law Teacher 51 : 515 – 24 .

Giroux Henry A. 2013 . “Public Intellectuals Against the Neoliberal University.” Truthout , October 29. Accessed August 13, 2019. https://truthout.org/articles/public-intellectuals-against-the-neoliberal-university/ .

Goroff Daniel L. 2015 . “Balancing Privacy Versus Accuracy in Research Protocols.” Science 347 : 479 .

Hall Gary . 2015 . “Does Academia.Edu Mean Open Access Is Becoming Irrelevant?” Last modified October 18, 2015. Accessed August 13, 2019. http://www.garyhall.info/journal/2015/10/18/does-academiaedu-mean-open-access-is-becoming-irrelevant.html .

Hall Gary . 2016 . The Uberfication of the University . Minneapolis : University of Minnesota Press .

Hamati-Ataya Inanna . 2011 . “Contemporary ‘Dissidence’ in American IR: The New Structure of Anti-Mainstream Scholarship?” International Studies Perspectives 12 : 362 – 98 .

Haskins Anna R. , Jacobsen Wade C. . 2017 . “Schools As Surveilling Institutions? Paternal Incarceration, System Avoidance, and Parental Involvement in Schooling.” American Sociological Review 82 : 657 – 84 .

Herold Benjamin . 2018 . “How (and Why) Ed-Tech Companies Are Tracking Students’ Feelings - Education Week.” Education Week , June 20. Accessed August 13, 2019. https://www.edweek.org/ew/articles/2018/06/12/how-and-why-ed-tech-companies-are-tracking.html .

Herrmann Rachel . 2015 . “Why Your Department Needs Social Media.” Chronicle of Higher Education . August 31. Accessed August 13, 2019. https://www.chronicle.com/article/Why-Your-Department-Needs/232759 .

Hintz Arne , Milan Stefania . 2010 . “‘Social Science Is Police Science.’ Researching Grassroots Activism.” International Journal of Communication 4 : 837 – 344 .

Hope Andrew . 2018 . “Creep: The Growing Surveillance of Students’ Online Activities.” Education and Society 36 : 55 – 72 .

Internet Rights and Principles Coalition . 2018 . “The Charter of Human Rights and Principles for the Internet” 6th Edition, Accessed August 13, 2019. internetrightsandprinciples.org/site/wp-content/uploads/2019/09/IRP_booklet_Eng_6ed_4Nov2018.pdf .

Jessop Bob . 2018 . “On Academic Capitalism.” Critical Policy Studies 12 : 104 – 9 .

Kaelin Mark . 2017 . “Microsoft Office 365: The Smart Person's Guide.” TechRepublic, May 31. Accessed August 13, 2019. https://www.techrepublic.com/article/microsoft-office-365-the-smart-persons-guide/ .

Kauppi Niilo , Erkkilä Tero . 2011 . “The Struggle Over Global Higher Education: Actors, Institutions, and Practices.” International Political Sociology 5 : 314 – 26 .

Kazansky Becky . 2015 . “Privacy, Responsibility, and Human Rights Activism.” Fibreculture Journal 26 : 189 – 207 .

Kazansky Becky . 2016 . “Digital Security in Context: Learning How Human Rights Defenders Adopt Digital Security Practices.” Tactical Technology Collective. Accessed August 13, 2019. https://secresearch.tacticaltech.org/digital-security-in-context-learning-how-human-rights-defenders-adopt-digital-security-practices.html .

Koziol Michael . 2018 . “‘National Interest Test’ to Align Research with Security and Strategic Priorities.” Sydney Morning Herald , November 10. Accessed August 13, 2019. https://www.smh.com.au/politics/federal/national-interest-test-to-align-research-with-security-and-strategic-priorities-20181110-p50f89.html .

Kraker Peter , Jordan Katy , Lex Elizabeth . 2015 . “The ResearchGate Score: A Good Example of a Bad Metric.” LSE Impact Blog , December 9. Accessed August 13, 2019. http://blogs.lse.ac.uk/impactofsocialsciences/2015/12/09/the-researchgate-score-a-good-example-of-a-bad-metric/ .

Lenoir Remi . 2006 . “Scientific Habitus: Pierre Bourdieu and the Collective Intellectual.” Theory, Culture & Society 23 : 25 – 43 .

Liang Fan , Das Vishnupriya , Kostyuk Nadiya , Hussain Muzammil M. . 2018 . “Constructing a Data-Driven Society: China's Social Credit System As a State Surveillance Infrastructure.” Policy & Internet 10 : 415 – 53 .

Lorenz Chris . 2012 . “If You're So Smart, Why Are You Under Surveillance? Universities, Neoliberalism, and New Public Management.” Critical Inquiry 38 : 599 – 629 .

Lupton Deborah , Mewburn Inger , Thomson Pat . 2017 . “The Digital Academic: Identities, Contexts and Politics.” In The Digital Academic: Critical Perspectives on Digital Technologies in Higher Education , edited by Lupton Deborah Mewburn Inger Thomson Pat , 1 – 19 . Abingdon : Routledge .

Lyon David . 2017 . “Surveillance Culture: Engagement, Exposure, and Ethics in Digital Modernity.” International Journal of Communication 11 : 824 – 42 .

Lyon David . 2018 . The Culture of Surveillance: Watching as a Way of Life . Cambridge, MA : Polity Press .

MacDonald Robert . 2017 . “‘Impact,’ Research and Slaying Zombies: The Pressures and Possibilities of the REF.” Journal of Sociology and Social Policy 37 : 696 – 710 .

Marwick Alice E , Blackwell Lindsay , Lo Katherine . 2016 . “Best Practices for Conducting Risky Research and Protecting Yourself from Online Harassment.” Data & Society Research Institute. Accessed August 13, 2019. https://datasociety.net/pubs/res/Best_Practices_for_Conducting_Risky_Research-Oct-2016.pdf .

Marx Gary T. 1988 . Undercover: Police Surveillance in America . Berkeley : University of California Press .

Marx Gary T. . 2006 . “Mots Et Mondes De Surveillance, Contrôle Et Contre-Contrôle à L’ère Informatique.” Criminologie 39 : 43 – 62 .

Melgaço Lucas . 2015 . “Multiple Surveillance on the Digitized Campus.” Radical Pedagogy 12 : 27 – 51 .

Milan Chiara , Milan Stefania . 2016 . “Involving Communities As Skilled Learners: The STRAP Framework.” In Methodological Reflections on Researching Communication and Social Change , edited by Wildermuth Norbert Ngomba Teke , 9 – 28 . Basingstoke : Palgrave Macmillan .

Milan Stefania . 2010 . “Towards an Epistemology of Engaged Research.” International Journal of Communication 4 : 856 – 58 .

Milan Stefania . 2014 . “The Ethics of Social Movement Research.” In Methodological Practices in Social Movement Research , edited by Porta Donatella della , 446 – 64 . Oxford : Oxford University Press .

Mills Kurt . 2002 . “Cybernations: Identity, Self-Determination, Democracy, and the ‘Internet Effect’ in the Emerging Information Order.” Global Society 16 : 69 – 87 .

Mittelman James H. 2007 . “Who Governs Academic Freedom in International Studies?” International Studies Perspectives 8 : 358 – 68 .

Muhamad Wardani , Kurniawan Novianto Budi , Suhardi , Yazid Setiadi . 2017 . “Smart Campus Features, Technologies, and Applications: A Systematic Literature Review.” In 2017 International Conference on Information Technology Systems and Innovation , 384 – 91 . Bandung : IEEE .

Namer Yudit , Razum Oliver . 2018 . “Academic Freedom Needs Active Support.” Lancet 392 : 556 .

Necessary and Proportionate Campaign . 2014 . “International Principles on the Application of Human Rights to Communications Surveillance.” Necessary and Proportionate , May 2014. Accessed August 13, 2019. https://necessaryandproportionate.org/ .

Olukotun Deji . 2017 . “We Need to Stop Shutting Down the Internet for School Exams.” Access Now , May 16. Accessed August 13, 2019. https://www.accessnow.org/need-stop-shutting-internet-school-exams/ .

O'Neil Cathy . 2016 . Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy . New York : Broadway Book .

Owens Brian . 2017 . “Cybersecurity for the Travelling Scientist.” Nature News 548 : 123 .

Peisert Sean , Welch Von . 2017 . “The Open Science Cyber Risk Profile: The Rosetta Stone for Open Science and Cybersecurity.” IEEE Security Privacy 15: 94 – 95 .

Penney Jon . 2016 . “Chilling Effects: Online Surveillance and Wikipedia Use.” Berkeley Technology Law Journal 31 : 1 – 58 .

Perrino Nico . 2013 . “Universities: Where You Go to Learn – and Be Monitored | Nico Perrino.” Guardian , October 22. Accessed August 13, 2019. https://www.theguardian.com/commentisfree/2013/oct/22/online-social-media-surveillance-university-campuses .

Peter Mateja , Strazzari Francesco . 2017 . “Securitisation of Research: Fieldwork Under New Restrictions in Darfur and Mali.” Third World Quarterly 38 : 1531 – 50 .

Pillay Navi . 2014 . “The Right to Privacy in the Digital Age: Report of the Office of the United Nations High Commissioner for Human Rights.” A/HRC/27/37. Geneva: Human Rights Council .

Redmond Tony . 2014 . “Office 365 By the Numbers - an Ever-Increasing Trajectory.” IT Pro, July 31. Accessed August 13, 2019. https://www.itprotoday.com/office-365/office-365-numbers-ever-increasing-trajectory .

Reeder Robert W. , Ion Iulia , Consolvo Sunny . 2017 . “152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users.” IEEE Security Privacy 15 : 55 – 64 .

Ruth Damian , Wilson Suze , Alakavuklar Ozan , Dickson Andrew . 2018 . “Anxious Academics: Talking Back to the Audit Culture Through Collegial, Critical and Creative Autoethnography.” Culture and Organization 24 : 154 – 70 .

Schneier Bruce , Seidel Kathleen , Vijayakumar Saranya . 2016 . “A Worldwide Survey of Encryption Products (February 11, 2016). Berkman Center Research Publication No. 2016-2.” Berkman Center Research. Accessed August, 13, 2019. https://www.schneier.com/academic/paperfiles/worldwide-survey-of-encryption-products.pdf .

Scholars at Risk Network . 2017 . “Academic Freedom Media Review Archive.” Scholars at Risk. Accessed August 13, 2019. https://www.scholarsatrisk.org/academic-freedom-media-review-archive-2017/ .

Scott-Railton John . 2016 . “Security for the High-Risk User: Separate and Unequal.” IEEE Security & Privacy 14 : 79 – 87 .

Serres Michel . 2007 . The Parasite . Minneapolis : University of Minnesota Press .

Sluka Jeffrey Alan . 2018 . “Too Dangerous for Fieldwork? The Challenge of Institutional Risk-Management in Primary Research on Conflict, Violence, and ‘Terrorism.’ ” Contemporary Social Science 1 – 17 . DOI: 10.1080/21582041.2018.1498534 .

Solon Olivia . 2017 . “Google Spends Millions on Academic Research to Influence Opinion, Says Watchdog.” Guardian , July 13. https://www.theguardian.com/technology/2017/jul/13/google-millions-academic-research-influence-opinion .

Spiller Keith , Awan Imran , Whiting Andrew . 2018 . “‘What Does Terrorism Look Like?’ University Lecturers’ Interpretations of Their Prevent Duties and Tackling Extremism in UK Universities.” Critical Studies on Terrorism 11 : 130 – 50 .

Statistica . 2018 . “Data Volume of Global Consumer Web Usage, e-Mails and Data Traffic from 2016 to 2021.” Statista. Accessed August 13, 2019. https://statinvestor.com/data/35224/global-e-mail-and-web-traffic/ .

Tanczer Leonie Maria . 2016 . “The ‘Snooper's Charter’ is a Threat to Academic Freedom.” Guardian , December 1. Accessed August 13, 2019. https://www.theguardian.com/higher-education-network/2016/dec/01/the-snoopers-charter-is-a-threat-to-academic-freedom .

Tanczer Leonie Maria . 2017 . “Digital Skills in Academia: Let's CryptoParty! ” OpenDemocracy , April 6. Accessed August 13, 2019. https://www.opendemocracy.net/leonie-tanczer/digital-skills-in-academia-let-s-cryptoparty .

Tanczer Leonie Maria , McConville Ryan , Maynard Peter . 2016 . “Censorship and Surveillance in the Digital Age: The Technological Challenges for Academics.” Journal of Global Security Studies 1 : 346 – 55 .

Guardian . 2018 . “We Deplore This Attack on Freedom of Expression in Brazil's Universities.” Guardian , November 1. Accessed August 13, 2019. https://www.theguardian.com/world/2018/nov/01/we-deplore-this-attack-on-freedom-of-expression-in-brazils-universities .

Radicati Group . 2015 . “Email Statistics Report 2015–2019.” Radicati Group. Accessed August 13, 2019. https://www.radicati.com/wp/wp-content/uploads/2015/02/Email-Statistics-Report-2015-2019-Executive-Summary.pdf .

University and College Union . 2013 . “Do I Have to Tell My Employer That I Am Taking Strike Action?” UCU, October 24. Accessed August 13, 2019. https://www.ucu.org.uk/article/5299/Do-I-have-to-tell-my-employer-that-I-am-taking-strike-action .

van Baalen Sebastian . 2018 . “‘Google Wants to Know Your Location’: The Ethical Challenges of Fieldwork in the Digital Age.” Research Ethics 24 : 1 – 17 .

Van Der Sloot Bart . 2017 . “Als Wetenschapper Op ‘goed Gesprek’ Bij De AIVD: Mag Het Een Tandje Professioneler?” De Volkskrant , August 29. Accessed August 13, 2019. https://www.volkskrant.nl/gs-bbb7d87a .

Van Noorden Richard . 2014 . “Online Collaboration: Scientists and the Social Network.” Nature 512 : 126 .

Wagman Shawna . 2016 . “Some Academics Remain Skeptical of Academia.Edu.” University Affairs (blog), April 12. Accessed August 13, 2019. https://www.universityaffairs.ca/news/news-article/some-academics-remain-skeptical-of-academia-edu/ .

White Scott G. 2008 . “Academia, Surveillance, and the FBI: A Short History.” Surveillance and Governance: Crime Control and Beyond 10 : 151 – 74 .

Whitten Alma , Tygar J.D. . 2005 . “Why Johnny Can't Encrypt. A Usability Evaluation of PGP 5.0.” In Security and Usability: Designing Secure Systems That People Can Use , edited by Cranor Lorrie Faith Garfinkel Simson , 679 – 702 . Sebastopol, CA : O'Reilly .

Worthington Debra L. , Levasseur David G. . 2015 . “To Provide Or Not to Provide Course PowerPoint Slides? The Impact of Instructor-Provided Slides Upon Student Attendance and Performance.” Computers & Education 85 : 14 – 22 .

Yu Min-Chun , Wu Yen-Chun Jim , Alhalabi Wadee , Kao Hao-Yun , Wu Wen-Hsiung . 2016 . “ResearchGate: An Effective Altmetric Indicator for Active Researchers?” Computers in Human Behavior 55 : 1001 – 6 .

Zittrain Jonathan . 2008 . The Future of the Internet. And How to Stop It . New Haven, CT : Yale University Press .

Zittrain Jonathan L. , Faris Robert , Noman Helmi , Clark Justin , Tilton Casey , Morrison-Westphal Ryan . 2017 . “The Shifting Landscape of Global Internet Censorship.” Internet Monitor 2017–4. Berkman Klein Center for Internet & Society .

Zuboff Shoshana . 2015 . “Big Other: Surveillance Capitalism and the Prospects of an Information Civilization.” Journal of Information Technology 30 : 75 – 89 .

Zuboff Shoshana . 2019 . The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power . New York : Public Affairs .

Month:	Total Views:
October 2019	2,073
November 2019	890
December 2019	377
January 2020	742
February 2020	492
March 2020	477
April 2020	349
May 2020	355
June 2020	404
July 2020	490
August 2020	351
September 2020	566
October 2020	631
November 2020	821
December 2020	498
January 2021	391
February 2021	522
March 2021	532
April 2021	601
May 2021	396
June 2021	180
July 2021	276
August 2021	212
September 2021	236
October 2021	389
November 2021	314
December 2021	505
January 2022	320
February 2022	229
March 2022	277
April 2022	288
May 2022	243
June 2022	156
July 2022	173
August 2022	147
September 2022	192
October 2022	334
November 2022	308
December 2022	476
January 2023	133
February 2023	131
March 2023	171
April 2023	124
May 2023	161
June 2023	112
July 2023	104
August 2023	70
September 2023	97
October 2023	169
November 2023	282
December 2023	324
January 2024	141
February 2024	165
March 2024	245
April 2024	262
May 2024	171
June 2024	136
July 2024	114
August 2024	130

Email alerts

Citing articles via.

Recommend to your Library

Affiliations

Online ISSN 1528-3585
Print ISSN 1528-3577
About Oxford Academic
Publish journals with us
University press partners
What we publish
New features
Open access
Institutional account management
Rights and permissions
Get help with access
Accessibility
Advertising
Media enquiries
Oxford University Press
Oxford Languages
University of Oxford

Oxford University Press is a department of the University of Oxford. It furthers the University's objective of excellence in research, scholarship, and education by publishing worldwide

Cookie settings
Cookie policy
Privacy policy
Legal notice

This Feature Is Available To Subscribers Only

This PDF is available to Subscribers Only

For full access to this pdf, sign in to an existing account, or purchase an annual subscription.

Information

Author Services

Initiatives

You are accessing a machine-readable page. In order to be human-readable, please install an RSS reader.

All articles published by MDPI are made immediately available worldwide under an open access license. No special permission is required to reuse all or part of the article published by MDPI, including figures and tables. For articles published under an open access Creative Common CC BY license, any part of the article may be reused without permission provided that the original article is clearly cited. For more information, please refer to https://www.mdpi.com/openaccess .

Feature papers represent the most advanced research with significant potential for high impact in the field. A Feature Paper should be a substantial original Article that involves several techniques or approaches, provides an outlook for future research directions and describes possible research applications.

Feature papers are submitted upon individual invitation or recommendation by the scientific editors and must receive positive feedback from the reviewers.

Editor’s Choice articles are based on recommendations by the scientific editors of MDPI journals from around the world. Editors select a small number of articles recently published in the journal that they believe will be particularly interesting to readers, or important in the respective research area. The aim is to provide a snapshot of some of the most exciting work published in the various research areas of the journal.

Original Submission Date Received: .

Active Journals
Find a Journal
Proceedings Series
For Authors
For Reviewers
For Editors
For Librarians
For Publishers
For Societies
For Conference Organizers
Open Access Policy
Institutional Open Access Program
Special Issues Guidelines
Editorial Process
Research and Publication Ethics
Article Processing Charges
Testimonials
Preprints.org
SciProfiles
Encyclopedia

Article Menu

Subscribe SciFeed
Recommended Articles
Google Scholar
on Google Scholar
Table of Contents

Find support for a specific problem in the support section of our website.

Please let us know what you think of our products and services.

Visit our dedicated information section to learn more about MDPI.

JSmol Viewer

Estimating the cost of internet censorship in china: evidence from a gamified remote platform.

1. Introduction

2. background information and data, 2.1. ingress and the online voluntary job, 2.2. the great firewall, 2.3. censorship and the ingress gameplay friction, 4. empirical design, 5.1. effects on work performance, 5.2. effects on participation and working time, 5.3. placebo tests, 5.4. discussion, 6. conclusions, author contributions, institutional review board statement, informed consent statement, data availability statement, acknowledgments, conflicts of interest, appendix a. survey questionnaire.

1	accessed on 21 March 2023 for a detailed introduction to the portals.
2
3
4

Bartoš, Vojtěch, Michal Bauer, Julie Chytilová, and Filip Matějka. 2016. Attention discrimination: Theory and field experiments with monitoring information acquisition. American Economic Review 106: 1437–75. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Busse, Kristina. 2015. Fan labor and feminism: Capitalizing on the fannish labor of love. Cinema Journal 54: 110–15. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Chen, Yuyu, and David Y. Yang. 2019. The impact of media censorship: 1984 or brave new world? American Economic Review 109: 2294–332. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Cox, David R. 1972. Regression models and life-tables. Journal of the Royal Statistical Society: Series B (Methodological) 34: 187–202. [ Google Scholar ]
Ding, Rong, Wenxuan Hou, Yue Lucy Liu, and John Ziyang Zhang. 2018. Media censorship and stock price: Evidence from the foreign share discount in China. Journal of International Financial Markets, Institutions and Money 55: 112–33. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Dwass, Meyer. 1957. Modified randomization tests for nonparametric hypotheses. The Annals of Mathematical Statistics 28: 181–87. [ Google Scholar ] [ CrossRef ]
Faccio, Mara, and John J. McConnell. 2020. Death by pokémon go: The economic and human cost of using apps while driving. Journal of Risk and Insurance 87: 815–49. [ Google Scholar ] [ CrossRef ]
Goggin, Joyce. 2011. Playbour, farming and leisure. Ephemera: Theory & Politics in Organization 11: 357–68. [ Google Scholar ]
Goux, Dominique, Eric Maurin, and Barbara Petrongolo. 2014. Worktime regulations and spousal labor supply. American Economic Review 104: 252–76. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Guryan, Jonathan, Erik Hurst, and Melissa Kearney. 2008. Parental education and parental time with children. Journal of Economic Perspectives 22: 23–46. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Hassib, Bassant, and James Shires. 2021. Manipulating uncertainty: Cybersecurity politics in egypt. Journal of Cybersecurity 7: 1–16. [ Google Scholar ]
Hassid, Jonathan. 2020. Censorship, the media, and the market in China. Journal of Chinese Political Science 25: 285–309. [ Google Scholar ] [ CrossRef ]
Hoang, Nguyen Phong, Arian Akhavan Niaki, Jakub Dalek, Jeffrey Knockel, Pellaeon Lin, Bill Marczak, Masashi Crete-Nishihata, Phillipa Gill, and Michalis Polychronakis. 2021. How great is the great firewall? measuring China’s dns censorship. Paper presented at the 30th USENIX Security Symposium, Virtual, August 11–13. [ Google Scholar ]
King, Gary, Jennifer Pan, and Margaret E. Roberts. 2013. How censorship in China allows government criticism but silences collective expression. American Political Science Review 107: 326–43. [ Google Scholar ] [ CrossRef ] [ Green Version ]
Kücklich, Julian. 2005. Precarious playbour: Modders and the digital games industry. Fibreculture Journal . [ Google Scholar ]
Lawson, Chappell, and Joseph Chappell H. Lawson. 2002. Building the Fourth Estate: Democratization and the Rise of a Free Press in Mexico . Berkeley: University of California Press. [ Google Scholar ]
Lorentzen, Peter. 2014. China’s strategic censorship. American Journal of Political Science 58: 402–14. [ Google Scholar ] [ CrossRef ]
Mölsä, Jarmo. 2005. Mitigating denial of service attacks: A tutorial. Journal of Computer Security 13: 807–37. [ Google Scholar ] [ CrossRef ]
Ptacek, Thomas H., and Timothy N. Newsham. 1998. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection . Technical Report. Calgary: Secure Networks Inc. [ Google Scholar ]
Qiu, Jack Linchuan. 1999. Virtual censorship in China: Keeping the gate between the cyberspaces. International Journal of Communications Law and Policy 4: 25. [ Google Scholar ]
Taylor, Nicholas, Kelly Bergstrom, Jennifer Jenson, and Suzanne de Castell. 2015. Alienated playbour: Relations of production in eve online. Games and Culture 10: 365–88. [ Google Scholar ] [ CrossRef ]
Xu, Beina, and Eleanor Albert. 2014. Media censorship in China. Council on Foreign Relations 25: 243. [ Google Scholar ]
Yang, Qinghua, and Yu Liu. 2014. What is on the other side of the great firewall? Chinese web users’ motivations for bypassing the internet censorship. Computers in Human Behavior 37: 249–57. [ Google Scholar ] [ CrossRef ]
Zarwan, Elijah. 2005. False Freedom: Online Censorship in the Middle East and North Africa . New York: Human Rights Watch, vol. 10. [ Google Scholar ]

Click here to enlarge figure

Location	Mainland China	Other
GFW Censorship	Restricted Access	Unrestricted Access
Panel A: Review Records
Number of Weekly Agreements	179.73	173.51
(Self-reported)	(158.38)	(125.27)
Number of Weekly Agreements	178.94	172.58
(Spot-checked)	(157.82)	(126.38)
Average Survival Weeks	12.4	11.09
	(10.04)	(8.45)
Number of Volunteers	180	31
%	85%	15%
Number of People Survived (%)
Week 9	115 (64%)	18 (58%)
Week 26	65 (26%)	7 (23%)
Week 30 (Completion)	45 (25%)	6 (19%)
Number of Observations	2813	416
Panel B: Questionnaire Survey
Number of Replies	66	14
Event Completion	33	5
Weekly Hours Spent Reviewing
Average During Event	3.88	2.37
	(2.17)	(1.74)
Maximum During Event	6.03	4.71
	(2.23)	(2.51)
Average After Event	1.65	1.14
	(1.33)	(0.53)


Panel A
Dep. Variable: Number of Agreements	Self-Reported		Spot-Checked
	−19.50		−18.44
	(12.13)		(11.86)
		−24.32 **		−24.25 **
		(10.43)		(10.63)
Mean Dependent Var.	178.56	175.54	177.73	174.55
Individual Fixed Effect	X	X	X	X
Time (Week) Fixed Effect	X	X	X	X
Observations	3229	3087	3228	3086
	0.123	0.110	0.124	0.109
Panel B
Dep. Variable: Natural Log of Agreements Number	Self-Reported		Spot-Checked
	−0.08 *		−0.08 *
	(0.04)		(0.04)
		−0.09 **		−0.08 *
		(0.04)		(0.05)
Mean Dependent Var.	5.01	5.00	5.00	4.98
Individual Fixed Effect	X	X	X	X
Time (Week) Fixed Effect	X	X	X	X
Observations	3229	3087	3228	3086
	0.215	0.175	0.201	0.162


Panel A
Dep. Variable: Number of Agreements	Self-Reported		Spot-Checked
	−27.73 **		−24.84 **
	(10.90)		(10.78)
		−19.55 **		−19.65 **
		(7.62)		(8.37)
Mean Dependent Var.	162.70	162.70	162.22	162.22
Individual Fixed Effect	X	X	X	X
Time (Week) Fixed Effect	X	X	X	X
Observations	2057	2057	2056	2056
	0.066	0.065	0.067	0.067
Panel B
Dep. Variable: Natural Log of Agreements Number	Self-Reported		Spot-Checked
	−0.13 **		−0.12 *
	(0.06)		(0.06)
		−0.10 ***		−0.09 **
		(0.03)		(0.04)
Mean Dependent Var.	4.96	4.96	4.95	4.95
Individual Fixed Effect	X	X	X	X
Time (Week) Fixed Effect	X	X	X	X
Observations	2057	2057	2056	2056
	0.100	0.098	0.091	0.091

	(1)
	Hazard Ratio
	0.12
	(0.14)
	0.13 **
	(0.06)
	−1.15 ***
	(0.13)
Number of Observations	6417
Number of Failures	3178

	(1)	(2)	(3)
Weekly Hours Spent Reviewing	After Competition	During Competition
	Average	Average	Maximum
Restricted	0.52	1.48 **	1.32 *
	(0.37)	(0.63)	(0.68)
Complete	−0.10	0.23	−0.03
	(0.28)	(0.48)	(0.52)
Mean Dependent Var.	1.56	3.62	5.80
Observations	80	80	80
	0.026	0.073	0.047

The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

Fan, J.; Guan, R. Estimating the Cost of Internet Censorship in China: Evidence from a Gamified Remote Platform. Journal. Media 2023 , 4 , 413-429. https://doi.org/10.3390/journalmedia4020027

Fan J, Guan R. Estimating the Cost of Internet Censorship in China: Evidence from a Gamified Remote Platform. Journalism and Media . 2023; 4(2):413-429. https://doi.org/10.3390/journalmedia4020027

Fan, Jijian, and Runquan Guan. 2023. "Estimating the Cost of Internet Censorship in China: Evidence from a Gamified Remote Platform" Journalism and Media 4, no. 2: 413-429. https://doi.org/10.3390/journalmedia4020027

Article Metrics

Article access statistics, further information, mdpi initiatives, follow mdpi.

Subscribe to receive issue release notifications and newsletters from MDPI journals

Internet Censorship and Freedom of Press Right essay

The introduction of censorship in internet raises the problem of the open access of individuals to information and the freedom of mass media. Therefore, the current debate on the necessity of the introduction and enhancement of censorship in internet is unnecessary and dangerous for basic human rights of users. This is why the current study focuses on the problem of censorship and internet.

Thesis statement: the development of internet raises new threats and challenges but the introduction of the government censorship over internet contradicts to basic human rights and primarily violates the freedom of press right because censorship will limit the access of the public to information, while the public should have the right to know everything to prevent the misuse of power by the government and other actions of the government that may be harmful for public interests.

2 Reasons for the introduction of internet censorship

2.1 Key issues which are relevant today and may affect people now and in the future.

2.1.1 The progress of technology creates numerous precedents and problems in regard to the observation of human rights. The development of online technologies contributes to the emergence of new problems, such as the problem of the identity theft, information breaches, misuse of information technologies to get access to the private information of users.

2.1.2 Many issues related to the violation of the copyright law online are among major concerns that raise the pro-censorship debate. The development of internet opened the way for audio- and video-records sharing, including music and films and other audio-visual products that were protected by copyright laws and legal norms. As a result, owners of copyright and intellectual property rights suffered from substantial losses caused by such misusing of their property.

2.1.3 Numerous cases of unethical behavior of users online is another reason for the development of censorship to limit the violation of ethical norms. For instance, the emergence of online pornography is offensive in regard to the existing legal and ethical norms but often sexually explicit content may be available freely to all users, including children. In such a situation, the censorship turns out to be very important in terms of the prevention of possible risks of the violation of ethical norms of users.

2.1.4 Mass media also report on numerous cases of child abuse online committed by predators. Children are vulnerable to the impact of predators online because they cannot identify users, whom they communicate with online. Internet creates ample opportunities for predators and other online offenders to misuse internet to create false identities and to reach their ends.

2.1.5 The idea of the introduction and enhancement of censorship in relation to internet naturally emerges from the existing threats and risks associated with the uncontrollable use of internet.

2.2 Government censorship can protect users

2.2.1 Government can introduce censorship and allow law enforcement agencies to conduct the investigation of cases that may be dangerous for the public or individuals

2.2.2 Government has more tools to maintain the censorship effectively compared to public or non-public organizations. Therefore, there are presumably no alternatives to the government censorship in internet.

3 Negative effects of internet censorship introduced and maintained by the government

3.1 Consequences of such censorship are negative and dangerous for democratic societies. The introduction and enhancement of online censorship by the government will raise another problem related to the violation of basic human rights and freedom of press.

3.2 There is a risk of misusing the power by the authorities to ‘filter’ information flow via internet. As a result, the government can have excessive control over users and information flow. Such control is dangerous since the public may have limited access to certain information, while the government will play with information flows to meet its interests or interest groups supporting the government.

3.3 People using internet turn out to be under the surveillance of the government, since the information is censored and, therefore, controlled and studied by law enforcement agencies.

3.4 Censorship is the violation of the privacy right along with the right of freedom of press.

4 Alternatives to the government censorship

4.1 The development of software aiming at the enhancement of the individual information safety. For instance, users can set parameters of their information security using the software developed specifically for the protection of information of users. In such a way, they can determine which threats they want to protect themselves from

4.2 The development of secure networks is another way to protect private information and avoid information security threats. In fact, today, many companies have already started implementing such solutions to secure their networks. In such a situation, the government censorship becomes unnecessary because secured network can protect users from numerous threats and risks associated with information breaches and other issues related to the information security.

4.3 Individual responsibility of users is particularly important in terms of the protection of users. In fact, information security problems emerge mainly because users are careless and do not pay much attention to the problem of their information security. As a result, when users take responsibility and are careful, they may decrease the risk of information breaches. For instance, users should not provide their private information to unreliable websites, but many users do it that leads to information breaches, identity thefts and other problems.

4.4 Corporate responsibility is also important because companies developing and providing IT and online services should act responsibly. They should be aware that they may expose their customers to risks and threats associated with the violation of information security. In this regard, the corporate responsibility could have become an effective tool that could have helped to secure internet making government censorship unnecessary. In addition, companies offering reliable information security services could attract more customers seeking for secure online services.

5 Conclusion

Thus, the introduction of the government censorship that will monitor and control internet and information flow transmitted via internet will have a negative impact on the society because it violates basic human rights, such as the privacy right or the freedom of press right. This is why the government should refuse from the introduction of censorship in internet because the public should have the right to have access to the information, while the government has no right to decide what people should know and what they should not. Instead, people should have the free access to the information and they may choose how to secure themselves from possible threats, for instance, with the help of special information security software.

Do you like this essay?

Our writers can write a paper like this for you!

Order your paper here .

IMAGES

Internet Censorship Should it be allowed
Internet Censorship
Censorship on the Internet Necessary Free Essay Example
Internet Censorship Research Paper Example
PPT
ISYS100 Final Research Paper on Internet Censorship

VIDEO

Is the Internet… Dead?

COMMENTS

Modeling and Characterization of Internet Censorship Technologies
The proliferation of Internet access has enabled the rapid and widespread exchange of information globally. The world wide web has become the primary communications platform for many people and has surpassed other traditional media outlets in terms of reach and influence. However, many nation-states impose various levels of censorship on their citizens' Internet communications. There is little ...
Running head: INTERNET CENSORSHIP: AN INTEGRATIVE REVIEW 1 Internet
A Senior Thesis submitted in partial fulfillment of the requirements for graduation in the Honors Program Liberty University Spring 2020 . ... Internet Censorship: A Meta-Analysis of Technologies Employed to Limit Access to the Internet and their Ensuing Effects on Culture
Freedom of expression in the Digital Age: Internet Censorship
Internet is regarded as an important issue that shapes free expression in today's volatile nature of human rights world (Momen 2020 ). In the digital age, authoritarian governments in the world always attempt to undermine political and social movement through the complete shutdown of the Internet or providing partial access to it.
PDF Understanding Internet Censorship in Democracies
Indeed, the internet in Western democracies was, initially, somewhat of a wild west in which anything was possible—including, of course, some of society's worst ills. At the same time, some of the world's most authoritarian states— including China, Saudi Arabia, Tunisia, and Turkmenistan—had early on implemented measures to block any ...
113 Censorship Essay Topics & Examples
In your censorship essay, you might want to focus on its types: political, religion, educational, etc. Another idea is to discuss the reasons for and against censorship. One more option is to concentrate on censorship in a certain area: art, academy, or media. Finally, you can discuss why freedom of expression is important.
Internet censorship: making the hidden visible
Internet censorship takes two main forms: user-side and publisher-side. In user-side censorship, the censor disrupts the link between the user and the publisher. The interruption can be made at various points in the process between a user typing an address into their browser and being served a site on their screen. Users may see a variety of ...
PDF Threat modeling and circumvention of Internet censorship
this document I will continue to use \Internet censorship" without further quali cation to mean the border rewall case. 1.2 My background This document describes my research experience from the past ve years. The next chapter, \Principles of circumvention," is the thesis of the thesis, in which I lay out opinionated general
Regulation and Censorship of the Internet
1.3.4 Censorship in China. China is the most populous nation on earth and also one of the most censored nations on earth. There are so many regulatory apparatus and laws that are used for regulation in China, though there isn't any direct or specific rule that the censoring body follows.
PDF ANALYSIS OF INTERNET CENSORSHIP IN MAINLAND CHINA (THE GREAT ...
Bachelor's thesis Published Autumn 2019 Number of pages 53 Title of publication Analysis of Internet Censorship in mainland China (the Great Firewall) Name of Degree Bachelor of Business Administration, International Business Abstract This study aims to discover the reasons behind China's Internet censorship,
Threat modeling and circumvention of Internet censorship
Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. ... fifield-thesis Identifier-ark ark:/13960/t0200mm2w Ocr ABBYY FineReader 11.0 (Extended OCR) Pages 96 Ppi 300 Scanner Internet Archive Python library 1.0.10 Year ...
Internet Censorship Thesis Statement
Internet Censorship Thesis Statement - Free download as PDF File (.pdf), Text File (.txt) or read online for free. Crafting an effective thesis statement on internet censorship is challenging due to the complex and multifaceted nature of the topic. The broad scope of issues involved in internet censorship like freedom of expression, privacy, and government control require extensive research to ...
Predicting Large-Scale Internet Censorship
A thesis presented to the faculty of the School of Engineering and Applied Science University of Virginia in partial fulfillment of ... due to Internet censorship, has received little direct attention in light of the ongoing media censorship in China. Exposing this aspect of censorship allows citizens to better understand the
Walking Through Firewalls: Circumventing Censorship of Social Media and
Although authoritarian governments often employ a mix of increasingly sophisticated censorship tactics (e.g., removing a tweet versus demonizing the act of tweeting) belonging to different "generations of control" (Deibert & Rohozinski, 2010), restricting access to content and social media platforms through a variety of technical means (e.g., blocking internet protocols [IPs], removing ...
Threat modeling and circumvention of Internet censorship
This is a thesis about Internet censorship. Specifically, it is about two threads of research that have occupied my attention for the past several years: gaining a better understanding of how censors work, and fielding systems that circumvent their restrictions. ... Internet censorship and circumvention began to rise to importance in the mid ...
The Internet, Censorship, and China
Internet Industry." While many observers had expected the Internet to weaken censorship in China, the oppo-publish an article, "Modernization and History Books," which discussed the foreign occupation of China at the end of the nineteenth century.5 But it is the concessions by U.S. Internet giants that have caught the public's attention. Google ...
Internet Control or Internet Censorship? Comparing the Control Models
Internet censorship refers to a government's unjustified scrutiny and control of online speech or government-approved control measures. The danger of Internet censorship is its chilling effect and substantial harm on free speech, a cornerstone of democracy, in cyberspace. This article compares China's blocking and filtering system, Singapore's class license system, and the United States ...
'Extremely aggressive' internet censorship spreads in the world's
The largest collection of public internet censorship data ever compiled shows that even citizens of the world's freest countries are not safe from internet censorship. A University of Michigan team used Censored Planet, an automated censorship tracking system launched in 2018 by assistant professor of electrical engineering and computer ...
Online Surveillance, Censorship, and Encryption in Academia
The essays showcase how part of the control imposed upon academia is deriving from the use of technologies for purposes that they were not originally designed for nor envisioned (Edwards et al. 2018, 8). ... Internet censorship and surveillance have become normalized, and a huge market for cybersecurity products and services has provided ...
Internet Censorship Essay
Internet Censorship Student's Name: Institution Name: Internet Censorship Internet censorship refers to the suppression and control of what people can access, publish, or view on the cyberspace (Reynolds, 2014). It may be done by regimes or private firms at the command of the government. It can be a government's initiative is or carried out ...
Estimating the Cost of Internet Censorship in China: Evidence ...
We exploit internet censorship intensity changes due to political events to study the impact of internet censorship on online laboor work in China. With a unique dataset from the Ingress (video game) community platform, a difference-in-differences design shows that an increase in China's internet censorship intensity during politically sensitive dates, while not affecting the amount of ...
PDF Cracks in The Golden Shield: the Rising Challenge of Expanding Chinese
THE RISING CHALLENGE OF EXPANDING CHINESE INTERNET CENSORSHIP TECHNOLOGIES A Thesis Submitted to the Faculty of the Edmund A. Walsh School of Foreign Service of Georgetown University in partial fulfillment of the requirements for the degree of Master of Arts In Security Studies By Elizabeth Kathleen Dodson, B.A. Washington, D.C. April 19, 2010
Internet Development, Censorship, and Cyber Crimes in China
The Internet, censorship, and China. Georgia Journal of International Affairs, 7, 111-119. Google Scholar. Endeshaw, A. ( 2004). Internet regulation in China: The never-ending cat and mouse game. Information & Communications Technology Law, 13(1), 41-57. Google Scholar. Fan, Q. ( 2005). Regulatory factors influencing Internet access in ...
Internet Censorship and Freedom of Press Right essay
Thesis statement: the development of internet raises new threats and challenges but the introduction of the government censorship over internet contradicts to basic human rights and primarily violates the freedom of press right because censorship will limit the access of the public to information, while the public should have the right to know ...