2015: The Year the Great Firewall went Global
Image credit: Larry Salibra

2015: The Year the Great Firewall went Global

TL;DR: 2015 marked a changing point in China’s relationship with the global Internet. This post takes a look back at 2015 and 16 events in which the effects of China’s Internet control and censorship regime started being felt outside of its borders.

I spent much of the past week on holiday in Mainland China…my longest stint behind the Great Firewall (GFW) in a couple years. Even after living behind the Great Firewall for the better part of a decade, I was surprised at how cut off the Chinese internet has become from the rest of the world compared to how it was just three years ago when I ended my residence in Guangzhou.

It used to be that you had to turn on your VPN to access certain websites. Now the censorship, website blocking, and deliberate interference with encrypted protocols has gotten to the point where a computer or phone normally configured for use outside of the country doesn’t really work properly in China.

Life behind the Great Firewall

Life online behind the Great Firewall is like life anywhere else, except:

  • You can’t search for things.
  • Your email doesn’t arrive.
  • You can’t communicate with friends, family and business colleagues.
  • Your calendar and contacts won’t sync.
  • Your phone or computer won’t back up.
  • It’s slow, hard or impossible to download or update apps.
  • You won’t get any likes on your selfie because you can’t even share it.
  • You can’t even figure out where you are.

You can’t really do much of anything unless you use services provided by local, government approved companies like Tencent, Baidu or Sina.

Permits required
In China’s vision of the Internet, permits are always required.

Back in the good old days of Chinese internet censorship, you could leave your VPN always on and have a relatively “normal” uncensored Internet experience. These days, you can still try to use a VPN and it will sometimes work…for a while. But more than likely, you’ll connect just long enough to get started doing whatever you need to do only to have the connection die ten minutes or 20 megabytes into your session. Frustrating.

It used to be that leaving Mainland China let you escape the effects of China’s internet censorship and control policies. In 2015 that changed. China’s economic importance and global political ambitions have grown to the point that the effects of its Internet policy are now regularly felt outside of its geographic borders. No longer is China content to exercise its Internet sovereignty by controlling technology and its use within its own borders, but like our favorite red, white, blue superpower, China sees no problem in taking actions with extraterritorial consequences to achieve its goals. 

Bridge across Shenzhen River at Futian
This short bridge across the Shenzhen River between Shenzhen and Hong Kong also spans the Internet chasm created by the Great Firewall.

Let’s take a look back at 2015 and 17 events that marked the year the Great Firewall went global.

January 2015

1. As WeChat gained traction overseas, users found themselves subject to Chinese censorship

WeChat is a messaging that has the de facto monopoly on mobile messaging in China. It also happens to be very well designed and a lot of fun to use. Unsurprisingly, the friendly design and features that make it attractive to Chinese users are also appreciated in many non-Chinese communities. Since other messaging apps are blocked in China, it’s also the only choice for communities that span both sides of the Great Firewall. 1

A well thought out user interface doesn’t help, however, when your posts are censored, blocked, deleted or silently not delivered because they’ve run afoul of the censor’s sensibilities.

It also doesn’t help activists, like those pushing for rights for women, whose WeChat messages are read by Chinese authorities before ending up in jail.

Censored WeChat post Uncensored WeChat post confirming censorship
In the first post I thank Xi Dada for China Immigration’s kind birthday wishes. Notice how there are no comments or likes. The second post, a post of a screenshot of the first, censored post, asking if anyone saw the first post, has immediate engagement and everyone replies they can’t see the first post.

2. Apple gives Chinese government access to its source code

Chinese state media reported that Apple agreed to let the Chinese government inspect its products for 3rd party backdoors and to make sure it protects user data. Many media sources interpreted this to mean that Apple was providing China with access to its source code.

3. GFW upgrade fail causes attack on Korean Government website and porn sites

DNS poisoning is a censorship technique used by the Great Firewall where visitors to blocked domain names are sent to the wrong servers. For a period of time, the GFW was sending users trying to visit blocked sites like Facebook to a site owned by the Korean government causing a distributed denial of service attack (DDOS attack) .

I had a first hand view of these attacks in action here in Hong Kong when a popular, independent English language news site targeted by the GFW came to me for assistance in mitigating the crippling GFW directed DDOS attack that they were experiencing.

February 2015

4. China Considers Banning Western Tech from Banking

As usual, the excuse for excluding Western firms is “security”, but the motivation appears to protectionism. Either way, foreign companies, their customers and shareholders pay the price.

March 2015

5. CNNIC certificates found to be used for MITM attack on Google, Apple, Microsoft, others

The China Internet Network Information Center (CNNIC), a Chinese government organization is also holder of a SSL root certificate that up until now was trusted by major web browsers and operating systems. This meant that they could create SSL certificates that let any website pretend it’s another website and these would be trusted by almost all phones and computers worldwide.

The temptation to use this power to impersonate popular sites like Google and Apple’s iCloud in order to spy on otherwise private communication was too much. Google caught CNNIC compromising security of customers worldwide and outed them.

Don’t trust CNNIC's root certificate
You can configure your computer to never trust CNNIC.

6. China’s Great Cannon attacks Github

A new offensive set of capabilities in the Great Firewall came to light in an attack against Github. These capabilities became known as the Great Cannon. In this attack, Baidu’s network was hijacked by the Great Firewall and malware was injected in their analytics code, which turned unsuspecting overseas visitors to Chinese sites into a giant bot network programmed to attack Github.

This wasn’t the first attack on Github, which is seen as largely unblockable by China because of its importance in the tech industry because many widely used open source projects and libraries are hosted on it. Because of its economic importance and unblockable status, dissidents have taken to hosting information China finds unacceptable on the site. The Great Cannon attack on Github can be interpreted as a way to put economic pressure on the site to stop hosting content China finds objectionable.

It’s important to note that this was not China’s first attempt to compromise Github and it probably won’t be the last.

April 2015

7. Great Firewall blocks Login with Facebook

Build your app or website so that users have to login with Facebook (or Google)? Congratulations! Your app doesn’t work in China! The future is decentralized - next time, better use the Blockchain!.

June 2015

8. Google, Firefox, Apple block CNNIC certificate

Google, Firefox, and Apple block CNNIC root certificate…but instruct their software to continue trusting a list of domain names that have SSL certificates signed by CNNIC.

September 2015

The Great Firewall makes downloading apps from outside of China a slow and frustrating experience. Apple’s developer tool XCode, required for creating and building iOS and Mac apps, is a very large download, with a size in the many gigabytes. It also is updated very frequently, with a new version appearing every time a Mac OS X or iOS beta version is released. Apple developers in China were quickly frustrated by the hours of time it would take to download each new version of XCode from Apple’s servers and searched for other domestic sources of the software.

It turned out that the versions of XCode downloaded by these developers in China were infected with code that inserted malware into the apps that they made and submitted to Apple’s App Store. This malware cause apps downloaded by users to connect to a command and control server - like one used in a bot net - and send back personal information.

Many apps used by people both inside and outside of China were affected including WeChat, Angry Birds 2 and Uber competitor Didi Kuaiche.

October 2015

10. XYZ Domain Registry to automatically censor domains for China

The XYZ Domain Registry submitted a proposal to ICANN that was interpreted by the EFF and others as being a statement that they will prohibit registration of words banned by China on top level domains that they control. The CEO eventually denied the allegation but that it seemed so plausible and would be technically trivial to implement, indicates how fragile current Internet infrastructure is to resisting censorship.

XYZ's ICANN proposal
Proposal submitted to ICANN by XYZ for a Chinese gateway that would maintain compliance with Chinese law.

November 2015

11. China Eastern installs inflight Wifi that censors Internet outside of China

If it wasn’t bad enough that US and other airlines disable inflight wifi while flying over Mainland China, now passengers on China Eastern flights outside of Mainland China will be able to enjoy the behind the Great Firewall experience without even needing a China Visa!

China Eastern 777
You can access all of the Internet from this China Eastern 777 except for most of sites and apps you want to use.

12. Apple News censored in China

I discovered that Apple includes code in iOS that disables Apple News whenever it detects a Chinese mobile network signal. This China Kill Switch also disables the global version of Apple Maps and replaces it with a version approved by the Chinese government. The China Kill Switch is present in versions of iOS included on all iPhones, iPod Touches and iPads, including those sold outside of China.

Apple News Censored
No news is not good news. It’s censored news.

December 2015

13. GFW makes Chinese Bitcoin miners unable to support large block sizes

At Phase 2 of the Scaling Bitcoin conference in Hong Kong, a major concern of the Chinese mining community was that larger block sizes would put them at a disadvantage because of how the Great Firewall slows down connections to the rest of the world. Empirical research was presented that showed that the Great Firewall quickly throttles encrypted data, like a Bitcoin block, when it is sent out of the country.

The Scaling Bitcoin Genesis Block
The technical constrains imposed by the Great Firewall present a problem even for stateless Bitcoin.

14. China Passes Antiterrorism Law That Critics Fear May Overreach

Opponents who had seen a draft version said it grants broad new powers that could be abused to monitor peaceful citizens and steal commercial secrets. The US and UK governments want similar legislation and by doing so have given the Chinese government credibility in taking the same actions.

Chinese counterterrorism police vehicle
In recent years, counterterrorism police vehicles are a common sight outside Chinese railway stations and border crossings.

15. Microsoft failed to warn victims of Chinese email hack: former employees

Microsoft’s hotmail email service was hacked by purported Chinese state actors and the company decided not to tell the victims and allowed the hackers to continue their campaign.

Microsoft’s China business is far from what one would call “successful” since most of their products in Chinese are pirated, not purchased. One has to wonder how a large company that depends on China for much of their revenue and growth (perhaps a certain fruit company?) would behave under similar circumstances. Perhaps something like this has already happened to other large foreign tech companies and we just haven’t yet found out. 

January 2016

Mere hours into the new year, the long arm of Great Firewall was already in action…this time affecting Microsoft’s search engine.

16. Bing Goes Full-on Censorship in English Search Results Within China

Some internet users in China using Microsoft’s Bing search engine found skewed results that reflected only a positive perspective of China.  

Questions for 2016

China under Xi Jinping has seen internal crackdowns on both corruption and dissent over the past few years. It has also been much more assertive in its foreign policy. China’s Internet policy of control and censorship will increasingly affect users outside in China as the country follows US lead in extraterritorial policy enforcement. As we’ve already seen with Apple products and Hollywood movies, design decisions for products, software, and services sold globally will be heavily influenced by a desire to maintain access to and succeed in the Chinese market.

How will this influence play out? Will companies take the Apple Maps approach and build with two versions of their product, a China and a global one? Will companies leave out functionality and content Beijing doesn’t approve, like Hollywood?

Will we see more offensive attacks like the Great Cannon attacks and hacking of consumer services? Will China play a larger roll in Internet regulatory agencies? Will decentralization and censorship resistant technologies like those built on the Bitcoin blockchain gain traction? If so, how will the Chinese government react?

Now that Hong Kong booksellers have started disappearing will owners of VPNs and creators of GFW circumvention technologies outside of Mainland China start to have the same pressure their Mainland counterparts already face?

Want answers? You’ll have to wait until 2017! In the meantime, subscribe to my newsletter or get in touch!

  1. For example, the Bitcoin community makes heavy use of WeChat despite its anti-establishment tilt since most Bitcoin mining and trading happens in Mainland China

  Updated
Larry Salibra

About

I'm the Founder & CEO of Pay4Bugs, the crowdsourced testing service that finds product bugs before they cost you sales. More about me.