Internet censorship circumvention is the use of various methods and tools by technically skilled users to bypass Internet censorship—the legal control or suppression of access to, publication of, or viewing of content on the Internet. Commonly used software tools include Lantern and Psiphon, which can bypass multiple types of restriction. Some methods evade less sophisticated blocking tools by using alternate Domain Name System (DNS) servers, false IP addresses, or address lookup systems.[1][2] However, such methods become ineffective if censors block not only the DNS but also the IP addresses of restricted domains, thereby rendering a potential bypass ineffective. Other tools can tunnel the network traffic to proxy servers in jurisdictions that don't have censorship. Through pluggable transports, traffic obscuration, website mirrors, or archive sites, users can access copies of websites even in areas having Internet censorship.[3][4]
An "arms race" (or competition) has developed between censors and developers of circumvention software. This competition leads to two types of innovation: more sophisticated blocking techniques by censors, and less detectable tools by circumvention developers.[5] While estimates of user adoption for circumvention tools vary, it is widely accepted that tens of millions of people use them each month.[6][7][8][9] Barriers to adoption include usability issues; difficulty in finding reliable information on circumvention; limited motivation to access censored content; and risks from breaking the law.[10][11][12][4]
Major circumvention methods include alternate names and addresses; mirrors, caches, and copies; alternative platforms; proxying; and traffic obfuscation.
Censorship filters may block specific domain names, using either DNS hijacking or URL filtering. Websites can sometimes be accessed through alternate names and addresses that may not be blocked.[1]
Some websites offer the same content at multiple pages or domain names.[2] For example, the English Wikipedia is available at two locations: the main page and the mobile version.
If a website's DNS resolution is disrupted, but the site is not blocked in other ways, it may be possible to access the site directly through its IP address or by modifying a computer's hosts file. It may be possible to bypass DNS-based blocking by using alternative DNS servers or public recursive name servers (especially via an encrypted DNS client).[1]
Censors may block specific IP addresses. Depending on how such filtering is implemented, it may be possible to use different forms of a blocked IP address, for example, by specifying the address in a different numeral system.[13] For example, the following URLs all access the same site, but only some browsers will recognize all forms of the URL:
Blockchain technology—a distributed data store for digital transactions—is an attempt to decentralize Internet namespaces beyond the control of any single entity.[14][15] Decentralized namespaces enable domains to resist censorship. Discussion of the BitDNS project began in 2010 with a desire to achieve names that are decentralized, secure, and human readable.[16]
Certain online services allow users to access content that is blocked on the Internet through cached or mirrored copies:
Cached pages: Some search engines retain copies of previously indexed webpages, or cached pages, which are often hosted by search engines; these may not be blocked.[4]
Mirror and archive sites: Copies of websites or pages may be available at mirror or archive sites such as Wayback Machine (by the Internet Archive) or Archive.today. The Docker registry image repository is an HTTP public service that has centralized storage, is application stateless, and is node scalable; the service has a performance bottleneck in the scenario of multinational uploading and downloading. The decentralized Docker registry (DDR) avoids this disadvantage of centralization. DDR uses a network-structured P2P network to store and query mirror manifest file and blob routing; each node serves as an independent mirror repository to provide mirror uploading and downloading for the entire network.[17][18][19]
RSS aggregators: RSS aggregators such as Feedly may be able to receive and then forward RSS feeds that are blocked if accessed directly.[4]
Alternative types of Internet hosting platform can provide options for circumventing Internet censorship. Such alternatives include decentralized hosting, anonymity networks, federated platforms, providers with different policies, and darknets:
Decentralized hosting: Content creators may publish to an alternative platform that is willing to host this content. Napster was the earliest peer-to-peer (P2P) platform, but it was closed because of vulnerabilities with centralized bootstrapping. Gnutella was the first sustainable P2P platform that featured hosting by decentralization. The motto of the Freenet P2P platform is that "true freedom requires true anonymity." Later, the BitTorrent P2P protocol was developed to allocate resources with high performance and fairness.[20] ZeroNet P2P web hosting was the first distributed hash table (DHT) system to support dynamic and updateable webpages. The YaCy P2P search engine is the leading distributed search. GNUnet is rebuilding the internet framework from the ground up for resilience technologically idealized.
Anonymity networks: The Tor and Invisible Internet Project (I2P) networks result in increased willingness to host content that would otherwise be censored. However, hosting implementation and server location may cause challenges, and the content is still hosted by a single entity that can be controlled.
Federated: Semi-decentralized, federated platforms such as Nextcloud and PeerTube make it easier for users to find an instance where they are welcome.
Providers with different policies: Some platforms that rely on cloud computing may have laxer terms of service (TOS). However, cloud computing does not in principle innovate fundamental laxness.
A variety of techniques support a user in leveraging technical proxies to circumvent Internet censorship:
Web proxy server: A Web proxy server (or web proxy) allows users to load external web pages through a server that makes and receives requests on behalf of the user, rather than directly from the blocked original server (or source).[4] Depending on how a proxy is configured, a censor may be able to determine if a user is accessing the proxy, and if so, which pages the user loads.[2]
Example: The mobile Opera Mini browser uses proxies that employ encryption and compression to accelerate downloads. This process has the side effect of circumventing several approaches to Internet censorship. In 2009, this situation led the Chinese government to ban all versions of the Opera Mini browser except for a special Chinese version.[21]
Domain fronting: Domain fronting hides the destination of a network connection by passing initial requests through a content delivery network or other popular site that censors may be unwilling to block.[22] This technique was used by messaging applications such as Signal and Telegram. Similarly, Tor's meek system uses Microsoft's Azure cloud. However, large cloud providers such as Amazon Web Services and Google Cloud no longer support meek.[23] As another option, a website owner can create a free account to use a Cloudflare domain for fronting.[24][25]
Tunneling protocol: By employing a tunneling protocol such as Secure Shell (SSH), a user can forward all of their traffic over an encrypted channel; as a result, both outgoing requests to blocked sites and incoming responses from those sites are hidden from censors, for whom it appears as unreadable SSH traffic.[26]
Virtual private network (VPN): Through a virtual private network (VPN), a user can create secure connections to more permissive countries, letting users browse as if they were located in one of those countries.[1] Some VPN services are offered for a monthly fee; others are supported by advertising. According to GWI, an audience research company, there were more than 400 million people using VPNs to circumvent censorship or obtain increased privacy in 2014 (although this number cannot be verified).[9]
Tor anonymity network: A more advanced tool such as the Tor anonymity network routes encrypted traffic through multiple servers to make the source and destination of this traffic less traceable. In some cases, Tor can be used to avoid censorship, especially when it is configured to use traffic obfuscation techniques.[5]
Instructions for using Tor's pluggable transports, which employ traffic obfuscation techniques to increase censorship resistance
A censor may be able to detect and block the use of circumvention tools through deep packet inspection.[27] Ongoing work aims to make circumvention tools less detectable in several ways: randomizing the traffic; attempting to mimic a whitelisted protocol; or tunnelling traffic through a whitelisted site by using domain fronting or Tor's meek system.[5] Tor and other circumvention tools have adopted multiple obfuscation techniques that users can employ, depending on the nature of their network connection; these techniques are sometimes called pluggable transports.[28]
Functionality desired by users may overlap with that of services that are not based on the Internet, such as postal mail, Bluetooth-based data exchange, or walkie-talkie devices. The following are some detailed examples:
Alternative data transport: Datacasting allows transmission of Web pages and other information via satellite broadcast channels, bypassing the Internet entirely. This process requires a satellite dish and suitable receiver hardware, but it provides a powerful means of avoiding censorship. Because the user only receives data through this process but transmits no data, a suitably air-gapped computer can be impossible to detect.[29]
Sneakernets: A sneakernet is the transfer of electronic information, especially computer files, by physically carrying data on storage media from one place to another. A sneakernet can move data regardless of network restrictions, simply by avoiding the network entirely.[30] One example of a widely adopted sneakernet is El Paquete Semanal, an underground content market in Cuba.[31]
Circumvention tools have undergone spikes in adoption rates in response to high-profile attempts to block the Internet.[32][33][34] Nevertheless, mixed results have been reported by studies that measure the adoption of circumvention tools in countries with persistent and widespread censorship.[6] Knowledge of and comfort with using censorship circumvention tools varies widely and depends on factors such as the local censorship environment, public awareness of circumvention alternatives, language accessibility, usability, and legal risks.[35][36][37] Such tools can include VPNs, international SIM cards, Short Message Service (SMS), Bluetooth-based communication apps, and mesh networking applications.[38] In some contexts, individuals may be aware of circumvention tools but reluctant to use them due to the risk of severe legal penalties.[37]
Measures and estimates of circumvention tool adoption have varied widely. A 2010 study by Harvard University estimated that few users employ tools for censorship circumvention—likely less than 3% of users, even in countries that consistently implement widespread censorship.[6] Other studies have reported substantially larger rates, but these have been disputed.[7][8]
In China, anecdotal reports suggest that adoption of circumvention tools is particularly high in certain communities, such as universities; a survey by the research institute Freedom House found that users generally did not find circumvention tools to be difficult to use.[39][40][1] Market research firm GlobalWebIndex reported more than 35 million Twitter users and 63 million Facebook users in China (where both services are blocked).[7] However, these estimates have been disputed;[41] Facebook's advertising platform estimates 1 million users in China,[8] and other reports of Twitter adoption estimate 10 million users.[42] Other studies have found that efforts to block circumvention tools in China have reduced adoption of those tools; the Tor network previously had more than 30,000 users connecting from China, but as of 2014, the network had only about 3,000 Chinese users.[43]
A 2013 study of 1,175 Chinese Internet users found that participants primarily circumvented censorship to access search engines, social media platforms, and blocked news sources. The study reported that users tended to rely on services that were easy to use and economically costly for authorities to block. For example, the most widely used tool operated through Google’s cloud hosting infrastructure, which also supported a range of other services. A smaller subset of users, consisting mainly of journalists and activists, cited privacy as their primary motivation for using a tool.[44]
In Thailand, Internet censorship has occurred since 2002, through sporadic and inconsistent filtering.[45] In a small-scale survey of 229 Thai Internet users, a research group at the University of Washington found that 63% of surveyed users attempted to use circumvention tools, and 90% were successful in using those tools. Users often made on-the-spot decisions about the use of circumvention tools on the basis of limited or unreliable information; these users had a variety of perceived threats, some more abstract and others based on personal experience.[11]
In response to the blocking of Twitter in Turkey during 2014, information about alternate DNS servers was widely shared, since using another DNS server (such as Google Public DNS) allowed users to access Twitter.[46] The day after the block was imposed, the total number of posts made in Turkey had increased by 138%, according to Brandwatch, an Internet measurement firm.[32]
After a ban on the Telegram messaging app in Iran during April 2018, web searches for VPN and other circumvention software increased by as much as 48 times for some search terms, but there was evidence that users were downloading unsafe software. As many as a third of Iranian Internet users used the Psiphon tool in the days immediately following the block; in June 2018, as many as 3.5 million Iranian users continued to use the tool.[33]
Systems for circumvention and anonymity are different. Circumvention systems are designed to bypass Internet blocking, but they do not usually protect user identities. Anonymous systems protect a user's identity, but while they can contribute to censorship circumvention, this is not their primary function. Public proxy sites do not provide anonymity, since they can view and record the location of computers making requests, in addition to the websites accessed.[4]
In many jurisdictions, accessing blocked content is a serious crime, particularly for content that is considered to be child pornography, a threat to national security, or an incitement to violence. For this reason, it is important to understand circumvention technologies—and the protections that they do (or do not) provide—and to use only tools that are appropriate in a particular context. Significant care must be taken to install, configure, and use circumvention tools properly. People associated with dissident, protest, or reform groups, or high-profile rights organizations, should take extra precautions to protect their online identities.[4]
Circumvention sites and tools should be provided and operated by trusted third parties, located outside the censoring jurisdiction, who do not collect identities and other personal information. Trusted family and friends known personally by the circumventor are best; but when family and friends are unavailable, sites and tools provided by individuals or organizations that are known only by their reputations, or through recommendations and endorsements by other people, may need to be used. Commercial circumvention services may provide anonymity during Internet surfing, but these services could be legally compelled to make their records and users' personal information available to law enforcement authorities.[4]
There are five general types of software for circumventing Internet censorship:
CGI proxies: A Common Gateway Interface (CGI) proxy server uses a script running on a web server to provide proxying functionality. A CGI proxy client (typically the user's computer) sends a requested web address or URL, embedded within the data of HTTP protocol requests, to the CGI proxy server. The CGI proxy server sends its own HTTP request to the ultimate destination server, and then the proxy server returns the result to the proxy client. A CGI proxy tool's security can be trusted to the extent that the operator of the proxy server is trustworthy. CGI proxy tools do not require a user to manually configure a web browser or install client software, but they do require the user to use an alternative, potentially confusing user interface within the existing web browser.
HTTP proxies: HTTP proxies send HTTP requests through an intermediate proxying server. When a client (typically the user's computer) is connecting through an HTTP proxy, this client sends exactly the same HTTP request to the proxy as it would send to the destination server if unproxied. The HTTP proxy parses the HTTP request; this proxy sends its own HTTP request to the ultimate destination server; and then the proxy server returns the response back to the proxy client. An HTTP proxy tool's security can be trusted to the extent that the operator of the proxy server is trustworthy. To employ an HTTP proxy tool, a user must either manually configure the web browser or install client-side software that performs this configuration. Once configured, an HTTP proxy tool allows the user to transparently use their browser's normal user interface.
Application proxies: Application proxies are similar to HTTP proxies but support a wider range of online applications.
Peer-to-peer systems: Peer-to-peer systems store content across a number of participating volunteer servers; this storage is combined with techniques such as rerouting, to reduce the level of reliance placed on volunteer servers or social networks to establish trust relationships between servers and clients. A peer-to-peer system can be trusted to the extent that the operators of participating servers are trustworthy, or that its architecture limits the information available to any single server—provided that server operators do not collude to combine their knowledge.
Rerouting systems: Rerouting systems send requests and responses through a series of proxying servers, re-encrypting the data at each proxy, so that a given proxy knows at most either the source or the destination of the data, but not both. This approach decreases the amount of trust required of the individual proxy hosts.
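The trust property of rerouting systems described above can be made concrete with a small model. This is an added example, not part of the original article and not the code of any real tool: the relay names, keys and destination are constructed, the cipher is a toy built from HMAC-SHA256 for illustration only, and only the request direction is modelled.

```python
import hashlib, hmac, json, os

def subkeys(key):
    # Derive separate encryption and MAC keys from one relay key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode). Illustration only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, obj):
    """Encrypt and authenticate one layer; returns a hex string."""
    enc, mac = subkeys(key)
    nonce = os.urandom(16)
    body = xor_stream(enc, nonce, json.dumps(obj).encode())
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return (nonce + tag + body).hex()

def open_layer(key, packet):
    """Verify and remove one layer; raises ValueError if the key is wrong."""
    enc, mac = subkeys(key)
    raw = bytes.fromhex(packet)
    nonce, tag, body = raw[:16], raw[16:48], raw[48:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer not addressed to this relay")
    return json.loads(xor_stream(enc, nonce, body))

def build_onion(route, keys, destination, request):
    """Wrap the request innermost-first; each layer names only the next hop."""
    packet = seal(keys[route[-1]], {"next": destination, "payload": request})
    for i in range(len(route) - 2, -1, -1):
        packet = seal(keys[route[i]], {"next": route[i + 1], "payload": packet})
    return packet

def send(route, keys, client, destination, request):
    """Pass the onion along the route, recording what each relay can observe."""
    packet = build_onion(route, keys, destination, request)
    seen, prev, hop = {}, client, route[0]
    while hop in keys:                      # stop once the next hop is not a relay
        layer = open_layer(keys[hop], packet)
        seen[hop] = {"previous": prev, "next": layer["next"]}
        prev, hop, packet = hop, layer["next"], layer["payload"]
    return seen, hop, packet

# Constructed sample: three hypothetical relays with per-relay keys.
ROUTE = ["relay-a", "relay-b", "relay-c"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ROUTE}

if __name__ == "__main__":
    seen, final_hop, delivered = send(ROUTE, KEYS, "client", "blocked.example", "GET /")
    for name in ROUTE:
        print(name, seen[name])
    print("delivered to", final_hop, "->", delivered)
```

In the recorded view, only the first relay sees the client and only the last sees the destination, which is why the collusion caveat stated for peer-to-peer systems matters here as well.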
Below is a list of software for circumventing Internet censorship:
Uses split tunneling to redirect to proxy servers only when blocking is encountered. Is not a general circumvention solution and only allows access to certain blocked websites. In particular, it does not allow access to blocked websites that contain pornography, nudity or similar adult content.
Turns a computer into a personal, encrypted proxy server capable of retrieving and displaying web pages to users of the server. CGIProxy is the engine used by many other circumvention systems.
A simple-to-administer, open-source system for circumventing Internet censorship; in wide-scale use, with a cloud-based infrastructure serving millions of users.
An encrypted, public, web-based circumvention system. Because the site is public, it is blocked in many countries and by most filtering applications. mousematrix.com is a similar site based on the same software.
Open Technology Fund (OTF)—funded by the American government, a program created in 2012 at Radio Free Asia to support technologies for global Internet freedom.
Tactical Technology Collective—a non-profit foundation promoting the use of free and open source software for non-governmental organizations; also producers of NGO-in-a-Box.
Gebhart, Genevieve; Kohno, Tadayoshi (26 April 2017). "Internet Censorship in Thailand: User Practices and Potential Threats". 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE. pp. 417–432. doi:10.1109/eurosp.2017.50. ISBN 9781509057627. S2CID 11637736.
Shahbar, K.; Zincir-Heywood, A. N. (9 November 2015). "Traffic flow analysis of tor pluggable transports". 2015 11th International Conference on Network and Service Management (CNSM). pp. 178–181. doi:10.1109/CNSM.2015.7367356. ISBN 978-3-9018-8277-7. S2CID 1199826.
Deibert, Ronald, ed. (2012). Access contested : security, identity, and resistance in Asian cyberspace information revolution and global politics. Cambridge, MA: MIT Press. p. 85. ISBN 9780262298919. OCLC 773034864.
"Flash proxies", Applied Crypto Group in the Computer Science Department at Stanford University, accessed 21 March 2013. Archived 10 March 2013 at the Wayback Machine.
"About D.I.T." Dynamic Internet Technology. Archived from the original on 26 September 2011. Retrieved 16 September 2011.
"Revocable Anonymity", archived 25 September 2011 at the Wayback Machine, Stefan Köpsell, Rolf Wendolsky, Hannes Federrath, in Proc. Emerging Trends in Information and Communication Security: International Conference, Günter Müller (Ed.), ETRICS 2006, Freiburg, Germany, 6–9 June 2006, LNCS 3995, Springer-Verlag, Heidelberg 2006, pp. 206–220.
Censorship Wikia, an anti-censorship site that catalogs past and present censored works, using verifiable sources, with a forum to discuss organizing against and circumventing censorship
"Circumvention Tool Usage Report: 2010", Hal Roberts, Ethan Zuckerman, Jillian York, Robert Faris, and John Palfrey, Berkman Centre for Internet & Society, 14 October 2010