Feeds

China's anti-censor software pimps user data

Dissident data for sale

Internet Security Threat Report 2014

Harvard researchers have accused the developers of tools for dodging the Great Firewall of China of selling data harvested by the software, potentially giving the authorities in Beijing an easy way to identify dissidents.

As well as selling aggregate usage data, software developers were also offering to sell detailed surfing histories of individual surfers for a fee, something that poses an even greater privacy risk, according to an analysis by Hal Roberts from The Berkman Center for Internet Society at Harvard University.

However, the developers of the circumvention tools deny this and say that a poorly-worded FAQ, which has since been amended, has been misinterpreted. Representatives of the firms explain that all their services simply offer a means for webmasters to get a detailed breakdown on surfers visiting the site using anonymity tools. Contentious passages in the FAQ have been rewritten since the controversy blew up last week.

Harvard's Roberts looked at three Great Firewall of China circumvention tools - DynaWeb FreeGate, GPass, and FirePhoenix - which together account for the majority of the market, with a combined user base running into millions.

Users of these packages have gone out of their way to obtain a way to get around the Chinese government internet controls. Time and again Chinese authorities have demonstrated their willingness to chase down, prosecute and imprison cyberdissidents. Even to collect surfing histories on those using censorship circumvention tools is misguided; to offer individually-identifiable clickstream data for sale to anyone prepared to pay who is able to pass a "screening test" (as implied by the original FAQ) is far worse.

But the developers of DynaWeb FreeGate, GPass, and FirePhoenix (all partners in the Global Internet Freedom Consortium (GIFC)) appeared to be offering just that from a beta site called edoors.com, maintained by an firm called World's Gate, Inc, as an early version of a FAQ on the site explained. GPass and FirePhoenix are maintained by World’s Gate, while DynaWeb FreeGate is published by an affiliated organisation.

Q: I am interested in more detailed and in-depth visit data. Are they available?

A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.

The origins of this data are openly explained:

Q: Where did you get the raw data for the analysis?

A: The raw data came from the server log of GIFC member companies. Right now, data from three of the five tools of GIFC (DynaWeb, GPass, and FirePhoenix) are included for analysis.

Even if we take the promises of screening tests at face value, the slightest risk that the Chinese authorities could get information on who's been trying to bypass its controls to reach websites associated with dissident movements in Tibet, for example, makes for a frightening thought. Simply using the tools might be considered an offense in an authoritarian country like China and the authorities would surely be interesting in knowing who is using tools to bypass the Great Firewall.

None of the circumvention tools vendors is open about its business practices, according to Roberts.

"These projects are not only storing the data. They are actively offering to sell it," he writes. "None of the projects has anything like a privacy policy that I can find, and none of them provides any notice anywhere on the site or during the installation process that the project will be tracking and selling user browsing activity. But all of the sites have deceptive language."

We emailed the administrators of edoors.com and the firms involved with a list of questions, stemming from Roberts' analysis. Bill Xia, a representative of Dynamic Internet Technology (DIT), the developer of DynaWeb FreeGate, apologised for concerns that the edoors FAQ has created, and said on Monday that it would shortly be publishing a new users' agreement.

DIT will release an End User License Agreement soon. DIT cut off service to non-China IPs since 1/1/2009. DIT will release fee based software to non-China user and will need an EULA anyway. Those will happen in this week. I will keep you updated on those.

DIT feels sorry about the concerns this has caused. We will allocate more resources to address those concerns.

In a response to Roberts' initial analysis, GIFC claimed that their offer has been misunderstood. It is offering visitor breakdowns for web masters, not surfing histories on what would normally be understood to be its users.

Peter Li of the Global Internet Freedom Consortium explains:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The edoors FAQ has now been rewritten, but the implications of the original wording - in particular the claim that "data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test" - has sparked a lively debate.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.