Feeds

China's anti-censor software pimps user data

Dissident data for sale

Beginner's guide to SSL certificates

Harvard researchers have accused the developers of tools for dodging the Great Firewall of China of selling data harvested by the software, potentially giving the authorities in Beijing an easy way to identify dissidents.

As well as selling aggregate usage data, software developers were also offering to sell detailed surfing histories of individual surfers for a fee, something that poses an even greater privacy risk, according to an analysis by Hal Roberts from The Berkman Center for Internet Society at Harvard University.

However, the developers of the circumvention tools deny this and say that a poorly-worded FAQ, which has since been amended, has been misinterpreted. Representatives of the firms explain that all their services simply offer a means for webmasters to get a detailed breakdown on surfers visiting the site using anonymity tools. Contentious passages in the FAQ have been rewritten since the controversy blew up last week.

Harvard's Roberts looked at three Great Firewall of China circumvention tools - DynaWeb FreeGate, GPass, and FirePhoenix - which together account for the majority of the market, with a combined user base running into millions.

Users of these packages have gone out of their way to obtain a way to get around the Chinese government internet controls. Time and again Chinese authorities have demonstrated their willingness to chase down, prosecute and imprison cyberdissidents. Even to collect surfing histories on those using censorship circumvention tools is misguided; to offer individually-identifiable clickstream data for sale to anyone prepared to pay who is able to pass a "screening test" (as implied by the original FAQ) is far worse.

But the developers of DynaWeb FreeGate, GPass, and FirePhoenix (all partners in the Global Internet Freedom Consortium (GIFC)) appeared to be offering just that from a beta site called edoors.com, maintained by an firm called World's Gate, Inc, as an early version of a FAQ on the site explained. GPass and FirePhoenix are maintained by World’s Gate, while DynaWeb FreeGate is published by an affiliated organisation.

Q: I am interested in more detailed and in-depth visit data. Are they available?

A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.

The origins of this data are openly explained:

Q: Where did you get the raw data for the analysis?

A: The raw data came from the server log of GIFC member companies. Right now, data from three of the five tools of GIFC (DynaWeb, GPass, and FirePhoenix) are included for analysis.

Even if we take the promises of screening tests at face value, the slightest risk that the Chinese authorities could get information on who's been trying to bypass its controls to reach websites associated with dissident movements in Tibet, for example, makes for a frightening thought. Simply using the tools might be considered an offense in an authoritarian country like China and the authorities would surely be interesting in knowing who is using tools to bypass the Great Firewall.

None of the circumvention tools vendors is open about its business practices, according to Roberts.

"These projects are not only storing the data. They are actively offering to sell it," he writes. "None of the projects has anything like a privacy policy that I can find, and none of them provides any notice anywhere on the site or during the installation process that the project will be tracking and selling user browsing activity. But all of the sites have deceptive language."

We emailed the administrators of edoors.com and the firms involved with a list of questions, stemming from Roberts' analysis. Bill Xia, a representative of Dynamic Internet Technology (DIT), the developer of DynaWeb FreeGate, apologised for concerns that the edoors FAQ has created, and said on Monday that it would shortly be publishing a new users' agreement.

DIT will release an End User License Agreement soon. DIT cut off service to non-China IPs since 1/1/2009. DIT will release fee based software to non-China user and will need an EULA anyway. Those will happen in this week. I will keep you updated on those.

DIT feels sorry about the concerns this has caused. We will allocate more resources to address those concerns.

In a response to Roberts' initial analysis, GIFC claimed that their offer has been misunderstood. It is offering visitor breakdowns for web masters, not surfing histories on what would normally be understood to be its users.

Peter Li of the Global Internet Freedom Consortium explains:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The edoors FAQ has now been rewritten, but the implications of the original wording - in particular the claim that "data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test" - has sparked a lively debate.

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.