Feeds

China's anti-censor software pimps user data

Dissident data for sale

Top 5 reasons to deploy VMware with Tegile

Harvard researchers have accused the developers of tools for dodging the Great Firewall of China of selling data harvested by the software, potentially giving the authorities in Beijing an easy way to identify dissidents.

As well as selling aggregate usage data, software developers were also offering to sell detailed surfing histories of individual surfers for a fee, something that poses an even greater privacy risk, according to an analysis by Hal Roberts from The Berkman Center for Internet Society at Harvard University.

However, the developers of the circumvention tools deny this and say that a poorly-worded FAQ, which has since been amended, has been misinterpreted. Representatives of the firms explain that all their services simply offer a means for webmasters to get a detailed breakdown on surfers visiting the site using anonymity tools. Contentious passages in the FAQ have been rewritten since the controversy blew up last week.

Harvard's Roberts looked at three Great Firewall of China circumvention tools - DynaWeb FreeGate, GPass, and FirePhoenix - which together account for the majority of the market, with a combined user base running into millions.

Users of these packages have gone out of their way to obtain a way to get around the Chinese government internet controls. Time and again Chinese authorities have demonstrated their willingness to chase down, prosecute and imprison cyberdissidents. Even to collect surfing histories on those using censorship circumvention tools is misguided; to offer individually-identifiable clickstream data for sale to anyone prepared to pay who is able to pass a "screening test" (as implied by the original FAQ) is far worse.

But the developers of DynaWeb FreeGate, GPass, and FirePhoenix (all partners in the Global Internet Freedom Consortium (GIFC)) appeared to be offering just that from a beta site called edoors.com, maintained by an firm called World's Gate, Inc, as an early version of a FAQ on the site explained. GPass and FirePhoenix are maintained by World’s Gate, while DynaWeb FreeGate is published by an affiliated organisation.

Q: I am interested in more detailed and in-depth visit data. Are they available?

A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.

The origins of this data are openly explained:

Q: Where did you get the raw data for the analysis?

A: The raw data came from the server log of GIFC member companies. Right now, data from three of the five tools of GIFC (DynaWeb, GPass, and FirePhoenix) are included for analysis.

Even if we take the promises of screening tests at face value, the slightest risk that the Chinese authorities could get information on who's been trying to bypass its controls to reach websites associated with dissident movements in Tibet, for example, makes for a frightening thought. Simply using the tools might be considered an offense in an authoritarian country like China and the authorities would surely be interesting in knowing who is using tools to bypass the Great Firewall.

None of the circumvention tools vendors is open about its business practices, according to Roberts.

"These projects are not only storing the data. They are actively offering to sell it," he writes. "None of the projects has anything like a privacy policy that I can find, and none of them provides any notice anywhere on the site or during the installation process that the project will be tracking and selling user browsing activity. But all of the sites have deceptive language."

We emailed the administrators of edoors.com and the firms involved with a list of questions, stemming from Roberts' analysis. Bill Xia, a representative of Dynamic Internet Technology (DIT), the developer of DynaWeb FreeGate, apologised for concerns that the edoors FAQ has created, and said on Monday that it would shortly be publishing a new users' agreement.

DIT will release an End User License Agreement soon. DIT cut off service to non-China IPs since 1/1/2009. DIT will release fee based software to non-China user and will need an EULA anyway. Those will happen in this week. I will keep you updated on those.

DIT feels sorry about the concerns this has caused. We will allocate more resources to address those concerns.

In a response to Roberts' initial analysis, GIFC claimed that their offer has been misunderstood. It is offering visitor breakdowns for web masters, not surfing histories on what would normally be understood to be its users.

Peter Li of the Global Internet Freedom Consortium explains:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The edoors FAQ has now been rewritten, but the implications of the original wording - in particular the claim that "data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test" - has sparked a lively debate.

Beginner's guide to SSL certificates

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.