Feeds

China's anti-censor software pimps user data

Dissident data for sale

Securing Web Applications Made Simple and Scalable

Harvard researchers have accused the developers of tools for dodging the Great Firewall of China of selling data harvested by the software, potentially giving the authorities in Beijing an easy way to identify dissidents.

As well as selling aggregate usage data, software developers were also offering to sell detailed surfing histories of individual surfers for a fee, something that poses an even greater privacy risk, according to an analysis by Hal Roberts from The Berkman Center for Internet Society at Harvard University.

However, the developers of the circumvention tools deny this and say that a poorly-worded FAQ, which has since been amended, has been misinterpreted. Representatives of the firms explain that all their services simply offer a means for webmasters to get a detailed breakdown on surfers visiting the site using anonymity tools. Contentious passages in the FAQ have been rewritten since the controversy blew up last week.

Harvard's Roberts looked at three Great Firewall of China circumvention tools - DynaWeb FreeGate, GPass, and FirePhoenix - which together account for the majority of the market, with a combined user base running into millions.

Users of these packages have gone out of their way to obtain a way to get around the Chinese government internet controls. Time and again Chinese authorities have demonstrated their willingness to chase down, prosecute and imprison cyberdissidents. Even to collect surfing histories on those using censorship circumvention tools is misguided; to offer individually-identifiable clickstream data for sale to anyone prepared to pay who is able to pass a "screening test" (as implied by the original FAQ) is far worse.

But the developers of DynaWeb FreeGate, GPass, and FirePhoenix (all partners in the Global Internet Freedom Consortium (GIFC)) appeared to be offering just that from a beta site called edoors.com, maintained by an firm called World's Gate, Inc, as an early version of a FAQ on the site explained. GPass and FirePhoenix are maintained by World’s Gate, while DynaWeb FreeGate is published by an affiliated organisation.

Q: I am interested in more detailed and in-depth visit data. Are they available?

A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.

The origins of this data are openly explained:

Q: Where did you get the raw data for the analysis?

A: The raw data came from the server log of GIFC member companies. Right now, data from three of the five tools of GIFC (DynaWeb, GPass, and FirePhoenix) are included for analysis.

Even if we take the promises of screening tests at face value, the slightest risk that the Chinese authorities could get information on who's been trying to bypass its controls to reach websites associated with dissident movements in Tibet, for example, makes for a frightening thought. Simply using the tools might be considered an offense in an authoritarian country like China and the authorities would surely be interesting in knowing who is using tools to bypass the Great Firewall.

None of the circumvention tools vendors is open about its business practices, according to Roberts.

"These projects are not only storing the data. They are actively offering to sell it," he writes. "None of the projects has anything like a privacy policy that I can find, and none of them provides any notice anywhere on the site or during the installation process that the project will be tracking and selling user browsing activity. But all of the sites have deceptive language."

We emailed the administrators of edoors.com and the firms involved with a list of questions, stemming from Roberts' analysis. Bill Xia, a representative of Dynamic Internet Technology (DIT), the developer of DynaWeb FreeGate, apologised for concerns that the edoors FAQ has created, and said on Monday that it would shortly be publishing a new users' agreement.

DIT will release an End User License Agreement soon. DIT cut off service to non-China IPs since 1/1/2009. DIT will release fee based software to non-China user and will need an EULA anyway. Those will happen in this week. I will keep you updated on those.

DIT feels sorry about the concerns this has caused. We will allocate more resources to address those concerns.

In a response to Roberts' initial analysis, GIFC claimed that their offer has been misunderstood. It is offering visitor breakdowns for web masters, not surfing histories on what would normally be understood to be its users.

Peter Li of the Global Internet Freedom Consortium explains:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The edoors FAQ has now been rewritten, but the implications of the original wording - in particular the claim that "data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test" - has sparked a lively debate.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.