On Friday Hal Roberts at the Berkman Center for Internet and Society wrote a blog post that has a lot of people rightly worried: Popular Chinese Filtering Circumvention Tools DynaWeb FreeGate, GPass, and FirePhoenix Sell User Data.
Hal has spent quite a lot of time analyzing various circumvention tools: software or systems created to help people get around Internet filtering, or blocking as it's more colloquially known. He has spent some time looking at this Edoors service, which aggregates the web-browsing data of people who use DynaWeb FreeGate, GPass, and FirePhoenix. These tools are all part of the Global Internet Freedom Consortium (GIFC). What many Chinese users of these tools don't seem to know is that the GIFC is an organization founded by Falun Gong practitioners. It is also no secret, but not well known for some reason, that members of the GIFC receive U.S. government funding. According to this 2005 report, "Since 2003, the IBB [International Broadcasting Bureau] has primarily funded Dynamic Internet Technology (DynaWeb) and UltraReach, which have each developed software to enable Chinese Internet users to access VOA and RFA websites." Human Rights in China and the FLG-affiliated Epoch Times are also clients of DynaWeb.
So the web-surfing activity of people using FLG-developed and operated tools promoted by the VOA, RFA, and HRIC is among the data being aggregated by Edoors. Hal noticed the following language in the service's FAQ:
Q: I am interested in more detailed and in-depth visit data. Are they available?
A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.
Read Hal's blog post for his full reaction explaining how dangerous it is to users if these services are indeed selling "data that can be used to identify a specific user," even if only to people they like...
In response, Peter Li of the Global Internet Freedom Consortium posted this comment on Hal's blog:
We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.
The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.
The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.
The GIFC partner who runs the ranking service, the World Gates’ Inc, has been notified, and that FAQ entry has been removed. Thank you for discovering the problem.
Global Information Freedom Consortium
As of this writing, the FAQ entry is still there, but perhaps it will be removed soon?
I got in touch with Bill Xia of Dynamic Internet Technology (DIT), which runs DynaWeb and Freegate. VOA, RFA, and Human Rights in China are DIT clients in addition to the FLG-affiliated newspaper Epoch Times. He said that regardless of what that Edoors FAQ says, DIT never gives out "personal-identifying user data."
I also e-mailed with Peter Li and asked him, given that some GIFC members get U.S. government funding, whether special access to user data has been given to the U.S. government. His response:
Yes, in some cases FBI asked us to provide logs for certain websites or destination IPs in some particular time periods, for example, they would request something like the original IPs who visited xyz.com at Jan 12, 2007, 12:20-30 EST, and the visited web pages. We provided such information as we feel we are obligated to work with law enforcement agencies in the free world.
So if you're using Freegate, etc. from China, your data could be shared with the FBI on request. Same as if you're using any U.S. information service provider.
Now that GIFC has denied selling user-identifying data, despite an FAQ that states that they do sell it, the problem is that users are left with no way to ascertain the absolute facts about usage of their data independently. They have to take GIFC's word for it. Or decide not to. Ethan Zuckerman reacted briefly to Hal's initial post on his blog, pointing out that this whole situation is a "powerful reminder of how much sensitive data circumvention sites end up holding about their users." Hal makes an important point that when using most circumvention tools - be it Freegate, or the Witopia VPN or any other tool that sends your data through a fairly centralized service - you are not safe from all snooping. You're just making a decision about who to trust more than whom, based on what your needs and concerns are:
This sort of thing demonstrates that there is no way to eliminate points of control from a network. You can only move them around so that you trust different people. In this case, Chinese users are replacing some of the trust in their local Chinese ISPs with trust in the circumvention projects through which they are proxying their traffic. But those tools are acting as virtual ISPs themselves and so have all the potential for control (and abuse) that the local ISPs have. They can snoop on user activity; they can filter and otherwise tamper with connections; they can block P2P traffic.
There are a few tools, however, which are designed in such a way that data linking an individual user's point of origin (IP address) with their destination website is un-collectible. Tor (albeit slower in China than a VPN or Freegate) is one of them. Perhaps not coincidentally, they pointed this out on their blog on Monday:
Our architecture and design don't force the user to assume trust in us. One doesn't have to trust us. Our code is accessible and licensed under an open license. Our specifications are clearly detailed and published. Our packages follow a defined build process so the user can create the same binaries we do. Independent researchers can and do test the properties Tor provides [and help us to improve]. Moreover, The Tor software runs on a distributed network, where a single operator cannot capture or be forced to capture all users' traffic information, even under legal or coercive threat.
All of these should allow the user to trust The Tor Project as a non-for-profit company and to trust that Tor isn't surreptitiously watching the very information you're trying to protect and isn't gathering information we could be forced to disclose.
(Full disclosure: I used to be on Tor's board of directors.) It's very important to note, though, that while Tor will help you circumvent censorship, disguise your location from the websites you visit and disguise your destination from your ISP, it should not be used as a privacy solution: the exit nodes aren't secure and malicious people can capture unencrypted data going across them. The Tor people are very open about this and the reasons for it. They warn users to use end-to-end encryption for e-mail or any other sensitive communications, on top of Tor which helps to circumvent and anonymize (hide where you're coming from and where you're going).
The moral of this long story is important: when using circumvention tools, make sure you understand enough about how they work, what they're meant to be used for, and who runs them, so that you're not taking a leap of faith with people you would rather not trust.
The decision about who to trust is a personal one: I am more inclined to trust a VPN operating in the U.S. which is subject to FBI requests than a Beijing Telecom connection subject to Beijing public security bureau requests, but that's just me. Other people might feel very differently and make different choices. Some people may feel very comfortable trusting the Falun Gong... others, well, might not... It appears that the VOA, RFA, and HRIC have decided to trust them and to recommend these services to their users. Whether this concerns you or not depends on your opinion of the FLG... which is a debate beyond the scope of this post...