Who Lost China's Internet?
From the February 25, 2002 issue: Without U.S. assistance, it will remain a tool of the Beijing government, not a force for democracy.
11:00 PM, Feb 14, 2002 • By ETHAN GUTMANN
Michael was hired in 1996 by the Chinese government and Global One (a Sprint-France Telecom-Deutsche Telekom joint venture) to build the first network in China providing public access to the Internet. One day sticks in his mind. The Chinese engineers working with him suddenly convened a special meeting, demanding to know if it would be possible to do keyword searching inside e-mails and web addresses on the Chinese Internet. Not really, Michael replied; all information that travels the Net is broken up into little packets. It's hard to "sniff" packets of information, particularly coded packets. You would need to intercept packets as they travel, and then there's the problem of collating the information they contain, actually making sense of it. Yes, yes, they said, but can you do it? On the third go-round, it dawned on Michael that his fellow computer geeks wanted to end the meeting, too. But at a higher level, someone required assurance. Before Internet construction proceeded further, they would need to monitor what Chinese users did with it. For the engineers, this was just cover-your-ass stuff. As long as the foreigner assured them that down the road the Chinese would be able to build an Internet firewall against the world and conduct surveillance on its own citizens, the engineers could continue working with him. Yes, yes, it can be done, Michael told them, and they went back to work.
Americans make dreams, and every generation carries new ones to China. Since 1979 that dream has been the fall of the Chinese Communist party and the rise of the world's largest market, an event that U.S. businessmen and China hands keep predicting is on the horizon or even imminent. Yet Michael was not naive. He understood the self-serving nature of much of the democracy-is-just-around-the-corner rhetoric. Working inside, he sensed the Chinese leadership's true motives in building an Internet. One of his friends, Peter Lovelock, author of the "Made For China Internet Update," puts it this way: "These are Marxists. Control the means of communication; embrace the means of communication. Fill it with Chinese voices. If they can block the outside, and block relationships between Chinese forces, no one will listen."
But for Michael, any reservations over complicity with Chinese government objectives were outweighed by a bedrock faith in the Internet's ingenious architecture. A system created to relay U.S. command messages over a damaged network after sustaining a Soviet nuclear strike could surely find a way to get messages through, securely, amid the white noise of millions of Chinese users. Resistance would be futile--even the Chinese Borg could not stop it. With the genie of free speech out of the bottle, it would just be a matter of time before those predictions of democracy in China come true.
That vision has now been called into question, not by a failure of the Internet's architecture, but in several cases, by a failure of American corporate values. Let's start where Michael left off, with the expansion of the Chinese Internet. I treated a top Chinese engineer (who wishes to remain anonymous) to a 30-course imperial meal in Beijing. As hoped, the shark's fin soup loosened his tongue--on the subject of Cisco Systems. In the United States, Cisco is known (among other things) for building corporate firewalls to block viruses and hackers. In China, the government had a unique problem: how to keep a billion people from accessing politically sensitive websites, now and forever.
The way to do it would be this: If a Chinese user tried to view a website outside China with political content, such as CNN.com, the address would be recognized by a filter program that screens out forbidden sites. The request would then be thrown away, with the user receiving a banal message: "Operation timed out." Great, but China's leaders had a problem: The financial excitement of a wired China quickly led to a proliferation of eight major Internet service providers (ISPs) and four pipelines to the outside world. To force compliance with government objectives--to ensure that all pipes lead back to Rome--they needed the networking superpower, Cisco, to standardize the Chinese Internet and equip it with firewalls on a national scale. According to the Chinese engineer, Cisco came through, developing a router device, integrator, and firewall box specially designed for the government's telecom monopoly. At approximately $20,000 a box, China Telecom "bought many thousands" and IBM arranged for the "high-end" financing. Michael confirms: "Cisco made a killing. They are everywhere."
Cisco does not deny its success in China. Nor does it deny that it may have altered its products to suit the special needs of the Chinese "market"--a localization scheme the company avoided elsewhere in the world--but it categorically rejects any responsibility for how the government uses its firewall boxes. David Zhou, a systems engineer manager at Cisco, Beijing, told me flat out, "We don't care about the [Chinese government's] rules. It's none of Cisco's business." I replied that he has a point: It's not the gun but the way it's used, and how can a company that builds firewalls be expected to, well, not build firewalls? Zhou relaxed, then confidently added that the capabilities of Cisco's routers can be used to intercept information and to conduct keyword searches: "We have the capability to look deeply into the packet." He admitted that Cisco is under the direct scrutiny of State Security, the Public Security Bureau, and the People's Liberation Army (PLA).
Does Cisco allow the PLA to look into packets? Zhou didn't know or wouldn't say. But consider, for example, the arrest of veteran activist Chi Shouzhu last April. He was picked up in a crowded train station minutes after printing out online materials promoting Chinese democracy. Incidents such as this have mushroomed in China, suggesting that Cisco may not be the only one capable of looking deeply into the packets. In fact, Cisco's ability to thrive in China may well depend on cooperation with the Public Security Bureau and the PLA.
Cisco's firewall has proven to be far from foolproof. New sites on forbidden topics crop up daily, and with the proliferation of ISPs who just want more subscribers surfing, the lag time between updating the government's list of banned sites and implementation can be erratic. So Chinese security organs also needed to control the search engines through which new sites can be found.
Enter Yahoo! The business press has painted a picture of a thriving, home-grown Chinese market for portals and search engines--mirroring such companies as AOL, Google, and Excite--with names like Sohu, Netease, and Sina fighting for the top spots. Chinese Yahoo!, the American outrider, trails in fifth place. A top Yahoo! representative spoke to me on the condition that I would not use his name or give identifying details other than that he had recently left the company. He admitted that Yahoo! is actually the most popular portal in China by a mile. Management had fudged the hit rate, because "we were viewed as extremely aggressive. We were seen as too foreign."
Chinese xenophobia has led many other U.S. companies to play similar games, but Yahoo! was particularly eager to please. All Chinese chat rooms or discussion groups have a "big mama," a supervisor for a team of censors who wipe out politically incorrect comments in real time. Yahoo! handles things differently. If in the midst of a discussion you type, "We should have nationwide multiparty elections in China!!" no one else will react to your comment. How could they? It appears on your screen, but only you and Yahoo!'s big mama actually see your thought crime. After intercepting it and preventing its transmission, Mother Yahoo! then solicitously generates a friendly e-mail suggesting that you cool your rhetoric--censorship, but with a New Age nod to self-esteem.
The former Yahoo! rep also admitted that the search phrase "Taiwan independence" on Chinese Yahoo! would yield no results, because Yahoo! has disabled searches for select keywords, such as "Falun Gong" and "China democracy." Search for VIP Reference, a major overseas Chinese dissident site, and you will get a single hit, a government site ripping it to shreds. How did Yahoo! come up with these policies? He replied, "It was a precautionary measure. The State Information Bureau was in charge of watching and making sure that we complied. The game is to make sure that they don't complain." By this logic, when Yahoo! rejected an attempt by Voice of America to buy ad space, they were just helping the Internet function smoothly. The former rep defended such censorship: "We are not a content creator, just a medium, a selective medium." But it is a critical medium. The Chinese government uses it to wage political campaigns against Taiwan, Tibet, and America. And of course the great promise of the Internet in China was supposed to be that it was unfettered, not selective. The Yahoo! rep again: "You adjust. The crackdowns come in waves; it's just the issue du jour. It's normal."
But what is "normal" in China can be altered under duress. When Chinese authorities ordered Microsoft to surrender its software's underlying source codes--the keys to encryption--as the price of doing business there, Microsoft chose to fight, spearheading an unprecedented Beijing-based coalition of American, Japanese, and European Chambers of Commerce. Faced with being left behind technologically, the Chinese authorities dropped their demands. Theoretically, China's desire to be part of the Internet should have given the capitalists who wired it similar leverage. Instead, the leverage all seems to have remained with the government, as Western companies fell all over themselves bidding for its favor. AOL, Netscape Communications, and Sun Microsystems all helped disseminate government propaganda by backing the China Internet Corporation, an arm of the state-run Xinhua news agency.
Not to be outdone, Sparkice, a Canadian Internet colossus, splashily announced that it would serve up only state-sanctioned news on its website. Nortel provides software for voice and closed-circuit camera recognition--technology that the Public Security Bureau has already put to good use, according to the Chinese press. AOL is quietly weighing the pros and cons of informing on dissidents if the Public Security Bureau so requests; the right decision would clearly speed Chinese approval for AOL to offer Internet services and perhaps get a foothold in the Chinese television market. In fact, AOL signed a landmark deal with a Chinese station at the end of October. Smaller American companies and smaller nations smell the blood. Along with Chinese officials, they dominate Chinese Internet-security trade shows. China Telecom is considering purchasing software from iCognito, an Israeli company that invented a program called "artificial content recognition," which surfs along just ahead of you, learning as it censors in real time. It was built to filter "gambling, shopping, job search, pornography, stock quotes, or other non-business material," but the first question from the Chinese buyers is invariably: Can it stop Falun Gong?
In the wake of terrorist attacks on America, some of the byplay between Beijing and its entrepreneurial suitors has taken on new significance. According to James Mulvenon of Rand Corporation, Network Associates, a U.S. web security firm, gained entry to the Chinese market by helpfully donating 300 live computer viruses to the Public Security Bureau. The U.S. embassy has already monitored the picture.exe virus, which worms into a user's computer and then quietly sabotages the widely available encryption software Pretty Good Privacy by sending the personal encryption keys to China. Last August's notorious Code Red worm, which some thought originated in China, appears to have been little more than an amateur nuisance. But Chinese military reports on unconventional warfare explicitly advocate coordinated virus attacks to debilitate U.S. communication and financial systems during a crisis. America may expect a more sophisticated visit from the offspring of a Network Associates sample virus in the future.
Why has there been so little oversight of such corporate activity? As Michael Robinson puts it, for the first four years of the Net era, those with paranoid visions of China's government were never quite able to square their suspicions with the rapid expansion of the Chinese Internet. Although it was widely rumored in Beijing that up to 30,000 state security employees were monitoring the Internet in that city alone, the monitoring was also laughed at. Apparently the bureaucrats liked monitoring pornography so much that they had a massive backlog. State security was said to be lax, corrupt, full of holes. Chinese whiz kids could still surf through the firewall and beyond. Associations could flourish among the patrons of the cybercaf s, using anonymous monikers. Many saw the Internet as a populist river leading to the ocean of the global community. Then, the Chinese government abruptly built a cyber-version of the Three Gorges Dam.
In October 2000, the State Council ordered Internet Service Providers to hold all Chinese user data--phone numbers, time, and surfing history--for at least 60 days. In November, commercial news sites were banned. In December, the National People's Congress decreed all unauthorized online political activity illegal. January 2001 saw the criminalization of Internet transfer of "state secret information," such as reports of human rights violations. February brought "Internet Police 110," software blocking "cults, sex, and violence" while monitoring users' attempts to access such sites. By March, the surveillance started to work; hundreds of e-mails on the controversy surrounding a schoolhouse bombing in Jiangxi disappeared. Around the same time, Chinese authorities announced near completion of a "black box" to collect all information flowing across the Internet. In April, arrests of democracy activists using the web and a nationwide crackdown on cybercaf s reached critical mass. Surviving caf s had to install internal monitoring software. E-mail to Tibet now took three days to get through, if at all, and Falun Gong e-mail was completely eradicated. By October 2001, when President George W. Bush flew to Shanghai for the Asia-Pacific Economic Cooperation Summit, he was entering an Internet police state. To deflect criticism, but perhaps also as a demonstration of power, blocks on U.S. news websites were magically lifted by Chinese authorities. The minute Bush went airborne, the blocks were back in place. During Bush's current visit to China, any attempt to discuss loosening Chinese Internet controls is likely to be brushed aside using the rhetoric of our own struggle against terrorism (what, you're against surveillance?). But if the Chinese take this tack, they are of course being dishonest about their own motives.
There were urgent reasons for the Chinese Internet crackdown; fighting terrorism wasn't one of them. Instead, look to the slow-motion crisis of a leadership transition, the release of the Tiananmen papers, the emergence of a cyber-Falun Gong, and a stirring--you could feel it on the street--for greater freedom of expression, if not genuine democracy. Then again, there may be a more elaborate game afoot. Chairman Mao knew the utility of briefly loosening controls to create a dragnet. In effect, the current Chinese leadership promoted a "hundred flowers" period of relative Internet freedom--again, not to capture terrorists, but to expose anyone who disagreed with the legitimacy of their rule and to attract massive Western investment. American technologies of surveillance, encryption, firewalls, and viruses have now been transferred to Chinese partners--and might even one day be turned against our own ludicrously open Internet. We funded, built, and pushed into China what we thought was a Trojan Horse, but we forgot to build the hatch.
Consider a Chinese user in search of an unblocked news site (weeklystandard.com, for example). He won't expect to get through, and if he does, it will be cause for alarm, for the site may be a tripwire--not for spam, but for state security. Everything he does on the web might conceivably be used against him. Pornography? Potentially, a two-year sentence. Political? Possible permanent loss of career, family, and freedom. E-mail may be the most risky: Two years ago, working from my office in a Chinese TV studio, I received an e-mail from a U.S. friend (in a browser-based Hotmail account, no less, which in theory should be difficult to monitor) with the words "China," "unrest," "labor," and "Xinjiang" in queer half-tone brackets, as if the words had been picked out by a filter. I now realize that it was a warning; any savvy Chinese user would have sensed it instantly.
Before the crackdown one could escape and surf anonymously in a cybercaf or use a proxy server--another computer that acts as an intermediary between surfers and websites, helping to hide their web footprints and evade the filters. Not surprisingly, the most common search words in China were not "Britney" and "hooters," but "free" and "proxy." Fully 10 percent of Chinese users--about two million people--used proxies regularly in an attempt to circumvent government controls. In what Michael calls "the first sign of cleverness" by the government, a proxy pollution campaign began last spring when the Chinese authorities either developed or imported a system that sniffs the networks for signs of proxies. A user, frantically typing in proxy addresses until he finds one that isn't blocked, effectively provides the government with a tidy blacklist. After a few of these tedious sessions, many of my Chinese friends simply gave up climbing over the firewall. For a small fee, expat users could turn to a web-based proxy browser, such as Anonymizer. But credit cards are effectively blocked for Chinese citizens. Just for good measure, Anonymizer was finally blocked as well.
IS CHINA'S Internet beyond redemption? Is it destined to be a tool of surveillance and repression, managed by the Chinese government and serviced by cynical Western partners? Maybe not. The Great Firewall might be vulnerable to a few physicists at the University of Oregon. I spent a day watching Stephen Hsu diagram the Chinese web and its weaknesses. Hsu and his company, SafeWeb, have developed a proxy server system called Triangle Boy. The triangle refers to the Chinese user, to a fleet of servers outside of the firewall, and to a mothership which the servers report to, but the Chinese government cannot find. Already tens of thousands of Chinese users have connected with it; five of the top twenty Triangle Boy search sites are in the Chinese language. Every day, the Chinese user receives an e-mail listing new addresses of Triangle Boy servers, which allow the user to visit websites that they would otherwise be unable to reach. Because the addresses of the servers change constantly, the system is practically unbeatable. Any attack, especially on the mothership, requires enormous resources.
But as surely as Triangle Boy works to liberate the surfing Chinese masses, you can bet State Security is looking for a way to pounce on this latest proxy rebellion. The simplest one will be to enlist American companies, still eager to curry favor in Beijing, and get them to develop software allowing the Public Security Bureau to sniff out and block proxies as quickly as they are created.
The only practical solution to this puzzle is for the Bush administration to make Internet freedom in China a high priority. At the moment it is a laughably small priority. The Voice of America, whose website has been a high-profile target of Chinese blocking, last summer began funding Triangle Boy to the tune of $10,000 per month. VOA officials undertook that small effort in frustration; they attempt to send daily news via e-mail to some 800,000 addresses in China, with no guarantee that they are getting through. Hsu estimates that supplying one million Chinese users with Triangle Boy (approximately 600 million page views a month) would require just $1 million annually. Budgeted at $300 million a year, VOA has the means and is wisely looking at several other solutions as well. But for VOA to justify an anti-blocking effort on a scale that will make a difference, it will need to be seen as carrying out an important plank of American foreign policy, not just acting on the margins as it is now.
And why not make this a higher profile U.S. policy? Cracking the Chinese firewall is at least as technically interesting as strategic defense. Triangle Boy is still theoretically vulnerable to spoof sites, authorization problems, or a Code Red-style worm attacking the servers. That implies a need for a highly technical layering operation, involving an endless and ever-changing supply of low-key web-based proxies, mirror sites, and encrypted e-mail and instant messenger services in Mandarin, Cantonese, and English, in sufficient volume to overwhelm the Chinese firewall.
Creative engineers, unleashed to solve the problem of bringing Internet freedom to China, might take any number of approaches. They might go through Hong Kong, where illicit cables are said to run to Guangzhou. They might cut some deals with a "loose" Chinese ISP, such as Jitong. They might use messages formatted as images to defeat software that sniffs out characters. They might exploit the fact that Chinese Internet addresses were originally configured in peculiar blocks. Or the fact that the government's proxy-hunters come from only a few locations. A shrewd native engineer could probably root out and defeat 99 percent of these government agents.
None of these measures will be cheap. Nor can we expect the U.S. government to fully manage such a multi-pronged private-and-public defense of Internet freedom. Even if they back the overall concept, administration officials will inevitably want deniability about certain parts of such an operation. This means the project will need to attract the support of foundations, human rights groups, religious organizations--any group that cares about a free China.
But it will be worth it. Given the willingness of capitalists to work hand in hand with the Chinese regime, the Internet may be the only force left that is potentially anti-hierarchical. Think of it as a way to levy a web-based democracy tax on the Chinese government. Think of it also as a way around the university students and the intelligentsia, who are overrated as agents for democratic change in China.
As the father of the Chinese Internet Michael Robinson notes, "In the Chinese Internet's infancy, the first three sites that the government blocked were two anti-government sites--and one Maoist site. What threatens them? . . . The heartland." Ultimately, it won't be the intellectuals who are key to bringing democracy to China. Irate overtaxed peasants with Internet-enabled cell phones ten years from now are the real target market. And those whose dream is democracy in China are operating with diminishing points of entry. The American business presence in China is deeply, perhaps fatally, compromised as an agent for liberalizing change. The Internet remains the strongest force for democracy available to the Chinese people. But it remains a mere potentiality, yet another American dream, unless we first grapple with the question: Who lost China's Internet? Well, we did. But we can still repair the damage. We can, in Michael's words, "lay down the communication network for revolution." If we don't, his progeny may not forgive us.
Ethan Gutmann, a visiting fellow at the Project for the New American Century, is completing a book, "Beijing Boot Camp."
Correction Appended, 2/19/02: In the original version of this article, Network Associates was mistakenly identified as Network-1 Security Solutions.