The basic idea of circumventing Internet censorship is to route the requests over a third server which is not blocked and is connected to the Internet through a non filtered connection. This chapter explains some of the tools which make it possible to use such a server in order to defeat Internet blocking, filtering, and monitoring. The choice of which tool might best accomplish your objectives should be based on an initial assessment on the type of content you want to access, your available resources, and the risks of doing so.
Tools to defeat Internet blocking, filtering and monitoring are designed to deal with different obstacles and threats. They may facilitate:
- Circumventing censorship: enabling you to read or author content, send or receive information, or communicate with particular people, sites or services by bypassing attempts to prevent you from doing so. Similar to the operation of the Google cache or an RSS aggregator which can be used to access a blocked Web site indirectly.
- Preventing eavesdropping: keeping communications private, so that nobody can see or hear the content of what you're communicating (even if they might still be able to see with whom you're communicating). Tools that try to circumvent censorship without also preventing eavesdropping may remain vulnerable to censorship by keyword filters that block all communications containing certain prohibited words. For example, various forms of encryption, such as HTTPS or SSH, make the information unreadable to anyone other than the sender and receiver. An eavesdropper will see which user is connecting to which Web server, but from the content he can only see a string of characters that looks like nonsense.
- Remaining anonymous: the ability to communicate so that no one can connect you to the information or people you are connecting with – neither the operator of your Internet connection nor the sites or people with whom you're communicating. Many proxy servers and proxy tools don't offer perfect, or any, anonymity: the proxy operator is able to observe the traffic going into and out of the proxy and easily determine who is sending it, when they're sending it, and how often they're sending it; a malicious observer on either side of the connection is able to gather the same information. Tools like Tor are designed to make it difficult for attackers to gather this kind of information about users by limiting the amount of information any node in the network can have about the user's identity or location.
- Concealing what you are doing: disguising the communications you send so that someone spying on you will not be able to tell that you are trying to circumvent censorship. For example, steganography, the hiding of text messages within an ordinary image file, may conceal that you are using a circumvention tool at all. Using a network with many kinds of users means that an adversary can not tell what you are doing because of your choice of software. This is especially good when others are using the same system to get to uncontroversial content.
Some tools protect your communications in only one of these ways. For example, many proxies can circumvent censorship but don't prevent eavesdropping. It's important to understand that you may need a combination of tools to achieve your goal.
Each kind of protection is relevant to different people in different situations. When you choose tools that bypass Internet censorship, you should keep in mind what kind of protection you need and whether the particular set of tools you're using can provide that sort of protection. For example, what will happen if someone detects that you are attempting to circumvent a censorship system? Is accessing your main concern, or do you need to remain anonymous while doing so?
Sometimes, one tool can be used to defeat censorship and protect anonymity, but the steps for each are different. For instance, Tor software is commonly used for both purposes, but Tor users who are most concerned with one or the other will use Tor differently. For anonymity reasons, it is important that you use the Web browser bundled with Tor, since it has been modified to prevent leaking of your real identity.
An important warning
Most circumvention tools can be detected with sufficient effort by network operators or government agencies, since the traffic they generate may show distinctive patterns. This is certainly true for circumvention methods that don't use encryption, but it can also be true for methods that do. It's very difficult to keep secret the fact that you're using technology to circumvent filtering, especially if you use a fairly popular technique or continue using the same service or method for a long period of time. Also, there are ways to discover your behavior that do not rely on technology: in-person observation, surveillance, or many other forms of traditional human information-gathering.
We cannot provide specific advice on threat analysis or the choice of tools to meet the threats. The risks are different in each situation and country, and change frequently. You should always expect that those attempting to restrict communications or activities will continue to improve their methods.
If you are doing something that may put you at risk in the location where you are, you should make your own judgments about your security and (if possible) consult experts.
- Most often, you will have to rely on a service provided by a stranger. Be aware that they may have access to information about where you are coming from, the sites you are visiting and even the passwords you enter on unencrypted Web sites. Even if you know and trust the person running a single-hop proxy or VPN, they may be hacked or forced to compromise your information.
- Remember that the promises of anonymity and security made by different systems may not be accurate. Look for independent confirmation. Open source tools can be evaluated by tech-savvy friends. Security flaws in open source tools can be discovered and fixed by volunteers. It is difficult to do the same with proprietary software.
- Achieving anonymity or security may require you to be disciplined and carefully obey certain security procedures and practices. Ignoring security procedures may dramatically reduce the security protections you receive. It is dangerous to think that it is possible to have a "one click solution" for anonymity or security. For instance, routing your traffic through a proxy or through Tor is not enough. Be sure to use encryption, keep your computer safe and avoid leaking your identity in the content you post.
- Be aware that people (or governments) may set up honeypots – fake Web sites and proxies that pretend to offer secure communication or censorship circumvention but actually capture the communications from unwitting users.
- Sometimes even "Policeware" may be installed on users' computers – either remotely or directly – that acts like malware, monitoring all activities on the computer even when it is not connected to the Internet and undermining most other preventive security measures.
- Pay attention to non-technical threats. What happens if someone steals your computer or mobile phone or that of your best friend? What if an Internet café staff member looks over your shoulder or points a camera to your screen or keyboard? What happens if someone sits down at a computer in a café somewhere where your friend has forgotten to log out and sends you a message pretending to be from her? What if someone in your social network is arrested and forced to give up passwords?
- If there are laws or regulations that restrict or prohibit the materials you are accessing or the activities you are undertaking, be aware of the possible consequences.
To learn more about digital security and privacy, read: