The first workshop I attended was on circumvention – and it was a real roll-call of the various projects involved in providing for circumvention of filtering and blocking. We had Peacefire, Anonymizer, TOR, Psiphon, DynaWeb, Tactical Tech and more…

Note: this post needs links, but is otherwise mostly complete

Some highlights:

Peacefire – two tools. The first is a CGI proxy on a Windows machine (if you have a friend outside that you can run through). The second is emailing out new circumvention sites (this assumes infiltration, so each site only works for a while).

Dynaweb – Having problems in sustaining the network (finance needed).

Psiphon (personal proxy system, similar to other projects) – collapsed into one, installable application (for the uncensored application) and info forwarded to the colleague in the censored country. Upcoming – support for YouTube/GMail. Has to parse/rewrite for the user and this was difficult. Virtually you have to offer such service for every

Tor: anonymity network – 800 volunteer servers, around 100k to 200k users. Funded by US Naval Research Lab, EFF, VoA, etc. Plan: take volunteer users, give them a button, and sign them up as ‘bridge’ volunteers – users in China connect to a bridge, and through it to the rest of the Tor network – 10kb/s (nothing on broadband), simple passthrough. 30,000 volunteers. How do we let the good guys get access without letting the bad guys learn all the addresses? We should separate the two parts – (a) relay and (b) discovery.

Gives us idea of the arms race – China not cracking down on every possible approach – just the more popular!

How do we solve the discovery problem? 1 – private bridges (social network) – you can give out multiple, and as long as one is reachable, users can then report the errors (automated through the client). 2 – open sign-up is dangerous. The smarter approach is to divide the bridge operators into different pools. Limit through time, resources, etc. Email list approach (every three days).
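The pooling and rate-limiting idea above, as an added example (not code from the Tor project or from the workshop): each bridge is assigned to exactly one distribution pool, and a requester gets the same few bridges for a whole three-day window, so repeated requests reveal nothing new. The key, pool names, function names and addresses are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW_SECONDS = 3 * 24 * 3600           # "every three days", per the notes
POOLS = ("email", "web", "private")      # hypothetical pool names


def _keyed(key: bytes, *parts: str) -> int:
    """HMAC-SHA256 of the parts as an integer; unpredictable without the key."""
    msg = "\x00".join(parts).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def pool_of(key: bytes, bridge: str) -> str:
    """Each bridge lands in exactly one pool, so one channel leaks only its share."""
    return POOLS[_keyed(key, "pool", bridge) % len(POOLS)]


def normalise(email: str) -> str:
    """Fold case and '+tag' aliases so one mailbox counts as one requester."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def bridges_for(key, bridges, pool, email, now, count=3):
    """Same requester, same window -> same answer; asking again reveals nothing new."""
    window = str(int(now // WINDOW_SECONDS))
    who = normalise(email)
    members = [b for b in bridges if pool_of(key, b) == pool]
    return sorted(members, key=lambda b: _keyed(key, "pick", who, window, b))[:count]


# Constructed sample data: documentation-range addresses and a demo key.
DEMO_KEY = b"demo-key-not-a-real-secret"
DEMO_BRIDGES = [f"192.0.2.{i}:443" for i in range(1, 31)]

if __name__ == "__main__":
    t = 1_700_000_000
    for who in ("alice@example.com", "Alice+2@example.com", "bob@example.com"):
        print(who, bridges_for(DEMO_KEY, DEMO_BRIDGES, "email", who, t))
    later = t + WINDOW_SECONDS
    print("next window:", bridges_for(DEMO_KEY, DEMO_BRIDGES, "email", "alice@example.com", later))
```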

US filtering companies are better at blocking than the governments. (Hardly a surprise!)

Commercial entities are also blocking Anonymizer etc. Anonymizer’s CEO said that businesses who want to reach them often can’t (due to corporate filtering), so they circulate an alternative URL!

James (author of CGIProxy) spoke: the script was first written in 1996 (when China/Singapore announced first intention)… demonstrated for a magazine, then returned to it. Basically it is similar to Psiphon etc – freely distributable to anyone – anyone can then install their own, with a little technical help. JavaScript support, works pretty well for most of the email services. Very modifiable, written in Perl, open-sourced etc.

I asked about problems that emerge from the tightening of restrictions on users in ‘uncensored states’ (i.e. the people who will act as bridges/friends for those in the censored states). I.e. if ISPs restrict things like filesharing, servers, connection-sharing etc, they can (and do) restrict your ability to do pass-through by contract/terms of use. Michael (Citizen Lab, U of T) explained how the Psiphon project tries to keep it simple, but that they need to build ‘bigger friends’. (I discussed this problem in more detail with Nart Villeneuve after the session – it’s related to data retention, the power of ISPs, etc in that it does have the potential – if there is a will – to be a problem. Protections include market power (people won’t go with restrictive ISPs), neutrality legislation, continuing to keep it simple, advocacy, etc.)

A very interesting point: “Encryption is allowed because it helps e-commerce” – so we need a case for circumvention that is not just about circumvention! i.e. legitimate use that can allow a Chinese user to point to a non-restricted use. A few people mentioned that circumvention/anonymising should be built in as a default – and that ‘Western’ users should use the software too as a normal, everyday thing (even as simple as a proxy to protect against spyware).

Anonymizer mentioned that the utilisation (of their software) by commercial interests has gone from 1-2% to 80% of revenue!

On anti-anti-circumvention techniques, it was noted that developers don’t necessarily want to show all their tricks until it is needed – hold back as long as you can while being effective.