The Great (Fire)Wall of China: Internet Security and Information Policy Issues in the People's Republic of China

William Yurcik **, University of Pittsburgh
Zixiang Tan ***, Syracuse University

Abstract: In an attempt to tighten control over information flow, the People's Republic of China has initiated a clamp-down policy on Internet users. This policy has resulted in several 1996 government regulations including a circular issued by the Ministry of Public Security on February 14, 1996 which ordered all users of the Internet and other international computer networks to register with the police. This registration approach is also being complemented with a technology approach so as to ensure control over the information flow in PRC's fledgling computer networks. The technology approach includes "firewall" technology which will be used to create a national "intranet" likely to become the largest intranet in the world if implemented successfully. In this paper we discuss the concepts of firewalls and intranets, public policy issues concerning information security and censorship in China*, the state of awareness of insecurity of present-generation computer networks in China, Chinese security planning for future information systems, specific technologies that Chinese professionals hold promising, and unique problems in the Chinese context. This research is a result of a joint United States/United Kingdom Computer Security Delegation which visited China May 18, 1996 - May 31, 1996 at the invitation of the Chinese Association for Science and Technology (CAST). Dr. Ravi Sandhu, Chairman of the ACM's Special Interest Group on Security, Audit, and Control (SIGSAC), led the delegation (which also included Mr. Yurcik) in professional exchanges.
* For the remainder of this paper, we refer to the People's Republic of China as "China".
** Corresponding author: yurcik@tele.pitt.edu, +1 412-624-9411, FAX +1 412-624-2788. Mailing address: University of Pittsburgh, Department of Information Science and Telecommunications, 742 LIS Bldg., 135 North Bellefield Avenue, Pittsburgh PA 15260 USA.
*** Assistant Professor, School of Information Studies, Syracuse University.

1.0 Introduction

At a recent conference sponsored by the Internet Society in Montreal, Canada (INET '96), where Internet leaders from around the world convened to discuss technical issues, a new discussion emerged which focused on the increasing number of governments intent on erecting barriers to free speech on the Internet.[25] These barriers to free speech have occurred in over 20 countries including Germany, Singapore, New Zealand, China and the United States. The form of these barriers to free speech has been to restrict network access, limit content, criminalize some forms of communication, and erect new technological barriers that are still being developed. The Internet as a new medium is at a relatively early stage of development and these barriers to free speech represent a significant trend which will shape future communications.

This paper will focus exclusively on Internet security and information policy issues in the People's Republic of China (China). China's computer policies are important not only because they appear on face value to be the most "Orwellian" in the world but also because China has close to one fifth of the world's population (1.2 billion).[28] China has the third largest economy behind the U.S. and Japan (with an average 10% growth rate since 1990), the world's largest armed forces, and the largest potential consumer market in the world. China is seen by many as the key to stability in Asia and peace in the world.
The emerging importance of trade with China increasingly depends on developments in electronic commerce, and the compatibility of China's Internet policies with global Internet policies may either accelerate or slow these developments. China is the sixth largest trading partner with the U.S., and the U.S. Central Intelligence Agency estimates the Pacific Rim will contain five of the world's six largest economies (China, U.S., Japan, India, Indonesia, and South Korea) in the near future.[43] In particular, the opening of Chinese markets has accounted for a substantial rise in U.S. telecommunications equipment exports, with the fastest growing telecommunications markets in 1995 being Hong Kong, up 119% to $890M, and China, up 36% to $870M.[according to Telecommunications Industry Association (TIA)]

The China Association for Science and Technology (CAST) is the largest association of scientists and engineers in China (2 million members), having grown to several hundred affiliated associations since the end of the cultural revolution in the 1970s. In an attempt to seek continued expansion of its relationships with foreign universities, government agencies, international standards organizations and businesses, CAST invited an international delegation to visit China for professional exchanges focused on computer security. Dr. Ravi Sandhu, Chairman of the ACM's Special Interest Group on Security, Audit, and Control (SIGSAC), led the delegation which included experts from the United States and United Kingdom. From May 18, 1996 to May 31, 1996 we participated in professional exchanges with our Chinese counterparts.

The Internet is still a very young technology in China but there are already powerful forces at work seeking to exert control over the flow of information within the Chinese portion of the Internet and between the Chinese portion of the Internet and the rest of the global Internet.
The information from professional exchanges expressed here seeks to highlight different attempts at Internet censorship by the Chinese and the information policy ramifications for the rest of the Internet. These issues of Internet censorship are common to all participating countries. Just as no one country can solve the problem alone, one country's policies will affect the transborder information flows to all countries.

2.0 Chinese Internet Infrastructure

Since the Internet depends on underlying infrastructure, understanding telecommunications, language encoding, and computer networks in China will frame the issues. For instance, given that the government controls all the mass media in China (newspapers, broadcast stations, films, recordings), it should be no surprise that they are now regulating the Internet.[34] China's security infrastructure is equipped to selectively monitor telephone calls and FAXes. The Chinese government has even banned paging companies from "editing and disseminating news" in the message function of their pagers.[40]

2.1 Telecommunications in China

Due to the sheer size of its markets, China is expected to have more telephones, more cellular telephones, more beepers, and more fiber optic transmission capacity than any other nation within 25 years. The analogy that has been made in the literature is that every two years China adds a telephone network equal to France's entire national system.[40] This is slightly misleading, however, if you consider that average telephone penetration in China was 0.7% in 1988, 3.25% in 1995, and is only projected to reach 8.0% by 2000.[39] This is among the worst telephone penetration rates in the world for an industrialized nation. Since telephone service prior to 1980 was non-existent or inadequate, China has been able to "leapfrog" generations of intermediate technology.
The speed of construction has been attributed to the low cost of labor in China (about 5% of a telecommunications installation compared to about 50% in the U.S.).[31] As a result of rapid construction of new technology, a high percentage of China's telephone lines that now exist are less than five years old and provide an excellent channel for modem dial-in Internet access of the kind typically used by individuals in their homes.

Dynamic changes occurred in the Eighth Five-year Post and Telecommunications Plan Period (1991-1995) when China's Ministry of Post and Telecommunications (MPT) began building a three-tier network consisting of fiber optic systems, satellite ground stations, and microwave trunks. By 1995, China had established 23 ground satellite stations and 22 fiber optic backbone cables, completed more than 50,000 km of digital microwave systems, and constructed several international fiber optic cables (Sino-Japan submarine cable, Sino-South Korea submarine cable, and the trans-Asia-Europe continental cable expected 1997).[42]

The MPT is responsible for regulating all post office, telecommunications, telegraph, and wire services. MPT is also a traditional telecommunications monopoly operator of telecommunications services. MPT is in the process of flattening the hierarchical structure of the public network from three levels (interprovincial transport network, intraprovincial transport network, and local access network) to two levels (long distance transport and local access). The Ministry of Electronic Industries (MEI) disseminates policy, conducts research, and manufactures telecommunications equipment. MEI also has strong political power.
China's President Jiang Zemin is a former Minister of MEI and Premier Li Peng is a former head of the Leading Group for Revitalization of the Electronics Industry.[39] The MPT and MEI are both contending for administrative authority to provide telecommunications leadership, but as the Chinese economy shifts from a central command system to a market-oriented system, there is a question whether it is possible for any one organization to be able to control the forces unleashed.[39] With the rise of the Chinese Internet built on MPT facilities, information censorship may be the decisive function which will determine who will provide telecommunications leadership. At present it appears that MPT's bottleneck control of international Internet connections gives MPT the edge.

As of 1993, two new telecommunications organizations have been licensed to operate nationwide services to compete with the MPT: Lian Tong and Ji Tong. Lian Tong, also known as China United Telecommunications, was formed by a group of government agencies and other organizations. Its primary offerings include fixed line, mobile, paging, satellite, and value-added services. Ji Tong is a joint venture established as a data communications competitor to the MPT. MPT has responded by lowering prices and increasing investment.

MPT operates several data networks. The China National Public Data Network (CHINAPAC) is an X.25 network started in 1989 and upgraded in 1994. CHINAPAC now has access nodes in all areas covered by the telephone network (700 cities).[5] CHINAPAC can be accessed at leased line speeds up to 64 Kbps as well as through the public telephone network. MPT also operates a nationwide digital data transmission network called the Digital Data Network (DDN). Built in 1994, the DDN provides data services from 30 Mbps to 2 Gbps with more than 3,000 nodes. The DDN is the backbone of China's information highway plans.
The Chinese Government has concentrated on funding telecommunications projects that lead to more efficient centralized government planning.[39] These projects are referred to collectively as "Golden Projects". Starting in 1992, when three Golden Projects were initially introduced, several more Golden Projects have been added each year. These Golden Projects rely mostly on MPT public network circuits, CHINAPAC, DDN, and CHINANET for transport. A partial list of currently active Golden Projects is given in Table 1.

TABLE 1: THE GOLDEN PROJECTS

Golden Bridge ........... public economic information processing network
Golden Customs .......... foreign trade information sources
Golden Card ............. electronic monetary and modern payment system
Golden Tax .............. electronic taxation system
Golden Enterprises ...... industrial production information network
Golden Agriculture ...... management and service information system
Golden Intellectual ..... education and research computer network
Golden Policy ........... economic micro-policy making support system

The Chinese government prohibits foreign operation of telecommunications networks. MPT officials cite national security reasons as their justification to ban foreign investment in operating telecommunications networks, but a more compelling reason would suggest that any such foreign investment would be in direct competition with the MPT. However, telecommunications product vendors such as Motorola, AT&T, Nortel, Nokia, Ericsson, and Siemens are making significant profits in China. Only a few telecommunication service corporations such as Ameritech, McCaw, Singapore Telecom, and Siemens-Deutsche Telekom have managed to forge joint venture agreements in which they are defined not as telecommunications service providers but rather as engineering advisors. Such joint venture agreements offer little legal protection. In fact there is no telecommunications law in China.
The absence of telecommunications law bolsters the influence of the MPT as both the dominant telecommunications common carrier and the telecommunications regulatory agency.

In summary, the Chinese telecommunications infrastructure is a study in contrasts. China has deployed nearly every technology currently available and yet has a low level of penetration; it is a highly regulated monopoly yet has strong competition and foreigners trying to enter; since it has no policy of universal service there are barren service areas while some areas have state-of-the-art services. The communist leaders of China have long adhered to a centralized, secure, and propagandized approach to governance. The implications of the Internet, where millions of Chinese people will soon have access to the wealth of information from the global community, raise the question of whether this approach to governance will be able to continue.

2.2 Chinese Language Encoding

Language is an important but often overlooked factor in Internet communications. Chinese written languages can be divided into two groups: (1) simplified Chinese used in mainland China and (2) traditional Chinese used in Taiwan and Hong Kong. Both represent ideas with many different picture symbols (ideograms). Simplified Chinese originates from traditional Chinese but is easier to write, using fewer strokes. Readers of traditional Chinese have difficulty distinguishing simplified Chinese because the reduced number of strokes decreases the difference between similar ideograms. Readers of simplified Chinese have extreme difficulty interpreting traditional Chinese because ideograms can be totally different with no shared characteristics. There are also written phonetic forms of the Chinese language, known as pinyin, that use the Latin alphabet to transliterate the language, but this is not universal and vital indicators of pitch movement (high-low, low-high, steady, high-low-high) are often not incorporated.
Pitch movement is important in Chinese because the same sound can have very different meanings depending on the pitch movement used when spoken. These Chinese language characteristics have presented significant problems to computer usage and now Internet communications. English language computer keyboards and computer hardware/software expect ASCII symbols (American Standard Code for Information Exchange) in which each symbol is represented in 8 bits. Thus ASCII can represent a maximum of 256 (2^8) symbols, which is much less than the approximately 19,000 unique symbols needed for all Chinese languages. To a certain extent, this problem of representing a large set of ideograms has locked out a large population from the computer age since typing is a foreign notion. Most Asians have not been familiar with the concept of a keyboard until just recently.

A proposed global standard, Unicode, would solve this problem by representing all symbols in sixteen bits instead of eight bits, thus allowing for 65,536 total symbols. However, Unicode has not yet gathered unanimous international support from standards bodies and corporations, and any transition to Unicode, if adopted, would have far-reaching consequences, since it would instantly double computer memory requirements among other computer architecture impacts. In the interim before Unicode or a competing standard is eventually adopted, the Chinese have submitted the Chinese exchange codes ISO-2022-CN and ISO-2022-CN-EXT to the Internet Engineering Task Force (IETF) as proposed standards.[15,32] In addition, searching and indexing tools for Chinese language-coded documents are being developed.[24]

PC manufacturers have approached the challenge of encoding the Chinese language as an opportunity.
Many PC packages use either: (1) the phonetic form of Chinese, pinyin, where the user selects from a menu of possibilities, or (2) a combination of up to four keystrokes to generate a single ideogram, with the memorization of the four exact keystrokes being the limitation. The Chinese version of Windows 3.2 is bundled with 10 input methods and Apple's Macintosh has four input methods.

The Chinese government has been supporting the development of Chinese language encoding standards. This represents a potential vulnerability to government control of Internet communications since the encoding standards are vital for interoperability. The Chinese government is aware of the importance of language use on the Internet. A recent article in the Communist Party newspaper urged Chinese to work hard to make Chinese the main language on the Internet.[35] Recently there have been efforts to encourage the study of the Chinese language abroad and the Chinese foreign ministry has stopped English translations at news briefings.[21] There is speculation that as large numbers of Chinese begin using the Internet, the Chinese language could begin to dominate Internet communications.

2.3 Computer Networks With Internet Connectivity in China

"Over the past few years, with the growth of a market economy and progress in spreading information, computer information networks have been playing an active role in accelerating China's economic, scientific, technological, and educational development" - as reported by The New China News Agency, February 1996 [12]

The Internet has developed in China in two short years. The Asia-Pacific Network Information Center (APNIC) database lists 190 registered networks under country domain code .CN, of which 19 are self-defined as Internet Service Providers (ISPs).
Although China prohibits foreign companies from operating telecommunications networks within its borders, China does allow operational interconnection between its national data networks and foreign-run data networks.

The first direct link from China to the Internet was established in 1993 by the Institute of High Energy Physics (IHEP), which is part of the Chinese Academy of Sciences (CAS). IHEP connected to Stanford University via a 64 Kbps leased satellite circuit from AT&T. In March 1994 this link was formally provided full Internet access and in July 1994 the connectivity was changed to a submarine circuit through KEK (National Laboratory for High Energy Physics, Japan).[42]

In parallel with IHEP, the National Computing and Networking Facility Center (NCFC) within CAS was also funded by the World Bank and the Chinese government to interconnect three campus networks with their supercomputer site. CAS's campus network (CASNET) was extended to Beijing University and Tsinghua University at 10 Mbps. As CASNET grew, NCFC was designated as the network center, designated China's top domain server, and connected to the Internet (64 Kbps). CASNET has now grown to 30 research institutions (20,000 users).[27]

In September 1994 the Beijing University of Chemical Technology (BUCT) became the third institution in China to have full Internet connectivity via a 64 Kbps MCI satellite circuit connected to CAREN (Consortium of Asian Research and Education Network) and JVNCnet (John von Neumann Center Network - Princeton University).[42]

The largest Chinese network to connect to the Internet is the Chinese Education and Research Network (CERNET). Government-funded and managed by the Chinese State Education Commission, CERNET is chartered to connect all Chinese universities and institutes in the near future and all K12 schools by 2000.
CERNET was started in 1993 and within the first two years more than 100 universities were connected (with each campus averaging about 2,000 computers). Most Chinese universities must first build their campus networks before connecting to CERNET, which is the exact opposite order of development from most other countries, where networked campuses subsequently organize to form wide area networks. It is predicted that CERNET will become the world's largest education and research backbone connected to the Internet.

CERNET is configured in three layers: (1) the national backbone, (2) eight regional networks, and (3) university campus networks. CERNET uses DDN circuits ranging from 64 Kbps to 2 Mbps to interconnect these three layers, with CHINAPAC circuits used as backup. CERNET, centered at Tsinghua University, was originally connected to the Internet through NCFC/CASNET but obtained a separate Internet connection via a 128 Kbps circuit in May 1995. Although CERNET is an academic network, Internet security was a major design criterion. Firewalls and access lists have been set up at different levels to ensure the "safety" of the network. CERNET traffic is recorded and analyzed for network performance and security analysis. In particular, CERNET's analysis of the traffic over their Internet connection is that inbound traffic (Internet to China) has been capacity constrained since the original connection, while outbound traffic (China to Internet) has been increasing and will soon also be capacity constrained.[24]

CHINANET is China's commercial ISP operated by the government via the MPT. Individuals have been able to purchase Internet accounts directly from CHINANET since mid-1995. CHINANET has two international links to the Internet and uses DDN and CHINAPAC circuits to form its domestic network. In addition to CHINANET, there are a handful of private commercial companies now beginning to offer access to the Internet to individuals in China.
Recent regulations have allowed new private ISPs to connect to CHINANET if minimum quality of service standards are met. Connecting private ISPs to the centrally administered CHINANET enables government authorities to monitor and potentially censor Internet services and content offered by the new private ISPs. Private ISPs not only need CHINANET for their international Internet connectivity but also to coordinate the following technical requirements in order for interoperability to take place: network access point (NAP) / Internet exchange (IX) establishment; network information center (NIC) services; network operation center (NOC) services; and domain naming system (DNS) standardization.

Examples of the new private ISPs include 1+Net, which owns COMPUNET, and the China Internet Company (CIC). COMPUNET started in October 1995 with $600,000 in capital and provides dial-up service with Chinese language software. After much success, COMPUNET has expanded to 20 cities with $20M in new capital and has also opened a Cybercafe in the lobby of the Beijing Concert Hall.[20,29,33] CIC is managed by James Chu, a U.S. trained computer scientist. Based in Hong Kong, CIC is owned 60% by Xinhua News Agency (China's official government news agency). With the Chinese government indirectly overseeing the operation, CIC offers a business-oriented Internet environment with controlled content access to the Internet.[18]

3.0 Chinese Internet Policy

It is reported that Chinese Internet regulation began in late December 1995 when Guangen Ding, head of the Communist Party's propaganda department, installed Microsoft's Windows 95 on his home computer. Roughly two weeks after Ding began browsing, CHINANET stopped issuing new Internet accounts.
Guangen Ding had supposedly found Playboy's web site as well as several Chinese dissident homepages and protest newsletters.[38] While this appears to match the timing of events that unfolded in 1996, Internet regulation has its roots in Tiananmen Square 1989. On June 4, 1989, the day that government troops entered Tiananmen Square in Beijing to end the democracy movement taking place there, the government also ordered monitors deployed at every FAX machine in China to intercept foreign reports about the events. The protesters had been using FAX machines to communicate with each other both inside and outside China. The Internet, as a more functional means of communication, soon replaced FAX machines for those protesting Chinese Government policies. Until this year, the only official response from the Chinese Government has been to covertly shut down the Chinese portion of the Internet on the June 4th anniversary of Tiananmen Square each year.

On February 18, 1994, a computer protection law was announced by Premier Li Peng.[16] The Safety and Protection Regulations of the Computer Information System of the People's Republic of China dictate that each organization has to create its own specific procedures to implement computer protection. For example, an organization must develop access controls, administrative controls, and personnel controls.[16] This law was the first official regulation on computer security and was issued before Internet access was a reality in China.

In May 1995, CHINANET in Beijing and Shanghai began selling Internet accounts to individuals, but with restrictions. Each user had to register with the MPT, and the Usenet newsgroups "alt.", "rec." and "soc." were blocked ("comp." and "sci." Usenet newsgroups were not blocked). The cost of an Internet account was relatively high, and this combined with registration led quickly to the creation of a black market in Internet accounts.
The Minister of Posts and Telecommunications, Wu Jichuan, is quoted as saying not all information on the Internet would be allowed to flow into the country: "as a sovereign nation, China must strengthen information management."[30]

On January 1, 1996, the Xinhua News Agency reported that the government called for a crackdown on the Internet to rid the country of unwanted pornography and detrimental information. This was several days after CompuServe cut off access to 200 Usenet newsgroups as part of unrelated litigation in Germany. A joint statement issued by the State Council and the Communist Party Central Committee said effective measures had to be adopted to solve the problem of uncontrolled information. Ten days later, on January 10, 1996, the State Council (this time with representation from all networks with international Internet connections) decided no additional permits for international Internet connections would be granted and new user registration should be postponed indefinitely. Five days later, CHINANET announced a moratorium on new user accounts. Official press reports stated that demand was higher than CHINANET could handle, with an estimated 70,000 people using only 7,000 registered accounts.

On January 23, 1996, a government cabinet meeting chaired by Premier Li Peng adopted rules governing international Internet connections. The cabinet reiterated its provisional approval for international computer links but declared it imperative to formulate rules to govern China's use of the new technology.
On February 1st, the following new regulations promulgated by this meeting were announced by the Xinhua News Agency:

- all ISPs have to liquidate and reregister
- all computer information networks making international connections must use a channel designated by the Ministry of Post and Telecommunications
- all networks will be supervised by one of four branches of the Government:
  (1) the Ministry of Post and Telecommunications (general)
  (2) the Ministry of Electronics (computer companies)
  (3) the State Education Commission (universities)
  (4) the Academy of Sciences (scientific research)
- any organization applying for an Internet node must have legal status: appropriate equipment, technical personnel, and safety/security control measures
- no organization or individual may engage in activities at the expense of state security; producing, retrieving, duplicating, or spreading information that may hinder public order is forbidden; pornography is explicitly banned

At this point, ISP providers began asking users to sign an agreement to abide by the new Internet regulations, not endanger state security, promise not to put business advertisements on the Internet (spamming), and not delay their monthly payments.[11] It was also reported at this time that the MPT was developing software to filter pornography and counter-revolutionary ideas from Internet traffic.[17,18]

On February 14, 1996, the Ministry of Public Security (MPS) issued a circular requiring all Internet users to register with them within 30 days. Users must also report to MPS if they switch accounts to a different ISP or cancel their account.[8] The MPS's primary function is policing, with branches at the federal, provincial, county, city, and village level. The MPS is also in charge of computer security, where it investigates computer crime, provides computer security training, and issues computer security regulations.
MPS has regulations for computer rooms, computer security products, international communications, and the import/export of information in any medium. For example, International Email Privacy Article 12 states that all software entering China must be declared to Customs officials.[16]

The Internet user registration regulation is actually a modification of the CERNET student Internet account registration form.[23] The CERNET administration board, composed of government officials and in charge of policy making, has three documents which comprise CERNET's "Acceptable Use Policy" for users: [24]

- Management Regulations of China Education and Research Network
- China Education and Research Network Safety Management Contract
- China Education and Research Network User's Regulations

The 1996 Internet regulations coincide with 1996 Chinese regulations to restrict foreign news services from offering international economic information (i.e. Dow Jones, Reuters).[17] Xinhua News Agency now has a monitoring room to censor foreign news services.[12] Providing real-time financial information generates tens of millions of dollars in the developing Chinese stock, bond, and commodity markets as well as allowing banks and trading houses to hedge risks on markets abroad. Whether these foreign news service restrictions represent a simple economic motive or whether they are another manifestation of Internet control is not clear.[13] The Internet has many such financial news sources who have global marketing plans. These are the first business information restrictions since the early days of China reform (post 1949) when Communist authorities banned residential telephones.[17]

In September 1996, the State Council Information Leading Group ordered the MPT to block access to about 100 Internet sites "suspected of carrying spiritual pollution", with a second group to be blocked at a later date. The blocked sites can be categorized into U.S.
news media sites; Taiwanese Chinese-language sites; Hong Kong news media sites; dissident sites external to China; and pornographic sites. This censorship has been implemented and independently verified.[9,26]

As the Internet proves its utility in China, it will not only promote economic growth but also provide a new channel for freedom of speech. While China attempts to officially control freedom of speech within China, the overseas Chinese dissident community is not so easily controlled and is already sending and posting information over the Internet which is objectionable to the Chinese government.[17] One prominent example is three groups (Human Rights in China, The Center for Modern China, and China Spring) who each publish reports every Sunday accessible in China via the Internet.[12] Another example is Wei Jingsheng, a leading democracy campaigner, who was resentenced to a second long prison term in 1995 for a text authored 16 years ago entitled "Fifth Modernization." At about the same time Mr. Wei was being resentenced, the U.S.-based China News Digest e-mailed its 40,000+ Internet subscribers, including many subscribers inside China, the full text of "Fifth Modernization".[18]

It is ironic that the announcement of these Internet policies was simultaneous with announcements of CHINANET plans to expand Internet access to all provinces in China and announcements of additional Golden Projects. While China's Internet regulations have been seen by most western observers as negative, many Chinese see the government actions as positive. "China is not closing its door to all information.
It's just requiring that all information coming in has to follow Chinese laws," states James Chu of CIC.[34] Although the Chinese government is wary of the Internet, the information it carries is simply too important for economic development.[34] No modern economy can do without a national information infrastructure, and these regulations can be interpreted as the Chinese government's acceptance of the Internet given that it was not entirely outlawed as it could have been. "We should find a way for the Internet to work for our nation," states Jiang Lintao, an Internet specialist at the MPT.[17]

4.0 Internet Censorship

"One can regard the Internet in some of the same ways as radio waves with respect to the abilities of the medium to transparently flow across national boundaries." - Tony Rutkowski, former Head of the Internet Society [22]

Nations have been jamming radio and television broadcast signals, censoring news reports, and spreading propaganda via official channels for many years. With the advent of wired computer communications, completely new forms of broadcasting have evolved. The digital nature of these new signals now makes it easier to instantly control transborder communications flows.[22] From a technical feasibility point of view, it is becoming possible to segment Internet communications country by country. The Internet promotes the flow of ideas and the ability to freely and instantly communicate. In contrast, an authoritarian nation's very survival may depend upon its ability to control information: information citizens have about their country and the outside world as well as information the outside world knows about the internal situation of the country.
The very fact that authoritarian governments are among the first attempting to control the Internet is an indication of the potential importance of the Internet.[14]

4.1 Non-Technological Internet Censorship Strategies

As witnessed by China's 1996 Internet regulations, nations are not passively observing the powerful new influence of the Internet. Rather governments are attempting to extend their power from the physical world into the Internet. Before examining the new censorship strategies made possible by the digital nature of the Internet, we first examine the applicability of non-technological strategies to censor the Internet. These non-technological strategies have evolved in other contexts over the past century and proven themselves extremely effective. Despite the attractiveness of new sterile technological censorship solutions, non-technological solutions are still the predominant and maybe the most effective censorship techniques available. While Internet censorship is already taking place in many countries, we will confine our examples to the use of these non-technological Internet censorship strategies in China. The following list extends discussion found in [14].

(1) Legislate illegal content {Internet regulations, for Chinese examples see Section 3.0}

(2) Control the physical land and sea right-of-ways and spectrum allocation rights [14] This will provide sovereign authority over telecommunications projects, set conditions for network construction and operation, and allow access to communications facilities as needed for censorship. In China the government controls all right-of-ways and spectrum allocation and thus controls network topology and access to network equipment.

(3) Ban or regulate the equipment necessary for users to communicate [14] China regulates satellite dishes, FAX machines, pagers, and Internet accounts.
The MEI manufactures most of the telecommunications equipment used in China and the MPT regulates and operates DDN, CHINAPAC, and the public telephone network which underlies most computer networks in China. Equipment control is also access control.

(4) Control access It is impossible to control content without also controlling access. The best way to control access is by becoming the only access provider. In China, there are already multiple ISPs but private commercial ISPs are mandated to use CHINANET and MPT facilities and all ISPs are regulated by the government. In addition, the MPS is attempting to control Internet access via both user registration and control of international Internet connections.

(5) Special business restrictions for foreign corporations [14] The most celebrated use of this technique by China is in dealing with Rupert Murdoch. Mr. Murdoch had publicly predicted in 1993 that satellite TV would prove to be the undoing of totalitarian regimes; "Satellite broadcasting makes it possible for information-hungry residents of many closed societies to bypass state-controlled television channels."[3,17] In order for Murdoch to operate satellite broadcasts into China, the Chinese Government forced Murdoch to remove the BBC World Service Television newscasts from his Star TV's satellite broadcasts into China, Hong Kong, and Taiwan. Mr.
Murdoch also had to agree to pay $5.4 M to the Chinese Communist Party's flagship newspaper.[3] In response to other international satellite entrepreneurs, China also outlawed the sale of satellite dishes, launched a nationwide cable laying plan to expand its own programming, and launched its own satellite-based pay TV China Central Television Network (CCTV).[3]

(6) Domestic regulations to influence organizations internationally [14] For example, government threats from different countries have inhibited the New York Times and Washington Post from running critical articles in their globally distributed International Herald Tribune.[14]

(7) Apply government pressure on organizations to reveal information [14] Although encrypted information may not be practically decipherable by "sniffing Internet packets", the government can place various forms of pressure on organizations to reveal information or create incentives to reveal information. The Chinese government has been studying the Singapore government's technique of "community gatekeeping" where users who notice undesirable material on the Internet are encouraged to immediately alert authorities.[2] There is pressure on new private ISPs in China to self-censor their services to operate within the limit of Internet regulations. Threats of severe punishment increase the incentive of ISPs to be responsive and vigilant to Internet regulations.

(8) Assert diplomatic pressure [14] Nations can assert diplomatic pressure via economic sanctions, contract awards, boycotts, and military exercises (blockades, mining, no-fly restrictions) to modify the behavior of other nations. Examples include China's war games in the Taiwan Strait in an effort to intimidate the Taiwanese elections process and the 1996 $1.5 B airplane purchase agreement lost by Boeing to European Airbus in protest against U.S. statements about human rights and intellectual property rights violations in China.
(9) Control pertinent technological standards via non-technological means Control of a standard can mean control of the technology, and the international standards process can be manipulated given appropriate means. We have already mentioned the importance of the Chinese language encoding standard in Section 2.2. Another example is the MPS. The MPS defines standards for databases and information management and network security, approves encryption products and smart cards, and sets national computer security policy.[16] These standards are key to any potential monitoring of Internet content.

Before leaving these non-technological techniques, we need to expand on strategy 5 (special business restrictions) since China is both centrally controlled yet has some open markets. As China continues to operate under the command model, it has incorporated lessons from failed communist models and implemented uniquely Chinese-favored open markets. Foreign firms cannot simply buy from and sell to any Chinese firms and individuals. China grants the right to trade only to designated firms, largely state monopolies. China will grant trading rights to foreign firms but only in joint ventures with Chinese companies. This reinforces the Chinese notion that access to a market is a political gift to be handed out as a reward to firms. China's main tactic in attempting to discourage foreign meddling in its internal affairs has been to threaten foreign firms with the loss of contracts and trade. This situation appears to invite one in which market access is a reward for facilitating Internet censorship. Since China prohibits foreign firms from operating telecommunications networks within its national borders, foreign firms seeking Internet business in China must enter into a joint venture agreement with a Chinese organization. Finding the right joint venture partner is absolutely critical to success.
Strong Chinese partners can insulate joint ventures from government regulation, but strong Chinese partners may also apply pressure for Internet censorship. In summary, these non-technological Internet censorship strategies are the established techniques used by nations to control information. The techniques are based on the use of power. Whether they alone will be successful in controlling information over the Internet is an open question.

4.2 Technological Internet Censorship Strategies

"The Internet interprets censorship as damage and routes around it." - an Internet axiom credited to John Gilmore, Silicon Valley network engineer [22]

While there are strong motivations for a nation-state to censor the Internet, Internet information flow is difficult to control. Although interorganizational coordination is needed for address and routing management, Internet (TCP/IP) networking is essentially plug-and-play with low-end access available via a computer, a modem, and a telephone line. Once connected to the Internet, a user can access information from around the world and become an author by publishing a web page or posting to a Usenet newsgroup or an Internet mail distribution list. The main obstacle to Internet censorship is the basic design of the Internet itself. The Internet was built for fault tolerance of unreliable network links and computers, such that if a link or a computer fails then packets can adaptively recover and automatically detour around faults. If access to information on one computer is blocked on one route, a user can simply use an alternate route via another computer. A user concerned about censorship can encrypt information, raising the level of intervention necessary to intercept and decipher it so that it is virtually unreadable except by the intended recipient.
It is possible to bypass censors simply by changing names of newsgroups, using an Email alias, or sending Email via chains of anonymous remailers.[22] New commercial hardware and software tools provide Internet censorship abilities without limiting network access or the prospect of employing masses of censors to monitor all Internet traffic. These tools do not attempt to censor transmissions within the network but rather attempt to block undesired content at each user's computer. Software could block information by using content descriptive tags developed by third parties to select what can and cannot be retrieved or transmitted. When using most Internet services users must take an affirmative action and control of this affirmative action is a focus of censorship activities. In an attempt to empower users with this type of Internet censorship capability, a group called the Platform for Internet Content Selection (PICS) is creating an Internet content ratings system similar to movie ratings. Niche Internet vendors have produced PICS filtering software which an adult or a boss can use to keep children or employees from accessing parts of the Internet. The PICS motivation is to move governments from their traditional censorship role toward a new role as a content rating police ensuring Internet information sources do not falsely represent themselves.[4,22] If a feasible content rating system is eventually agreed upon, it will be challenged by the many new Internet information sites that are created every day. Even with frequent upgrades, any Internet censorship software will always be at least partly out of date. PICS filters identify only the well-known and relatively permanent sites of objectionable material but content within an acceptable site or newsgroup can change to unacceptable at any time.[22] When a well-known web site is blocked, content can be distributed and stored on multiple "mirror" sites throughout the Internet. 
This puts censors in the position of detecting and blocking each mirrored web site. Web sites also can be cleverly disguised and placed beyond the legal jurisdiction of governments.[14] Besides blocking web sites directly, the results of numerous powerful search engines will also need to be censored. Lastly, when implementing any technological Internet censorship strategy, unforeseen consequences will be exposed by human users. Two examples of such unforeseen consequences are substitutability and tunneling. In substitutability, when one Internet service is blocked or censored, users will migrate to another service or set of services that can provide similar functionality. For example, if FTP is blocked or censored, users will transfer files via Email (files broken up in pieces) or if Email is blocked or censored, users will send messages via FTP or the web. Thus Internet services must be viewed collectively for an effective technological censorship strategy. In tunneling, users can combine multiple Internet services that are uncensored to create the functionality of Internet services that are censored. In technical terms, tunneling encapsulates the information of a censored protocol within an uncensored protocol, wrapped by header/trailer packet information fields. The uncensored protocol then traverses the network to the destination point where the uncensored protocol headers/trailers fields are then stripped away leaving only the information of the censored protocol. In summary, these arguments are not meant to imply that governments are powerless or will not try to censor the Internet but they do imply that it will take more than one simple automated tool to do so. Many governments are already attempting to scale proven technologies designed for private networks to a larger national scale. 
Creating controlled Internet environments using combinations of new technologies such as intranets and firewalls represents the state-of-the-art in technological Internet censorship strategies. We will now examine intranets and firewalls in the Chinese context.

4.2.1 Intranets

The initial reaction to a problem that can be traced to the Internet is to disconnect the organization's Internet connection, breaking all physical network links between internal networked computers and the Internet. This is essentially what an intranet is: an enterprise network (spanning geographical boundaries to connect different types of computers in various parts of an organization) that provides users with Internet application tools (i.e. web browsers) to access organizational information. Note that an intranet is an internal network to link organizational members to organizational information. An intranet is completely controlled by the organization. If any Internet connection does exist (one does not have to exist) a "firewall" (which will be discussed in the next section) prevents outside computers anywhere on the Internet from accessing computers on the intranet. Intranets are popular now for four reasons:

(1) the infrastructure is in place, in terms of computers, software, and connectivity for any networks with Internet access;
(2) they work, allowing all organizational members instant and uniform access to broadcast organizational information, internal databases, and internal collaboration;
(3) they scale well, because the technology is the same as that used in the Internet; and
(4) intranets are secure from the Internet.

Due to the popularity of the world wide web, most intranets are implementations of an enterprise network providing access to web server(s).
In the web context, to create an intranet requires the following:

(1) establishing a web server, requiring hardware and software;
(2) establishing web server access by building a TCP/IP network (Transmission Control Protocol / Internet Protocol, the protocol suite that provides interoperability on the Internet);
(3) loading client web browsers on each user's computer; and
(4) creating a web homepage document using HTML (hypertext markup language).

If China is attempting to build a national intranet to take advantage of established network connectivity while limiting access to information forbidden by Chinese Internet regulations, it would become the largest intranet in the world if successfully implemented.[14] One private ISP, CIC, is creating an intranet using filtering technology from Sun Microsystems. CIC provides unlimited network access within China but has screened menus to access the Internet. Users will be able to petition to open a channel to any international ISP subject to review by the MPT and MPS. CIC is being periodically inspected by the MPS.[17] The overwhelming majority of Internet traffic originating in China (90%) is now destined outside of China. The Chinese authorities (MPT and MPS) have set a future target of diminishing the proportion of outbound Internet traffic from China to the Internet to 30%.[12] One technique to accomplish this is by blocking access to all sites which have not been reviewed by Chinese officials. The new private ISPs are in a vulnerable position to cooperate, not wanting to violate Chinese Internet regulations and be closed down. One advantage of a web-based intranet to an organization seeking to control information is the developing ability to track aggregate web traffic and individual user web traffic. Emerging intranet products are developing methods to infer user information from web server request logs. Two current products include WebTrends from Software Inc. and Market Focus from Interse Corp.
Each product logs information in files that can be used with relational databases for specific queries. Other products are starting to be released that track web pages users access, the path users take to get to web pages, and the amount of Email an individual user sends and receives (Internet SnapShot by Tinwald Networking Technologies and Net Analysis by Net.Genesis Corp.). Two popular web-based search engines, Lycos and Infoseek, plan to launch systems that will keep track of search topics requested by an individual user and compile databases that will allow tailored content and advertising designed for individual users each time they search. Most of these web-based surveillance tools use the concept of a "cookie". The cookie was originally designed to maintain state information within a session of "hits" (a single web client/server transaction) since each hit is independent. The cookie has become a mechanism that a web server can use to store and retrieve information on a client. Individual browsers are identified by electronic tags stored in the browser's "cookie", a sector on the client's hard disk that can be used by web servers to deposit an identification (ID) tag. The web server could keep track of every client, but this is not practical due to storage limitations and the server also does not know how long to retain the information about each session; therefore, the use of cookies to distribute storage among clients is one solution. New surveillance systems will borrow from the "cookies" approach of transparently collecting information. Unlike the limited capabilities associated with cookies which just record ID tags, new systems are expected to collect a wider range of information. In summary, a national Chinese intranet with little or no access to the Internet provides one model for Chinese authorities who want to control Internet information. 
Intranet surveillance tools currently exist which allow Chinese authorities to track web-based information flows.

4.2.2 Firewalls

"Better to kill 1,000 in error than let even one slip through." - China's Vice Premier Zhu Rongji on the need to censor the Internet, February 1996. [29]

A firewall is a computer or group of computer systems that enforces an access control policy between two networks by blocking traffic or permitting traffic. Typically a firewall is one computer that sits between an internal network and the Internet, filtering packets between the Internet and the internal network according to various criteria. Firewalls simplify security management because network security can be consolidated on firewall systems rather than being distributed on systems all over an internal network. Firewalls thus offer a convenient point where logging and auditing functions can provide summaries about traffic flows passing through, traces of inbound and outbound connections, attempts to break through, and alarms for attacks as they occur. Without a firewall, protection defaults to individual computer security mechanisms implemented on each internal computer and network device. Theoretically, a firewall would not be needed if each computer on the internal network is well-managed and properly secured with sophisticated authentication but this is seldom the case.[19] The primary difference between a firewall and the more common network router is that firewalls can actually run applications including mail daemons, FTP servers, web servers, and proxy applications. The term "firewall" is an analogy to the concrete block firewalls used in building construction which are designed to stop fires from spreading between parts of a building. This term is misleading, however, since concrete firewalls are intended to stop all fires while computer network firewalls generally permit most traffic to pass through.
A better analogy might be a fire door that opens for permitted data to flow from one side to the other while preventing a fire from spreading. A national firewall system for all computer networks with Internet access within China has served as one of the main motivations of this research. During the process of writing this paper, evidence for the existence of just such a national firewall system for China has been independently verified by several sources.[9, 26, personal correspondence] The Chinese motivation of Internet censorship for a national firewall system is different from the typical function served by firewalls in most organizations. The following general firewall concepts presented in this section are designed to illuminate the possible techniques being used by the Chinese national firewall system. A firewall itself must be immune to penetration. If a firewall is compromised then not only is its protection ability eliminated but the firewall itself can be turned against its original owner. The most effective way to ensure firewall security is to use a trusted system as the basis for a firewall. Firewalls have traditionally been built on computers using the UNIX operating system. There are standards for security extensions to UNIX and UNIX has the largest, most extensive set of available tools.[16] Our professional exchanges uncovered a well-established effort to develop a secure Chinese UNIX called COSIX (Chinese Operating System based on UNIX, version 2.4). This is consistent with the development of a Chinese firewall which would require a trusted system platform. The primary advantage of the Chinese building their own UNIX is that they will have complete control over the end product firewall features. A firewall cannot control traffic that is not routed through it. Traffic that can go around a firewall represents a significant back-door security hole against which a firewall cannot defend.
A simple example of this is a dial-up connection from inside the firewall to the Internet or from the Internet to inside the firewall. In the Chinese context, dialing-up an international Internet connection to go around a firewall to get access to the uncensored Internet would be prohibitively expensive for most Chinese. It is also likely that this would be detected by the MPT since telephone calls, especially international telephone calls, are monitored in China. Before implementing a firewall, an organization must control its traffic routing such that external connections to the Internet are identified and managed. In China, some computer network traffic between two domestic locations has been routed via international Internet links in the U.S. due to lack of bandwidth in China and inefficient routing. In 1996, these problems appear to have been corrected. Table 2 lists China's six current international links to the Internet. Where the number of international Internet connections is small as it is in China, it is relatively easy for a government to control a handful of Internet routers and use them as firewalls.[14]

TABLE 2: CHINA'S INTERNATIONAL LINKS TO THE INTERNET [10,23] {for more details see Section 2.3}

No.  Since  China    Speed     Internet
1    1994   IHEP      64 Kbps  KEK
2    1994   NCFC      64 Kbps  Sprint
3    1995   CERNET   128 Kbps  Sprint
4    1995   BUCT      64 Kbps  CAREN
5    1995   MPT       64 Kbps  Sprint
6    1995   MPT      256 Kbps  Sprint

Rather than attempting to completely block Internet access in an intranet model, Chinese Internet regulations instead appear aimed at steering the flow of traffic through officially controlled firewalls on these international connections.[12] Officially, the MPT says it does not want to limit points of access into China but make more efficient use of expensive international circuits linking China's networks to the Internet (gaining economies of scale over fewer "fat pipes" versus many smaller pipes).[10] Generally, firewalls function at two different levels. The first level is IP packet filtering at the network level. Internet communications is implemented in packets which transmit information. There are five pieces of information in each IP packet on a network that are guaranteed to be unique for each session, collectively referred to as a full association. A full association is:

(1) a protocol number (identifies the upper layer protocol, which is most often TCP but there are possible multiple protocols and services);
(2) a source IP address (globally-unique IP address of the source computer);
(3) a source port number (next available port number from a pool, used to help identify the session);
(4) a destination IP address (globally-unique IP address of the destination computer); and
(5) a destination IP port number (identifies the Internet service requested).

There are fixed "well-known" destination port numbers that are standard conventions for Internet services. Using full associations, a firewall using packet filtering can filter on source computers, source networks, destination computers, destination networks, Internet services, and inbound/outbound direction (based on network interfaces).
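The full association described above, the inbound/outbound direction derived from the interface, and the two default policies and dynamic filtering covered in the next paragraph, as an added worked example. This is illustrative code written for this edit, not the paper's material or any firewall product: the rule set, the 10.0.0.0/8 internal numbering, the documentation addresses in 192.0.2.0/24 and the "three strikes" dynamic block are all constructed assumptions.

```python
"""Stateless packet filtering on the IP/TCP "full association" (protocol, source
address, source port, destination address, destination port) plus the direction
inferred from the network interface. Constructed illustration: the rules, addresses
and the dynamic-block behaviour are assumptions, not a description of any real
firewall product or of the Chinese national system."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP = 6, 17  # IANA protocol numbers carried in the IP header


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (from the Internet) or "out" (towards the Internet)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: Optional[int] = None  # None in any field matches every value
    src: Optional[str] = None  # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction))


class PacketFilter:
    """First matching rule wins; 'default' is the philosophy applied when no rule
    matches ("deny": not expressly permitted is prohibited; "permit": the reverse).
    The dynamic part is a constructed example of route filtering triggered by a
    suspicious event: a source that collects 'strikes' rejections is denied
    everything for 'block_seconds'."""

    def __init__(self, rules, default="deny", strikes=3, block_seconds=600):
        self.rules = list(rules)
        self.default = default
        self.strikes = strikes
        self.block_seconds = block_seconds
        self.denied_count = {}   # source address -> rejections since last block
        self.blocked_until = {}  # source address -> time the dynamic block expires

    def decide(self, p: Packet, now: float = 0.0) -> str:
        if self.blocked_until.get(p.src, -1.0) > now:
            return "deny"  # dynamic filter in force, static rules not consulted
        action = self.default
        for rule in self.rules:
            if rule.matches(p):
                action = rule.action
                break
        if action == "deny":
            n = self.denied_count.get(p.src, 0) + 1
            if n >= self.strikes:
                self.blocked_until[p.src] = now + self.block_seconds
                n = 0
            self.denied_count[p.src] = n
        return action


# Constructed rule set for an internal network numbered 10.0.0.0/8 (assumption).
RULES = [
    Rule("deny", proto=TCP, dport=23),                                       # telnet, either direction
    Rule("permit", proto=TCP, dst="10.0.0.0/8", dport=25, direction="in"),   # inbound mail to internal hosts
    Rule("permit", proto=TCP, src="10.0.0.0/8", dport=80, direction="out"),  # outbound web
]


def demo():
    """Run the same constructed packets through both philosophies; 192.0.2.0/24 is
    the documentation range used here as the 'outside' network."""
    restrictive = PacketFilter(RULES, default="deny")
    permissive = PacketFilter(RULES, default="permit")
    samples = {
        "web_out": Packet(TCP, "10.1.2.3", 40001, "192.0.2.10", 80, "out"),
        "telnet_out": Packet(TCP, "10.1.2.3", 40002, "192.0.2.10", 23, "out"),
        "gopher_out": Packet(TCP, "10.1.2.3", 40003, "192.0.2.10", 70, "out"),
        "smtp_in": Packet(TCP, "192.0.2.10", 5000, "10.0.0.25", 25, "in"),
        "web_in": Packet(TCP, "192.0.2.10", 5001, "10.0.0.25", 80, "in"),
    }
    return {name: (restrictive.decide(p), permissive.decide(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (strict, loose) in demo().items():
        print(f"{name:11s} default-deny={strict:6s} default-permit={loose}")
```

The gopher and inbound-web packets are the interesting rows: no rule mentions them, so the two philosophies give opposite answers, which is exactly the difference between reacting to known problems and approving services one at a time. The dynamic block shows why a filter that reacts to events needs an expiry time, otherwise one burst of rejected packets turns into a permanent outage for that source.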
There are two philosophies of firewall packet filtering: (1) "that which is not expressly prohibited is permitted" and (2) "that which is not expressly permitted is prohibited." In the first philosophy, services are denied on a case-by-case basis allowing users considerable freedom. Filters may only be implemented in reaction to specific penetrations that have already occurred. In the second philosophy, services are approved on a case-by-case basis which has a restrictive effect on services. Filters are implemented proactively in an attempt to prevent penetrations from occurring in the first place.[41] Some Internet services can be more effectively handled with packet filtering (i.e. telnet, Email) while other Internet services can be more effectively handled at a higher level (ftp, gopher, web). A variant of packet filtering and a relatively new technique is called dynamic route filtering. In dynamic route filtering the firewall has the ability to dynamically add or delete entire sets of packet filters when a particular set of circumstances occurs. Possible triggering events for dynamic route filtering include day and time restrictions, traffic load shedding (maximum number of simultaneous connections), and known suspicious events.[1] With this technique, it is possible to have a firewall that detects suspicious activity automatically deny a computer access for a period of time. In the Chinese context, this technique can be used to dynamically alter filters in order to track and censor user communications that are likely to migrate to different network connections. The second level at which a firewall can function is the application level. An application level firewall has more control of a session since it creates and manages the actual connection. A firewall operating at the application level does not allow any packets to pass directly between two networks. Instead the firewall creates a special-purpose application called a proxy application.
The proxy application then determines whether to actually establish a connection to the requested destination computer on behalf of the originating computer. Proxies can perform sophisticated functions such as logging or user authentication and, because they are built to monitor specific protocols, proxies can enforce customized security options. The major limitation of an application-level firewall is that it requires a separate proxy for each Internet service to be supported. For every new protocol or Internet service that is developed, the firewall will have to add another proxy. Proxies affect transparency and degrade performance. The user interface for an Internet service might have to be modified to operate through a proxy and, because the proxies are executing on a firewall, there is a limit to the number of active simultaneous connections that can be supported. Network address translation (NAT) is one type of proxy service that executes on firewalls because a firewall is typically located at the ideal point to provide its services (the juncture between networks). NAT was developed to ease the shortage of IP addresses by allowing private numbering schemes on private networks. In IP addressing, each computer is given a globally unique address consisting of 32 bits but the explosive growth in TCP/IP networking has resulted in the rapid depletion of the available IP address space. NAT is based on the concept of IP address reuse by private networks (similar in concept to cellular telephone frequency reuse). NAT works by mapping private non-globally unique IP addresses to reusable globally unique addresses required for Internet communications. In NAT, mapping between local and global addresses is done dynamically. An Internet-bound packet sent by an internal computer in the private network follows default routes to the NAT. Upon receipt of the outbound packet, the source address is extracted and compared to an internal table of existing translations.
If the internal computer's address does not appear in the translation table, a new entry is created for that computer and it is assigned a globally unique IP address from the pool of available IP addresses. After a time-out period during which no packets are translated, the global address is freed for another internal computer. The NAT maintains a table of the destination address, port numbers, sequencing information, byte counts, and internal flags for each TCP connection associated with a particular computer's address translation. Inbound packets from the Internet will be compared against entries in the connection table and only permitted if an appropriate connection exists. There has been speculation about China being allocated a large globally-unique address space (i.e. class A addresses) or maybe using a private Chinese addressing scheme behind a firewall running a NAT.[10] A NAT proxy running on a firewall would enable Internet censorship because this would mean that China's networks could have a private IP address scheme and might not be interoperable with the rest of the Internet without going through a NAT. So a NAT implemented in firewalls would effectively force China's users through firewalls and discourage attempts to circumvent the firewall since this would only result in lack of interoperability. A NAT would, however, require DNS (domain naming system) coordination of all Chinese ISPs. There are performance tradeoffs depending on which level a firewall functions at. A firewall operating at the network level can operate faster, is transparent to users, and processes more packets per second (pps) especially if few filters are defined. Packet filtering is stateless, however: decisions are made without session context, and this may allow packets to slip by which are meant to be censored.
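The dynamic NAT procedure described above (first-use allocation from a pool, a per-connection table, inbound packets admitted only against an existing connection, and idle time-out freeing the global address), as an added simulation. This is illustrative code written for this edit, not the paper's or any vendor's implementation; the pool of two global addresses, the 300 second idle timeout and the 10.0.0.0/8, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed assumptions (the latter two are documentation ranges), and the connection table records only the four-tuple rather than the sequence numbers, byte counts and flags the text mentions.

```python
"""Dynamic network address translation as described in the text: a private
source address gets a global address from a pool the first time it sends a
packet outward, every TCP connection is recorded in a table, packets arriving
from the Internet are admitted only when they belong to a recorded connection,
and a mapping that stays idle longer than the timeout releases its global
address for reuse. Constructed simulation; addresses are documentation ranges,
not any real Chinese allocation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Conn = Tuple[str, int, str, int]  # (global addr, sport, remote addr, remote port)


class NAT:
    def __init__(self, pool: List[str], idle_timeout: float = 300.0):
        self.free = list(pool)                         # global addresses not currently mapped
        self.xlate: Dict[str, Tuple[str, float]] = {}  # private addr -> (global addr, last used)
        self.conns: Set[Conn] = set()                  # connections seen leaving the network
        self.idle_timeout = idle_timeout

    def _expire(self, now: float) -> None:
        """Free mappings (and their connections) that have been idle past the timeout."""
        for priv, (glob, last) in list(self.xlate.items()):
            if now - last > self.idle_timeout:
                del self.xlate[priv]
                self.conns = {c for c in self.conns if c[0] != glob}
                self.free.append(glob)

    def outbound(self, p: Packet, now: float) -> Optional[Packet]:
        """Rewrite an Internet-bound packet; None means the pool is exhausted and the packet is dropped."""
        self._expire(now)
        if p.src not in self.xlate:
            if not self.free:
                return None
            self.xlate[p.src] = (self.free.pop(0), now)
        glob = self.xlate[p.src][0]
        self.xlate[p.src] = (glob, now)  # refresh the idle timer
        self.conns.add((glob, p.sport, p.dst, p.dport))
        return Packet(glob, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet, now: float) -> Optional[Packet]:
        """Reverse-translate a packet from the Internet; None means no matching connection, so drop."""
        self._expire(now)
        if (p.dst, p.dport, p.src, p.sport) not in self.conns:
            return None
        for priv, (glob, _) in self.xlate.items():
            if glob == p.dst:
                self.xlate[priv] = (glob, now)
                return Packet(p.src, p.sport, priv, p.dport)
        return None


def demo():
    """Two global addresses serve three internal hosts: the third is refused until an
    earlier mapping times out; unsolicited inbound packets are always refused."""
    nat = NAT(pool=["203.0.113.1", "203.0.113.2"], idle_timeout=300)
    out_a = nat.outbound(Packet("10.0.0.5", 40000, "198.51.100.7", 80), now=0)
    out_b = nat.outbound(Packet("10.0.0.6", 40000, "198.51.100.7", 80), now=0)
    out_c_early = nat.outbound(Packet("10.0.0.7", 40005, "198.51.100.7", 80), now=1)
    reply_a = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 40000), now=2)
    stray = nat.inbound(Packet("198.51.100.9", 80, "203.0.113.1", 40000), now=3)
    out_c_late = nat.outbound(Packet("10.0.0.7", 40005, "198.51.100.7", 80), now=400)
    late_reply_a = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 40000), now=401)
    return {"out_a": out_a, "out_b": out_b, "out_c_early": out_c_early, "reply_a": reply_a,
            "stray": stray, "out_c_late": out_c_late, "late_reply_a": late_reply_a}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Two behaviours in the demo are the ones that matter for the text's argument: a packet from the Internet that matches no recorded connection is dropped even though its destination address is in the pool, and a reply that arrives after the mapping has timed out is dropped as well, because the global address has been handed to another internal host. An internal host that bypasses the NAT keeps its private address and, as the text says, simply is not reachable from the outside.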
In contrast, a firewall operating at the application level provides stronger session security and will not have to consider the complex interactions between potentially many packet filter rules.[7] A proxy, however, may not be transparent to users, only specific Internet services may be supported, and its performance will be heavily dependent on the number of simultaneous connections. The decision of which level is the most effective at which to operate a firewall for censorship is subjective.

The Singapore Broadcasting Authority (SBA) uses a firewall operating at the application level. SBA now requires all Internet users in Singapore to connect to the Internet through a proxy. Using a firewall at the application level allows the Singapore government to censor "dangerous" web sites discussing politics, religion, and pornography.[36]

Chinese firewall developments are said to be relying on Sun Microsystems firewalls to selectively block access to the Internet. At CIC, Herman Ho of Sun Microsystems says Sun software is being configured for firewall use where it will effectively filter information.[17] By using a firewall, the Chinese authorities intend to make it at least difficult and risky to violate the new Chinese Internet regulations. James Chu of CIC reassures his Chinese users that Internet e-mail will not be screened or read "unless you have broken the law".[37]

In forming a national firewall system, how fast will the firewalls need to process packets? Back-of-the-envelope calculations can provide some insight on this question. Packet filtering is a per-packet operation. The smallest possible TCP/IP packet (no data) is 40 bytes. Based on this packet size, the packet filtering speeds needed for China's current wide area serial connections to the Internet are: 200 pps for the 64 Kbps connection, 400 pps for the 128 Kbps connection, and 800 pps for the 256 Kbps connection. These packet filtering rates are well below the maximum speeds of available firewalls.
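The back-of-the-envelope calculation above, as an added worked example that is not from the paper, generalised to any link rate and packet size and to a firewall serving several links at once. The link rates are the ones the paper quotes (including the T1 and T3 rates discussed next), the 40-byte minimum TCP/IP packet is the paper's assumption, and the 1500-byte comparison case (a standard Ethernet-sized packet) is added here.

```python
"""Packet-rate budget for a packet-filtering firewall on serial links.

Added worked version of the paper's calculation; not code from the paper.
Link rates follow the text (which rounds T3 to 45 Mbps); the 1500-byte
packet size is a constructed comparison case.
"""
MIN_TCP_IP_BYTES = 40  # 20-byte IP header + 20-byte TCP header, no options, no data

# Serial link rates quoted in the text, in bits per second.
LINKS_BPS = {
    "64 Kbps": 64_000,
    "128 Kbps": 128_000,
    "256 Kbps": 256_000,
    "T1 (1.544 Mbps)": 1_544_000,
    "T3 (45 Mbps)": 45_000_000,
}


def required_pps(link_bps, packet_bytes=MIN_TCP_IP_BYTES):
    """Packets per second a per-packet filter must handle to keep up with a link.

    The worst case is a link saturated with the smallest possible packets, so
    the minimum packet size gives the maximum required rate.
    """
    return link_bps / (packet_bytes * 8)


def aggregate_pps(link_bps_list, packet_bytes=MIN_TCP_IP_BYTES):
    """Worst case for a firewall with several links: each must be served at line rate."""
    return sum(required_pps(bps, packet_bytes) for bps in link_bps_list)


def rate_table(packet_sizes=(MIN_TCP_IP_BYTES, 1500)):
    """Required pps for every quoted link at each packet size."""
    return {name: {size: required_pps(bps, size) for size in packet_sizes}
            for name, bps in LINKS_BPS.items()}


if __name__ == "__main__":
    for name, rates in rate_table().items():
        cells = ", ".join(f"{rate:9.1f} pps at {size} B" for size, rate in rates.items())
        print(f"{name:>16}: {cells}")
    # a firewall fronting the three slow links at once
    print("three slow links:", aggregate_pps([64_000, 128_000, 256_000]), "pps")
```

Larger packets lower the required rate in direct proportion, which is the point of the remark that real packets are not empty; a firewall with more than two interfaces must budget for the sum of its links.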
Actual TCP/IP packets will not be empty, thus further reducing the maximum packets-per-second rate required. At higher speed wide area serial connections to the Internet, firewalls will need to process 4,825 pps for a 1.544 Mbps connection (T1) and 140,625 pps for a 45 Mbps connection (T3). At these speeds and higher, requirements for firewall processing speeds will begin to constrain Internet service performance. A firewall with more than two connections will have even higher processing speed requirements.[6]

For the foreseeable future, new "third generation" firewalls will begin to synergistically combine network and application level filtering.[6] In the next generation network technology, ATM, it is not clear whether it will be possible to implement firewalls. The problem is that once an ATM virtual connection is set up, no intermediate devices process any of the transmitted cells. There have been proposals that an ATM firewall could be implemented at connection set-up time, with special information elements defined within signaling messages to indicate the actual higher layer application binding, such that intermediate switches could filter based on higher layer information.

In this section we have illuminated general firewall concepts and their applicability to the Chinese Internet context. While not directly stating which specific firewall techniques are being used by the Chinese authorities, the functionality is nonetheless clear - China has implemented a national firewall system. We challenge the Internet community to further describe the capabilities of China's national firewall system through experimentation and presentation of findings.

5.0 Conclusions

Internet censorship is not a Chinese or even Asian issue but rather a global issue.
While this research has looked exclusively at China, at the World Economic Forum's annual meeting in February 1996, Microsoft's Bill Gates noted that all countries felt the need to control what they perceived to be undesirable material: Germany with neo-Nazi newsgroups, the United Kingdom with national security information, France with medical/privacy laws, and the United States with the Communications Decency Act within the Telecommunications Act of 1996.[2]

For all the free speech potential that the Internet makes possible, if few people in China have access to the Internet due to lack of network access, bandwidth, a language encoding standard, or a registered Internet account, then the global Internet community will suffer from the lack of participation of one fifth of the world's population. If the people of China do gain access to the Internet but the information flow is censored, then it is debatable whether what was really gained is full Internet access after all.

In this paper we have described the status of Internet infrastructure in China and the Internet policies that are being implemented by the Chinese government. We have described non-technological and technological strategies that are being used to censor the Internet in China and other countries. We focused on a firewall-restricted intranet and described the potential censorship strategies that are likely in this environment.

The Great Wall is one of the most recognized symbols of China through the ages. A less visible yet equally significant (fire)wall has now emerged as a current symbol of China. A Chinese national firewall system threatens to impede not only Chinese Internet development but also to set a precedent for international transborder information flows. The Great Wall failed to prevent invaders, and censoring the Internet appears to be an equally futile exercise to limit free speech.
Just as the Great Wall is no longer a symbol of war but a meeting point for ideas and goods which binds China's many ethnic groups, each nation should reconsider the function of computer firewalls from Internet censorship to routing functions as Internet exchange points. To do otherwise will lead to segmenting the Internet and wither the global Internet community that has been evolving.

Acknowledgments:

We would like to thank the following experts on Chinese computer networking who made our professional exchanges so successful: Delegation Leader Ravi Sandhu, Professor and Associate Chairman, Information and Software Systems Engineering (ISSE) Department, George Mason University and Chairman ACM Special Interest Group on Security, Audit, and Control (SIGSAC); our exceptional national guide and Mandarin translator Ruiman (Raymond) Weng/CICCST; our Beijing city guide Ma Jing/CICCST; our Guangzhou city guide and Cantonese translator Meikuan Li/GICCSTC; Harold Chen/Shanghai Software Center; David Conrad/APNIC; Huang Degen/MPT(DCTRI); JunHua Fang/Shanghai Institute of Computing Technology; Wang Guihai/South China Normal University; Daoyuan Hu/Tsinghua University; L. K. Hwang/Shanghai University; Yin Cai Hua/CS&S; Qian Li/Shanghai Securities Exchange; Xing Li/CERNET/Tsinghua University; Xinming Li/CS&S; Xu Feng Li/Industrial & Commercial Bank of China; Qiyuan Liu/CS&S; Ma Xian-Yu - Chairman of the Committee on Computer Security/Shanghai Computer Society; Qin Guang and his entire staff/Shanghai Public Security Bureau; Yunlin Su/Jinan University; GuiHai Wang/South China Normal University; Jingyin Wang/Shanghai Institute of Computing Technology; Jianping Wu/CERNET; Xiao Xianxun and his entire staff - Beijing Division Chief/Ministry of Public Security; Ying Dong Luo/Public Security; Zhansheng Zhao/Beijing University; Xu Gui Zhen - Deputy Secretary General/Shanghai Computer Society; Zhang Zhiheng/MPT(DCTRI); Zong-Gui/Jiao Tong University; and a special thanks to the members of our delegation: Kathleen Harvey/Datapro; Edwin Heinlein/AVCOIN; Deborah Knowles/Deloitte and Touche; Eugene Kozik/Pennsylvania State University; James Morris/Trident Data Systems; Kevin Priest/Intel; Earnest Reigstad/Warner Lambert; Patricia Smith/Temple Junior College; James Snaith/South Bank University; and Thomas Wesley/University of Bradford.

References:

[1] Amoroso, Edward and Rondal Sharp. Intranet and Internet Firewall Strategies. Ziff-Davis Press, Emeryville CA, 1996.
[2] Ang, Peng Hwa and Berlinda Nadarajan. "Censorship and the Internet: A Singapore Perspective." Communications of the ACM, Vol. 39, No. 6, June 1996, pp. 72-78.
[3] Brauchli, Marcus W. et al. "Murdoch's Plans Could Aid China In Media Control." The Wall Street Journal, January 31, 1996, p. A6.
[4] Browning, John. "The Internet is Learning to Censor Itself." Scientific American, September 1996, p. 38.
[5] Carstens, Andrew. "International Networking - The Great WANs of China." LAN Magazine, August 1996, pp. 35-38.
[6] Chapman, D. Brent and Elizabeth Zwicky. Building Internet Firewalls. O'Reilly & Associates, Sebastopol CA, 1995.
[7] Cheswick, William and Steven Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading MA, 1994.
[8] "China Tells Internet Users To Register With Police." The Wall Street Journal, February 15, 1996, p. A11.
[9] Chen, Kathy. "China Bars Access To As Many As 100 Internet Web Sites." The Wall Street Journal, September 5, 1996, p. B12.
[10] David R. Conrad, personal correspondence, APNIC - Asia Pacific Network Information Center, United Nations University Headquarters, Tokyo, Japan.
[11] "Controlling the Internet, Chinese Style." The New York Times, February 5, 1996.
[12] Faison, Seth. "China Issues Rules to Control Internet." The New York Times, February 5, 1996.
[13] Frezza, Bill. "China Begins Building The Great Wall of Cyber." CommunicationsWeek, February 26, 1996, p. 43.
[14] Greenburg, L.T. and S.E. Goodman. "Is Big Brother Hanging By His Bootstraps?" Communications of the ACM, Vol. 39, No. 7, July 1996, pp. 11-15.
[15] Internet Draft draft-freed-charset-reg-00.txt, IANA Character Set Registration Process, ftp://ds.internic.net/internet-drafts/ {associates a name with a registered character set}
[16] Kabay, Michel E. et al. Journal of the Citizen Ambassador Program Computer Security Delegation To The People's Republic of China, April 7-21, 1994. Citizen Ambassador Program: Dr. Michel E. Kabay, Delegation Leader, Spokane, WA, 1994.
[17] Kahn, Joseph et al. "Chinese Firewall: Beijing Seeks to Build Version of the Internet That Can Be Censored." The Wall Street Journal, January 31, 1996, pp. A1, A4.
[18] Kahn, Joseph et al. "Beijing Seeks To Build Censored Version of the Internet." The Wall Street Journal Classroom Edition, April 1996, p. 23.
[19] Kaufman, Charlie, R. Perlman and M. Speciner. Network Security: Private Communication in a Public World. PTR Prentice Hall, Englewood Cliffs, New Jersey, 1995.
[20] Krantz, Michael. "China, Wired." Time, April 22, 1996, p. 73.
[21] "Lessons from China, In Chinese." The Economist, August 31, 1996, p. 32.
[22] Lewis, Peter H. "The Internet's Very Nature Defies Censorship by Government or Individual." The New York Times, January 15, 1996.
[23] Xing Li, personal correspondence, CERNET (China Education and Research Network Center) / Tsinghua University, Professor, Electronic Engineering Department, Beijing.
[24] Li, Xing. "China Education and Research Network: A Continuous Report." Inet'96 Conference Proceedings, Montreal Canada, 1996. http://info.isoc.org/isoc/events/inet/96/proceedings/
[25] Nemey, Chris. "'Net Freedom Limited Abroad." Network World, Vol. 13, No. 27, July 1, 1996, pp. 1, 10.
[26] "NetNanny States." The Economist, September 14, 1996, p. 34.
[27] Ning, Yutian. "Present Situation and Development Framework of CSTNET." Proceedings of the 1996 International Conference on Information Infrastructure (ICII'96), April 1996, pp. 706-710.
[28] Orwell, George. 1984. Originally published 1949.
[29] Parker, Jeffrey. "China and the Internet: Pushing the Limits of Tolerance." The New York Times, February 21, 1996.
[30] Press, Larry. "Eye on Emerging Nations: China - Cisco to Provide Internet Access in 30 Provinces in China." OnTheInternet, January/February 1996.
[31] Rausch, Howard. "China's Great Leap in Telecom." Photonics Spectra, May 1996, pp. 25-26.
[32] RFC 1922 - Chinese Character Encoding for Internet Messages, ftp://ds.internic.net/rfc/rfc1922.txt {describes method of transporting Chinese characters in Internet services}
[33] Richburg, Keith B. "A Great Wall of China Slowly Gives Way." The Washington Post, April 8, 1996, pp. A1, A18.
[34] Schoof, Renee. "Chinese Government Sole Access to Internet." Los Angeles Times, May 12, 1996, p. A12.
[35] Schoof, Renee. "Entrepreneur Wants All China In Her Net." Los Angeles Times, July 7, 1996, p. D7.
[36] "Singapore's Single Point of Censorship." InformationWeek, September 9, 1996, p. 10.
[37] Sorenson, Karen. "Silencing the Net: The Threat to Freedom of Expression On-Line." Human Rights Watch, Vol. 8, No. 2 (G), May 1996.
[38] "Surfing Censor." Far Eastern Economic Review, February 8, 1996.
[39] Tan, Zixiang. "China's Information Superhighway: What Is It and Who Controls It." Telecommunications Policy, Vol. 19, No. 9, 1995, pp. 721-731.
[40] Tempest, Rone. "Wiring China." Los Angeles Times, July 1, 1996, p. D1.
[41] Weiss, Martin. Communications Security and Vulnerability. Custom Course Material Packet for TELCOM 2101, University of Pittsburgh, Fall 1995.
[42] Zhu, Qiang. "Latest Development of Internet in Mainland China." CALA 1995 Annual Conference Proceedings, Chicago, June 1995.
[43] http://www.odci.gov/cia/publications/95fact/index.html

APPENDIX A

Partial List of Professional Exchange Locations, Data and Computer Security Delegation to the People's Republic of China, May 18 - May 31, 1996

* China National Computer Software and Technology Service Corporation (CS&S), Beijing.
* The Industrial and Commercial Bank of China Guangzhou Branch, Guangzhou.
* Jiao Tong University, Shanghai.
* Ministry of Posts and Telecommunications, Data Communications Technology Institute, Beijing.
* Ministry of Public Security, Computer Management and Inspection Bureau, Beijing.
* Shanghai Computer Society, Shanghai.
* Shanghai Computer Technology Institute, Shanghai.
* Shanghai Securities Exchange, Shanghai.
* Tsinghua University / CERNET Network Research Center, Beijing.

APPENDIX B

Registration Form for International Networking of Computer Information System in P. R. C. {graphic not linked}