In countries like U.S. and UK, virtual private networks (VPN) are the tools of cybersecurity experts, activists, whistleblowers, investigative journalists and privacy-aware users.
But for many in China, VPNs are part of the everyday life. Millions of users depend on them every day to circumvent the government-imposed block on Facebook, YouTube, Twitter, Gmail, Google Search and hundreds of other popular online services and publications such as New York Times.
However, those days might soon come to an end. According to Chinese authorities, by the end of March 2018, the government will shut down or ban all VPN services it hasn’t authorized, which means all services it doesn’t have visibility into.
While this is not the first clampdown on VPN services by the Chinese government, it’s by far the most severe, and it raises new worries for the privacy of the country’s citizens.
China’s strict censorship regime
Famously known as the Great Firewall, a reference to the historical structure built to protect the country’s borders, China’s internet censorship and surveillance started in 2000 and eventually developed to become the most sophisticated and comprehensive system of censorship in the world.
The Chinese government closely controls and monitors its citizens’ access to the endless sea of information available on the internet through close cooperation with the country’s largest technology and telecommunications companies.
China isn’t the only country to set blocks and restrictions on the internet, but it is by far the most capable.
China is the most powerful and effective censor and internet snoop in the world
Part of that is because it houses large tech firms such as Baidu, Alibaba and Tencent. These companies provide alternate services to substitute those provided by companies such as Google and Facebook. But what makes them different is their willingness to openly share their users’ data with the government.
In response to the government ban, Chinese users have flocked to VPN services, which help circumvent the government censors and monitors by encrypting internet traffic and channeling it through intermediate servers.
The clampdown on VPN services
China has periodically tightened up its censorship measures during events and situations that are politically sensitive.
For instance, last July, after the death of dissident and Nobel Peace Prize winner Liu Xiabao, the Chinese government engaged in widespread efforts to censor news of his death and to delete posts on Chinese social media that sympathized with Xiabao and supported his activism.
Later in October, ahead of the Communist Party gathering, China began blocking the WhatsApp, one of the few foreign messaging services available in the country.
While China has officially banned the use of VPNs, it has, to some extent, allowed VPN providers to operate on its soil partly because it can’t shut off its businesses and institutions completely from the outside world.
Approved individuals and businesses can obtain access to the global internet through state-run telecom services such as China Mobile and China Unicom.
However, those providers share their data with the Chinese government and will only provide access to entities that have obtained permission from the government.
That’s why many users use unlicensed VPN services that are not controlled by the government.
China long turned a blind eye to unofficial VPN use but is now only permitting access to state-run and -monitored services
Like other internet services, access to VPNs has fluctuated over time. Last year, a report by Bloomberg revealed that Chinese authorities had ordered state-run telecommunication firms to completely block their customers from using unlicensed VPN services by February 2018.
Around the same time, several VPN services declared to their clients they would be halting their services, and shortly after, China ordered Apple to remove VPN apps from the Chinese version of its App Store. Apple, which had resisted an FBI order to help circumvent the security locks of iPhones, yielded to the demands of China.
In December, a man in southern China was fined 500,000 yuan and sentenced to five and a half years in prison for running an unlicensed VPN service.
China’s cat-and-mouse game with VPN services
In addition to an army of specialist who work to disrupt the use of VPNs, the Chinese government also has the cooperation of internet service providers (ISPs) such as China Mobile, China Unicom and China Telecom.
The Chinese government uses several methods to detect VPN traffic. The first involves identifying the internet protocol (IP) addresses of the servers of VPN services and blocking all incoming and outgoing traffic.
This method is effective against VPNs that work on a limited set of IP addresses. Several VPN services are renting extra servers on Amazon Web Services and other public cloud providers to circumvent the blocks.
A second method to block VPN services is by analyzing internet traffic. As it happens, VPN traffic stands out like a torch in darkness.
Any computer that has is exchanging a constant stream of encrypted data with a single IP address is suspect of using a VPN service. ISPs are in a favorable position to detect and block VPN traffic since they’re the gatekeepers to internet.
VPN services such as VyprVPN, ExpressVPN and NordVPN, which remain accessible – for now – in China, are working on new techniques to make their users’ activities look like permitted traffic.
This includes renting IP addresses that are also being used for government-approved services or mixing VPN traffic with dummy traffic to unblocked services.
The alternatives to the handful of foreign VPNs still outsmarting the censors are far from consumer-friendly options
Tech-savvy users are taking matters into their own hands and setting up their own personal VPN servers in the cloud. Finding personal VPNs is a lot harder for the government, but the setup process is also more difficult and a lot costlier.
Another popular workaround against government censorship Tor, a network of volunteer computers that encrypt and circulate internet traffic to circumvent surveillance and censorship.
Tor traffic is generally blocked in China, but there are relatively complicated solutions such as redirecting traffic through Amazon or Microsoft Azure cloud.
Another method is SSH tunneling, a technique that creates an ad-hoc encrypted communications channel between two remote computers and channels all internet traffic through it.
What’s the outlook for China?
VPN providers are constantly coming up with new methods to help circumvent censorship. But countering the Chinese government’s block on VPNs is becoming increasingly difficult and costly.
While Beijing knows that nothing short of completely cutting off the internet will enable it to totally block VPN traffic, it knows that if it raises the costs and barriers enough, most users will give up using VPN services, and only a marginal few who are stubborn and savvy enough will continue to circumvent its censorship.
China’s escalating war on VPN services happens against the backdrop of a President Xi Jinping’s “cyber sovereignty” program, a campaign that follows a trend of tighter controls on online speech and civil society.
Blocking VPN services will also enable Beijing to pursue its ambitious and creepy Social Credit System (SCS) program.
The VPN ban is a critical part of the creepy looming social credit system
Slated to roll out in 2020, the SCS, which is being developed in cooperation with the country’s largest tech firms, will rate each citizen based on all their online activities, including the websites they visit, their interactions on social media platforms, their shopping habits, their private conversations and correspondences and more.
Ratings will determine things such as whether a citizen is eligible for loan, government jobs and traveling abroad. The program will hinge on Chinese authorities having full visibility into the online activities of the country’s citizens, especially those they try to hide from the government.
This makes the VPN ban a crucial element of the SCS.
The consequences of China’s clampdown on VPN services will be especially dire for activists and dissidents, who will find themselves with increasingly limited means to access information and express their thoughts and opinions.
But the effects will also expand to the average citizens who had been using VPNs for apolitical purposes, such as accessing Netflix and YouTube.
Without the protection of VPN and with the shadow of government surveillance and the citizen rating program looming, Chinese users will be pushed toward self-censorship, fearing that anything they do will negatively affect their access to social and government services.
This can affect people who have relatives in foreign countries, or whose business depends on communications with foreign organizations and firms.
With everything being channeled exclusively through the Chinese government, users might forgo many of their activities for the sake of privacy or fear of future government backlashes.
How will this affect access to VPN elsewhere in the world?
Analysts are afraid that China’s battle on VPN service will set a dangerous precedent across the world.
To be fair, few countries have China’s resources and conditions to fight against VPNs.
For instance, the U.S. and UK governments both have comprehensive surveillance programs, but the constitution prevents them from adopting measures like those of the Chinese government.
However, Beijing’s war of attrition on VPN and technologies that cloak internet traffic might give these and other states ideas for their own surveillance and censorship programs.
Russia, which is also implementing its own set of restrictions on VPN and proxy services, will be looking at how China’s ban unfolds.
The privacy and digital freedom community won’t be sitting idly either.
Privacy advocates and experts, and organizations such as the Electronic Frontier Foundation will be closely following the situation and will develop tools and guides to help Chinese citizens to maintain their free access to the internet.
While this battle is being fought in China, the impact and outcome might affect many more netizens across the world.