As more countries crack down on Internet use, people around the world are turning to anti-censorship software that lets them reach blocked websites. Many types of software, also known as circumvention tools, have been created to answer the threat to freedom online. These tools provide different features and levels of security, and it is important for users to understand the tradeoffs.
This article lays out ten features you should consider when evaluating a circumvention tool. The goal is not to advocate for any specific tool, but to point out what kinds of tools are useful for different situations. I have chosen the order of features based on ease of presentation, so you should not conclude that the first feature is the most critical.
One caveat to start out: I am an inventor and developer of a tool called Tor that is used both for privacy and for circumvention. While my bias for more secure tools like Tor shows through here based on which features I have picked (meaning I raise issues that highlight Tor’s strengths and that some other tool developers may not care about), I have also tried to include features that other tool developers consider important.
Internet-based circumvention software consists of two components: a relaying component and a discovery component. The relaying component is what establishes a connection to some server or proxy, handles encryption, and sends traffic back and forth. The discovery component is the step before that—the process of finding one or more reachable addresses.
Some tools have a simple relaying component. For example, if you are using an open proxy, the process of using the proxy is straightforward: you configure your web browser or other application to use the proxy. The big challenge for open proxy users is finding an open proxy that is reliable and fast. On the other hand, some tools have much more sophisticated relaying components, made up of multiple proxies, multiple layers of encryption, and so on.
One of the simplest questions you can ask when looking at a circumvention tool is who else uses it. A wide variety of users means that if somebody finds out you are using the software, they cannot conclude much about why you are using it. A privacy tool like Tor has many different classes of users around the world (ranging from ordinary people and human rights activists to corporations, law enforcement, and militaries), so the fact that you have Tor installed does not give people much additional information about who you are or what sorts of sites you might visit. On the other hand, imagine a group of Iranian bloggers using a circumvention tool created just for them. If anybody discovers that one of them is using it, they can easily guess why.
Beyond technical features that make a given tool useful to a few people in one country or people all over the world, marketing plays a big role in which users show up. A lot of tools spread through word of mouth, so if the first few users are in Vietnam and they find it useful, the next users will tend to be from Vietnam too. Whether a tool is translated into some languages but not others can also direct (or hamper) which users it will attract.
The next question to consider is whether the tool operator artificially restricts which countries can use it. For several years, the commercial tool Anonymizer.com made its service free to people in Iran. Thus connections coming from Anonymizer’s servers were either paying customers (mostly in America) or people in Iran trying to get around their country’s filters.
For more recent examples, Your Freedom restricts free usage to a few countries like Burma, while systems like Freegate and Ultrasurf outright block connections from all but the few countries that they care to serve (China and, in the case of Ultrasurf, recently Iran). On the one hand, this strategy makes sense in terms of limiting the bandwidth costs. But on the other hand, if you are in Saudi Arabia and need a circumvention tool, some otherwise useful tools are not an option for you.
If you are going to invest the time to figure out how to use a given tool, you want to make sure it is going to be around for a while. There are several ways that different tools ensure their long-term existence. The three main approaches are the use of volunteers, making a profit, and getting funds from sponsors.
Networks like Tor rely on volunteers to provide the relays that make up the network. Thousands of people around the world have computers with good network connections and want to help make the world a better place. By joining them into one big network, Tor ensures that the network is independent from the organization writing the software; so the network will be around down the road even if The Tor Project as an entity ceases to exist. Psiphon takes the second approach: collecting money for service. They reason that if they can create a profitable company then that company will be able to fund the network on an ongoing basis. The third approach is to rely on sponsors to pay for the bandwidth costs. The Java Anon Proxy, or JAP, project relied on government grants to fund its bandwidth; now that the grant has finished, they are investigating the for-profit approach. Ultrareach and Freegate use the “sponsor” model to good effect, though they are constantly hunting for more sponsors to keep their network operational.
After asking about the long-term survival of the network, the next question to ask is about sustainability of the software itself. The same three approaches apply here, but the examples change. While Tor’s network is operated by volunteers, Tor relies on sponsors (governments and NGOs) to fund new features and software maintenance. Ultrareach and Freegate, which also receive some government funding, are in a more sustainable position with respect to software updates: they have a team of individuals around the world, mostly volunteers, devoted to making sure the tools are one step ahead of censors.
Each of the three approaches can work, but understanding the approach a tool uses can help you predict what problems it might encounter in the future.
The first step to transparency and reusability of the tool’s software and design is to distribute the software (not just the client-side software, but also the server-side software) under an open source license. Open source licenses mean that you can examine the software to see how it really operates, and you have the right to modify the program. Even if not every user takes advantage of this opportunity (many people just want to use the tool as-is), the fact that some users can makes it much more likely that the tool will remain safe and useful. Without this option, you are forced to trust that a small number of developers have thought of and addressed every possible problem.
Just having an open software license is not enough. Trustworthy circumvention tools need to provide clear, complete documentation for other security experts— not just how it is built but what features and goals its developers aimed for. Do they intend for it to provide privacy? What kind and against what attackers? In what way does it use encryption? Do they intend for it to stand up to attacks from censors? What kinds of attacks do they expect to resist and how will their tool resist them? Without seeing the source code and knowing what the developers meant for it to do, it is harder to decide whether there are security problems in the tool, or to evaluate whether it will reach its goals.
In the field of cryptography, Kerckhoffs’ principle explains that you should design your system so the amount you need to keep secret is as small and well-understood as possible. That is why crypto algorithms have keys (the secret part) and the rest can be explained in public to anybody. Historically, any crypto design that has a lot of secret parts has turned out to be less safe than its designers thought. Similarly, in the case of secret designs for circumvention tools, the only groups examining the tool are its original developers and its attackers; other developers and users who could help to make it better and more sustainable are left out.
Ideas from one project could be reusable beyond that project’s lifetime. Too many circumvention tools keep their designs secret, hoping that government censors will have a harder time figuring out how the system works, but the result is that few projects can learn from other projects and the field of circumvention development as a whole moves forward too slowly.
Another feature to look for in a circumvention tool is whether its network is centralized or decentralized. A centralized tool puts all of its users’ requests through one or a few servers that the tool operator controls. A decentralized design like Tor or JAP sends the traffic through multiple different locations, so there is no single location or entity that gets to watch what websites each user is accessing.
Another way to look at this division is based on whether the trust is centralized or decentralized. If you have to put all your trust in one entity, then the best you can hope for is “privacy by policy”—meaning they have all your data and they promise not to look at it, lose it, or sell it. The alternative is what the Ontario Privacy Commissioner calls “privacy by design”—meaning the design of the system itself ensures that users get their privacy. The openness of the design in turn lets everybody evaluate the level of privacy provided.
This concern is not just theoretical. In early 2009, Hal Roberts from the Berkman Center ran across a FAQ entry for a circumvention tool that offered to sell its users’ clicklogs. I later talked to a different circumvention tool provider who explained that they had all the logs of every request ever made through their system “because you never know when you might want them.”
I have left out the names of the tools here because the point is not that some tool providers may have shared user data; the point is that any tool with a centralized trust architecture could share user data, and its users have no way to tell whether it is happening. Worse, even if the tool provider means well, the fact that all the data flows through one location creates an attractive target for attackers to come snooping. Therefore, centralized designs also present serious privacy concerns in terms of what protections users can expect and verify on their own.
Many of these tools see circumvention and user privacy as totally unrelated goals. This separation is not necessarily bad, as long as you know what you are getting into—for example, we hear from many people in censoring countries that just reading a news website is not going to get you locked up. But as we have been learning in many other contexts over the past few years, large databases of personal information tend to end up more public than we would like.
Privacy is not only about whether the tool operator can log your requests. It is also about whether the websites you visit can recognize or track you. Remember the case of Yahoo turning over information about one of its Chinese webmail users? What if a blog aggregator wants to find out who is posting to a blog, or who added the latest comment, or what other websites a particular blogger reads? Using a safer tool to reach the website means the website will not have as much to hand over.
Some circumvention tools are safer than others. At one extreme are open proxies. They often pass along the address of the client with their web request, so it is easy for the website to learn exactly where the request is coming from. At the other extreme are tools like Tor that include client-side browser extensions to hide your browser version, language preference, browser window size, time zone, and so on; segregate cookies, history, and cache; and prevent plugins like Flash from leaking information about you.
This degree of application-level protection comes at a cost though: some websites do not work correctly. As more websites move to the latest “web 2.0” fads, they require more and more invasive features with respect to browser behavior. The safest answer is to disable the dangerous behaviors—but if somebody in Turkey is trying to reach Youtube and Tor disables his Flash plugin to keep him safe, his videos will not work.
No tools have solved this tradeoff well yet. Psiphon manually evaluates each website and programs its central proxy to rewrite each page. Mostly they do this rewriting not for privacy but to make sure all links on the page lead back to their proxy service. However, the result is that if they have not manually vetted your destination site yet, it probably will not work for you. As an example, they seem to be in a constant battle to keep up with Facebook’s changing frontpage. Tor currently disables some content that is probably safe in practice because we have not figured out a good interface to let the user decide in an informed way. Still other tools just let through any active content, meaning it is a trivial task to unmask their users
I should draw a distinction here between encryption and privacy. Most circumvention tools (all but the really simple ones like open proxies) encrypt the traffic between the user and the circumvention provider. They need this encryption to avoid the keyword filtering done by such censors as China’s firewall. But none of the tools can encrypt the traffic between the provider and the destination websites—if a destination website does not support encryption, there is no magic way to make the traffic encrypted.
The ideal answer would be for everybody to use https (also known as SSL) when accessing websites, and for all websites to support https connections. When used correctly, https provides encryption between your web browser and the website. This “end-to-end” encryption means nobody on the network (not your ISP, not the backbone Internet providers, and not your circumvention provider) can listen in on the contents of your communication. But for a wide variety of reasons, pervasive encryption has not taken off. If the destination website does not support encryption, the best you can do is 1) not send identifying or sensitive information, such as a real name in a blog post or a password you do not want other people to learn, and then 2) use a circumvention tool that does not have any trust bottlenecks that allow somebody to link you to your destinations despite the precautions in step 1.
Alas, things get messy when you cannot avoid sending sensitive information. Some people have expressed concern over Tor’s volunteer-run network design, reasoning that at least with the centralized designs you know who runs the infrastructure. But in practice it is going to be strangers reading your traffic either way—the tradeoff is between volunteer strangers who do not know it is you (meaning they cannot target you), or dedicated strangers who get to see your entire traffic profile (and link you to it). Anybody who promises “100 percent security” is overselling something.
The next feature you might look for in a circumvention tool is speed. Some tools tend to be consistently fast, some consistently slow, and some provide wildly unpredictable performance. Speed is based on many factors, including how many users the system has, what the users are doing, how much capacity there is, and whether the load is spread evenly over the network.
The centralized-trust designs have two advantages here. First, they can see all their users and what they are doing, meaning they have a head start at spreading them out evenly and discouraging behaviors that tax the system. Second, they can buy more capacity as needed, so the more they pay the faster the tool is. The distributed-trust designs on the other hand have a harder time tracking their users, and if they rely on volunteers to provide capacity, then getting more volunteers is a more complex process than just paying for more bandwidth.
The flip side of the performance question is flexibility. Many systems ensure good speed by limiting what their users can do. While Psiphon prevents you from reaching sites that they have not manually vetted, Ultrareach and Freegate may actively censor which destination websites you are allowed to reach so they can keep their bandwidth costs down. Tor, by contrast, lets you access any protocol and destination, meaning, for example, you can instant message through it too, but the downside is that the network is often overwhelmed by users doing bulk transfer.
Once a circumvention tool becomes well-known, its website is going to get blocked. If it is impossible to get a copy of the tool itself, who cares how good it is? The best answer here is to not require any specialized client software. Psiphon, for example, relies on a normal web browser so it does not matter if the censors block their website. Another approach is a tiny program like Ultrareach or Freegate that you can instant message to your friends. Option three is Tor’s Browser Bundle: it comes with all the software you need preconfigured, but since it includes large programs like Firefox it is harder to pass around online. In that case distribution tends to be done through social networks and USB sticks, or using our email auto-responder that lets you download Tor via Gmail.
Then you need to consider the tradeoffs that come with each approach. First, which operating systems are supported? Psiphon does well here too by not requiring any extra client software. Ultrareach and Freegate are so specialized that they only work on Windows, whereas Tor and its accompanying software can run pretty much everywhere. Next, consider that client-side software can automatically handle failover from one proxy to the next, so you do not need to manually type in a new address if your current address disappears or gets blocked.
Last, does the tool have a track record for responding to blocking? For example, Ultrasurf and Freegate have a history of releasing quick updates when the current version of their tool stops working. They have a lot of experience at this particular cat-and-mouse game, so it is reasonable to assume they are ready for the next round. Along these lines, Tor prepared for its eventual blocking by streamlining its network communications to look more like encrypted web browsing, and introducing unpublished “bridge relays” that are harder for an attacker to find and block than Tor’s public relays. Tor tries to separate software updates from proxy address updates—if the bridge relay you are using gets blocked, you can stick with the same software and just configure it to use a new bridge address. Our bridge design was put to the test in China in September of 2009, and tens of thousands of users seamlessly moved from the public relays to bridges.
Many circumvention tools launch with a huge media splash. The media loves this approach, and they end up with front page articles like “American hackers declare war on China!” But while this attention helps attract support (volunteers, profit, sponsors), the publicity also attracts the attention of the censors.
Censors generally block two categories of tools: 1) the ones that are working really well, meaning they have hundreds of thousands of users, and 2) the ones that make a lot of noise. In many cases censorship is less about blocking all sensitive content and more about creating an atmosphere of repression so people end up self-censoring. Articles in the press threaten the censors’ appearance of control, so they are forced to respond.
The lesson here is that we can control the pace of the arms race. Counterintuitively, even if a tool has many users, as long as nobody talks about it much, it tends not to get blocked. But if nobody talks about it, how do users learn about it? One way out of the paradox is to spread through word of mouth and social networks rather than the more traditional media. Another approach is to position the tool in a different context— for example, we present Tor primarily as a privacy and civil liberties tool rather than a circumvention tool. Alas, this balancing act is tough to maintain in the face of increasing popularity.
This article explains some of the issues you should consider when evaluating the strengths and weaknesses of circumvention tools. I have intentionally avoided drawing up a table of different tools and scoring them on each category. No doubt somebody will do that eventually and sum up how many check marks each tool gets, but the point here is not to find the “best” tool. Having a diversity of circumvention tools in wide use increases robustness for all the tools since censors have to tackle every strategy at once.
Last, we should keep in mind that technology will not solve the whole problem. After all, firewalls are socially very successful in some countries. As long as many people in censored countries are saying, “I’m so glad my government keeps me safe on the Internet,” the social challenges are at least as important. But at the same time, there are people in all of these countries who want to access and spread information online, and a strong technical solution remains a critical piece of the puzzle.
[This article is licensed under the Creative Commons Attribution 3.0 United States License. Originally written for the March 2010 Index on Censorship. Last updated January 23, 2010.]