Jordan does not block, it throttles internet access (netzpolitik.org)
133 points by ericdanielski on March 11, 2020 | 48 comments



Egypt does something similar. They do "soft blocks" where a site they don't like will be sporadically blocked and unblocked on different ISPs, on-and-off. Visitors of that site learn to expect that the site may or may not load when they try to access it, so they bleed away and just stop trying to access it.

And the government can just say they're not blocking anyone and that it's ISP-related technical issues.

Source: am originally from Egypt and my previous startup, an independent news aggregate, is suffering this fate.


Routing traffic through a giant cdn like cloudfront + eSNI + encrypted DNS should finally put a stop to that.


Followed promptly by the rubber hose, because technical tricks are not a solution to jack-booted thugs.


I mean, they are in the case where the trick applies equally to everybody and there’s no single person who can be rubber-hosed to put a stop to it. (Cloudflare wouldn’t be an example of this, but IPFS would.)

Secret-ballot elections are a good, clear example of a “technical trick” that works out for real political effects. You can’t rubber-hose people into voting for you, if you can’t know where to spend your resources; and you can’t know where to spend your resources, if you can’t spy on the polls. So every individual poll just needs to choose to set up the “technology” of secret ballots (voting screens, ballot boxes, separate sign-in and vote steps, etc.) and, in aggregate, your attempt at manipulation will be stymied. And you can’t just shut down the people who make (voting screens, ballot boxes, clipboards and lists, etc.) because all those things are easy DIY projects with no monopolist producer†.

† This is an under-reported reason why we shouldn’t be using voting machines. They put us in the precarious situation where there’s a centralized supply-side to secret-ballot elections, that could be choked off by a nascent dictator.


"Secret-ballot elections are a good, clear example of a “technical trick” that works out for real political effects. You can’t rubber-hose people into voting for you.."

That's an easy one to solve with a rubber hose and a bit of politics: Get people to approve vote-by-mail. Just scream at any opponent that he's suppressing votes and don't mention any reasonable non-mail related alternative solutions to that.

Once there's sufficient voting by mail (make ballot access difficult if it's not popular enough), you can directly apply all the things you mention by controlling USPS.


Is this something site owners themselves can set up, or does it require that users use a special client or special DNS config? If you have any links, I'm sure a lot of people reading this thread would really appreciate it.


The CDN (Cloudflare etc) is something the sites set up. Encryption of DNS happens on the users’ side, but I believe it’s something browsers are starting to enable by default.


sorry for the late follow up.

the idea is your connection to an unwanted site has to be singled out before it can be throttled.

AFAIK website connections can be singled out by:

- unique server IP (countered by sharing server IP with many -> CDN)

- Server Name Indicator (countered by encrypted SNI)

- DNS (countered by encrypted DNS, eg. DNS over HTTPS)

They'd have to throttle the whole CDN.

eSNI and DNSoverHTTPS are on their way to be included in every major browser.


This is actually a pretty common tactic among Internet censors. The Chinese have been using this for a few years; whenever it detected an unknown protocol that looked like tunneling or VPN, it just throttles it (introducing high packet loss) without necessarily completely cutting off the connection.

Here's someone's experience: http://blog.zorinaq.com/my-experience-with-the-great-firewal...


The most insidious part of this is I've never been sure if use of the site was being discouraged by the powers that be or if a more mundane, sensible explanation existed. It could be the authorities effectively censoring, it could be Chinese internet companies wanting Western competitors to have a reputation for being slow and unreliable, it could just be mundane technicalities like not bothering with peerage agreements for economic reasons, or it could be an alignment of interests between all of the above. I think not knowing who or what to blame, or even if there is a problem other than your personal connection, is the point. "My connection to certain sites seems inconveniently slow and maybe the government is doing it" is just way less sharp than "the government won't let me see this and likely has something to hide."

As counter-intuitive as it is, throttling without blocking is a more effective form of information control than blatantly blocking. The flow of information, like the flow of a river, cannot be stopped but it can be diverted and otherwise engineered.


To a user in China, the impression given is a lot like:

"Wow, Chinese websites are so much more responsive than American ones. I guess we're really far ahead of them in internet speed and usability."

Rather than "ah, there goes the government throttling foreign websites again."


There is certainly a push to use websites and infrastructure hosted in China. As it's no surprise a number of non-China popular websites don't even resolve properly from a DNS perspective there. So for most of the population the sites just don't exist.


> As counter-intuitive as it is, throttling without blocking is a more effective form of information control than blatantly blocking.

This is equally true for removing problematic users from a site. Outright banning them might anger them to the point of becoming a bigger nuisance, but throttling them (without their knowledge) is more likely to just bore them into targeting another service.

I know I've seen others here talk about this technique too, but I'm blanking on specific examples.


A social media site I use restricts problematic posters to one message per day.


Shadow banning is incredibly effective for a while, yes.


In this case I'm talking about slowbanning: https://blog.codinghorror.com/suspension-ban-or-hellban/

> A slowbanned user has delays forcibly introduced into every page they visit. From their perspective, your site has just gotten terribly, horribly slow. And stays that way. They can hardly disrupt the community when they're struggling to get web pages to load. There's also science behind this one, because per research from Google and Amazon, every page load delay directly reduces participation. Get slow enough, for long enough, and a slowbanned user is likely to seek out greener and speedier pastures elsewhere on the internet.


>Chinese internet companies wanting Western competitors to have a reputation for being slow and unreliable

Someone from US chamber of commerce Shanghai mentioned one of the disadvantages of expats working in China is slower workflow due to dependence on throttled western internet. Foreign companies are already structurally slow compared to domestic companies, frequently having to negotiate management structures between different time zones and generally less agile due to having more bureaucratic layers. It's an asymmetric problem for Chinese companies abroad, much less western expats have mandarin fluency compared to Chinese expats who tend to be multilingual. Sometimes English as modern lingua franca backfires. Similarly, many Chinese sites are banned or throttled from access when you live in the west, Chinese diaspora hilariously depend on VPN to access many Chinese websites while abroad. One would think the Chinese government would want to make it less hard to stay connected with the diaspora, but it's probably weighted against risk of foreign influence.


The only Chinese sites I know of that are blocked abroad are the ones that are distributing TV shows and other media without paying for the IP. I don't really think of those as the same thing, but if I were to put on my contrarian hat I suppose I would say there is no such thing as a priori illegitimate content which is universally accepted as ok to block. It is legitimate to block things which break the law, and the stuff which is blocked in either country breaks the laws of the respective regions.

Taking my hat off, I think this is a false equivalence. Every country, nay every civilization ever, has laws against stealing. Theft is universally acknowledged as an illegitimate activity.


Some examples of links posted to HN which were accessible only from within China at the time:

https://news.ycombinator.com/item?id=15462708

https://news.ycombinator.com/item?id=16406245

Chinese streaming sites like Bilibili that block non-Chinese users from watching certain shows are probably paying for the IP, but only have a license for China, so they need to block everyone else.

You seem to be thinking about foreign governments blocking Chinese sites, but that's pretty insignificant compared to Chinese sites blocking foreign IPs from accessing them.


In fact this does not have to be intentional. Transit through other networks costs money and Chinese ISPs rarely enter into peering agreements with other ISPs because there is relatively little inbound traffic from abroad (notwithstanding a lot of outbound ddos traffic, but I digress). Hence the situation is that even without any overt political motive, it is in the ISP's financial interest to throttle connections to anywhere outside their own infrastructure. Until a few years ago it's not common for Chinese datacenters to rent several drops each connected to a different ISP because interconnection between them is very limited.


There are three main carriers into China. China Telecom (CT), China Unicom (CU) and China Mobile (CM). Each one of them runs their intl connectivity hot during peak hours (they buy from a number of other carriers): in both directions and DDoS is part of that. They're slow to upgrade and when they do it fills up fast. That said, the China GFW runs even hotter. There are several GFW complexes in China that the govt runs and each carrier has to run circuits thru them and give access to the govt to login and config mode to the routers that surround the GFW middle boxes (which are Huawei or ZTE boxes). The govt steer specific IP prefixes/subnets to diff fws due to the fact that they can't store all the rules on every box within that layer. The GFW is the biggest bottleneck as the govt upgrades them maybe twice a year. I've seen it run hot for 16+ hours a day in certain cities.


This is quite true. About a decade ago GFW was a simple IDS that occasionally sent RST packets down the pipes. Nowadays it's much more complicated. I've witnessed the GFW upgrade in process several times in which they default to drop every cross border connection over port 80 but allow everything else through, then gradually going back to normal one route at a time.

However I'm not sure if the GFW is to blame for every case of passive throttling. Certain provinces have it better than others and there is no obvious pattern, especially CMCC which constantly have issues connecting to domestic services, but otherwise has very little throttling once you know how to get past the GFW. The same cannot be said for other providers which throttles home users extra hard so their capacity can be sold to business customers.


The RST cannons still exist and they usually offload that in the domestic China networks to take the load off the GFW. The operators have to pay for them, though :(

As for the GFW's tactics they've certainly expanded things into jacking with TLS in addition to a few other things.

Nice to meet another person who struggles with China and knows what they're talking about and doesn't spread fud like most of the people I deal with on a regular basis.


Interesting article. Considering 80% packet loss, would a custom UDP tunnel with 500% error correction packets be a feasible workaround to bypass latency issues?


Same thing they do in Kazakhstan for more popular sites like YouTube. I have also noticed encrypted tunnels (like WireGuard) being intolerably slow. Best thing is, you can always write this off as a problem with the network (which is the defense local politicians use most often).


I've had similar experiences in Russia. Well, at least with some of the municipal networks. Oddly enough, most cell networks seemed uninhibited.


In that case Kazaks should petition to introduce a legally binding SLA for network performance in order for companies to qualify for the license to operate.


I honestly can't tell if you're joking or just not very familiar with what's happening here. What companies? There are only two major ISPs here, one of which is considered a "natural monopoly" and operates almost all networking equipment which connects us to the outside world. Other ISPs route most or all of their traffic through the major one. Needless to say, they maintain a very close connection to law enforcement agencies and to the royal family itself.


I like how you used the phrase "the royal family".


I'm fully aware. I have a Kazak in-law. I know it's futile but it would still be a statement.


You have a quaintly democratic notion of Kazakh society. :P

Kazakhstan is, by all accounts, an authoritarian regime. Petitioning the government would be futile at best.


Haha, what a first world solution to the problem.

Though I must ask: if you're going to petition the government to regulate carriers so that you can see government censorship, why not just ask the government to tell you when they're censoring you. Surely they will be just as helpful.


Starlink internet can't come soon enough... Seems like the only real technical solution. (In some of these places a political solution seems to be centuries off...)


Starlink won’t be allowed to be sold in countries where it does not comply with the local laws, I am afraid.

Additionally, the downlinks/backhaul for Starlink seems like it is going to be pretty close to each subscriber, likely inside their own country.


Starlink doesn't talk directly to handsets, so you'd still need a pretty large and noticeable antenna that would draw unwanted attention from the local authorities. If this style of censorship works by raising friction for your typical internet user, well your typical internet user is also not going to import a large and expensive transceiver from abroad.

I could see expats bringing a Starlink system with them into a country with questionable internet to maintain a low latency VPN connection to company servers back home, but that's about the only people that would or could use Starlink. Even Musk has said that Starlink doesn't have the bandwidth to provide service for all the users that might want to access it from an urban area like Beijing.


From my understanding, as Starlink density increases, the needed antenna should get a bit more simple and more compact. Since the satellites are intended to be geostationary, you should be able to use a very directional antenna which will also save on size versus a radome or dish.

I suspect users will also grow clever and learn how to hide antennas - more out of aesthetics than anything - which will help. More than a few Ham operators have figured out that a regular fence can hide a very large coaxial antenna.


You're going in the opposite direction of what starlink is at least based on what I heard. Starlink isn't geostationary, it's LEO. That's how they get latency down to something comparable to your typical broadband network because wireless signals don't have to travel up to geostationary orbit and back. However, LEO satellites orbit faster than the earth's rotation, so you need a whole web of mini satellites to ensure that as one satellite dips below the horizon, your antenna can switch to another satellite that's orbiting past. As you said, this needs a very directional antenna that can track a satellite. Antennas get larger the more directional they are, not smaller. I have doubts Starlink can shrink their phased array antennas smaller than their current pizza box without a host of other issues. Also, authorities aren't going to be looking for starlink antennas by sight. They'll be flying drones around listening for unauthorized wireless transmissions on Starlink's frequency bands and homing in from that. Ask those ham operators how well a fence can hide their antennas from the FCC if they decide to start a pirate radio station.


Woops, you're correct re it being non-geostationary. This is what I get for reading too quickly.

Actually if the satellites are moving you may not want a heavily directional antenna since that adds in a fair bit of mechanical complexity. There are several antenna designs which have relatively wide radiation patterns, but that depends on the needed strength.

> They'll be flying drones around listening for unauthorized wireless transmissions on Starlink's frequency bands and homing in from that

That would obviously work for detection, but would be complex and expensive. I would be surprised to see such complexity from the CCP in short order unless Starlink turns out to really disrupt the firewall in a widespread way.


Check out how phased array antennas work. No mechanical parts needed. Those things are used to precisely track missiles in defense systems. The accuracy and versatility will blow your mind.


A phased array pizza box would be significantly easier to hide than an omnidirectional pirate radio station, but point taken. Maybe you could set something up that watched for drones within the line of sight and shut off the connection quickly if anything breached the fence.


At this point you're getting to a level of technological sophistication that would make widescale adoption in authoritarian countries unlikely. The whole point of the article is that you don't have to completely block something, just make it too annoying to use for the average person.

Edit: actually, an even easier solution for the government would be to perform uplink jamming of starlink satellites. Any satellite that orbits into sight of an authoritarian regime gets a directional antenna pointed at it that pumps noise into its receiver and keeps it from detecting base stations on the ground. Once it orbits out of range it continues to operate as usual. Since no satellites are damaged and only operation above the authoritarian country is affected (since starlink operates at LEO and each satellite only sees a small part of the Earth's surface, compared to jamming a geostationary satellite that would knock out service on an entire side of the planet) there would be significantly less political pressure to stop this jamming.


I am from Kashmir (Indian Administered), the unprecedented internet blockade that happened here has gone to become the longest in history, whole IT sector in Kashmir got collapsed, thousands of people lost jobs, before this it used to be random internet shutdowns for a couple of days but now it is six months and it was only after 5 months we have been given access to 2G internet, which too initially was whitelisted.


That's the same case for Great Firewall of China. At least from what I experienced. Your packets are not dropped. DNS still resolves.

Chinese authorities throttle the "original" packets and flood you with nonsense content to confuse the clients.


The Philippines also has very slow internet, and lots of throttling and intermittent package loss. They don't have a lot of their own infrastructure and their backbone seems to be dependent on China. There is also an almost-monopoly with ISPs, just enough 'competition' to allow plausible deniability regarding monopoly.


The intermittent disruption of services is death by 1000 cuts. Read the Zynga story.

http://wrongtool.kostadis.com/firewalls-killed-zynga/


Whatsapp is also completely unusable in Jordan because of this throttling. But I don't believe it's a political decision, it's the cell phone companies' way of dealing with the competition.


Will satellite internet solve this?


Only if satellite internet providers are so anti-censorship they are willing to put it on the line and use their tech and altitude to wantonly break local laws—so probably not.



