Inside China's Golden Shield

"The connection was reset." That's the message Firefox gives me when I try to connect to a link posted by a Chinese commenter to this blog. A similar error message is the title of a fascinating piece by James Fallows in The Atlantic.

"The connection was reset." That's the message Firefox gives me when I try to connect to a link posted by a Chinese commenter to this blog.

A similar error message is the title of a fascinating piece by James Fallows in The Atlantic, in which he explains exactly how China censors the Internet in the country, how simple it is to get around the system -- often known as the Great Firewall but officially, if "creepily," described as the "Golden Shield Project" -- and why the system works anyway. To backtrack -- I posted here ('So the net routes around censorship? Tell it to China') about Chinese censorship of news about the Tibetan protests/riots and the official response/repression/murder to those protests. And I got some interesting responses. Most interesting, though not for reasons the poster intended was this:
I am in China and I find your artical by Google News. How can you say it's blocked!! I don't know why westen news agency keep saying all Tibet news are blocked in China. Liars! Watch this on the site of biggest TV station in China Yes, all about tibet!

So I followed that link and sure enough a Chinese page started to load -- and then something odd: after a few seconds, it stopped loading only to replaced with a "Problem loading page" message. Yes, the connection had been reset.

Doing a TCP reset is exactly what Comcast does to BitTorrent uploaders -- and it's a standard tool in China's censorship arsenal, Fallows explains. It appears that when my Chinese friend first viewed that page it hadn't yet been blocked, but at some point thereafter it was.

Fallows explains that China can erect the Golden Shield because all Internet traffic comes into the country through three chokepoints. The government has set up a sophisicated (literally) mirror system to copy all incoming traffic to government servers, where an Army of bureaucrats reviews for content it doesn't like. From that point there are four main ways to block content:

  • DNS block. "Typing in the URL for the BBC’s main news site often gets the no-address treatment: if you try, you may get a “Site not found” message on the screen. For two months in 2002, Google’s Chinese site,, got a different kind of bad-address treatment, which shunted users to its main competitor, the dominant Chinese search engine, Baidu."
  • TCP Reset. "While your signal is going out, and as the other system is sending a reply, the surveillance computers within China are looking over your request, which has been mirrored to them. They quickly check a list of forbidden IP sites. If you’re trying to reach one on that blacklist, the Chinese international-gateway servers will interrupt the transmission by sending an Internet “Reset” command both to your computer and to the one you’re trying to reach."
  • URL keyword block. "The numerical Internet address you are trying to reach might not be on the blacklist. But if the words in its URL include forbidden terms, the connection will also be reset. Here the GFW’s programming technique is not a reset command but a “black-hole loop,” in which a request for a page is trapped in a sequence of delaying commands."
  • Content blocking. "When you reach a favorite blog or news site and ask to see particular items, the requested pages come to you—and to the surveillance system at the same time. The GFW scanner checks the content of each item against its list of forbidden terms. If it finds something it doesn’t like, it breaks the connection to the offending site and won’t let you download anything further from it."
This last is most fascinating; GFW imposes increasing time-out penalties the more you try to access blocked content. The first time out is two minutes. If you try again within that time, a five-minute block is imposed. Violate that blackout and you might be locked out for an hour.
Users who try hard enough or often enough to reach the wrong sites might attract the attention of the authorities. At least in principle, Chinese Internet users must sign in with their real names whenever they go online, even in Internet cafés. When the surveillance system flags an IP address from which a lot of “bad” searches originate, the authorities have a good chance of knowing who is sitting at that machine.
OK, so that's how it works. But you say, it's easy enough to get around. Proxy servers trick the censors into thinking the request is not coming from China at all. VPNs encrypt the content so the censors can't scan it. In either case, you could get through with some trouble. But, says Fallows, authorities don't care about blocking all access; they're happy if most people won't bother.
What the government cares about is making the quest for information just enough of a nuisance that people generally won’t bother. Most Chinese people, like most Americans, are interested mainly in their own country. All around them is more information about China and things Chinese than they could possibly take in. The newsstands are bulging with papers and countless glossy magazines. The bookstores are big, well stocked, and full of patrons, and so are the public libraries. Video stores, with pirated versions of anything. Lots of TV channels. And of course the Internet, where sites in Chinese and about China constantly proliferate. When this much is available inside the Great Firewall, why go to the expense and bother, or incur the possible risk, of trying to look outside? All the technology employed by the Golden Shield, all the marvelous mirrors that help build the Great Firewall—these and other modern achievements matter mainly for an old-fashioned and pre-technological reason. By making the search for external information a nuisance, they drive Chinese people back to an environment in which familiar tools of social control come into play.