
China’s New Cybersecurity Regulations: Analyzing the Ban on VPN Services

April 12, 2017

Author:

Yuxi Wei

Following the new Chinese cybersecurity law, which was approved by the Chinese government in November 2016, China’s Ministry of Industry and Information Technology released a new announcement on January 22 intended to tighten China’s control over its cyber domain. The November 2016 law was widely criticized for its requirement that foreign companies localize data storage and undergo the government’s annual security review.

The new announcement follows in this vein and is broadly focused on “cleaning up” internet access services in China. It is particularly controversial because the regulations suggest there will be a ban on Virtual Private Network (VPN) services, which have been an alternative tool for Chinese netizens to maneuver around the Great Firewall and gain access to government-blocked foreign websites, such as YouTube, Twitter and Google.

Growing Government Control and VPNs

The new regulation discusses VPN services in Section 3 Clause 4, where it covers trans-border services. According to the regulation, without approval from major telecommunication offices, any self-constructed or leased lines will be prohibited for trans-border business operations, and VPNs are used as an example. Furthermore, the telecommunication enterprises which provide such international lines will need to establish user files and make clear to the users that such services are only for communications among departments within the same company. In other words, the regulation requires all network access services to be registered with the government for inspection. The announcement, unlike any other laws, also hints at some enforcement mechanisms, such as demanding that local communication administration agencies engage in “thorough investigation” in their regions to “completely eradicate” illegal business operations.

While the new regulation comes just two months after the new November 2016 cybersecurity law was approved, the major issue addressed by the regulation corresponds to the new cybersecurity law — indicating growing government control over information protection and a firm step into the realization of the concept of “Internet sovereignty” invented by the Chinese government.

The 2016 law made it a special requirement for all foreign companies to store their data obtained within China locally and to cooperate with the government’s annual inspections in order to prevent espionage episodes such as the ones exposed by Snowden in 2014. Government surveillance over user information was also hinted at in the law: for example, according to Section 3 Clause 23 and Chapter 6 Clause 61, all Internet service providers are obliged to request real-name information from their users and to hand that data over to the government for legal enforcement purposes. Similarly, the new regulation regarding VPNs emphasizes acquiring formal registration with the government; in other words, it is a requirement that the records of VPN services be kept on file by the government for surveillance. As a result, the regulation along with the new cybersecurity law raises concerns over freedom of speech in China and is sometimes interpreted as a ban on VPN services and a move towards an exclusively “Chinese Intranet.”

Less Change Than It Appears

However, while the government surveillance hinted at by the regulation does signal tightened censorship in China, it is far from a complete ban and no fundamental changes have been made to previous legislation regarding VPN control. According to Leonhard Weese, the Chinese government prefers to make changes slowly and then legitimize the policies in retrospect, but there is little evidence in the news and on social media of increasing blocking attempts. Hence, Weese argues that the regulation is less meaningful than people fear.

Another update to the regulation is an announcement issued on March 27 by the local government in Chongqing, a municipality in Southwest China directly controlled by the state, which specifies the possible penalties for illegal uses of VPNs, including fines up to 15,000 yuan (USD 2,178). However, in response to public concerns, the Chongqing municipal government explains that the announcement is a restatement of the Interim Regulation issued by the State Council in 1996. Although Internet access covers half of Chongqing’s population of over 30 million and most Chongqing Internet users continue to use VPNs, there have been no reports in the news or on social media of users being warned or fined. Therefore, whether such penalties in Chongqing are executed is questionable.

The Chinese government has long been aware of the use of VPNs by Chinese netizens to circumvent the so-called Great Firewall and cannot deny the necessity of such tools for academics and businesses. Because major academic research sites, such as Google Scholar and JSTOR, are blocked in China, Chinese academics have to use VPNs to access sources produced by their foreign counterparts. Even the founder of the Chinese Great Firewall, Fang Binxing, the former president of the Beijing University of Posts and Telecommunications and currently the head of the Cyber Security Association of China, has revealed that he has to use VPNs to gain access to foreign websites. The inaccessibility of Google Drive has also drawn complaints from western businesses in China.

Meanwhile, even if the Chinese government requires domestic VPN providers to register with the government, the most popular and effective VPNs normally don’t have servers in mainland China and thus are technically not Chinese businesses that can be regulated by the Chinese government. Some might argue that it is reasonable that the domestic commercial VPN services are required to keep files with the government, as they are businesses in China.

Foreign VPNs Remain the Most Popular

The new regulation broadly targets the IDC (International Data Corporation), ISP (Internet Service Provider) and CDN (Content Delivery Network) services, of which the ISP service is the one used to establish VPNs. The primary commercial ISP services are only provided by the three state-owned telecom operators, China Telecom, China Mobile, and China Unicom (China Netcom merged with China Unicom in 2008 and China Tietong Telecom merged with China Mobile in the same year). All other ISP providers in China are secondary and have to hire access to Internet backbones from one of the three state-owned telecom enterprises, which means they ultimately have to gain authorization from the government to operate as legal businesses and to access Internet backbones.

Both primary and secondary ISP providers could be hired as VPN services; however, it is much harder to apply through the primary providers, as the state-owned enterprises have a stricter screening process and only provide services to trans-national companies for business purposes, not to individuals for private use. While the management of the ISP market was relatively relaxed prior to the new regulation, the secondary ISP providers would lease their services to private individuals to establish VPN services, but these were much less stable and constantly interrupted by the government.

As a result, foreign VPNs are ranked as the most popular in China. According to an evaluation published by StartUpLivingChina in February 2017, the best VPNs for China based on speed and reliability are ExpressVPN, VyprVPN and Astrill. According to another evaluation, done in 2016 by a Chinese-language website, BestVPNChina, the most effective VPN providers are ExpressVPN, VyprVPN, PureVPN, StrongVPN and HideMyAss. None of the VPNs listed above are based in mainland China.

VPNs Remain, Provide Surveillance Opportunities

The Chinese government has made constant efforts to block foreign VPNs. However, technical difficulties make it hard to completely eliminate the use of VPNs in China. As early as 2011, the Chinese government started launching crackdowns on VPNs, especially the foreign ones. In 2011, Internet users from China Telecom and China Unicom reported their connections had become unstable with intermittent access using VPNs, and in 2012, it became obvious that China Unicom would drop connections where a VPN was detected.

According to Xiao Qiang, a leading Chinese Internet researcher at the University of California, Berkeley, the Chinese government had been developing new methods since 2010 to detect and block VPNs, and the new regulatory technology is suspected to be able to “learn, discover and block.” Also in 2012, the Global Times, the government mouthpiece focusing on international affairs, turned attention towards foreign VPNs that are hard for the government to surveil and control, and published quotes from officials indicating foreign-run VPNs were illegal. The attempts of Chinese authorities to circumvent foreign VPNs became apparent in 2015: Astrill, one of the most popular VPN providers, was reported to have been interfered with by the government, and a number of VPN companies reported their services were disrupted with “unprecedented sophistication.” The interference peaked during the Chinese military parade commemorating the victory of WWII in September 2015, as Astrill warned its users that the Chinese government was blocking all VPN protocols “using machine learning.” This pattern continued into 2016 during the major political meetings of the National People’s Congress and the national committee of the Chinese People’s Political Consultative Conference, as Astrill users again reported disrupted service.

Despite the persistent effort of the Chinese government to extinguish VPNs, this goal has never been achieved. The list of effective VPNs for China in 2017 mentioned earlier displays an array of VPNs that seem beyond the Chinese government’s grasp. As suggested by a post on Hacker News, disguising VPN traffic as HTTPS sessions will evade the detection of the Chinese government since it doesn’t block HTTPS. However, according to an experiment done by a former Google information security engineer when he traveled to China in January 2016, ExpressVPN, one of the most popular VPNs to use in China, only used a 1024-bit RSA key — encryption that the government is completely capable of decrypting. Therefore, it is intriguing why the Chinese government keeps ExpressVPN available. It also led to suspicion and confirmed the rumor that the Chinese government tracks and spies on VPN traffic without interfering.

Given that the Chinese government’s Internet censorship mainly aims to prohibit nationwide mass protests and generally tolerates calls for local demonstrations, the new regulations’ main focus is to prevent information not approved by the government from spreading on a massive scale. The Great Firewall and VPNs serve as a filter through which only people with an urgent need and the necessity of accessing foreign websites can browse the uncensored materials; the rest of the population, which is much more inwardly focused, is excluded from gaining access due to the increasing troublesomeness of “climbing to the other side of the wall.”

Thus, it is plausible to speculate that this is what the government interference with VPN services is aiming to do. People who continuously browse foreign websites are generally well-educated enough to read sources in foreign languages and are the most likely people to lead future protests. The Great Firewall narrows this group so that the government can surveil their activities online.

Conclusion

In conclusion, the new regulation to “clean up” Internet access services in China implies the Chinese government’s intent to tighten its control on VPN services and suggests a possible step up in interfering with VPN traffic in the next 13 months. However, it is far from a complete ban.

While the Great Firewall impedes public access to diversified information on foreign websites, connections with the world Internet and communication with foreign counterparts are necessary for Chinese scholars and transnational businesses with offices in China. Therefore, building an “intranet” in China will severely damage Chinese economic interests and draw complaints from scholars associated with the government and even from government officials.

Moreover, the new regulation targets VPN providers domestically, but as domestic VPNs are never the popular options on the market, it has little impact on the VPN market as a whole. Additionally, the crackdown on foreign VPNs started a long time ago, but the use of foreign VPNs still flourishes in China. This may be a result of the technical difficulty of detection; however, evidence suggests the government tolerates certain foreign VPN services and tracks their traffic.

The new regulations certainly erode free speech and privacy in China, but in combination with the new cybersecurity law, which emphasizes the increasing government presence in information control, it is a logical step for the Chinese government. Even in light of that, it is unlikely that the Chinese government will prohibit the use of VPNs and cut itself off from the world Internet completely — rather, it may just want to know what its people are browsing.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.