Understanding and Circumventing Network Censorship
This is an overview of network censorship, but it is not comprehensive.
Governments, companies, schools, and Internet providers sometimes use software to prevent their users from accessing certain websites and services that are otherwise available on the open web. This is called Internet filtering or blocking, and it is a form of censorship. Filtering comes in different forms. Even with encryption, censors can block entire websites, hosting providers, or Internet technologies. Sometimes, content is blocked based on the keywords it contains. When sites aren’t encrypted, censors can also block individual web pages.
There are different ways of beating Internet censorship. Some protect you from surveillance, but many do not. When someone who controls your net connection filters or blocks a site, you can almost always use a circumvention tool to get to the information you need.
Note: Circumvention tools that promise privacy or security are not always private or secure. And tools that use terms like “anonymizer” do not always keep your identity completely secret.
The circumvention tool that is best for you depends on your security plan. If you’re not sure how to create a security plan, start here. While creating a security plan, be aware that someone who controls your Internet connection may notice that you are using a particular circumvention tool or technique, and take action against you or others.
In this article, we’ll talk about understanding Internet censorship, who can perform it, and how it happens.
Understanding Internet censorship and surveillance
- Censorship and surveillance: two sides of the same coin
- The Cost of Surveillance
Where and how network censorship and surveillance happen
- Where is the blocking happening?
- How is it happening?
- Changing your DNS provider to access blocked websites or services
- Using a Virtual Private Network (VPN) or encrypted web proxy to access blocked websites or services.
- Using the Tor Browser to access a blocked website or to protect your identity.
Understanding Internet censorship and surveillance anchor link
The Internet has a lot of processes that all have to work together properly in order to get your communications from one place to another. If someone is trying to block parts of the Internet, or particular activities, they may target many different parts of the system. The methods they use may depend on what technology and devices they have control over, their knowledge, their resources, and whether they are in a position of power to tell others what to do.
Surveillance and Censorship: Two Sides of the Same Coin anchor link
Internet surveillance and censorship go hand-in-hand. Internet censorship is a two-step process:
- Spot “unacceptable” activity
- Block “unacceptable” activity
Spotting “unacceptable” activity is the same as Internet surveillance. If network administrators can see where you’re going on the Internet, they can decide whether to block it. By advocating for Internet and data privacy tools and technologies, we can also make Internet filtering and blocking more difficult.
Many circumvention techniques likewise have the additional benefit of protecting your information from network eavesdroppers when you go online.
The Cost of Surveillance anchor link
Blocking Internet traffic comes at a cost, and over-blocking can come at an even greater cost. A popular example is that the Chinese government does not censor GitHub’s website, even though many anti-government newsletters are hosted on the website. Software developers need access to GitHub to perform work that is beneficial to the Chinese economy. Right now, these censors have decided that it will cost them more to block Github than they would gain by blocking it.
Not all censors would make the same decision. For example, temporary Internet blackouts are becoming increasingly common, even though these measures can seriously harm local economies.
Where and how censorship and surveillance happen anchor link
Where is the blocking happening? anchor link
Your computer tries to connect to https://eff.org, which is at a listed IP address (the numbered sequence beside the server associated with EFF’s website). The request for that website is made and passed along to various devices, such as your home network router and your Internet Service Provider (ISP), before reaching the intended IP address of https://eff.org. The website successfully loads for your computer.
(1) Blocking or filtering on your devices. This is especially common in schools and workplaces. Someone who sets up or manages your computers and phones can put software on them that limits how they can be used. The software changes how the device works and can make it unable to access certain sites, or to communicate online in certain ways. Spyware can work in a very similar way.
(2) Local network filtering. This is especially common in schools and workplaces. Someone who manages your local network (like a WiFi network) enforces some limits on your Internet activity, like monitoring or controlling where you go online or when searching for certain keywords.
(3) Blocking or filtering by Internet Service Providers (ISPs). Your ISP can generally perform the same type of filtering as the administrator of your local network. ISPs in many countries are compelled by their government to perform regular Internet filtering and censorship. Commercial ISPs can perform filtering as a service for households or employers. Particular residential Internet service providers may market filtered connections directly to customers as an option, and automatically apply specific censorship methods (like those described below) to all connections on their ISPs. They may do this even if it isn’t required by a government, because some of their customers want it.
How is the blocking happening? anchor link
IP address blocking. “IP addresses” are the locations of computers on the Internet. Every piece of information that is sent over the Internet has a “To” address and a “From” address. Internet Service Providers or network administrators can create lists of locations that correspond with services they want to block. They can then block any pieces of information on the network that are being delivered to or from those locations.
This can lead to overblocking, since many services can be hosted at the same location, or IP address. Similarly, many people wind up sharing any given IP address for their Internet access.
In this diagram, the Internet Service Provider cross-checks the requested IP address against a list of blocked IP addresses. It determines that the IP address for eff.org matches that of a blocked IP address, and blocks the request to the website.
DNS blocking. Your device asks computers called “DNS resolvers” where sites are located. When you connect to the Internet, the default DNS resolver your device uses typically belongs to your Internet Service Provider. An ISP can program its DNS resolver to give an incorrect answer, or no answer, whenever a user tries to look up the location of a blocked site or service. If you change your DNS resolver, but your DNS connection isn’t encrypted, your ISP can still selectively block or change answers for blocked services.
In this diagram, the request for eff.org’s IP address is modified at the Internet Service Provider level. The ISP interferes with the DNS resolver, and the IP address is redirected to give an incorrect answer or no answer.
Keyword filtering. If traffic is unencrypted, Internet Service Providers can block web pages based on their contents. With a general increase in encrypted sites, this type of filtering is becoming less popular.
One caveat is that administrators can decrypt encrypted activity if users install a trusted “CA certificate” provided by the administrators of their device. Since the user of a device must install the certificate, this is a more common practice for local networks at workplaces and schools, but less common at the ISP-level.
On an unencrypted website connection, an Internet Service Provider (ISP) is able to check the content of a site against its blocked content types. In this example, mentioning free speech leads to an automatic block of a website.
HTTPS site filtering. When accessing sites over HTTPS, all of the content is encrypted except the name of the site. Since they can still see the site name, Internet Service Providers or local network administrators can decide which sites to block access to.
In this diagram, a computer attempts to access eff.org/deeplinks. The network administrator (represented by a router) is able to see domain (eff.org) but not the full website address after the slash. The network administrator can decide which domains to block access to.
Protocol and port blocking. A firewall or router might try to identify what kind of Internet technology someone is using to communicate, and block certain ones by recognizing technical details of how they communicate (protocols and port numbers are examples of information that can be used to identify what technology is being used). If the firewall can correctly recognize what kind of communication is happening or what technology is being used, it can be configured not to pass that communication along. For example, some networks might block the technologies used by certain VoIP (Internet phone call) or VPN applications.
In this diagram, the router recognizes a computer attempting to connect to an HTTPS site, which uses Port 443. Port 443 is on this router’s list of blocked protocols.
Other types of blocking anchor link
Usually, blocking and filtering is used to prevent people from accessing specific sites or services. However, different types of blocking are becoming more common as well.
Network shutdown. A network shutdown could also involve physically unplugging network infrastructure, like routers, network cables, or cellular towers, so that connections are physically prevented or are so bad that they are unusable.
This can be a special case of IP address blocking, in which all or most IP addresses are blocked. Because it’s often possible to tell what country an IP address is used in, some countries have also experimented with temporarily blocking all or most foreign IP addresses, allowing some connections within the country but blocking most connections going outside the country.
A computer attempts to connect to eff.org’s US-based IP address. At the Internet Service Provider’s level, the request is checked: the IP address for eff.org is checked against a list of blocked international IP addresses, and is blocked.
Throttling. Internet Service Providers can selectively throttle, or slow down, different types of traffic. Many government censors have started to slow down connections to certain sites rather than block them altogether. This type of blocking is harder to identify, and lets the ISP deny that it is restricting access. People might think their own Internet connection is just slow, or that the service they’re connecting to is not working.
A computer tries to connect to eff.org. Their Internet Service Provider slows down their connection.
Circumvention techniques anchor link
Generally, if there is less information about your Internet activity, it can be harder for your Internet Service Provider or network administrator to selectively block particular types of activity. That’s why using Internet-wide encryption standards can help.
HTTP protects little of your browsing information...
...HTTPS protects much more...
…encrypted DNS and other protocols will protect the site name, too.
Changing your DNS provider and using encrypted DNS anchor link
If Internet Service Providers are only relying on DNS blocking, changing your DNS provider and using encrypted DNS may restore your access.
Changing your DNS provider. This can be done in the “network settings” of your device (phone or computer). Note that your new DNS provider will obtain the information about your browsing activity that your ISP once had, which can be a privacy concern depending on your threat model. Mozilla compiles a list of DNS providers that have strong privacy policies and commitments to not share your browsing data.
Using encrypted DNS. Encrypted DNS technologies are currently being rolled out. This prevents any network actor from seeing (and filtering) your DNS traffic. You can configure DNS-over-HTTPS easily on Firefox and configure DNS-over-TLS on Android.
Right now, there aren’t easy ways for users to do this in other applications.
Using a VPN or Encrypted Proxy anchor link
In this diagram, the computer uses a VPN, which encrypts its traffic and connects to eff.org. The network router and Internet Service Provider might see that the computer is using a VPN, but the data is encrypted. The Internet Service Provider routes the connection to the VPN server in another country. This VPN then connects to the eff.org website.
A Virtual Private Network (VPN) encrypts and sends all Internet data from your computer through a server (another computer). This computer could belong to a commercial or nonprofit VPN service, your company, or a trusted contact. Once a VPN service is correctly configured, you can use it to access webpages, e-mail, instant messaging, VoIP, and any other Internet service. A VPN protects your traffic from being spied on locally, but your VPN provider can still keep records (also known as logs) of the websites you access, or even let a third party look directly at your web browsing. Depending on your threat model, the possibility of a government eavesdropping on your VPN connection or getting access to your VPN logs may be a significant risk. For some users, this could outweigh the short-term benefits of using a VPN.
Check out our guide about choosing specific VPN services.
Using the Tor Browser anchor link
Tor is open-source software designed to give you anonymity on the web. Tor Browser is a web browser built on top of the Tor anonymity network. Because of how Tor routes your web browsing traffic, it also allows you to circumvent censorship. (See our How to: Use Tor guides for Linux, macOS, Windows, and Android).
The computer uses Tor to connect to eff.org. Tor routes the connection through several “relays,” which can be run by different individuals or organizations all over the world. The final “exit relay” connects to eff.org. The ISP can see that you’re using Tor, but cannot easily see what site you are visiting. The owner of eff.org, similarly, can tell that someone using Tor has connected to its site, but does not know where that user is coming from.
When you first start the Tor Browser, you can choose an option specifying that you are on a network that is censored:
Tor will not only bypass some national censorship, but, if properly configured, can also protect your identity from an adversary listening in on your country’s networks. However, it can be slow and difficult to use, and anyone who can see your network activity may notice that you are using Tor.
Note: Make sure you’re downloading the Tor Browser from the official website.