The first news stories are coming out about Internet censorship in Hong Kong. These are (correctly) focusing on the implications of the so-called National Security Law in Hong Kong and its applicability to compel Internet Service Providers to attempt to deny access to websites.
This story, a compelling and an important milestone to mark, is only the first part of the story.
The next questions that need to be answered are more technical, more difficult to get answers to, and more important for understanding where we are along the progression toward a broadly censored Internet in Hong Kong.
Here are some proposed questions that, if answered for each instance of future censorship, will help us identify where we are.
1. How was the request conveyed to Hong Kong ISPs?
If the request was conveyed to the ISPs in a one-off manner this is a good thing. It implies that there is no regular process for making these types of requests. Each request will necessarily have a non-trivial amount of communication overhead, dramatically limiting the rate at which web properties can be blocked.
A more-worrying—and faster—approach would be a “push” to the ISPs, where the government uses a form to make a request to the ISP to implement a change. Creating a regular process reduces communication overhead, increasing the number of web properties that can be blocked.
A more-advanced version of this is “pull”-based, in which an ISP checks a central list every N seconds to identify if there are new web properties that should be blocked. This would allow zero-communication updates.
A centralized blocklist could even be populated dynamically in a way that monitors Internet traffic to identify content which the government desires to block. A dynamic blocklist would not even require manual intervention for sites to be included.
2. How was the request implemented by Hong Kong ISPs?
If the request is implemented by manually configuring a bunch of servers this is the best case scenario. The evidence of a manual approach would be changes not immediately covering the entire ISP, changes showing up at different times on different ISPs, using different techniques to accomplish the block, and non-comprehensive blocking.
If the the request is implemented quickly, comprehensively, and universally across the entire network of the ISP it implies that tooling has been built to support requests of this nature. At one end of this spectrum is an internal interface that makes it easier to process these requests by just filling in a form and pressing a submit button to guarantee consistent outcomes for every desired blocked web property. This still requires human intervention (and communication overhead) and inserts a practical limit into the number of web properties that can be blocked.
The other end of the spectrum is each ISP building an internal tool that consumes an externally-provided list and requires no human interaction in order to update the blocklist. This “pull”-based mechanism would require no human interaction or communication and would enable the largest number of web properties to be blocked.
It is also possible that we see direct exports of pre-existing tools developed by mainland ISPs to implement the Great Firewall, enabling HK ISPs to rapidly move on from manual handling to full automation.
3. How easy is is the blocklist to circumvent?
This is really a list of subquestions:
– Can you simply select a different DNS server?
– Is a VPN enough to enable access?
– Is “Collateral Freedom” a viable method for gaining access to a site?
The more ways can you access blocked content from a Hong Kong ISP, the less-comprehensive the tooling is for implementing the blocklist. If all VPN or otherwise encrypted traffic is prevented from exiting HK ISP networks then we have reached the far end of the spectrum.
Where are we now?
I have been describing the current state of Internet Censorship in Hong Kong as “Internet censorship amateur hour.” I believe that this—the first request—was implemented manually. Not only that, but it was handled inconsistently by many parties across each of the ISPs in Hong Kong. This is mildly reassuring as to where we stand.
However, the messaging that we have seen from the government representatives in Hong Kong about their ability to compel ISPs to perform this action has been one of celebration. We should expect them to work to increase their power and competency.
This post is a proposed rubric to help us carefully monitor where we are in the progression toward full Internet censorship in Hong Kong. For each newly censored web property in Hong Kong, we should attempt to answer as many of these questions as possible. Investigative reporters, this is where you can provide tremendous value. If reporting can no longer keep up with the rate of additions to the blocklist that is also a good indicator as to the progression of tooling to enable Internet censorship in Hong Kong.
The Internet is for everyone.