Here's my translation as a Chinese native, though I'm no technical expert.
Companies that provide IDC, ISP, CDN services, without authorization, are prohibited to set up or lease connections (including virtual private networks), to conduct business operations across borders.
I guess it means if you're an ISP etc, you're not allowed to sell VPN services without authorization.
It says nothing about individuals purchasing VPN services from foreign providers.
It's nonetheless a chilling sign that they're restricting VPN access, which is consistent with the overall tightening of internet control that's been going on for quite a while.
It comes as no surprise though, given 2017 will see the Party's 19th national congress. A lot will happen to make sure the internet does absolutely nothing remotely similar to what happened in the Middle East in 2010.
> It's nonetheless a chilling sign that they're restricting VPN access, which is consistent with the overall tightening of internet control that's been going on for quite a while.
It is also consistent with the worldwide tightening of internet. Trump and May are much more likely to applaud the latest Chinese effort than criticise.
Chinese internet management is the model that will lead the West. Quite a reversal, quite depressing too.
Years ago, I was saying that China's Great Firewall was the prototype. Meaning, on an international scale, involving international participation including especially the companies then selling them the equipment and services.
Nothing I've seen has changed this basic perception.
P.S. Although, now, an increasing amount of the expertise and technology are internal.
As much as I hate regulations on Internet access, the title as of now is an inaccurate description of the regulations in terms of the target audience. I hope someone can summarize the translation above as a more accurate title.
End user access starts in a provincial/regional network, which is connected to a national "backbone", which maybe allows the traffic out of the country. In my experience there's massive packet loss between the province and "backbone". 40% loss is regular throughout the day. Stuff within China mostly works, but anything outside is flaky at best.
Now obviously enterprise can't put up with that crap, so there's better routes out. Say a datacenter in Guangdong province that has direct peering with Hong Kong where licensed companies are colocating. Those companies with access can take money, (or under the table their sysadmins can) to terminate a VPN or MPLS connection there, giving unfiltered access to the internet and bypassing the lossy path.
The going rate I've found for this is about USD $300 per megabit per month, plus whatever the costs are to get there. (eg. Your regular broadband connection if using a VPN or cost of MPLS/Lan extension type service from the telco) Too expensive for most individuals, but definitely worth it if you're a hotel catering to foreign guests who will be pissed off if Google, Facebook, and pretty much everything they recognize about the internet doesn't work.
In my view this document is calling for, among other things, rooting out of this kind of activity.
If anyone is familiar with this market for unfiltered internet in China I'd like to learn more about it.
I buy unfiltered Internet for my org. We don't use VPN. It's super expensive. Email me if anyone likes. I prefer not to discuss it in public here because I'm not sure what the ramifications could be. It's a grey area in the market here.
It's not a black market, it's an awkward grey market. Deal only with the big ISPs. Everyone who emailed me, gee, give me time to reply... more emails than I expected. :) I'll email everyone at the same time later, bcc everyone.
To get an idea of how much $300/mo is, I just had a quote for a 1 gig dedicated ethernet from our office (not a datacentre) in Delhi to our rack in Telehouse Docklands North for $18k a month, or $18/mbit. For datacentre-datacentre I had a quote from Seoul KINX for $5k/month, or $5/mbit. Layer 2 links in both cases. These are fairly long haul links.
You must be doing relatively small commits (100mbit on a 1Gbps commit?), though I suppose connecting from India may be more expensive than intra-EU. I've been quoted <$2/mbit for UK-Hong Kong for 40Gbps on a 100Gbps commit.
> "No unauthorized use of VPNs through March 2018."
I was wondering, "what just happened internally in China that they want to censor for a year or so?" Then it dawned on me...they want to censor everything until the 2018 Winter Olympics is over with. I was wondering if Trump had tweeted, "free Tibet," or something like that.
This notice is something like a "campaign" in English, which starts now and lasts for one year until March 2018. The assumption here is that these issues would have been addressed by then.
The timing March 2018 does not carry significant value here, it just means the campaign period is slightly longer than one year.
> I was wondering, "what just happened internally in China that they want to censor for a year or so?"
I think, in general, they've observed the rise of populist movements in other countries and have decided they're not going to let that happen in China.
The 2018 games are in S. Korea, which could be problematic since China has banned all kpop, and Korean entertainment in general in response to S. Korea's missile defense upgrades [1].
It would be very difficult to cover the games without any singing or tv drama stars being on screen at some point. Not sure if the Olympics themselves would fall under "Korean entertainment" or not.
But 2018 Winter Olympics are in South Korea. Not sure if you thought Beijing was hosting 2018, or if you thought that Beijing ups the censors every Olympics each time. https://www.pyeongchang2018.com
Just want to mention Streisand here; it's an opensource project that helps you to "setup a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists".
It should be noted that the GFW currently has the ability to detect most or all of those. Long gone are the days when OpenVPN over TCP 443 could fool them.
This seems more ominous to me than it normally would...
All this sort of thing worldwide makes me wonder why there isn't more of an exponential growth in movement to decentralized or federated platforms. It's definitely seen a lot of growth, but with concerns about centralized censorship and monitoring in various places, it seems like it should be getting more attention.
Maybe it's irrelevant in the case of China, or maybe it's a good place to use as a thought experiment because censorship strategies have been played out so thoroughly there.
Probably because in a lot of the places where this happens, the owners/operators of the infrastructure have to actually live there and deal with the consequences of undermining the powers that be. On top of that, sometimes it pays to play -- thereby be a human rights cost but there's a real payout whether it's monetary, accruing favor with the local powers, or just being able to operate.
I think it's very easy to look at the state of the world and judge it to be an egregious violation of human rights, and the solution is simple. Implementing it, however, is complicated by external factors and always is in these situations.
When my daughter was in Beijing last year in school, virtually all of the U.S. students in her class used VPNs to access YouTube and other American content. I got the impression they were quite common amongst the Beijingers too.
Every hotel I've stayed at in China that caters to Westerners had a VPN in place. You could check your Gmail at the hotel but not outside of it (unless you had your own VPN).
I've never seen a VPN in Shanghai or Beijing, while I get them by default in Guangzhou. They definitely aren't legal for the hotel to provide (if you set up a conference in Beijing, they'll deny this service as an option), but China isn't really a rule of law country (laws are only enforced selectively).
This is because historically most Chinese revolts and movements started with the inlanders getting frustrated with the amount of trade the coast enjoys.
People in Beijing and Shanghai have it much better and do not have much reason to cause problems bad for business.
Not to mention Xinjiang. By the time I got out there communication was basically a black hole. Out there apparently the police were actually enforcing the no-VPN rule, kicking locals off the internet for extended periods of time.
Every other web page you see (as a foreigner) from China seems to have a VPN ad on it, and of course you can roll your own. Strangely, if you roam on your phone (or mine at least) there's no need: you get unfiltered data ... and most importantly Google rather than (ugh) Bing.
Is something getting lost in translation or is this targeted at businesses and not individuals? (Still a big deal, but I thought VPNs were already banned?)
I'm not sure about today, but at least a year ago, there were still a lot of small/private ISPs selling _private networks_ with _global_ internet access. The notice itself sounds like the Ministry is trying to reform businesses like this. There's a good reason (other than censorship) to do so, because the market is a real mess and most of the bandwidth used by them wasn't acquired in a _proper_ way.
Not entirely sure, seemed banned, have vague memories of people being harassed for using proxies.
In any case proxies have definitely been soft banned. If you try searching for vpn/proxy you'll get dead connections. If a URL has the same, you'll also get a dead connection (as opposed to a "this is banned" page).
Also perhaps of note... When a law isn't working (ie indoor smoking ban) they have been known to just re-issue it.
> Also perhaps of note... When a law isn't working (ie indoor smoking ban) they have been known to just re-issue it.
This is interesting. Do they re-issue it with a minor change (double penalties, increasing the radius of "indoors" by 10ft, etc) or do they just re-issue it word for word?
I'm not sure about their legality over the years, but I do know that they were in fact largely accessible and were an extremely important avenue for academic researchers to engage with the broader community. This ban will likely disproportionately affect China's elites, who have long used VPNs for many reasons unrelated to politics.
It's very frustrating. I had a VPN but they were even blocking that. Thankfully I was able to access Google and Gmail while on international roaming with Verizon. We're certainly seeing a separation of internets.
About 6 months ago, all of our OpenVPN and SoftEther VPNs were blocked, and new ones we set up were blocked in 10 minutes. So we changed to Shadowsocks and it's been working since; it seems harder for them to detect.
Chinese company Opera Software has a VPN client built into the developer version of the Opera browser. I assume they have all the necessary licenses from the government and their software is safe to use from mainland China.
Ugh, the general tightening of the Firewall will not have many short-term ramifications on the startup scene in China (it'll probably lead to a fair bit of protectionist lift actually for mainstream service providers) but the long-term issues of closeness will lead to inferior service providers thriving under the protection of the government.
Regardless of the research dollars China is throwing at technology, this is no way to build a successful/enduring technology infrastructure.
I'm in Shanghai as an exchange student and I get very different connection quality depending on whether I'm using the WLAN on campus (fast, some Google-owned services work even without VPN), using my mobile connection specifically catering to foreigners (4G, no noticeable slowdown with VPN) or the "citizen grade" connection at the flat I'm renting. I have observed speeds of 10 MiB/s connecting to servers on campus, but VPN is usually capped at 10 KiB/s.
Ironically, I was downloading a YouTube video overnight (using a VPN, of course) and after midnight the speed skyrocketed to a breathtaking 200 KiB/s! No idea whether that has anything to do with this announcement.
This might sound like a naive or stupid question, so please help me out here:
Let's say I live in Shenzhen. Isn't it possible to connect via a normal phone line to a dial-up service in Hong Kong and enjoy an almost uncensored (albeit very slow) internet? Or is that a bit far-fetched?
It would probably be quite expensive as, in most cases, calls to +852 are considered to be long-distance. I don't think internet access is as restricted in SZ as other parts of the mainland, as I am pretty sure that I bought an unrestricted SIM at the HK-SZ border last time I crossed.
Internet access in SZ is also restricted, but you are right that you can buy an unrestricted SIM on the border, but that is actually a HK SIM (or dual network sim) so your data connections are terminated in HK and hence not filtered.
You are right that it will be very expensive. Thanks for the tip about buying an unrestricted SIM-card at the border with HK. Will the SIM-card also work in remote parts of China? Or is it only usable in Shenzhen?
VPNs have so many uses besides subverting censorship. How are off site workers supposed to connect to their intranets? Or individuals to secure public wifis, etc. Isn't VPN just an encrypted connection to another computer?
As a Chinese student, most of my friends (if they need to visit blocked websites) are using shadowsocks; it is easy, fast and more stable than a VPN, and I also installed shadowsocks on my OpenWrt router.
Last time I was trying to `bootstrap` a new OS with my own VPN, it was quite difficult without commercial services. Most materials you need for a brand new computer to freely surf the internet can't easily be found on the Chinternet, and it's quite difficult to filter out the malware from the legit ones.
They've given a quite (technically) reasonable timeline for this, so I believe they are serious on this one. If they put punitive, even the slightest like cut the wire or urge your ISP to stop service.
What about RDP into a remote VM? Surely they can't block RDP, techcos in China need to be able to run servers outside of China. Would that go around VPN restrictions?
I heard that Baidu and some other Internet companies in China have this kind of unfiltered connection (maybe to use Google? Haha). I don't know if these are "authorized" or not.
They are authorized.
All companies have to apply for this "specialized line" for Internet access. If there's anything they do not like, they could find the person responsible for this easily.
Doing a bit more digging it seems like they're using several proxies under the name *.mhgs.co, which looks suspiciously like a whole lot of Linode boxes.