(Bloomberg Businessweek) -- For years, thousands of virtual private networks (VPNs) have allowed people in China to circumvent restrictions on internet access and visit Facebook, Google, YouTube, Twitter, and other sites blacklisted by the government. That’s changing. Chinese authorities say that starting on March 31 they’ll shut down or simply ban any providers of unauthorized VPN services and apps. Sunday Yokubaitis, president of VPN provider Golden Frog in Austin, says he has an idea of what the censors can do.
On a quiet day in January 2015, Yokubaitis says, his computer erupted with system alerts and emailed complaints from Chinese customers. Something was jamming Golden Frog’s popular VyprVPN service with targeted blocks of its server addresses, rendering it essentially unusable in China. “They blocked all of our servers at the same time,” he says. He calls it a random crackdown and says things have gotten worse since then.
Beijing has officially decried the use of VPNs to evade its Great Firewall for about as long as such networks have existed, but its March 31 deadline represents a new phase in its sweeping commitment to en masse crackdowns like the taste Yokubaitis got three years ago. By the end of the month, the government says, people in China must stop using unauthorized workarounds and stick with government-licensed channels. It’s a key plank of China’s biggest push against freedom of speech in the internet era, a campaign that over the past year has aggressively censored TV programming, violent video games, and even celebrity gossip.
Censors have already eliminated hundreds of VPNs, which route user requests for sites through virtual networks located on the providers’ servers, disguising their users’ true locations or destinations. A few operators have been jailed, and over the summer Apple Inc. began removing VPN software from the Chinese version of its App Store. VyprVPN, ExpressVPN, NordVPN, and a shrinking number of others are still working to outpace the government, renting extra cloud servers from Amazon Web Services Inc. and the like to buoy their networks. They’re also working on software that can make user activity look like permitted internet traffic, sometimes by renting internet protocol addresses that have also been used by government-approved services.
Playing defense keeps getting tougher, says Yokubaitis. In the past two months his team has deflected six attacks like the one on Vypr in 2015. “Before, we would see attacks once every three or four months,” he says. Ruby Gonzalez, head of communications at Panama-based NordVPN, says her company has seen a similar escalation and expects more after the deadline.
The Chinese government employs thousands of specialists to find ways to thwart VPN software. It’s begun compelling China Telecom Corp. and other state-controlled carriers to block any unauthorized VPN traffic they detect, even when those connections visit approved sites such as Alibaba Group Holding Ltd.’s huge online mall Taobao. “It’s a novel technique, and it’s an example of them trying to degrade experience on a VPN so you’re less likely to use it,” says Harold Li, a vice president at ExpressVPN, which is officially based in the British Virgin Islands.
There are two principal ways to sniff out and block VPN services. The first is to sign up for a provider, check the IP address used, then order telecommunications providers to block it. The second is to scour internet traffic for connections with telltale encryption protocols. Like an armored car, most secure VPN traffic is easily identifiable as such even if you can’t see what exactly is inside. “It’s an arms race,” says Ralph Holz, a lecturer in networks and cybersecurity at the University of Sydney. And, he adds, the government is getting better every day.
Most of the leading VPN services cost $6 to $12 a month, and some offer free versions with fewer features. The profitable ones owe their survival in large part to the hungry Chinese audience using them to watch banned cartoons, read controversial news stories, access scientific research on services such as Google Scholar, or simply safeguard their communications. Users can create their own VPNs on cloud servers provided by Amazon Web Services and its competitors. Such personal networks manage so little traffic that they’re difficult to detect and shut down, but they’re also more costly and require a higher level of expertise.
State regulators say certain companies, including China Telecom, will be allowed to provide access to government-approved VPNs once the deadline passes. Such a system won’t provide the same levels of privacy and freedom that VPN users have grown accustomed to, says Bryce Boland, regional chief technology officer at cybersecurity firm FireEye Inc. It’s reasonable to bet, he says, that the Apples and Alibabas of the world will make any compromise they need to keep operating in China.
China’s crackdown has boosted the remaining VPNs. Sales at NordVPN have grown by “hundreds of percent” since the government started targeting other services last summer, Gonzalez says. Golden Frog says sales have jumped by half in six months; ExpressVPN says it got a 50 percent bump in October. What about joining forces? “If it does get bad enough, maybe we do need to talk to some other VPN providers and get some technology,” Yokubaitis says. “But I don’t think we’re there yet. It’s better to have an armada of little ships instead of one big battleship.”
To contact Bloomberg News staff for this story: David Ramli in Beijing at dramli1@bloomberg.net.
To contact the editor responsible for this story: Jeff Muskus at jmuskus@bloomberg.net.
©2018 Bloomberg L.P.
