 So today, Nathan Freitas, the element to my left, is going to speak about China and the Great Firewall. A few quick introductory remarks. The so-called Great Firewall is a term that we first encountered sometime in the late 1990s and has defined an understanding of China's relationship to the internet as a metaphor ever since. And it's a pretty problematic metaphor. There's a lot of controversy and discussion around whether it makes sense as an accurate way of talking about what is going on with the Chinese internet, whether a defensive posture that protects China from the world is really an appropriate way of understanding what is occurring in the context of China's organization and structuring and censoring of content on the internet. And a big issue in that context is whether outside information is really the problem or whether Chinese talking to each other is really the problem. And we've observed and participated in this debate at the Berkman Center pretty much since its inception. And within Global Voices, the organization that I'm affiliated with, we've also reported on and documented and paid a lot of attention to the nuances around the conversations of how actually Chinese are talking to each other, how they're talking to the world, and how the world is engaging and thinking about the Chinese. Nathan is one of the rare and interesting thinkers in this space in that he doesn't have an ideological approach. He's very interested in the individuals, in my opinion, much more interested in the individual's approach to understanding and building communications than he is to create power games around national influence and national authority. And he's also a wonderfully patient and attentive trainer and guide and somebody in our community who we all look up to in terms of understanding how technology works and how the dynamics of censorship are actually playing out in the world. So without further ado, Nathan. Thank you so much. 
Thanks everybody for coming. This is really an honor to have you all here. I wanted to just start with this illustration that Willow Blue, who's another Berkman fellow did for the recent Internet Monitor Report, which you should read that Berkman's published in various formats. You know, it starts with this problematic metaphor and shows it to you right there. But really the shift is that we're going to talk about today is the number of people who want to cross the Great Firewall metaphor from the outside and going back into China, right? Beijing welcomes you, the Great Firewall welcomes you. That's the inversion that I'm focusing on. So who am I? I'm obviously not Chinese. I'm a foreigner. But I have traveled and lived in Asia over the last 10 years. Unfortunately, I can't go to China anymore, or at least I haven't tried recently. But based on work I do politically with Tibetan groups, the kind of work I do with the Tor Project technology work. So a lot of my work now is studying from the outside. I've been a software developer pretty much my entire life, and there's video evidence of that. But really I've also been an activist doing nonviolent direct action training and strategy within the Tibetan movement and working with other human rights movements. And then moving towards building free and open software for security for individuals and privacy controls with Tor and the Guardian Project. So millions of people use software I write. And you know, in some ways I guess I'm a competitor to apps like WeChat or other mobile messaging startups. And I've been really enjoying my time here at Berkman and giving me a little space to step back from the code and the compiler and think about the large implications. So I wanted to start by saying that, you know, this isn't kind of a China bashing talk or a, you know, cyber war alarmist talk. This is really about core feelings I have about the planet, about earth, about the rights of everyone. 
And I, you know, as much as you might have heard language about cyber war or heard language about WeChat as a spy tool for this or, you know, different malware attacks, that's not what we're going to be talking about today because I don't think it's productive. War is a terrible thing and cyber war is equally terrible to other kinds of warfare. So starting with the Great Firewall and you'll see me use some of these kind of funny dancing animated emojis. These are from WeChat, we'll talk about them more later. This has been around for a while, most of us understand it. It's interesting that the terminology that birthed it was around crime and criminals and evil and kind of, you know, these things that are often used to invoke fear. This is a technical diagram produced by Tor that shows, you know, in a sense there's a place in the middle where traffic is split and disrupted. And historically this was thought of as I am inside of China trying to go to a website. When I try to access this website the domain name lookup to find the address of the website is disrupted, the packets are disrupted, something is blocked, right? Google is blocked. That's the main, you know, premise that we've all been working from. And if you want to learn about this kind of system or view, GreatFire.org is by far the premier organization these days tracking this from inside China and outside. And using a new kind of technology they've developed called collateral freedom to use these unblockable sites on the internet like Akamai or Amazon Web Services that maybe raise the bar for China to say, you know, taunts them, hey, I want to see you block Akamai, right? I want to see you block these important infrastructure services. And they use that to put content from, say, China Digital Times or Weibo, censored posts or the BBC. So that model is, again, epitomized by everything you can learn at GreatFire.org. So if that's what you're interested in, I recommend going there. 
There's also a great history of tools that are used to circumvent censorship of the web and the internet known as proxies or virtual private networks, VPNs. And these range from commercial services to free services that are open source. Two that I like to highlight, first on the right is the Tor project, which I am a participant in and a supporter of. And most recently, the version four of Tor browser works very well in China. In the arms race of blocking and filtering and who can stay ahead of each other, Tor has just pulled ahead with some really interesting new technology. On the left is a project that comes from a Chinese native team. I mean, its origins are somewhat mysterious, but it uses the Google App Engine cloud to build kind of a roll your own proxy system called GoAgent. And this has been the basis of a number of other systems, but it's because GitHub, the open source developer tool is not blocked in China generally. It's a gathering place for this kind of information. And so there's lots of capability in China to, you know, build their own and run their own proxies now. And again, that's kind of a known quantity for the most part. One of the most interesting shifts that you may not be as aware of is that, you know, at some point, maybe five years ago, users, fewer and fewer Chinese mainland users were attempting to leave the Chinese national network, national internet. And that's because the services that are natively offered in China were getting better, right? We're getting to the point that they were equal replacements and not only just replacements technically, but were more relevant to the Chinese audiences, even if they do have more censorship built into them. So Sina launched their Twitter kind of clone called Weibo. YouTube has its own counterpart, Youku. And Google has a competitor in Baidu, right? And these, there's many, many others. 
But these represent, you know, first rate, first rate services that are not just clones that do something more. And again, they have all of the content that people want. If we look at them, maybe they're not exactly the same in terms of, you know, maybe they weigh way more heavily on commercial content and licensed content. But I think in terms of the user experience, they are equal. One of the things that the Great Firewall can do is it can shape traffic, right? So one of the reasons also people stopped using YouTube, even if they could get to it, is that it was slow, right? Oh, this is terribly slow. It's so bad, right? It's not YouTube's fault. It's that the throttling of the network kind of chokes the experience. And so the domestic services are better. So a metaphor that I love, I just, I love this drawing, is that instead of a Great Firewall, what we're seeing is, you know, cameras as weapons pointed at individual users, right? So you can use these wonderful services. Everyone has. There's ways to communicate. But as Simon says, the problem is more how are Chinese being allowed to communicate with each other than how are they being blocked from going outside? And that's the main shift, I think, in the metaphor and maybe the actuality. All right, so we're going to take a little detour now and go back to a realization between 2009 and 2011 that a number of people were having. And that SMS, short message service text messaging, is a total ripoff. So to send one megabyte of data to the Hubble Space Telescope cost $14. But to send it by text messaging cost $560, right? Two gigabytes data plan could send 15 million messages with two gigabytes. So the business model that the carriers had built around text messaging was totally out of sync with internet protocol. And users started to realize this. And they couldn't do much about it. But developers could. 
And into that space is where apps like WhatsApp and WeChat and Line and Viber and these unlimited free global text messaging services came. And they took off like crazy around the globe, right? So Skype has been there for quite a while. But because their mobile app didn't work very well. And in fact, their marketing was just confusing. And you use a username instead of a phone number, right? So one of the key things is WhatsApp, Line, Viber, WeChat, you use your phone number, right? So it's unlimited global text messaging. And then calling, right? And it works. So if any of you have traveled in other places, in India, for example, it's really tricky to, if you're trying to text someone on a different carrier, is it 0, 0, 6, or plus, or what's the number? And it often doesn't work. There's five or six different carriers. And if you're trying to text internationally, it's a horrible user experience. And it's very expensive. And so these apps just come into place in these places that make it free, and it works perfectly. And it's perfect for connecting a diaspora, right? And as we know, the story of China is in large part about the diaspora of China, right? And how they're everywhere. Students and people and traveling and business are a global phenomenon. And so people staying connected at home, obviously WeChat becomes something that is very relevant and valuable. With WhatsApp, it's the same story. And maybe more of you are familiar with WhatsApp. The sad truth is that North America is farthest behind the times on using apps like these. Maybe use Facebook Messenger, but that's quite different. So what is WeChat? And why does it deserve the focus of my talk today? So it means micro-message in the Chinese name Weixin. And it's gone from 2011 zero users to 400 million plus users on Mainland China and 70 million outside. So it's essentially replaced the telephone companies for texting and calling and picture messaging and everything. I mean, just wholesale. 
And more importantly, well, and feature-wise, as I said, it kind of combines lots of features. It's not just a text messaging app, right? It's essentially a social network. And it now has video calling and a bunch of other features we'll talk about. It also has grown very well outside of China. So it has the typical kind of features you might expect. Send a message. You can send a push to talk audio message, which actually was a huge innovation. With one button, you can just send a quick thing, and that's it. And you start to learn in this world that if it takes three taps to do something versus one tap, the app that is one tap will win. That's how subtle the difference is. It's just a little bit faster at sending picture messages than Viber or Line, which are made in other countries. And that might be for a number of reasons. And it also has this really fun feature of shake your phone. And if someone else is shaking their phone at the exact same time, you'll be connected with them and have a meetup, right? Or look for people nearby, right? And nearby is within 100 meters or within 3 miles. And it shows you a cute picture. And you can say, just show girls, just show boys, men. And it's very social. And it's as much about meeting. It's both about the people you know and the people you don't know, right? It actually has both of that. WeChat began as a side project, a sort of R&D effort at a company called Tencent. And Tencent's been around for a while. They created an app called QQ, which was a clone of ICQ, which is one of the first internet messaging services. So it was a Chinese clone of ICQ. They created that. And that's been around forever. And QZone is sort of a social network web extension of that, and then WeChat. So collectively, Tencent has a huge amount of users, so I imagine there's some overlap. You can import users from QQ into WeChat. But they are a known quantity. 
And QQ itself has actually had a long history with censorship and some of the other problematic things we'll get into. I think it's both, I don't know. It's kind of like WeChat, right? It's like Weixin. It sort of fits, right? So yeah. They're good. That'll come up like Xiaomi is now called Mi. MIUI. So I think a lot of us were saying, wow, this is exciting, a new round of technology, a new way of connecting, and as opposed to Sina Weibo, which is a whole other topic, there were people that thought Weibo was a problem because it was in the public. And people would use it like Twitter and post things in the public, and they couldn't be free to say what they wanted. But WeChat, on the other hand, was private. Private messaging, so I could say things and maybe I'll have a little more breathing room to communicate with my friends and share pain or frustrations, right? But it was clearly from, this is a number of years ago now, when Hu Jia said, oh, I tried it. My friend said we should use it. And his experience was that it made this surveillance of him, at least, as a targeted, known person, more efficient. It was more quick, right? Internet protocol is easier to monitor than GSM, telco equipment. Once you turn everything into packets, you can do so much in terms of surveillance and censorship. So the sort of high-profile Chinese dissidents already quickly realized this is not a platform for them. Lhadon and I do work with the Tibetan exiles, but also Tibetans inside and supporting their struggles for freedom and independence. And over the last number of years, there's been a terribly tragic series of hundreds of self-immolations. And what China began to criminalize was just talking about the self-immolation, sharing a photo, saying something about it, right? 
And so not only was there scrutiny, and this is screen captured from a CCTV video about this sort of crackdown on WeChat, but they actually sent out work groups to inspect mobile phones of monks in monasteries to see if they had certain messages as well. And some of these were targeted, where they clearly knew a person that they were looking for. So arrests have already occurred based on having WeChat conversations of these extremist, evil religious groups, as the old Cisco slide called them. And many of these conversations are now happening between the diaspora outside and inside. And then most recently, Operation Thunderstrike was launched. And Thunderstrike was an attempt to clean the web of 2014 to create a healthy cyberspace. And they really took down things such as pornography, salacious fan fiction, and the Big Bang Theory television show apparently was problematic. But WeChat is being seen as a place where they had to delete 250 accounts, 20 million messages that were related to perhaps prostitution had found a home on WeChat, right? So in some ways, WeChat is being treated as the dark web in China, this place where salacious things are happening, and it needs to be even more closely monitored. And understand that if they're able to pick out which account should be deleted and which accounts can, it means they're watching every account, right? Censorship means everything is surveilled. That's how it works. There isn't a magic thing that says, just give me the ones that are bad. And I don't want to see the others, right? So this is important when we go to the kind of claims that Tencent's making in the future. So when you install the app on your phone, right? So this is an app. And this gets into another new twist. We're not talking about the web. We're talking about apps. And apps are these closed blobs of binary code that you run on a closed operating system that you know very little about and have very little control of. 
And when you install, this is from my phone. This is my Xiaomi Note phone with WeChat on it. And it shows you the permissions that it gives. Save your contact data. Malicious apps may share your contact data. Basically give us access to your address book. And you know, you seemingly choose when to give the app access to your address book on your phone. But if you're monitoring this, the app is kind of constantly reading it. Now it's probably doing that for a very generic programmer designed it to access it at a certain time. Who knows the motive? But it does access your address book quite a bit. And it has the permission to do that. You give it the permission when you run the app. They also upload your data to a server, though there are claims that they keep it private and they encrypt it. And these are claims that we can talk about verifying. And I think that's one area we'll touch base on. Location tracking is a feature. Real time or sending any location. And in fact, you give precise location tracking. When you grant an app this permission, and on Android you grant it once. On iPhone, it says a few times. Then after you give it permission a few times, it just has the permission. The Apple way is sort of make sure you really want to give it permission first. So this is a feature. And of course access to your microphone and camera. And I mentioned the push to talk feature is great. You pop open the app. You hold down a button. And you say, oh, I didn't have it open. I'm giving my talk right now. Isn't that exciting? And this just sent to my friend in India. And that's all I have to do. And we can send messages back and forth. That's what all those little green messages are. Oh, here we go. Let's see. Anyway, he heard it. My friend in India had sent a message back. So essentially WeChat and many other apps, WhatsApp, Viber, Line, Skype, are equivalent to these Android spy applications that stalkers use. 
Or what Ron Deibert in the Citizen Lab might call a remote access trojan. In the background, can monitor data, store data. So what it comes down to is that you have to trust WeChat. You trust Tencent. They'll say, we're not doing that. Trust us. Facebook will say the same thing. And Google will say the same thing. But the capability of the app is the same as a mobile spy app. And these are really horrific as a whole other topic, by the way, these apps. So all of this wouldn't, I'd probably not be giving this talk today if WeChat was just concerned with staying within the borders of China. If Tencent said, you know what? I would say, great. This is just another domestic Chinese app that's going to have a billion users. But that's their world. That's their country. The difference is that Tencent is ready to enter the world stage. This is a direct quote. And that WeChat, in the year 2013, it slowed down a little. But in 2013 was the fastest growing mobile chat app. If you look compared to Instagram and WhatsApp, and you look through, particularly driven by India, which is a really interesting one, that Indians are eating up this service. And that's where I experienced it firsthand. I said, wait, we're spending this whole time being nervous about China. I mean, there's a lot of India's telecom is kind of powered by China already, so maybe it fits. But there's a huge growth in WeChat abroad. And this was backed by a lot of marketing dollars. So you've got Indian celebrities. You've got Messi. You've got kind of lots of English language marketing. And you even have John Cusack, who last time I saw him was with the Electronic Frontier Foundation concerned about the NSA. But somehow he doesn't know. He's being marketed here. But you can scan these codes and follow celebrities. So it's got the Twitter thing. You can chat with different people and get the updates. And there's really, there's marketing in every country now. 
I had hoped that maybe, well, at American universities, they've been hiring WeChat brand ambassadors to throw pizza parties to invite students to use WeChat. And if you sign five of your friends up, you get a $25 gift card. So I had hoped that the WeChat ambassador for Harvard was going to come today. But apparently they didn't hear about my talk. But maybe they're here. So marketing dollars have been huge. Now, of course, instantly this caused a problem, which the marketing department was way ahead of the technology department. And as soon as words were banned, words were blocked on WeChat, just like words are blocked in all the other domestic Chinese services, all of the messages of users abroad who might have mentioned those things were also blocked. And people started realizing that just because Ivan's sitting next to me and we're using WeChat doesn't mean our message goes from me to Ivan. It means it goes to Shanghai, or Shenzhen, or Beijing first, and then all the way back to Ivan. Everything was routing through the centralized infrastructure, which means that I am essentially opting into the Great Firewall. I'm opting into the infrastructure of surveillance, the laws of China, all of these things by participating in that. Now, instantly they came out and said, oh, it's a mistake. We didn't mean to do that. And I'm sure it was. But it was kind of like they didn't even conceive of it as a problem initially. And it was almost sometimes I think they were testing the water to see, well, will people know? Will they care? What we've seen since then with a number of other studies is that more and more there are now features for tuning keyword censorship lists based on SIM cards or geography or carriers. So while they might say we don't censor global users now, the truth is we're using the infrastructure we have in our app to provide selective keyword filtering based on local laws and local countries. 
And this is a huge problem of any export of Chinese technology is that censorship and surveillance is a feature. The best features in the world are built in because they've been already tested in China, and now they're easy to export. So if WeChat wants to be in Turkey, it's very easy for them to comply with Turkish law to censor things. If WeChat wants to be in France and the UK have their own censorship issues now as well, and it's easy to comply there. So censorship and surveillance are a feature, and that's what this showed. With Occupy Central, this was a very obvious moment where there were lots of people in Hong Kong, a more free space, trying to communicate with people in the mainland using WeChat. And the blogging system called WeChat Moments was being blocked, clearly, easily. And WeChat Moments has its own whole separate censorship capability from the core system because it uses a web-based technology. So this is happening now, and it's still happening. And primarily, yes, it's happening between people outside of China to people inside of China. The problem is that because WeChat is so good and so nice to use, and it looks so great, people just want to use it. And so rather than saying, hey, friend inside of China, maybe you should learn how to use a proxy or VPN and use WhatsApp or Line or figure out how to use this other app, people from the outside are saying, well, I'll just use WeChat because it's easier, and then we'll deal with the censorship. It's not a big deal. Now, as part of this global expansion, WeChat has said, OK, we're going to set up servers in every country, and we're going to hire people, and we're going to do this right. We want to be a global player. And as far as I can tell, they mostly hired marketing and spokesperson type people. And I was quoted in a bit of an alarmist piece from nextgov.com about cyberspace and cyberwar and WeChat, which is a good research piece. 
But the topic was almost like if you're a Chinese-American using WeChat and you work for the government, is that a problem, which I hated. But what was interesting was that an American spokesperson appears from Tencent or WeChat. And it's interesting because they also say, well, no chats outside of China go through a Chinese server in any way, shape, or form. No chats. They also say Weixin and WeChat are separate apps, totally separate products, which is not true. They're making these claims, and they're really trying to divorce the brand of WeChat from a Chinese brand at all. So this is a test I ran literally yesterday. And I started WeChat up, and I logged all the IP addresses it was connecting to. And the majority of them went from Boston through a Trans-Pacific Cable to Australia up into China. This is how the app works. Now, maybe my chat message isn't flowing that way, but all sorts of other data is flowing that way. And I don't even know. I mean, I basically have to do a black box reverse engineering to understand what's even happening. And whether they have servers here or there, it's all just press releases, and there's no real information. So again, it's trust us. And looking at the data, I don't trust them. The servers are owned by a Chinese corporation. The IPs are owned. All of these things are, I can show you this right here. Now, when pressed about surveillance, the spokesperson instantly pivoted to crime and criminals. Classic. People are worried about surveillance. But what about those criminals? We are really all about blocking criminals. Fan fiction writers, Big Bang Theory fans, these are the people that we need to take down. And she ends with, it seems like a great person, very smart, educated at Harvard, speaks Mandarin. Based on LinkedIn, I did a little surveillance. So she ends with a statement that basically says, are there criticisms of Chinese social media? There's criticisms of American social media, US social media, the same. 
Facebook is the same as Weibo. WhatsApp is the same as WeChat. And this is a fundamental question I'm posing to you. This is their viewpoint. We'll talk more about that. So let's then say, you know what? We're going to take them at their word. We're going to believe they're good people. And I'm going to talk more about the fact that I think there are many, many good people working in the WeChat team in the Tencent, sort of a global technorati class that I feel a lot of affinity for. But remember, this is a diagram that initially came to light from Edward Snowden. And this was the SSL added and removed here for Google moment, where Google had this private fiber that they were running between data centers. They thought it was their fiber. And they didn't put much security onto it. And that's where the NSA went in, where they were wholesale extracting data, because that was the point when it left domestic soil and went to international. And they felt they had legally the right to do that. And when a Google engineer saw this, he said, F those guys. And he had this sort of like, this is just wrong. I might be an American citizen. I love my country, but this is wrong. And so imagine, if you will, the power that the Chinese internet authority has. Every one of these devices, including your phones bought here in the US, contains a root certificate authority from CNNIC, which means they can easily add and remove SSL at will for any site that is authorized by CNNIC. They have the ability to do this. And imagine the Great Firewall is not blocking, but it's our exfiltration point. It's the point of extracting data, as you're connecting into servers. And a lot of those connections, if you look back on here, actually you're using port 80, which is not secure. They're not always using SSL. 
My point is, even if we want to believe in the development team or Weixin or Tencent or whoever they are, the location within this, the most sophisticated surveillance regime that, well, sorry, one of the two most sophisticated surveillance regimes on the planet, it's problematic if they are your adversary. So we'll get into this about who do you trust. But they might be honestly saying, that's not something we're doing. You don't have to be complicit. So I'm an optimist. I do believe that things can have a good outcome or that we can. There's always something to do. And I get really excited about a lot of the excellent work that comes out of communities like Berkman and also our colleagues at the Citizen Lab at the University of Toronto, Ron Deibert. So they've been doing a really excellent project called Asia Chats, where they're looking at all of these Asia based chat apps, Line, Viber, Kakao, WeChat, and reverse engineering their protocols, their code, their infrastructure, and discovering, for instance, that when Line, which is a Japanese app, when you use Line in Thailand, all of the security, all the SSL just turns off. And you have no way of knowing when this happens or not. It's just that's the rule of Thailand's lawful intercept rule. And they also were able to start hacking SIM cards and IDs to make a phone appear to be in China so they could test how keyword censorship lists changed based on what the SIM card was reporting to the phone. They had an idea as well. If you can make your SIM card say you were not in China, could you use these apps in China without censorship? So they're doing amazing work. And I have a short story I'll tell about another outcome in a second. So that's the kind of work that needs to be done. More of this needs to be done. I think Berkman needs to do more of this kind of app analysis, protocol analysis, and mobile space, which is very different than the kind of historic work at Berkman around the web. 
My colleague Lhadon is here. And we've been working for five years in digital security training around mobile technology and just teaching people to be aware. To say, you know what? OK, use WeChat to organize, because you think it's the best place to organize or connect or communicate. I mean, it really does bring the Tibetan diaspora together in a new way. We won't deny that. But you make people smart about it and say, use it for that thing. Use it for talking to your cousin in Lhasa, but don't use it for your human rights documentation team communication, for instance. Or just making people aware in the same way that the work that we do with the Guardian Project makes people aware of security issues in the US and Europe. So this is happening. We'll be participating at the Global Voices Summit in the Philippines this month, doing a bunch of training and awareness there. And really, again, the issue, a lot of what we're concerned about is WeChat's growth in Southeast Asia as a whole, where people have a lot of choice. I didn't mention that often Line and Viber and WhatsApp are blocked in China, as well as Facebook and Twitter. So Chinese mainland users don't have much of a choice. But in the rest of Asia, they do. And they're still choosing WeChat. So more awareness, curriculum for training, security. And we have a lot of this. Lots of other people have this. And people are listening. They really are. So when the Citizen Lab was doing their reverse engineering of WeChat, they discovered something which was a complete shock. And they took me in, I was up for a meeting, and they sort of said, hey, we have something to share with you. And they popped open a computer and showed me some code. And I saw the WeChat code. And then I saw some code that said Guardian Project. And I said, wait, why is there Guardian Project, my code, in the WeChat code? And it turns out that WeChat uses our encrypted database. 
All of the messages are stored in something called encryptedmicromessage.db using a project called SQLCipher, which is a state-of-the-art mobile database encryption. I have no idea how this happened. I gave a talk at Google I/O, which is the global Google Android Developer Conference. And I just hope maybe they were there. Or this is just how the world works with this kind of, again, global technorati community that gathers on GitHub in places. And we throw our code out there. And we see where it sticks. So WeChat, which has 400 million-plus users, is using my encrypted database, which makes me very happy. And what that means is that here's a comment from October. A forensic extraction company was given a phone. Although they were able to extract WhatsApp and all the other text messages, they couldn't extract any of the WeChat messages. Now, they figured out how to crack it, because they actually did a bad job of implementing it. Sadly, WeChat should have hired us to do it for them, but it's there. The seed is there, that they need better security. The app needs better security. And WhatsApp recently implemented true end-to-end encryption for Android. It's flowing into all the other apps using an amazing new protocol by Moxie Marlinspike called Axolotl. So WhatsApp and iMessage and other mainstream apps, Apple's iMessage actually has very good security, end-to-end encryption. The bar is being raised for these mobile messaging apps with regard to the privacy and security they must provide, because we all need it. Think of Sony, right? So I had this idea of doing a marketing campaign to the Chinese Communist Party saying, you don't want to be the next Sony, do you? Or to Chinese corporate business leaders who have lots of scandals and lots of issues, you don't want to be the next Sony, right? Support encryption. And it's strange bedfellows, for sure, when you get into the security and privacy space. It's very strange, the people you ally yourselves with. 
But you either have a secure system or not. And WeChat right now is full of back doors, obviously. So this is a call to arms for all the WeChat developers out there. You need to implement end-to-end encryption, if they're watching on the camera. There's another example of a Chinese company who's doing it better, Xiaomi, right? This is the hottest, one of the hottest phones right now in the world in India. Xiaomi is a $45 billion valued startup, the most valuable startup in the world. It's a Chinese startup. Former Google engineers. They make great hardware. This is a beautiful device that costs $180. And they don't market. They save a ton of money on marketing and other things, but they've mastered the system. Obviously, they live in the manufacturing system. They're in Shenzhen, right? They want to sell to India. They want India to be their big market. And so they were getting feedback saying, we don't trust you. You're copying data. You're doing all this stuff. And they laid out their principles. We won't back up your data unless you ask. We will encrypt it all. Even Xiaomi employees can't get to it. We're using data centers in other places in the world and eventually in India. And they just, bam, they responded. They laid it out. They're transparent. They have a lot of open source code. So there's a Chinese company who's doing it right. And Tencent is not. So I'm hopeful that others will step up there. And ultimately, these companies want to be major global brands, right? They want to be Apple and Google and Facebook and eBay and Amazon. And from what I've seen with Xiaomi, they deserve, I mean, they are not just an Apple knockoff. And they are a Samsung destroyer. Alibaba's amazing for getting anything you want built by anybody at any time. And WeChat is a really beautiful product to use with all its flaws. So they want you to do this because they need your money, right? To sustain the valuations, their IPOs, market caps. They need your money. 
All of these services, the next stage is how do we become your bank? So if you can't trust them for your messages, are you going to trust them to be your bank? That's a big question. And for my contribution and many others, the great news is that open source, free, truly secure apps exist. They're easy to use. They're available pretty much anywhere in the world for any device. And the Electronic Frontier Foundation recently did a secure messaging scorecard review. And so these top three apps, ChatSecure is one my team builds, TextSecure and CryptoCat, received seven out of seven check marks for good security. Threema is one that people like. It's closed source, but it's gotten good regards. Telegram is a very interesting story because it's built by a Russian entrepreneur who was fed up with his own country's censorship and surveillance. But it doesn't quite have all the pieces. But it's still a very good system. And then Apple iMessage, surprise, which is a whole other topic of how is Apple complicit with the Chinese surveillance that I can't get into today. But they do have end-to-end encryption. So these are out there. And how do we get users of WeChat who need this kind of security to be aware of it and the rest of the world? All right, so I'm mostly done talking. I'm going to leave four questions to kind of seed the discussion now. I work with a lot of people in the Arab world or in Latin America who don't necessarily think of America as a friend or an ally. And so to them, they may not think it's that different between WeChat and WhatsApp. China, US, what's the difference? Maybe I should use WeChat, because the Chinese don't really have anything against me. Though the Chinese relationship to the Muslim world is very complex, it's a complicated subject. So is there really any difference anymore? Post-Snowden, is there any fundamental difference in terms of the kind of crackdown we're seeing of censorship and surveillance on social media in the US versus in China? 
So that's question number one. Indian military leaders for a while were really calling this a cyber war attack. WeChat is kind of this really violent threat. But maybe alternatively, it's kind of a positive entanglement. But remember that WeChat is essentially a telephone, it's the phone company. So the idea that phone companies are giving up their control is complex when you think if you're a war planner. So is this a real threat? Am I being too casual about this? And are there ways that we can hold these Chinese? If we say that we want to accept WeChat, how do we hold them accountable? We have things like the GNI and other projects that are meant to hold companies for transparency. And is there any effort to do that? And finally, in the same way, how can we pressure software developers in China to make their apps world class when it comes to security and privacy? Is that a route? So these are kind of four routes of self-introspection, the cyber war angle, the accountability of a public company, and the technical cryptography is the answer. So if anyone has any thoughts, I would love to hear them. Thanks for your patience. I'm trying to understand at what point this sort of censorship or surveillance is happening. Is it your contention that it's happening within the corporation of Tencent and WeChat as a sort of self-censoring because they know the government wouldn't like it? Or is the government looped in in some way where it is also getting a chance to see the various keywords that it blocks on its own systems? I think it's both. This slide kind of contends both. So in this one, I'm saying that based on the sophistication we know of the US system and others, it's likely that there's kind of wholesale extraction and sampling and storage of data. In addition, we know that the keyword list, delivery of lists, words you must ban, is done inside the corporations themselves. That's a software feature based on knowing about the user. So those are the two areas. 
And so generally, the thought was, if you need to know about a specific user in a specific place and you kind of have a legal warrant or some sort of rule of law process, you go to the company. If you're looking for just kind of chatter, then you're infiltrating at the wire level. And what we've seen with the XKeyscore software is a big change in assumption around what's possible to pick out of that noise. Because before, it's like, well, you're just going to have tons of packets. But now we know that it's so easy to pick out data off of fiber, essentially. Related questions, one on software apps and the other on hardware. Maybe this is just naive user-end impressions. But I felt that a lot of people were switching from Weibo to WeChat precisely because the censorship on Weibo seemed so much more prevalent. Frequently, links that you want to click on have disappeared. Keywords that you want to type in aren't there. Whereas on WeChat, even through Occupy Central and things that happened yesterday, I get my news mostly from my friends posting pictures or messages or political jokes. And I'm surprised that those things are never canceled. And maybe only a handful of times, I've tried to say something or type something and felt that the message wasn't sending through. So can you talk a little bit about how exactly, what do you think the ratio of censorship or how that works between WeChat and Weibo? So that's one question. And the other is on Xiaomi, which from a technology point of view, you like the product. You seem to trust the company. And I do recognize that the tech sector is the anomaly in China where politics and business are somewhat separate. However, it is hardware made by a Chinese company. Their ability to fundraise, to list, to do all kinds of things depend on being somewhat compliant with what the government wants. So how do you think about the risks of your hardware as a user going forward? 
Yeah, I would say that WeChat seems to still have a greater bubble of perceived bubble of freedom. And this is a more complex, maybe, Chinese cultural issue around what you can say in public versus what you can say with friends. But I think there is, for people that are being watched, it's not based on the basic evidence. But I do think that there is a difference between Twitter and WhatsApp in terms of you can make a bad joke on WhatsApp with friends, potentially. Sometimes we've seen where someone will say, I'm going to blow up a school. That's a quote, I'm not. On an app, and then someone will take a screenshot and send that to the police. And they say, oh, I just said that to my friends. Or you'll send something on Snapchat recently. There was an inappropriate picture sent by a coach to students on Snapchat. And he lost his job and went to jail. And it wasn't a public thing. It was the people in the bubble kind of reporting it. So I think I would say that everyone has an equal perception about Weibo in terms of the censorship. But on WeChat, it's more variant dependent on where you are and who you are and what you're talking about. So we've seen a lot more with Tibetans in terms of monitoring and censorship there. So recordings of the Dalai Lama speaking have caused a lot of problems, for instance. The second one is, yeah, you're right about there is a difference still between foreign companies using the Chinese manufacturing system versus mainland companies themselves. I want to find a way to get beyond that. I mean, it's almost unavoidable to, for a while, Motorola was manufacturing phones in the United States. And that was like, wow, that's maybe an alternative to the hardware manufacturing in China. But now they are bought by Lenovo. And now they're all manufactured in China again. So for me, I don't actually trust this phone. This phone has no SIM card. And I don't use my real name. 
This phone is a secure Moto E that I've stripped down and has all of my more sensitive work. So I use two phones. And that's kind of my own personal trust. For whatever reason, I have a feeling that Xiaomi is the one that might change things in terms of trust. And I think in the same way that I think foreigners should trust Google. So a lot of people would say the same thing, Google is just an American company. They're fully complicit with the NSA. And I wholeheartedly believe that enough people in Google I know who do security aren't. So I think there is a turning point that has to happen. And I think Xiaomi is poised to do that, maybe. Can you phone or a Huawei phone? Could it do what the NSA was doing? Could your phone that you're using in America take videos and send it to them? Yes, and Xiaomi's MIUI operating system has actually better privacy controls than basic Android. So there's actually some things they're doing better around that. But it doesn't have encryption of the whole device. So they've disabled some things as well. So it's a moving target a bit. I'd love to talk about it more. What do we know about, if anything, about the nature of pressure that the Chinese government puts on its technology companies to leave open possibilities for balance and so on. So if companies like WeChat or Xiaomi decided they wanted to build in strong end-to-end security, do we have any indication that that would be problematic for them? I think it would be very problematic. And I think mostly, I mean, I think the language you saw Xiaomi using was probably only for international customers as well. And so the idea that encryption would be allowed, this idea, we can decrypt the data, would not be allowed. What we've seen with a lot of, say, Tibetan sites and blogs is you'll see a message go up like, oh, we're down for maintenance or holiday. 
And it's a very, the idea of when a site kind of gets taken down or reaches a point of being not acceptable anymore, the behavior is, it changes quite a bit with the current temperature of the situation. I think that given that 10 Downing Street this morning said that they might want to ban end-to-end encryption in the United Kingdom, we're at a very complicated time for end-to-end encryption anywhere. And I've told my own software development team that the work we do might become illegal in the United States in the foreseeable future. This is something that's a reality. So I think there's a window where people that can do the code and make the code into reality should do it now before people know that it's possible. So the same thing with using the SQLCipher encryption, I'm hoping that they say, well, this protocol exists. Let's do it before they know anything. It can't be HTTPS, though, because of that CNNIC root server authority. And so if they just use the kind of traditional HTTPS security of the web, it won't be strong in China because of the whole hierarchy there. So they do need to do something like what WhatsApp is doing. And what WhatsApp is doing is amazing. If WhatsApp deploys end-to-end encryption worldwide for everybody, they will be breaking many laws in many countries. But they say they're doing it. So that'll be another litmus test for the strength of a corporation in protecting user rights. Things we said about talking to people in India about using the chat remind me a little bit of some of the discussions that we've had here about people wanting to get off of Facebook but finding it almost impossible to get off of Facebook because everyone you know is on Facebook. And the infrastructure is all there as part of your social life. 
And it just kind of starts to bring up that sort of impossible problem of how do you step away from something that is so fully integrated into your social life that by stepping away from it, you're kind of hermiting yourself in a way. Which kind of leads me to the question I actually have, which is, I mean, how would you frame this for the public? I mean, at what level of concern should people actually have about this? Because I totally understand kind of the impotence, not impotence, but like the tendency to want to frame this in a way that's, oh my god, China's reading your text messages if you use this app. But that seems like not quite the right way to take it and I'm sort of curious about how best to talk about it. For the Tibetan diaspora, being connected is huge, right? It used to take months to get a postcard, right? And now you're sending real-time messages. And for people in a fragile diaspora, you can't overestimate what you've said. It's not just hermiting, it's your life, your family, your connections, your culture. And so this can't be valued enough. Ultimately, we try to teach people a little bit about threat modeling. So if you are a reporter or a journalist or a human rights activist or something and then you need to understand that the threat exists that you could be targeted and this data could be taken from you and used against your network and your family. And I think the best thing we can do is educate and not dictate. We can't say, you're an idiot. Stop using it. We can say, here are all the threats. Let's talk through them. And wow, you could get another phone for $100 and use that phone for WeChat and this one for WhatsApp. There are some basic things that we try to teach people to do on this front. The thing that makes this more insidious is that it's not just your Facebook friends. It's that by using the app on your phone, it gets access to the rest of your data, your photos and your location. 
And we've seen attacks for years on the Tibetan diaspora with malware that were designed just to do that. So we've been teaching people for years, don't click on that attachment. You're going to get infected with malware that we know does X, Y, Z. And now they say, OK, I'm not opening attachments, but I'm using WeChat. Isn't this awesome? And so we're still kind of stuck without saying, I think there's lots of people that use this to talk to their grandmothers and their cousins and their friends. But I also had a very interesting discussion with a Vietnamese activist. And I said, well, of course, WeChat's huge in Vietnam, right? She was like, no. No one in Vietnam will use it, because it's from China. So we use WhatsApp. And it was just like, this is beyond me. This is anthropological. This is cultural studies, which is how can this whole country here and the whole country here have totally different opinions on the threat? And it's a little bit beyond me. So what we do is we educate. We try to teach people simple countermeasures. There's actually a lot of technical countermeasures to not have stuff in your phone book. So that's what I can do. And beyond that, I think not calling people like idiots or traitors, basically, and just treating them as humans who want to connect with their culture and their family and trying to sort it out from there. Thanks for this issue. I was wondering if you can speak a little bit more about just unpacking the vagueness of how the censorship actually works in China, to what extent do they actually monitor and what they look for, and what level of government they actually access, what kind of data? Or is it very segregated, very IT cluster within the government? And also, my second question is, what kind of channels are actually relatively safe for communicating to and out of China? So I will just summarize the first one, because it's a great, big topic. 
But there is regional censorship, which is we're going to turn off the internet in Xinjiang. We're going to turn off the internet in this area. So that happens. Then there's the next level, which is we are going to issue regulations to operators of websites that make them legally responsible for anything on their site. So if we go to their site and see someone posting something we don't like, then we will arrest or fine them. So that's a political or legal pressure. And then there's the distribution of keyword lists or banned topics. And these are regularly sent out that says, these are things that you need to implement a censorship filter on your site. So a lot of this is decentralized and through this pressure. And then you get up to the higher level, which is we are scanning the packets at the Great Firewall Exchange. There are many. We're looking for words in the packet like Falun Gong or Taiwan or Occupy. And we will break the connection if we see that word. So that's a next level. And then they're tracking you to your, anytime they say, well now let's track the person who did this. Because SIM cards and IPs are tracked to real names, everything is real name based, then they can easily go back to your identity. So if you're at a cyber cafe, you show your identity, your SIM card is your real name, they've banned phones that don't have a real tracking number, IMEI. So you combine all of this observance with the fact that everything is tied to a real identity and it makes it very easy to connect people. So that's what's happening on the one side. The ways around it are various, because there's so many technical people in China who need to access the web, the solutions like virtual private networks and proxy systems, like I mentioned Tor Project, Psiphon, various OpenVPN systems. I mean it's sort of, there isn't one system because anytime one system gets too big, it gets blocked. 
The most interesting thing that happened working with Tor is we would set up lots and lots of new IPs, like entrance ways into our network, secure network. And the firewall would see that and start scanning our ports to see that we were almost like a little bot crawling through all these IPs and not in China and prodding us to see if we were a proxy or a real website. So that's another level of sophistication of censorship. So in summary, the safe tools, if you look at that eff.org scorecard, all of these are safe. And if you go to eff.org and look for them. So Telegram works, ChatSecure is in the Chinese app store on iTunes. And it's on the MOBO. And we're going to have it in the MIUI app store soon. So a lot of these, iMessage is very safe, actually. No? I kind of understand the technical aspects of it, but I was more wondering the political nature of it. Like, see if someone has a certain level within the government as an individual, to what extent do they have access to some of this data? Or do we not know anything about that? I mean, we've seen plenty of level instances where city corruptions at the city level have given people the ability to make money or kill people or things. So I fully believe that that's happening. As a counter example to this in Mexico, in many cases, the drug cartels have access to the telecommunication systems through corruption. They sell, someone works there. They pay them, and they get all the data of who called who. And then they're able to find who's spying or narking on them. So I think we know there's corruption in China. We know that the telecommunication systems are not very secure. Combine those things. So it's not always from the very top down. It can often be a local threat. I don't think it's North Korea. And I think Sony had very bad operational security. And I think corporate America has been sold a bill of goods around what security really is. And our whole system is very weak. 
And the only thing that will solve it is end-to-end encryption and open source systems that don't have backdoors, basically. So I think it was just a combination of bad security. And it also demonstrates the power of non-state actors. So whoever these guys are, gals, people are, you don't have to be a state to attack at that level. And a lot of the attacks we see in the Tibetan diaspora, people want to say it must be China, right? Well, maybe they're in China. But it might be a kid in China with a bunch of other kids who don't like what we said. And they saw it online and decided to attack us. It's still a mystery. But I would say it's not. The state department said that they tracked it to us real soon. I think most people at the Berkman Center feel there isn't enough compelling evidence yet to say that. And that it's a bit of a, it's easier for us to blame a state than not to. And then last month, on a train, a high-speed train, and I was arguing with a friend. And we said, well, let's see if we can look it up. And I took out my iPhone and went to Google and got it. Not Google Hong Kong. I mean, just Google.com. Straight, Google.com. And he had a Xiaomi. He took out his phone and did the same thing. What's the permeability? And though, is it Google is bad? Google.com is bad. What's the permeability of that system that allows that to happen? And then a second, smaller question, just what's happened to Weibo? In other words, as WeChat, I mean, I'm told that Weibo is declining in use. But in some ways, Weibo has actually opened up more than WeChat. Because if you take something like the Wenzhou train accident, the fact that pictures were on Weibo meant that the initial effort by the government to close down all the information didn't work. So even though they took down things, it was too late. And so the fact that Weibo exists, it may do more for openness in China than WeChat. It does. Absolutely. So what's happening to Weibo as a result of two separate questions? 
I mean, has your behavior changed based on feeling that WeChat is less censored? I'd say over the last 18 to 24 months almost everyone in my circle, and that's some kind of a sociological niche. But everyone I know switched from Weibo to WeChat. There are studies also about, I think, demographics. People who are more educated, more affluent, tend to use WeChat. And people who are less affluent, less educated, stick with Weibo. And in terms of permeability, I mean, Google.com actually, for a long time, wasn't actually blocked. And it just was. I mean, it changes quite a bit. Were you roaming on a foreign SIM card? So that actually helps quite a bit if you have an international SIM card. The factors, where you are in the country, lots of things change. But it's more things like the Gmail and Drive and some of these other things that were censored. So there is the most interesting topic going, if you go to thegreatfire.org, is this collateral freedom system, where they're using Akamai, EdgeCast, all of these cloud caching things that are really the secret backbones of the internet. You may not see, but they power the web. They're sort of too important to block. And so using those as sort of mirrors and little oases of data is quite a really cool trick, really. And that's kind of. Was it possible that I was through Google.com was getting into Akamai? Yes, or some other front end system. You, I think your search, Google.com would return you censored search results still. But again, it might just have been because of your foreign SIM card. There's a great essay by Ursula K. Le Guin called The Stalin in the Soul, which I think is what governments more and more want to do. And I advise you to read it. She also has a speech that you just made, which she won a master's award as a writer. Another literary reference is Alan Moore's V for Victory, right, or V for Vendetta. Citizens shouldn't be afraid of the government. The government should be afraid of the citizens. 
And what it seems to me that you're talking about not only in reference to China, but also Thailand, England, the United States, this is all a question not of difference in kind, but difference in degree. And there are commercial reasons and commercial drivers for security, as we see in the sounding app. There are personal reasons and drivers for security, as in I want to feel that my communications are safe and secure. But you have governments which want to know everything, which feel that they have the right and the duty to know everything. So we're having this very unequal quote arms race, unquote, towards security. And this is what I'm getting out of what you're talking. So I'm asking you, am I getting the right impression? Yes, I mean, I grew up in the time of the Cypher War, the first generation of cryptography trying to be banned, essentially, right. And the heroes of that movement are people that are advising projects I'm on today. And to think that, well, we didn't really necessarily actually win that. And the idea that I should have equal privacy in my communication through networks, as I do in a room in my house is kind of the way I think of it often. And there's people that believe that, and maybe people that don't. But I think most people believe they should have the ability to communicate privately in a room in their house. And so I think it's also a battle of kind of metaphor or the way you visualize this network. But you're absolutely right that it is a difference in sort of degree. And that's mostly the most shocking thing right now, be it the FBI in the US and the language they're using. Because I feel that it tends to be in everything we've seen that it's overblown in terms of what the benefits of giving up that control of your information would bring. Doesn't seem to do it. Last question. 
The way that we had thought about this a couple years ago was that in addition to monitoring and tracking and surveilling individuals that might present a threat to the Chinese government, people who are interested in organizing or mobilizing in some way and therefore had a reason to be targeted, there was a kind of managed authoritarianism process at work with the surveillance of the Chinese community, with communities in which you would, which the observation of different kinds of conversations and speech was also a way to proactively manage or anticipate different kinds of unrest or concerns or grievances or desires on the part of the population. And that had been a pretty distinct way of thinking about surveillance in the context of the Chinese versus the context of the democratic process in which surveillance was more targeted and much more specifically around crime and around terror. I'm wondering whether that distinction still applies in your mind. Sounds like you're thinking that's less illicit in case, but I think to be specifically specific about that, how would you be thinking about that originally? Again, I think regionally it depends on which part of China you're talking about really in terms of, if you have areas with unrest where there needs to be targeted surveillance to kind of attack terrorism or splittism or things, then you have that type. But I think you're right that in large part it's about having, how can we have a dashboard to our country's feelings. And I think if you look at this, when you kind of come at the, when you treat your citizens as you would assets in a corporation as these units of things that need to be managed with as maximum efficiency as possible, someone just said this recently. So I'm quoting something I don't even remember who. 
When you treat them that way, that's what you get, which is we need a dashboard that has sensors and spines and things tied into everything that tell us what people are feeling and what they need to do and this is, we've talked about the connected cities and stuff kind of as being part of that. And we all want to have efficiency and prosperity and safety and, but I think the China experiment is, if you look at what they've been doing in places like Shenzhen with camera networks and facial recognition, right, and then you take that same sort of thinking of crime management or city management, apply it into what something like WeChat gives you, this dashboard of locations and moods and people, then yeah, it becomes a, I just, well, just, what questions do you do? Okay, you'd, yeah, yes, I, it's, and that's why I'm trying not to say bad China in this talk, that's the end of last slide. I'm not saying bad China, I'm saying let's look at ourselves as well in this process and what are we enabling or what are we not enabling it and technology companies in the West are making hard decisions about taking a gamble and saying we're going to stop this, right? As much as they can, though, you know, the value of Facebook and Google in large part comes from their ability to sense these things. So, you know, for me, at a broad level, I still have a lot of open questions. 
I think you're, I think you're onto something with that observation and I think more people should explore it, but at a very specific level, you know, when I go to India shortly and do trainings with Tibetan activists, you know, there's a WeChat still represents a threat and so I think you need to consider it that way and a lot of these apps do and, you know, it's an interesting, if you go back to the whole set of apps available, WeChat is China, Line is Japan, Viber is Korea or KakaoTalk is Korea, WhatsApp is USA, Telegram was Russia and you have this interesting side of who's, which nation do I choose to use their phone company? So you're not just choosing Verizon or AT&T anymore, you're choosing, am I gonna use the WeChat? And that's a new thing, too, is that you can kind of choose a global position to your communications and all of the problems that come from those countries come along with it. All right, thank you very much. Thank you. Thank you.