Remain anonymous and bypass censorship on the Internet

Updated 11 December, 2018


    Many countries maintain infrastructure that prevents Internet users within those countries from accessing particular websites and online services. Businesses, schools, libraries and other institutions often rely on similar techniques to "protect" their employees, students and customers from material they consider harmful or distracting. This filtering technology comes in a number of different forms. Some filters block sites based on their IP addresses, while others blacklist particular domain names. Some block all services until they are added to an official whitelist, and others search through all unencrypted traffic and drop requests that include specific keywords.

    You can often bypass these filters by installing software that relies on intermediary servers, located in other countries, to relay content between your device and the blocked services you are trying to reach. This process is often called censorship circumvention, or simply circumvention. Those intermediary computers are often called proxies, and they too come in many different forms.

    This guide includes a brief introduction to the Tor anonymity network and a more thorough description of basic circumvention proxies, including Virtual Private Networks (VPNs). Both techniques have advantages and disadvantages. Tor is a good option if it works in your country, if its use is not criminalised and if you are willing to sacrifice speed in order to keep your online activity anonymous. Otherwise, a VPN — or some other encrypted circumvention proxy — might serve you better, as long as you trust the individual or organisation that operates the service.

    What you can learn from this guide

    • How to access a website that is blocked from within your country
    • How to prevent websites that you visit from knowing your location
    • How to ensure that neither your ISP nor a surveillance organisation in your country can determine which websites and Internet services you visit

    Understanding Internet censorship

    Research carried out by organisations like the Open Observatory of Network Interference (OONI) and Reporters Without Borders (RSF) indicates that many countries filter a wide variety of social, political and 'national security' content, while rarely publishing precise lists of what they block. Naturally, those who wish to control their citizens' access to the Internet also make a special effort to block known proxies and websites that offer tools and instructions to help people circumvent these filters.

    Despite the guarantee of free access to information enshrined in Article 19 of the Universal Declaration of Human Rights, the number of countries engaged in Internet censorship continues to increase. As this practice spreads throughout the world, however, so does access to the circumvention tools that have been created, deployed and publicised by activists, programmers and volunteers.

    Before exploring the various ways to bypass Internet censorship, you should first develop a basic understanding of how these filters work. In doing so, it may be helpful to consider a simplified model of your connection to the Internet.

    Your Internet connection

    When requesting a webpage or interacting with some other online service, your device first uses its wired, wireless or mobile data connection to reach your Internet Service Provider (ISP). If you are home, this is probably a company you pay every month. If you are using mobile data, it is probably your mobile service provider. If you are working from an office, a school, an Internet cafe or some other public space, it may be difficult to determine who your ISP is.

    Whoever they are, your ISP will have assigned an external IP address to your network. Online services can use this address to send you data, such as the emails you receive and the webpages you request. (Your device will have an internal IP address, as well — which is how your router tries to ensure that everybody on your network receives their own traffic — but it is not used when connecting to the Internet.)

    Anyone who learns your IP address can figure out what city or region you are in, but certain institutions can determine your precise location:

    • Your ISP will likely know what building you are in. If you are using mobile data, your service provider already knows your precise physical location.
    • Your Internet cafe, library or business will know which of their computers you were using at any given time. Or, if you brought your own device, they will know which port or wireless access point you used.
    • Government agencies may know all of the above. And, even if they do not, they can often use their influence to find out.

    Your ISP relies on the network infrastructure in your country to connect its users with the rest of the world. And, on the other end of that connection, the website or Internet service you are accessing will have gone through a similar process, having received its own IP addresses from an ISP in its own country.

    Internet communication is a bit more complex than the description above would suggest, but even such a simplified model can prove useful when evaluating anonymity and circumvention tools.

    How websites are blocked

    When you go to view a webpage, your device uses the Domain Name System (DNS) to look up the IP address (something like 213.108.108.217) associated with the site's domain name (something like securityinabox.org). In this example, it would then ask your ISP to send a request through to the ISP in charge of 213.108.108.217. If you make it that far, your device will then ask the webserver at 213.108.108.217 for the securityinabox.org content.

    If you are in a country that censors securityinabox.org, however, your request will be dropped or rerouted at some point during that process. This might happen when you try to look up the IP address, when you request the content or as the content is being sent to your device. In some countries, ISPs are asked to handle this directly by consulting a national blacklist or by developing one of their own. Other countries rely on filtering infrastructure that monitors all requests from within the country and compares them to a centralised blacklist. These lists can contain domain names, IP addresses or both.

    In some countries, filtering software scans your unencrypted Internet traffic for blacklisted keywords, even if those keywords are not part of the Web address. Software like this can scan the pages returned to you as well as the requests you make.

    Finally, you might not always know when you have requested a blocked webpage. Some filtering tools display a message that explains why a particular page has been censored, but others display misleading error messages. They may imply that the page cannot be found, for example, or that the address was misspelled.
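
    Because a blocked page can fail at the lookup, at the connection, during the request or in the content that comes back, the stage is easiest to identify by comparing what you saw with what an unfiltered vantage point saw. The sketch below is an added example, not part of the original guide; the Observation fields, verdict names, 0.7 size threshold and sample observations are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    """What one vantage point saw while fetching a site (fields are assumptions)."""
    dns_ips: frozenset                  # addresses the resolver returned
    tcp_ok: bool = False                # did a TCP connection to the site open?
    http_status: Optional[int] = None   # None = reset or timeout mid-request
    body_len: int = 0
    title: str = ""

def classify(local: Observation, control: Observation) -> str:
    """Name the stage at which the local fetch diverged from the control."""
    if not control.dns_ips or control.http_status is None:
        return "site-down"           # control failed too: no evidence of filtering
    if not local.dns_ips:
        return "dns-blocked"         # lookup refused or answered "no such domain"
    dns_differs = local.dns_ips.isdisjoint(control.dns_ips)
    if not local.tcp_ok:
        # Unrelated answer + dead address suggests a poisoned lookup;
        # matching answer + dead address suggests an IP blacklist.
        return "dns-tampered" if dns_differs else "ip-blocked"
    if local.http_status is None:
        return "request-dropped"     # connection opened, then reset or timed out
    ratio = min(local.body_len, control.body_len) / max(local.body_len, control.body_len, 1)
    same_page = local.title == control.title or ratio >= 0.7
    if local.http_status == control.http_status and same_page:
        return "accessible"          # other IPs (e.g. a CDN) but the same content
    # A different page came back: a block notice or a misleading error.
    return "dns-tampered" if dns_differs else "content-replaced"

# Constructed observations; 192.0.2.x and 198.51.100.x are documentation ranges.
SITE = frozenset({"213.108.108.217"})
CONTROL = Observation(SITE, True, 200, 48_000, "Security in a Box")
LOCAL = {
    "no answer":    Observation(frozenset()),
    "dead address": Observation(SITE, tcp_ok=False),
    "reset":        Observation(SITE, True, None),
    "fake 404":     Observation(SITE, True, 404, 1_200, "Not Found"),
    "redirected":   Observation(frozenset({"192.0.2.1"}), True, 200, 900, "Blocked"),
    "cdn node":     Observation(frozenset({"198.51.100.7"}), True, 200, 47_500, "Security in a Box"),
}

def classify_all() -> dict:
    return {name: classify(obs, CONTROL) for name, obs in LOCAL.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:13} -> {verdict}")
```

    The "cdn node" case is why a different DNS answer is not treated as proof on its own: the verdict depends on whether the later stages also diverge.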

    Each filtering technique has its own strengths and weaknesses. When attempting to circumvent online censorship, however, it is often easier to assume the worst than to figure out what techniques are being used in your country. In other words, you might as well assume:

    • That filtering is implemented nationally, at the ISP level and on your local network;
    • That DNS lookups and content requests are blocked;
    • That blacklists are maintained for both domain names and IP addresses;
    • That your unencrypted Internet traffic is monitored for keywords; and
    • That you will be given a misleading reason when a blocked site fails to load.

    The safest and most effective circumvention tools should work regardless.

    Understanding censorship circumvention

    There are many reasons why you might not be able to view a webpage or communicate with some other online resource. If Internet censorship is the culprit, a device somewhere between you and that resource has probably decided to block your communication. We typically rely on physical metaphors like circumventing and bypassing to describe how we get around such obstacles. Unfortunately, to reach your destination without sending traffic through the filtering infrastructure of the country where you are located, you would actually have to construct your own Internet. (Or perhaps use a satellite network, which comes with its own significant risks.)

    In reality, circumvention tools work by ensuring that the destination of each request is encrypted until it arrives at a proxy server in another country. That proxy then decrypts it, sends the request for you, accepts the response, encrypts it and relays it back to your device. Tunneling is perhaps a better metaphor than circumvention. Technically, your traffic is still passing through your country's blocking infrastructure, but the filters are unable to read it or determine where it goes after it leaves the tunnel. All they know is that you are interacting with an unknown computer — sometimes called a proxy — somewhere on the Internet.
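
    The tunnel's effect is easiest to see from the filter's side of the wire. The following added example (not part of the original guide) models a filter with the IP, domain and keyword lists described earlier and runs the same request past it directly and through a tunnel, then goes one step further to the case covered under "Blocking resistance", where the proxy's own address is listed. The mirror and proxy addresses, the key, the keyword and the seal() stand-in cipher are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Filter:
    """Toy model of a filter: three lists, checked against each packet."""
    blocked_ips: set
    blocked_domains: set
    keywords: set

    def verdict(self, dst_ip: str, payload: bytes) -> str:
        if dst_ip in self.blocked_ips:
            return "drop:ip"
        text = payload.decode("latin-1").lower()
        hosts = [l[5:].strip() for l in text.split("\r\n") if l.startswith("host:")]
        if any(h in self.blocked_domains for h in hosts):
            return "drop:domain"
        if any(k in text for k in self.keywords):
            return "drop:keyword"
        return "pass"

def seal(key: bytes, data: bytes) -> bytes:
    """Stand-in for the tunnel's encryption (XOR with a SHAKE-256 keystream).
    Illustration only, not a secure cipher."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

SITE_IP = "213.108.108.217"                             # address used in the guide
MIRROR_IP, PROXY_IP = "198.51.100.20", "203.0.113.50"   # constructed addresses
KEY = b"constructed tunnel key"

def request(host: str, path: str) -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def run() -> dict:
    f = Filter({SITE_IP}, {"securityinabox.org"}, {"circumvention"})
    req = request("securityinabox.org", "/guide")       # constructed path
    out = {
        "direct": f.verdict(SITE_IP, req),
        "direct, unlisted IP": f.verdict(MIRROR_IP, req),
        "other site, keyword in URL": f.verdict(MIRROR_IP, request("example.org", "/circumvention")),
        "tunnelled": f.verdict(PROXY_IP, seal(KEY, req)),
    }
    f.blocked_ips.add(PROXY_IP)                         # the censor identifies the proxy
    out["tunnelled, proxy listed"] = f.verdict(PROXY_IP, seal(KEY, req))
    out["proxy recovers request"] = seal(KEY, seal(KEY, req)) == req
    return out

if __name__ == "__main__":
    for case, result in run().items():
        print(f"{case:28} {result}")
```

    Once the request is sealed, the only field the filter can still match on is the destination address, which is why the last tunnelled case fails.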

    Blocking resistance

    Of course, the government agency in charge of Internet censorship in your country — or the company that provides updates for its filtering software — might some day identify that unknown computer as a circumvention proxy. If that happens, the proxy's own IP address may be added to the blacklist, making it just as unreachable as the content you were using it to access.

    It usually takes some time for proxies to be blocked like this, however, and those who maintain circumvention tools typically fight back using one or more of the following techniques:

    • Hidden proxies can be distributed to new users in a way that prevents censors from learning about all of them at once;
    • Disposable proxies can be replaced more quickly than they can be blocked;
    • Obfuscation is used by various tools to prevent censors from identifying unknown proxies based on the metadata of the traffic they send and receive; and
    • Domain fronting is a way to ensure that a proxy cannot be blocked without also blocking access to some other popular service (such as https://www.google.com).

    The Tor anonymity network

    Tor is the most well known and thoroughly tested public anonymity network. It works a bit like a VPN except that, each time you use it, your device selects three proxies — more or less at random — and relays traffic through all three of them. These proxies are called Tor relays. They are run by volunteers, and there are several thousand of them. By adding a separate layer of encryption for each relay, Tor ensures that neither your ISP nor the relays themselves can determine both your device's IP address and the location of the websites you are visiting.

    As a result of this design, Tor also manages to bypass Internet censorship in most countries. You can learn more about the Tor Browser from the corresponding Tool Guide:

    Hands-on: get started with the Tor Browser - Online anonymity and censorship circumvention [Windows] [Mac] [Linux]

    While the Tor Browser is slower than many other circumvention tools, it has a few unique features. First, it saves you from having to worry about whether or not you can trust the individuals and organisations who operate the proxies you use. Second, it does a much better job of preventing the websites you visit from figuring out who you are. These are technically privacy features, not circumvention features, but they are important to many people who are forced to contend with online filtering.

    Using Tor does not hide the fact that you are using Tor, and that fact alone could put you at risk even if nobody can tell what you are using it for. Also, you still need to ensure that you have a secure (HTTPS) connection to the website you are visiting before you send or receive sensitive information.

    Basic circumvention tools

    If the Tor Browser does not work in your country, if using it would put you at risk, or if it is too slow for your needs, then you might need to find another option.

    Virtual Private Networks (VPNs)

    In some countries, it is enough just to sign up for a free or commercial VPN service run by an individual, organisation or company you trust. Some VPN services rely on functionality that is built into the Windows, Mac, Linux, Android and iOS operating systems. Others require that you install and configure the OpenVPN software. In some cases, your provider will offer a customised installer that handles everything for you.

    The only problem with this approach is that basic VPNs rarely have built-in blocking resistance features, as described above. As a result, once your VPN service is blocked, you may have to find a new one.

    Below are two secure, private, free, open-source VPN options from the Riseup Collective.

    OpenVPN and Riseup's "VPN Red"

    If you have a Riseup email account, you can use it to proxy through Riseup's VPN Red service. To do so, you will need to install and configure an OpenVPN client for Windows, Mac or Linux. (On Android, you can use the OpenVPN for Android app, but you will have to configure it manually.)

    If you do not have a Riseup account, but you know someone who does, you can ask them for an invite code and use it to create a new account.

    Bitmask and Riseup's "VPN Black"

    Bitmask is a FOSS VPN client similar to OpenVPN but with additional security features. It works with Riseup's VPN Black service, for which you can create an account without an invite code.

    Bitmask is extremely easy to install and configure for Android devices ([Google Play] [F-Droid]). It also works on some Mac and Linux devices. It does not currently work on Windows or iOS devices.

    Circumvention-specific proxy tools

    If you work from a country that aggressively blocks Tor bridges and VPN services, you might have to use software that is optimised for blocking resistance. Different tools attempt to solve this problem in different ways, but you should always consider the following questions before choosing one:

    • Is the tool secure? Can you trust the people who operate it? We strongly recommend using tools that encrypt the connection between your device and your proxy. If you stick with open source software, you will probably find experts who have evaluated this aspect of the tools you are considering. Finally, remember that encryption does nothing to prevent an unscrupulous administrator from maintaining a full list of the websites you visit through their service. (The only way to avoid this particular risk is to use the Tor Browser.)
    • Is it a web-based proxy or standalone software that must be installed? A Web-based proxy is just a webpage with a built-in address bar that works like a browser within a browser. Web-based proxies can be convenient, at times — such as when you are unable to install software or when doing so might put you at risk — but reputable standalone circumvention tools are both more secure and more reliable. You should never use a web-based proxy through an insecure (HTTP) connection. And you should avoid entering passwords or exchanging sensitive information through a web-based proxy, even if it does support HTTPS.
    • Is it public or private? Public proxies can be used by anyone, free-of-charge, but they tend to become overcrowded more quickly. This slows them down and increases the likelihood that they will be blocked. Private proxies limit access in some way, often by charging a monthly or yearly fee. If you are able to get an account on a reliable, secure, trusted, private proxy, it will probably continue working longer than a public proxy. Even the Tor Browser, which is public, sometimes requires users to obtain new bridge relays. (You can learn more about bridge relays from the Tor Browser Tool Guide for Windows, Mac or Linux.)

    Psiphon3

    Psiphon3 is a secure, open source, public, ad-funded circumvention tool that uses VPN and SSH proxies to provide uncensored access to online content. It is available for Windows, Android and iOS.

    If the download pages themselves are blocked, you can email get@psiphon3.com, and they will send you an alternate link that is more likely to work. Be aware, however, that the Direct Download link for Android requires that you allow your device to Install Unknown Apps, which is quite risky. You can learn more about these risks from the Tactics Guide on how to Use your smartphones as securely as possible.

    Lantern

    Lantern is a secure, open source, public circumvention tool that uses HTTPS proxies to provide uncensored access to online content. It is available for Windows, Mac, Linux and Android devices.

    Further reading