Want CNET to notify you of price drops and the latest stories?

Cracking the great firewall of China

Bennett Haselton made headlines as an advocate for preserving the rights of young people to surf an unfiltered Web. Now, in a partnership with the U.S. government, he's working on finding a way to circumvent Internet censorship restrictions in China.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
10 min read
"You'll understand when you're younger."

That's the rallying cry of Bennett Haselton's advocacy group, Peacefire, founded to preserve the rights of young people to surf an unfiltered Web. The group's preferred method? Sabotaging the software ostensibly designed to protect kids.

Haselton and his group may wind up in search of a broader motto as they take on a censor even more fearsome than the typical American parent: The People's Republic of China.

For the last six years, Bennett Haselton has fought a wide range of adversaries with Peacefire, which now employs a staff of 12 and boasts 7,000 members. Haselton started with Web filtering applications like Net Nanny and CyberSitter ("censorware" to Haselton and other critics), then devoted some time to software bug hunting, and more recently began an education campaign to teach the masses how to use state law to sue spammers--something Haselton himself has done with mixed results.

Now Haselton, 24, has gone back to his free-speech roots, working at the behest of the U.S. government to circumvent China's restrictive firewall.

A native of Oklahoma, Haselton lived in Denmark and England before returning to the United States for college at age 16. At 20, he had his master's degree in math from Vanderbilt University in Nashville, Tenn., with which he landed a job at Microsoft, where he lasted 7 months working on Visual Basic before he quit. He has collected security hole bounties from companies including Netscape Communications, Macromedia and iDefense. He launched Peacefire in 1996.

This month, Haselton released his software designed to breach China's firewall and other governmental filtering software, a commission from the International Broadcasting Bureau (IBB), which produces the famed Voice of America news and propaganda media service through which the U.S. government disseminates its point of view around the world. That software, Haselton and the IBB acknowledge, could have other uses here at home--for instance, by young people looking to get around content filters at home or at school.

Haselton spoke and e-mailed with CNET News.com from his home in Seattle, where he is a freelance computer programmer.

Q: When did you first get interested in computers?
A: I moved to the U.S. when I was 16 to go to college. At the time, I thought that Windows was the operating system on a Macintosh and I had a lot of catching up to do. My first year in college, I didn't absorb as much about computers as I did about online culture, where it seemed that there was a lot of passion about free speech but not a lot of discussion of how the rights of people under 18 were affected.

The issue of free speech for people under 18 is complicated.

The issue of free speech for people under 18 is complicated. The bottom line is that we've made a lot of social progress because of past generations that rejected the ideas of their parents while they were still teenagers, so free-speech rights of people under 18 are important.

Why and when did you found Peacefire?
It was founded in 1996 because there were no groups advocating for the rights of people under 18 in the Internet censorship debate. It was almost a taboo subject. People would say, "Well, if you're using your parents' computer then you have no rights." But what if it's a minor using someone else's computer, or a computer at a public library that essentially "belongs to everybody"? Now you're getting into complex issues about rights and responsibilities. There wasn't much debate about it in 1996, and there still isn't, but we stimulate the discussion as much as we can.

I think that the Internet is increasing respect for teenagers' rights in at least three ways. First, you can't always tell someone's real age online, so you can be taken by surprise if the articulate person you were talking with turns out to be much younger than you thought. Second, technology changes so quickly that young people can catch up by learning new technologies as they're emerging, and get jobs or work on projects where they know almost as much as their adult peers, which wouldn't be possible in other industries like medicine. Third, the Internet fosters the kind of back-and-forth written debate that wouldn't be possible anywhere else.

It takes years to change people's attitudes, but I think that the more the issue of minors' rights is discussed in that kind of unmoderated format, the more arguments will be made in favor of increasing rights for people under 18.

What does the name "Peacefire" mean?
The name doesn't mean anything. I actually think it sounds pretentious, and I probably would have picked a better one if I thought it would get so big. The only remedy at this point is for the name to become so well-known that people associate it with the group, instead of with the meaning of the component words.

How has the group's mission, and yours, evolved since the beginning?
We started by publishing information about what kind of sites were really blocked by blocking software. This was unusual because it was a loosely organized group of teenagers who were doing original research and advocacy work, in an area that no other group had explored yet. We weren't a "junior" version of some other group.

People asked how anyone could believe that a teen had the right to disable software on a computer that someone else paid for.

There are a couple of reasons why I think we were in a position to be the first group to focus on blocking software. First of all, the work wasn't very rewarding--you could spend all this time coming up with a list of sites blocked by mistake, and then if you publish them, the blocking company can take those sites off the list. Then if someone downloads the blocking program and sees these sites aren't blocked, they might not believe you that they were ever blocked at all. Blocking companies will often unblock individual errors, but there has never been an instance where they publicly said they would fix the underlying problem with their process that got those sites blocked in the first place. So to a lot of skilled researchers, it wasn't worth their time to find these blocked sites at all, but we were willing to do the tedious part.

Second, most people were reluctant to criticize blocking software, because it was widely perceived that more content could be legally allowed on the Internet as long as it was possible to censor people under 18. This was not how it played out in court--it was actually the government who argued in favor of blocking software, saying that it would make it possible to comply with Internet censorship laws--but the misconception was still widespread.

Third, there was a risk that you could be labeled as a pervert if you came out against software that was advertised to "protect children." Because we were a teen-run group coming out against it, that just made us sound like whiners. However, it's better to be a labeled a whiner than a pervert, so it was easier for us to criticize the software.

In 1998 we started posting information on the site about how to disable blocking programs. That intensified the debate because people asked how anyone could believe that a teen had the right to disable software on a computer that someone else paid for. I think there are special circumstances if you're legally prohibited from owning your own computer, or from borrowing money to buy your own computer, or forced to work for free all day so that you can't afford your own computer--then it's OK to use someone else's.

You've worn many different hats: bug hunter, spam litigant, censorware buster, circumvention software provider--have I missed anything?
I think that's it.

So my question is, what ties these various causes together beyond Bennett's mission du jour?
Some of these things aren't really Peacefire projects, but I had a section on Peacefire for personal Web space. Since I started out by looking for holes in blocking software, that led in the general direction of looking for security holes in general, and a few companies like Netscape and E-Gold offered rewards for finding security bugs.

As for the spam battle, we didn't exactly choose that one.
As for the spam battle, we didn't exactly choose that one. The way I looked at it, our server was already under attack from spammers, so the question is what we were going to do about it. Washington had an anti-spam law that allowed us to collect money for the spams, so if we could weave straw into gold, then why not?

What's the latest on the spam litigation front?
I think it will be a big win for spam-fighting if AOL wins in their latest round of "John Doe" lawsuits. When you don't know the spammer's real identity, you can sue John Doe and then ask a court to make the ISP tell you who was using a particular address at a particular time, so that you can sue that person specifically. This is important because most of the time it's not possible to track down a spammer's real identity unless you have a court order to help you.

We also need courts to say that if a company announces it will pay Bob for a list of names and phone numbers of people who are interested in buying a product, regardless of how Bob got those names and numbers, then that's the same as paying Bob to spam for them, and makes the company liable. That's why for years there was no spam about DVD-copying software, and suddenly last spring, every third spam that you got was about how to copy a DVD--because one company announced that it would pay money to anyone who could find people who were interested in DVD copying.

Even if the company tells its affiliates that they are not allowed to spam, that's meaningless if the company can't enforce it, because a person who receives spam from one of the affiliates doesn't know where they're supposed to complain.

Most importantly, there needs to be more consistency in the rulings from different judges, or else it's not practical for an individual to sue a spammer because you have to learn a different version of the law for every judge. In Bellevue, half the judges said you couldn't sue spammers outside Washington state, and the other half said you could. Half said that you couldn't sue them unless you'd actually lost money, and the other half said you could sue for the $500 allowed by law. Half said that if a spammer spammed you twice, you could sue them twice, and the rest said, no, you could only sue them once. And so on.

On questions like those, if a judge disagrees with the plaintiff, it's highly inappropriate for them to say that the plaintiff needs to "go do legal research" or "hire an attorney," when the truth is that the judges themselves haven't made up their minds what the law is.

How has the circumventor test gone so far? How many people have downloaded it, and is there any way of knowing whether or not it's being used by the target audience, in China? In other countries with national firewalls? By oppressed teens here at home?
We've gotten e-mails from people using it in China, in the Middle East, and in schools around the country as well. The nice thing about it is that if a group of friends wants to use a circumventor, only one of them has to install it on their machine, and then the rest of them can all share it.

Are you concerned about so-called Super DCMA laws tripping up your anti-censor software? Your circumventor? What are the odds, should one of these laws pass, of your government-funded circumventor being cited by a state government as a violation of the law?
The bills being considered in Texas and Massachusetts ban any technology that conceals from your ISP the "place of origin or destination of any communication." Our circumventor does meet this definition, since someone could use it to prevent their ISP from seeing what Web sites they were browsing. But I don't think any state government would try to shut it down, because that would call attention to the stupidity of the law, and just speed up the process of the law being overturned--which it probably would be, if someone challenged it. That doesn't mean we won't attack the law, and join a lawsuit to challenge it, if we get the chance. If the state passes an overbroad law, they can't buy our silence by promising not to enforce it against us specifically.

On the other hand, if a group like the ACLU (American Civil Liberties Union) were to challenge one of these laws, I don't know if we would be "sympathetic" enough as a plaintiff, because the circumventor is still controversial due to the fact that it can be used to defeat school and home blocking software. There are many other potential plaintiffs, such as the makers of PGP encryption software, that are less controversial, and would serve the purpose of calling attention to the futility of the law. But if one of those laws is passed and then challenged in court, and we're invited to join the lawsuit, we will.

Having agitated against the government's policies with respect to the installation of content filtering software on public computers for so long, what's it like to be contracting for them with the circumventor?
Well, they don't have a position on the use of the software to defeat blocking programs used in homes or schools. I guess their only position is that even if the software can be used that way, that's not a good enough reason to withhold the software and deny its use to people in censored countries like China and Saudi Arabia.

As for us, we could take the cop-out and say that we just make a tool and we don't care how it's used, but instead we use the opportunity to take a stand and say that we actively support the use of the software to help defeat home and school blocking programs. If you're not legally allowed to own your own computer, and you're made to work for free all day so that you couldn't afford a computer even if you could legally own one, you do what you have to do.