Five participants confirmed installing GFW evasion tools exposed them to malware; prior work cited in the paper found >38% of Android apps using the VPN permission contain malware. Participants additionally reported fake gaming platforms that install adware and credential-stealing phishing pages; notably, VirusTotal did not flag any of the fake platform URLs identified by participants, indicating conventional AV tools provide insufficient protection.

In a survey of 2,415 young Chinese online gamers, 73.9% (1,786) were affected by addiction prevention systems (APS) while minors, and 37.7% (674) of those successfully evaded the APS. 15 of 35 interview participants also actively evaded the GFW at interview time (verified by Twitter live-post retrieval), supporting the hypothesis that mandatory APS evasion for trivial gaming activities normalizes and desensitizes minors to GFW circumvention.

§5, §9.2 evaluation

Domestic Chinese search engines (e.g., Baidu) return no valid results for direct VPN or '翻墙' (climb the wall) queries, but 16 of 18 GFW ladders mentioned by participants remained discoverable via Chinese jargon and homonyms (e.g., '蕃蔷' as a homonym for 'climbing the wall'). Word-of-mouth through college friends, gaming forums (Baidu Tieba), and QQ group chats were primary alternative distribution channels.

§8.1 evaluation

17 of 35 interview participants used game accelerators or GFW ladders interchangeably to connect to international gaming platforms; several popular VPNs bundle game acceleration, and open-source accelerators (e.g., Steam++, rebranded as Watt Toolkit) provide partial GFW-evasion covering GitHub, Google Authenticator, Pixiv, Discord, and Twitch. The paper recommends CRSes market as gaming accelerators to provide plausible deniability, while capping active accounts or rebranding periodically to avoid attracting censor attention as popularity grows.

§9.2, §9.3 defense

The GFW engages in a continuous IP-blocking race against VPN services: participants reported that when one VPN goes down, others fail simultaneously, and banned services recover 'after a while,' suggesting coordinated blocking waves followed by IP rotation. Major foreign providers (ExpressVPN, NordVPN) now have no mainland China server nodes, rendering them ineffective for Chinese users.

§8.2 detection

During the June 2025 shutdown, Iranian authorities blocked international One-Time Password (OTP) SMS delivery, preventing new sign-ins to foreign secure-messaging platforms and VPN services. This forced users toward government-approved domestic platforms that lack security and privacy protections. The blockade of OTPs effectively weaponized account-recovery flows as a secondary shutdown layer, disproportionately affecting users who needed to activate new circumvention tools during the crisis.

2025-iran-shutdown-measurement §Human Rights Implications port-blockingdpikeyword-filtering

Simple character-level perturbations (English) and homophone substitutions (Chinese), combined with LLM instruction-following prompts directing the model to use word substitutions in its output, successfully bypassed all input and output filters for all 41 input-blocked and 197 output-blocked queries across five major Chinese LLM services (Baidu-Chat, DeepSeek, Doubao, Kimi, Qwen). Every input-blocked query contained at least one keyword combination that alone triggered the filter, confirming keyword-matching rather than semantic classification.

2026-ablove-characterizing §VII-D keyword-filtering

Cross-national experiments conducted from Singapore, South Korea, and Taiwan during February 19–24, 2025 found no variance in blocking implementations, event syntax, or server infrastructure across all five Chinese LLM services. Input blocking was enacted identically in all three international locations, and services connected to the exact same server IP addresses globally — Kimi and Baidu-Chat connected to identical IPs and DeepSeek to the same two addresses across all tested locations.

2026-ablove-characterizing §VIII-A keyword-filtering

Input blocking in Chinese LLM services (DeepSeek, Qwen, Kimi, Doubao) is overwhelmingly consistent: all four services persistently block the exact same queries across all 5 measurement samples in both Simplified and Traditional Chinese. Output blocking is far less consistent, with only 29 out of 349 output-blocked queries blocked across all 5 samples. Baidu-Chat is exceptional: it performs almost no input blocking but instead relies heavily on post-search and output blocking (78.6% of blocks are output-phase).

2026-ablove-characterizing §VI-B keyword-filteringdpi

DeepSeek, Kimi, and Doubao all transmit analytics logs to the same Autonomous System (AS24429, Zhejiang Taobao Network Co., Ltd., a ByteDance/Volcengine subsidiary), with one monitoring endpoint IP directly overlapping between DeepSeek and Doubao. Additionally, all four non-Qwen services maintain connections with servers physically located in China throughout the chat session, transmitting user IDs, session IDs, viewport data, language preferences, and in Baidu-Chat's case, the full query text via URL-encoded CAPTCHA requests.

2026-ablove-characterizing §VI-D keyword-filtering

All five Chinese LLM services transmit partial or complete responses to the client machine even when output blocking is triggered, representing a major information leak. For DeepSeek and Qwen, truncated blocked responses are on average close in token length to full successful responses. For Baidu-Chat, the complete response is transmitted to the client but only partially rendered in the browser UI, with only a word or two visible on screen.

2026-ablove-characterizing §VI-C keyword-filtering