TECHNIQUES
keyword-filtering Keyword filtering
The censor blocks or modifies traffic based on the appearance of specific keywords (URLs, social-media posts, search queries). Common in CN platform-side moderation.
44 papers on file
- 2026-yan-efficient-provably-secure Efficient Provably Secure Linguistic Steganography via Range Coding
- 2025-ahmed-llm-censorship-bias An Analysis of Chinese Censorship Bias in LLMs
- 2024-hoang-gfweb GFWeb: Measuring the Great Firewall's Web Censorship at Scale
- 2024-niere-http-smuggling Turning Attacks into Advantages: Evading HTTP Censorship with HTTP Request Smuggling
- 2024-zhang-toothless How Do Toothless Tigers Bite? Extra-institutional Governance and Internet Censorship by Local Governments in China
- 2023-feng-study A Study of China's Censorship and Its Evasion Through the Lens of Online Gaming
- 2023-nourin-measuring Measuring and Evading Turkmenistan's Internet Censorship
- 2023-streisand-where Where Have All the Paragraphs Gone? Detecting and Exposing Censorship in Chinese Translation
- 2022-chang-covid-19 COVID-19 increased censorship circumvention and access to sensitive topics in China
- 2022-harrity-get GET /out: Automated Discovery of Application-Layer Censorship Evasion Strategies
- 2022-waheed-darwin-s Darwin's Theory of Censorship: Analysing the Evolution of Censored Topics with Dynamic Topic Models
- 2021-knockel-measuring Measuring QQMail's Automated Email Censorship in China
- 2021-rambert-chinese Chinese Wall or Swiss Cheese? Keyword filtering in the Great Firewall of China
- 2021-sharma-camoufler Camoufler: Accessing The Censored Web By Utilizing Instant Messaging Channels
- 2020-alharbi-opening Opening Digital Borders Cautiously yet Decisively: Digital Filtering in Saudi Arabia
- 2019-chen-impact The Impact of Media Censorship: 1984 or Brave New World?
- 2019-ververis-shedding Shedding Light on Mobile App Store Censorship
- 2019-xiong-efficient An Efficient Method to Determine which Combination of Keywords Triggered Automatic Filtering of a Message
- 2018-knockel-analysis An analysis of automatic image filtering on WeChat Moments
- 2018-ng-detecting Detecting Censorable Content on Sina Weibo: A Pilot Study
- 2017-darer-filteredweb FilteredWeb: A Framework for the Automated Search-Based Discovery of Blocked URLs
- 2017-knockel-measuring Measuring Decentralization of Chinese Keyword Censorship via Mobile Games
- 2016-aceto-analyzing Analyzing Internet Censorship in Pakistan
- 2015-gill-characterizing Characterizing Web Censorship Worldwide: Another Look at the OpenNet Initiative Data
- 2015-hiruncharoenvate-algorithmically Algorithmically Bypassing Censorship on Sina Weibo with Nondeterministic Homophone Substitutions
- 2015-knockel-every Every Rose Has Its Thorn: Censorship and Surveillance on Social Video Platforms in China
- 2014-chaabane-censorship Censorship in the Wild: Analyzing Internet Filtering in Syria
- 2014-khattak-look A Look at the Consequences of Internet Censorship Through an ISP Lens
- 2014-king-reverse-engineering Reverse-engineering censorship in China: Randomized experimentation and participant observation
- 2014-morrison-toward Toward automatic censorship detection in microblogs
- 2013-chen-tweeting Tweeting Under Pressure: Analyzing Trending Topics and Evolving Word Choice on Sina Weibo
- 2013-dalek-method A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship
- 2013-das-self-censorship Self-Censorship on Facebook
- 2013-invernizzi-message Message In A Bottle: Sailing Past Censorship
- 2013-nabi-anatomy The Anatomy of Web Censorship in Pakistan
- 2013-verkamp-five Five Incidents, One Theme: Twitter Spam as a Weapon to Drown Voices of Protest
- 2013-zhu-velocity The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions
- 2012-king-censorship How Censorship in China Allows Government Criticism but Silences Collective Expression
- 2012-thomas-adapting Adapting Social Spam Infrastructure for Political Censorship
- 2012-vasserman-one-way One-way indexing for plausible deniability in censorship resistant storage
- 2012-wright-regional Regional Variation in Chinese Internet Filtering
- 2011-knockel-three Three Researchers, Five Conjectures: An Empirical Analysis of TOM-Skype Censorship and Surveillance
- 2011-shklovski-online Online Contribution Practices in Countries that Engage in Internet Blocking and Censorship
- 2010-burnett-chipping Chipping Away at Censorship Firewalls with User-Generated Content
242 findings tagged here
-
During the June 2025 shutdown, Iranian authorities blocked international One-Time Password (OTP) SMS delivery, preventing new sign-ins to foreign secure-messaging platforms and VPN services. This forced users toward government-approved domestic platforms that lack security and privacy protections. The blockade of OTPs effectively weaponized account-recovery flows as a secondary shutdown layer, disproportionately affecting users who needed to activate new circumvention tools during the crisis.
-
Simple character-level perturbations (English) and homophone substitutions (Chinese), combined with LLM instruction-following prompts directing the model to use word substitutions in its output, successfully bypassed all input and output filters for all 41 input-blocked and 197 output-blocked queries across five major Chinese LLM services (Baidu-Chat, DeepSeek, Doubao, Kimi, Qwen). Every input-blocked query contained at least one keyword combination that alone triggered the filter, confirming keyword-matching rather than semantic classification.
-
Cross-national experiments conducted from Singapore, South Korea, and Taiwan during February 19–24, 2025 found no variance in blocking implementations, event syntax, or server infrastructure across all five Chinese LLM services. Input blocking was enacted identically in all three international locations, and services connected to the exact same server IP addresses globally — Kimi and Baidu-Chat connected to identical IPs and DeepSeek to the same two addresses across all tested locations.
-
Input blocking in Chinese LLM services (DeepSeek, Qwen, Kimi, Doubao) is overwhelmingly consistent: all four services persistently block the exact same queries across all 5 measurement samples in both Simplified and Traditional Chinese. Output blocking is far less consistent, with only 29 out of 349 output-blocked queries blocked across all 5 samples. Baidu-Chat is exceptional: it performs almost no input blocking but instead relies heavily on post-search and output blocking (78.6% of blocks are output-phase).
-
DeepSeek, Kimi, and Doubao all transmit analytics logs to the same Autonomous System (AS24429, Zhejiang Taobao Network Co., Ltd., a ByteDance/Volcengine subsidiary), with one monitoring endpoint IP directly overlapping between DeepSeek and Doubao. Additionally, all four non-Qwen services maintain connections with servers physically located in China throughout the chat session, transmitting user IDs, session IDs, viewport data, language preferences, and in Baidu-Chat's case, the full query text via URL-encoded CAPTCHA requests.
-
All five Chinese LLM services transmit partial or complete responses to the client machine even when output blocking is triggered, representing a major information leak. For DeepSeek and Qwen, truncated blocked responses are on average close in token length to full successful responses. For Baidu-Chat, the complete response is transmitted to the client but only partially rendered in the browser UI, with only a word or two visible on screen.
-
When the researchers attempted to use Gemini 2.5 Flash as a third independent LLM judge via its API for evaluating moderation decisions, Gemini automatically blocked all judging attempts citing safety reasons. This occurred even though the research task (judging whether a response is more or less moderated) does not itself produce harmful content. The incident illustrates that LLM safety systems can over-block legitimate research use cases, and that different LLM providers have different thresholds: Claude Haiku 4.5 and GPT-4o completed all judging tasks without safety refusals.
-
Category-level analysis of 100 statements across 5 sensitive content categories found that interface-based moderation gaps vary significantly by topic. Sexuality showed the strongest WebUI/API gap (WebUI 7.0× more likely to be moderated than API per GPT-4o judge for Gemini). Political ideology followed at 2.0×, then hate speech at 1.0×. Miscellaneous offensive topics showed the inverse pattern (API more moderated at 0.3×). Religious content showed WebUI moderation with no API moderation. The pattern suggests public-facing WebUI interfaces prioritize reputational risk management for high-scrutiny categories.
-
An empirical study of 100 sensitive statements tested on Gemini (2.5 Flash) and ChatGPT (GPT-5) found that WebUI interfaces are systematically more restrictive than their API counterparts. According to GPT-4o judge: WebUI was moderated 18% of the time vs. 9% (Gemini API) and 13% (ChatGPT API). DeBERTa classifier found 82% of WebUI responses moderated vs. 58% of API responses. The Gemini WebUI:API ratio ranged from 2.0:1 (GPT-4o) to 7.0:1 (Claude), and ChatGPT from 1.4:1 (GPT-4o) to 15.6:1 (Claude). Neither Google nor OpenAI discloses these interface-specific policies.
-
Across all 7 LLMs tested (GPT 4o, GPT 4o Mini, Gemini 1.5 Flash, Gemini 1.5 Pro, Llama 3.2, Claude 3.5 Haiku, Claude 3.5 Sonnet), statistically significant evidence of censorship bias was found in at least one evaluation metric per model: responses to Simplified Chinese prompts were more neutral, more similar to sanitized text, and less opinionated than semantically identical Traditional Chinese prompts (p < 0.05 across refusal-rate, sentiment, CensorshipDetector classification, and word-embedding analyses).
-
CensorshipDetector, an XLM-RoBERTa model fine-tuned on 587,819 Baidu Baike articles (censored) and Chinese Wikipedia (uncensored), achieved 91% accuracy on a held-out validation set of Chinese news articles, correctly classifying 93% of Chinese state media articles as censored and 87% of New York Times Chinese articles as uncensored, with average censorship scores of 0.93 and 0.13 respectively.
-
A systematic search of the Common Crawl dataset — the training corpus attributed to most major LLMs including Llama, GPT, and Gemini — found content from 325 of 326 Chinese government and state media domains searched, confirming that sanitized content is pervasive in LLM pretraining data and providing a concrete mechanism for how Chinese information controls propagate into Western-built models.
-
Using English as a pivot language (prompting the model in English while requesting Chinese-language responses) reduced but did not eliminate censorship bias: CensorshipDetector scores showed less bias in English-pivoted responses than in direct Simplified Chinese prompts, but sentiment analysis and word-embedding analyses still found statistically significant bias in most models, indicating censorship bias is a function of both prompt language and response language.
-
The study finds that LLM censorship bias affects Chinese-speaking diaspora populations who reside outside mainland China: because user language — not user location — determines exposure to sanitized outputs, Chinese speakers globally receive information shaped by CCP information controls when using popular AI chatbots in Simplified Chinese, constituting an extraterritorial export of domestic censorship infrastructure.
-
TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.
-
Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it is case-sensitive and ignores lowercase method variant "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggests a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting centralized architecture.
-
All six Chinese browsers (Baidu Searchbox, UC Browser, QQ Browser, OPPO, Redmi/Mi, VIVO) transmit the full URL of every page visited—including HTTPS pages—along with page titles and search terms out-of-band to vendor servers, entirely bypassing VPN tunnel protection. In five of six cases this data is transmitted with no cryptography or weak cryptography (purely symmetric AES with hardcoded keys, or textbook RSA with a 128-bit modulus factorable in under 3 seconds), making it readable by any on-path actor between the VPN egress and the vendor's servers.
-
PWA-based circumvention tools that display their name or any identifying string in the browser URL bar or page title expose that identifier to all six Chinese browser vendors' telemetry servers, since all six browsers collect page titles and full URLs. Browser SDKs with READ_PHONE_STATE and elevated permissions can monitor PWA activity at the OS level in ways not possible with standard browsers, making browser selection as security-critical as the circumvention tool itself for the Tor Browser threat model.
-
All six browsers grant dangerous Android permissions (READ_PHONE_STATE, INTERNET, ACCESS_NETWORK_STATE) to third-party SDKs; built-in phone browsers grant significantly more such permissions than app-store browsers. Baidu Mobile Tongji Analytics SDK—present in all six via Baidu as default search engine—collects IMEI, UUID, CUID, GAID, device MAC, and Bluetooth MAC, creating a persistent cross-app device fingerprint that identifies users across VPN sessions and survives IP changes.
-
IRBlock discovered that 1.7M of 3.3M blocked apex domains (52%) were attributed to blanket suffix-level blocking rules rather than individual domain listings. Examples include regex patterns targeting all Israeli domains (.il TLD), adult content (.porn), and country-coded suffixes (.com.mx, .my.id). Of 87K Tranco-ranked apex domains analyzed, 37% fell into adult content, with entertainment and gambling following. Approximately 1.27M apex domains were jointly censored by both DNS and HTTP filters, while the two filters maintained operationally independent blocklists for a significant fraction of domains.
-
The paper proposes a black-box methodology for detecting censorship bias in LLMs by comparing responses to identical prompts in Simplified vs. Traditional Chinese — scripts for the same spoken language — controlling for translation quality while exploiting that Simplified Chinese training data is disproportionately sourced from mainland China's censored internet. Each prompt is repeated ten times and scored for similarity to censored text using an XLM-RoBERTa classifier fine-tuned on Baidu Baike (censored) vs. Chinese Wikipedia (uncensored) with scores from 0 to 1.
-
Of 326 websites known to adhere to CCP censorship laws — including Chinese government sites and state media — 325 were found indexed in the Common Crawl dataset commonly used to train major LLMs including GPT-3. Only the official government site of Macao (www.gov.mo) was absent, indicating that LLM training corpora are broadly contaminated with CCP-censored content.
-
Because LLMs such as ChatGPT (over 100 million weekly active users) reflect CCP information-control requirements when prompted in Simplified Chinese, they effectively export Chinese domestic censorship to diaspora communities and non-China-based Chinese speakers worldwide — extending the reach of information manipulation beyond any jurisdiction where Chinese censorship law applies.
-
Exploratory testing of GPT-3.5 Turbo showed significant response divergence between Simplified and Traditional Chinese prompts on politically sensitive topics. Simplified responses glossed over or omitted details on Tiananmen Square casualties, Uyghur genocide allegations, Taiwan's sovereignty status, and Xi Jinping's human rights record; Traditional Chinese responses described these topics in substantially more critical and detailed terms.
-
For Tier 2 apps (IP geo-blocking only), using a VPN with a foreign endpoint was sufficient to restore access. For Tier 1 apps (SIM + IP geo-blocking), the authors confirmed that (1) removing the Indian SIM card and accessing via WiFi, or (2) intercepting HTTP traffic with a MITM proxy to suppress or rewrite the carrier_region=IN parameter, fully bypassed server-side censorship. The authors note that Indian users primarily rely on mobile Internet, making SIM removal impractical as a user-facing solution.
-
After India imposed a permanent ban in January 2021, seven of the eight previously SIM-only-blocked apps escalated to dual-factor filtering: they continued extracting carrier_region=IN from the SIM card while simultaneously adding IP geo-blocking. Accessing these apps now requires both a VPN (for source IP masking) and SIM removal or carrier_region parameter suppression; MICO Chat remained the sole app using only SIM-based blocking.
-
Seven of the 220 banned apps (Tier 1, including TikTok, Likee, Kwai, UC Browser, FaceU, Hago, and V-Fly) used the Android TelephonyManager.getSimCountryIso() API to read the primary SIM's country code and embed a carrier_region=IN parameter in HTTP requests, enabling server-side identification and blocking of Indian users regardless of source IP or VPN state. A dual-SIM phone with an Indian SIM in the secondary slot only (primary empty or non-Indian) bypassed the check.
-
GFWeb discovered that the GFW's bidirectional blocking is not symmetric: certain domains trigger blocking only when probed from inside China, not from outside. This overturns the prior assumption that the GFW blocks the same domains symmetrically in both directions. The paper also documents that the GFW has been upgraded to fix previously-reported evasion techniques, including overblocking mitigation and improved fragmented-packet reassembly, indicating active engineering iteration on the censor side.
-
GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.
-
China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.
-
HTTP Request Smuggling—a web-security vulnerability that exploits CL/TE header parsing ambiguities between a front-end (censor) and back-end (web server)—can be systematically repurposed as a censorship circumvention technique. By hiding a censored Host in the body of a benign outer request, the censor parses only the uncensored outer request while the destination server processes both, successfully bypassing HTTP censorship in China (19 vectors), Iran (254 vectors), and Russia (all 2,015 vectors) from the evaluated vantage points.
-
Iran's censor contains an implementation bug: when the Content-Length header carries an invalid (non-integer) value and a Transfer-Encoding header is also present, the censor gracefully skips the invalid CL value and attempts to parse subsequent traffic, but fails to correctly interpret the TE header—causing it to pass the smuggled (censored) request. This bug enabled 254 of 2,015 evaluated test vectors to bypass Iranian censorship, all using the CL*/TE or CL/TE* vector types.
-
Russia's censor (at the Moscow/ASN-50867 vantage point) inspects only the first HTTP packet of the first TCP segment per TCP stream and never analyzes subsequent HTTP requests—whether in the same TCP packet or a later one. This caused all 2,015 accepted test vectors to successfully evade censorship, and the bypass is achievable with standard-compliant HTTP (e.g., whitespace or case variations in header names, which HTTP/1.1 explicitly permits).
-
China's GFW exhibited unusually inconsistent HTTP censorship behavior: 13 of the evaluated HRS test vectors circumvented the GFW in some executions but not others, with per-vector success rates between 10% and 35% across 100 executions per domain. The authors attribute this to two distinct parts of GFW infrastructure employing different HTTP censorship mechanisms, a departure from the GFW's typical consistency.
-
HTTP request smuggling (HRS) vectors that exploit CL/TE header parsing divergence between a censor-as-middlebox and a destination web server can circumvent HTTP censorship in China, Iran, and Russia. Of 4,488 test vectors derived from prior HRS research, 2,015 (44.9%) were accepted by at least one web server; CL*/TE vectors achieved a 99.0% web-server acceptance rate while TE/CL* vectors achieved 0%.
-
Iran's censor injects an HTTP block page consistently but contains an implementation bug: it fails to parse the TE header when a CL header with an invalid (non-integer) value is present, causing it to pass subsequent traffic. 254 of the evaluated test vectors circumvented Iran's censor; the 'Wrapping' CL*/TE strategy (e.g., 'Content-Length: <len>\u00FF\x0aX: X') was especially effective, exploiting this graceful-degradation fault.
-
The Russian censor at the tested Moscow vantage point (ASN 50867, China Unicom-equivalent private ISP) inspects only the first HTTP packet of the first TCP segment in a TCP stream and never blocks a second HTTP request, whether coalesced in the same TCP packet or sent in a subsequent one. All 2,015 web-server-accepted test vectors evaded Russian censorship, including standard-compliant whitespace-injection vectors (e.g., 'Content-Length\x20: <len>\x20').
-
Across five popular translation services available in China (Alibaba, Baidu, Tencent, Youdao, and Microsoft Bing), researchers discovered 11,634 unique censorship rules in total. Every service — including the American-operated Bing Translate — implemented automatic censorship that silently omits content, with only Alibaba displaying any notification ('Query csi check not pass') to the user.
-
Alibaba and Bing Translate scan only the user's input text for censorship triggers, not the translation output, while Baidu and Tencent apply the same censorship rules to both input and output. Youdao censors input and output using different rule sets. Because Chinese-language censorship rules dominate all services' blocklists, users translating from a non-Chinese language into Chinese using Alibaba or Bing experience materially less censorship than users of the other services.
-
Among 286 randomly sampled censorship rules across all five services, only one rule targeted erotic content, while the vast majority targeted political dissidents, CCP leaders, Tiananmen Square, Falun Gong, and government criticism. The paper interprets this near-total absence of pornography censorship as evidence that the censors did not anticipate their rules being audited, or are no longer interested in concealing the overtly political agenda of Chinese information control.
-
On Tencent Translate, 15 distinct representations of Xi Jinping's name — including romanizations (xijinping, XiJinping, XIJINPING, xIDaDa, xidada), character variants (习近平, 习大大, 习主席, 习书记, 习总书记, 近平习, 反习大大), and a romanized reversed form (JinpingXi, jinpingxi) — each triggered censorship of the translator's entire output rather than just the offending sentence. Between 4–5% of Tencent's discovered rules were inconsistently enforced, which the paper attributes to load-balanced servers implementing different rule sets or rapid rule churn.
-
Evidence from Youdao Translate suggests it deploys a machine-learning or NLP-based classifier alongside keyword rules: measured rules included repeated components (e.g., 螺+螺+螺+螺+螺+螺+蟢+D+哒+大) and nonsensical multi-token sequences that no human rule author would write, yet which consistently triggered censorship. Youdao returned 9,414 unique rules from the general test set — the most of any service — while also producing the most structurally anomalous rule patterns.
-
China's local censorship operates through 'extra-institutional governance' (EIG) — practices that transgress the official identity and authorized means of the CAO system, including outsourced private surveillance, unpaid personnel secondment, and mass reporting via personal accounts — which upper-level offices tolerate but do not formally authorize, preserving plausible deniability when practices are ethically or legally questionable. The paper documents these as widespread implicit norms across China, not isolated to District T.
-
A county-level CAO in east China (District T, ~500,000 residents) operated with only 7 formal employees yet was tasked with monitoring more than 60 social media platforms, detecting unwanted voices in text, image, video, and audio formats, and submitting hourly reports to upper-level offices — a workload the authors characterize as a 'mission impossible' for a county-level office.
-
The District T CAO's 'Cavalry Team' of approximately 100 members used coordinated mass reporting — timing reports within 5–10 minutes of a post appearing, using different IP addresses and devices, and submitting long complaints invoking phrases like 'threatening social stability' — to achieve a documented weekly takedown success rate of 95.01% (286 of 301 targeted posts removed).
-
The District T CAO outsourced surveillance to a commercial SaaS platform ('Public Opinion Assistant') capable of scanning 180 million social media posts per day, processing 20 million posts per minute, and using supervised learning to classify 'negative voices' with performance comparable to human moderators. The platform generates ready-to-submit bureaucratic reports and maintains localized keyword lists that include euphemisms and homophones of censored terms as netizens update evasion strategies.
-
Chinese social media platforms detect and downweight accounts that over-use the reporting function, reducing their future report credibility. The CAO's counter-response was to recruit 'fresh accounts' from visitors, borrow civilian accounts from seconded staff, and store credentials in an unencrypted Excel file circulated via WeChat, indicating the censor relies on high account turnover rather than persistent infrastructure to maintain reporting effectiveness.
-
Domestic Chinese search engines (e.g., Baidu) return no valid results for direct VPN or '翻墙' (climb the wall) queries, but 16 of 18 GFW ladders mentioned by participants remained discoverable via Chinese jargon and homonyms (e.g., '蕃蔷' as a homonym for 'climbing the wall'). Word-of-mouth through college friends, gaming forums (Baidu Tieba), and QQ group chats were primary alternative distribution channels.
-
Five participants confirmed installing GFW evasion tools exposed them to malware; prior work cited in the paper found >38% of Android apps using the VPN permission contain malware. Participants additionally reported fake gaming platforms that install adware and credential-stealing phishing pages; notably, VirusTotal did not flag any of the fake platform URLs identified by participants, indicating conventional AV tools provide insufficient protection.
-
HTTP-based blocking is the dominant censorship technique across Indian ISPs, observed in 64 of 71 measured ASes. However, the authors note it is largely ineffective because over 90% of web connections now use HTTPS, meaning ISPs cannot inspect the Host header for the vast majority of traffic, making HTTP blocking easily bypassed by any HTTPS client.
-
HTTP/URL/keyword filtering was the most prevalent censorship method both during the measurement period (49% of countries) and historically (69%), despite 82% global HTTPS adoption. The authors attribute this persistence to censors lacking technical sophistication to upgrade, and to uneven HTTPS adoption leaving older methods effective in underserved regions.
-
The largest measurement study of Turkmenistan censorship to date tested 15.5 million domains and found more than 122,000 domains censored using separate blocklists for DNS, HTTP, and HTTPS. Reverse-engineering the blocking rules revealed approximately 6,000 over-blocking rules that cause incidental filtering of more than 5.4 million additional domains — a 44x collateral damage ratio relative to intentionally blocked domains.
-
In China, it is typically the publisher (not the government) who self-censors translated books to avoid punishment including harsh scrutiny of future publications, book confiscation, and suspension of publishing rights. Authors are often unaware their translations were altered until well after publication. This self-censorship dynamic produces more restrictive outcomes than direct government censorship because publishers err on the side of caution without clear rules.
-
A case study on Chapter 5 of Chinese Literature: A Very Short Introduction (Knight) found 7 censored topics, 5 removed paragraphs, 31 removed sentences, and 2 removed/altered words in the Chinese translation. Censored topics included 2000 Nobel laureate Gao Xingjian, the Tiananmen Square Massacre, Mao Zedong, the Cultural Revolution, the Great Leap Forward, the plasma economy scandal in Henan, and a discussion of book censorship itself.
-
The paper proposes detecting translation censorship by back-translating the Chinese text to English via Google Translate, embedding each paragraph with distiluse-base-multilingual-cased-v1, and solving a linear-sum-assignment bipartite matching weighted by negated cosine similarity. Paragraphs below a similarity threshold are flagged as cut; matched paragraphs are recursively compared at sentence level to detect alterations.
-
The paper argues that an effective counter to translation censorship is to actively trigger the Streisand effect: publishing detected censored content side-by-side with the original on a public website causes the censored text to reach a broader audience — including people who would not have read the censored version — and makes the censorship itself backfire. Censors deliberately avoid publicizing removals precisely to prevent this outcome.
-
The proposed crowdsourced system runs multiple isolated Geneva training pools on a controlled server — one pool per censorship system (initially China and Iran) — and instructs volunteer browsers via JavaScript to send forbidden requests to isolated ports, with no download or software installation required from the user. The server monitors per-strategy success or failure to drive genetic evolution entirely from the server side.
-
Browsers cannot independently set the HTTP Host header or TLS SNI field, blocking the standard censorship-trigger methods used in Geneva training. The paper proposes two workarounds: (1) keyword-based HTTP censorship triggers using forbidden strings in URL parameters, limited to censors that employ keyword filtering; and (2) registering domains whose strings contain a censored substring to exploit censor overblocking via overbroad regular expressions (e.g., registering a domain matching torproject.org's regex to also catch mentorproject.org).
-
Hong Kong Twitter users are 33% more likely than a random control sample to have protected their accounts, and over 247% more likely to have deleted past Tweets, after enactment of the June 2020 national security law (NSL). These differences are statistically significant at p ≤ 1.74e-48 for all account-protection and Tweet-deletion metrics.
-
Hong Kong Twitter discussion of COVID-19 continued declining after mid-2020 and did not resurge during Hong Kong's large March 2022 COVID wave, unlike the control group whose COVID discussion tracked local transmission rates. The authors interpret this anomalous pattern as a generalized chilling effect: NSL legal risk suppressed even politically ambiguous health discussion that mainland China had censored but that may not clearly fall under the NSL.
-
Of inaccessible Tweets from 2019, those containing NSL-sensitive political keywords are disproportionately deleted or protected by both Hong Kong users (36.38% inaccessibility) and Taipei users (34.89%), compared to New York City (29.45%) and Tokyo (30.80%). This suggests that NSL legal exposure — which extends extraterritorially under Article 38 — may be chilling speech even among users outside Hong Kong who transit or have ties to mainland China.
-
While Hong Kong users sharply reduced discussion of NSL-sensitive political topics after July 2020, their rate of Tweeting about non-sensitive topics (travel, food, art, media) remained stable and mirrored control-group trends. This targeted suppression — rather than a general withdrawal from Twitter — confirms the NSL produced specific self-censorship of covered speech rather than platform abandonment.
-
After the NSL entered into force in July 2020, the proportion of Hong Kong Tweets containing NSL-sensitive political keywords declined steadily and never returned to prior levels. By contrast, the control group's equivalent keyword usage rebounded (e.g., surging around the August 2021 Taliban takeover and March 2022 Ukraine invasion), indicating the Hong Kong decline is attributable to legal chilling rather than global topic cycles.
-
The COVID-19 Wuhan lockdown caused geolocating Twitter users in China to increase 1.4-fold immediately, remaining 10% above pre-crisis baseline long-term; approximately 320,000 new Chinese users joined Twitter due to the crisis, and the available VPN application's ranking on the Chinese iPhone App Store jumped significantly around 23 January 2020 and maintained that elevated rank.
-
In countries with no Great Firewall-equivalent censorship (Germany, Italy) and in less-censored authoritarian states (Iran — Persian Wikipedia; Russia — Russian Wikipedia) that experienced comparable COVID-19 outbreaks, no analogous spillover to politically sensitive content was observed; Wikipedia engagement in those countries increased generally but did not show disproportionate access to historically censored topics, confirming the gateway effect is specific to high-censorship environments.
-
Once mainland China users circumvented the Great Firewall during COVID-19, they disproportionately followed politically sensitive accounts: international news agencies at 1.31x the expected rate, Chinese citizen journalists at 1.42x, and political activists at 1.23x — all relative to Hong Kong users as a control — while state media accounts saw only a 1.06x increase and entertainment accounts a 0.85x decrease, confirming a selective gateway to censored political content.
-
Extending Geneva's genetic algorithm to the application layer automatically discovered 77 unique HTTP evasion strategies and 9 DNS evasion strategies against censors in China, India, and Kazakhstan — all requiring only unprivileged usermode modifications with no TCP/IP header access. Against India's Airtel censor, 56 of the 77 strategies succeeded; 29 worked against Kazakhstan; 22 evaded China's keyword-based HTTP censorship and 27 evaded its Host-header censorship.
-
China's GFW keyword-based and Host-header HTTP censorship can be simultaneously defeated by a 'sandwich' strategy: a header with a name ≥64 bytes must appear before the Host header, the Host header value must start ≥1,281 bytes from the start of the headers, and the final header must be ≥129 bytes total — and the Host header must not be first or last. A 64+ byte header name alone is sufficient to defeat Host-header censorship because it prevents the GFW from reading further headers.
-
India's Airtel HTTP censor fails to reassemble TCP segments: padding any HTTP request to at least 1,449 bytes causes the IP+TCP overhead (52 bytes) to push the total past the Ethernet MTU of 1,500 bytes, forcing segmentation that the censor cannot handle and achieving 100% evasion. Kazakhstan requires the segmentation boundary to fall precisely between the Host header name and value (with two trailing spaces), rather than anywhere in the request.
-
A central finding of the paper is that RFC-compliance in the censor creates evasion opportunities: the more faithfully a censor parses HTTP/DNS per the RFC, the more RFC-permitted variants it will pass that servers also accept, yielding more viable evasion strategies. In contrast, India's Airtel censor was the most brittle (56/77 strategies bypassed it) precisely because it failed on many legitimate RFC variants; China's more sophisticated parser left fewer openings.
-
D-LDA detected event-driven shifts in Indian censorship without prior knowledge: the word 'violence' disappeared from the 'Riots in India' topic cluster between months 6 and 14 of the measurement period, and 'killing' did not appear until month 16, consistent with the absence of actual riots during that window. Similarly, the 'Danish cartoonist' topic shifted from cartoon-focused discourse to broader Islamic-rights framing ('freedom,' 'speech') approximately 18 months in.
-
Dynamic LDA applied to ICLab longitudinal data for India (2016–2020) successfully identified 14 distinct censored topic clusters—including religious conflict, piracy, educational fraud, and political dissent—from 677 overtly-censored URLs out of 6,012 tested (11.3% overtly censored at least once). The model required monthly time-slice granularity; daily and weekly granularities produced unstable results due to wild swings in document counts.
-
India's censorship apparatus, while less aggressive than China's, legally mandates ISP-level blocking capability and has deployed it regularly. Of 6,012 URLs in ICLab's India test list observed since 2016, only 677 (11.3%) were ever overtly censored (block-page redirect); the majority of anomalies were covert (connection disruption mimicking network faults) and excluded from analysis due to ambiguity. Censorship topics include not only political dissent but copyright enforcement, indicating infrastructure originally deployed for political control is routinely repurposed.
-
Only 8% of keywords censored by Chinese chat clients (WeChat, Sina Weibo — ~63,200 total terms) are also censored by GFW packet inspection, demonstrating independently maintained blocklists. The GFW's packet-inspection chat-derived blocklist contains up to 1,221 distinct censored keywords for outbound traffic; just 68 keyword components account for all censored terms from Beijing, with 「六四」(June Fourth) alone responsible for more than half.
-
The GFW only inspects two locations within an HTTP request for censored keywords: the path component of the request line and the Host header, in UTF-8 and GB 18030 encodings (with %-decoding applied). Cookie headers, custom headers (e.g., X-Tension), and POST body fields are not monitored. Even in monitored positions, only approximately 75% of requests containing censored keywords actually trigger a TCP RST disconnection.
-
After a censored connection, 50–75% of subsequent connections from the same client IP to the same server IP and port are blocked for 90 seconds even without censored keywords ("penalty box"). The penalty box is strictly scoped to the (client IP, server IP, server port) triple — other ports at the same server IP or other server IPs are unaffected. The GFW monitors HTTP keyword traffic on every TCP port, not just port 80.
-
The GFW maintains two HTTP keyword sublists: 15 terms censored unconditionally, and approximately 60–63 additional terms censored only when the English word "search" also appears in the request URL. No other English word among the 10,000 most common, no Chinese search synonym (搜索, 查找, 关键词), and no common URL parameter abbreviation ("q", "kw", "s") replicates this expanded-censorship trigger.
-
DPI blocking by Spanish ISPs (Fortinet/Telefonica) was circumvented by inserting a tab escape character (\t) into HTTP GET request headers, or by delaying HTTP GET transmission — the same techniques reported to have bypassed DPI blocking of Catalan referendum sites in 2017. Both techniques exploited the DPI's shallow, stateless inspection of the opening HTTP request.
-
Filtering rules in Saudi Arabia were uniform across all three major ISPs (STC, Zain, Mobily) and six vantage points spanning four geographically distributed cities (Riyadh, Jeddah, Makkah, Al-Khobar), indicating a single centralized national filtering infrastructure rather than per-ISP implementation.
-
Saudi Arabia's blocking decisions closely track diplomatic ruptures: Qatari news sites were blocked in 2017 amid the Gulf crisis, Iranian news sites in 2018 following severed diplomatic relations, and Turkish outlets Anadolu and TRT Arabic in April 2020 amid Ankara–Riyadh tensions — the Turkish blocks were partly triggered by a citizen Twitter campaign calling for the block.
-
Internet filtering in Saudi Arabia is implemented primarily as HTTP URL-keyword filtering augmented by TLS-level (SNI) filtering for HTTPS connections; DNS and IP-level failures were minimal and consistent with transient network issues rather than deliberate blocking. In 2019, 82.2% of Adult, 7.6% of Shopping, and 6.2% of Games websites returned HTTP 403; TLS filtering of Shopping sites decreased from 9.6% to 6.6% between 2018 and 2020.
-
During the Sri Lanka social-media block following the April 21, 2019 bombings, Censored Planet measured HTTP(S) censorship jumping from 0.1% to 2% in one week and discovered 22 blocked domains versus the 7 reported by NetBlocks and AccessNow; 5 of those extra domains were only present in the Alexa top-sites list, not the Citizen Lab Global Test List. Blocking remained elevated through May 12, 2019, contradicting public reports that the ban was lifted by May 1st.
-
Anonymization and circumvention tools (VPNs, Tor, etc.) are among the three most commonly blocked content categories across all commercial filters surveyed, alongside pornography and gambling. This holds across diverse products including Fortinet, Cisco, and government-deployed firewalls in Iran, Saudi Arabia, and Bahrain.
-
FilterMap identified 90 blockpage clusters from 90 vendors and actors across 103 countries using 374 million measurements from ~45,000 vantage points against 18,736 sensitive domains; 87 of these signatures were previously unknown. Commercial filters were detected in 36 out of 48 countries rated 'Not Free' or 'Partly Free' by Freedom House, with Fortinet alone present in at least 60 countries.
-
Russia operates the most fragmented ISP-level filtering infrastructure in the dataset: FilterMap detected 41 distinct ISPs deploying blockpage-injecting filters, and 38 out of 49 filter clusters identified by Quack were deployed in Russian ISPs. All 41 Russian blockpages explicitly cited Federal Law as the reason for blocking.
-
Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.
-
Despite Russia's decentralized ISP ecosystem, 9 of 14 residential probes observed more than 90% of 98,098 tested blocklist domains blocked, and all 14 probes observed at least 49% blocked—demonstrating that coordinated nationwide censorship without centralized choke-points is achievable through legal mandates and commodity equipment alone.
-
A proposed HTTP censorship detection algorithm combining status-code comparison, response-length Z-score, HTML TF-vector cosine similarity, and redirect-hostname matching achieves F1 scores of 0.83 (censored) and 0.77 (uncensored), outperforming OONI (0.80 / 0.70), length-difference methods (0.70 / 0.66), and HTML-similarity methods (0.52 / 0.34) on a manually annotated set of 3,000 responses across six Indian ISPs.
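The four signals named above can be combined as in the following added example, which is not the paper's code. The thresholds (`z_max`, `sim_min`), the two-of-four voting rule, the function names and the sample responses are all assumptions made for illustration; the paper's own combination logic is not given on this page.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse


def tf_vector(html):
    """Term-frequency vector over lowercase alphanumeric tokens, tags stripped."""
    text = re.sub(r"<[^>]+>", " ", html)
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a, b):
    """Cosine similarity of two term-frequency vectors (0.0 if either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def length_zscore(test_len, control_lens):
    """Absolute Z-score of the test body length against the control lengths."""
    mean = sum(control_lens) / len(control_lens)
    std = math.sqrt(sum((n - mean) ** 2 for n in control_lens) / len(control_lens))
    if std == 0:
        return 0.0 if test_len == mean else math.inf
    return abs(test_len - mean) / std


def host(url):
    """Hostname of a URL, lowercased, with a leading 'www.' removed."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def classify(test, controls, z_max=3.0, sim_min=0.5, min_signals=2):
    """Compare one in-network response with control responses for the same URL.

    Each response is a dict with 'status', 'body' and 'final_url'.
    Assumed rule: flag as censored when at least `min_signals` signals fire.
    """
    if not controls:
        raise ValueError("at least one control response is required")
    test_tf = tf_vector(test["body"])
    signals = {
        "status": test["status"] not in {c["status"] for c in controls},
        "length": length_zscore(len(test["body"]), [len(c["body"]) for c in controls]) > z_max,
        "content": max(cosine(test_tf, tf_vector(c["body"])) for c in controls) < sim_min,
        "redirect": host(test["final_url"]) not in {host(c["final_url"]) for c in controls},
    }
    return {"signals": signals, "censored": sum(signals.values()) >= min_signals}


# --- constructed sample data (not real measurements) ---
def page(extra=""):
    sentence = "Local election results were announced today by the commission. "
    return ("<html><head><title>Daily report</title></head><body><h1>Daily report</h1><p>"
            + sentence * 20 + "</p>" + extra + "</body></html>")


CONTROLS = [
    {"status": 200, "body": page(), "final_url": "https://www.news.example/report"},
    {"status": 200, "body": page("<p>ad 1</p>"), "final_url": "https://www.news.example/report"},
    {"status": 200, "body": page("<p>ad slot 22</p>"), "final_url": "https://www.news.example/report"},
]
# Blockpage served with status 200 after a redirect to an ISP notice host.
BLOCKED = {"status": 200, "final_url": "http://block.isp.example/notice",
           "body": "<html><body><h1>Access denied</h1>"
                   "<p>This site is blocked by order of the regulator.</p></body></html>"}
# Same article with a different ad slot: ordinary dynamic-content noise.
CLEAN = {"status": 200, "body": page("<p>ad 7</p>"), "final_url": "https://news.example/report"}
# Same article served from a mobile hostname: one signal only, so not flagged.
MIRROR = {"status": 200, "body": page(), "final_url": "https://m.news.example/report"}

if __name__ == "__main__":
    for name, resp in (("blocked", BLOCKED), ("clean", CLEAN), ("mirror", MIRROR)):
        print(name, classify(resp, CONTROLS))
```

The `MIRROR` case shows why the signals are combined: a hostname change alone would be a false positive if redirect matching were used on its own.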
-
All detected HTTP censorship events in BSNL and MTNL are attributable to infrastructure shared with or operated by Airtel and ACT, demonstrating that upstream ISP filtering creates collateral censorship visible to downstream networks. Isolated cross-ISP leakage was also observed: Vodafone's censorship notice appeared in 2 Jio tests, and Airtel's appeared in 2 Vodafone tests.
-
Indian ISPs use heterogeneous and overlapping censorship mechanisms with no single technique common across all providers: DNS tampering (ACT, Airtel, BSNL, MTNL), HTTP header filtering (all six ISPs), and SNI inspection (Jio only). Individual ISPs such as ACT simultaneously apply DNS-only blocking to 233 sites, HTTP-only to 1,873 sites, and both to 1,615 sites.
-
The GFW's robustness depends principally on suppressed citizen demand for uncensored information, not solely on access barriers. Calibration shows censorship remains stable even if the unencouraged access rate were substantially expanded, because low demand and moderate social transmission prevent information from reaching population-wide tipping points. However, censorship is fragile to demand stimulation: scaling the encouragement intervention to all students would, per the model, inform the entire student population.
-
When given a free 18-month subscription to a premium VPN (retail value US$25/month), only 55% of treated Chinese university students activated the tool, and less than 5% of active users regularly browsed blocked foreign news websites. By contrast, 86% activated a placebo free Youku (Netflix-equivalent) account within a week, isolating low demand—not friction—as the barrier.
-
Acquisition of politically sensitive information produced broad, durable attitude change: access-plus-encouragement moved the median student from the 47th to the 56th percentile across all measured outcome dimensions. Students became more pessimistic about Chinese economic growth (elicited incentive-compatibly), more skeptical of government performance, more likely to plan exit via foreign graduate school, and more likely to report having withdrawn stock-market investments.
-
Peer-to-peer knowledge spillovers were statistically significant but small: a student who actively browsed foreign news and learned of a sensitive event made her dormitory roommate 12.7 percentage points more likely to answer a quiz on that event correctly. Model calibration showed this transmission rate is insufficient to propagate knowledge to the broader student population given the low share of initially informed students.
-
The component-aware binary splitting algorithm (CompAwareBinSplit) requires on average 35.47 messages per article to isolate a sensitive keyword combination — 10.3% as many as the 342.72 required by the previously used algorithm — and is the only evaluated algorithm that correctly handles overlapping keyword components and multiple co-occurring combinations.
-
WeChat, Alibaba Wangwang, Zhihu, and Sina Weibo all implement keyword combination filtering — messages are blocked only when every component of a blacklisted combination appears simultaneously, regardless of order. This allows censors to target sensitive contexts (e.g., 习近平 + 三连任 [Xi Jinping + three consecutive terms]) without filtering neutral mentions of individual terms.
-
The previously used bisection algorithm required an average of 342.72 messages per news article to isolate a triggering keyword combination, and produced incorrect results in 44% of test cases — primarily because the Unilateral Elimination Flaw caused it to miss components that appeared multiple times in an article.
-
Server-side keyword enumeration on Chinese platforms has become increasingly uneconomical: platforms now require non-virtual phone numbers for account registration, and test accounts are banned after sending a threshold volume of sensitive content. The paper's 5,521-article dataset and 1,956 confirmed keyword combinations were collected via sample testing between September 2017 and October 2018, with registration costs being the primary limiting factor for research scale.
-
WeChat censors messages even when keyword components overlap within the message text — e.g., the combination 帶來 + 調整 + 整體 + 領域 triggers filtering in the fused form 帶來abc調整體xyz領域 where 調整 and 整體 share a character. No previously published algorithm correctly identified overlapping components; only CompAwareBinSplit resolves this by advancing the search window from index i+1 rather than past the full matched span.
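The combination semantics and the overlap case described in the two findings above can be modelled as follows. This is an added example, not the paper's CompAwareBinSplit algorithm or any platform's code: it only contrasts a scan that skips past each matched span with one that advances by a single index, and the function names are hypothetical.

```python
def scan_components(message, vocabulary, overlap_aware=True):
    """Return the vocabulary terms found in `message` by a left-to-right scan.

    overlap_aware=True  : after a match at index i, resume at i + 1, so terms
                          that share characters with the match are still seen.
    overlap_aware=False : resume after the matched span (longest match wins),
                          which hides any term overlapping that span.
    """
    terms = sorted(vocabulary, key=len, reverse=True)
    found = set()
    i = 0
    while i < len(message):
        matches = [t for t in terms if message.startswith(t, i)]
        if not matches:
            i += 1
        elif overlap_aware:
            found.update(matches)
            i += 1
        else:
            found.add(matches[0])
            i += len(matches[0])
    return found


def triggered(message, combinations, overlap_aware=True):
    """Return the combinations whose components ALL occur in the message.

    Order of appearance does not matter; a single component alone never
    triggers, which is what lets neutral mentions through.
    """
    vocabulary = {term for combo in combinations for term in combo}
    present = scan_components(message, vocabulary, overlap_aware)
    return [combo for combo in combinations if set(combo) <= present]


# The overlap example from the finding above: 調整 and 整體 share the character 整.
OVERLAP_COMBO = ("帶來", "調整", "整體", "領域")
OVERLAP_MESSAGE = "帶來abc調整體xyz領域"

# The context-targeting example from the finding above; both messages are constructed.
CONTEXT_COMBO = ("习近平", "三连任")
REVERSED_ORDER = "关于三连任的讨论提到了习近平"
NEUTRAL_MENTION = "习近平出席会议"

if __name__ == "__main__":
    print(scan_components(OVERLAP_MESSAGE, OVERLAP_COMBO, overlap_aware=False))
    print(triggered(OVERLAP_MESSAGE, [OVERLAP_COMBO], overlap_aware=False))
    print(triggered(OVERLAP_MESSAGE, [OVERLAP_COMBO]))
    print(triggered(REVERSED_ORDER, [CONTEXT_COMBO]))
    print(triggered(NEUTRAL_MENTION, [CONTEXT_COMBO]))
```

A measurement tool that models the filter with the span-skipping scan reports the fused message as unfiltered, which is the mismatch the overlap finding describes.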
-
China actively censors websites far outside the popular-traffic tier: many discovered censored domains appear in the tail of the Alexa Top 1,000,000, and some are absent from Alexa entirely. This demonstrates the GFW pursues content-classified hosts regardless of traffic rank, not only high-visibility platforms.
-
The 1,125 newly discovered censored domains span a broad taxonomy: Chinese human rights organizations, Tibetan rights outlets, Falun Gong and religious freedom sites, minority news, privacy-enhancing technology providers, and sources covering Tiananmen and the 1989 democracy movement—none appearing on the Alexa Top 1,000 or FilteredWeb's blocklist. Privacy-enhancing technology providers appear explicitly as a censored category alongside political and religious content.
-
Multi-word Chinese phrases as search seeds discover qualitatively different censored sites than individual English words: the phrase 'Chinese human rights violation' surfaces Chinese activist homepages and culture-specific outlets, while individual constituent words return only well-known Western media. TF-IDF scoring against a Chinese corpus ranks culturally rare phrases (e.g., '自由亚洲电台' / Radio Free Asia) as high-signal seeds and discards common filler phrases.
-
Culturally specific Chinese phrases are strong predictors of censorship: unigrams for controversial figures—Wang Qishan (74%), Li Hongzhi (64%), Guo Boxiong (62%), Hu Jintao (56%)—returned the highest block rates. Trigrams such as 'Beidaihe meeting' (54%), 'CCP's religious policy' (42%), and 'Tiananmen Square demonstrations' (32%) showed similar patterns, confirming King et al.'s finding that references to collective political dissent are disproportionately targeted.
-
WeChat's OCR filter performs blob merging to reconstruct characters from disconnected components. Filling character strokes with tiled letter patterns evaded OCR filtering in 100% of tests (vs. 92% for tiled square patterns), because tiled letters distract the blob-merging stage into finding the letter tiles rather than the composed characters.
-
WeChat's OCR-based image filter converts images to grayscale using the luminosity formula (0.299r + 0.587g + 0.114b) before text recognition. All 150 test images with colored text on a luminosity-matched gray background evaded OCR filtering, while average and lightness formulas failed to evade filtering for most colors.
-
WeChat normalizes uploaded images by their shortest dimension before blacklist comparison. Adding blank space equal to 50–200% of the longest dimension caused 4/5 wide images and 3/5 tall images to evade filtering; adding space along the shortest dimension never evaded filtering, consistent with a shortest-dimension resize hypothesis.
-
WeChat's visual-based image filter compares uploads against a specific blacklist using a perceptual similarity metric rather than ML classification. Semantic-preserving transformations — mirroring, cropping, adding whitespace — evaded all 15 tested blacklisted images, and images filtered visually were typically removed within 10 seconds, faster than OCR-filtered images (5–30 seconds).
-
WeChat's visual filter compares images as a whole rather than via a sliding window. Adding 3 or more duplicate copies of a blacklisted image to its canvas caused 8/10 images to evade filtering with no evasion attributable to compression artifacts (Figure A.13), whereas blank canvas extensions evaded mostly only through compression artifacts.
-
Information Gain feature selection from 408 candidates identified informal language markers (informal, nonflu, swear), Chinese modal and general particles signaling mood and relational framing, and physical-feeling words used metaphorically as the top predictors of censored Weibo content — all with statistically significant differences between censored and uncensored classes.
-
A Naive Bayes classifier built on 17 LIWC-derived and keyword features achieved 79.34% accuracy (10-fold cross-validation) predicting censorship of Sina Weibo posts, with precision 0.80 and recall 0.85 for the censored class — outperforming all single-domain feature sets including the full 408-feature combination (0.69 accuracy).
-
A 598-term sensitive-keyword blacklist (sourced from Wikipedia and China Digital Times) achieved only 53% classification accuracy on Weibo censorship — below the 66% achieved by punctuation features alone — and appeared in only 31 of 152 uncensored posts versus 60 of 192 censored posts, confirming keywords are not the primary driver of platform censorship decisions.
-
Sentiment analysis features (Baidu and Boson tools) achieved only 57% accuracy individually; censored posts averaged 53.9% negative sentiment (General model) versus 49.3% for uncensored — a difference too small to be operationally useful — indicating that sentiment polarity does not reliably distinguish censorable content from permitted content on Weibo.
-
Across all tested countries, circumvention and anonymization tools are the most consistently blocked category: www.hotspotshield.com is blocked in 5 of 13 detected censoring countries, and three Tor Project properties (bridges.torproject.org, www.torproject.org, ooni.torproject.org) each appear in the top-10 most broadly blocked domains. Collateral damage is also documented — Iran blocks psiphonhealthyliving.com as a substring match for the psiphon.ca circumvention domain.
-
High-power seed domains including uyghuramerican.org, dw.com, hrw.org, and eastturkistaninfo.com each produced TF-IDF descriptive tags that led to discovery of more filtered URLs from other domains than the total number of URLs crawled from those seeds themselves. Content-category analysis of the 1,355 poisoned domains showed filtering-avoidance tools, news, educational content, and human-rights sites among the most heavily targeted categories.
-
Shadowsocks traffic appears as ordinary TCP with no payload keywords or obvious protocol markers because the entire payload is encrypted; firewalls cannot distinguish it from generic TLS without behavioral flow analysis. This makes signature- and keyword-based detection ineffective against it.
-
Nearly 70% (n=160) of respondents reported self-censoring online for fear of the law. Frequency of exposure to blocked content was a statistically significant, ordered predictor of self-censorship (Goodman-Kruskal's gamma = 0.421, 95% CI [0.247, 0.595], p < 0.05), with self-censorship increasing monotonically as exposure to blocked content increased. Notably, self-censorship rates did not differ significantly between respondents inside and outside Thailand, suggesting the chilling effect extends beyond the reach of domestic ISP-level blocking.
-
Social media—primarily Facebook—was the dominant venue for direct, experienced threats: 9 of 15 respondents who had content blocked reported being censored on Facebook, and respondents observed that government censorship was shifting away from website blocking toward social media surveillance precisely because social media platforms are 'hard to block.' Respondents lacked any effective technical defenses against peer reporting, group-administrator censorship, and intermediary liability; they relied instead on social management strategies such as abbreviating references to royalty, running 'trial posts,' and self-censoring likes and shares.
-
India's federated censorship model — each ISP independently enforces government blacklists — produces dramatically inconsistent filtering: Airtel censored only 1 of 50 pornographic sites probed, while MTNL censored 45 of 50; Reliance Jio censored 0 sites across all 540 test URLs. A well-informed user can escape censorship through a judicious choice of ISP.
-
Of the 55 filters that inspected the HTTP Host header, 26 keyed only on the first Host header in a multi-Host request, 27 keyed only on the last, and only 2 examined both. Placing a benign Host header in the position the filter reads and the blocked URL in the other position bypassed the filter, and this divergence in behavior tracks RFC 7230's requirement to reject multi-Host requests with a 400 error — which none of the tested filters implemented.
-
HTTP GET fuzzing via subtle token modifications bypassed large fractions of filters: removing the `\r\n` before the Host header bypassed 36–38 of 44 Host-header filters; embedding the censored URL in the middle of a long hostname string bypassed 33–35 filters; placing the URL in an after-Host field with a non-empty Host bypassed 29–36 filters. Blacklist coverage was also weak: no filter blocked all 100 of the Alexa top adult sites, and some blocked as few as 31.
-
Among the 44 non-DNS filters, 11 did not reassemble TCP segments and 7 did not reassemble IP fragments before inspection, meaning a censored URL split across segment or fragment boundaries evaded detection. Five filters applied fragment/segment reassembly timeouts of under 2 seconds despite maintaining HTTP request state for more than 8.5 seconds, creating a window where a deliberately fragmented flow with artificial delay avoids inspection entirely.
-
Autosonda classified 76 commercial web filters in the NYC metropolitan area into three categories: 21 (27.63%) performed DNS blacklist filtering, 44 (57.89%) matched on the HTTP Host header of GET requests, and 11 (14.47%) performed a DNS lookup of the Host header value and blocked based on the resulting IP. Autosonda found circumvention paths for 100% of filters tested.
-
All 76 filters inspected only TCP traffic: sending the identical HTTP request over UDP bypassed censorship 100% of the time. Additionally, 17 of the 49 filters that censored requests to EC2 servers only inspected traffic on port 80 and passed through the same requests sent to port 9900 without modification. No filter triggered on URI query strings, so appending query parameters to any censored URL bypassed every tested filter.
-
Chinese mobile games widely implement keyword censorship client-side — blacklists were found embedded in plain text, XML, JSON, compiled Lua, compiled C++, and encrypted formats requiring reverse engineering to extract. The client-side implementation exposed 132 keyword lists from 113 different games in the first experiment alone. Games must submit their blocked keyword list to regulators (MOC/SAPPRFT) to obtain a publication license, making keyword filtering a regulatory compliance artifact rather than purely an operational choice.
-
Analysis of over 183,111 unique keywords collected from 200+ Chinese mobile games found no central state or provincial authority controlling keyword list generation. The only consistently significant predictors of keyword list similarity were whether games shared the same developer (Mantel r=0.17, p<0.001) or publisher (r=0.15, p<0.001); city, province, and genre showed no significant correlation (p>0.58). This indicates Chinese companies have substantial flexibility in determining which content to block under the 'self-discipline' intermediary liability framework.
-
When controlling for shared-developer as a confound, shared-publisher correlation collapsed to r=0.047 (p=0.0015) in the first experiment and r=0.064 (p=0.015) in the second; when controlling for shared-publisher, shared-developer remained r=0.095 (p<0.001) and r=0.13 (p<0.001) respectively. This demonstrates that development teams — not publishing entities — are the primary locus of keyword list authorship in the Chinese mobile gaming ecosystem.
-
Forensic analysis of keyword list formatting artifacts — C-style escapes appearing in XML files, XML entities appearing in non-XML files, and double-backslash encoding traceable to a 2004 leaked QQ keyword list — provides evidence that developers copy and circulate keyword lists across companies through informal channels including old web applications and bulletin boards. This keyword propagation mechanism explains partial overlap between unrelated companies' lists without implying a central authority.
-
Content analysis of 7,000 randomly sampled keywords (±1.1% at 95% confidence) found Social content (gambling, illicit goods, competitor references) was the dominant theme at 51.16%, followed by Technology/URLs at 16.81%, Political content at 15.00%, People (officials, dissidents) at 6.57%, and Event-related keywords at only 4.89%. Gaming keyword lists lacked references to current events from 2016–2017 that were found actively censored on Chinese chat applications during the same period, suggesting games face lower scrutiny for real-time event censorship than communication platforms.
-
China's Internet censorship ecosystem is bilateral: the GFW handles technical blocking while separate government agencies (MIIT, TCA, MPS, MSS) handle non-technical regulation, and 'these two components do not operate synchronously.' Google Scholar is considered a legal service by Chinese regulators but is incidentally blocked as collateral damage because it falls under the google.com domain, blocked since 2010.
-
41% of users (139,042 of 342,650) in the post-coup dataset voluntarily removed 18% of all post-coup tweets by switching to protected mode, deleting accounts, or deleting individual tweets; the largest groups were active users who deleted some tweets (44% of affected accounts) and users who switched to protected mode (22%).
-
Zero pro-Gülen topics appeared in the public tweet set post-coup, while 70% of unreachable (deleted/protected) Gülen-related tweets were pro-Gülen; the unreachable rate for Gülen-related tweets was twice the background rate, quantifying rapid directional self-censorship on politically targeted content within days of a government crackdown.
-
Comparing 5.6M pre-coup tweets (2015 Turkish general election) to 8.5M post-coup tweets (July–November 2016), the authors found 72% fewer government-censored tweets post-coup (142,492 vs. 513,719), with an estimated 43% of that decline attributable to reduced overall Twitter usage in Turkey and the remainder to user self-censorship.
-
Twitter's official Transparency Report for July–December 2016 reported 489 censored tweets in Turkey from non-withheld accounts; the authors identified 6,402 unique censored tweets from the same period—approximately 13× more than officially reported—replicating an earlier order-of-magnitude undercount finding by Tanash et al. (2015).
-
China's Great Firewall adds sites to its blacklist within hours of their becoming newsworthy and drops them again just as quickly; conversely, Pakistan's pornography crackdown used a rarely-updated blocklist, causing 50% of consumption to shift to unlisted sites. An outdated probe list will therefore underestimate GFW effectiveness and overestimate effectiveness in countries with static lists.
-
Topic correlation analysis across 2,904 list-topic pairs (585 significant after Bonferroni correction at α = 0.05) shows social media is disproportionately represented in country blacklists relative to the broader web; video-sharing sites are also frequently blocked, likely to suppress political organization, copyright infringement, or competition with local businesses.
-
A censor tracking which deleted posts are resurrected can apply Bayesian inference to identify content-preservation system users: for each resurrected post r observed by set O(r), each observer's suspicion score updates by factor (|O(r)|−1)/|O(r)|, while observers of non-resurrected deletions can be ruled out with certainty. The attack requires only that the censor join the preservation system with a few sock-puppet accounts spread across multiple followed-user lists.
-
A censor with platform-side control can definitively confirm a single suspected user by injecting a unique fake post visible only to that user, then querying the preservation system for resurrected posts attributed to that fabricated author. Presence of the fake post in the resurrection feed is binary confirmation of user membership. This targeted attack defeats automated post-alteration countermeasures when a human examines the result.
-
Simulation on a 1,000,000-user scale-free Weibo topology shows that at 1% GhostPost user adoption the system preserves over 70% of postviews against the daytime censor (2-hour median deletion) and nearly 90% against the nighttime censor (10-hour median deletion). Even a highly aggressive censor deleting posts within 30 minutes on average cannot prevent a 1.5% GhostPost deployment from resurrecting the majority of postviews. Steep coverage gains plateau around 0.5% adoption, after which marginal returns diminish.
-
GhostPost's client-server coordination channel transfers only metadata and small text payloads, making it neither bandwidth-intensive nor latency-sensitive. The paper explicitly concludes that 'practically any means of communication, including low-performance covert channels, are adequate' for the coordination channel, enabling operation over DNS tunnels, steganographic channels, or other constrained transports when the central server's HTTPS endpoint is blocked.
-
Sina Weibo's deletion workforce exhibits strong diurnal variation: posts published 3–9 AM have median lifetimes of 8–9 hours, while posts from 10 AM–midnight have median lifetimes around 2 hours. Over 90% of eventually-deleted posts are removed within 24 hours, but the nighttime slowdown creates a predictable window where post survival is 4–5× longer than daytime.
-
Camouflage bypassed GFW censorship in China across one month of daily testing with no plugin blocked. The GFW's primary mechanism was identified as keyword filtering on web content rather than DNS hijacking (avoided due to risk of collateral international impact). Dropbox was inaccessible inside China during testing, demonstrating that plugin substitutability is operationally necessary: at least one alternative protocol must remain reachable in any given censored environment.
-
Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.
-
The paper formally defines circumvention as either preventing the trigger from being seen by the surveillance device, or countering the effects of the censoring action. This two-path decomposition — hide the trigger vs. nullify the enforcement — provides a clean design framework: a circumvention tool can succeed by making traffic unrecognizable (no trigger fires) or by routing around the blocking device (action nullified).
-
Locally curated URL lists elicit 3–5× higher blocking rates than global lists in high-censorship countries. In China and Yemen, local content was blocked three to five times more than globally sensitive content, attributed to language filtering and active censorship of local political discourse; China's 99% block rate on 'falun' in HTTP path vs. 81% for 'falun' in domain name further illustrates trigger sensitivity.
-
Blocking all homophones of 422 censored keywords would generate approximately 47,000 false-positive weibos per day per keyword, totaling roughly 20 million false positives daily — approximately 20% of Sina Weibo's daily message volume — making blanket homophone blocklisting operationally infeasible without massive collateral censorship of innocent traffic.
-
Homophone-transformed weibos lasted on Sina Weibo an average of 3.94 hours (σ=5.51) before removal, versus 1.3 hours (σ=1.25) for unaltered originally-censored posts — a threefold difference (W=1830, p<0.01) — while ultimate censorship rates were not significantly different between conditions.
-
Falling back to human review to defeat the homophone technique would cost the Sina Weibo censorship apparatus more than 15 additional human-hours per day per censored keyword — derived from an efficient censorship worker reading approximately 50 weibos per minute (Zhu et al. 2013) applied to ~47,000 daily false-positive matches per keyword — a burden that scales with the number of simultaneously banned keywords, which may number in the thousands.
-
Replacing censored keywords with algorithmically-generated homophones increased the initial publication rate on Sina Weibo from 90.79% for unaltered posts to 94.74% for transformed posts (χ²=6.219, p=0.01), demonstrating that the technique successfully bypasses automatic keyword matching at the publication gate even when posts are ultimately censored at similar rates.
-
Native Chinese-speaking Amazon Mechanical Turk workers understood the content of 605 out of 608 homophone-transformed posts (99.51%), with only 2.85% of all impressions (52/1,824) reporting difficulty; workers unable to identify transformed keywords were significantly more likely to report confusion (p<0.001 for original keywords, p=0.03 for transformed keywords).
-
9158 version 6.9, in addition to its explicit keyword filter, asterisks out all English alphabet letters in any chat message containing six or more consecutive English letters. Combined with explicit keywords for 'http', 'www', and 'com' on its filter list, this constitutes a blanket URL-suppression mechanism that also incidentally blocks arbitrary English-language communication.
-
Reverse engineering of four Chinese social video platforms (YY, 9158, Sina Show, GuaGua) yielded 42 keyword lists totaling 17,547 unique keywords. Jaccard similarity clustering shows very little overlap between lists from different companies, consistent with prior work that found only 3% overlap in unique keywords across TOM-Skype and Sina UC (4,256-keyword dataset). This provides the largest unbiased cross-platform evidence that Chinese platform censorship is decentralized rather than governed by a monolithic ruleset.
-
Between February and May 2015, YY High received 21 updates and 9158 Chat received 8 updates. Updates correlated directly with current events within days: Zhou Yongkang's name was added to 9158 Chat on May 6, days after his April 3 corruption indictment; YY Normal added and then removed Chinese Christian song titles between April 23 and April 30 during a church demolition controversy. GuaGua does not download keyword updates at all.
-
SVP keyword lists from all four platforms explicitly target both government criticism and collective action, contradicting King et al.'s claim that criticism is tolerated while collective action is suppressed. All four platforms censor Falun Gong and current CPC leaders (including phonetic homonyms like '习尽平'); over 90% of YY's event-related keywords (2,535 total) reference the June 4, 1989 Tiananmen Square Massacre, and derogatory phrases such as '共匪' (Communist gangsters) appear alongside collective action event keywords.
-
YY version 7.1 silently exfiltrates the full text of any triggering message via HTTP GET to sere.hiido.com, together with the sender's user ID, the recipient's user ID, and the triggering keyword. The surveillance endpoint authenticates using md5(⌊unix_epoch/1000⌋ + ";username=report;password=pswd@1234") with hardcoded credentials, making the surveillance traffic structurally distinguishable from normal YY traffic.
-
Among withheld retweets in the Turkish dataset, 92% of the corresponding original tweets were also withheld, while 4% survived uncensored and 4% belonged to fully-withheld accounts; this asymmetry suggests the Turkish government's censorship targeting mechanism operates with some degree of systematic (possibly hashtag- or keyword-based) sweep rather than purely manual per-tweet review.
-
Manual review of 46 fully-withheld Turkish accounts found that 36 (78%) were classified as posting anti-government political content critical of President Erdoğan, 2 as pornography, 1 as advertising bots, 3 as unidentified, and 4 as no-longer-findable; NMF/tf-idf topic modeling of withheld individual tweets confirmed that the dominant censored themes were criticism of government-aligned media and ruling-party politicians.
-
The Chilling Effects database contained only 33 notices from Twitter across all countries, far fewer than the 108 account-withholding requests disclosed in Twitter's own transparency reports for the same period; Twitter itself acknowledges its transparency reporting is neither 100% comprehensive nor complete, and the authors confirmed that at least 86% of Turkish government withholding requests for non-protected tweets were approved by Twitter.
-
Twitter's official transparency reports for Turkey recorded 183 withheld tweets (Jan–Jun 2014) and 1,820 withheld tweets (Jul–Dec 2014), but the authors' collection of 17 million geo-bounded Turkish tweets yielded 3,258 withheld tweets from the streaming phase alone, and expanding to followers of censored accounts produced 171,652 withheld tweets—roughly two orders of magnitude more than Twitter's own disclosures.
-
Testing approximately 130 million domain names uncovered 35,332 censored domains from which 14,495 keywords were extracted across 7 distinct matching patterns. The blocklist grew by approximately 10% over eight months (August 2013–April 2014), and more than two-thirds of censored domains had expired registrations, suggesting the GFW rarely removes entries.
-
Four circumvention tool names were explicitly blocked as URL substrings with zero allowed requests passing through: hotspotshield (126,127 blocked), ultrareach (50,769), ultrasurf (31,483), and the generic keyword israel (48,119). All matching requests — including update checks and background pings — were denied at 0% pass-through rate.
-
Skype.com (503,932 censored, 0 allowed) and live.com IM services were blocked with 100% denial rates at all times. During the August 3, 2011 protest events Skype accounted for up to 29.24% of all censored traffic; 9% of Skype requests were software update attempts, which were also denied, confirming content-agnostic domain-level blocking rather than content-selective filtering.
-
Syria's Blue Coat proxies blocked any URL containing the string "proxy," generating 3,954,795 censored requests (53.61% of all policy-censored traffic in Dfull). The collateral damage was severe: Google Toolbar's /tbproxy/af/query API calls and Facebook social plugins (/plugins/like.php at 43.04% and /extern/login_status.php at 38.99% of facebook.com censored traffic) together account for over 80% of censored facebook.com requests, all denied with 0 allowed counterparts.
-
Syrian censors used a custom Blue Coat URL-category to policy_redirect specific Facebook pages (Syrian.Revolution: 1,461 censored) while allowing 17.70M facebook.com requests overall — only 1.62M (8.4%) were censored. The URL-pattern matching was imprecise: www.facebook.com/Syrian.Revolution?ref=ts was blocked but the identical page with additional AJAX query parameters (__a=11&ajaxpipe=1) was not categorized as 'Blocked Site,' leaving some access through.
-
Chinese censorship does not primarily target criticism of the state or its leaders — vitriol against top officials is routinely published. The decisive variable is collective action potential: posts that organize, incite, or reference crowd formation outside the Internet are censored regardless of whether they are pro- or anti-government, a distinction the authors formally establish and experimentally test for the first time.
-
The automated keyword-filtering tier is acknowledged to be largely ineffective at text classification due to well-known poor performance of keyword-matching approaches; the government compensates by deploying tens of thousands of human censors who manually review posts held by automated filters. The automated system affects large numbers of posts on fully two-thirds of Chinese social media sites surveyed.
-
By operating their own Chinese social media site using commercially available software, documentation, and vendor support, the authors confirmed that censorship enforcement is delegated to platform operators via configurable off-the-shelf software. By default the software shipped with no automated review or blocking; webmasters activate keyword lists and gain controls for bulk deletion, IP blocking, user banning, and per-post-type restrictions.
-
Chinese social media censorship operates at two sequential stages: an instantaneous automated review that holds flagged posts before they receive a public URL, followed by human censors who read each held post and decide within roughly 24 hours whether to publish or delete it. The ex ante automated stage is invisible to observational methods that only monitor published content, creating a systematic blind spot in prior censorship measurement research.
-
The Chinese censorship apparatus detects collective action potential through volume-burst monitoring: it identifies a spike in social media posts about a topic area, traces the spike to a real-world event, classifies the event as having collective action potential, and then censors all posts in that burst — regardless of individual post stance or content.
-
Censors on Sina Weibo were documented retroactively removing entire repost cascades started from a single sensitive post. Extrapolating from sampled data, prior work estimated that up to 4,200 workers working eight-hour shifts would be required to match the censorship demand on Sina Weibo alone, with documented peak hours for deletion activity.
-
A random sample of Sina Weibo messages found that 16.25% were deleted overall, with geographic distribution having a strong impact: up to 53% of messages from some Chinese provinces were deleted. Nearly 30% of all deletions occurred within the first 5–30 minutes of posting, and up to 90% within 24 hours of the posting.
-
Measurement of Alexa top-500 websites across 18 categories found that over 50% of the internet's most-visited sites were blocked in Iran, with adult content blocked at over 95% and the Art category the third-most censored. DNS hijacking was applied selectively to only three domains (facebook.com, youtube.com, plus.google.com), while HTTP Host filtering accounted for the vast majority of blocks.
-
Iran's HTTP censorship allows the TCP three-way handshake to complete normally before acting on the HTTP GET request: the censor responds with a '403 Forbidden' and simultaneously sends 5 spoofed RST packets to the destination server (3 with in-sequence numbers, 2 with seemingly random offsets). No modifications to TCP/IP or HTTP headers were observed at either endpoint, ruling out a transparent proxy and pointing to inline DPI.
-
Censorship on Weibo does not produce a measurable chilling effect on discussion: Spearman's ρ = 0.198 (p = 0.011) between the percentage of censored tweets and unique tweeters per topic, indicating that censored topics attract more unique participants. No significant negative correlation was found for any of five engagement variables (comments per tweet, comments per user, total comments, unique commenters, unique tweeters).
-
Comments on Weibo (~18M per day) are not independently censored: when a tweet is deleted, its comments are deleted as a cascade, but no instances of standalone comment censorship were observed in 36.5M tweets and associated comments. This creates a structural asymmetry — there are an order of magnitude more comments than tweets, yet comments persist unless their parent tweet is removed.
-
Weibo users circumvent keyword-based censorship by substituting censored terms with morphs — abbreviations, anglicizations, homophones, homographs, and neologisms. 11 of 37 trending topics in a 44-day crawl of 280K users contained morphs, and morph usage was concentrated in heavily censored topics, with up to 5 morphs per topic observed.
-
Morph adoption in censored topics begins within hours of censorship being imposed, and in some topics users adopt morphs preemptively before censorship is applied, demonstrating rapid community-level awareness of keyword filtering. Temporal analysis of the Lushan and Taxi topics (Figures 19–20) shows morph usage rising sharply in parallel with or ahead of censor action.
-
Weibo employs keyword-based censorship with highly uneven application across topics: 82% of tweets in the Lushan topic (criticism of a local official) were censored, while 27 of 37 trending topics exhibited <2% censorship; overall ~1% of the 36.5M crawled tweets were censored. The Chinese government prioritizes censoring content that could incite public protest over content that is merely critical.
-
All confirmed URL filtering deployments—McAfee SmartFilter in UAE and Netsweeper in Yemen, UAE, and Qatar—block content across at minimum six of seven tested human-rights-sensitive categories: media freedom, human rights, political reform, LGBT, religious criticism, and minority groups/religions. Netsweeper in both Qatar (Ooredoo) and UAE (Du) blocks all seven categories. This content is protected under Article 19 of the Universal Declaration of Human Rights.
-
In YemenNet (AS 12486), URL filtering was observed to be intermittently offline: proxy URLs accessible in one test run were blocked in others and vice versa. A prior ONI measurement found a Yemeni ISP running Websense whose filtering ceased entirely when concurrent user count exceeded the product's license capacity. This inconsistency required larger URL test sets and repeated measurement runs to establish blocking with high confidence.
-
In every ISP where URL filtering was empirically confirmed, the 'proxy anonymizer' category was actively blocked. Netsweeper blocked 6/6 submitted proxy domains in YemenNet (AS 12486), 5/6 in Du UAE (AS 15802), and 6/6 in Ooredoo Qatar (AS 42298); McAfee SmartFilter blocked 5/5 anonymizer-category submissions in Etisalat UAE (AS 5384). Blue Coat was not confirmed in UAE or Qatar; Etisalat appears to use SmartFilter for URL filtering atop a Blue Coat proxy appliance for traffic management.
-
The paper presents a repeatable method for confirming which specific URL filtering product is used for censorship: create test domains under researcher control, submit a subset to the vendor's public URL categorization interface, then retest within 3–5 days to observe whether submitted domains become blocked. This technique confirmed McAfee SmartFilter in UAE (Etisalat, AS 5384) and Saudi Arabia (Bayanat Al-Oula AS 48237, Nournet AS 29684), and Netsweeper in Qatar (Ooredoo AS 42298), UAE (Du AS 15802), and Yemen (YemenNet AS 12486).
-
Self-censorship of status updates was significantly higher for users whose friend networks spanned greater political diversity, indicating that perceived audience heterogeneity amplifies the chilling effect even in the absence of any explicit platform enforcement action.
-
Das and Kramer measured last-minute self-censorship on Facebook by tracking text typed into composer fields but never submitted; 71% of users in their study composed at least one status update or comment that they ultimately withheld during the 17-day observation window.
-
Comment self-censorship was primarily driven by the relationship between commenter and post author: users were more likely to suppress comments when the audience included the post's author, underscoring that relational asymmetry — not just content sensitivity — shapes suppression decisions.
-
GFW exhibits three confirmed HTTP analysis gaps: it inspects only the first Request-URI and Host header in HTTP-pipelined requests (HTTP3), will not scan beyond 2,048 bytes into a Request-URI (HTTP2), and recognizes only standard percent-encoding while ignoring alternative URI encodings such as overlong UTF-8 (HTTP4). The authors classify all three as low-difficulty fixes for the censor, meaning they may be patched quickly once disclosed.
-
GFW maintains TCP connection state for up to ≈10 hours and tolerates up to ≈1 GB of client-to-server data, but drastically reduces these limits when a sequence hole exists: it abandons state after buffering only 1 KB above the hole (TCP9) and times out holed connections in 60–90 minutes rather than ≈10 hours (TCP10). These thresholds were confirmed over repeated measurements and represent the maxima tested, not precise censor-configured limits.
-
Every website blocked at the DNS level in Pakistan was also blocked by a secondary HTTP-layer mechanism, ruling out the use of alternative DNS resolution (web-based lookup tools or user-generated content hosting DNS records) as a standalone bypass. Multi-IP shared-service sites such as YouTube and Wikipedia were blocked only at the HTTP level, where a Host-header match triggered censorship regardless of the destination URL.
-
In four of five incidents (all except Syria), spam accounts were registered in temporally clustered blocks while legitimate accounts were not; in Russia and Mexico, multiple distinct registration bursts were observed. Across all five incidents, spam account usernames were automatically generated, with China'12 and Mexico accounts following a {name}{name}{number} pattern padded to exactly 15 characters (Twitter's maximum), making algorithmic reverse-engineering feasible.
-
In the Russia and Mexico incidents, spam tweets showed statistically significant spikes at fixed sub-hour intervals (5 and 15 minutes past the hour respectively), consistent with cron-job automation. Despite this automation, both campaigns deliberately mimicked human diurnal activity patterns — spam volume peaked at the same hours as legitimate traffic — to evade time-based anomaly detection.
-
Default-profile usage was significantly elevated among spam accounts in China'11 (89.4% spam vs 51.2% non-spam), Russia (57.8% vs 34.7%), and China'12 (95.1% vs 47.8%); however, Mexico inverted this trend with only 1.7% of spam accounts using default profiles vs 27.0% of non-spam accounts, indicating that newer campaigns actively customize profiles to evade appearance-based detection.
-
Across five political spam incidents, spam constituted 62–73% of all tweets in the Russia, China'12, and Mexico incidents, while Syria had only 6% spam. In the China'12 incident, 1,700 spam accounts (14% of all accounts) generated 600,000 spam tweets (73% of total), with 10 individual accounts each producing over 5,000 tweets before shutdown; in Mexico, 50 accounts sustained 1,000 spam tweets per day throughout the incident.
-
Twitter's existing automated spam-filtering mechanisms caught only approximately 50% of politically motivated spam in the Russian parliamentary election incident, as reported by Thomas et al. (2012) and noted as the baseline for this study. Spammer behavior varied sufficiently across incidents (targeting strategy, URL usage, mention patterns, default-profile adoption) that supervised machine-learning classifiers trained on one incident are unlikely to generalize to others.
-
When using a domestic email provider that collaborates with the censor (DomesticMail), SWEET clients must embed tunneled data via steganography (image or text) and coordinate a secondary secret email account with the SWEET server out-of-band. This prevents the censor from discovering the SWEET server association via recipient-field inspection, but adds operational complexity and requires an out-of-band bootstrapping channel.
-
A snapshot from 6 April 2012 shows TOM-Skype had 1,130 censorship keywords and SinaUC had 1,490, with only 21 words in common — all high-frequency stock keywords (e.g., 'falun', 'Epoch Times'). This near-total divergence indicates each company independently compiled its own blacklist rather than distributing from a centralized government source.
-
TOM-Skype's client-downloaded keyword blacklist was updated with current-event-specific terms (protest locations, individual names like Bo Xilai) while SinaUC's lists were not updated with current events and appeared more targeted at spam removal. This correlation between surveillance capability and more timely, politically specific keyword updates suggests censors prioritize maintaining current blacklists on clients that also perform message surveillance.
-
Weibo's post-censorship system initially checks only for literal keyword strings, but after a user posts a literal blacklisted keyword the server switches to regex/wildcard matching for that user's subsequent posts — catching obfuscations like 'Fa-ccc-lun' that were not blocked before the trigger event. This per-user escalation of pattern matching means keyword obfuscation provides only one-shot protection.
-
Weibo's search censorship is more aggressive than its post censorship: searching for a keyword returned no results in cases where posting the same keyword was not blocked. The authors hypothesize this asymmetry reflects resource constraints — post censorship requires processing longer, more varied content at high volume, while search censorship is cheaper to apply broadly.
-
Bigram frequency analysis of Weibo around the December 2011 Wukan village protests (Figure 1) shows censorship of the keyword 'Wukan' was applied proactively before mainstream media coverage and lifted after the government announced a peaceful resolution on 21 December 2011 — demonstrating that censors operate on a news-cycle timescale and use temporary suppression to manage narrative rather than indefinitely blocking topics.
-
OONI's experiment-control methodology explicitly favors false positives over false negatives: it is preferable to generate more censorship candidate events for further investigation than to miss genuine interference. Mismatch between experiment and control data is not always a definitive signal of manipulation but is treated as sufficient cause for flagging, and data collection and analysis are treated as distinct phases.
-
The vast majority of censorship activity occurs within 24 hours of original posting, with some deletions occurring more than 5 days later. Across 11,382,221 posts from 1,382 Chinese social media sites collected in 2011, the average censorship rate is 13%, with rates of 16%, 17%, and 24% in low, medium, and high ex ante political sensitivity topic categories respectively.
-
Chinese government censorship is aimed at suppressing collective action potential, not state criticism. Average censorship magnitude is 27% for collective action events but −1% for policy and −4% for news events. Posts criticizing and supporting the state are both censored at ~80% during collective action events, compared to ~10% for non-collective-action topics.
-
Censors apply categorical event-level judgment — whether a post is associated with a collective action topic — rather than per-post sentiment classification. The paper explicitly states that no known statistical or machine-learning technology can achieve the accuracy required for this task, and the authors obtained 98.9% intercoder agreement (86/87 events) using human coders applying the same five-category scheme.
-
Keyword blocking has limited effect because users evade it through homophones (e.g., 'river crab' substituting for 'harmonious society'), homographs, analogies, metaphors, and satire; the Chinese character-based writing system provides particular affordances for this evasion. Chinese social media is distributed across approximately 1,382 sites following a power-law distribution, with blog.sina alone accounting for 59% of posts, creating highly variable enforcement across the long tail of local sites.
-
Chinese censors operate primarily through manual human review, not automated classification. Hand-censorship is identified as the last and most extensive form of content filtering and cannot be evaded by clever phrasing, unlike automated keyword blocking. Individual content providers each employ up to 1,000 censors, supplemented by 20,000–50,000 Internet police and an estimated 250,000–300,000 'fifty-cent party' members at all levels of government.
-
Twitter's relevance-ranked search returned 53% fewer bot-generated tweets compared to real-time chronological search across 1.1 million queries during the attack; restricting analysis to the top 5 most-recently returned relevance results reduced spam by 64% versus real-time. Relevance ranking incorporates social-graph overlap and content popularity signals to demote mass-produced low-engagement content.
-
The attack demonstrates that spam-as-a-service markets built for commercial spam (fake reviews, URL advertising) were directly repurposed for political censorship without modification, using the same compromised-host pools (39% blacklisted IPs) and bulk account infrastructure. This convergence means technical defenses against commercial spam infrastructure simultaneously constrain politically-motivated censorship operations by actors who lack direct Internet-access control.
-
An unknown attacker leveraged 25,860 fraudulent Twitter accounts to send 440,793 tweets targeting 20 election-related hashtags, peaking at 1,846 tweets per minute, in an attempt to dilute political conversations following Russia's December 2011 parliamentary election. The accounts were drawn from a pool of approximately 975,283 fraudulent accounts identified by the researchers, 80% of which remained dormant with zero friends, followers, or tweets.
-
Content-oblivious replication delegates ongoing availability maintenance to 'manifest guarantors' — nodes holding content manifests — who periodically sample chunk replication factors and restore missing replicas without knowing the plaintext they protect, freeing the original publisher from any post-publication obligation. Two honest manifest holders (one content, one key) are sufficient to maintain replication with overwhelming probability even under adversarial conditions and high churn.
-
A hybrid garbage-collection scheme combining time-based expiry (last-access timestamp cutoff), popularity-based retention, and editor-signed manifest exemptions forces adversaries conducting pollution or exhaustion attacks to continuously re-access or re-upload junk to prevent its deletion. A single honest editor's signature is sufficient to exempt important but infrequently accessed content from deletion indefinitely, while malicious editors cannot explicitly remove content from the system.
-
One-way indexing separates a published file into encrypted content blocks (indexed by hash1(block)), a content manifest (indexed by hash2(keyword)), and a key manifest (indexed by hash3(keyword)), so a storer holding all content chunks cannot recover the plaintext or keywords without inverting a cryptographic one-way function. Using distinct hash functions for each manifest type also minimizes the probability that a single node stores both manifests, preventing correlation.
-
China's censoring device is stateful: it inspects only the first HTTP GET request after a TCP handshake and ignores subsequent requests or those without a preceding handshake. After blocking a request, it records the (src IP, dst IP, port, protocol) tuple and denies all further communication between that machine pair for approximately 12 hours, even for traffic that would not independently trigger censorship.
-
#h00t achieves censorship resistance by truncating a key-derivation-function output to k bits to produce a 'short tag', deliberately inducing collisions across unrelated groups. A censor cannot block a targeted group's short tag without simultaneously blocking all colliding groups — including innocuous, high-traffic ones — forcing heavy-handed censorship that creates domestic blowback. The design provides plausible deniability: subscribers can claim they follow a foreign pop star rather than a dissident group.
-
During a two-month run in 2011 that coincided with the Jasmine Revolution protests, China's HTTP GET request backbone blacklist showed no additions or removals of keywords on a daily, weekly, or even monthly basis. Numerous current-event terms that triggered search engine censorship produced zero GET request RST responses, indicating the two censorship mechanisms operate on entirely different update timescales.
-
To measure Chinese search engine censorship independently of backbone GET request filtering, the authors split each search engine HTTP GET request across multiple TCP packets so the server would reassemble the full query but routers performing single-packet keyword inspection would not see a complete match. This technique allowed ground-truth measurement of search engine responses free of backbone RST injection interference.
-
A controlled probe of two Chinese search engines found that the query 'fuck' triggered a legal notice that results had been removed, while 'fuck you' did not, suggesting that search engine censorship suppresses websites where a sensitive term appears prominently rather than matching exact byte strings in the query itself. The paper concludes this mechanism is topical and website-removal-based, not a static keyword blacklist.
-
During the 2011 Jasmine Revolution, words such as 'Jasmine Flower,' terms linked to Liu Xiaobo's Nobel Prize, and numeric references to presidential rent criticism triggered Chinese search engine censorship (results-removed warnings) but produced no HTTP GET request RST injections. This demonstrates that search engine filtering and backbone keyword filtering are independently operated layers that diverge sharply for rapidly evolving current-event content.
-
BBC Chinese's multi-channel Psiphon promotion — radio broadcasts three times daily with additional trails, daily email newsletters, and ad hoc tweets — allowed its service to reach page-view parity with BBC Persian's established Psiphon deployment within eight weeks of launch in September 2010. Separately, a third-party BBC Persian iPhone app using full-text RSS feeds received over 50% of its downloads from inside China, demonstrating that syndicated full-text content distributed across multiple third-party sites and apps is difficult for censors to enumerate and block.
-
TOM-Skype maintains two separate encrypted keyword lists: one triggering both message suppression and silent upload to a Chinese server, and a second triggering surveillance only. Version 5.1.4.10 introduced a distinct surveillance-only keyfile downloaded from a separate URL (skypetools.tom.com/agent/keyfile_u), allowing the censor to monitor users without alerting them via censorship.
-
TOM-Skype keyword list encryption evolved from a simple XOR cipher in versions 3.6/3.8 to 256-bit AES-ECB in versions 5.0/5.1. Surveillance traffic was encrypted with DES-ECB using hardcoded ASCII keys embedded in the binary (SURVEIL_KEY4.0 = 'X7sRUjL\0'; SURVEIL_KEY3.6 = '32bnx23l'), recovered via known-plaintext attack and DLL injection, respectively.
-
The TOM-Skype keyword blacklist contained numerous user-coined neologisms added after the originals were censored—e.g., 'Lu Si' (a homophone for the Tiananmen date '64') and 'Oscar best actor winner' (a euphemism for Wen Jiabao)—demonstrating an adversarial arms race in which evasion vocabulary spreads freely until censors detect and blacklist the neologisms. The authors observed that some sensitive concepts (e.g., '64' rendered as '32+32' or '8 squared') spawn so many variants that the neologism strategy may not scale for the censor.
-
The TOM-Skype censorship keyfile was substantially updated on 4/22/2011—possibly correlated with US-China human rights talks on 4/27–4/28/2011—and contained exact phrases lifted verbatim from 2011 Jasmine Revolution protest coordination documents, including specific intersection meeting points such as 'McDonald's in front of Chunxi Road in Chengdu'. This demonstrates real-time, operationally targeted keyword blacklisting within days of new coordination material appearing.
-
The 158-word surveillance-only keyword list in TOM-Skype 5.1.4.10 focused predominantly on specific Beijing demolition sites and addresses (e.g., 'Ling Jing Alley demolition'), plus five Shouwang church keywords—none of which triggered message suppression. Messages matching these keywords were silently uploaded to a server, demonstrating that the censor operates event-specific surveillance lists targeting localized grievance communities independent of its censorship blacklist.
-
Censorship operating at the infrastructure layer (hosting, DNS, ISPs) rather than the content layer produces opacity: blocklists must be kept secret lest they become menus of blocked content, accuracy cannot be examined, and harms are divided from those with incentive or expertise to oppose them. The consistent pattern in anti-censorship responses is to distribute, decentralize, encrypt, and obfuscate — making circumvention traffic indistinguishable from permitted use.
-
Over a 14-day evaluation in April 2011, CensMon tested 4,950 unique URLs from 2,500 domains across 174 agents in 33 countries, detecting 951 unique URLs from 193 domains as filtered. Manual verification of all 193 flagged domains found only 3 false positives, demonstrating high precision for an automated distributed monitor.
-
Among all filtered URLs detected, HTTP filtering accounted for 48.5%, IP address blocking for 33.3%, and DNS manipulation for 18.2%. Of the domains blocked at the HTTP layer in China, 71% were blocked due to URL keyword filtering rather than HTML response content filtering.
-
CensMon detected zero instances of partial web-page content filtering across 4,950 tested URLs during April 2011, indicating that censors at that time uniformly applied coarse-grained techniques — full URL block, IP blacklist, or DNS hijack — rather than inline content modification at the sub-page level.
-
Forum and blog platform operators in the censored country were systematically coerced into serving as first-line censorship enforcers: they monitored user comments, warned users that Internet anonymity did not exist, gave users chances to self-remove offending posts, and ultimately handed user identifying information to government agencies when users did not comply. Larger forums hired full-time moderators operating 24 hours a day to manage this compliance workload.
-
The study located 495 router interfaces with attached IDS filtering devices across China, with CHINANET holding 79.4% and CNCGROUP 17.4%. The two ISPs use fundamentally different placement strategies: CHINANET distributes filtering across provincial networks (80% of its 21 served provinces operate their own filtering devices, Guangdong alone hosting 84 of 374 CHINANET interfaces), while 90% of CNCGROUP's 82 filtering interfaces concentrate in its backbone.
-
CNCGROUP's filtering interface count has grown to three times its 2007 level, now accounting for 17.4% of all 495 filtering interfaces found, while CHINANET's count has remained stable since 2007. This divergence indicates CNCGROUP is actively expanding its censorship infrastructure while CHINANET's filtering capacity has matured.
-
The GFW is fully stateful as of 2010: probing all 11,824 Chinese IP prefixes with single TCP packets containing the keyword 'falun' produced no RST responses, confirming that a complete TCP handshake must precede any filtering trigger. Earlier measurements (2006, 2007) reported contradictory results; this study finds statefulness is now universal across all probed prefixes.
-
14 of 495 filtering interfaces (2.9%) are located in non-border internal ASes, all but two belonging to CHINANET provincial subsidiaries. The paper notes that CHINANET's provincial filtering architecture creates infrastructure capable of inspecting inter-provincial domestic traffic, even though there is no current evidence it is being used for that purpose.
-
SkyF2F tunnels censored traffic through Skype's encrypted overlay network, forcing the censor into an all-or-nothing dilemma: blocking SkyF2F requires blocking Skype entirely, which causes actual economic damage to businesses and users who depend on it. Because Skype users are identified by pseudonym and all messages are routed to overlay addresses rather than Internet addresses, IP-based blocking, DNS filtering, port blocking, and keyword filtering are all rendered ineffective.
-
ChinaNET (CHINANET-*) performed 324/389 = 83.3% of all filtering observed across 296 probed hosts over a two-week period, and 99.1% of all filtering that occurred at the first hop past the Chinese border, despite constituting only 77% of first-hop routers encountered.
-
GFC keyword filtering exhibits strong diurnal patterns in which filtering effectiveness drops markedly during busy network periods, sometimes letting more than one fourth of packets containing known filtered keywords pass through unimpeded; the blocking timeout after a keyword RST was measured at 90 seconds for the tested route.
-
GFC keyword filtering is distributed across the backbone, not confined to border routers: only 29.6% of filtering occurred at the first hop into China's address space, 11.8% occurred beyond the third hop (with as many as 13 hops past the border in one case), and 28.3% of the 296 probed Chinese hosts were reachable via paths with no filtering at all.
-
Latent semantic analysis applied to the Chinese-language Wikipedia (942,033 terms across 94,863 documents, k=600 rank reduction) discovered 122 previously unknown GFC-filtered keywords starting from only 12 seed concepts; each list of 2,500 candidate terms required 1.2–6.7 hours to probe, with an average of 3.5 hours.
-
When the GFC keyword blacklist is known, multiple server-side-only evasion techniques become viable requiring no client modification: IP packet fragmentation to split keywords across MTU boundaries, HTML comment injection mid-keyword (e.g., 'Fa<!-- Comment -->lun Gong'), alternative URL percent-encodings (e.g., 'F%61lun Gong'), and spam-style character substitution ('F@1un G0-ng'); the GFC implementation was observed not to check control characters in URL requests.
-
Nonsense domains with known-censored hostnames embedded as subdomains (e.g., www.epochtimes.com.pSyfA6srAZ0qCxU63.com) triggered the same tampered responses — returning the pool of 8 bad IPs — as direct queries for the censored domain. Control-subdomain nonsense domains (e.g., www.pSyfA6srAZ0qCxU63.com) did not trigger tampering, indicating the GFW performs substring keyword matching across the full DNS query label string.
-
In measurements conducted over 10 days in early February 2006, the GFW scanned approximately two-thirds of packets from a 256-address block per hourly probe, with address selection following a structured (non-random) pattern consistent with simple modular assignment to a limited pool of IDS devices. After several days, the inspected fraction rose to nearly all addresses, suggesting a configuration change to expand capacity.
-
The GFW's keyword-blocking mechanism relies entirely on endpoints honoring injected TCP RST packets; because the IDS operates out-of-band and cannot remove packets already queued in the router's transmission path, configuring both endpoints to silently discard incoming RSTs (e.g., via `iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP`) allows blocked content to transfer unimpeded. In a controlled experiment, 28 injected RSTs were ignored and the complete blocked web page was successfully retrieved.
-
The GFW performs no stateful TCP stream reassembly, inspecting one packet at a time: splitting the blocked keyword '?falun' across two TCP segments is sufficient to evade detection entirely. Cross-device state is also absent — triggering a block on one border AS (e.g., AS9929) had no effect on traffic transiting a different Chinese border AS.
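Why single-packet inspection misses a keyword that spans segments, as described above and in the earlier finding on split search-engine GET requests. This is an added detection-engineering example, not code from any of the papers; the segment payloads are constructed, and in-order delivery is assumed.

```python
KEYWORD = b"falun"  # keyword used in the page's examples


def per_packet_match(segments, keyword=KEYWORD):
    """Inspect each TCP segment payload in isolation (no reassembly)."""
    return any(keyword in seg for seg in segments)


class StreamMatcher:
    """Stream-aware matcher that carries len(keyword)-1 bytes between segments.

    Assumes segments arrive in order; reordered or overlapping segments
    would need real TCP reassembly in front of this matcher.
    """

    def __init__(self, keyword=KEYWORD):
        self.keyword = keyword
        self.tail = b""

    def feed(self, segment: bytes) -> bool:
        window = self.tail + segment
        hit = self.keyword in window
        keep = len(self.keyword) - 1
        # The tail is the per-flow state a per-packet inspector never keeps.
        self.tail = window[-keep:] if keep else b""
        return hit


def stream_match(segments, keyword=KEYWORD):
    matcher = StreamMatcher(keyword)
    for seg in segments:
        if matcher.feed(seg):
            return True
    return False


# Constructed payloads for one flow each.
WHOLE = [b"GET /?falun HTTP/1.1\r\nHost: example.com\r\n\r\n"]
SPLIT = [b"GET /?fa", b"lun HTTP/1.1\r\nHost: example.com\r\n\r\n"]
THREE = [b"GET /?f", b"alu", b"n HTTP/1.1\r\n\r\n"]
BENIGN = [b"GET /index.html HTTP/1.1\r\n\r\n"]

if __name__ == "__main__":
    for name, flow in (("whole", WHOLE), ("split", SPLIT), ("three", THREE), ("benign", BENIGN)):
        print(name, per_packet_match(flow), stream_match(flow))
```

The stream matcher needs only a few bytes of state per flow, but that state must exist for every tracked connection, which is the cost a one-packet-at-a-time design avoids.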
-
The paper presents a systematic taxonomy of blocking criteria across ISO/OSI layers: circumstance-based (addresses including sender/receiver/kind/physical location; timing including send time, receive time, duration, frequency; data-transfer properties; services including protocols, names, addresses) and content-based (file type/MIME, statistical detection of encrypted or compressed data, pattern matching for keywords or phrases, and website fingerprinting via request-count/byte-volume signatures).