Update: The site hosting the data for these tools has now removed the FAQ entry offering to sell the data. Please read my subsequent update for responses from the tool developers and further thoughts.
Three of the circumvention tools — DynaWeb FreeGate, GPass, and FirePhoenix — used most widely to get around China’s Great Firewall are tracking and selling the individual web browsing histories of their users. Data about aggregate usage of users of the tools is published freely. You can see, for example, that the three sites most visited by users of these circumvention tools are live.com, google.com, and secretchina.com. Aggregate data like this is a terrific resource for those of us interested in researching circumvention tool usage, and not much of a privacy risk for the circumventing users if it is only stored (as well as displayed) in the aggregate.
But the ranking site also advertises a pay service through which you can get not only much more data, but data about individual users. The site’s FAQ states:
Q: I am interested in more detailed and in-depth visit data. Are they available?
A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.
So they are happy to provide you with specific user data, but only if you double super promise not to share it and only if they really like you.
It’s hard to state how dangerous this practice is. These tools are acting as virtual ISPs for millions of users. All circumvention tools work by proxying the data of their users through some third machine, so all circumventing traffic is going through that third-party machine. Selling the browsing histories of those users is like an ISP selling the browsing histories of its users, which is a big step beyond what companies like NebuAd and Phorm were / are trying to do. NebuAd and Phorm are at least adding a variety of pseudonymity and privacy layers to their tracking, whereas DynaWeb et al. are evidently directly storing (and selling) the full, individually identifiable browsing histories of their users.
And the data about circumventing users is much more sensitive than the data about most ISP users. These are the histories of users browsing sites that are not only blocked (and therefore mostly sensitive in one way or another) but blocked by an authoritarian country with an active policy and practice of persecuting dissidents. The mere act of anyone, let alone projects proclaiming themselves for internet freedom, storing this data is very bad practice. Any data that is stored can potentially be shared or stolen. The best way to make sure that dangerous data like this does not get into the wrong hands is not to store it in the first place.
FP encrypts all your network traffic. No third-party can recognize what Internet information is flowing in/out of your computer, even if they are monitoring your traffic.
In fact, third parties can recognize the data flowing in/out of a computer running FirePhoenix by buying that data and promising not to share it with anyone else.
This sort of thing demonstrates that there is no way to eliminate points of control from a network. You can only move them around so that you trust different people. In this case, Chinese users are replacing some of the trust in their local Chinese ISPs with trust in the circumvention projects through which they are proxying their traffic. But those tools are acting as virtual ISPs themselves and so have all the potential for control (and abuse) that the local ISPs have. They can snoop on user activity; they can filter and otherwise tamper with connections; they can block P2P traffic.
These particular virtual ISPs have chosen to support themselves by selling user data. Lots of folks rely on personal VPNs to circumvent or otherwise secure their connections, but those VPNs are not inherently any safer than the local ISPs through which they are tunneling. The popular VPN Relakks, for example, is hosted in Sweden, where a law passed last year requires that the federal government monitor all data entering and leaving the country, including foreign users of the Relakks VPN. Some circumvention projects like Psiphon use a peer-to-peer model in which volunteers host proxies (ideally a volunteer known by the circumventing user) and others like Tor use algorithms to try to ensure trust of the proxies, but all of them require that the user trust some other person or some code with all of her circumventing traffic.
*: installation language not verified for FirePhoenix, which has only a Chinese interface.