Huy Zing

Update Dec. 4, 2009: added Google public DNS servers.

There is a lot of confusion about whether Facebook is in the process of being blocked right now. Here are my thoughts to try to clear up some of the misconceptions.

In short, these are my claims: Yes, Facebook is being blocked by the internet service providers in Vietnam because of the authorities. Yes, there are workarounds in order to access Facebook. No, that’s not enough. Yes, this totally blows.

What access problems is Facebook experiencing in Ho Chi Minh City recently?

As stated on wikipedia:

Starting around November 4, 2009, the major Internet Service Providers (ISPs) SCTV/VDC and Viettel blocked access to Facebook by removing www.facebook.com and apps.facebook.com from their DNS service for a time ranging from a few hours to a few days. Another major ISP FPT followed suit for a few hours on November 10, 2009. Rumors have designated these as tests in anticipation of an official censorship decree. Starting on November 16, 2009,FPT, Viettel, SCTV/VDC, and EVN all started blocking DNS requests for Facebook, in what many people believe to be a permanent ban.

How is this evidence of an official block and not just an accident or glitch?

The ongoing Facebook block is not an accident. It is not due to technical unreliability. It is a surgical strike on the each of the major Internet Service Providers’ (ISPs’) DNS service (which is a service to translate www.facebook.com and apps.facebook.com into addresses that computers can understand, e.g. 69.63.184.31).

The recent access problems are akin to having the Yellow Pages all of a sudden missing the entries for Highlands Coffee. It’s not as if someone spilled food all over your Yellow Pages and you have trouble reading it. The rest of your Yellow Pages is completely fine but suspiciously missing 2 major entries. Moreover, there isn’t just one set of Yellow Pages. FPT, SCTV, Viettel all have their own Yellow Pages books and each of them are missing the same 2 entries.

The odds of the DNS omission being due to accident are thus close to nil. All this adds up to evidence of deliberate action.

What other evidence is there of an impending official block?

The actions from the ISPs speak for themselves, but there is no known concrete proof of an official decree to block Facebook yet.

A supposedly-official decree demanding that the ISPs block Facebook was earlier leaked on the internet in September 2009, but its authenticity has not been confirmed. There is a version of this document with a stamp and signature from a hospital, but this version can be ignored as it has clearly been doctored (look at the bottom line where letters are chopped off, right where the original version of the decree is cut off).

A commercial customer of FPT talked to representatives who have unofficially stated that there is a pending decree banning Facebook which has not yet been publicly released.

Why do you think it’s being blocked if some of my friends can still access Facebook?

We are hearing reports that some people can still access Facebook, e.g. at universities like RMIT.

A block does not have to be complete to be real. And in any case, as I explain below, a partial block is all that’s needed to kill off the widespread use of Facebook.

Why not just wait until there is an official decree instead of going nuts over this?

An official decree may never become public.

And for some of us, waiting is not an option. We need to anticipate whether we can rely on Facebook to communicate with groups or promote events in the future. Any downtime affects the effectiveness of online marketing initiatives, organizational efforts, let alone being able to keep up with friends and family.

What are motives for a Facebook block?

As everyone can guess, political censorship and control. But also, there are rumors that local competitors may be using their government connections to shut out the mighty giant Facebook.

Are there workarounds to access Facebook?

Yes, right now, you can use either of these workarounds:

• Use the limited functionality of http://lite.facebook.com/, which has not been blocked.
• Configure your computer or router to use Google Public DNS or OpenDNS instead of your ISP’s default DNS service.
  • Here are instructions on how to set up OpenDNS
  • Here are instructions on how to set up Google Public DNS
• Hard-code some IP addresses for Facebook servers.
  • Here are instructions on how to edit a hosts file
  • Here are some example entries for IP addresses for Facebook, but replace 69.63.178.11 with the newer 69.63.181.15
    • Unfortunately, these IP addresses may be changed by Facebook in the future.
• Use some of the freely available web proxies
  • You can google for some of the free web proxies
• If you have access to a server overseas, you can use VPN or set up your own SOCKS proxy using ssh tunneling.
  • Since this is for advanced computer users, I’m sure you can figure it out yourself

Of course, these workarounds may stop working in the future if the authorities or the ISPs want to tighten their block. But there is a reasonable chance that they won’t go that far, for reasons I discuss below.

Why aren’t they blocking the workarounds?

Blocking some of the above workarounds is easier than others. Certainly, throwing lite.facebook.com in with the rest would be simple. But what about blocking OpenDNS or blocking Facebook by IP address?

It’s easier, quicker, and cheaper to block Facebook by DNS than to block Facebook or OpenDNS by IP address. First, DNS requests are much less frequent than web content requests by nature of the data. Second, DNS requests are cached at many different levels making them even less frequent. Third, there are much fewer DNS entries for Facebook than there are IP addresses for Facebook to block. Not only are there many Facebook domain names, but each domain name such as www.facebook.com can actually map to hundreds of ever-changing servers around the world, which is a technique that big web sites use to distribute traffic and keep things going fast.

IP filtering could slow down internet traffic in Vietnam, which is not the case for DNS filtering. It’s reasonable that ISPs would try to discourage IP blocks.

As for web proxies, there are just so many out there it would take quite a while. And if you have your own proxy that you can VPN or ssh to, then that’s effectively impossible to block.

It’s still conceivable that the workarounds will stop working, but it will take some time.

If there are workarounds, why worry?

The workarounds I listed above, e.g. OpenDNS and proxies, help but only a little. Blocking a social network is not like blocking YouTube or some anti-government complaint website. We generally don’t get on Facebook just to access titillating information. We are on Facebook to connect with one another. As Metcalfe’s Law states, “the value of a telecommunications network is proportional to the square of the number of connected users of the system.”

In order for a social network to have all its promised value, you need a majority of your friends and community on it, not only you. In order to effectively promote an event on Facebook, you need most of your audience on it. If you can’t ensure that everyone in your community, whether it’s locals or expats, can get on easily, then your community will eventually die off. Proxies and OpenDNS are not well known and not easy to use. If 80% of your community don’t know how to use them and cannot access Facebook even if you can, you could still have lost 99% of the value of the social network.

And because of these network effects, Facebook will get fewer and fewer users logging on, even if they know how to use workarounds. Eventually, you may be all alone, and how fun is that? In China, the number of Facebook users dropped from a million to 14,000 in 3 months because of their ban.

So while DNS blocking is not effective in completely censoring information or censoring sites like YouTube, DNS blocking is highly effective in simply destroying the value of a social network like Facebook.

On the bright side, after Facebook gets so much less usage from Vietnam, there may not even be interest from the authorities to tighten their ban, which means workarounds would continue to work. This may be a sufficient situation for those of us who are still interested in staying in touch with overseas communities.

So what can we do?

Well, as we all know, there is no comparable web site out there with the same functionality and power as Facebook. Most likely, local Vietnamese will go to a number of local Vietnamese-language competitors.

And expats may choose to go back to the inferior Hi5, Orkut, or god-forbid MySpace. But I’m hoping that all expats in VN learn to use the access workarounds in order to maintain the value of the Facebook network.

Where can we find more information?

Here’s an AP story “Vietnam Internet users fear Facebook blackout“.

Lonely Planet has some interesting backstory regarding software licenses.

LGPL Conditions

• You can open-source your app.  Specifically, you provide to your users the source code of your entire application under the LGPL or GPL.  That means for example all the .h and .m files.
• You can keep your app closed-source, but you provide to your users all the object code of your  application necessary to re-link your application.  That means for example all the .o and .a files.  Most people forget that this option is in fact available to iPhone app developers.

Dynamic/Shared Library

Static Library Exception

Spirit of the LGPL

• Jailbreak their iPhone to install any binary that they want
• Join the iPhone Developer Program for $99 a year to be able to legally distribute "Ad Hoc" the new app to up to 100 devices.

References:

• GNU Lesser General Public License, particularly section 4.d)
• StackOverflow - Which open source licenses are compatible with the iPhone and App Store?
• Nabble - iphone, and releasing object code satisfies LGPL Re: Static building and bundling of SDL.
• Nabble - iPhone SDK <-> SDL License