China's Tech Deep Seekrets banner: an ornate dark-ground composition evoking the layered enclosure of the Chinese digital estate described in the case file.

Case file

China's Tech Deep Seekrets

A message that does not arrive. A model that does not answer. A proxy server that stops being reachable. Three layers of the same enclosure.

Before you read this: what is documented and what is reconstructed

This article distinguishes documented mechanism from reconstructed mechanism. The distinction matters and is held throughout.

Documented: the existence of the Great Firewall and the Great Cannon, and their use of Domain Name System (DNS) pollution, Deep Packet Inspection (DPI), Transmission Control Protocol (TCP) Reset injection, and in-path bystander redirection; WeChat's use of a proprietary Transport Layer Security (TLS) variant called MMTLS, analysed in detail by the Citizen Lab; WeChat's server-side filtering of images by Message Digest 5 (MD5) hash; DeepSeek's published training methodology for the V3 base model and the R1 fine-tune; the model's observable refusal to discuss specific topics, including when run locally and offline.

Reconstructed from public technical research: the heuristics used by the Great Firewall to detect fully encrypted circumvention traffic, including the entropy measurements published by the GFW Report collective and presented at USENIX; the protocol-level weaknesses in MMTLS, including deterministic initialisation vectors and the absence of forward secrecy in the legacy layer beneath it; the mechanism by which the firewall issues active probes against suspected proxy servers.

Not addressed: the contents of the prohibited keyword lists, the specific evasion techniques currently in active use, or any operational detail that would assist a reader in conducting surveillance or evading it. The technical breakdown describes mechanisms at the level at which a defender would recognise them.

Story opening

A user in Shenzhen sends a message containing a particular image on a Friday evening. Their WeChat client reports the message as delivered. The recipient does not receive it. Neither user is notified. There is no error indicator, no retry prompt, no record of the attempted send in any transactional log either user can see. The message has not failed. It has been dropped, silently, on a server, by an algorithm that compared its cryptographic hash against an index and decided that the file the user had attached should not exist.

Several layers up from that message, a researcher in Sydney is running an open-weight Chinese large language model called DeepSeek-R1 on a workstation disconnected from the internet. The researcher asks the model about the 1989 Tiananmen Square protests. The model declines to answer. The decline is not a content filter applied after the fact; the model itself, running locally on hardware that has no upstream censor to consult, has been trained in such a way that certain topics do not surface. The refusal travels with the weights.

Between those two scenes sits a third. A Shadowsocks proxy server, recently set up in Singapore by a volunteer, begins accepting connections from inside China. Within minutes, the server is interrogated by a sequence of probes originating from thousands of distinct Internet Protocol (IP) addresses inside China. The probes do not attempt to decrypt the traffic. They send replays of earlier payloads, random byte sequences of various lengths, and partial replays designed to elicit characteristic error responses. They are looking for the particular silence that a circumvention tool returns when asked something it does not know how to answer. Soon afterwards, the server's IP address stops being reachable from inside China.

Each scene is a different layer of the same enclosure. The first is application-level. The second is model-level. The third is network-level. The mechanisms differ. The effect, in all three cases, is a system that says no without saying anything.

Case file

What outside researchers call the Great Firewall (GFW) is not a perimeter device. It is a distributed system integrated into the routing infrastructure of the national network, and it operates at several layers simultaneously. The Citizen Lab in Toronto, the GFW Report collective, and the academic groups publishing through USENIX have documented its behaviour for more than two decades. The picture that emerges from that body of work is a censor that has been forced to keep moving up the stack as circumvention has improved.

Early versions of the firewall did most of their work at the DNS layer. When a user inside China asked a resolver to translate a prohibited domain name into an IP address, the firewall would inject a forged response containing an invalid address, racing the legitimate reply and arriving first. The technique, known as DNS pollution, was computationally cheap and almost invisible to the affected user. The connection simply never opened. There was no page to fail to load.
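To make the race concrete, here is an added example; it is not code from any of the research groups the article cites. It builds two DNS replies for one transaction ID in wire format (a forged one that arrives first and the genuine one that arrives later), parses them back, and reports the transaction as injected because the answer a stub resolver would have accepted disagrees with the answer that arrived afterwards. The hostname, the addresses (RFC 5737 documentation ranges) and the arrival times are made up for the example.

```python
"""DNS pollution seen from the resolver's side (added example, constructed data)."""
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(part)]) + part.encode() for part in name.split(".")) + b"\x00"


def build_a_response(txid: int, qname: str, ipv4: str, ttl: int = 60) -> bytes:
    """Minimal response with one A record; used here only to construct samples."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # name = pointer to offset 12
    return header + question + answer


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: the rest of the name lives elsewhere
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode())
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; A-record data becomes a dotted quad."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def detect_injection(observed):
    """observed: (arrival_seconds, raw_response) pairs captured for outstanding queries.

    A stub resolver takes the first reply whose ID matches and discards the rest, so
    a forged answer only has to win the race. Every ID that produced a second reply
    with different answer data is reported with the accepted and the late answers.
    """
    by_txid = {}
    for arrival, raw in sorted(observed, key=lambda pair: pair[0]):
        parsed = parse_response(raw)
        by_txid.setdefault(parsed["txid"], []).append((arrival, parsed))
    findings = []
    for txid, replies in by_txid.items():
        first_arrival, first = replies[0]
        for arrival, later in replies[1:]:
            if later["answers"] != first["answers"]:
                findings.append({
                    "txid": txid,
                    "name": first["questions"][0][0],
                    "accepted": [a[3] for a in first["answers"]],
                    "late_rival": [a[3] for a in later["answers"]],
                    "gap_ms": round((arrival - first_arrival) * 1000),
                })
    return findings


# Constructed observation: the forged reply beats the genuine one by 86 ms.
TXID = 0x1A2B
OBSERVED = [
    (0.004, build_a_response(TXID, "blocked.example", "203.0.113.77")),   # injected, arrives first
    (0.090, build_a_response(TXID, "blocked.example", "198.51.100.20")),  # genuine, arrives second
]

if __name__ == "__main__":
    for finding in detect_injection(OBSERVED):
        print(finding)
```

The detector only works where the observer sees both replies; the user's resolver does not, which is why the technique is invisible from the client's side.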

As encryption became the default on the web, the firewall moved up the stack to Deep Packet Inspection, reading the contents of packets rather than just their routing metadata, and reassembling fragmented sessions to evaluate complete requests. The firewall does not block at this stage in the way a conventional firewall would. Instead, when it identifies a violation, it injects forged TCP Reset packets into both ends of the connection, instructing each side that the other has hung up. The connection dies, and to the user it looks like a transient network fault.

Sitting alongside the firewall in the same physical infrastructure is a separate, offensive system. The Citizen Lab documented its behaviour in 2015 and gave it a name: the Great Cannon. The Cannon does not block; it weaponises. When a user outside China requests a resource hosted on a server inside the country, such as a common JavaScript library, the Cannon can replace the legitimate response with malicious code that programmes the user's browser to participate in a distributed denial-of-service attack against an external target. The user is not the intended victim. The user's browser is the weapon, fired through the firewall in the same direction the legitimate response would have travelled.

Underneath the network layer, the application layer does its own work. The case file at this layer is principally WeChat, which functions as the operating system of daily Chinese digital life and which has been subject to detailed protocol analysis by the Citizen Lab.

Underneath the application layer sits the cognitive layer. DeepSeek's R1 model, released in early 2025 and described variously as open-source, open-weight, and a Chinese answer to OpenAI, is the most-studied of a generation of Chinese large language models whose training methodology is partly published and largely opaque. The model refuses to discuss specific historical and political topics. The refusal is reproducible across deployments, including local ones with no network connectivity. The mechanism by which the refusal was instilled is, in the language of the field, embedded rather than filtered.

The three layers do not coordinate in real time. They do not need to. Each is independently configured to ensure that certain things do not happen, and the cumulative effect is a digital estate in which the absence of a message, a model response, or a reachable server is, by design, the normal state of affairs.

Technical breakdown

The Locknet

The Great Firewall's defining engineering feature is that it does not have a single point of decision. It is a load-balanced architecture in which any one of many parallel processes may handle any given connection. Each process maintains its own state, and the forged TCP Reset packets it injects carry fields that the injector does not fully disguise. The Time To Live (TTL) value of a forged Reset differs from the TTL of packets sent by the genuine remote endpoint, because the injector sits a different number of hops from the observer, and the value itself gives an estimate of how far away it sits. Those values, together with the timing and pattern of the bursts of Resets each process emits, are what allowed researchers in the late 2000s and early 2010s to detect forged Resets, triangulate the firewall's physical locations, count its parallel processes, and, on occasion, watch them fall over and reboot.
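As an added example, not tooling from the studies just described, here is how a defender reading a packet capture can apply the TTL observation: learn the TTL the genuine server's packets carry, flag any Reset that disagrees with it, and flag any Reset that the supposedly closed peer then keeps talking past. The trace, the addresses (RFC 5737 documentation ranges) and the hop counts are constructed; the initial-TTL guesses (64, 128, 255) are the usual operating-system defaults, so the hop estimate is only as good as that assumption.

```python
"""Forged TCP Reset detection from TTL and post-reset traffic (added example, constructed trace)."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "t src dst flags ttl")

CLIENT, SERVER = "192.0.2.10", "203.0.113.10"

# Constructed flow: handshake, request, two injected Resets claiming to come
# from the server, then the server's real reply turning up regardless.
TRACE = [
    Packet(0.000, CLIENT, SERVER, "S", 64),
    Packet(0.085, SERVER, CLIENT, "SA", 52),
    Packet(0.086, CLIENT, SERVER, "A", 64),
    Packet(0.087, CLIENT, SERVER, "PA", 64),
    Packet(0.091, SERVER, CLIENT, "R", 59),   # 4 ms after the request, though the real round trip is 85 ms
    Packet(0.091, SERVER, CLIENT, "R", 59),
    Packet(0.172, SERVER, CLIENT, "PA", 52),  # genuine server data on a connection that was "reset"
]

COMMON_INITIAL_TTLS = (64, 128, 255)  # assumption: sender started from one of these defaults


def hop_distance(observed_ttl: int) -> int:
    """Hops traversed, assuming the nearest common initial TTL at or above the observed value."""
    initial = next(i for i in COMMON_INITIAL_TTLS if i >= observed_ttl)
    return initial - observed_ttl


def remote_ttl_baseline(trace, remote: str):
    """Most common TTL on the non-Reset packets the remote host sent."""
    ttls = [p.ttl for p in trace if p.src == remote and "R" not in p.flags]
    return Counter(ttls).most_common(1)[0][0] if ttls else None


def suspicious_resets(trace, remote: str, tolerance: int = 2) -> dict:
    """Map trace index -> reasons, for every Reset attributed to `remote` that looks forged."""
    baseline = remote_ttl_baseline(trace, remote)
    flagged = {}
    for i, p in enumerate(trace):
        if p.src != remote or "R" not in p.flags:
            continue
        reasons = set()
        # A legitimate Reset takes the same path as the host's other packets, so its TTL matches.
        if baseline is not None and abs(p.ttl - baseline) > tolerance:
            reasons.add("ttl_mismatch")
        # A host that really sent a Reset does not then continue the conversation.
        if any(q.src == remote and "R" not in q.flags for q in trace[i + 1:]):
            reasons.add("traffic_after_reset")
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    base = remote_ttl_baseline(TRACE, SERVER)
    print(f"server packets arrive with TTL {base}: about {hop_distance(base)} hops away")
    for i, reasons in suspicious_resets(TRACE, SERVER).items():
        p = TRACE[i]
        print(f"packet {i}: RST with TTL {p.ttl} (~{hop_distance(p.ttl)} hops) flagged: {sorted(reasons)}")
```

The tolerance of two hops absorbs ordinary route changes; a Reset seven hops off the baseline, as in the trace, is the signature of a device in the path speaking in the server's name.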

The load-balancing architecture also constrains the firewall. Reassembling a TCP bytestream across millions of simultaneous connections is expensive, and when the firewall's flow cache is full it must decide whether to evict an older connection or skip reassembly on a new one. The decisions it makes under load are the seams of the enclosure. Taken collectively, the firewall is best thought of as a Locknet: a system of programmable gates whose operating limits are the substrate of every documented evasion.

The Silent Drop

WeChat, the platform on which a significant fraction of Chinese digital communication takes place, encrypts its traffic with a protocol of its own design called MMTLS, derived from MicroMessenger TLS. MMTLS is a non-standard variant of TLS 1.3 implemented inside Tencent's Mars networking component. Independent analysis by the Citizen Lab in 2024 identified several departures from the open standard: the use of deterministic initialisation vectors rather than randomised ones, the absence of forward secrecy in the legacy business-layer encryption that sits beneath MMTLS, and the use of a custom key exchange whose security properties are weaker than the protocol it is patterned on.

The point of MMTLS is not, primarily, to defeat outside observers. It is to make WeChat traffic resistant to ordinary analysis while remaining transparent to the platform itself. The platform's server-side filtering does the rest. When a user sends an image, the WeChat server calculates the MD5 hash of the file and compares it against an index of hashes the platform has flagged as prohibited. If the hash matches, the message is dropped. Neither the sender nor the recipient receives a notification. The transactional log shows the message as sent. The transactional log is wrong.

Images that are not in the index are delivered, but in parallel they are queued for deeper analysis: Optical Character Recognition (OCR) to extract text from the image, and visual fingerprinting to detect images that are visually similar to known prohibited content. If the analysis flags an image, its MD5 hash is added to the index, and the next attempt to send the same file will fail at the first stage. The index is reactive. The index grows.

The reliance on exact-match MD5 has been demonstrated experimentally, and it cuts both ways. Researchers have run a chosen-prefix collision against a known prohibited image, producing a second, visually different file with the same MD5 hash, and shown that both files are blocked. Conversely, any change to a prohibited file's bytes, a single pixel or a byte of metadata, produces a different hash, and the first stage lets the altered file through; only the slower visual analysis can catch it, and only after delivery. The system is filtering by hash, not by content. It does not see what the image depicts. It sees only whether the bit pattern has been seen before, in a form that earlier flagged it as the kind of thing that should not be sent.
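The two-stage pipeline described above, as an added example that is not WeChat's code or the Citizen Lab's test harness: stage one is an exact MD5 index that silently drops known files, stage two is a deferred similarity analysis over everything that was delivered, whose hits are written back into the index. The image container and the 64-bit average-hash fingerprint are toy constructions so the example runs offline; the similarity threshold is an assumed value, and the three images are generated here (a horizontal gradient standing in for a prohibited picture, a one-level change to one pixel of it, and a vertical gradient as an unrelated picture).

```python
"""Hash-indexed image filtering with a reactive second stage (added example, toy data)."""
import hashlib

# Toy image container: b"IMG", width, height, then 8-bit greyscale pixels row-major.


def make_image(width: int, height: int, pixel) -> bytes:
    pixels = bytes(pixel(x, y) for y in range(height) for x in range(width))
    return b"IMG" + bytes([width, height]) + pixels


def parse_image(data: bytes):
    if data[:3] != b"IMG":
        raise ValueError("not a toy image")
    width, height = data[3], data[4]
    return width, height, data[5:5 + width * height]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def average_hash(data: bytes) -> int:
    """64-bit perceptual fingerprint: shrink to 8x8 by block averaging, one bit per block brighter than the mean."""
    width, height, px = parse_image(data)
    bw, bh = width // 8, height // 8
    total = sum(px)
    bits = 0
    for by in range(8):
        for bx in range(8):
            block = sum(px[(by * bh + dy) * width + bx * bw + dx] for dy in range(bh) for dx in range(bw))
            # block mean > image mean  <=>  block * 64 > total, because 64 equal blocks tile the image
            if block * 64 > total:
                bits |= 1 << (by * 8 + bx)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


class ImageFilter:
    """Server-side filter: stage one is exact hash lookup, stage two is deferred similarity analysis."""

    SIMILARITY_THRESHOLD = 10  # Hamming distance on the 64-bit fingerprint (assumed value)

    def __init__(self, prohibited_files):
        self.index = {md5_hex(f) for f in prohibited_files}
        self.fingerprints = {average_hash(f) for f in prohibited_files}
        self.pending = []

    def send(self, data: bytes) -> str:
        """Outcome the platform acts on; the sender's client reports 'delivered' either way."""
        if md5_hex(data) in self.index:
            return "dropped"
        self.pending.append(data)  # delivered now, analysed later
        return "delivered"

    def run_analysis(self) -> int:
        """Stage two: fingerprint delivered files; near-matches join the exact-hash index. Returns count added."""
        added = 0
        for data in self.pending:
            fp = average_hash(data)
            if any(hamming(fp, known) <= self.SIMILARITY_THRESHOLD for known in self.fingerprints):
                self.index.add(md5_hex(data))
                self.fingerprints.add(fp)
                added += 1
        self.pending.clear()
        return added


# Constructed images.
PROHIBITED = make_image(16, 16, lambda x, y: x * 15)   # horizontal gradient stands in for a banned picture
UNRELATED = make_image(16, 16, lambda x, y: y * 15)    # vertical gradient: visually different
altered = bytearray(PROHIBITED)
altered[5] ^= 1                                         # first pixel changes by one level: new MD5, same look
ALTERED = bytes(altered)


def demo():
    f = ImageFilter([PROHIBITED])
    outcomes = [f.send(PROHIBITED), f.send(ALTERED), f.send(UNRELATED)]  # dropped, delivered, delivered
    f.run_analysis()                                                     # the altered copy is now indexed
    outcomes += [f.send(ALTERED), f.send(UNRELATED)]                     # dropped, delivered
    return outcomes


if __name__ == "__main__":
    print("MD5 changed:", md5_hex(PROHIBITED) != md5_hex(ALTERED),
          "fingerprint distance:", hamming(average_hash(PROHIBITED), average_hash(ALTERED)))
    print(demo())
```

The one-pixel change flips the MD5 and passes stage one untouched, while its perceptual fingerprint is identical to the original; after analysis runs, the altered file's hash is in the index and the next send is dropped at stage one, which is the reactive growth the text describes.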

Active probing and the entropy problem

When circumvention tools moved to full encryption, the firewall could no longer fingerprint them by inspecting their contents. Modern tools such as Shadowsocks and VMess produce traffic in which every byte appears to be drawn from a uniform random distribution. The protocol designers' goal was for the traffic to be statistically indistinguishable from random noise. Beginning in November 2021, the firewall deployed a new capability, documented by the GFW Report collective with collaborators at the University of Maryland and other institutions in a 2023 USENIX Security paper: a passive detector that flags fully encrypted traffic in real time, not by decrypting it but by recognising its statistical signature, and then blocks the connection.

The signature has several components. The fraction of bits set to one in the early packets of a connection. The presence and position of printable American Standard Code for Information Interchange (ASCII) characters, which appear in protocols such as Hypertext Transfer Protocol Secure (HTTPS) handshakes but not in fully encrypted streams. The packet length distributions characteristic of particular circumvention tools. And the Shannon entropy of the first several packets, which in fully encrypted protocols is higher than in standard TLS, because TLS handshakes contain plaintext metadata that pulls the average down.
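The exemption rules that the published work reconstructs for that detector, as an added example; this is not the firewall's code or the paper's artefact, and the thresholds are the ones reported there (a mean of 3.4 to 4.6 set bits per byte, more than half printable, more than twenty printable bytes in a row, a recognised protocol prefix). A first packet that triggers none of the rules is treated as fully encrypted. The three sample packets are constructed, with SHA-256 output standing in for random ciphertext, and the known-prefix list is only a subset of what the paper lists.

```python
"""Passive heuristics for 'fully encrypted' first packets (added example, constructed packets)."""
import hashlib
import math

POPCOUNT_LOW, POPCOUNT_HIGH = 3.4, 4.6   # Ex1: mean set bits per byte outside this band is not ciphertext
PRINTABLE_FRACTION = 0.5                  # Ex3: more than half the bytes printable ASCII
PRINTABLE_RUN = 20                        # Ex4: more than 20 consecutive printable bytes
# Ex5: prefixes of protocols the firewall recognises; a subset of the paper's list.
KNOWN_PREFIXES = (b"\x16\x03", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"SSH-")


def popcount_per_byte(data: bytes) -> float:
    return sum(bin(b).count("1") for b in data) / len(data)


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def printable_fraction(data: bytes) -> float:
    return sum(1 for b in data if is_printable(b)) / len(data)


def longest_printable_run(data: bytes) -> int:
    best = run = 0
    for b in data:
        run = run + 1 if is_printable(b) else 0
        best = max(best, run)
    return best


def shannon_entropy_bits(data: bytes) -> float:
    """Bits per byte; the full statistic that the popcount rule approximates cheaply."""
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def exemptions(first_packet: bytes) -> list:
    """Names of every rule that would exempt this first packet from the detector."""
    hits = []
    mean_bits = popcount_per_byte(first_packet)
    if mean_bits <= POPCOUNT_LOW or mean_bits >= POPCOUNT_HIGH:
        hits.append("ex1_popcount")
    if len(first_packet) >= 6 and all(is_printable(b) for b in first_packet[:6]):
        hits.append("ex2_first_six_printable")
    if printable_fraction(first_packet) > PRINTABLE_FRACTION:
        hits.append("ex3_mostly_printable")
    if longest_printable_run(first_packet) > PRINTABLE_RUN:
        hits.append("ex4_printable_run")
    if first_packet.startswith(KNOWN_PREFIXES):
        hits.append("ex5_known_prefix")
    return hits


def looks_fully_encrypted(first_packet: bytes) -> bool:
    """True when no exemption applies: the packet looks like nothing the firewall recognises."""
    return not exemptions(first_packet)


# Constructed first packets.
HTTP_FIRST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
              b"User-Agent: constructed-example/1.0\r\n\r\n")
TLS_FIRST = (b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"      # TLS record + ClientHello headers
             + hashlib.sha256(b"client-random").digest()            # stands in for the 32-byte ClientRandom
             + b"\x00\x00\x02\x13\x01\x01\x00")                     # session id, one cipher suite, compression
RANDOM_FIRST = b"".join(hashlib.sha256(b"packet-%d" % i).digest() for i in range(16))  # 512 'ciphertext' bytes

if __name__ == "__main__":
    for label, pkt in (("http", HTTP_FIRST), ("tls", TLS_FIRST), ("random", RANDOM_FIRST)):
        print(f"{label:7s} entropy={shannon_entropy_bits(pkt):.2f} bits/byte "
              f"popcount={popcount_per_byte(pkt):.2f} "
              f"exemptions={exemptions(pkt) or 'none -> fully encrypted'}")
```

The TLS sample is exempted by its header bytes and its low popcount, the HTTP sample by three of the rules at once, and only the uniformly random packet falls through every exemption; that fall-through, not any positive match, is what the detector acts on.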

Once a server is flagged by the passive detector, the firewall sends a sequence of active probes. The probes do not try to use the proxy. They replay earlier client payloads to see whether the server responds in a way that is consistent with a particular protocol. They send random byte sequences and watch for characteristic error behaviours. They send partial replays to test for replay-protection mechanisms. The probes originate from thousands of source IP addresses inside China, which makes them difficult to filter without also filtering legitimate users. A small number of genuine connections, on the order of a dozen, is enough to attract the interrogation. A server that cannot convincingly behave like something other than what it is becomes, after a short interval, unreachable.

The cognitive layer

DeepSeek's V3 base model was pre-trained on roughly 14.8 trillion tokens of text, the specific provenance of which is not disclosed beyond the categories plain web pages and e-books. The R1 fine-tune, which received most of the press attention in early 2025, was produced through reinforcement learning on top of the base model, and the widely cited US$294,000 training cost reflects the reinforcement learning phase alone. The base model is not in that figure, nor are the salaries, the human feedback labour, or the prior infrastructure investment.

The model declines to engage with specific historical and political topics. It does so on hardware disconnected from any network and running an unmodified copy of the published weights. The refusal is not implemented by an external filter; it is a property of the trained model. Researchers who have probed the refusal describe it as embedded, in the sense that the model has been trained to produce a particular kind of non-response when certain topics arise. The arXiv preprint R1dacted, published in 2025, documents the behaviour systematically and shows that it is consistent across deployment configurations.

For the technical layer, the point is not what the model refuses, which is to a substantial extent predictable from public knowledge of Chinese information governance. The point is that the refusal is in the weights. The information has not been suppressed at the edge; the absence has been built into the core. An open-weight release, in this configuration, is open in the same way a locked filing cabinet is open: the cabinet is in the room, available for inspection, and the contents the cabinet was designed not to contain remain not contained.

Looks like nothing

The cleanest technical lesson in the case file is the entropy lesson, and the cleanest place to land it is the active probing of Shadowsocks. A circumvention protocol was designed to be statistically indistinguishable from random noise, on the reasoning that random noise is the inverse of a fingerprint and therefore unfingerprinted. The firewall then trained a detector to recognise traffic that was statistically indistinguishable from random noise, on the reasoning that nothing else on the network looked like that.

The trap is structural. Standard encrypted traffic contains plaintext metadata. Video streaming carries predictable packet sizes. Voice over Internet Protocol (VoIP) carries a predictable cadence. Each ordinary protocol has a statistical shape, and the shape is what permits an observer to classify it without decrypting it. A protocol that successfully looks like nothing is, in a network of protocols that all look like something, the loudest possible signal.

The same logic generalises. The silent drop on WeChat is detectable, to the platform and only to the platform, because the platform is the one with the index. The embedded refusal in DeepSeek is detectable, to anyone who tests it, because a model that refuses to discuss a small set of topics in an otherwise fluent way is, in its silences, more identifiable than a model that refuses nothing. The Great Cannon is detectable, in retrospect, because traffic that should have been a JavaScript library and is instead a payload that programmes a browser to attack a third party has a different shape from what the browser asked for.

The enclosure described in the case file is built out of three different mechanisms operating at three different layers, and what unites them is the same observation. A system that quietly produces nothing produces, in the act of producing nothing, the most distinctive output it has. The lesson is structural. There is no such thing as the absence of a fingerprint. Looking like nothing is itself a thing to look like.

Glossary

The terms below cover the protocols, components, and concepts named in the technical breakdown. Each is explained in plain English; the precise behaviour is in the breakdown above.

Great Firewall (GFW)
The distributed system of routers, deep packet inspection appliances, and traffic injectors that enforces network-level information control across the Chinese internet. Not a single device, and not located at the country's edge.
Great Cannon
An offensive capability co-located with the Great Firewall, able to replace legitimate responses in transit with malicious code. Documented by the Citizen Lab in 2015 after a sustained denial-of-service campaign against GreatFire.org and against GitHub pages that hosted mirrors of censored sites.
Deep Packet Inspection (DPI)
The practice of examining the contents of network packets, not just their routing metadata, in order to make filtering decisions.
MMTLS
A proprietary variant of Transport Layer Security 1.3, implemented by Tencent inside the WeChat application's Mars networking component. Analysed by the Citizen Lab in 2024 and found to depart from the open standard in several ways that reduce its security properties.
MD5 (Message Digest 5)
A cryptographic hash function that produces a fixed-length fingerprint of an arbitrary input. MD5 has been considered cryptographically broken for collision resistance since the mid-2000s, but remains widely used as a fast content-fingerprinting tool.
Shadowsocks
An open-source proxy protocol, originally developed by a Chinese programmer in 2012, designed to circumvent the Great Firewall by producing traffic that resembles random noise. Subsequently the target of dedicated detection capability.
Shannon entropy
A measure, from information theory, of the unpredictability of a sequence of symbols. Fully encrypted traffic has higher entropy than ordinary traffic, which is the property the firewall's detector exploits.
Active probing
The practice of sending crafted traffic to a suspected proxy server in order to identify the protocol it is running, by observing how the server responds.
Embedded censorship
The condition in which a language model has been trained, rather than filtered, to refuse to engage with particular topics. The refusal is a property of the model weights, not of the runtime environment.

Further reading

The following sources informed this article and are recommended for readers who want to read the primary technical work behind the case file.
