Surveillance systems are fundamentally more selective than censorship systems due to storage constraints: as of 2009 the NSA could store only 7.5% of received traffic across 592 tapped 10 Gbps links with only 69 10 Gbps backhaul links, and the authors' campus network retains non-alert metadata for ~36 hours and IDS alerts for ~1 year. Censorship systems by contrast are transaction-focused and retain only enough data to process real-time requests. This asymmetry creates an exploitable gap: traffic that does not stand out from the population is discarded before reaching human analysts.

Beverly et al. found that 77% of Internet clients can spoof source addresses within their own /24 and 11% can spoof within their own /16, with these characteristics holding across a wide range of countries and regions. The authors use this result to argue that IP-spoofed cover traffic — where measurement probes appear to originate from many hosts in the same AS — is broadly feasible in practice.

§4.2 defense

The authors argue that it is almost certainly impossible to eliminate — or even definitively quantify — the risk to users who perform censorship measurements, because surveillance system capabilities are rapidly evolving and in some cases unknowable; retribution in adversarial environments may not follow due process. The paper explicitly states that its techniques had not been deployed on real networks as of writing because "a better consideration of the associated risks is warranted."

§6–§7 policy

Spam-cloaked censorship measurements were correctly classified as spam by Proofpoint (the authors' university spam filter), validating surveillance evasion; separately, MX queries sent from a PlanetLab node in China confirmed that the GFW injected bad A DNS responses for both A-record and MX-record lookups for twitter.com and youtube.com, validating measurement accuracy.

§3.2.3 evaluation

Analysis of two days of leaked censorship log files from Syria shows that 1.57% of the population accessed at least one censored site — a proportion the authors argue is far too large for a user-focused surveillance system to pursue individually. This implies that simply flagging all users who access censored content is not a feasible targeting strategy for surveillance.

§2.2 evaluation

The paper proposes a black-box methodology for detecting censorship bias in LLMs by comparing responses to identical prompts in Simplified vs. Traditional Chinese — scripts for the same spoken language — controlling for translation quality while exploiting that Simplified Chinese training data is disproportionately sourced from mainland China's censored internet. Each prompt is repeated ten times and scored for similarity to censored text using an XLM-RoBERTa classifier fine-tuned on Baidu Baike (censored) vs. Chinese Wikipedia (uncensored) with scores from 0 to 1.

2024-ahmed-extended §2 / §2.4 keyword-filteringml-classifiermeasurement-platform

Majority-vote ML inference (OCSVM + IF) over OONI data uncovered at least 5 previously undocumented DNS injection IPs active in Russia (e.g., 195.19.90.226, 95.167.13.51, 61.95.167.13.50, 188.19.132.154, 144.85.142.29.248) absent from OONI's existing blocking-fingerprints database, along with novel fingerprints in Italy, Czech Republic, and the UK. Records with fewer than 50 instances were excluded as a conservative false-positive filter.

2024-calle-toward §4.3, Table 5 dns-poisoningml-classifiermeasurement-platform

XGBoost trained on a single month of OONI data achieves near-optimal performance; expanding the training window to 24 months produces deviations of only 0–5 percentage points for FNR, 0.07 PP for FPR, and 0.10 PP for accuracy — suggesting that larger windows introduce noise and overfitting rather than improving detection. Isolation Forest performance degrades more sharply, with accuracy dropping ~5 PP as training data grows beyond 6 months.

2024-calle-toward §4.2, Figure 3 dns-poisoningml-classifiermeasurement-platform

For the Isolation Forest model, resolver ASN (SHAP importance 0.237) and probe ASN (0.220) are the two most predictive features for DNS tampering, reflecting that censorship is topologically concentrated at specific network vantage points. For XGBoost, headers_match dominates (0.317), followed by asn_control_match (0.177), indicating that supervised models rely more on cross-layer consistency signals. DNS tampering represents only 0.5–0.8% of all OONI measurements across 2022–2023 (Figure 2), creating severe class imbalance in any training set.

2024-calle-toward §4.1, Table 4, Figure 2 dns-poisoningml-classifiermeasurement-platform

XGBoost achieves a False Positive Rate of 0.0005, True Positive Rate of 0.9403, and overall accuracy of 0.9991 on OONI global DNS measurement data (2.5% stratified sample), vastly outperforming unsupervised alternatives: Isolation Forest achieves FPR 0.1321 / ACC 0.8699, and One-Class SVM degrades to FPR 0.9711 / ACC 0.0598, making OCSVM effectively unusable for this task.

2024-calle-toward §4.1, Table 3 dns-poisoningml-classifiermeasurement-platform

CenDTect (Tsai et al., NDSS 2024) uses decision trees and a novel clustering method on Censored Planet plus OONI data to identify blocking policies and provide interpretable insights at local and country levels. A separate approach (Duncan & Chen, 2023) applies sequence-to-sequence models and CNN image classification — treating network reachability data as grayscale images — to distinguish censored from uncensored content.

2024-gao-extended §2 Related Works measurement-platformml-classifier