Network Level Content Blocking (UK)

Hi all,

Sorry for the cross posting to a number of lists but this is an
important topic for many of you (especially if you get multiple copies).

As many people are aware there is an 'expectation' that 'consumer'
broadband providers introduce network level content blocking for
specified content on the IWF list before the end of 07.

Whilst this is seen by many as an honorable political crusade to 'protect
the innocent' many with a strong technical background are concerned that
the long term impact on network development will lead to major
'breakages' within the internet.

So far the only debate has revolved around the legal concerns that the
introduction of this technology imposes to problems on the ISP:

1. Revocation of mere conduit status; by inspecting certain content and
preventing access to it the ISP is doing more than just passing packets
and is getting involved in the content.

2. Thin end of the wedge; if we can block Child Abuse Content then we
can block copyright infringement....

3. Increased liability; by blocking the content at a network level
outside of the control of the user the ISP is potentially opening
itself to a lawsuit should content leak through the block (although many
are saying that this is not going to be enforceable it could still tie up
people in court going through the arguments with no guarantee of a win
cf mere conduit issue above).

LINX (the London Internet Exchange) and ISPA are looking to arrange a
day to address the technical issues of placing such a block in the
network. The topics are expected to include:

1. Implementation - how do you put this into place
2. Scalability - how do you provide a non-degrading service
3. Circumvention - how do you stop people getting round the block
4. Reverse Engineering - how do you hide the block (should you hide it?)
5. Messaging - what do you tell the person about what you've just done
6. Legality - what is the legal impact of this
7. Security - who should have access to what
8. Sanity Checking - how to prevent poisoning of the block list
9. Testing - how do you make sure that the block is working
10. Reality - is this actually the best way to do this

We have 13 companies involved so far but really want to get as many
ISP's together to make sure that people understand the implications of
the government's request.

Whilst the intent is to focus the content on the technical side we are
keen to make sure that all parts of the ISP industry are brought up
to date so may run multiple strands with different levels of technical
content if we have the numbers.

If you are interested please contact John Souter (john@linx.net) or
Malcolm Hutty (malcolm@linx.net) for more details.

Thx

J

[trimmed other lists, not sure if they'd appreciate nanog volumes]

Whose expectation is it? If it is not a LAW, then, ISPs should reset
the expectation and go back to the real problems
of running a network.

Owen

Iljitsch van Beijnum wrote:

[trimmed other lists, not sure if they'd appreciate nanog volumes]

As many people are aware there is an 'expectation' that 'consumer'
broadband providers introduce network level content blocking for
specified content on the IWF list before the end of 07.

Where is this list, what type of stuff is on it and how do you translate
from the real-world identification of that which is to be blocked into
some kind of restriction in the network?

Please see http://publicaffairs.linx.net/news/?p=497 for more details

J

There are no British colonies in North America...are there? Or are the red coats coming again?

There are no British colonies in North America...are there? Or are the
red coats coming again?

No, but there are a large number of American operators that
have networks in the UK and this +will+ affect them. There is
also the fear that once this is deployed in one country that
others might follow suit.

Regards,
Neil.

[On the mainland, not since Belize's independence in 1981. There are British Overseas Territories in the Caribbean (Anguilla, Bermuda, British Virgin Islands, Cayman Islands, Montserrat and the Turks and Caicos Islands) which are in North America according to at least some definitions of the phrase.

However, to answer the question you were really asking, there are surely North American companies on this list who do business in the UK, and certainly no reason to think that North American politicians, given an example to follow, would never do so in this continent. So it's not obvious to me that this is off-topic here, speaking as one single subscriber.]

Anyway, how does BT's cleanfeed work? How are British 3G operators doing equivalent blocking? I'd be interested in learning about the implementation.

Joe

Joe Abley wrote:

Anyway, how does BT's cleanfeed work? How are British 3G operators doing
equivalent blocking? I'd be interested in learning about the
implementation.

There is an excellent paper on the failures of clean feed here:

http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf

J

Joe Abley wrote:
[..]

Anyway, how does BT's cleanfeed work? How are British 3G operators doing
equivalent blocking? I'd be interested in learning about the
implementation.

I wonder how this solves the, from what I found out, common situation
that people rent cheap "root servers" in a country like Germany where
they VPN into and thus have full access to everything.

Or for that matter any form of VPN or other remote access.

The only thing that this 'content blocking' solves is that pops&moms who
don't have any clue about the Internet at all will be deprived from some
freedom, that the government can look into everything claiming that
everything on the Internet is p0rn (which is not so far from the truth
according to some :).

All the folks who really want to access icky pictures will do so any way
by using something very simple called HTTPS or any other form of
encrypted access and work arounds like VPN's, Tor, Open proxies and the
myriad of other ways that are possible.

Takes a little bit of effort, but hey, does it matter, you at least get
to get your daily feed of icky stuff and you can say to the government
"oh I thought it was okay as it was not blocked by your filter".

Btw, the 90% quote given is of course a marvelous thing when you have a
single organization which has almost a monopoly ;)

I wonder which companies are going to provide the 'solutions' to this
problem and how well they sponsored various people of the government.

Long live VPN's!

Greets,
Jeroen

The only thing that this 'content blocking' solves is that pops&moms who
don't have any clue about the Internet at all will be deprived from some
freedom, that the government can look into everything claiming that
everything on the Internet is p0rn (which is not so far from the truth
according to some :).

actually it keeps heat off the politicians that passed the law/dictate...
I suspect that what happened is the gov't folks involved got into a
situation where they couldn't say: "no" without also basically saying:
"long live icky content!" :(

All the folks who really want to access icky pictures will do so any way
by using something very simple called HTTPS or any other form of
encrypted access and work arounds like VPN's, Tor, Open proxies and the
myriad of other ways that are possible.

what's also 'nice' is that once the 'service' goes into effect the folks
trafficking in 'icky picts' will know when their content has been 'found'
so they can move it around to another location :( Making
prosecution/protection actually HARDER for the gov't folks involved :(
it's perverse, but it's mostly true :(

-Chris

I strongly recommend you read Richard Clayton's paper on how (among
other things) one could hack the Cleanfeed system to *find* the really
bad stuff. He and his colleagues at the Cambridge Computer Lab also
have a fine blog - http://www.lightbluetouchpaper.org

It's not "content" blocking, it's source/destination blocking.

While IWF may decide to list a particular source/destination based on its view of content, the network doesn't look at or know what the content is and blocks anything at that source/destination address. The "address" may be an application layer "address," i.e. a URL part rather than a network layer address. But if the "address" is dynamically generated or changed, it may not have the same content.

Some cellular networks still have walled gardens, which only allow access to "approved" source/destinations. Again not based on content, but based on business relationships with the cellular network operator.

Once you understand the network isn't blocking "content" but rather an ever expanding list of sources/destinations, the real question is how can you be certain the bad stuff and good stuff will stay in separate places. Or will the bad stuff continue to migrate elsewhere until you've blocked most of the Internet, and only "approved" sources/destinations remain?

yup, read it, which was part of the reason for the note I sent... these
sorts of blocking mechanisms don't seem to achieve the goals expected, and
even in many cases make the goals of the 'icky pict' crowd more achievable
:(

Alexander Harrowell wrote:

I strongly recommend you read Richard Clayton's paper on how (among
other things) one could hack the Cleanfeed system to *find* the really
bad stuff. He and his colleagues at the Cambridge Computer Lab also
have a fine blog - http://www.lightbluetouchpaper.org

I don't understand why this is a problem. So they find it, but look, they can't get to it because it's been "cleanfeeded" anyway. Also they only get to know the IP address so if the site is a virtual host it's pretty useless to them.

oh, so null routes? I got the impression it was application-aware, or
at least port-aware... If it's proxying or doing anything more than
port-level blocking it's likely it sees content as well, or COULD.

Either way, it's not like it's effective for anything except the most
casual of users :(

It's more than null routes, but not much more. The router does a re-route on a list of network/IP addresses, and then for the protocols the redirector box understands (i.e. pretty much only HTTP) it matches part of the application/URL pattern.

So IWF can block only one part of a sub-tree of a popular shared webhosting site *IF* it is one of a few application protocols.

That's a cool way to implement monitoring of traffic towards random parts of the internet.

Sorry, clicked send before finishing.

BUT the important thing is the network operator and routers don't actually look at the content. If the same bad content (picture, video, whatever) appears somewhere else that isn't on the IWF list, it won't be blocked.

And likewise if the content at the source/destination is changed or removed, e.g. the picture disappears, the destination will continue to be blocked until IWF updates their bad list even though nothing bad is still at the destination.
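
The two-stage behaviour described in the posts above (an IP-list re-route at the router, then a URL-pattern match at the HTTP redirector), as an added sketch for list auditing. It is not from the thread or from any operator's system, and every address, hostname, path and list entry in it is constructed.

```python
# Added illustration: toy model of the two-stage filter described in the thread.
# All IPs (RFC 5737), hostnames, paths and list entries are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    dst_ip: str
    host: str
    path: str
    served: str  # what the server returns today; the filter never reads this

# Stage-2 list: (host, path prefix). Stage-1 list holds the IPs of those hosts.
URL_LIST = {("shared.example.com", "/users/1234/")}
HOST_IPS = {"shared.example.com": "192.0.2.10"}  # assumed DNS snapshot
DIVERT_IPS = {HOST_IPS[host] for host, _ in URL_LIST}

def stage1_divert(req: Request) -> bool:
    """Router: destination-IP match only, re-routes to the redirector."""
    return req.dst_ip in DIVERT_IPS

def stage2_block(req: Request) -> bool:
    """Redirector: HTTP host + path-prefix match; payload is not inspected."""
    return any(req.host == h and req.path.startswith(p) for h, p in URL_LIST)

def decide(req: Request) -> str:
    if not stage1_divert(req):
        return "direct"   # normal routing, redirector never sees it
    return "blocked" if stage2_block(req) else "proxied"

SAMPLES = {
    "listed URL": Request("192.0.2.10", "shared.example.com", "/users/1234/a.jpg", "listed item"),
    "other user, same host": Request("192.0.2.10", "shared.example.com", "/users/9999/", "unrelated page"),
    "other vhost, same IP": Request("192.0.2.10", "other.example.net", "/", "unrelated page"),
    "same item, unlisted site": Request("198.51.100.7", "mirror.example.org", "/a.jpg", "listed item"),
    "listed URL, item removed": Request("192.0.2.10", "shared.example.com", "/users/1234/a.jpg", "404"),
}

def audit() -> dict:
    """Decision per sample; shows the outcome tracks the address, not `served`."""
    return {label: decide(req) for label, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:26} -> {verdict}")
```

The "proxied" rows are unrelated traffic that still passes through the redirector because it shares an IP with a listed entry, and the last row stays blocked until the list itself is updated.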

There are no British colonies in North America...are there?
Or are the red coats coming again?

In fact, there are several British colonies now squatting in North
America in that great British squatter tradition. One of them occupies a
corner of the NANOG list which is why the meeting was mentioned on this
list. Another can be found hoarding a chunk of MySpace. And so on.

--Michael Dillon

P.S. If you didn't get that bit about squatter tradition, check this
http://tinyurl.com/2zvogn

Anyway, how does BT's cleanfeed work? How are British 3G
operators doing equivalent blocking? I'd be interested in
learning about the implementation.

Well, first of all Cleanfeed's not perfect. And it's not that secret
either.
http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf

--Michael Dillon

P.S. Although I work for BT, I have no involvement with the group that
is responsible for Cleanfeed. All that I know about it, I learned via
Google.