Network Level Content Blocking (UK)

Sean Donelan wrote:

It's not "content" blocking, it's source/destination blocking.

oh, so null routes? I got the impression it was application-aware, or
at least port-aware... If it's proxying or doing anything more than
port-level blocking it's likely it sees content as well, or COULD.

Either way, it's not like it's effective for anything except the most
casual of users :frowning:

It's more than null routes, but not much more. The router does a re-route on a list of network/IP addresses, and then for the protocols the redirector
box understands (i.e. pretty much only HTTP) it matches part of the application/URL pattern.

So IWF can block only one part of a sub-tree of a popular shared webhosting site *IF* it is one of a few application protocols.

What we have is a box that takes the IWF feed of dodgy sites and resolves the entries to IP addresses. These are then injected into the network with Quagga's bgpd. The network then obviously routes anything to these IP addresses and therefore those websites to the filter box.

(but not a bad idea....) The filter box runs Squid with the URL list from the IWF. Port 80 traffic is directed through squid and anything appearing on the IWF list that is accessed by anybody returns a page telling them to go away. We thought about the error page stuff but what the heck, it's obvious it's being filtered anyway so you may as well put some google ads on the page you return (Joke :wink:). In fact you could run upside-down-ternet on it, there's no end to the things you could do to screw with people's heads.

Anything on a virtual host whose URL is not explicitly in the IWF list is passed through squid without being touched.

Since only port 80 is passed through the filter then of course there are all manner of things you could do to circumvent the filter and this will of course always be the case as people will use whatever they can to get what they want. After all, all you really need to do in order to get all the dodgy material you want is to subscribe to a decent USENET service and get it all from that.

For what it's worth though it works well for what it is and we certainly get a few hits on it.
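The two-stage mechanism described above (resolve the IWF feed to /32 routes, then let Squid match only the listed URLs on port 80), modelled as an added example that is not code from the thread or from any ISP's deployment. Hostnames, IP addresses and feed entries are constructed; exact-URL matching stands in for whatever pattern match the real redirector does.

```python
"""Model of the IWF-style filter: IP-level redirect plus URL-level matching.
Added example with constructed data; not the thread's or any operator's code."""
from urllib.parse import urlsplit
import ipaddress

# Constructed stand-in for the IWF URL feed (hypothetical hosts and paths).
IWF_FEED = [
    "http://shared-host.example/users/bad/index.html",
    "http://bad-only.example/",
]

# Constructed stand-in for DNS; the real box resolves the feed's hostnames.
FAKE_DNS = {
    "shared-host.example": "192.0.2.10",   # shared hosting: many vhosts, one IP
    "innocent.example": "192.0.2.10",      # same IP as shared-host.example
    "bad-only.example": "198.51.100.7",
    "elsewhere.example": "203.0.113.5",    # not in the feed at all
}

def feed_to_routes(feed, resolver):
    """Stage 1: every hostname in the feed becomes a /32 that bgpd injects,
    so the network carries all traffic for that IP to the filter box."""
    return {ipaddress.ip_network(resolver[urlsplit(u).hostname] + "/32")
            for u in feed}

def normalise(url):
    """Host plus path; the real matcher is a pattern match (assumption: exact)."""
    p = urlsplit(url)
    return (p.hostname.lower(), p.path or "/")

def classify(request_url, feed, resolver):
    """Stage 2: only port 80 to a routed IP reaches Squid; only a listed URL
    is refused. Returns 'blocked', 'proxied' (passed through Squid untouched)
    or 'not_filtered' (never sees the filter box)."""
    p = urlsplit(request_url)
    port = p.port or (443 if p.scheme == "https" else 80)
    dst = ipaddress.ip_address(resolver[p.hostname.lower()])
    routed = any(dst in r for r in feed_to_routes(feed, resolver))
    if not routed or port != 80:
        return "not_filtered"
    if normalise(request_url) in {normalise(u) for u in feed}:
        return "blocked"
    return "proxied"   # shared-IP collateral: proxied, but not blocked

if __name__ == "__main__":
    for url in ["http://shared-host.example/users/bad/index.html",
                "http://innocent.example/", "http://elsewhere.example/copy.html",
                "https://shared-host.example/users/bad/index.html"]:
        print(url, "->", classify(url, IWF_FEED, FAKE_DNS))
```

The `innocent.example` and `elsewhere.example` cases show the two limits the thread raises: an unrelated site on a listed IP is dragged through the proxy, while the same content at an unlisted host is never touched.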

Sean Donelan wrote:

It's not "content" blocking, it's source/destination blocking.

oh, so null routes? I got the impression it was application-aware, or
at least port-aware... If it's proxying or doing anything more than
port-level blocking it's likely it sees content as well, or COULD.

Either way, it's not like it's effective for anything except the most
casual of users :frowning:

It's more than null routes, but not much more. The router does a re-route on a list of network/IP addresses, and then for the protocols the redirector
box understands (i.e. pretty much only HTTP) it matches part of the application/URL pattern.

So IWF can block only one part of a sub-tree of a popular shared webhosting site *IF* it is one of a few application protocols.

Sorry, clicked send before finishing.

BUT the important thing is the network operator and routers don't actually look at the content. If the same bad content (picture, video, whatever) appears somewhere else that isn't on the IWF list, it won't be blocked.

And likewise if the content at the source/destination changes or is removed, e.g. the picture disappears, the destination will continue to be blocked until IWF updates their bad list even though nothing bad is still at the destination.

But this is OK as it's unlikely that something good and wholesome will be on http://n.n.n.n/foobardodgypr0n.html

Also the lists are actually updated fairly regularly.

There are much easier, cheaper ways to do that.

And as another person pointed out, the IWF method is not very surreptitious so the bad guys can tell someone found them and
can improve their methods.

And did I mention the false positive problem of click-fraud and
embedded IMG URLs accessing those sites too. Yes, your computer
may have been recorded accessing a bad site when you read a
spam mail.

Easier and cheaper? Can't think of any... This method nicely gets around the need to tap and process numerous (10) gigabit links, which isn't particularly easy and certainly not all that cheap.

Interestingly, nobody has mentioned on the list what the offending content is yet. Or why this would even remotely be a good idea. I would think that if the content in question is legal, ISPs and the government shouldn't touch it, and if it isn't, law enforcement should do something about it.

Quoting the article http://publicaffairs.linx.net/news/?p=497

"At present, the government does not propose to require UK ISPs to block
content and our policy is to pursue a self-regulatory approach wherever
possible. However, our legislation as drafted provides the flexibility to
accommodate a change in Government policy should the need ever arise."

Lot of different ways to read that depending on your paranoia level. The
phrase "Slippery Slope" does come to mind, however...

Iljitsch van Beijnum wrote:

Interestingly, nobody has mentioned on the list what the offending content is yet. Or why this would even remotely be a good idea. I would think that if the content in question is legal, ISPs and the government shouldn't touch it, and if it isn't, law enforcement should do something about it.

It was in http://publicaffairs.linx.net/news/?p=497

"images of child abuse"

"voluntary" "co-operation"

"At present, the government does not propose to require UK ISPs to block
content and our policy is to pursue a self-regulatory approach wherever
possible."

"However, 90 per cent. of connections is not enough...."

Ok. I'll chime in.

William Allen Simpson wrote:

Iljitsch van Beijnum wrote:

Interestingly, nobody has mentioned on the list what the offending content is yet. Or why this would even remotely be a good idea. I would think that if the content in question is legal, ISPs and the government shouldn't touch it, and if it isn't, law enforcement should do something about it.

It was in http://publicaffairs.linx.net/news/?p=497

"images of child abuse"

"voluntary" "co-operation"

"At present, the government does not propose to require UK ISPs to block
content and our policy is to pursue a self-regulatory approach wherever
possible."

"However, 90 per cent. of connections is not enough...."

I find these two lines to be the most interesting "..we are setting a target that by the end of 2007, all ISPs offering broadband internet connectivity to the UK general public put in place technical measures that prevent their customers accessing websites containing illegal images of child abuse identified by the IWF."

and

"At present, the government does not propose to require UK ISPs to block content and our policy is to pursue a self-regulatory approach wherever possible. However, our legislation as drafted provides the flexibility to accommodate a change in Government policy should the need ever arise."

The last line being most significant. I read it as, "We will threaten you with a law to do the work, but since we don't want it challenged [like we would with the US legal system] we are going to threaten it...even if it might not pass."

And this is for anyone "selling broadband to the general public" -- however that is defined. Are commercial connections the general public? Or just residential?

While I can't wait until web hosts/operators have to debug screwy performance and Squid bugs for sites passed through "untouched" by these proxies just because they share an IP address.

While offering this as a service, or a free service is interesting (and in the spirit of voluntary cooperation) where users could opt in or out for it might be interesting... I can't imagine this would fly in the US.

Britain's moves to become a police state notwithstanding, I wonder how this insidious door-opener for censorship will rear its head as it affects the general Internet. Google's "voluntarily" censoring itself in China as a precondition of operating there. I am sure this "voluntary" policy in Britain will make getting various permits or approvals impossible even if they don't create a law to expressly mandate its use -- The Home Office Minister has already said he expects it in place, that's not far from a precondition of operation.

On the positive side, this will spark all kinds of innovation and give the conspiracy theorists all sorts of fun filled evenings.

Deepak Jain
AiNET

Well indeed, it'll be "terrorist" sites and "Fundamentalist religious" sites and "Sites that contain material that may incite religious hatred" or some other such nonsense. And then who decides what does and does not constitute these sites and *BANG* you have the great firewall of Britain or America or wherever.

And since all these things are largely operated by para-government organisations and civil servants your vote makes little difference.

But the reality is that right now the four horsemen are a lovely political hot topic and either networks in the UK do something about it themselves (i.e. filtering, no matter how ineffective it is) or some idiot who can't tell Internet Explorer from Excel will do it for us.

Everybody knows it's really quite dumb, but it's less dumb than the dumbness that will be legislated if nothing gets done.

So we'll all have odd boxes that inject a thousand or so routes into BGP (nowhere near that many actually) and filter a bit of port 80 and everybody's happy for a while.

Perhaps it'll even go away.

Obviously if you block access to the images the child abuse goes away.

Where can I sign up for my lobotomy so that government policy starts to make sense?

"If a politician fixes a problem then he loses it as a campaign issue. But
if he makes the problem worse while heroically fighting against it, then
he's golden."
    -- Rex Tincher

- Matt

I can't imagine this would fly in the US.

Such systems have already been ruled "unconstitutional" in the US.

-- The Home Office Minister has already said he expects it in place,
that's not far from a precondition of operation.

We are kind of used to the home office minister saying all sorts of cranky
things. Chances are he'll be gone by the end of the month.

My personal dealings with the IWF (stop emailing me, we don't have any NNTP
servers anymore) don't fill me with confidence.

If the government mandates this, they'll have to provide a list of images to
block under a more accountable regime than some random "voluntary body", and
they'll have to take responsibility when people point out the government is
blocking access to specific sites that contain material that criticises them.

I think complying with a voluntary censorship regime is a bad idea all around.

I'm one of James's employers customers when I'm surfing at home.

Simon

Have you been asked by the Dibble for the squid's server log yet? It's
the obvious next step - if you had a URL request blocked, obviously
you were where you shouldn't have been. You're either with us...or
you're with the terrorists.

Alexander Harrowell wrote:

Internet governance by benevolent conspiracy:-)

Have you been asked by the Dibble for the squid's server log
yet? It's the obvious next step - if you had a URL request
blocked, obviously you were where you shouldn't have been.
You're either with us...or you're with the terrorists.

If this website blocking is voluntary and if your goal is to protect
your customers from inadvertently loading one of their pages, then you
would not want to log any details, would you? If you want to help the
police by reducing the number of spurious hits on this known illegal
website so that they have a higher chance of tracking real criminals
from the website hits, then you would not want to muddy the waters by
sending your useless data to them, would you?

Situations like this are always very complex and it does not help when
people throw around simplistic analyses that are not grounded in
reality. There was recent media coverage in the UK that indicates there
are far more pedophiles than was thought and that real pedophiles don't
fit the common stereotypes that people have of them. To me, this
indicates that the police are struggling with data explosion and need
help in reducing that data to increase their chances of catching SOME of
the criminals.

It does not suggest that police want to catch ALL the criminals and some
number of innocent people as well. After all, any arrests will have to
be processed through the court system and when you throw lots of
innocent people and marginal cases into the courts, the cases drag on
for a long time and clog up the system. That would be counterproductive
wouldn't it?

The objections that I see from people in regard to things like website
blocking and network tapping, seem to assume that governments are very
narrow-minded, very efficient and have evil intent. In my experience,
there is a lot more systems thinking in governments than you think, they
are not terribly efficient, and they do not collectively have evil
intent. They do make a lot of mistakes, but these get corrected. If
nothing else, governments have learned that it is very bad to cover up
mistakes, but you can make a lot of political hay by admitting them and
proposing the next bold new solution.

If you really don't like something that governments do, you are better
off not attacking it in a narrow way, but suggesting that it was a
mistake and pushing government into the next bold new initiative to fix
the mistake. This works especially well around election time, but it can
also be done between elections because even the party in power changes
tack from time to time.

In this case I would suggest that it is in ISPs best interests to get
involved with network content blocking, so that ISPs collectively become
deep experts on the subject. We are then in a position to modify these
activities in a way that is beneficial to ISPs and their customers (who
happen to be voters too). And we are in a position to advise government
on future actions as well. If ISPs choose not to get involved, then they
are less likely to be listened to by government partly because they have
less credibility and partly because they simply don't understand the
issue and therefore fail to communicate effectively.

Inter-ISP cooperation is a big problem that needs to be solved on a
global scale. Fortunately, there is a growing number of international
forums in which ISPs do get together to deal with specific flashpoints.
If your company has any part of your network in the UK, please do get
involved by contacting LINX as requested:

   We have 13 companies involved so far but really want to get as many
   ISP's together to make sure that people understand the implications of
   the governments request.

   Whilst the intent is to focus the content on the technical side we are
   keen to make sure that the all parts of the ISP industry are brought up
   to date so may run multiple strands with different levels of technical
   content if we have the numbers.

   If you are interested please contact John Souter (john@linx.net) or
   Malcolm Hutty (malcolm@linx.net) for more details.

--Michael Dillon

It's too late, you've already admitted that the data exists and can be captured.

This is always where it starts...

Dave.

Leigh Porter wrote:

ssshhhhhhh

David Freedman wrote:

The logging code in release versions of Squid is pretty horrible and
won't handle the loads modern ISPs will put under it. You have to
disable it to get any decent performance.

Adrian

Your assumption that blocking parts of the internet is a useful activity is flawed. The only positive effect that this has is that it protects users from accidentally running into stuff they'd rather not come into contact with. But this is much more efficiently and effectively done using commercially available filters.

I talked to some people from the Dutch equivalent to http://www.iwf.org.uk/

This was a very curious experience. What they want to achieve is protecting children from abuse. This is of course a laudable goal. But they think they can do that by ridding the internet of images depicting said abuse. There are pretty strong laws against that in the Netherlands*, but this woman thought that wasn't enough: she felt it would be good to also outlaw _text_ describing child abuse. This is really scary. If these well-intentioned but extremely dangerous people get their way, someone can end up in jail for simply writing some text.

All the while, children in known dangerous situations go on a waiting list before they can be removed from the dangerous (home) environment. So apparently, it's more important to go after the results of child abuse in the past, and maybe even go after people who only fantasize about this stuff, rather than help kids that are in danger NOW. But hey, removing kids from abusive homes costs money and results in angry parents on the news. Strongarming ISPs into taking "voluntary" action on the other hand, is free and only results in angry threads on NANOG.

I'm not one to give up my civil liberties without a struggle, but protecting kids may be important enough to make it worth giving up a few. But is it too much to ask for something that actually works in return?

* Not long ago, a man was convicted because he had 10 images of this kind on his computer. They were part of a 100000 image porn collection. His claim that the 10 images were downloaded accidentally wasn't accepted by the judge: he should have been more careful.

* Jeroen Massar:

I wonder how this solves the, from what I found out, common situation
that people rent cheap "root servers" in a country like Germany where
they VPN into and thus have full access to everything.

In Germany, the legal framework for filtering transit traffic already
exists, so if the UK precedent shows that it's technically and
economically feasible, this will be implemented over here, too. I
doubt the situation is much different in most European countries.

Of course, when the blocking is pretty much universal, I don't really
see how the list maintainer verifies that the reason for blocking
still exists. On the other hand, this might also provide an
opportunity to shut down some of the most egregious malware
distributors and controllers.