Don’t look now, but someone’s
deciding what you can look at
The spectre of website blocking found its
way back onto the news pages again recently when BT announced it had
implemented a court-ordered block on the Pirate Bay website. As we report on
p7, the block was, as usual, quickly rendered mostly useless by those pesky pirates,
who offered alternative unblocked addresses where users could access their
services. Visiting the Pirate Bay site is not in itself illegal, and there are
no penalties for ordinary users who choose to circumvent this or any other
court-ordered block to continue their own browsing.
Website
Block software utility allows you to block unwanted websites from display in
Internet Explorer
There are two main methods an internet
service provider (ISP) can use to block a site. The simplest is to remove its
domain, such as dodgysite.co.uk, from its DNS (domain name server) database.
That database is a crucial link in the chain for most broadband customers. It
converts the web address typed into a browser, or clicked in a link, into the
IP address for the website - the string of numbers that leads directly to the
server where the information resides. Remove the domain from the database, and
the site is no longer accessible.
There are a couple of problems with this
basic method of denying access, however. The first is that it’s very easy to
get around. Not every customer uses the ISP’s own DNS in the first place, and
those who do can easily switch to an alternative, such as OpenDNS, by changing
the settings on their router (though some I SP-supplied routers prevent this)
or on the device being used to access the web. For example, in OS X, go to the
Network pane of System Preferences, select your current connection on the left,
click the Advanced button, go into the DNS tab, click the “+’ icon at the
bottom left, and type the address(es) of your favourite DNS server into the
panel. For OpenDNS, you would enter 208.67.222.222 and 208.67.220.220 (the pair
of addresses is just in case one fails).
Take the ISP’s DNS out of the equation like
this, and it’s as if the site block never happened. This method of blocking a
site is also problematic because it prevents access to an entire domain, rather
than specific pages. That could mean perfectly innocuous content, not intended
to be blocked, would be made unavailable.
The Ease With which the DNS method can be circumvented means it’s obviously
unsuitable for blocking access to illegal content such as sexually abusive
images of children. To do that, ISPs use the BT-developed CleanFeed system.
CleanFeed steps in after a DNS has resolved an IP address and compares the IP
with a list of blocked addresses maintained by the Internet Watch Foundation.
If it finds a match, access to the requested web page is prevented. CleanFeed
is now mandatory for all ISPs in the UK.
The Internet Watch Foundation is a private
organisation set up by commercial internet providers and funded by a variety of
industry and public bodies. It has no special status in law, is not accountable
to the public or to parliament, and does not respond to Freedom of Information
Act requests. Its complaints procedures and code of practice are laid down and
monitored by itself, and appeals are heard by the IWF’s own staff, whose
decision is final. So what could possibly go wrong?
Newzbin2
itself didn’t host any content, and merely operated as an index, much like
Google but with more of a specific focus on finding movies and music that you
hadn’t paid for
Of course, many people would agree that
it’s a good idea to prevent sexually abusive images of children being accessed,
and it seems to have become accepted that this kind of content (whether
correctly or incorrectly identified) is a special case. Inevitably, though,
once an internet kill switch had been invented to block scary kiddie porn, the
temptation was bound to arise to use the same technology for less noble
purposes.
So when BT was ordered by a court last year
to block the link aggregation site Newz-bin2, it opted to use CleanFeed to
implement the block. The complaint against Newzbin2 came from copyright owners
who were angry about the site providing links to other sites that hosted
unlicensed copyright material.
Newzbin2 itself didn’t host any content,
and merely operated as an index, much like Google but with more of a specific
focus on finding movies and music that you hadn’t paid for. Compared to child
pornography, this didn’t seem to present quite such a good case for trampling
on freedom of expression and censoring users’ internet connections en masse.
But the court was nevertheless convinced.
When BT was then ordered to block The
Pirate Bay, a peer-to-peer file sharing service that openly flouted copyright. it
asked for additional time to implement lessons learned from Newzbin2. Despite
this, when the block finally came into effect, The Pirate Bay was able to make
itself available to BT customers within minutes, simply by adding another
couple of servers with new IP addresses. Users could then type these IP
addresses, or click on a link in a forum, and, because the new IP address
wasn’t on BT’s blacklist, would be able to access the site.
The Pirate Bay explained that this was intended as a ‘statement’ to show how easy
it is to circumvent this type of block. It does illustrate that any type of
filter which relies on comparing IP addresses with a list of known banned IPs
ends up as a game of cat and mouse between the ISP and site operator.
If adding new IP addresses every time the
ISP blocks one becomes impractical, there’s an easier method to circumvent a
block: use a proxy server. Proxy servers allow users to make it look to their
IS P as if they’re visiting one IP address, while the proxy forwards the
request to another, such as a blocked site.
Using a proxy server carries its own risks
for the user, however. Although there are thousands of open proxies that can be
found with nothing more troublesome than a Google search, many will display
pop-up adverts or other unwanted content, and there are also privacy and
security issues in allowing HTTP requests to be intercepted by an unknown third
party.
TalkTalk's
HomeSafe adult
Though not perfect, CleanFeed is more
successful than other forms of site blocking, such as Talk Talk’s HomeSafe
adult content filter. That system, which is offered to all new Talk Talk
customers, allows content such as malware, pornography and gambling sites to be
filtered at network level - that is, affecting every device on a broadband
line, so anything parents decide their kids shouldn’t be able to see, they
won’t be able to see themselves either.
Some MPs want to see this type of blocking
adopted as standard by all ISPs. Earlier this year, an ‘independent’
parliamentary enquiry led by Conservative MP and conservative Christian Claire
Perry recommended the implementation of ‘opt-irf filtering, where users would
have to specifically ask their ISP to be allowed to view ‘adult’ content.
‘Our inquiry found that many children are
easily accessing internet pornography as well as websites showing extreme
violence or promoting self-harm and anorexia. This is hugely worrying,’ said
Perry, who didn’t seem to be worried by the prospect of mass censorship, or by
the plain fact that the millions of gigabytes of data accessible on the
internet don’t come with age-appropriate stickers to enable software to
categorise them.
The Internet Service Providers Association
criticised the proposals, saying that ‘forcing ISPs to filter adult content at
the network level, which users would then have to opt out of, is neither the
most effective nor most appropriate way to prevent access to inappropriate
material.’ And the Open Rights Group said the proposed filter ‘would endanger
children, create disruption for small business, and would not work
technically.’
While
copyright owners have forced ISPs to block individual sites, blanket censorship
of child abuse images is already in place and the government is keen to
auto-block a wide variety of ‘adult’ content
The First Problem with a filter such as HomeSafe is that it relies on comparing requests
for web pages in a browser with an auto-generated list of blocked sites. This
list is necessarily incomplete, thus lulling those who rely on the filter into
a false sense of security, and will inevitably include thousands of false
positives - sites that the list generator believes are of the type intended to
be blocked, but aren’t.
As the Daily Telegraph journalist Tom
Chivers put it after discovering that his newspaper’s website had been blocked
by a mobile phone network: ‘Your children would not be able to access the
edifying goodness that is Telegraph Blogs, but may be able to waltz freely into
the darker recesses of Spankwire, because the algorithms are imperfect at
best.’
Regardless of whether it’s blocking the
right sites, TalkTalk admits HomeSafe is easily circumvente d by ‘any
intelligent teenager.’ While TalkTalk is the only ISP currently offering to
filter at the network level, other ISPs are considering introducing such
systems as an option, and in the meantime can supply software that allows
content to be blocked on Macs and PCs. The government, meanwhile, hasn’t made
up its mind. It seems minded to require ISPs to provide some kind of network
filter, but has so far stopped short of supporting the recommendation in
Perry’s report. Perhaps a fact-finding mission to Iran or Burma would help?
