Hadrian's Firewall: UK's New Internet Filter or Censor?
BY Wendy M. Grossman | Wednesday, January 22 2014
"Hadrian's Firewall," the veteran journalist Guy Kewney called it in 2006, the first time I wrote about plans for UK-wide content blocking. The term is much more valid now: just before Christmas British ISPs turned on a system that requires subscribers to actively choose whether they want filtering that will block material in broad categories such as sex, alcohol, violence, and hate speech. In response, the Open Rights Group is gearing up to collect evidence of whether and how the filters work. Of particular concern to ORG is the problem of over-blocking with little redress available to site owners, as well as the dangers inherent in over-confidence in the technology. [Disclosure: Wendy Grossman is a member of ORG's advisory council.]
"It's not a panacea for parents. It doesn't mean children will be safe," ORG's executive director, Jim Killock, told a group of volunteers on Saturday to kick off the filtering study project. "It's a mixed bag, but it's portrayed as an unqualified good."
Most people - including ORG - think parents should have good tools available in case they wish to limit what their children can access online. The difficulty is that these are not good tools.
Of filtering installed at the ISP end of the connection instead of on users' own machines, Richard Clayton, a Cambridge security researcher, says, "It's a blunt instrument and assumes that everybody in the household has the same needs and requirements. And it's inefficient - because it's much harder to evade blocks on individual machines than on the network." Clayton believes the government would have done better to insist that good user-controllable filtering tools should be developed for devices - such as the Xbox - that lack them.
"Instead, they've seen some technology and decided it will fix a social problem and it won't," he says.
The biggest complaints are that there is no transparency about what is blocked; it's extremely difficult to get an innocent site unblocked; and the tools are easily bypassed by the determined and technically adept. Worse, the blunt-instrument approach to categories can mean disastrous errors - such as in December, when the mobile operator O2 was found to be blocking most police and NHS sites, the child abuse hotline Childline, and the Samaritans' suicide prevention site. The present system may be less effective at protecting children than at keeping the Daily Mail tabloid newspaper quiet (while decorating its pages with scantily clad 14-year-olds). And, perhaps, at getting David Cameron re-elected in 2015.
Nonetheless, what's happening in the UK is a far cry from the comprehensive, much less avoidable Chinese system. Most of the UK's blocks are on by default - but there is no pressure, legal or social, to keep them on. "Hadrian's firewall" is cute, but misleading: it makes it sound as though there is one comprehensive British system of Internet censorship. The reality is an inconsistent moth-eaten patchwork of systems from different suppliers for different purposes.
To wit: first, child abuse images have been blocked since 1997 according to lists supplied by the Internet Watch Foundation, an independent charity. Second, the last couple of years have seen blocks on specific sites for copyright infringement, implemented by ISPs under court orders applied for by rights holder organizations. Finally, multiple systems filter a number of categories of material that may be objectionable. Blocking has been the default on mobile networks since 2011; mobile subscribers must prove they are over 18 and ask to have filtering turned off. Last summer, under pressure from the conservative Web forum Mumsnet, Prime Minister David Cameron, and MP Claire Perry (Conservative, Devizes), the companies that provide 90 percent of Britain's public wifi hotspots - O2, Virgin, Nomad, BT, and Arqiva - signed an agreement to put "family-friendly filters" in place anywhere children are likely to be present. The system attracting publicity in December 2013 has each major ISP separately implementing filtering and requiring new (eventually all) subscribers to make an active choice about whether they want filters turned on and in which categories.
Both the public wifi blocking and the opt-out system for broadband subscribers were announced by David Cameron in a July speech, in which he also pushed the main search engines to block searches on terms that might lead to illegal images. They have since complied. The latest notion, originating from the veteran campaigner John Carr, is that the UK's domain name registry, Nominet, should ensure that domain names suggestive of serious sex crimes cannot be registered in .uk. After commissioning a report, Nominet plans to amend its terms and conditions and review registrations post-hoc.
With the exception of TalkTalk, which views filtering as a market opportunity, ISPs were and are largely unenthusiastic. The software engineer Iain Collins, who has worked on both Sky's and TalkTalk's systems, says, for example, that in his experience they see blocking as a slippery slope, and don't like the expense or obligations involved - or the PR liability when things go wrong. There is less public objection than there might be: few wish to be seen publicly criticizing the IWF system at the risk of being labeled as a defender of child abuse.
It's important to know that the landscape of ISPs is rather different in the UK from that in the US. As in the US, the transition from dial-up (which is free of filtering since it's dying off anyway) to broadband consolidated hundreds of ISPs into a small group. However, the regulator Ofcom's continuing competitive oversight requires BT to sell Internet access provision wholesale to other ISPs as well as retail to consumers, and also to open up its exchanges to local loop unbundling to create competition in the last mile. A number of companies that have taken advantage compete with BT nationally, as does Virgin cable. The result is that in most of the UK both consumers and businesses typically have many more choices than their US counterparts. Accordingly, 90 percent of consumer broadband connections are supplied by six ISPs: BT (retail), Virgin, TalkTalk, Sky Broadband, Orange, and O2, all of them part of large multinational companies. Businesses and the remaining 10 percent of consumers are served by a mix of rebranded BT (wholesale) or other connections and business ISPs, which may be anything from a large company to a two-man networking consultancy. There is no push for business ISPs to adopt filtering; businesses don't want it (and have no children to protect). The intention is that eventually small consumer ISPs should also adopt filtering, but they're on the sidelines for now.
Determined consumers of blocked material, therefore, have many choices. They can pay more to subscribe to a small or business ISP. They can use a proxy, use Tor, or probably even just HTTPS. Smart teens can enter their parents' passwords and turn the filtering off. The government surely knows this.
Like the systems that have followed it, the IWF began with threats by government and/or law enforcement to ISPs: regulate yourselves, or we will do it for you. In August 1996, the London Metropolitan police demanded the removal of 133 Usenet newsgroups claimed to carry child pornography under threat of enforcement action. All sides faced off at a meeting, where Peter Dawe, the founder of Pipex, one of the first two British consumer ISPs, pledged £500,000 to create the IWF as a self-regulatory mechanism. A charity supported by donations and fees from member ISPs, the IWF manually reviews material reported to it by the public. Images the staff judge to be potentially illegal are forwarded to police for action and the URLs are added to the recommended blocklist supplied to member ISPs. The contents of this list are secret and even the ISPs who implement it are discouraged from looking at it. Iain Collins, a software engineer who has worked on blocking systems for TalkTalk and Sky, says the automated implementation, the list's manual generation and the prohibition on looking at it make it difficult to avoid hiccups due to typos and parsing errors.
Child abuse images are illegal almost everywhere. The IWF was quickly copied by many other countries. Under watch from human rights campaigners to ensure that it doesn't exceed its remit, its operation has been mostly uncontroversial with a couple of exceptions. In 2008, a botched implementation that left much of the country unable to edit Wikipedia pages revealed that the IWF had blocked the site's image of the 1976 Scorpions album Virgin Killer, which features the image of a nude young girl. The increasing controversy led the IWF to remove the block on the basis that the publicity was giving the image greater exposure. It has never recanted its position that the image is indecent under British law - and experts say a court might well agree. More recently, TalkTalk blocked HTTPS access to WordPress administrator logins after a single account was reported for containing child abuse content. The IWF has been successful in at least one regard: very little illegal child abuse material is now hosted in the UK.
BT offers its IWF implementation system, which it internally calls Cleanfeed, as a service to other ISPs. Cleanfeed, says Clayton, who studied it in a 2005 paper, is clever enough to examine URLs and block selectively: denying access to Playboy's images, perhaps, while leaving readable the articles (which are all anyone ever looks at the magazine for anyway, right?). The number of providers and past consolidation mean there are many different blocking systems even within individual ISPs: those six major ISPs may have as many as 18 or 20 different systems.
The newer filters, Clayton says, are a mix of IP address blocking and domain name system poisoning, where the ISP sets its default DNS resolver to either return no result or send users to a you've-been-blocked page. The latter tactic, he adds, is also widely used by smaller ISPs to implement the IWF list. The knowledgeable can easily bypass it by using a third-party DNS resolver.
The lack of consistency about how sites are categorized or whether individual systems can differentiate between multiple sites using the same IP address makes it, as Killock says, almost impossible for the owner of a small online business to find out if it's being erroneously blocked and by whom - and no ISP seems to have a clear mechanism for redress.
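An added example, not part of the original article: a sketch of how a site owner, or a study like ORG's, could classify the two DNS behaviours Clayton describes (no result, or redirection to a block page) by comparing an ISP resolver's answers with those of an unfiltered reference resolver. All domains, addresses and the two-domain threshold are constructed assumptions; real answers would come from actual lookups on each network.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    rcode: str                    # DNS response code, e.g. "NOERROR" or "NXDOMAIN"
    ips: frozenset = frozenset()  # addresses in the answer section

def infer_block_page_ips(isp_answers, reference_answers):
    """Heuristic: an address the ISP returns for 2+ domains but the reference never does."""
    seen = defaultdict(set)
    for domain, ans in isp_answers.items():
        ref = reference_answers.get(domain)
        for ip in ans.ips:
            if ref is None or ip not in ref.ips:
                seen[ip].add(domain)
    return {ip for ip, domains in seen.items() if len(domains) >= 2}

def classify(domain, isp_answers, reference_answers, block_ips):
    isp, ref = isp_answers[domain], reference_answers[domain]
    if ref.rcode != "NOERROR" or not ref.ips:
        return "inconclusive"  # fails on the reference too: not evidence of filtering
    if isp.rcode != "NOERROR" or not isp.ips:
        return "no-result"     # ISP resolver withholds an answer that exists elsewhere
    if isp.ips & block_ips:
        return "block-page"    # answer rewritten to the shared block-page address
    if isp.ips & ref.ips:
        return "consistent"
    return "differs"           # may be ordinary CDN variation; check by hand

def survey(isp_answers, reference_answers):
    block_ips = infer_block_page_ips(isp_answers, reference_answers)
    return {d: classify(d, isp_answers, reference_answers, block_ips) for d in isp_answers}

# Constructed sample answers (documentation address ranges, .example domains).
REFERENCE = {
    "shop.example": Answer("NOERROR", frozenset({"198.51.100.10"})),
    "clinic.example": Answer("NOERROR", frozenset({"198.51.100.20"})),
    "forum.example": Answer("NOERROR", frozenset({"198.51.100.30"})),
    "news.example": Answer("NOERROR", frozenset({"198.51.100.40", "198.51.100.41"})),
    "gone.example": Answer("NXDOMAIN"),
}
ISP = {
    "shop.example": Answer("NOERROR", frozenset({"203.0.113.5"})),
    "clinic.example": Answer("NOERROR", frozenset({"203.0.113.5"})),
    "forum.example": Answer("NXDOMAIN"),
    "news.example": Answer("NOERROR", frozenset({"198.51.100.41"})),
    "gone.example": Answer("NXDOMAIN"),
}
```

A "consistent" DNS result does not rule out the IP address blocking the article also mentions, which has to be tested at the connection level.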
Expert sources suggest there are as few as three organizations worldwide that supply the raw blocklists on which these systems are built: Huawei (known to be used by TalkTalk), Nominum (used by BT), and Symantec. Getting a wrongly blocked site removed from TalkTalk's system, for example, requires sending a request back to Huawei. TalkTalk's system, widely reported to have cost £20 million, has another quirk: all traffic is routed to Huawei servers for checking whether or not the subscriber has turned off the filters. According to Collins, this monitoring gives the company substantial insight into user behavior - presumably useful for marketing purposes.
"My view is that this is illegal under [the Regulation of Investigatory Powers Act]," says Clayton. "TalkTalk's view is that because the data is not seen by humans, it's lawful."
The bigger source of controversy when the filters became active in December was their cultural tone-deafness. BT subscribers quickly discovered, for example, that the "sex education" category blocked sites where the main purpose is to provide information on subjects such as respect for a partner, abortion, gay and lesbian lifestyle, contraceptives, sexually transmitted diseases and pregnancy. The wording has since been revised, but what about the list?
Few believe the government will push for mandatory filtering or expand into political speech.
"The real test," says Clayton, "is whether, the next time we get some royal scandal or Closer has more pictures of royals with no clothes on, the blocks react particularly quickly to that."
Wendy M. Grossman is a freelance science and technology writer who covers the border wars between cyberspace and real life.