Saturday, June 09, 2007

It's for your own good (again)

You probably don't know that the government wants to implement wholesale filtering of URL requests from the end of next month, do you? Not that the national press, TV, or anything else has reported on it, nor has there been any serious parliamentary debate. Nuh. But the Home Office is pressurising British ISPs to install a system BT has been using since 2003, at the behest of (guess who) David Blunkett, called Cleanfeed.

A brief technical description - the Internet Watch Foundation provides a list of dodgy sites, and these are resolved to IP addresses in the normal way. Those addresses are then injected into the ISP's internal routing table through BGP, giving the address of a squid proxy within the ISP's network. This proxy matches the requests against the IWF's list of URLs. Matches return a "fuck off" splash page, non-matches are routed in the normal way.

The flaws are well-known; for a start, any encrypted protocol, even https, will pass through without touching the sides. It doesn't attempt to examine e-mail (and anyway, anyone who tries to distribute illegal material by e-mail without encrypting deserves to be caught), nor does it affect NNTP traffic - and, after all, alt.binaries.* newsgroups are still the best places to find any form of smut on the 'net. BitTorrent, Skype file transfer, and things more exotic will also go unfiltered. It's literally just port 80. Another problem, as demonstrated by Richard Clayton of the Cambridge Computer Lab, is that the system could be repurposed as a directory of the really bad stuff.

So, nobody who actually wants child abuse images will suffer from this. ISPs will, though, because it costs money. The Government pays for RIPA data retention, but it isn't paying for this little exercise because it's "voluntary", in the special Home Office sense of "voluntary" that means "do this or we'll make your life a misery". The official justification is to protect children from "accidentally stumbling upon" the images. This is ridiculous. I've been on the 'net since 1996 and I've never "stumbled upon" illegal images - for the same reason no-one ever accidentally buys cocaine. It's illegal, you fucking idiots. Nobody walks around waving a sign saying DRUG DEALER. And drug dealers do not give drugs away.

But there's worse. How can anyone be naive enough to imagine that the geniuses behind Operation Ore won't immediately want the log from that squid box - after all, if "the computer" refused to serve you something, you must have asked for it. Are you with the terrorists? I am aware that at least one ISP that has implemented the system has also removed the logging code from the squid, in the hope that any police request would require extensive software development (at the public charge).

Who, anyway, decides what is to be censored? The Internet Watch Foundation seems to rely on complaints from the public, only 33 per cent of which are upheld after the IWF's own enquiries. This is mildly promising - it suggests that some scrutiny is going on. But should the right to censor be in the hands of an organisation partly funded by News International?

If this is meant to be voluntary, I'd like to make clear that any ISP that refuses can have my business.

Update: Did you know that the list is priced at £5,000 a year and that it's confidential?


cian said...

Are they using the ip numbers, or the actual addresses. Because if the latter, just using a publicly available name server will get round that problem.

cian said...

OK I answered my own question. Still anyone who can't work out how to use a proxy to get round this...
Inconvenience for the law abiding, no affect on the crims. How very new labour.

Watching Them, Watching Us said...

Do not forget the plans which Home Secretary John Reid and Franco Fratinni, Vice President of the European Commission, have been spinning since last August, to create some sort of "Great Firewall of Europe" to be aimed at allegedly "terrorist websites".

The Labour government has has now added another layer of criminal bureaucratic red tape see:

UK Government internet censorship powers - The Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007

These threaten up to 2 years in prison (and / or a fine).

There are Exceptions for Acting as a Mere Conduit and for Caching and for Hosting. i.e. almost blanket immunity for Internet Service Providers and Telecommunications companies.

However these Exceptions only apply to these Regulations, and do not provide any protection from the threat of up to 7 years in prison (and / or a fine) under the the Terrorism Act 2006 section 3 "takedown notices",

N.B. these Regulations and the Terrorism Act 2006 both have worldwide scope and attempt to ineffectually regulate not just UK based ISPs and Telcos, but those in the European Economic Area and the Rest of the World as well.

The "brains at the Home Office" have provided no authentication mechanisms for these "takedown notices", so improperly authorised or even fake "takedown notices" are going to be used by incompetent or malicious people to harass innocent websites and to fool ISPs etc. to get them to take arbitrary website targets offline at short notice.

Tom said...

Good lord - has anyone any idea how much effort it takes to provide even a passive proxy for all port 80 traffic? If you're passing that through squid, who's paying for the servers if you're one of the big guys.

Given that BT are already using it, this means Virgin Media, who have some millions of cable modem customers.

Alex said...

@Tom: The ISP pays. Check out NANOG and UKNOF for the squealing. Virgin - well, insofar as they are not customers over cable. This appears to apply to customer networks, not transit.

kostenloser Counter