Commentary: If Australia is going to implement its mandatory ISP filter, then at the very least we should be told when and why it is being done.
Liam Tung (Credit: ZDNet.com.au)
The block notification page option outlined in the discussion paper on measures to increase the transparency of the mandatory ISP filter seems sensible: if the censors want to block an RC page that is located offshore, then it's reasonable that the government tells Australians what is behind the block and why the page was blocked.
Regardless of where they stood on the filter itself, Google, Microsoft, Yahoo, and even the Australian Christian Lobby have supported the idea that a standardised "block" page should inform end users that the content they have attempted to access is blocked because it is on the RC content list.
But in the name of global safety, Australia's largest gateway to the internet, Telstra, has recommended the government not adopt what the Department of Broadband, Communications and the Digital Economy called a "crucial" measure for accountability and transparency.
Instead it wants us to adopt a system similar to that run by the Internet Watch Foundation (IWF) in the UK, which delivers an error 404 or error 403 message instead of an explanation of why the page was blocked.
Telstra said the explanation option is a bad idea, not because it's against transparency, but because blocking notification pages "can be easily phished by a technically astute user so that the URL of the blocked site becomes transparent to that user, who could then publish it".
"If the contents of the RC list is published it could be used as a directory of harmful content, which would therefore become more easily available to users that are able to circumvent the ISP filter or who are located overseas," Telstra warned.
In other words, Australia's filter could quickly become the means for global citizens to view what is deemed the worst of the internet. But is it that easy? And is the block page notification really the giveaway that a page has been blocked?
Telstra called the technique of harvesting URLs that generate the standard block message "phishing". Hacklabs' security consultant Chris Gatford said this was an incorrect use of the term; however, he agreed that harvesting those URLs would be possible, if not easy.
"It would be hard to create a raw list from guessing domains to browse. More likely users would talk about seeing the page and hence report it as blocked and a list would be created based on that if done at all," he said.
Could a script be written that automatically harvests URLs showing the predicted "block page notification" response, whatever that may be?
"You could scrape Google for a phrase 'how to make a bomb' then have it retrieve each page to see if it was blocked," said Gatford.
I'm not convinced this is so easy, and it sounds like doing what Telstra fears could be a painstaking and laborious task. And is it really worth sacrificing our right to know, and by extension our right to contest an RC classification when we stumble across one?
To illustrate why we should advise users when a page they are attempting to access has been blocked, the Electronic Frontiers Association's submission noted an incident that occurred in the UK in 2008 when an image that was sourced from Wikipedia was deemed unacceptable by the IWF. It was the cover image for German band Scorpions' 1976 album Virgin Killer, not too dissimilar to photos by local artist Bill Henson.
Citizens in the UK were not made aware that it had been blocked, but a few crafty and concerned citizens discovered that it had been, which triggered public debate that eventually led to a decision to unblock the page. That the page was unblocked showed why such a measure would be crucial to Australia's operation of the filter.
The source of Telstra's concern appears to have come from research by the University of Cambridge Computer Laboratory's Richard Clayton, who explored the use of BT's IWF-based CleanFeed system as an "oracle" for identifying blocked content. Clayton argued that because CleanFeed redirected traffic for particular IP addresses to a web proxy that determines whether a page under that IP should be blocked, the blocked page detection process can be automated — presumably what Telstra fears could be done by a technically astute user.
If Clayton is right, then it doesn't matter whether Australia issues a block notification page. The redirection, and not the issuing of a notification, could lead to an astute user doing what Telstra feared.
Let's hope Australia does not follow the UK's example on this one.