We should be told when we're filtered

We should be told when we're filtered

Summary: Telstra outright opposed the government's option to boost the transparency of its ISP filter regime by issuing a "block page notification". But will transparency really make the filter a Refused Classification (RC) oracle?


commentary If Australia is going to implement its mandatory ISP filter, then at the very least we should be told when and why it is being done.

Liam Tung

Liam Tung (Credit: ZDNet.com.au)

The block notification page option outlined in the discussion paper on measures to increase the transparency of the mandatory ISP filter seem sensible: if the censors want to block an RC page that is located offshore, then it's reasonable that the government tells Australians what's behind there and why it was blocked.

Regardless of where they stood on the filter itself, Google, Microsoft, Yahoo, and even the Australian Christian Lobby have supported the idea that a standardised "block" page should inform end users that the content they have attempted to access is blocked because it is on the RC content list.

But in the name of global safety, Australia's largest gateway to the internet, Telstra, has recommended the government not adopt what the Department of Broadband Communications and the Digital Economy called a "crucial" measure for accountability and transparency.

Instead it wants us to adopt a system similar to that run by the Internet Watch Foundation (IWF) in the UK, which delivers an error 404 or error 403 message instead of an explanation why the page was blocked.

Telstra said the explanation option is a bad idea, not because it's against transparency, but because blocking notification pages "can be easily phished by a technically astute user so that the URL of the blocked site becomes transparent to that user, who could then publish it".

"If the contents of the RC list is published it could be used as a directory of harmful content, which would therefore become more easily available to users that are able to circumvent the ISP filter or who are located overseas," Telstra warned.

In other words, Australia's filter could quickly become the means for global citizens to view what is deemed the worst of the internet. But is it that easy? And is the block page notification really the give away that a page has been blocked?

Telstra called the technique of harvesting URLs that generate the standard block message "phishing". Hacklabs' security consultant Chris Gatford said this was an incorrect use of the term; however, he agreed that harvesting those URLs would be possible, if not easy.

"It would be hard to create a raw list from guessing domains to browse. More likely users would talk about seeing the page and hence report it as blocked and a list would be created based in that if done at all," he said.

Could a script be written that automatically harvests URLs showing the predicted "block page notification" response, whatever that may be?

"You could scrape Google for a phrase 'how to make a bomb' then have it retrieve each page to see if it was blocked," said Gatford.

I'm not convinced this is so easy, and it sounds like doing what Telstra fears could be a painstaking and laborious task. And is it really worth sacrificing our right to know, and by extension our right to contest an RC classification when we stumble across one?

To illustrate why we should advise users when a page they are attempting to access has been blocked, the Electronic Frontiers Association's submission noted an incident that occurred in the UK in 2008 when an image that was sourced from Wikipedia was deemed unacceptable by the IWF. It was the cover image for German band Scorpion's 1976 album Virgin Killer, not too dissimilar to photos by local artist Bill Henson.

Citizens in the UK were not made aware that it had been blocked, but a few crafty and concerned citizens discovered that it had been, which triggered public debate that eventually lead to a decision to unblock the page. That the page was unblocked showed why such a measure would be crucial to Australia's operation of the filter.

The source of Telstra's concern appears to have come from research by the University of Cambridge Computer Laboratory's Richard Clayton, who explored the use of BT's IWF-based CleanFeed system as an "oracle" for identifying blocked content. Clayton argued that because CleanFeed redirected traffic for particular IP addresses to a web proxy that determines whether a page under that IP should be blocked, the blocked page detection process can be automated — presumably what Telstra fears could be done by a technically astute user.

If Clayton is right, then it doesn't matter whether Australia issues a block notification page. The redirection, and not the issuing of a notification, could lead to an astute user doing what Telstra feared.

Let's hope Australia does not follow the UK's example on this one.

Topics: Censorship, Government AU, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • There's like 10 billion web pages out there. If you requested one page per second to check whether it was on the list or not, it would take you over 300 YEARS to go through them all. Only a "technically astute" user with the computing power of google at their disposable would be able to detect the list of blocked sites by trial and error...

    Even if you just searched Google for pages that match a specific phrase, the phrase "how to make a bomb" returns 50 million results currently... still waaay too many to be concerned with.
    Dean Harding
  • 404 or 403 certainly would give a quicker and less exploitable block page.... But think for one second about what this will do for users who come across it, and the site admins who have to deal with the result. I know it won't be common, but the sites who get added mischievously, such as due to hacking, will have to waste user and admin time on solving a problem that doesn't actually exist.

    Using a block page, on the other hand, will tell the user who is responsible for them not getting the data they expected. They can then contact the site about the actual situation, and the site can contact the ACMA to get off the list.
  • @Dean Harding
    I'm not defending the stance to not put block pages up in fact I'm against the whole black-list for a start. However, your suggestion that it would take a inconsiderable long time to process them all isn't quite correct. The problem with your statement is that you assume it will be just one person working on their own project. The more likely scenario is a community of disgruntled users and wanna-be hackers running automated scripts scraping web pages with a central server collecting the results. In which case it won't take nearly as long as you're assuming. Particularly if you start using filtering based on topic elimination.

    While my computer or your computer doesn't hold a flame to the processing power of Google, as you pointed out in your statement, when you get a community of 1000 + users total processing power becomes a lot closer.

    This is why programs like SETTI and Folding@Home are so successful, the potential processing power is immense and for very little outlay.