Internet Filtering Doesn’t Work

When I started my campaign against internet filtering my original concern was that the government would be running a secret censorship scheme.

However, as I’ve found out more about how the filtering will work (see the Technical FAQ), I’ve become increasingly impressed with just how useless it is. The DIA’s proposed internet filtering system is not going to stop the people who want blocked material from accessing it.

Here are some of the major technical problems with it:

1. It can’t intercept encrypted web traffic (https).

When web traffic gets diverted to the DIA, their filter server examines the request to see which website it is going to, and the request is then either blocked or allowed. This only works if the web traffic is in plain text and not encrypted.

Of course, many people don’t want anyone to see the information they’re sending over the web to the bank, or the credit card number they’re sending to an online shop. So someone invented a secure form of web traffic (called https) that encrypts everything sent to and from the web server. More and more sites are starting to use secure web traffic for everything (e.g. Google Mail).

It’s not hard to change your website from non-secure http to secure https. And, if you do, the DIA filter server can’t intercept it.

2. It can’t intercept file sharing, email, chat, instant messaging or anything other than unencrypted web traffic.

Most mainstream movies and music are shared with peer to peer file sharing. The DIA’s filter server won’t look at this type of traffic.

Most online communications are through email or instant messaging. The DIA’s filter server won’t look at this type of traffic.

Why wouldn’t people who spread child pornography use the same tools available to everyone else on the internet?

The DIA’s filter server only examines unencrypted web traffic, ignores everything else, and is therefore doomed to irrelevance.
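
The decision the filter server makes on diverted traffic, as described in points 1 and 2, shown as an added Python example (not the DIA's code). The blocklist entry, hostnames and sample bytes are constructed, and `block_opaque` is a hypothetical switch for the only choice left when no URL is readable.

```python
# Added illustration: blocklist entries and sample bytes are constructed.
BLOCKLIST = {("blocked.example", "/bad/page.html")}  # hypothetical (host, path)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

PLAIN_LISTED = b"GET /bad/page.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
PLAIN_OTHER = b"GET /index.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
TLS_START = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(46)  # handshake record
SMTP_START = b"EHLO mail.example\r\n"


def inspect(first_bytes: bytes) -> dict:
    """What a URL filter can learn from the first bytes of a diverted connection."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03;
    # the HTTP request line and path travel inside the encrypted stream that follows.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return {"kind": "tls", "url": None}
    if not first_bytes.startswith(HTTP_METHODS):
        return {"kind": "other", "url": None}  # mail, chat, P2P: no URL to match
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return {"kind": "other", "url": None}
    path = parts[1].split("?", 1)[0]
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]
    return {"kind": "http", "url": (host, path)}


def decide(first_bytes: bytes, block_opaque: bool = False) -> str:
    """Return 'block' or 'allow'; block_opaque is the all-or-nothing choice
    the filter is left with for traffic it cannot read."""
    seen = inspect(first_bytes)
    if seen["kind"] == "http":
        return "block" if seen["url"] in BLOCKLIST else "allow"
    return "block" if block_opaque else "allow"


if __name__ == "__main__":
    for label, data in [("listed http", PLAIN_LISTED), ("other http", PLAIN_OTHER),
                        ("tls", TLS_START), ("smtp", SMTP_START)]:
        print(label, inspect(data)["kind"], decide(data), decide(data, True))
```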

3. Adding new entries to the filter is a manual process.

Creating and moving websites is fast and easy these days. My own web server (used for this blog) only took about an hour to set up.

For a site to be blocked by the DIA’s server, someone has to find out about it, check it, and then add it to the list, at which point it can just be moved to a new name on the web.

When websites are so easy and quick to set up, I just don’t see how they can keep the filter list sufficiently up to date.

4. The filter will only be used by some ISPs.

A number of ISPs in New Zealand do not intend to use the DIA’s internet filter. They don’t see it as part of their business. To quote the words of one ISP’s CEO – “we’re the pipe, not the censor”.

If a number of major ISPs don’t use the filter, is there any point in implementing it for the ones that do?

And if the ISP wants to implement their own filter for their business/school clients, they’ll surely be wanting to ban more than is covered by the DIA filter.

5. A motivated person can easily get around the filter.

Most importantly of all, even if all those other points weren’t true, it’s just too easy for a motivated person to work around the filter.

Here is one fairly simple way (and you could write instructions that would let even the non-technically savvy do it): sign up for a US$10/month account with a hosting firm in the US, install MyEnTunnel on your PC and point it at your account in the US… and everything you do on the internet goes through the US and will never go anywhere near the DIA’s filter server.

Most people won’t bother doing this, but the people who want this material know that it’s illegal and are already used to using similar techniques to avoid detection.


Even if we ignore the political problems and the internet performance problems, we’re still left with the major problem that the filter just won’t work.

So why are we wasting time and money on it?

5 Responses to “Internet Filtering Doesn’t Work”

  1. Colin Coghill on Jul 19, 2009 at 2:39 pm:

    Just a note on points 1 & 2. It sounded to me more that they were filtering by IP address, which would still let them block access to encrypted stuff, as long as they’ve somehow discovered that the place it’s coming from is dodgy.

    The other points still stand, of course.

    They’d get much better value for money by hiring and training some extra police specialists in the area.

  2. thomas on Jul 19, 2009 at 3:48 pm:

    Hi Colin,

    The traffic is diverted by IP address but then the filter server has to check the request to decide whether the URL is blocked or not. It can’t do this if it is encrypted.

    You are correct in that they could block *all* encrypted https traffic to that IP address, but that would also block or interrupt legitimate sites using https on the same server (e.g. a shopping cart for).

  3. seanfish on Jul 20, 2009 at 12:40 pm:

    Not to mention the various methods entailed by #5 Colin which render the whole thing moot. I know of intermediate school children who can (for social networking, but the principle is the same) readily work around their schools’ filtering.

    In essence we have described here a system that, at best, keeps people safe from unwittingly exposing themselves to inappropriate content and at worst (a) blocks who knows what of benefit, and (b) costs us.

  4. Tim on Jul 21, 2009 at 7:32 am:

    With respect to point 3 (filter entries are added manually) – it would be dangerous to assume that an automatic filter based on heuristics could safely be implemented, given the present level of heuristic technology – and especially considering point 1. It would become trivial to ‘lead’ such a filter into blocking certain sites, abusing the filter to deny service to sites which are legitimate.

  5. anonymous on Dec 29, 2009 at 4:51 pm:

    I came to this discussion late but think it’s important to point out that there are now portable Tor versions for Firefox and Opera. These are so idiot-proof that anyone able to switch on a computer can now thumb their noses at any conceivable filtering software. This makes the whole idea of censorware even more useless and absurd than it already was. Just Google for OperaTor, download, click to unzip, click the executable (operator.exe), and you are away. Everything is preinstalled for encrypted, anonymous browsing.