Update on Filtering

Today I met with some of the staff in the Censorship Unit at the Department of Internal Affairs to discuss the Internet filtering system.

Here’s some of what I learnt:

  • The Censorship Unit prosecute approximately 40-50 people a year for trading in child pornography, with a conviction rate of over 90%. Most of these are using P2P file sharing.
  • The purpose of the filter is not to stop the hard core traders, but to stop the casual and curious. The view is that a curious person will be sucked into getting more and more.
  • The Enterprise (final live system) Internet filtering system will be installed in Auckland, Wellington and Christchurch. Initially all traffic will go through the Auckland location with the others as redundant fail-over sites, eventually the traffic will be load-balanced between the sites.
  • The system also has redundant Internet connections.
  • The DIA claims that a major outage would be resolved in 5-10 minutes at worst.
  • The DIA say that the cost of the system is approximately $30k a year plus Internet and staff costs.
  • They really do re-check 7000 sites each month. Apparently there are three checkers who spend about an hour each working day, checking about 120 sites each an hour.
  • The Code of Practice is being rewritten somewhat in response to the submissions. In particular, the role of the Independent Reference Group (IRG) will be better defined.
  • The IRG will have access to the reports about the websites as well as the details of the appeal.
  • The DIA have been speaking to likely bodies to see if they wish to be part of the IRG.
  • There may be a role for the Office of Film and Literature Classification in auditing the list of banned sites.
  • We confirmed that the system doesn’t work with HTTPS (encrypted web traffic) and the new IP version 6.
  • The NetClean (the filtering product being used) contract specifies that the system can only be used to filter child pornography.
  • They say that they wouldn’t add Wikileaks to the filter if a copy of the list turned up there.

I will be updating the FAQs accordingly.

9 Responses to “Update on Filtering”

  1. 1Sam on Oct 21, 2009 at 8:40 am:

    The claim that major outages will be resolved in 5-10 minutes sounds like they have no experience in operations. It certainly is possible that service levels like that may be achieved, but it would cost an order of magnitude more than the $30k p.a. budget they mention. I think one of those numbers is wrong.

  2. 2Jack M. on Oct 21, 2009 at 12:58 pm:

    Wow, they going to have one person check 120 sites in one hour, every day? That’s 30 seconds per site! Amazing! I hope they don’t suffer from any type of lag while opening the site, or the whole process would fall behind after, say, the first 30 seconds.

    What sort of checks are these, anyway? That they still contain childporn? Or that they still exist? The latter you could do automatically, the former you could not possibly achieve in 30 seconds.

    Good luck with that!

  3. 3Fred on Oct 21, 2009 at 1:06 pm:

    7000 sites on the list?

    IWF, the prominent black list producer has less than 2500 on their list, so what is the other 4500 sites. This is not accounting for the non child pornography sites now on their lists

  4. 4Fred on Oct 21, 2009 at 1:08 pm:

    So what happens to HTTPS traffic, is it blocked or ignored?

  5. 5Fred on Oct 21, 2009 at 1:10 pm:

    And when IP6 becomes widespread, in oh a year or three, do they scrap the idea? IP6 provides for every site offering HTTPS traffic at the browser’s request.

  6. 6thomas on Oct 25, 2009 at 5:29 pm:

    Sam – yes, it does seem a bit optimistic.

    Jack M – Well, after discussing the checks with the people at the DIA I did find their explanation of the testing makes sense. They have a URL that had child porn last time they looked, they open it, check that it still has ick on it, tick it off and move on to the next.

    Fred – well, they claim that they check them every month and are only filtering sites with images of child sexual abuse. I do wonder if the 7000 is more granular and therefore refers to pages as much as it refers to sites.

    Fred – https traffic on a filtered IP is passed through the filter without interruption.

    Fred – no IPv6 support yet. They expect it to be added at some point. The DIA even told me to check out http://ipv6porn.com !

  7. 7Joseph on Nov 2, 2009 at 3:08 pm:

    Are you sure they would like you linking to that site?

  8. 8thomas on Nov 2, 2009 at 3:11 pm:

    Joseph – I imagine they’ll be amused.

  9. 9Anonymous on Nov 2, 2009 at 4:12 pm:

    When they finally get around to filtering HTTPS and IP6 and all the nonchild-porn sites you can bet they’re going to start blocking sooner or later, you can always use Tor (https://www.torproject.org). It’s free and open-source. If they start blocking Tor’s entry nodes start using the hidden bridge nodes. Don’t trust Big Brother to only filter out the “bad stuff”. The government’s not your friend.