The Scope Always Creeps

Three Statements

From the DIA press release titled “Web filter will focus solely on child sex abuse images”:

A filtering system to block websites… will focus solely on websites offering clearly objectionable images of child sexual abuse.

From a letter from Nathan Guy, Minister of Internal Affairs:

I support the Digital Child Exploitation Filtering System that has been developed by the Department of Internal Affairs to help prevent access to child sexual abuse images. The filtering system will focus solely on known websites offering clearly objectionable images of child sexual abuse.

However, Rory McKinnon has also been writing to the DIA to collect information for an article he wrote for the NZPA. He asked: “Can the minister personally guarantee that the blacklist will not “creep” (that is, expand its scope to include anything other than child sex abuse)?” The response (written by Trevor Henry, Senior Communications Advisor, Regulation and Compliance – 17/7/2009) to this letter was a little different:

The Department confirms that the scope of the filter will be confined to websites carrying images of children being sexually abused but there may be circumstances when a website that contains text files might be blocked. For example, an instructional manual for child abuse or a diary relating to the abuse of an actual child might be blocked.

Scope Creep

You may note that the first two statements very clearly say that the only websites to be filtered will be those that host images of children being sexually abused. The third statement contradicts the first two. It includes examples of other material that might be blocked by the filter, such as a text manual or a description of abuse.

Now, maybe you don’t think that filtering a manual or diary about sexual abuse is that bad – but that’s part of the problem. It often makes sense to extend something just a little bit further… then a little bit further… until finally you end up somewhere quite different from where you started.

For example, if you can filter an article that describes how to sexually abuse a child, can you also filter an article that explains how to get around the filter to read the first article?

The Australian system experienced this exact problem. They started by banning objectionable images and ended up banning entire websites that revealed what was being filtered.

Trusting the Government

Now, it probably bears repeating that I have no sympathy for those who create and distribute child pornography. My argument has always been that filtering won’t work, and that doing it secretly will lead the government to abuse it.

On the second point, the DIA’s position has been that we have to trust them and whatever secret review process they set up. But why should we trust them?

They refuse to give anyone a copy of the full list so that it can be audited, and when asked for a partial version of the list without the full addresses, they revealed that they have started deleting the records so that no one else can audit them either.

Now we find that their statements about only filtering images are also incorrect. The scope of what they’re doing has already grown before the system is out of the trial phase.

Internet filtering is not going to stop child abuse or child pornography and any such scheme is too open to abuse by the government. We should abandon it now – personally I’d rather we spent the money on preventing child abuse.

DIA to Accept Oversight of Internet Filter

I have received a letter from Nathan Guy, Minister for Internal Affairs, where he expands upon the DIA’s plans to set up some sort of oversight on the Internet filtering scheme.

My department recognises that, to ensure public confidence in the filtering system, the operation of the system must be as open to scrutiny as possible. The Department is, therefore, developing a Code of Practice to govern the operation of the completed system, and will be making the Code available on the Department’s website for public comment. An Independent Reference Group will be formed to ensure the Department operates the website filtering system in compliance with the Code.

I look forward to seeing the Code of Practice and hearing more about the Independent Reference Group.

DIA Deletes Records of Filtering Trial

While re-reading the most recent response from the Department of Internal Affairs (see page 3), I was struck by the following:

The Department is moving to implement the fully operational system and will shortly commence rebuilding the list. As the filtering list is rebuilt, new officer’s reports will be generated and, in preparation for this process, the reports related to the trial list have been deleted. The Department therefore cannot provide the requested information as it does not exist. [emphasis added]

I believe that this is a serious concern.

The Department of Internal Affairs has been running an Internet filtering scheme that has been actively used to filter people’s Internet connections without their knowledge. They have apparently deleted the reports that they used to justify adding websites to the list. This means that they have deliberately removed the ability for anyone to audit what they have been doing.

As a government department, the DIA has a responsibility under the Public Records Act 2005 to ‘create and maintain full and accurate records in accordance with normal, prudent business activity’. They’re not allowed to just delete them without getting permission from the Chief Archivist.

It’s this sort of behaviour that makes it so important that any filtering scheme be conducted in an open and accountable manner.

Labour Party Supports Internet Filtering

Clare Curran, the IT & Communications spokesperson, has confirmed that the Labour Party supports the DIA’s proposed Internet filtering scheme.

This is hardly a great surprise as the initial testing stages were done under the auspices of the Labour government.

Clare goes on to quote/paraphrase David Cunliffe (the Minister at the time):

He also stated that New Zealand had no intention of following Australia’s legislation of mandatory filtering by ISPs. New Zealand’s response to undesirable material has been an emphasis on education, as demonstrated by Netsafe. The Films, Videos and Publications Classification Act had no legislative authority for website filtering, he said.

I find this a bit disappointing, especially when Clare has obviously been doing a lot of thinking around other Internet-related issues such as copyright. I think it might be time to do some thinking around the Internet filtering problem too.

More from the DIA

My second letter to the Department of Internal Affairs seemed to get lost so I sent them another copy. I just got the response (page 1, page 2, page 3). Unfortunately the letter is now a bit obsolete as I have found out all of the answers by other means.

However, seeing as I have nothing to say about the letter I thought this would be a good time to make a few comments about the DIA and government in New Zealand:

  • The Official Information Act is wonderful. It’s enabled me to request useful information from the DIA and expect to get it as of right.
  • I’m impressed that the DIA have generally made a good job of answering my questions (although not always in the detail I’d like).
  • Someone jokingly told me the other day that I’d better not want to leave the country (as the DIA administer our passport issuing system). It pleases me that a) that idea had never crossed my mind, b) that I can’t see that happening in New Zealand.

Of course, it’s exactly this openness that I like that matters so much. The OIA is good – but the secret censorship scheme takes away from that. We need accountability so that we don’t end up in the same situation as the Australians with their farcical scheme aimed at dentists and dog kennels. An open and democratic government needs to work in an open and democratic manner.

Finally, I’d like to say that I support the DIA in their fight against child abuse and the people who make and traffic in images of child abuse. They have done some good work in catching people and bringing them to justice.

Internet Filtering Doesn’t Work

When I started my campaign against internet filtering my original concern was that the government would be running a secret censorship scheme.

However, as I’ve found out more about how the filtering will work (see the Technical FAQ), I’ve become increasingly impressed with just how useless it is. The DIA’s proposed internet filtering system is not going to stop the people who want blocked material from accessing it.

Here are some of the major technical problems with it:

1. It can’t intercept encrypted web traffic (https).

When web traffic gets diverted to the DIA, their filter server examines the request to see which website it is going to, and the request is then either blocked or allowed. This works only if the web traffic is in plain text and not encrypted.

Of course, many people don’t want anyone to see the information they’re sending over the web to the bank, or the credit card number they’re sending to an online shop. So someone invented a secure form of web traffic (called https) that encrypts everything sent to and from the web server. More and more sites are starting to use secure web traffic for everything (e.g. Google Mail).

It’s not hard to change your website from non-secure http to secure https. And, if you do, the DIA filter server can’t intercept it.

2. It can’t intercept file sharing, email, chat, instant messaging or anything other than unencrypted web traffic.

Most mainstream movies and music are shared with peer to peer file sharing. The DIA’s filter server won’t look at this type of traffic.

Most online communications are through email or instant messaging. The DIA’s filter server won’t look at this type of traffic.

Why wouldn’t people who spread child pornography use the same tools available to everyone else on the internet?

The DIA’s filter server only examines unencrypted web traffic, ignores everything else, and is therefore doomed to irrelevance.

3. Adding new entries to the filter is a manual process.

Creating and moving websites is fast and easy these days. My own web server (used for this blog) only took about an hour to set up.

To be blocked by the DIA’s server, someone has to find out about the site, check it, and then add it to the list. At which point it can just be moved to a new name on the web.

When websites are so easy and quick to set up, I just don’t see how it’s possible for them to keep the filter list sufficiently up to date.

4. The filter will only be used by some ISPs.

A number of ISPs in New Zealand do not intend to use the DIA’s internet filter. They don’t see it as part of their business. To quote the words of one ISP’s CEO – “we’re the pipe, not the censor”.

If a number of major ISPs don’t use the filter, is there any point in implementing it for the ones that do?

And if the ISP wants to implement their own filter for their business/school clients, they’ll surely be wanting to ban more than is covered by the DIA filter.

5. A motivated person can easily get around the filter.

Most importantly of all, even if all those other points weren’t true, it’s just too easy for a motivated person to work around the filter.

Here is one fairly simple way (and you could write instructions that would let even the non-technically savvy do it): sign up for a US$10/month account with a hosting firm in the US. Install MyEnTunnel on your PC and point it at your account in the US… and everything you do on the internet goes through the US and will never go anywhere near the DIA’s filter server.

Most people won’t bother doing this, but the people who want this material know that it’s illegal and are already used to using similar techniques to avoid detection.
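Points 1 and 2 above can be made concrete with a short sketch of the decision a plaintext-URL filter can reach for each kind of traffic it is handed. This is an added example, not the DIA's code; the blocklist entry, host names and captured bytes are all constructed.

```python
# Added illustration: what a URL-matching filter can read from diverted traffic.
# Everything below (blocklist entry, hosts, captured bytes) is constructed.

BLOCKLIST = {("blocked.example", "/listed/page.html")}  # hypothetical entry

def classify(first_bytes: bytes) -> str:
    """Return the decision a plaintext-URL filter can reach for one flow."""
    # A TLS record starts with content type 0x16 (handshake) and major
    # version 0x03. The HTTP request line and path travel inside the
    # encrypted stream (the ClientHello may expose a server name, but
    # never the path), so URL matching is impossible.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "opaque: encrypted (https), URL not visible"

    head, _, _ = first_bytes.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        path = parts[1].decode("ascii", "replace")
        host = ""
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace").lower()
        host = host.split(":")[0]  # drop an explicit port, if any
        return "block" if (host, path) in BLOCKLIST else "allow"

    # Mail, chat, file sharing and so on: nothing here for a web filter to parse.
    return "not inspected: not plaintext web traffic"

# Constructed first bytes of four flows.
HTTP_LISTED = b"GET /listed/page.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
HTTP_OTHER = b"GET /index.html HTTP/1.1\r\nHost: blocked.example:80\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SMTP_HELLO = b"EHLO mail.example\r\n"

def run_samples() -> dict:
    """Classify each constructed flow and return the decisions by name."""
    samples = {"http_listed": HTTP_LISTED, "http_other": HTTP_OTHER,
               "https": TLS_HELLO, "smtp": SMTP_HELLO}
    return {name: classify(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:12} -> {decision}")
```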

Conclusion

Even if we ignore the political problems and the internet performance problems, we’re still left with the major problem that the filter just won’t work.

So why are we wasting time and money on it?

Green Party Opposes Internet Filtering

The Green Party has announced that they are opposed to the DIA’s plans to filter the internet.

Metiria Turei has given a comprehensive answer to the questions I asked, including:

…the Green Party sees the role of ISPs as common carriers and that ISPs should not be made responsible for content that passes through their networks or for material on web sites which they host.

Green Party Policy explicitly states that ISPs must, within the constraints of legal requirements, provide a censorship free service for users who do not want any form of censorship.

I suggest you read the response in full.

I am still waiting for statements from the other major parties.

But Which ISPs?

The list of which ISPs will or won’t implement the filter has been moved to Tech Liberty.

The Department of Internal Affairs has just issued a press release in which they:

  • State their intention to start the filter service within a couple of months.
  • Say that the filter will not cover email or file sharing.
  • Say that the information collected will not be used for law enforcement.
  • Claim that Internet NZ is happy with their plans.
  • Say that an independent reference group will be established to oversee the operation.

I have updated the general FAQ and technical FAQ with the new information.


Edit: DIA have released an amended version clarifying the position of Internet NZ.

Original version: “We understand that Internet NZ is happy with our plans but the society will be able to review the hardware setup to ensure it complies with industry best practice.”

Amended version: “Internet NZ has requested further information which the Department will provide. The society will be able to review the hardware setup to ensure it complies with industry best practice.”


It’s now available on their website, but here is the complete text of what they emailed me (amended version):

Continue Reading “DIA Announces Internet Filtering Implementation” »

Website Update

It looks like this site is going to be taken over by the topic of internet filtering for a little while. The normal (if infrequent) programming may or may not return at any time. Here’s a bit of an update on what’s happening.

Internet Filtering FAQs

Articles and Links

Collecting Information

I am endeavouring to collect more information around this issue. This includes asking political parties for their policy, talking to ISPs, writing to the Chief Censor, etc, etc. I will post news as the responses come in.

News Feed

I have created the @nzcensor Twitter feed for posting links to articles of interest. It will include new articles as well as any interesting older articles that I find. You can get it at:

Send me an email at thomas@thomasbeagle.net if you wish to suggest a link.

Next Steps

I believe the next step is to start a campaign against the planned internet filtering scheme. This will mean developing a policy followed by deciding on and implementing a strategy. Feel free to volunteer!