DIA’s Draft Code of Practice

The Department of Internal Affairs has released a draft Code of Practice for the operation of their Internet filtering scheme.

The Code of Practice provides a good overview of how the system works and explains the policies that the DIA will use to manage the list. None of it should be a surprise to anyone who has read the FAQs and other articles on this website.

Rather than rehash the arguments for or against the filtering (although it is amusing to note that the Code admits a number of the shortcomings with the system), I’d rather write about their proposal for an Independent Reference Group that they have included in the draft Code.

The Department will institute an Independent Reference Group (IRG) to maintain oversight of the operation of the Digital Child Exploitation Filtering System to ensure it is operated with integrity and adheres to the principles set down in this Code of Practice.

That reads well enough but finding out what the IRG will actually do is a bit tricker. The first reference to them is in relation to people appealing decisions to block particular sites: “The appeals submitted and the actions taken will be reported to the IRG. The reports will be published on the Department’s website.”

The second is merely about reviewing the Code of Practice: “The Department, in conjunction with the IRG, will review the Code after 12 months operation. ”

The first major omission in the Code is the method by which the members of the IRG are going to be selected. We need to know that to get some idea of just how Independent the RG will be.

Secondly, there is no real guidance to the workings of the IRG. How often will they meet? What powers will they have? What happens if there is a disagreement between the DIA and the IRG about the inclusion of a particular site?

Thirdly, note that the IRG still has to rely on the DIA as they’re the ones that judge any appeals. The IRG only sees the report of the DIA’s inspector. Is the IRG going to be able to anything more than say “The DIA told us that they’re doing everything correctly”?

Overall, I’m not sure if the IRG really adds much to the need for openness and transparency. Once again the DIA’s desire to keep the filter list secret ends in the inevitable “you have to trust us”, except that this time we have to trust the IRG who has to trust the DIA.

Naturally I’ll be making a submission.

Another Internal Affairs Letter

A further response from the Department of Internal Affairs (page 1, page 2, page 3).

Some points from their letter:

  • The Internet filtering system will be going live “within two months”.
  • Public records? Those reports that we used to censor certain websites based on their content and then deleted are public records? Cor.
  • Confirmation that all traffic (chat, file sharing, email, etc) other than web traffic is passed through the filter without being checked.
  • Confirmation that all HTTPS (secure web traffic such as used by banks and shopping sites) is passed through the filter without being checked.
  • Three people will be employed maintaining the filtering system, although they might have other duties as well.

Internet Connection

The Internet filter server will be using a “fibre optic cable at 100Mb/sec” at a cost of $2000 per month.

After talking to people in the industry, this sounds like it will be a connection through the Wellington Citylink network and at that price will probably include 5-10Mbps of paid for Internet bandwidth.

Filtered Content

Finally there are a series of questions & answers about the type of content they’re blocking.

First they respond with “All of the websites that were on the filtering list hosted images of child sexual abuse.”

But when asked about link sites, the response is very carefully written: “Some of the websites that were on the filtering list contained thumbnail sized child sexual abuse images as part of galleries and links to websites hosting objectionable material. There were no sites that did not include images of child sexual abuse, even if only thumbnail images.”

Of course, this in direct contradiction to what they have told other people as documented here (in both the article and the comments).

I hope the Ombudsman hurries up with their decision about releasing the list.

The Scope Always Creeps

Three Statements

From the DIA press release titled “Web filter will focus solely on child sex abuse images”:

A filtering system to block websites… will focus solely on websites offering clearly objectionable images of child sexual abuse.

From a letter from Nathan Guy, Minister of Internal Affairs:

I support the Digitial Child Exploitation Filtering System that has been developed by the Department of Internal Affairs to help prevent access to child sexual abuse images. The filtering system will focus solely on known websites offering clearly objectionable images of child sexual abuse.

However, Rory McKinnon has also been writing to the DIA to collect information for an article he wrote for the NZPA. He asked: “Can the minister personally guarantee that the blacklist will not “creep” (that is, expand its scope to include anything other than child sex abuse)?” The response (written by Trevor Henry, Senior Communications Advisor, Regulation and Compliance – 17/7/2009) to this letter was a little different:

The Department confirms that the scope of the filter will be confined to websites carrying images of children being sexually abused but there may be circumstances when a website that contains text files might be blocked. For example, an instructional manual for child abuse or a diary relating to the abuse of an actual child might be blocked.

Scope Creep

You may note that the first two statements very clearly say that the only websites to be filtered will be those that host images of children being sexually abused. The third statement contradicts the first two. It includes examples of other material that might be blocked by the filter, such as a text manual or a description of abuse.

Now, maybe you don’t think that filtering a manual or diary about sexual abuse is that bad – but that’s part of the problem. It often makes sense to extend something just a little bit further… then a little bit further… until finally you end up somewhere quite different from where you started.

For example, if you can filter an article that describes how to sexually abuse a child, can you also filter an article that explains how to get around the filter to read the first article?

The Australian system experienced this exact problem. They started by banning objectionable images and ended up banning entire websites that revealed what was being filtered.

Trusting the Government

Now, it probably bears repeating that I have no sympathy for those who create and distribute child pornography. My argument has always been that filtering won’t work, and that doing it secretly will lead the government to abuse it.

On the second point, the DIA’s position has been that we have to trust them and whatever secret review process they set up. But why should we trust them?

They refuse to give anyone a copy of the full list so that it can be audited, and when asked for a partial version of the list without the full addresses, they revealed that they have started deleting the records so that no one else can audit them either.

Now we find that their statements about only filtering images are also incorrect. The scope of what they’re doing has already grown before the system is out of the trial phase.

Internet filtering is not going to stop child abuse or child pornography and any such scheme is too open to abuse by the government. We should abandon it now – personally I’d rather we spent the money on preventing child abuse.

DIA to Accept Oversight of Internet Filter

I have received a letter from Nathan Guy, Minister for Internal Affairs, where he expands upon the DIA’s plans to set up some sort of oversight on the Internet filtering scheme.

My department recognises that, to ensure public confidence in the filtering system, the operation of the system must be as open to scrutiny as possible. The Department is, therefore, developing a Code of Practice to govern the operation of the completed system, and will be making the Code available on the Department’s website for public comment. An Independent Reference Group will be formed to ensure the Department operates the website filtering system in compliance with the Code.

I look forward to seeing the Code of Practice and hearing more about the Independent Reference Group.

DIA Deletes Records of Filtering Trial

While re-reading the most recent response from the Department of Internal Affairs (see page 3), I was struck by the following:

The Department is moving to implement the fully operational system and will shortly commence rebuilding the list. As the filtering list is rebuilt, new officer’s reports will be generated and, in preparation for this process, the reports related to the trial list have been deleted. The Department therefore cannot provide the requested information as it does not exist. [emphasis added]

I believe that this is a serious concern.

The Department of Internal Affairs has been running an Internet filtering scheme that has been actively used to filter people’s Internet connections without their knowledge. They have apparently deleted the reports that they used to justify adding websites to the list. This means that they have deliberately removed the ability for anyone to audit what they have been doing.

As a government department, the DIA has a responsibility under the Public Records Act 2005 to ‘create and maintain full and accurate records in accordance with normal, prudent business activity‘. They’re not allowed to just delete them without getting permission from the Chief Archivist.

It’s this sort of behaviour that makes it so important that any filtering scheme be conducted in an open and accountable manner.

Labour Party Supports Internet Filtering

Clare Curran, the IT & Communications spokesperson, has confirmed that the Labour Party supports the DIA’s proposed Internet filtering scheme.

This is hardly a great surprise as the initial testing stages were done under the auspices of the Labour government.

Clare goes on to quote/paraphrase David Cunliffe (the Minister at the time):

He also stated that New Zealand had no intention of following Australia’s legislation of mandatory filtering by ISPs. New Zealand’s response to undesirable material has been an emphasis on education, as demonstrated by Netsafe. The Films, Videos and Publications Classification Act had no legislative authority for website filtering, he said.

I find this a bit disappointing, especially when Clare has obviously been doing a lot of thinking around other Internet-related issues such as copyright. I think it might be time to do some thinking around the Internet filtering problem too.

More from the DIA

My second letter to the Department of Internal Affairs seemed to get lost so I sent them another copy. I just got the response (page 1, page 2, page 3). Unfortunately the letter is now a bit obsolete as I have found out all of the answers by other means.

However, seeing as I have nothing to say about the letter I thought this would be a good time to make a few comments about the DIA and government in New Zealand:

  • The Official Information Act is wonderful. It’s enabled me to request useful information from the DIA and expect to get it as of right.
  • I’m impressed that the DIA have generally made a good job of answering my questions (although not always in the detail I’d like).
  • Someone jokingly told me the other day that I’d better not want to leave the country (as the DIA administer our passport issuing system). It pleases me that a) that idea had never crossed my mind, b) that I can’t see that happening in New Zealand.

Of course, it’s exactly this openness that I like that matters so much. The OIA is good – but the secret censorship scheme takes away from that. We need accountability so that we don’t end up in the same situation as the Australians with their farcical scheme aimed at dentists and dog kennels. An open and democratic government needs to work in an open and democratic manner.

Finally, I’d like to say that I support the DIA in their fight against child abuse and the people who make and traffic in images of child abuse. They have done some good work in catching people and bringing them to justice.

Internet Filtering Doesn’t Work

When I started my campaign against internet filtering my original concern was that the government would be running a secret censorship scheme.

However, as I’ve found out more about how the filtering will work (see the Technical FAQ), I’ve become increasingly impressed with just how useless it is. The DIA’s proposed internet filtering system is not going to stop the people who want blocked material from accessing it.

Here are some of the major technical problems with it:

1. It can’t intercept encrypted web traffic (https).

When internet web traffic gets diverted to the DIA, their filter server examines the request to see which website it is going to and then the request is either blocked or allowed. This does work if the web traffic is in plain text and not encrypted.

Of course, many people don’t want anyone to see the information they’re sending over the web to the bank, or the credit card number they’re sending to an online shop. So someone invented a secure form of web traffic (called https) that encrypts everything sent to and from the web server. More and more sites are starting to use secure web traffic for everything (e.g. Google Mail).

It’s not hard to change your website from non-secure http to secure https. And, if you do, the DIA filter server can’t intercept it.

2. It can’t intercept file sharing, email, chat, instant messaging or anything other than unencrypted web traffic.

Most mainstream movies and music are shared with peer to peer file sharing. The DIA’s filter server won’t look at this type of traffic.

Most online communications are through email or instant messaging. The DIA’s filter server won’t look at this type of traffic.

Why wouldn’t people who spread child pornograpy use the same tools available to everyone else on the internet?

The DIA’s filter server only examines unencrypted web traffic, ignores everything else, and is therefore doomed to irrelevance.

3. Adding new entries to the filter is a manual process.

Creating and moving websites is fast and easy these days. My own web server (used for this blog) only took about an hour to set up.

To be blocked by the DIA’s server, someone has to find out about the site, check it, and then add it to the list. At which point it can just be moved to a new name on the web.

When websites are so easy and quick to set up, I just don’t see how it’s possible for them to do a good enough job to keep the filter list up to date enough.

4. The filter will only be used by some ISPs.

A number of ISPs in New Zealand do not intend to use the DIA’s internet filter. They don’t see it as part of their business. To quote the words of one ISP’s CEO – “we’re the pipe, not the censor”.

If a number of major ISPs don’t use the filter, is there any point in implementing it for the ones that do?

And if the ISP wants to implement their own filter for their business/school clients, they’ll surely be wanting to ban more than is covered by the DIA filter.

5. A motivated person can easily get around the filter.

Most importantly of all, even if all those other points weren’t true, it’s just too easy for a motivated person to work around the filter.

One fairly simple way (and you could write instructions that would let even the non-technically savvy do it). Sign up for US$10/month account with a hosting firm in the US. Install MyEnTunnel on your PC and point it at your account in the US… and everything you do on the internet goes through the US and will never go anywhere near the DIA’s filter server.

Most people won’t bother doing this, but the people who want this material know that it’s illegal and are already used to using similar techniques to avoid detection.

Conclusion

Even if we ignore the political problems and the internet performance problems, we’re still left with the major problem that the filter just won’t work.

So why are we wasting time and money on it?

Green Party Opposes Internet Filtering

The Green Party has announced that they are opposed to the DIA’s plans to filter the internet.

Metiria Turei has given a comprehensive answer to the questions I asked, including:

…the Green Party sees the role of ISPs as common carriers and that ISPs should not be made responsible for content that passes through their networks or for material on web sites which they host.

Green Party Policy explicitly states that ISPs must, within the constraints of legal requirements, provide a censorship free service for users who do not want any form of censorship.

I suggest you read the response in full.

I am still waiting for statements from the other major parties.

But Which ISPs?

The list of which ISPs will or won’t implement the filter has been moved to Tech Liberty.