Friday, May 01, 2009

IWF Annual Report: Wikipedia blocking and more

The Internet Watch Foundation has just issued its 2008 Annual Report (PDF) where it offers this defence of its role in the Wikipedia blocking saga, along with an indication that it will review its procedures in light of this case:
Wikipedia on the IWF list

In December our hotline received a report regarding an indecent image of a pre-pubescent girl on a Wikipedia page. The image was assessed according to current UK legislation, in accordance with the UK Sentencing Guidelines Council thresholds (see page 8, Figure 5) and was considered to be potentially illegal.

Our procedures require us to pass details of every URL considered to be in breach of UK legislation to law enforcement and hotline associates around the world for further investigation, in accordance with the laws in the hosting country. If the URL is hosted outside the UK, it is also added to our URL list which is provided to companies in the online sector that have voluntarily committed to blocking access to these URLs to help protect their customers from inadvertent exposure to indecent images of children online.

These procedures and policies are approved by our Board of Trustees and Funding Council, and our hotline systems, security and processes, including the handling of the URL list, are periodically audited by external independent inspectors, including forensic, academic and law enforcement professionals identified by our Board.

In this particular case there was an unforeseen technical side-effect of blocking access to the Wikipedia page in question. Due to the way some ISPs block, users accessing Wikipedia from these ISPs appeared to be using the same IP address. This undermined the way Wikipedia controls vandalism therefore anonymous UK Wikipedia users were blocked from editing.

Following representations from Wikipedia the IWF invoked its Appeals Procedure. This entails a review of the original decision with law enforcement officers. They confirmed the original assessment and this information was conveyed to Wikipedia. Due to the public interest in this matter our Board closely monitored the situation and, once the appeals process was complete, they convened to consider the contextual issues involved in this specific case. IWF’s overriding objective is to minimise the availability of indecent images of children on the internet, however, on this occasion our efforts had the opposite effect so the Board decided that the webpage should be removed from the URL list.

As a learning organisation we are committed to improving our services so issues raised by this incident will be addressed, in collaboration with our industry partners, in the year ahead. (p.9)
My take? The Wikipedia debacle created a number of fundamental challenges for the IWF in relation to its reputation, procedures and legitimacy, as well as undermining the technical claims for the efficacy of internet filtering. This IWF response offers the possibility that they will address these issues - but it remains to be seen whether the outcome will be (possibly modified) business as usual or whether there will be a fundamental rethink of the IWF's role in internet filtering.

Incidentally, the annual report is also interesting in that it signals a move towards tackling child pornography by targeting a new type of intermediaries - by seeking to have domain name registries delist domain names involved in the sale of child pornography. This follows a trend I've noted before - towards domain name registrars / registries becoming the new points of control for regulators.

1 comment:

  1. hey TJ. regarding domain names being the new point of control -- going by my experience in anti-spam, this, I think, is largely due to the pervasiveness of highly effective censorship-avoidance technology using open proxies, which means that blocking IP addresses or IP ranges no longer works very well to block access to "bad" sites. (for whatever values of "bad" apply.)

    On the other hand, domains are still effectively "owned" by individuals or companies, and it's a lot harder to "proxy" domain ownership in the same way as it is with IPs.

    We certainly use domain blocking a lot in antispam, and have for years.