Monday, April 11, 2011

The curious case of internet filtering in Ireland

[Reblogged from the new website MediaLaws.eu, where I will be contributing updates from Ireland.]

One of the most important developments for freedom of expression online has been the growth of internet filtering systems, which have rapidly been adopted by national governments as the “solution” to various forms of internet wrongdoing. Ireland is no exception to this trend, and last month it was revealed that the Garda Síochána (the national police force) is now attempting to introduce a system whereby ISPs would block access to websites alleged to host child abuse images.

It is somewhat ironic that this news becomes public just as both Germany and the Netherlands have decided to abandon similar systems, having found that they are ineffective as a means of tackling child abuse images. Even leaving aside considerations of effectiveness, however, the proposed Irish system still presents a number of significant concerns.

A fundamental principle under Article 10 of the European Convention on Human Rights is that measures which have the effect of restricting freedom of expression must be “prescribed by law”. In this case, however, the Irish system would not have any legal basis whatsoever, much less any judicial oversight or control. Instead, it would involve the police in telling ISPs what domains to block on a “self-regulatory” basis. Consequently, it would seem on the face of it that the proposed system would violate Article 10. The European Commission recently reached the same conclusion about self-regulatory blocking systems (p.30) as did a government study which was decisive in causing the Dutch blocking system to be abandoned.

A further problem relates to the secret manner in which the government and the police have attempted to introduce this system. There has been no public consultation or debate of any kind regarding blocking – instead, information has only dripped out in response to freedom of information requests and leaks from ISPs. This is particularly worrying given that (as Lessig points out) internet filtering is an inherently opaque process, which is prone to operating in an unaccountable way and to being extended beyond its original purposes. In the Irish context, the secrecy surrounding the introduction of filtering doesn’t bode well for the future.

The nature of the proposed blocking is also worrying. What Irish police have suggested is based on the CIRCAMP model, which attempts to block material by using DNS tampering. In short, the police would notify ISPs to block http://example.com or http://subdomain.example.com and the ISP would then configure their DNS servers to redirect all attempts to visit any material hosted on those (sub)domains. The effect would be massive overblocking, where users would be unable to visit any page hosted on a particular domain, irrespective of whether it had any connection whatsoever with the blocked material. Last February, a similar approach in the United States saw over 84,000 innocent websites being wrongfully blocked, and there is no reason to think that the Irish approach would be any more precise.

Finally, one particularly unusual aspect of the proposals is the way in which police seek to introduce monitoring of users. According to the proposals, where a user attempts to view a blocked domain name, police would “obtain details of other websites visited by the user, along with other technical details, in order that [they] can identify any new websites that require blocking”. This in effect seeks the full browsing history of users – whether or not there has been any attempt on their part to view child pornography! (Bearing in mind that DNS tampering results in massive overblocking, it is quite likely that a user may have their browsing history disclosed due to an attempt to visit http://example.com/innocent_content when the entirety of example.com has been blocked due to a single image or page elsewhere in the site.) This raises fundamental privacy and data protection concerns, particularly given that a user can often be identified by viewing their browsing history (e.g.), and has therefore been referred to the Data Protection Commissioner for investigation.

Given these problems, it must be hoped that these proposals are abandoned. But quite apart from these particular proposals, it is now also time to look at the other systems of internet filtering in Ireland that have developed on an ad hoc basis. In particular, Irish mobile phone companies have been engaged in self-regulatory blocking for some time (1|2), in a manner which often affects innocent users due to crude DNS systems. Similarly, the largest Irish broadband provider Eircom recently settled an action brought by the music industry by (amongst other things) agreeing to block access to The Pirate Bay and “related domain names”. These systems have developed without any real public scrutiny or oversight and it is time to consider the effect which they have on users, whether they are subject to adequate transparency and oversight mechanisms and whether or not they are effective at achieving their goals.

9 comments:

  1. Censorship seems alive and well as well as unconstitutional...any chance of the new European Directives offering a way to make this an infringement under the net neutrality rules?

    ReplyDelete
  2. Hi TJ
    glad to see you mention the GS letter to ISP's that got published online - I wonder if the same ISP's would care to publish their responses online also?

    DNS filtering is NOT what is required - try the Hybrid model instead - it is far more robust and less succeptable to the shortcomings of its older DNS cousin.

    BTW - have you looked at the IWF's report for last year - I don't think that they mention any complaints of mistakenly blocking sites

    Pat

    ReplyDelete
  3. @Chris - there have been murmurings to that effect, but until the Directives are implemented and someone complains to the Commission I can't see anything further happening.

    @Pat - I completely agree that DNS filtering is a mistake, which is why I was surprised to see that this is what the Garda proposals suggest! I presume you know this already, but if you look at the letter closely you'll see that despite some loose language in parts the key section proposes blocking "domains and subdomains" - i.e. implementing a DNS approach based on the CIRCAMP model. Consequently, there would be no point in Irish ISPs introducing hybrid filtering - why spend the money on a more sophisticated URL based system when the Garda blacklist will only designate domains in any event?

    You're absolutely right that the IWF itself doesn't have a problem with mistakenly blocking sites - though some companies which take its list do. I'm thinking in particular of the GSM operators who have been taking the URL list, stripping off everything but the domain and then implementing DNS filtering (o2 Ireland - I'm looking at you here). There has been massive collateral damage caused by this rather lazy approach, especially to image hosting websites.

    Leaving the IWF aside though, the CIRCAMP model doesn't appear to have a great track record for mistaken blocking. I'm thinking in particular of the AK Zensur study of the leaked Danish blacklist in which only 3 of 167 listed domains contained child abused images, with the remainder either expired (66), hosting terminated (92) or containing legal content (6). We can only hope that the proposed INTERPOL "worst of the worst" list would be better maintained.

    ReplyDelete
  4. Anonymous02 May, 2011

    @pat What problem are you trying to solve with blocking? There is no indication that people access these sites accidentally in significant numbers while, on the other hand, there is evidence that governments use blocking as a way of getting out of taking real action against the real crimes. If there is no proven benefit to child protection and there is a proven cost... what should you do?

    ReplyDelete
  5. Anonymous06 May, 2011

    The Netherlands did not abandon filtering because of its ineffectiveness, they decided that the police are not the correct entity to decide what is illegal or not. The plan was to have a NGO body evaluate the content and continue filtering, but in the 2-3 years since they stopped, no such body has been created. Germany has never had filtering. They have a law passed that makes this possible, but that law was later deemed unconstitutional.

    The likes of AZ Zensur - that strive to discredit any control of information has no credibility. Would you trust the "legalize marihuana" people to evaluate if marihuana is a problem or not?
    Anyone who knows anything about the Internet will also know that the first page displayed may not have all the content, or even any of the content, that is hidden in the URL on the site. Looking at only the default.html-page is, at best, just laziness. Why not contact the police that have added the address to see the seized version of the domain. I am sure they have evidence that the content was illegal when they checked it.

    There is no CIRCAMP list, each country makes their own according to their own laws. In some countries a lot is illegal, in some only a little - based on age, real child, type of abuse etc.

    The Interpol list is up and running and available to all ISPs and other services that would like to prevent distribution of child rape and abuse. They say they have about 400 domains on the list at any given time, using strict rules on what get on the list. 400 domains that are primarily run by criminals to provide abuse images for money to people who have a sexual desire for kids. Taking that off the internet is not a bad thing.

    ReplyDelete
  6. Some interesting points there, but I can't agree with all of them.

    The Netherlands did not abandon filtering because of its ineffectiveness, they decided that the police are not the correct entity to decide what is illegal or not.

    This is only partially correct. The first Dutch trial system was abandoned after the Stol study found it to be illegal. The follow up plan that you refer to - i.e. to have an NGO decide what to block - was the one which ISPs declined to continue having decided that it was ineffective.

    Germany has never had filtering. They have a law passed that makes this possible, but that law was later deemed unconstitutional.

    As far as I'm aware, the German law has not yet been ruled on by their courts. At the moment, the decision to abandon that law is a political one.

    Anyone who knows anything about the Internet will also know that the first page displayed may not have all the content, or even any of the content, that is hidden in the URL on the site. Looking at only the default.html-page is, at best, just laziness. Why not contact the police that have added the address to see the seized version of the domain. I am sure they have evidence that the content was illegal when they checked it.

    This reveals the problem with any DNS system. If only a particular page contains illegal content then there is no justification for blocking other material on the site - let alone the entire site. The UK hybrid URL blocking system does, at least, acknowledge this problem and attempt to block on a more granular basis.

    There is no CIRCAMP list, each country makes their own according to their own laws. In some countries a lot is illegal, in some only a little - based on age, real child, type of abuse etc.

    I never said there was a CIRCAMP list rather that there is a CIRCAMP model of blocking, which the Gardai wish to import.

    Your point, however, does reveal another difficulty - mobile broadband providers such as O2 are happily blocking in Ireland based on the IWF list even though UK laws are entirely different and would prohibit material which would be perfectly legal in Ireland.

    The Interpol list is up and running and available to all ISPs and other services that would like to prevent distribution of child rape and abuse. They say they have about 400 domains on the list at any given time, using strict rules on what get on the list. 400 domains that are primarily run by criminals to provide abuse images for money to people who have a sexual desire for kids. Taking that off the internet is not a bad thing.

    Nobody disputes that stopping the distribution of child pornography is a good thing. However, the fact that something is well motivated does not mean that it should be exempt from the normal legal rules. Is there any good reason why this area should (uniquely) be exempt from legislation and judicial oversight? The AK-Zensur study is just one of a number of different studies that should make one skeptical of secret and unaccountable controls on the internet.

    ReplyDelete
  7. Sinead D10 May, 2011

    So how would you handle blocking access to sites that hold child exploitation material?

    ReplyDelete
  8. So how would you handle blocking access to sites that hold child exploitation material?

    The short answer is that I wouldn't pursue ISP level blocking at all. There's plenty of evidence showing that ISP blocking is ineffective against individuals who seek out material. A good recent example is Eneman, Marie(2010) 'Internet service provider (ISP) filtering of child-abusive material: A critical
    reflection of its effectiveness', Journal of Sexual Aggression, 16: 2, 223 — 235
    http://dx.doi.org/10.1080/13552601003760014


    Arguments based on accidental exposure are rather weak - a recent Dutch study found no evidence of accidental exposure - and in any event can be dealt with by end-user software filtering if wished.

    Meanwhile, there's also plenty of evidence showing that takedown can be made substantially more effective at relatively little cost.

    In short, I'm inclined to support the German group representing survivors of sexual abuse, who describe blocking in the following terms:

    Deletion and investigation of such sites should always be prioritized ahead of blocking, and this is also true for this Directive. In any event, access restrictions in general should be seen as a subject matter that is covered by subsidiarity, under the condition that any such policy implemented by Member States be subject to a specific national law.

    The restrictions described in Article 10 of the European Convention on Human Rights (which covers "Freedom of Expression") clearly require a legal basis for interferences such as "internet blocking".

    Lawless situations which rely on corporate contract clauses in Scandinavia and in the United Kingdom are incompatible with this provision.

    The creation of a legal basis for these measures is therefore the absolute minimum that should be demanded. A second important criterion would be the involvement of a judge with a proper ruling which would provide a justification for the blocking.

    Nonetheless, MOGiS e.V. stresses that even though we are victims of sexual exploitation themselves we reject blocking in principle and believe that it represents a danger for democratic societies.

    Especially for victims, the Internet is a very important tool. It allows us to share our hope and sorrow. For this to be possible we need anonymity and confidentiality. These characteristics of the internet are at risk with the technology that is being proposed for internet blocking.

    Also we don’t want there to be any excuse for not acting – neither for the police nor any of the other stakeholders involved. Also we don’t want to give EU member states a means to hide their inaction and the failure of international cooperation on fighting sexual child exploitation.


    There is a possible exception in relation to hash value based blocking of images at the upload stage by hosts - where some interesting work has been done by e.g. Facebook - but a shortsighted focus on DNS blocking in Ireland means that the more effective technologies are being ignored.

    ReplyDelete
  9. @Sinead - I had posted a lengthy comment in reply, which Blogger now seems to have lost in the last technical outage. But this link - http://mogis-verein.de/eu/letter/ - generally reflects my views.

    ReplyDelete