Website blocking LINX
-
8/7/2019 Website blocking LINX
26th January 2011
Internet Content Blocking: a primer
Malcolm Hutty
Head of Public Affairs, LINX
-
A glossary
Right from the start
-
What is an ISP?
Formally
Internet Service Provider
Commonly
Internet Services Provider
Technically
Provider of Internet Service
a.k.a. Internet access
-
Other terms for an ISP
Connectivity provider
Mere conduit
Legal term, relates to legal liability
Public Electronic Communications Service provider
Legal term from regulatory framework
Transit provider
An ISP that connects other network operators to each other; normally to contrast with one who provides access for consumers and businesses
-
Business and consumer ISPs
Consumer broadband market is heavily concentrated
Business market is more fragmented
Large number of niche providers
Solutions providers that include connectivity
Business connectivity is basic infrastructure
Mechanical control systems
Distributed business units (e.g. supply chain management)
-
What is Internet service? (1)
Internet protocol
Communications protocol designed to enable diverse computer systems to interconnect and exchange data
Data is split up into small packets
Packet format defined by Internet Protocol
Packet header contains:
a destination address
a source address (for reply)
content (could be anything)
-
What is Internet service? (2)
ISP provides connectivity
Receive packets of data
Route those packets to their destination
ISP network is a series of connected routers
The Internet consists of end points connected by a series of routers
Routers receive packets and pass them on
Routers inspect packet header to determine where to send them
Routers do not inspect packet contents
-
What is Internet service? (3)
Internet Protocol packet contents can be anything
Contents can be data formatted according to another communications protocol (e.g. web, e-mail)
Thus, Internet protocol is application agnostic
And so is ISP
Destination device (end point)
Receives packets
Reassembles contents into a message (e.g. web page)
Interprets message, and acts on it
Thus, destination service is application specific
-
What is hosting?
Usually refers to web hosting
Connecting a web server to the Internet
A web server is a computer that runs a web site
Hosting services may include
Physical space for the computer system
Technical operation/maintenance
But does not itself include
Originating the content (authorship)
Selecting, correcting the content (editorial control)
-
Types of hosting
Self-hosting
A large business may provide its own hosting
Traditional hosting provider
Business and consumer hire a hosting company
Shared hosting: multiple customers on one server
Co-location: give the hosting company your server
User-generated content
End users upload their content to an open service
e.g. Facebook, YouTube, eBay
-
The E-Commerce Directive
Provides protection from liability to
Mere conduits
Hosting providers
Caches
No duty for Internet intermediaries to monitor their networks
-
Qualifying for legal protection
Mere conduit
Does not initiate communication
Does not select recipient of communication
Does not modify communication
NB: Mere conduit's knowledge is irrelevant
Hosting provider
Removes content expeditiously upon gaining actual knowledge of the content
Cache
(Follows technical standard practice for caches)
-
Nature of Liability Protection
Complete protection from liability
Applies to civil and criminal liability
Courts can still grant injunctions
to terminate or prevent infringements
Interpretation dispute
Is liability restricted to monetary damages?
Or does it also prevent general filtering injunctions?
Ongoing litigation
-
Internet addressing
Each Internet device has an IP address
E.g. 216.154.60.109
Used by Internet routers to send data to the right location
Domain name system (DNS) provides names
E.g. example.com
DNS server translates names to IP addresses
Names are more memorable
Underlying address can be changed without changing the name
Individual applications have their own addressing schemes, e.g. e-mail, Instant Messaging
-
The web is not the Internet!
The Internet
Many services
Streaming video (e.g. iPlayer)
Instant Messaging (e.g. MSN)
Voice [VoIP] (e.g. Skype)
Games (e.g. World of Warcraft)
Business (e.g. supply chain)
Control systems (e.g. SCADA)
P2P (e.g. eDonkey)
Each has its own protocol
The web
One service (web pages)
Viewed via a web browser
One technical communications protocol (HTTP)
-
Peer-to-peer (P2P)
Pseudo P2P
User connects to a server to find content
Server directs them to a user with the content
User downloads directly from the other user
Content is not hosted by server
True P2P
No central server
Search other users' PCs directly
-
Two contexts for content blocking
-
Purposes of Content Blocking (1)
Protection
Help users avoid content they do not wish to encounter
Compliance
Prevent users from accessing material they are actively seeking
-
Purposes of Content Blocking (2)
Protection
User does not want to access blocked material
User will not deliberately subvert blocking system
User's normal usage will usually not strain the blocking system by introducing difficult cases
Compliance
User wishes to access blocked material
User may deliberately subvert blocking system
-
Examples of protection
Phishing
E.g. bank impersonation sites
Viruses and other malware
Protecting ordinary users from viewing child abuse images (child pornography)
Helping children not to mistake gambling for computer games
-
Examples of compliance
Preventing terrorists accessing bomb making instructions
Preventing paedophiles accessing child pornography
Preventing gamblers accessing gambling sites
-
Examples of mixed cases
In these cases, some users may wish to be blocked, some may not:
Preventing teenagers accessing pornography
Preventing Muslims accessing extremist ideologies
Preventing the curious accessing banned material
-
In theory
Content Suppression
-
Content suppression
Main methods
Notice & Takedown
Network level address blocking
Network level filtering
End user filtering and blocking
First three are mandatory for end user; last requires the end user's cooperation
Last three are technical interventions; first is an institutional procedure
-
Blocklists (1)
All address based blocking methods depend on being supplied with a list of addresses to block
Who supplies this list?
Who supervises?
Is list publicly available?
What criteria?
What appeals?
Is appeals process real or merely theoretical? (If you don't know you're being listed you won't appeal)
-
Blocklists (2)
All blocking systems are a machine for censorship
May be limited to certain types of content
But only by choice of what goes on blocklist
Change in listing policy technically easy, but change in size of list may overload system
And switch from user protection to enforcement will compromise outcome
Change in protocol (e.g. from web to P2P) not the same as a change in listing policy, and not easy
-
Notice & Takedown
Method
Contact the hosting provider
Identify the content and ask for removal
Hosting provider removes the content at source
Outcome
Content is gone from the Internet
Problems
Can of course be re-uploaded, here or elsewhere
Only works for hosted content
-
Network level address blocking
Method
Give the ISP a list of addresses to block
ISP prevents Internet traffic reaching those addresses
Outcome
In theory, the ISP's customers cannot reach the destination device
although there are many ways they can
Problems
The content remains on the server
Other ISPs' customers can still access it
Might break mere conduit
-
Network level filtering
Method
Give the ISP a list of items to filter
ISP continually monitors its network for those items
Intercepted in mid transmission and discarded
Problems
Not practically possible to do
Utterly impossible for encrypted communications
Highly intrusive
Breaks mere conduit (modifies transmission)
Incompatible with no duty to monitor
-
End user filtering
Method
End user installs software on own PC to block and filter traffic
Outcome
User can select own choice of blocking software, and hence what gets blocked
If PC is properly configured, hard to get round
Problems
Device support e.g. smart phones
Depends on user cooperation
-
Types of address blocking
-
Address-based blocking methods
DNS blocking
Web Proxy blocking
IP address blocking
Hybrid blocking (Cleanfeed)
-
DNS Blocking (1)
Background
ISPs customarily provide DNS resolvers for their customers to use
But others do too e.g. OpenDNS, Google
Method
ISP configures their DNS resolver to return a false result for a site to be blocked
E.g. example.com
End user is thus directed to an alternative site, or to none
-
DNS Blocking (2)
Features
Low financial cost
Blocks entire domain, not just web
Uptake
Used in Italy, parts of Scandinavia
Not used in UK (NB: Nominet exception)
Problems
Massive overblocking
Easy to avoid by using alternative DNS resolver
Surprisingly difficult to implement without errors
-
Web proxy blocking
Method
Force all web traffic through a proxy operated by ISP
Intercept particular items and return a false result
Features
Granular: blocks individual items
Centralised, mandatory blocking
Very expensive: all web traffic through proxy
Can slow network traffic
Reduces network reliability
-
IP address blocking
Method
ISP configures router to discard traffic destined for a specified IP address
Features
Less expensive than web proxy blocking
Massive overblocking
Multiple hosting customers share one IP address
Blocks access for all protocols, not just web
But note end user IP addresses change
-
IP address/web proxy hybrid (Cleanfeed) (1)
Method
ISP uses same technology for IP-based blocking to send selected traffic to a web proxy; the proxy decides what to block
Features
Cheaper than web proxy blocking
As granular as web proxy blocking
i.e. overblocking greatly reduced
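Added example (not part of the original slides): a small model comparing what DNS blocking, IP address blocking, web proxy blocking and the hybrid approach each block for the same single-URL blocklist, and how much traffic the proxy has to handle. The hostnames, addresses, blocklist entry and traffic sample are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed hosting table (documentation address ranges): two unrelated
# customers share 192.0.2.10, as on a shared hosting server.
HOSTING = {"shared-a.example": "192.0.2.10", "shared-b.example": "192.0.2.10",
           "other.example": "198.51.100.7"}

# Constructed blocklist holding one individual URL.
BLOCKLIST = {"http://shared-a.example/listed/item"}

# Constructed traffic sample; the smtp:// entry stands for non-web traffic.
REQUESTS = ["http://shared-a.example/listed/item",
            "http://shared-a.example/unlisted/page",
            "http://shared-b.example/",
            "smtp://shared-a.example/",
            "http://other.example/", "http://other.example/news"]

def host(url):
    return urlsplit(url).hostname
def is_web(url):
    return urlsplit(url).scheme == "http"

def dns_block(url):
    """Resolver gives a false result for every name that appears on the list."""
    return host(url) in {host(b) for b in BLOCKLIST}

def ip_block(url):
    """Router discards all traffic to any address hosting a listed item."""
    return HOSTING[host(url)] in {HOSTING[host(b)] for b in BLOCKLIST}

def proxy_block(url):
    """Proxy handles every web request and blocks only exact listed items."""
    return is_web(url) and url in BLOCKLIST

def hybrid_block(url):
    """Stage 1 diverts web traffic by IP address; stage 2 is the proxy."""
    return is_web(url) and ip_block(url) and proxy_block(url)

def overblocked(method):
    """Requests a method blocks although they are not on the blocklist."""
    return [r for r in REQUESTS if method(r) and r not in BLOCKLIST]

def proxy_load(hybrid):
    """Number of requests the proxy must inspect (all web traffic, or diverted only)."""
    return sum(is_web(r) and (ip_block(r) or not hybrid) for r in REQUESTS)

if __name__ == "__main__":
    for m in (dns_block, ip_block, proxy_block, hybrid_block):
        print(m.__name__, "overblocks", overblocked(m))
    print("proxy load: full", proxy_load(False), "hybrid", proxy_load(True))
```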
-
IP address/web proxy hybrid (Cleanfeed) (2)
-
IP address/web proxy hybrid (Cleanfeed) (3)
Uptake
Initially implemented in UK by BT
Some version of this implemented or planned by all the largest UK consumer broadband providers
Fed by IWF blocklist of URLs of child abuse images
Some international uptake (e.g. Canada)
Issues
Allegedly breaks mere conduit
Success has bred demands for blocking of other types of content (e.g. copyright material)
-
Proficiency levels required for avoidance
VERY HIGH: Advanced network software research
HIGH: Good understanding of networking principles. Basic software development skills.
MODERATE: Can search for and find obscure or complex software. Can follow complex instructions. Capable of imagining secondary uses of dual-purpose software.
LOW: Aware of common applications e.g. peer-to-peer. Capable of following written instructions to download, install and use such software.
VERY LOW: Can use web browser, e-mail. Cannot set up own computer to use Internet
-
Avoiding Blocking Systems 1
End User Filters
Removal by PC owner (LOW expertise)
Surreptitious by-pass by PC user (MODERATE to VERY HIGH expertise)
DNS poisoning
Use different ISP's DNS resolver (LOW expertise)
Run your own DNS resolver (MODERATE expertise)
Avoid or confuse DNS (MODERATE expertise)
DNS-SEC will make this obsolete
-
Avoiding Blocking Systems 2
All address-based methods except End-User Filters
Use Peer-to-Peer (LOW expertise); only provides access to
content, not applications such as gambling sites
Anonymizer.com style tunnel (VERY LOW expertise)
Create your own encrypted tunnel (MODERATE expertise)
Confuse the blocking system with technical attacks [1] (MODERATE to VERY HIGH expertise, variable effectiveness)
[1] Simple examples include URL character encoding, web file-path traversal with .. etc
-
Avoiding network filtering
No known successful implementations of network level content filtering on ISP scale
Depends on realtime monitoring / DPI
Encryption thwarts monitoring
Some P2P networks already include encryption by default
Onion-routing systems provide IP address concealment
Onion-routing is a technically sophisticated technique
Some advanced P2P systems have onion-routing built-in
E.g. I2P
-
Broader policy questions
-
Undermining the end-to-end principle
The end-to-end principle is a basic organising principle of the Internet
It says that intelligence occurs at the network edges, not in the core routers
It permits technological development, including invention of web, VoIP, etc
Requiring blocking at the network level undermines the end-to-end principle and the capacity for invention
Arguably, it invites network operators to subvert the end-to-end principle further
-
An end-run around justice system
Court system is designed to be fair
Procedures developed over centuries
Can be slow, expensive, but for a reason
Direct remedies from ISP obviate need for complainant to go to court
Faster, cheaper than court
Reduced evidence and changed procedures
Right to be heard?
Presumption of guilt?
Remedies designed by complainants