Like Cervantes’ bumbling knight Don Quixote, most people would regard trying to censor the internet as a modern-day tilt at a windmill.
That hasn’t stopped Australia’s Communications Minister, Stephen Conroy, from trying. Speaking on Tuesday at the release of a report into the trial of the government’s controversial plan to force ISPs to filter a blacklist of RC-classified (refused classification) material from their users, Conroy announced that the government was pressing ahead with the censorship plan. Conroy was quoted by the Sydney Morning Herald’s Asher Moses as saying:
“Most Australians acknowledge that there is some internet material which is not acceptable in any civilised society. It is important that all Australians, particularly young children, are protected.”
Moses’ article goes on to point out that:
It is not clear how or if the filters will distinguish between banned material that is illegal and that which is legal.
A version of the Government’s list of banned sites was leaked on to the web in March, revealing that the scope of the filtering could extend significantly beyond child porn. About half were not related to child porn and included links to poker sites, YouTube, gay and straight porn sites, Wikipedia, euthanasia sites, fringe religions, fetish sites, Christian sites, a tour operator and a Queensland dentist.
Over at Marcus Westbury’s blog, his brother Stuart (an accomplished sysop and network engineer) has analysed the report of the filtering trial by Enex Testlab, and concluded that none of the proposed filter technologies can prevent determined access to RC material. You can read his full assessment over the fold:
Here is a bit of background. The Enex report (which is fucking big) on the live trial explains that there were 3 technologies used by the participating ISPs, some in combination with each other.
Proxy filtering
The simplest solution. It just blocks web traffic based on a blacklist using a standard proxy (caching) server. This would work in small scenarios but is extremely simple to bypass unless they block other network traffic. They have not said that the proxy trial participant did this. I do this at work to block known malware sites based on a blacklist. In larger implementations this is just not feasible due to the massive amounts of data you would have to pass over these servers. It is not scalable and not suitable for ISPs the size of Telstra or Optus.
Pass by filtering
Not all traffic is inspected. This would need to be used for much larger implementations. Instead of funnelling everything via the proxy, they maintain a list of IP addresses that are blocked using Border Gateway Protocol (I won't go into that) on border routers. If you are attempting to access an IP address that is on the blacklist, your traffic is then funnelled through a proxy server to filter it for the actual URL. You cannot just block an IP address for undesirable content. This is due to shared hosting environments, where many sites often have the same IP. Blocking the undesirable IP would potentially result in blocking harmless stuff on the same web host. This also just relies on a blacklist anyway. Again, there is no mention of blocking ports or protocols like BitTorrent, P2P technologies, IM, VPN or anything else that could be used to transmit smut.
Pass through filtering
Pass through filtering is the scariest one. It performs DPI (Deep Packet Inspection). This one can identify undesirable content inside individual packets of data but it is also by far the most resource intensive to implement. It has the potential to inspect torrents, IM etc. but will still be defeated by encrypted technologies like VPNs. Without the ability to decrypt, then inspect, a VPN packet (making the “Private” in virtual private network redundant), the only way to stop them accessing nasty content is to block them all. The economic implications of this are huge. They just won't do it.
Some other stuff
Of 37 circumvention tests performed against the filters, the successful block rate ranged from 8.1% (proxy / pass by) to a much higher 94.5% in the case of hybrid proxy / DPI methods. You can be assured that a) this method will not be implemented without the government subsidising banks of supercomputers and b) the circumvention that worked against it is the holy grail of defeating this thing: VPNs. It will also be capable of serious false positives.
I looked mostly into Participant ISP #5’s results as it had the most success in blocking circumvention attempts – 94.5%. It also had by far the worst results in terms of performance degradation. I didn’t do any number crunching but the graphs show at least 50% in a lot of cases. This will not be implemented as the final solution. It would be insanity.
It's also important to note that these tests are also ludicrously based on people getting access speeds of 8 Mbit/sec (FTTN specifications) in a trial that involved very small numbers of real clients. What happens when the NBN rolls out and is supposed to supply most of the nation with 100 Mbit connections? This whole thing will need massive reassessment.
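To make the difference between the three approaches in Stuart's assessment concrete, here is an added toy model (mine, not Stuart's or Enex's) of crude IP blocking, a full URL proxy and the two-stage pass-by design. All hostnames, addresses, the single blacklist entry and the VPN endpoint are constructed for illustration and have nothing to do with the leaked list; the "BGP diversion" is simulated as a set membership check rather than real routing.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed blacklist: one URL entry, as the trial lists were URL-based.
BLACKLIST_URLS = {"http://badsite.example/rc/page.html"}

# Constructed shared-hosting map: an innocent dentist site sits on the same
# IP address as the blacklisted site, which is the collateral-damage case
# the assessment warns about. Addresses are from documentation ranges.
HOSTING = {
    "badsite.example": "203.0.113.10",
    "dentist.example": "203.0.113.10",
    "news.example": "198.51.100.7",
}

# Assumed address of a VPN server outside the ISP's network.
VPN_ENDPOINT = "192.0.2.1"

# IPs the border routers would announce for diversion (or null-route).
BLACKLIST_IPS = {HOSTING[urlsplit(u).hostname] for u in BLACKLIST_URLS}


@dataclass
class Request:
    url: str
    via_vpn: bool = False


def destination_ip(req: Request) -> str:
    """The destination the ISP actually sees on the wire.
    Inside a VPN tunnel every packet goes to the VPN endpoint."""
    if req.via_vpn:
        return VPN_ENDPOINT
    return HOSTING[urlsplit(req.url).hostname]


def visible_url(req: Request):
    """The URL a filter can read from the traffic; None inside a tunnel,
    because the payload is encrypted end to end."""
    return None if req.via_vpn else req.url


def ip_block(req: Request) -> str:
    """Crude approach: drop everything destined for a blacklisted IP."""
    return "blocked" if destination_ip(req) in BLACKLIST_IPS else "allowed"


def url_proxy(req: Request) -> str:
    """Full proxy: every request passes through and is matched by exact URL."""
    return "blocked" if visible_url(req) in BLACKLIST_URLS else "allowed"


def pass_by(req: Request) -> str:
    """Two-stage design: only traffic to blacklisted IPs is diverted
    (by BGP on the border routers in practice) to a proxy, which then
    decides on the URL. Everything else is never inspected at all."""
    if destination_ip(req) not in BLACKLIST_IPS:
        return "allowed (not diverted)"
    if visible_url(req) in BLACKLIST_URLS:
        return "blocked"
    return "allowed (diverted, URL not listed)"


def evaluate(req: Request) -> dict:
    """Run one request through all three models for side-by-side comparison."""
    return {
        "ip_block": ip_block(req),
        "url_proxy": url_proxy(req),
        "pass_by": pass_by(req),
    }


if __name__ == "__main__":
    samples = [
        Request("http://badsite.example/rc/page.html"),
        Request("http://dentist.example/"),
        Request("http://news.example/"),
        Request("http://badsite.example/rc/page.html", via_vpn=True),
    ]
    for r in samples:
        print(r, evaluate(r))
```

The dentist request shows why the assessment says you cannot simply block by IP: IP blocking takes the innocent site down with the listed one, while the pass-by proxy diverts it and then lets it through. The last request shows the point made about VPNs: once the traffic is tunnelled, the destination IP is the VPN endpoint and the URL is not visible, so neither the border routers nor the proxy have anything to match.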