Website blocking LINX

  • 8/7/2019 Website blocking LINX

    26th January 2011

    Internet Content Blocking:

    a primer

    Malcolm Hutty, Head of Public Affairs, LINX

    A glossary

    Right from the start

    What is an ISP?

    Formally

    Internet Service Provider

    Commonly

    Internet Services Provider

    Technically

    Provider of Internet Service

    a.k.a. Internet access

    Other terms for an ISP

    Connectivity provider

    Mere conduit

    Legal term, relates to legal liability

    Public Electronic Communications Service provider

    Legal term from regulatory framework

    Transit provider

    An ISP that connects other network operators to each other; normally to contrast with one who provides access for consumers and businesses

    Business and consumer ISPs

    Consumer broadband market is heavily concentrated

    Business market is more fragmented

    Large number of niche providers

    Solutions providers that include connectivity

    Business connectivity is basic infrastructure

    Mechanical control systems

    Distributed business units (e.g. supply chain management)

    What is Internet service? (1)

    Internet protocol

    Communications protocol designed to enable diverse computer systems to interconnect and exchange data

    Data is split up into small packets

    Packet format defined by Internet Protocol

    Packet header contains:

    a destination address

    a source address (for reply)

    content (could be anything)

    What is Internet service? (2)

    ISP provides connectivity

    Receive packets of data

    Route those packets to their destination

    ISP network is a series of connected routers

    The Internet consists of end points connected by a series of routers

    Routers receive packets and pass them on

    Routers inspect packet header to determine where to send them

    Routers do not inspect packet contents

    What is Internet service? (3)

    Internet Protocol packet contents can be anything

    Contents can be data formatted according to another communications protocol (e.g. web, e-mail)

    Thus, Internet protocol is application agnostic

    And so is ISP

    Destination device (end point)

    Receives packets

    Reassembles contents into a message (e.g. web page)

    Interprets message, and acts on it

    Thus, destination service is application specific

    What is hosting?

    Usually refers to web hosting

    Connecting a web server to the Internet

    A web server is a computer that runs a web site

    Hosting services may include

    Physical space for the computer system

    Technical operation/maintenance

    But does not itself include

    Originating the content (authorship)

    Selecting, correcting the content (editorial control)

    Types of hosting

    Self-hosting

    A large business may provide its own hosting

    Traditional hosting provider

    Business and consumer hire a hosting company

    Shared hosting: multiple customers on one server

    Co-location: give the hosting company your server

    User-generated content

    End users upload their content to an open service

    e.g. Facebook, YouTube, eBay

    The E-Commerce Directive

    Provides protection from liability to

    Mere conduits

    Hosting providers

    Caches

    No duty for Internet intermediaries to monitor their networks

    Qualifying for legal protection

    Mere conduit

    Does not initiate communication

    Does not select recipient of communication

    Does not modify communication

    NB: Mere conduit's knowledge is irrelevant

    Hosting provider

    Removes content expeditiously upon gaining actual knowledge of the content

    Cache

    (Follows technical standard practice for caches)

    Nature of Liability Protection

    Complete protection from liability

    Applies to civil and criminal liability

    Courts can still grant injunctions

    to terminate or prevent infringements

    Interpretation dispute

    Is liability restricted to monetary damages?

    Or does it also prevent general filtering injunctions?

    Ongoing litigation

    Internet addressing

    Each Internet device has an IP address

    E.g. 216.154.60.109

    Used by Internet routers to send data to the right location

    Domain name system (DNS) provides names

    E.g. example.com

    DNS server translates names to IP addresses

    Names are more memorable

    Underlying address can be changed without changing the name

    Individual applications have their own addressing schemes

    e.g. e-mail, Instant Messaging

    The web is not the Internet!

    The Internet

    Many services

    Streaming video (e.g. iPlayer)

    Instant Messaging (e.g. MSN)

    Voice [VoIP] (e.g. Skype)

    Games (e.g. World of Warcraft)

    Business (e.g. supply chain)

    Control systems (e.g. SCADA)

    P2P (e.g. eDonkey)

    Each has its own protocol

    The web

    One service (web pages)

    Viewed via a web browser

    One technical communications protocol (HTTP)

    Peer-to-peer (P2P)

    Pseudo P2P

    User connects to a server to find content

    Server directs them to a user with the content

    User downloads directly from the other user

    Content is not hosted by server

    True P2P

    No central server

    Search other users' PCs directly

    Two contexts for content blocking

    Purposes of Content Blocking (1)

    Protection

    Help users avoid content they do not wish to encounter

    Compliance

    Prevent users from accessing material they are actively seeking

    Purposes of Content Blocking (2)

    Protection

    User does not want to access blocked material

    User will not deliberately subvert blocking system

    User's normal usage will usually not strain the blocking system by introducing difficult cases

    Compliance

    User wishes to access blocked material

    User may deliberately subvert blocking system

    Examples of protection

    Phishing

    E.g. bank impersonation sites

    Viruses and other malware

    Protecting ordinary users from viewing child abuse images (child pornography)

    Helping children not to mistake gambling for computer games

    Examples of compliance

    Preventing terrorists accessing bomb making instructions

    Preventing paedophiles accessing child pornography

    Preventing gamblers accessing gambling sites

    Examples of mixed cases

    In these cases, some users may wish to be blocked, some may not:

    Preventing teenagers accessing pornography

    Preventing Muslims accessing extremist ideologies

    Preventing the curious accessing banned material

    In theory

    Content Suppression

    Content suppression

    Main methods

    Notice & Takedown

    Network level address blocking

    Network level filtering

    End user filtering and blocking

    First three are mandatory for end user; last requires the end user's cooperation

    Last three are technical interventions; first is an institutional procedure

    Blocklists (1)

    All address based blocking methods depend on being supplied with a list of addresses to block

    Who supplies this list?

    Who supervises?

    Is list publicly available?

    What criteria?

    What appeals?

    Is appeals process real or merely theoretical? (If you don't know you're being listed you won't appeal)

    Blocklists (2)

    All blocking systems are a machine for censorship

    May be limited to certain types of content

    But only by choice of what goes on blocklist

    Change in listing policy technically easy, but change in size of list may overload system

    And switch from user protection to enforcement will compromise outcome

    Change in protocol (e.g. from web to P2P) not the same as a change in listing policy, and not easy

    Notice & Takedown

    Method

    Contact the hosting provider

    Identify the content and ask for removal

    Hosting provider removes the content at source

    Outcome

    Content is gone from the Internet

    Problems

    Can of course be re-uploaded, here or elsewhere

    Only works for hosted content

    Network level address blocking

    Method

    Give the ISP a list of addresses to block

    ISP prevents Internet traffic reaching those addresses

    Outcome

    In theory, the ISP's customers cannot reach the destination device

    although there are many ways they can

    Problems

    The content remains on the server

    Other ISPs' customers can still access it

    Might break mere conduit

    Network level filtering

    Method

    Give the ISP a list of items to filter

    ISP continually monitors its network for those items

    Intercepted in mid transmission and discarded

    Problems

    Not practically possible to do

    Utterly impossible for encrypted communications

    Highly intrusive

    Breaks mere conduit (modifies transmission)

    Incompatible with no duty to monitor

    End user filtering

    Method

    End user installs software on own PC to block and filter traffic

    Outcome

    User can select own choice of blocking software, and hence what gets blocked

    If PC is properly configured, hard to get round

    Problems

    Device support e.g. smart phones

    Depends on user cooperation

    Types of address blocking

    Address-based blocking methods

    DNS blocking

    Web Proxy blocking

    IP address blocking

    Hybrid blocking (Cleanfeed)

    DNS Blocking (1)

    Background

    ISPs customarily provide DNS resolvers for their customers to use

    But others do too e.g. OpenDNS, Google

    Method

    ISP configures their DNS resolver to return a false result for a site to be blocked

    E.g. example.com

    End user is thus directed to an alternative site, or to none

    DNS Blocking (2)

    Features

    Low financial cost

    Blocks entire domain, not just web

    Uptake

    Used in Italy, parts of Scandinavia

    Not used in UK (NB: Nominet exception)

    Problems

    Massive overblocking

    Easy to avoid by using alternative DNS resolver

    Surprisingly difficult to implement without errors

    Web proxy blocking

    Method

    Force all web traffic through a proxy operated by ISP

    Intercept particular items and return a false result

    Features

    Granular: blocks individual items

    Centralised, mandatory blocking

    Very expensive: all web traffic through proxy

    Can slow network traffic

    Reduces network reliability

    IP address blocking

    Method

    ISP configures router to discard traffic destined for a specified IP address

    Features

    Less expensive than web proxy blocking

    Massive overblocking

    Multiple hosting customers share one IP address

    Blocks access for all protocols, not just web

    But note end user IP addresses change

    IP address/web proxy hybrid (Cleanfeed) (1)

    Method

    ISP uses same technology for IP-based blocking to send selected traffic to a web proxy; the proxy decides what to block

    Features

    Cheaper than web proxy blocking

    As granular as web proxy blocking

    i.e. overblocking greatly reduced
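
The four address-based methods compared on one blocklist entry, as an added example that is not from the original slides. It is a simplified model: the host names, IP addresses and requests are constructed, and "proxied" counts how many requests pass through the ISP's proxy.

```python
from urllib.parse import urlsplit

# Constructed sample data (documentation-only names and addresses).
# Shared hosting: three unrelated sites sit behind one IP address.
HOSTING = {
    "photos.example": "192.0.2.10",
    "blog.example": "192.0.2.10",
    "shop.example": "192.0.2.10",
    "news.example": "198.51.100.7",
    "video.example": "203.0.113.5",
}
RESOURCES = [  # (protocol, host, path) that customers legitimately request
    ("http", "photos.example", "/albums/listed.jpg"),  # the one listed item
    ("http", "photos.example", "/albums/holiday.jpg"),
    ("smtp", "photos.example", ""),                    # e-mail, not web
    ("http", "blog.example", "/post/1"),
    ("http", "shop.example", "/basket"),
    ("http", "news.example", "/today"),
    ("http", "video.example", "/watch"),
]
BLOCKLIST = ["http://photos.example/albums/listed.jpg"]

def listed():
    """Derive the domains, IPs and exact web items named by the blocklist."""
    parts = [urlsplit(u) for u in BLOCKLIST]
    hosts = {p.hostname for p in parts}
    return hosts, {HOSTING[h] for h in hosts}, {(p.hostname, p.path) for p in parts}

def is_blocked(method, proto, host, path):
    hosts, ips, items = listed()
    if method == "dns":      # resolver returns a false result for the domain
        return host in hosts
    if method == "ip":       # router discards all traffic to the address
        return HOSTING[host] in ips
    if method in ("proxy", "hybrid"):  # proxy matches individual web items
        return proto == "http" and (host, path) in items
    raise ValueError(method)

def via_proxy(method, proto, host):
    """Whether a request is carried through the ISP's web proxy at all."""
    if proto != "http" or method in ("dns", "ip"):
        return False
    # Hybrid: routers divert only traffic for suspect IPs to the proxy.
    return method == "proxy" or HOSTING[host] in listed()[1]

def report(method):
    hits = [r for r in RESOURCES if is_blocked(method, *r)]
    wanted = [r for r in hits if is_blocked("proxy", *r)]
    return {
        "blocked": len(hits),
        "overblocked": len(hits) - len(wanted),
        "proxied": sum(via_proxy(method, p, h) for p, h, _ in RESOURCES),
    }

if __name__ == "__main__":
    for m in ("dns", "ip", "proxy", "hybrid"):
        print(f"{m:7}", report(m))
```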

    IP address/web proxy hybrid (Cleanfeed) (2)

    IP address/web proxy hybrid (Cleanfeed) (3)

    Uptake

    Initially implemented in UK by BT

    Some version of this implemented or planned by all the largest UK consumer broadband providers

    Fed by IWF blocklist of URLs of child abuse images

    Some international uptake (e.g. Canada)

    Issues

    Allegedly breaks mere conduit

    Success has bred demands for blocking of other types of content (e.g. copyright material)

    Proficiency levels required for avoidance

    VERY HIGH: Advanced network software research

    HIGH: Good understanding of networking principles. Basic software development skills.

    MODERATE: Can search for and find obscure or complex software. Can follow complex instructions. Capable of imagining secondary uses of dual-purpose software.

    LOW: Aware of common applications e.g. peer-to-peer. Capable of following written instructions to download, install and use such software.

    VERY LOW: Can use web browser, e-mail. Cannot set up own computer to use Internet

    Avoiding Blocking Systems 1

    Surreptitious by-pass by PC user (MODERATE to VERY HIGH expertise)

    End User Filters

    Use different ISP's DNS resolver (LOW expertise)

    Removal by PC owner (LOW expertise)

    DNS-SEC will make this obsolete

    Run your own DNS resolver (MODERATE expertise)

    Avoid or confuse DNS (MODERATE expertise)

    DNS poisoning

    Avoiding Blocking Systems 2

    All address-based methods except End-User Filters

    Use Peer-to-Peer (LOW expertise); only provides access to content, not applications such as gambling sites

    Anonymizer.com style tunnel (VERY LOW expertise)

    Create your own encrypted tunnel (MODERATE expertise)

    Confuse the blocking system with technical attacks [1] (MODERATE to VERY HIGH expertise, variable effectiveness)

    [1] Simple examples include URL character encoding, web file-path traversal with .. etc
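
The footnote's two cases only confuse a matcher that compares raw strings. One way for a URL blocklist to canonicalise before lookup, as an added example that is not from the original slides; the URLs are constructed, query strings are ignored, and percent-decoding is done once on the assumption that the destination web server does the same.

```python
import posixpath
from urllib.parse import urlsplit, unquote

def canonical(url):
    """Reduce a URL to one (host, path) spelling before any list lookup."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # lower-cased, port dropped
    path = unquote(parts.path)                 # %6C -> l, decoded once
    path = "/" + path.lstrip("/")              # collapse leading slashes
    path = posixpath.normpath(path)            # resolve "." and ".." segments
    return host, path

class Blocklist:
    """Blocklist whose entries and lookups share the same canonical form."""

    def __init__(self, urls):
        self.entries = {canonical(u) for u in urls}

    def matches(self, url):
        return canonical(url) in self.entries

# Constructed sample data: one listed item and two respellings of it.
LISTED = ["http://photos.example/albums/listed.jpg"]
RESPELLED = [
    "http://photos.example/albums/%6Cisted.jpg",       # character encoding
    "http://photos.example/tmp/../albums/listed.jpg",  # ".." path segment
]
UNLISTED = "http://photos.example/albums/holiday.jpg"

def compare():
    """Return (url, raw string match, canonical match) for each sample."""
    bl = Blocklist(LISTED)
    return [(u, u in LISTED, bl.matches(u)) for u in RESPELLED + [UNLISTED]]

if __name__ == "__main__":
    for url, raw, canon in compare():
        print(f"raw={raw!s:5} canonical={canon!s:5} {url}")
```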

    Avoiding network filtering

    No known successful implementations of network level content filtering on ISP scale

    Depends on realtime monitoring / DPI

    Encryption thwarts monitoring

    Some P2P networks already include encryption by default

    Onion-routing systems provide IP address concealment

    Onion-routing is a technically sophisticated technique

    Some advanced P2P systems have onion-routing built-in

    E.g. I2P

    Broader policy questions

    Undermining the end-to-end principle

    The end-to-end principle is a basic organising principle of the Internet

    It says that intelligence occurs at the network edges, not in the core routers

    It permits technological development, including invention of web, VoIP, etc

    Requiring blocking at the network level undermines the end-to-end principle and the capacity for invention

    Arguably, it invites network operators to subvert the end-to-end principle further

    An end-run around justice system

    Court system is designed to be fair

    Procedures developed over centuries

    Can be slow, expensive, but for a reason

    Direct remedies from ISP obviate need for complainant to go to court

    Faster, cheaper than court

    Reduced evidence and changed procedures

    Right to be heard?

    Presumption of guilt?

    Remedies designed by complainants