Australian internet censorship

One of the main communications policies being advocated by the Australian government at the moment is the introduction of nationwide internet filtering to block illegal and ‘inappropriate’ material and to ‘protect children’. The government proposes doing this using a blacklist of sites which internet service providers (ISPs) will be legally obliged to block. While protecting children from inappropriate material and preventing the dissemination of child pornography and terrorist material are certainly admirable objectives, a nationwide internet filter is the least effective and most unworkable approach, and one with an enormous potential for misuse.

From a technological perspective, a nationwide filter simply will not work for two reasons. First, there are literally billions of websites on the internet, with millions more popping up every day. Maintaining a blacklist of sites to block, when there are so many sites in existence and more coming into existence every day, is folly. Second, an internet filter will only block unencrypted websites (HTTP). It will not, and cannot, block other internet protocols such as encrypted sites (HTTPS), or peer-to-peer (P2P) protocols. Pedophiles do not use websites to distribute child pornography – they use encrypted channels. If they did use unencrypted websites, they all would have been caught by now.

In addition to being technologically ineffective, a nationwide filter may have the effect of slowing down internet traffic, as all traffic first must pass through the filter, which resides in software on the ISP’s servers. This is somewhat ironic, as the same government is complaining about how slow the internet is, and is intending to speed it up by introducing a national broadband network (NBN).

Technological issues aside, there are still strong reasons for concern about the introduction of a mandatory internet filter. There is incredible potential for abuse. At the end of the day, the blacklist will sit in the hands of a small group of bureaucrats. Should these select few have nefarious or partisan intentions, they could easily manipulate the internet filter to decide what opinions, news stories or political views we are able to access. This is exactly what has happened in the few countries where filters such as this exist (see China and Iran). The Federal Communications Minister, Stephen Conroy, has already indicated that should the policy pass through parliament, the contents of the blacklist will not be made public. This is a police state in the making – next stop thought police. On one hand the government wants to reserve the right to block any material they deem ‘offensive’, while on the other hand they refuse to disclose what is on their list of offensive material. The mere fact that the Government intends to keep this list secret, to me, is indicative of potentially very sinister intentions. Additionally, if the list is secret, parents will have no influence over what their children are protected against, which completely undermines the point of the exercise.

Finally, one must question the need for a nationwide filter at all, when client side software is available which achieves the same outcome. Net Nanny-like software is commercially available, which parents can install on their home computers and use to block specific sites or keywords. This client side model gives parents much greater flexibility as to what their children can and cannot see than a blanket nationwide filter. So if the goal of the filter is to protect children, then a client side approach is more flexible, gives parents greater control, and doesn’t impose an extra regulatory and financial burden on ISPs or slow down the internet for everyone else.

Conroy’s internet filter is a shambles. It is technologically unviable. It won’t protect children. It undermines parents’ ability to make parental decisions for themselves. It will stop the circulation of neither child pornography nor terrorist material. It may infringe on freedom of speech. And there is enormous potential for abuse of the system by politicians and bureaucrats.

This policy is cheap politicking. Conroy is leveraging off the fact that as soon as you say you are ‘protecting children’ or ‘preventing pedophilia’ you can win votes instantly by playing on the emotions of the public who are largely unaware of the details of the proposal.

I urge all Australians to contact their federal representatives with regard to this draconian policy.

22 thoughts on “Australian internet censorship”

  1. Wait, I think I’ve met you O.o You know G. Schmalz, correct? Small world…

    Anyway, aside from that, there is also the problem that this may be extended in the future to break the layer of trust in issued SSL certificates, which could also lead to massive security holes and kill online commerce in this country.

  2. No arguments here… I’m disappointed the Libs haven’t made enough noise about this – they need to go on the attack. Sadly, I think many of them like the idea of a filter, even if they see this proposed implementation as unworkable. It doesn’t seem to occur to them that the idea itself is unworkable.

  3. It is very feasible for a filter to block encrypted sites. What is hard (close to impossible) for a filter (man in the middle) is to decrypt the content that is passing between the web server and the client computer. However if the objective is merely to block a site then decryption isn’t a requirement.

    By way of analogy if I send letters to you that are written in code it may be impossible for Australia post to read those letters but it is trivial for Australia post to block delivery.

    Of course combined with offshore proxies or peer to peer systems then encryption can help to bypass a filter. Even so a filter will still undermine some of the spontaneous order that currently surrounds the Internet and associated activities. It would be somewhat akin to an infection within a person’s central nervous system.

  4. “It is very feasible for a filter to block encrypted sites. What is hard (close to impossible) for a filter (man in the middle) is to decrypt the content that is passing between the web server and the client computer. However if the objective is merely to block a site then decryption isn’t a requirement.”

    They can, however, intercept communications. Encryption must be negotiated! Say, for example, I have a box sitting in between a client and the server. I can make said box act as a proxy for ALL communications, which means I take the encryption requests and switch my own public key in for the client’s key completely transparently. This would allow me to request for resources encrypted with my public key, decrypt them, check them and then send them off re-encrypted with the client’s key. SSL/TLS is very weak against man in the middle attacks

  5. “It is very feasible for a filter to block encrypted sites.”

    Only by blocking the IP address… I don’t know the details of the filter, but Conroy said something about it being url based… though it’s likely he was reading from technical notes he didn’t really understand, so take that for what it’s worth.

    Does anyone have any technical implementation details of the filter?

  6. An IP address also qualifies as a URL. IIRC a number of the URLs on the leaked ACMA blocklist were IP addresses.

    [quote]They can, however, intercept communications. Encryption must be negotiated! Say, for example, I have a box sitting in between a client and the server. I can make said box act as a proxy for ALL communications, which means I take the encryption requests and switch my own public key in for the client’s key completely transparently. This would allow me to request for resources encrypted with my public key, decrypt them, check them and then send them off re-encrypted with the client’s key. SSL/TLS is very weak against man in the middle attacks[/quote]

    That’s why we have Certificate Authorities. As long as the certificate authority isn’t subverted, a man-in-the-middle attack will not work against HTTPS connections.

  7. “An IP address also qualifies as a URL.”

    The point was that restrictions are supposedly at a page level, ie. http://ip.address/abc is different to http://ip.address/xyz

    With https, even the url is encrypted in transmission… like I said, I don’t know the exact implementation details, but based on little bits I’ve heard, https will not be affected.

  8. “That’s why we have Certificate Authorities. As long as the certificate authority isn’t subverted, a man-in-the-middle attack will not work against HTTPS connections.”

    There was recently debate on whether a Chinese authority should be approved given the CCP’s record on this kind of thing. It really isn’t a stretch to think that governments may lean on local issuing authorities in the future

  9. Sorry about the double post, but…

    “Only by blocking the IP address… I don’t know the details of the filter, but Conroy said something about it being url based… though it’s likely he was reading from technical notes he didn’t really understand, so take that for what it’s worth.”

    The DNS makes it too easy to block on either domains or IPs. Got an IP request? Run a reverse resolution and check it against your blacklist.

    “Does anyone have any technical implementation details of the filter?”

    I think this has some details on it. From what I can recall, there was no test on dynamic filtering conducted, which means they’re relying on a small bureau to classify the >1bil new webpages a day.

    “With https, even the url is encrypted in transmission… like I said, I don’t know the exact implementation details, but based on little bits I’ve heard, https will not be affected.”

    This is true. You open an encrypted channel with the server, which means all ‘talk’ between you and the server goes through as what looks like random characters. What you’re actually doing when you type in http://www.xyz.com/page.html is telling your browser to open an HTTP connection with http://www.xyz.com and then ask on that connection for the webpage page.html. However, this requires negotiation between you and the server. A box in the centre can swap in its own encryption credentials over yours if it wants to look at what you’re doing, which means HTTPS communication (and therefore all secure online transactions) may be in danger in Australia if the government is stupid enough to decide it wants to go down this path

  10. ChrisV is correct. So long as the site has the right certificate the channel is secure. However I’m also pretty sure that most users would not know how to confirm that the certificate is the right one and that those that do know how to check usually don’t. The small number of people that do check routinely probably just look for a padlock symbol and a substitute certificate would still show the padlock.

    So a man in the middle certificate substitution would feasibly trick the vast majority of users. In some ways accepting the installation of a government filter is like giving the ATO a copy of your ATM card along with a copy of the pin number. Ouch.

  11. Accepting alternate authorities is a pretty scary prospect in most browsers – confirming a non-standard certificate takes effort.

    Of course, as Steve points out, if the state has control over the certificate authority, then all bets are off.

  12. Oh, is the filter working already? Looks like my thoughts about governments were too controversial! That was quick filtering!

  13. I just told the truth about the Government, the ***** of *************, and they felt the need to object, Donald! I thought we had free speech here in Australia.
    (Alright, I’ll confess- it was my little joke about censorship and Internet filtering. I just put the word (deleted) as the only word in that comment. I didn’t think I’d fool anyone!)

  14. Just stumbled across this blog today, and misread your humour. So there, I admit I am gullible… I was actually offended when I thought your post was deleted. I feel freedom of speech is paramount, yet my fellow Australians appear not to care too much about it.

  15. Don’t worry, Donald – you get used to his humour eventually. I (and, I would say, most on this blog) agree with you about the importance of free speech – but just to play devil’s advocate:

    If a government censors, then that’s a violation of free speech. If an individual censors comments on their own blog, then they’re just exercising their own property rights.

  16. When my internet is even slower and I can’t access the websites I want, I assume the government will pay out the rest of my contract.

    It’s only fair. >_>

  17. Using this sort of system on computers once again takes the responsibility from the parent as they should supervise what their children access and watch. It is giving the State the power to nanny and there is much too much of that nonsense, Australia will end up like Britain.
    Parents are the prime educators not the State.
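
The comments above debate what a filter sitting between client and server can read from HTTP versus HTTPS traffic without decrypting anything. The following is an added example, not part of the original post or any comment: it parses the first client bytes of each kind of connection and reports what is readable. The TLS Server Name Indication (SNI) field is not mentioned on the page and is brought in here as an assumption about a typical HTTPS client; the function names and all sample bytes are constructed for illustration.

```python
import struct

def build_client_hello(hostname):
    """Constructed sample: minimal TLS ClientHello record with an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                # extension type 0
    body = (b"\x03\x03" + bytes(32)      # legacy version, 32-byte random (zeros here)
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(record):
    """Return the cleartext server name from a complete ClientHello, or None."""
    hs = record[5:]                                  # skip 5-byte record header
    if record[:1] != b"\x16" or hs[:1] != b"\x01":
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher suites
    p += 1 + hs[p]                                   # compression methods
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        if ext_type == 0:                            # server_name
            n = int.from_bytes(hs[p + 7:p + 9], "big")
            return hs[p + 9:p + 9 + n].decode("ascii")
        p += 4 + ext_len
    return None

def observer_view(first_bytes):
    """What an on-path box can read from a connection's first client bytes."""
    if first_bytes[:1] == b"\x16":                   # TLS handshake record
        return {"scheme": "https", "host": sni_from_client_hello(first_bytes), "path": None}
    lines = first_bytes.split(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    path = lines[0].split(" ")[1]
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return {"scheme": "http", "host": host, "path": path}

# Constructed sample traffic for the same page over both schemes.
HTTP_REQ = b"GET /page.html HTTP/1.1\r\nHost: www.xyz.com\r\n\r\n"
TLS_HELLO = build_client_hello("www.xyz.com")

if __name__ == "__main__":
    print(observer_view(HTTP_REQ))
    print(observer_view(TLS_HELLO))
```

Over HTTP the observer reads both host and page path; over HTTPS the path travels only inside the encrypted channel, so a rule can match at most the destination IP address and the hostname sent in the clear. A client that omits SNI or uses Encrypted Client Hello leaves only the IP address.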
