Update 1st August 2013
The DIA have now confirmed that they did filter some sites hosted by Google and that this caused problems for both the filter and some internet users.
Officials provided an oral briefing on the incident reported regarding a degradation of service noted by some users of certain services. The Filter Operations Team worked with the provider of those services in question. It was discovered that hentai and cgi based child abuse sites hosted on the blogspot.com domain, a resource operated by Google Inc were included in the list in error.These sites were then shown to the IRG. It was then explained that a list refresh, removed the sites in question, and subsequently resolved this issue.
The problem was further compounded by the severe congestion in the networks of one of the upstream providers used by the system. A review of the Filter’s failsafe systems was undertaken. Steps have been added to ensure that the IPs of large hosting providers are flagged and placed on a white list with a reporting mechanism for the removal of the content from the site. Additional resources were requested from the upstream provider in question to ensure traffic congestion can be avoided in the future.
Back in 2011 we spotted the first indications of how the Department of Internal Affairs Internet filter, used by 90% of all New Zealand Internet connections, actually operates. At the time, we noticed an address - 220.127.116.11 - appearing where it shouldn't in traceroutes to a site.
Now that same address has popped up in traces to Google addresses, specifically googlehosted.l.googleusercontent.com (18.104.22.168). As noted in this thread on Geekzone, some people have been experiencing performance problems reaching some Google services.
These performance problems could be caused by a Google-load of traffic to that IP being routed to the DIA's filtering server which may not be coping with the volume. Note that the filter will only be blocking one web address (URL) at that IP and letting the rest of the traffic through.
Of course this won't affect you if you are using an ISP that doesn't use the filter. Check the list of ISPs here.
Making the link
As noted back in 2011, the address appearing in traces where they shouldn't be are controlled by Fastcom, who list the Department of Internet Affairs as an important customer and which they host infrastructure for.
This was always one of the fears when the filter was introduced - that it would reduce the stability and performance of the New Zealand internet. It appears that this has now happened. Two questions:
- Will the DIA remove the entry for this IP now that they realise the problems it's causing?
- How will the DIA block web addresses hosted at high volume websites such as Google (or Wikipedia) when the filter can't cope?
Seeking more information
Have you been experiencing any issues accessing Google? Can you provide a traceroute for us? Post a comment below.
Rumours and hearsay
Thanks to the people who contacted us with more information, we just wish you were prepared to speak on the record. So far we have heard the following from people that we typically find to be reliable:
- That the DIA has denied filtering that IP address.
- That a senior ISP engineer says that the IP address was definitely filtered by the DIA filter and that they have seen the relevant BGP records.
- That the filtering of at least one Google IP address has been removed but that there might be more.
- That Google was greatly annoyed by the block and contacted the Minister to get it removed.
We'll update these rumours as we can confirm/deny them. Please email any information to firstname.lastname@example.org. We will do our best to keep your name confidential if requested, but suggest using an anonymous remailer for the best anonymity.
We recently received a complaint from a German tourist saying that when he tried to access a couple of innocuous German political sites using the free wireless at Te Papa, a page was displayed saying that his access to those sites was blocked. Te Papa had implemented internet filtering software to control what websites people could access.
The tourist complained to Te Papa. They initially tried to fob him off, but eventually he got through to someone and those sites were removed from the filter. A good outcome, right?
Not So Simple
This incident raises a number of questions:
- Why is Te Papa filtering what people see on the internet?
- What type of content is being blocked?
- Who chooses which types of content to block?
- Finally, why are they using software that flags a German political website as "Pornography (Japanese)"?
Why censor internet access?
We spoke to Te Papa but they couldn't tell us why they felt the need to censor their wireless. They did know that they blocked file sharing protocols to reduce internet traffic but couldn't tell us why they were blocking some websites. We'd understand if Te Papa wanted to use some censorware on internet terminals available to children, but their filter goes far beyond that.
Are they worried that people will somehow download banned material? It's not their responsibility and it's not like they're monitoring phone calls to make sure people don't have illegal conversations.
Are they worried that people will browse offensive material (pictures/video) in a public place and annoy others? An increasing number of their guests have smartphones and "bring their own internet" and someone could as easily watch a porn DVD on a portable player. In any of these cases, it would be a simple matter of asking them to stop.
We reject the idea that internet providers (for that is what Te Papa is doing by providing free wireless) are in any way responsible for what an internet user does with that connection, in the same way that they aren't responsible if someone uses Te Papa provided water or electricity.
Te Papa's Filter
Te Papa could tell us that they are using internet filtering supplied by their internet service provider, Telstra Clear, but they had very little idea about how it works.
- They don't know why they're blocking some types of content.
- They don't know what type of content is being blocked.
- They don't know who decides what to block and what criteria they use.
- They don't really want to find out, saying that they're "happy for them [Telstra Clear] to make the decisions".
Any museum and art gallery is surely aware of issues around censorship and free speech, Te Papa itself has been involved in certain controversies about what should be shown and to who. Why has Te Papa chosen to censor the internet with so little thought about why and how? As our visiting tourist put it:
Seeing this happen at Te Papa, a flagship of the capital, tells me something about democracy and the importance of free speech and human rights in NZ.
We tend to side with the visiting German tourist - it's inappropriate for a place like Te Papa to be censoring the internet.
We suggest that worries about people accessing "bad material" over public internet are overstated. Any inappropriate behaviour (e.g. viewing internet pornography in a public place) can be solved by asking them to stop.
If an organisation decides to press on with censorship anyway, it would seem at a minimum that they should:
- Be able to tell people what sort of material is blocked and why they're doing it.
- Have a process for deciding what to block.
- Provide an easy way to appeal any incorrect blocking.
- Not use software that is as badly written as that used by Te Papa and TelstraClear.
Of course, once you look at all that, doesn't it just seem easier to let people have unconstrained internet access in the first place?
The following is a guest post from Matt Taylor about the operation of the government's internet censorship in New Zealand.
- Very few people (only 9%) knew whether their ISP used the government filter. The ISPs using the filter represent more than 90% of the NZ internet market.
- Less than a quarter (23%) wanted the government choosing whether to filter their internet connection.
- Two-thirds want the filter to include other, non-specified, content.
Tech Liberty's Comment
We've always been opposed to the government's internet censorship system but support the right of people to choose filtering for themselves or their families. We're pleased to see that the people of New Zealand agree with us, rejecting the idea of letting the government impose centralised censorship.
Unfortunately we already have such a system. While it is voluntary at the ISP level, their users get no say in the matter and this survey shows that most are unaware that they are covered by it. We also note that with Telecom, Vodafone and 2 Degrees all having implemented the filter there are no major providers of censorship free mobile data in New Zealand, further undermining any voluntary aspect to the current filter.
At the same time it also seems obvious that the internet has a lot of disturbing content that you might want to block other than just child pornography. Therefore it makes sense that someone wanting "cleaner internet" at their home would be looking for a more general purpose filter than the government's one. A number of ISPs do offer such a service (either free or as an add-on) and it seems that they should be promoting this further.
In conclusion, it seems that the survey shows that the current government internet filter is implemented the wrong way for the wrong purpose and by the wrong people.
An interview with Ross from Cyberdodge, a supplier of VPN services that enables internet users to hide what they do on the internet.
What inspired you to offer the service?
People will always choose the easiest way to get the latest movies and TV shows and downloading off the internet is it. Unfortunately options are now limited to VPN tunnels not only for p2p but also for using an American IP address to get access to TV sites like www.hulu.com.
Are you getting many customers and what do they want it for?
Yes I am. VPN tunnels have a number of uses that include getting an American IP address to watch tv sites such as hulu.com, encrypt internet traffic when they are using a public WiFi point and of course hiding their real IP address.
How do you feel about the fact that some of your customers will probably be using your service to break NZ law?
What sort of information do you keep about your customers?
We only keep the email address.
What sort of information do you keep about your customers connections? (Such as when they connect, how long they connect for, anything they do through the service.)
We do not log what the user does or transfers over our network but we do log the time of connection and disconnection. We use this data to strategically deploy network resources. We also log the country the user is logging in from, this helps us to detect hijacked accounts and abuse. We do not log IP addresses.
Do you think your business has an obligation under the Telecommunications (Interception Capability) Act to allow the NZ police or other enforcement agencies to monitor traffic?
No, I am not a network operator. A network operator means a person who owns, controls, or operates a public telecommunications network or a person who supplies (whether by wholesale or retail) another person with the capability to provide a telecommunications service. CyberDodge does not provide anyone else with the capability to provide a service and CyberDodge is not a public telecommunications network. Public telecommunications network means a public switched telephone network and a public data network. CyberDodge is not a public switched telephone network nor a public data network. A public data network means a data network used, or intended for use, in whole or in part, by the public and includes, without limitation, the following facilities: Internet access and email access. CyberDodge requires that you have internet and email access already. This law applies to ISPs, which CyberDodge is not.
Do you think your business has an obligation under the Copyright (Infringing File Sharing) Act to store customer IP addresses so that you can pass on notices?
No, I am not a IPAP. IPAP, or Internet protocol address provider, means a person that operates a business that, other than as an incidental feature of its main business activities, offers the transmission, routing, and providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing and allocates IP addresses to its account holders and charges its account holders for its services and is not primarily operated to cater for transient users. CyberDodge does not offer the transmission nor providing of connections for digital online communications. CyberDodge only routes digital online communications. This law applies to ISPs and CyberDodge is not a ISP.
What we're seeing
A thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks - used by many sites to handle video streaming).
Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.
This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We've also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.
What we believe is happening
The filter works by creating alternative routes to particular network IP addresses and passing them onto the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz, or else it allowed through the DIA's ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)
Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 22.214.171.124 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.
This ISP's link to the Internet appears to be either under considerable pressure or is simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be degrading access significantly to any site hosted - but not actually blocked - by any IP address the DIA is wanting to inspect.
What does this mean?
The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.
Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.
The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it's not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.
We're very interested in hearing from anyone else having difficulties accessing a site where 126.96.36.199 appears in a traceroute to the site. We're particularly interested in legal content being degraded by passing through the DIA's filter.
Dear Independent Reference Group,
Please do your job.
Yours, Tech Liberty
We believe that secret censorship is a threat to our democracy. We need to be careful when giving our government the ability to limit what we can see and hear - which is why we require the Chief Censor to publish their decisions. This openness, the ability for anyone to review and challenge, helps prevent abuse of the censorship scheme.
One of our objections to the government's Internet censorship filter was that the Department of Internal Affairs has refused to release the list of censored sites. They say that they'll only censor certain types of material, but how can we know that they're sticking to this without being able to see the list?
The DIA did respond to these concerns by establishing the Independent Reference Group to provide at least some semi-independent oversight of the filter, although they had to be persuaded to let the IRG have access to the list of blocked sites. Then, from the minutes of the IRG's meeting on 15th October 2010:
Members of the Group were invited to identify any website that they wish to review. They declined to do so at this stage.
Now, we quite understand that members of the IRG don't want to look at those sites. But that's not the point - they have a responsibility to ensure that the filter "...is operated with integrity and adheres to the principles set down in the Code of Practice."
This oversight isn't going to work if the IRG don't exercise it. The filter list grew from 153 entries in June to 538 in November - surely it would have made sense to have a look at the list and select some of the additions for a brief review?
We recommend that at each meeting the IRG should randomly select a sample of newly added sites and review the content to ensure that the filter is not being abused. Anything less is neglecting their duty.
It seems that a lot has happened since we did our last update.
Increase in the number of ISPs
The ISPs using the system are now:
Telecom are obviously next and Vodafone are also apparently well on the way to implementing it. According to the DIA, "Discussions are continuing with Ihug/Vodafone, Woosh, Orcon and 2degrees. Design changes are being investigated to adapt the system for performance on mobile devices." However public statements from Orcon have said they have no plans to implement the filter.
Even so, this means that most users of the Internet in New Zealand will be using a filtered connection.
It's been over 3 years since the Department of Internal Affairs started their internet censorship trials in New Zealand. Since then (data from June 29th 2010):
Update on internet filtering including which ISPs will filter, more information from the DIA, and links to the Australian anti-filtering campaign.