Update 1st August 2013
The DIA have now confirmed that they did filter some sites hosted by Google and that this caused problems for both the filter and some internet users.
Officials provided an oral briefing on the incident reported regarding a degradation of service noted by some users of certain services. The Filter Operations Team worked with the provider of those services in question. It was discovered that hentai and cgi based child abuse sites hosted on the blogspot.com domain, a resource operated by Google Inc, were included in the list in error. These sites were then shown to the IRG. It was then explained that a list refresh removed the sites in question, and subsequently resolved this issue.
The problem was further compounded by the severe congestion in the networks of one of the upstream providers used by the system. A review of the Filter’s failsafe systems was undertaken. Steps have been added to ensure that the IPs of large hosting providers are flagged and placed on a white list with a reporting mechanism for the removal of the content from the site. Additional resources were requested from the upstream provider in question to ensure traffic congestion can be avoided in the future.
Back in 2011 we spotted the first indications of how the Department of Internal Affairs Internet filter, used by 90% of all New Zealand Internet connections, actually operates. At the time, we noticed an address - 220.127.116.11 - appearing where it shouldn't in traceroutes to a site.
Now that same address has popped up in traces to Google addresses, specifically googlehosted.l.googleusercontent.com (18.104.22.168). As noted in this thread on Geekzone, some people have been experiencing performance problems reaching some Google services.
These performance problems could be caused by a Google-load of traffic to that IP being routed to the DIA's filtering server which may not be coping with the volume. Note that the filter will only be blocking one web address (URL) at that IP and letting the rest of the traffic through.
Of course this won't affect you if you are using an ISP that doesn't use the filter. Check the list of ISPs here.
Making the link
As noted back in 2011, the addresses appearing in traces where they shouldn't be are controlled by Fastcom, who list the Department of Internal Affairs as an important customer for which they host infrastructure.
This was always one of the fears when the filter was introduced - that it would reduce the stability and performance of the New Zealand internet. It appears that this has now happened. Two questions:
- Will the DIA remove the entry for this IP now that they realise the problems it's causing?
- How will the DIA block web addresses hosted at high volume websites such as Google (or Wikipedia) when the filter can't cope?
Seeking more information
Have you been experiencing any issues accessing Google? Can you provide a traceroute for us? Post a comment below.
Rumours and hearsay
Thanks to the people who contacted us with more information. We just wish you were prepared to speak on the record. So far we have heard the following from people that we typically find to be reliable:
- That the DIA has denied filtering that IP address.
- That a senior ISP engineer says that the IP address was definitely filtered by the DIA filter and that they have seen the relevant BGP records.
- That the filtering of at least one Google IP address has been removed but that there might be more.
- That Google was greatly annoyed by the block and contacted the Minister to get it removed.
We'll update these rumours as we can confirm/deny them. Please email any information to email@example.com. We will do our best to keep your name confidential if requested, but suggest using an anonymous remailer for the best anonymity.
The following is a guest post from Matt Taylor about the operation of the government's internet censorship in New Zealand.
The government is your friend and wants you to be happy.
This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.
What we're seeing
A thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks - used by many sites to handle video streaming).
Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.
This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We've also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.
What we believe is happening
The filter works by creating alternative routes to particular network IP addresses and passing them on to the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz; otherwise it is allowed through the DIA's ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)
Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 22.214.171.124 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.
This ISP's link to the Internet appears to be either under considerable pressure or simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be significantly degrading access to any site that is hosted at, but not actually blocked on, any IP address the DIA wants to inspect.
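The two-stage behaviour described above can be modelled in a few lines. This is an added sketch, not code from the DIA or from the filter: the hostnames, addresses and URL are constructed sample data, and treating each diverted address as a /32 host route is an assumption. It shows why every site sharing a listed IP address ends up depending on the filter's upstream link, even when only one URL is blocked.

```python
import ipaddress

# Constructed sample data: documentation address ranges and made-up hostnames,
# not real filter-list entries.
DNS = {
    "blocked.example": "192.0.2.10",   # host with one listed URL
    "videos.example": "192.0.2.10",    # unrelated site on the same shared IP
    "news.example": "198.51.100.7",    # site on an unlisted IP
}
BLOCKED_URLS = {"blocked.example/banned-page"}

def _host(url):
    return url.split("/", 1)[0]

def advertised_routes(blocked_urls, dns):
    """Stage 1: one route per IP address that hosts any listed URL.
    Modelling these as /32 host routes is an assumption of this sketch."""
    return {ipaddress.ip_network(dns[_host(u)] + "/32") for u in blocked_urls}

def diverted(ip, routes):
    return any(ipaddress.ip_address(ip) in net for net in routes)

def handle_request(url, routes, blocked_urls, dns, filter_link_lossy=False):
    """Return (path, outcome) for one request from a participating ISP."""
    if not diverted(dns[_host(url)], routes):
        return ("direct", "delivered")          # normal routing, filter never sees it
    # Stage 2: the filter sees all traffic for this IP and checks the URL.
    if url in blocked_urls:
        return ("via-filter", "redirected to www.dce.net.nz")
    # Allowed, but it now depends on the filter operator's upstream link.
    return ("via-filter", "degraded" if filter_link_lossy else "delivered")

def collateral_hosts(routes, blocked_urls, dns):
    """Hosts with no listed URL whose traffic is diverted anyway."""
    listed = {_host(u) for u in blocked_urls}
    return sorted(h for h, ip in dns.items()
                  if h not in listed and diverted(ip, routes))

if __name__ == "__main__":
    routes = advertised_routes(BLOCKED_URLS, DNS)
    for url in ("news.example/", "blocked.example/banned-page", "videos.example/clip"):
        print(url, handle_request(url, routes, BLOCKED_URLS, DNS, filter_link_lossy=True))
    print("collateral:", collateral_hosts(routes, BLOCKED_URLS, DNS))
```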
What does this mean?
The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.
Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.
The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it's not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.
We're very interested in hearing from anyone else having difficulties accessing a site where 126.96.36.199 appears in a traceroute to the site. We're particularly interested in legal content being degraded by passing through the DIA's filter.
Dear Independent Reference Group,
Please do your job.
Yours, Tech Liberty
We believe that secret censorship is a threat to our democracy. We need to be careful when giving our government the ability to limit what we can see and hear - which is why we require the Chief Censor to publish their decisions. This openness, the ability for anyone to review and challenge, helps prevent abuse of the censorship scheme.
One of our objections to the government's Internet censorship filter was that the Department of Internal Affairs has refused to release the list of censored sites. They say that they'll only censor certain types of material, but how can we know that they're sticking to this without being able to see the list?
The DIA did respond to these concerns by establishing the Independent Reference Group to provide at least some semi-independent oversight of the filter, although they had to be persuaded to let the IRG have access to the list of blocked sites. Then, from the minutes of the IRG's meeting on 15th October 2010:
Members of the Group were invited to identify any website that they wish to review. They declined to do so at this stage.
Now, we quite understand that members of the IRG don't want to look at those sites. But that's not the point - they have a responsibility to ensure that the filter "...is operated with integrity and adheres to the principles set down in the Code of Practice."
This oversight isn't going to work if the IRG don't exercise it. The filter list grew from 153 entries in June to 538 in November - surely it would have made sense to have a look at the list and select some of the additions for a brief review?
We recommend that at each meeting the IRG should randomly select a sample of newly added sites and review the content to ensure that the filter is not being abused. Anything less is neglecting their duty.
It seems that a lot has happened since we did our last update.
Increase in the number of ISPs
The ISPs using the system are now:
Telecom are obviously next and Vodafone are also apparently well on the way to implementing it. According to the DIA, "Discussions are continuing with Ihug/Vodafone, Woosh, Orcon and 2degrees. Design changes are being investigated to adapt the system for performance on mobile devices." However, public statements from Orcon have said they have no plans to implement the filter.
Even so, this means that most users of the Internet in New Zealand will be using a filtered connection.
It's been over 3 years since the Department of Internal Affairs started their internet censorship trials in New Zealand. Since then (data from June 29th 2010):
Update on internet filtering including which ISPs will filter, more information from the DIA, and links to the Australian anti-filtering campaign.
Last week we announced that the New Zealand internet filter had "gone live" and was now being used to filter the connections for users of two ISPs (Watchdog and Maxnet), with more expected to follow.
The obvious question has to be, why was Tech Liberty announcing something that the Department of Internal Affairs had done? Where was their announcement that the filter had gone live on the 1st of February? Don't civil servants have a duty to communicate to the people that they serve?
We'd like to welcome our first guest author, Gerard Creamer. He's written an article that explains some of the security risks inherent in implementing a centralised filtering system. It's a little more technical than most of the articles we publish; we hope you find it interesting.