Guest post: The operation of NZ’s internet censorship filter
The following is a guest post from Matt Taylor about the operation of the government's internet censorship in New Zealand.
Kiwicon – The government is your friend
The government is your friend and wants you to be happy.
This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.
Is this what the DIA filter looks like?
What we're seeing
A thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks - used by many sites to handle video streaming).
Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.
This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We've also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.
What we believe is happening
The filter works by creating alternative routes to particular network IP addresses and passing them onto the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz, or else it allowed through the DIA's ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)
Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 124.150.165.62 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.
This ISP's link to the Internet appears to be either under considerable pressure or is simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be degrading access significantly to any site hosted - but not actually blocked - by any IP address the DIA is wanting to inspect.
What does this mean?
The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.
Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.
The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it's not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.
We're very interested in hearing from anyone else having difficulties accessing a site where 124.150.165.62 appears in a traceroute to the site. We're particularly interested in legal content being degraded by passing through the DIA's filter.
Dear Independent Reference Group – Do Your Job
Dear Independent Reference Group,
Please do your job.
Yours, Tech Liberty
We believe that secret censorship is a threat to our democracy. We need to be careful when giving our government the ability to limit what we can see and hear - which is why we require the Chief Censor to publish their decisions. This openness, the ability for anyone to review and challenge, helps prevent abuse of the censorship scheme.
One of our objections to the government's Internet censorship filter was that the Department of Internal Affairs has refused to release the list of censored sites. They say that they'll only censor certain types of material, but how can we know that they're sticking to this without being able to see the list?
The DIA did respond to these concerns by establishing the Independent Reference Group to provide at least some semi-independent oversight of the filter, although they had to be persuaded to let the IRG have access to the list of blocked sites. Then, from the minutes of the IRG's meeting on 15th October 2010:
Members of the Group were invited to identify any website that they wish to review. They declined to do so at this stage.
Now, we quite understand that members of the IRG don't want to look at those sites. But that's not the point - they have a responsibility to ensure that the filter "...is operated with integrity and adheres to the principles set down in the Code of Practice."
This oversight isn't going to work if the IRG don't exercise it. The filter list grew from 153 entries in June to 538 in November - surely it would have made sense to have a look at the list and select some of the additions for a brief review?
Recommendation
We recommend that at each meeting the IRG should randomly select a sample of newly added sites and review the content to ensure that the filter is not being abused. Anything less is neglecting their duty.
An Update on Internet Censorship in NZ
Yesterday Telecom announced that they were joining the DIA's Internet censorship scheme.
It seems that a lot has happened since we did our last update.
Increase in the number of ISPs
The ISPs using the system are now:
- Maxnet
- Watchdog
- TelstraClear
- Airnet
- Xtreme
Telecom are obviously next and Vodafone are also apparently well on the way to implementing it. According to the DIA, "Discussions are continuing with Ihug/Vodafone, Woosh, Orcon and 2degrees. Design changes are being investigated to adapt the system for performance on mobile devices." However public statements from Orcon have said they have no plans to implement the filter.
Even so, this means that most users of the Internet in New Zealand will be using a filtered connection.
Internet filtering – time to let it go?
It's been over 3 years since the Department of Internal Affairs started their internet censorship trials in New Zealand. Since then (data from June 29th 2010):
Internet filtering update
Update on internet filtering including which ISPs will filter, more information from the DIA, and links to the Australian anti-filtering campaign.
Department of Internal Affairs failing on open government
Last week we announced that the New Zealand internet filter had "gone live" and was now being used to filter the connections for users of two ISPs (Watchdog and Maxnet), with more expected to follow.
The obvious question has to be, why was Tech Liberty announcing something that the Department of Internal Affairs had done? Where was their announcement that the filter had gone live on the 1st of February? Don't civil servants have a duty to communicate to the people that they serve?
Guest article: Security risks of centralised filtering
We'd like to welcome our first guest author, Gerard Creamer. He's written an article that explains some of the security risks inherent in implementing a centralised filtering system. It's a little more technical than most of the articles we publish; we hope you find it interesting.
Media release: NZ government now filtering internet
The Department of Internal Affairs has admitted that the internet filter is now operational and is already being used by ISPs Maxnet and Watchdog. It appears that Maxnet have not told their customers that they are diverting some of their internet traffic to the government system to be filtered.
Thomas Beagle, spokesperson for Tech Liberty, "We're very disappointed that the filter is now running, it's a sad day for the New Zealand internet."
