How the Great Firewall of Britain works

Here's a flowchart showing how Cleanfeed -- the secret British national firewall that is presently restricting access to Wikipedia - operates:

Our routers firstly check the IP address of the server that’s hosting the URL you’re trying to access. If they determine that the IP address is also used to host one of the websites on the IWF list then your request is passed to the IWF proxies. A lookup is then done and if the address you’re trying to access matches one on the list then the request is denied.

Translation: a third party now monitors every request made to Wikipedia from the six ISPs that participate in the Great Firewall of Britain.

Great Firewall of Britain (Thanks, Seth!)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Civlib • politics

More at Boing Boing

The technology that links taxonomy and Star Trek

Hackers prepare for first "national holiday" in their honor

paul567

You could still use Tor to get around this couldn’t you?

http://www.torproject.org/
Blue

>The Internet Watch Foundation, an independent body funded by the EU and the major ISPs administer the list, in response to submissions by the public.

I don’t think it’s our duty to take a stance on whether an image is illegal or not. We need to report anything we suspect might be dodgy to the IWF so that they, in partnership with those bastions of good judgement, the British police, can take a wild guess at it and censor it.

Books by Nan Goldin, David Hamilton, Jock Sturges, Sally Mann. The ‘pseudo-photographs’ of Michaelangelo. Any instances of Alan Moore’s Lost Girls. Children’s clothing catalogues (underwear section). Anything and everything.

It is not for us to decide.

That these items will be able to be legally bought in the UK, but not viewable by UK users of the internet, is neither here nor there. We cannot fathom the wisdom of our betters in their quest to protect us.

http://www.iwf.org.uk/reporting.htm
Ugly Canuck

“Internet Watch Foundation”? Similar to…
“Board of Censors”? Eh, wot?
I’m not for child porn, but am strongly against State monitoring of(=interference with) their Citizen’s use of the Internet: the latter is so very capable of producing very bad outcomes that it is better to keep the State from developing any such methods of monitoring/control, at all. It’s an issue of basic human freedom. (And it -ie monitoring – is an area where the US gov. it appears is proceeding full bore.)
History shows that if people have access to info they will use it for their own selfish ends. Do not give this to politicians, do not trust them with this power.
Such measures are an over-reaction to the problem, which is , let me be clear, the abuse of children, NOT the ogling of pictures downloaded from the Internet.
arjenkamphuis

So who makes the ‘suspect’ list and on what grounds are IP’s put on the list?
a_user

things just keep shifting rightwards in the UK don’t they, next they’ll start arresting people for making ‘inappropriate’ comments
dssstrkl

@ARJENKAMPHUIS:

Dude, don’t you know? That data must always be secret to protect us from the terrists! Us lowly peons are too stupid and huddled mass-like to think for ourselves.

That, and its too easy to criticize the government now…
teb

@DSSSTRKL:

Should they publish a list of all known child porn then?
Anonymous

Would it be possible to make a Firefox add-on that would monitor such connection terminations and alert the user, and/or anonymously report it to some censorship monitoring server, and/or redirect it through “our” proxy?

For Wikipedia specifically, what about allowing access via HTTPS, at least for editing? That’d solve the IP address issues.
coldspell

If government knows where the child porn is, why don’t they just go ‘em?
Anonymous

@paul567
Using TOR to bypass filters relies upon people running “Exit nodes” in countries that aren’t behind filtered internet access. Normally this would be a “Western Democracy” that promotes freedom of speech, unfortunately in this case, the UK is seemingly not such a country any more.

I used to run a TOR Exit Node, now it seems that to use my connection as an exit node would just be swapping one filter for another. I’m with PlusNet at the moment but I’m so disgusted with the lack of transparency, I’ll likely jump ship at my earliest opportunity.
Ugly Canuck

Put another way: wholesale monitoring/censorship of the internet will not result in one less child being abused….but would cost a lot in terms of freedom and money…and would succeed in punishing those who would ogle “bad” pictures downloaded from the internet.
The cure is worse than the disease (although targeted investigation of originating sites, and their prosecution, is to be encouraged, I think).
Oskar

Ok, so I’m really upset about this and all, but really, you have to sit these people down and give them a stern talking-to: STOP COMPRESSING YOUR JPGS SO FUCKING HARD! YOU GET ARTIFACTS! THE IMAGES LOOK LIKE CRAP!

And, yeah, stop it with the big-brother thing. But I’m mostly upset over the jpgs.
imipak

@arjenkamphuis, #1:
“So who makes the ‘suspect’ list and on what grounds are IP’s put on the list?”

The Internet Watch Foundation, an independent body funded by the EU and the major ISPs administer the list, in response to submissions by the public. They’ve also got a superleet top sekrit flowchart showing their process for dealing with submissions.

@Coldspell, #5:

“If government knows where the child porn is, why don’t they just go ‘em?”

If it’s hosted in the UK, they’ll pass the info to the police, who do the door kicking and collar feeling. Stuff outside the UK goes to Interpol. Of course national standards vary,

OK my last comment on this topic, as I did a lot of “Speak Your Branes” rambling on the earlier thread yesterday. This is not a Chinese-style “great firewall”, and to claim that it is such simply devalues the coin of protest when genuinely regressive technological stuff happens. Cory and most everyone else here (I realise I’m in a minority of one on this!) seems to want unfettered access to child porn in the name of free speech and no censorship. I respectfully disagree.

Wow, spooky, literally as I typed these words the BBC Radio “Today” programme is covering the story; the IWF have put up a spokesperson. BBC news online are carrying the story too. Hey ho.
Julian Bond

Time for some investigation into the http://www.iwf.org.uk/ methinks.
imipak

Forgive me, for I am weak… :rolleyes:

…and the Wikipedia spokesman on Radio 4 has just said that they have no objection at all the existence of the IWF or blocking of illegal images in principle, only to the listing of this particular image.

You can do the ListenAgain thing from the Today programme’s site:

http://news.bbc.co.uk/today/hi/default.stm

It was pretty much the last item covered, at about 8:50am.

Cory, can you point to any established campaigning organisations who are running a campaign to say “nothing on the internet should ever be blocked, including child porn”?

Anyone?
imipak

@Julian Bond: http://en.wikipedia.org/wiki/Internet_Watch_Foundation

“About Us”: http://www.iwf.org.uk/public/page.103.htm
Powerphail

@Imipak #7:

The Wikipedia page that was censored is hardly ‘child porn’. This is simply a step too far in internet censorship – the image in question appears in tons of books that were not deemed indecent, you can even pick up the original record baring the cover from the high street without any grief.

Taking down online child porn rings is one thing, blocking articles on Wikipedia is another.
Macroscopia

@Imipak

Not saying it’s your doing but your comments suggest the threads have twisted into an argument for and against the censorship of child porn – I don’t think anyone is really arguing against you on that point.

The issue comes where the system is attacking a well reputed site, which is consensually maintained by a diverse community. If an article was offensive to a large proportion of that community it would get changed from within the community.

That’s the problem. The state, here represented by the iwf, dictating morality. The extrapolation being that you stop people from thinking things through for themselves and coming to a firm set of personal morals. The ultimate outcome being a blanket set of right and wrongs defined by the governing body with no distinction or grey scales between them. We all agree that child porn is firmly on the wrong side, but what is next? Drug use? The reactionary media would put that firmly next to child porn, but is it even in the same league of wrongness? Who decides? A body that has to appear tough on such things to appease the ignorant masses? That’s lynch mob justice for the modern age.

A last point – I would imagine that the Scorpions album cover has never had so many viewings as it has since it got banned by the UK ISP’s. I would again imagine that the majority of these viewings were not made by actual paedophiles, who are more likely up to far more sinister activities. Number of people somehow titillated into committing real abuse after looking at the page? Again I would imagine a minute proportion. As someone else said, why not put the resource into preventing the real crimes being committed rather than nannying wikipedia and the vast majority of the community that just take offence at being told what to do.

http://uk.youtube.com/watch?v=jaUkt59vY1Q
Cory Doctorow

No one is advocating free access to child porn.

However, Cleanfeeds doesn’t prevent people who are looking for child porn to gain access to it (the cops who specialise in child porn will tell you that trading takes place on private, closed P2P networks, often hardened with crypto — Cleanfeeds doesn’t and can’t prevent this).

So that leaves the use-case for Cleanfeeds being “preventing people from accidentally seeing child porn.” I believe that this is generally a non-problem. I’m a pretty wide-ranging web-user and I’ve *never* accidentally had child porn come up in a web-browser (the same is not true of email — I’ve gotten many graphic child-porn images in spam, but Cleanfeeds does nothing about spam).

But even stipulating that this *is* a problem for some people, Cleanfeeds won’t be effective at combatting it because the blacklist will necessarily omit some child porn (no one is pretending that Cleanfeeds can evaluate every page on the net), and will necessarily include some material that *isn’t* child porn (like Wikipedia pages) because the people who run the list are not accountable and will have definitions of “child porn” that don’t jibe with the law or with individual judgments.

What I believe is that Cleanfeeds should operate like HM Customs. If you try to import something questionable into the UK (say, a copy of Alan Moore’s brilliant LOST GIRLS, which explores the subject of pubescent sexuality with art and sensitivity), then HM Customs may try to stop the book from entering the country.

When they do, they will notify both the importer and the exporter of their decision. It will be made public. If anyone objects, they can appeal the decision, also in public.

This is the rule of law. This is transparency. This is due process. This works.

This is not how Cleanfeeds works.

Cleanfeeds uses secret criteria to assemble secret blacklists of pages that it wishes to block. If you try to “import” a blocked page, you aren’t told that it’s blocked; you’re returned a cryptic HTTP error-code. There’s no notice to the “exporter” or the “importer” that the page is on the list. The list is not disclosed to the public.

The failure of security through obscurity is axiomatic to every field of information security — except Cleanfeeds, which relies on secrecy and obscurity to prevent the importation of child porn.

Letting a secret group of people decide what you can and can’t read according to secret criteria is not a good basis for creating a free society. And it doesn’t stop child porn, either.
vpjayant

This is stupid. Incredibly stupid.

The image is still available on other large sites, such as Amazon. Are the IWF going to try to take that down as well? People always moan about how much censorship there is in China, but now people here have enough power to make the UK just as bad.

What does this accomplish? It does nothing to hinder paedophiles; I seriously doubt they browse Wikipedia to get their kicks. All it does is harm legitimate Wikipedia users, restricting their access and editing privileges.
The Unusual Suspect

Cleanfeed has infested Canada, too:

http://www.cybertip.ca/app/en/cleanfeed
Powerphail

#25 Paul567:

Of course you can… Until the government deems that illegal because paedophiles could possibly maybe use it to look at 1970s metal covers on Wikipedia!

It’s going to happen guys, serious!
Anonymous

On a related note a Australian Supreme Court judge has just ruled that fictional depiction’s of underage sexual acts are child porn. Next up, prosecutions of any persons that have a copy of Lolita…..

http://www.stuff.co.nz/4786351a1860.html
Anonymous

And it gets worse:
It looks like the whole of Wikipedia is currently unavailable to everybody with Virgin Media as their ISP! :-(
MikeGrice

Hi,

As the author of the above diagram I’d like to clear up – this isn’t how CleanFeed, which is a BT product, works – this is how the Plusnet implementation of the IWF CAIC list works.

The diagram as quoted is one that was posted on the Plusnet Community Site following a discussion between some of our customers and staff on how the system works (they had concerns about logging and so on).

I think its worth stating that the system above:

a) was designed, implemented, and operated here at Plusnet (i.e., its not a black box from a third party)
b) doesn’t log anything that might identify a person (even internal system debug logs do not contain things personally identifying, such as an IP address),
c) is totally managed in-house and on our network (so a third party does not oversee anything)
d) is automated in what is on there, and
e) even access to the system is tightly controlled internally due to the nature of how it works.

Just clearing up the technical / factual side of things, there is more information on the Community Site if you want to know more about its implementation here at Plusnet.

Thanks,
Mike
Anonymous

The radio interview is downloadable (don’t try streaming it!) from:

http://www.bathrobecabal.org/bbcinterview.mp3

- David Gerard
connor

hy cry.

f crs w ll gr wth y n ths prvcy/tchnlgy sss. bt wht cn w d wth n gng ppltn nd dmcrcy flng s ? y nvr sm t prvd sltn t th wy ppl lk s wh rn’t cmplt cnts r trtd by th gvrnmnt. m ntrstd t hr wht y thnk w shld d bt t. strt cmmn ? trrrsm..?

y mnng bt th k gvrnmnt gts s nwhr. why dn’t y pck smll cntry smwhr wth slck mmgrtn lws. w wll ll mv thr nd thn nstll fr hgh spd ntrnt, vryn wll hv lnx cmptrs, n drm, gvrnmnt wll b pn nd trnsprnt tc..

bngbng tp. :P
Alex Tingle

Let’s do something about it. Sign the pledge: “I will move to an ISP that does not censor my Internet access but only if 1,000 other people in the UK will do the same.”

http://www.pledgebank.com/boycottcensors
Anonymous

So photos by Jock Sturges and Bill Henson are illegal in the UK?
Anonymous

Re Cory’s book importing analogy:

Horses for courses – importing a book is a one to one process (exporter – importer). The customs and police etc can probably cope with the traffic. The web is a more of a many to many process and the book importing legal processes simply wouldn’t work. Anyone that doesn’t agree with the principle of a state policing its citizens will find his stay in the UK very tiresome.

On the other hand public scrutiny and correction of the state’s policing processes is essential for freedom and democracy etc etc. Keep up the good work Cory.
serraphin

Teb up @4

A bit of the problem with the Cleanfeed system is that any enterprising young/old/wrong hacker may find it possible to reverse engineer the system to actually gain the blocked list.

http://www.guardian.co.uk/technology/2005/may/26/onlinesupplement

So you now have a full list of indecent sites likely not hosted in countries where it can be shut down.

Also all it takes is for some rightwing nutjob to decide – oh I dunno – that as well as indecent images they should block sites that are linked to seditious or criminal behavour. And then who get’s to decide what that consists of?

BoingBoing critiscises government policy – tut tut. Can’t have the plebious masses reading that can we?
arjenkamphuis

In the Netherlands there was a department withing the national police that made a list of ‘known’ sites hosting forbidden images. When the list became public it turned out some of those locations were in Dutch soil and this could have been shutdown (instead of just blocked).

There was no documented process or a set of conditions to be met to guide the selection proces, individuals within the department just made it up as they went.

There was also no clear process for getting of the list or knowing why you were on it if you were on it if a mistake had been made.

The department has been shutdown since this has become public information
george57l

Wellington Grey has a good perspective on this …

http://miscellanea.wellingtongrey.net/2008/12/07/dear-internet-censors/

I suggest a campaign to notify this, and any other similar “war” or “news” pictures, to IWF, along with Amazon and everyone else still showing the Scorpions cover. Drown the IWF in their own idiocy and inconsistency.
imipak

Posting on lunchbreak so have to be brief. Cory – thanks for breaking it down. I think I’m still going to respectfully disagree though, I’m afraid.

You say “No one is advocating free access to child porn” — if that’s the case then the details about exactly what gets blocked, how the list is maintained, how the filtering happens etc is purely an implementation detail, isn’t it? Seems to me that what’s being debated is the supposed “great firewalls” rulebase, rather than their existence per se?

Sorry I haven’t time to read and respond properly right now :/
Oskar

@Imipak: You’re missing the point. The point is that this is a closed system, where one administrator at one private company can decide what should and should not be on the internet, and there is no way at all to appeal.

That guy isn’t perfect. It is obvious, to any reasonable observer, that the IWF is clearly in the wrong. If the image is up on Amazon, if it’s been sold in record stores for three decades, if it’s never been ruled illegal by any authority, of course wikipedia should be allowed to host the image in a scholarly article surrounding the controversy about it. It is educational material, and you can’t go around blocking educational material just because you don’t like it. That way lies autocracy. Free speech, remember?

What if he decides to block other stuff next? Regular pornography? Maybe images that are repulsive to christians? “That’s absurd”, you might think. It’s no more absurd than blocking a wikipedia article.

If any system like this is to be implemented, it is imperative that it should be transparent. Everyone has to be informed of what is happening, in the open, and given a chance to protest the blocking (just like Cory said).

(Not to mention the fact that this system does absolutely no good what-so-ever. Pedophiles are still going to get their images, IWF wont be able to stop that. All this is doing is blocking regular users from wikipedia)

You say this is just an “implementational detail”. That’s absurd. It’s like saying that the difference between a fair trial and just locking people up indefinitely because you think that they are guilty is an “implementational detail” of a justice system.

Wikipedia is now in the position that one of it’s pages is completely blocked and there is no way of undoing it. Also, now all contributions coming from those ISPs are coming from a single IP address, which makes it a million times harder to check edits and block vandals coming from it. Not to mention the users, whose visits to wikipedia are now being funneled through one private company’s server, quite possibly being monitored. Can they appeal? Can they safely search wikipedia without the fear of being spied on by the IWF?

This is not “implementation detail”. This is restricting free speech.
vib

Let’s try this thing in inverse and list things the censors would gladly leave uncensored.

- Things that portray authorities in positive way
- Things that encourage heterosexuality between adults
- Things that encourage the youth to be healthy and productive (in terms dictated by the authority)
- Things that are in harmony with the views of the authority and large corporations (which supply the technology)

The worship of self gains momentum in a world, which doesn’t follow the will of a confused individual. The subjects become the projected objects, which hold all the immaturity that was originally hidden inside. Therefore they need to be controlled, and the confused dialogue expands while the original illusions remain unsolved. The cycle will continue until it’s too much to bear, but how much can we take, and how short sighted are we? There is a whole new reality out there beyond the 2D projection provided by the eyes.
Chicchan

Erhmm, aint they also saving up request generating usersÂ´s ips and other sensible information in some monstrous log of panopticum mayhem ?

Thats missing on the flow chart.
The Unusual Suspect

Canadian cultural bias could be a model for the world!

That’s great and all, but having a secret organization make secret decisions based on secret rules about a secret list of websites is bound to fail sooner or later, even in Canada.

It just failed earlier in the UK.
Anonymous

An important point is that this system affects shared systems greatly, so in this social media world if one member of a site posts unfortunate material, then all of the site is impacted. I originally was given the information about the flow chart in response to my reporting general access problems to Ning.com – which is now on the list by my understanding.

http://nocky100.wordpress.com/2008/12/08/obviously-ning/
Anonymous

Canadians rock! Cleanfeed Canada refers complaints within Canada directly to law enforcement — modelled on the IWF, it nevertheless allows the album cover in question, and apparently additionally analyses 100 times the content from American sources, even though economies of scale would recommend (at most, if we were to do all their work for them) 10 times, since our population is 10% of theirs.

As wary as I am of censorship, Canadian cultural bias could be a model for the world!
Anonymous

What interests me, is whats the score if it had been Amazon (or other retailer) they Censored, for the Album cover. As they would be interfering with a legitimate business with no legitimate Grounds.

I know id be looking at sueing anyone that deliberate blocked customers from buying a Legal product from me.
Craig
dragonfrog

Hmmm. “TCP Reset is sent back to customer instead of content”. I suspect could be more accurately phrased “TCP Reset is sent back to customer ahead of content.”

Which means that the customer request proceeds to the server, and the response begins coming back, but the hope is that the client will already have reset the connection and will ignore the response.

Is this in place, or only proposed? If it’s in place, is there a reader in the UK who can set up a simple packet filter to drop all incoming TCP Resets, and then try to look at forbidden content (e.g. the Wikipedia articles described)?

Of course, they could also sent a RST to the server, which would also have to have a similar packet filter in place – presumably those serving up truly vile content will quickly implement this, while the innocent will not. Then this would go the way of all DRM schemes – the only people to suffer will be the honest ones…
Anonymous

“Translation: a third party now monitors every request made to Wikipedia from the six ISPs that participate in the Great Firewall of Britain. ”

I think filtering blows, but if you think third parties (or your ISP for that matter) has no knowledge or record of where your traffic goes, you’ll always be disappointed.

The whole Internet exists because third parties allow it to work. Your dirty little secrets probably pass through a dozen provders between your special interest website and your bedroom :)