UK ISPs vexed by filtering proposal

British ISPs are increasingly concerned by the government’s little-reported effort to get them all to deploy a content-filtering system developed by BT before mid-July.

Back in 2003, at the behest of then-Home Secretary David Blunkett, BT deployed its Cleanfeed system in its customer DSL network to filter child abuse images (CAI).

Now, the government would like all consumer ISPs to do likewise. Otherwise, it is threatening to legislate in the autumn.

The system is something of a throwback to the 90s, when essentially all ISPs cached web pages. Under Cleanfeed, a list of suspect pages is passed in by the Internet Watch Foundation, an industry (and News International)-funded group, and then resolved to IP addresses in the normal way.

The ISP then injects BGP routing messages into its network for port 80 on the prefixes concerned, substituting the IP address of a Squid web proxy on its network for the next-hop router. This proxy catches URL requests and matches them against the IWF blacklist. Non-matches are simply forwarded to the gateway router and matches return a 404 error.

There is widespread concern at the cost of such an exercise. Unlike law-enforcement data retention under the Regulation of Investigatory Powers Act 2000 (RIPA), the ISPs are not legally obliged to do this. And unlike RIPA, the government will not contribute to the costs. Hence, no doubt, part of the Home Office’s keenness to implement it.

Technical concerns also include the consequences for the internet routing tables. Each IP address on the list requires a /32 to be disaggregated from the CIDR and given its own unique route, which could increase the RAM and speed requirements for internal routers significantly, especially if the list tends to grow.
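
The two-stage design described above (diversion by address, then URL matching at the proxy) and its one-route-per-address cost can be modelled in a few lines. This is an added Python example, not code from BT or any ISP; the host names, addresses, next-hop labels and exact-string URL matching are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: documentation-range addresses and .example hosts.
DNS = {
    "shared-host.example": "192.0.2.10",
    "other-site.example": "192.0.2.10",   # unrelated virtual host, same address
    "unrelated.example": "198.51.100.7",
}
BLACKLIST = {"http://shared-host.example/listed/page.html"}
PROXY = "proxy"      # hypothetical label for the filtering proxy next hop
GATEWAY = "gateway"  # hypothetical label for the normal gateway router


def build_routes(blacklist, dns):
    """Stage 1 setup: one /32 host route per distinct address behind a listed URL."""
    routes = set()
    for url in blacklist:
        host = urlsplit(url).hostname
        routes.add(ipaddress.ip_network(dns[host] + "/32"))
    return routes


def next_hop(dst_ip, dst_port, routes):
    """Stage 1: only port-80 traffic to a listed /32 is diverted to the proxy."""
    addr = ipaddress.ip_address(dst_ip)
    if dst_port == 80 and any(addr in net for net in routes):
        return PROXY
    return GATEWAY


def handle(url, port, blacklist, dns, routes):
    """Return (path taken, outcome) for one request."""
    host = urlsplit(url).hostname
    hop = next_hop(dns[host], port, routes)
    if hop == GATEWAY:
        return (GATEWAY, "forwarded")
    # Stage 2: the proxy sees the full URL and compares it with the list.
    if url in blacklist:
        return (PROXY, "404")
    return (PROXY, "forwarded")


if __name__ == "__main__":
    routes = build_routes(BLACKLIST, DNS)
    print(len(routes), "host route(s) injected")
    for u in ("http://shared-host.example/listed/page.html",
              "http://other-site.example/index.html",
              "http://unrelated.example/"):
        print(u, handle(u, 80, BLACKLIST, DNS, routes))
```

With this sample data, a request for an unlisted site that shares 192.0.2.10 still passes through the proxy, and the route count grows with the number of distinct addresses on the list.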

There are also issues of principle – so far as is known, there is no recourse for those on the list. The list itself is confidential, and is priced by the IWF at £5,000 a year. It seems unlikely that the police will not be tempted to demand the logs from the proxy – one ISP is known to have removed the logging code from Squid so that significant development work (at taxpayers’ expense this time) would be necessary to do this.

Encrypted protocols, NNTP, encrypted email, and peer to peer systems will not be affected – or to put it another way, the major distribution channels for CAI. Officially, the aim is to protect the public from “accidentally stumbling on” the images. How realistic a threat this is may be debated.

The Open Rights Group, a British digital rights and privacy campaign group, is promising to make the filtering concerns its “next big issue”.
