Archive for the ‘Internet Blocking’ Category

Read more uk_internet_censors.htm at MelonFarmers.co.uk

This report follows our research into current Internet content regulation efforts, which found a lack of accountable, balanced and independent procedures governing content removal, both formally and informally by the state.

There is a legacy of Internet regulation in the UK that does not comply with due process, fairness and fundamental rights requirements. This includes: bulk domain suspensions by Nominet at police request without prior authorisation; the lack of an independent legal authorisation process for Internet Watch Foundation (IWF) blocking at Internet Service Providers (ISPs) and in the future by the British Board of Film Classification (BBFC), as well as for Counter-Terrorism Internet Referral Unit (CTIRU) notifications to platforms of illegal content for takedown. These were detailed in our previous report.

The UK government now proposes new controls on Internet content, claiming that it wants to ensure the same rules online as offline. It says it wants harmful content removed, while respecting human rights and protecting free expression.

Yet proposals in the DCMS/Home Office White Paper on Online Harms will create incentives for Internet platforms such as Google, Twitter and Facebook to remove content without legal processes. This is not the same rules online as offline. It instead implies a privatisation of justice online, with the assumption that corporate policing must replace public justice for reasons of convenience. This goes against the advice of human rights standards that government has itself agreed to and against the advice of UN Special Rapporteurs.

The government as yet has not proposed any means to define the harms it seeks to address, nor identified any objective evidence base to show what in fact needs to be addressed. It instead merely states that various harms exist in society. The harms it lists are often vague and general. The types of content specified may be harmful in certain circumstances, but even with an assumption that some content is genuinely harmful, there remains no attempt to show how any restriction on that content might work in law. Instead, it appears that platforms will be expected to remove swathes of legal-but-unwanted content, with an as-yet-unidentified regulator given a broad duty to decide if a risk of harm exists. Legal action would follow non-compliance by a platform. The result is the state proposing censorship and sanctions for actors publishing material that it is legal to publish.

Read more uk_internet_censors.htm at MelonFarmers.co.uk

Executive Summary

The BBFC’s Age-verification Certificate Standard (“the Standard”) for providers of age verification services, published in April 2019, fails to meet adequate standards of cyber security and data protection and is of little use for consumers reliant on these providers to access adult content online.

This document analyses the Standard and certification scheme and makes recommendations for improvement and remediation. It sub-divides generally into two types of concern: operational issues (the need for a statutory basis, problems caused by the short implementation time and the lack of value the scheme provides to consumers), and substantive issues (seven problems with the content as presently drafted).

The fact that the scheme is voluntary leaves the BBFC powerless to fine or otherwise discipline providers that fail to protect people’s data, and makes it tricky for consumers to distinguish between trustworthy and untrustworthy providers. In our view, the government must legislate without delay to place a statutory requirement on the BBFC to implement a mandatory certification scheme and to grant the BBFC powers to require reports and penalise non-compliant providers.

The Standard’s existence shows that the BBFC considers robust protection of age verification data to be of critical importance. However, in both substance and operation the Standard fails to deliver this protection. The scheme allows commercial age verification providers to write their own privacy and security frameworks, reducing the BBFC’s role to checking whether commercial entities follow their own rules rather than requiring them to work to a mandated set of common standards. The result is uncertainty for Internet users, who are inconsistently protected and have no way to tell which companies they can trust.

Even within its voluntary approach, the BBFC gives providers little guidance as to what their privacy and security frameworks should contain. Guidance on security, encryption, pseudonymisation, and data retention is vague and imprecise, and often refers to generic “industry standards” without explanation. The supplementary Programme Guide, to which the Standard refers readers, remains unpublished, critically undermining the scheme’s transparency and accountability.

Recommendations

Grant the BBFC statutory powers:

  • The BBFC Standard should be substantively revised to set out comprehensive and concrete standards for handling highly sensitive age verification data.

  • The government should legislate to grant the BBFC statutory power to mandate compliance.

  • The government should enable the BBFC to require remedial action or apply financial penalties for non-compliance.

  • The BBFC should be given statutory powers to require annual compliance reports from providers and fine those who sign up to the certification scheme but later violate its requirements.

  • The Information Commissioner should oversee the BBFC’s age verification certification scheme

Delay implementation and enforcement:

Delay implementation and enforcement of age verification until both (a) a statutory standard of data privacy and security is in place, and (b) that standard has been implemented by providers.

Improve the scheme content:

Even if the BBFC certification scheme remains voluntary, the Standard should at least contain a definitive set of precisely delineated objectives that age verification providers must meet in order to say that they process identity data securely.

Improve communication with the public:

Where a provider’s certification is revoked, the BBFC should issue press releases and ensure consumers are individually notified at login.

The results of all penetration tests should be provided to the BBFC, which must publish details of the framework it uses to evaluate test results, and publish annual trends in results.

Strengthen data protection requirements:

Data minimisation should be an enforceable statutory requirement for all registered age verification providers.

The Standard should outline specific and very limited circumstances under which it’s acceptable to retain logs for fraud prevention purposes. It should also specify a hard limit on the length of time logs may be kept.

The Standard should set out a clear, strict and enforceable set of policies to describe exactly how providers should “pseudonymise” or “deidentify” data.

Providers that no longer meet the Standard should be required to provide the BBFC with evidence that they have destroyed all the user data they collected while supposedly compliant.

The BBFC should prepare a standardised data protection risk assessment framework against which all age verification providers will test their systems. Providers should limit bespoke risk assessments to their specific technological implementation.

Strengthen security, testing, and encryption requirements:

Providers should be required to undertake regular internal and external vulnerability scanning and a penetration test at least every six months, followed by a supervised remediation programme to correct any discovered vulnerabilities.

Providers should be required to conduct penetration tests after any significant application or infrastructure change.

Providers should be required to use a comprehensive and specific testing standard. CBEST or GBEST could serve as guides for the BBFC to develop an industry-specific framework.

The BBFC should build on already-established strong security frameworks, such as the Center for Internet Security Cyber Controls and Resources, the NIST Cyber Security Framework, or Cyber Essentials Plus.

At a bare minimum, the Standard should specify a list of cryptographic protocols which are not adequate for certification.

Read more me_internet.htm at MelonFarmers.co.uk

YouTube has decided to adopt a widespread censorship rule to ban the promotion of hate speech. Google wrote:

Today, we’re taking another step in our hate speech policy by specifically prohibiting videos alleging that a group is superior in order to justify discrimination, segregation or exclusion based on qualities like age, gender, race, caste, religion, sexual orientation or veteran status.

However for all the Artificial Intelligence it has at its disposal the company cannot actually work out which videos promote hate speech. Instead it has taken to banning videos referencing more easily identifiable images such as Nazi symbology, regardless of the context in which they are presented.

For example YouTube has blocked some British history teachers from its service for uploading archive material related to Adolf Hitler.

Scott Allsopp, who owns the long-running MrAllsoppHistory revision website and teaches at an international school in Romania, had his channel featuring hundreds of historical clips on topics ranging from the Norman conquest to the cold war deleted for breaching the rules that ban hate speech. Allsopp commented:

It’s absolutely vital that YouTube work to undo the damage caused by their indiscriminate implementation as soon as possible. Access to important material is being denied wholesale as many other channels are left branded as promoting hate when they do nothing of the sort.

While previous generations of history students relied on teachers playing old documentaries recorded on VHS tapes on a classroom television, they now use YouTube to show raw footage of the Nazis and famous speeches by Adolf Hitler.

Richard Jones-Nerzic, another British teacher affected by the crackdown, said that he had been censured for uploading clips to his channel from old documentaries about the rise of Nazism. Some of his clips now carry warnings that users might find the material offensive, while others have been removed completely. He said he was appealing YouTube’s deletion of archive Nazi footage taken from mainstream media outlets, arguing that this is in itself a form of negationism or even holocaust denial.

Allsopp had his account reinstated on Thursday following an appeal but said he had been contacted by many other history teachers whose accounts have also been affected by the ban on hate speech. Users who do not swiftly appeal YouTube’s decisions could find their material removed for good.

Read more uk_internet_censors.htm at MelonFarmers.co.uk

A recent internet protocol allows websites to be located without the traditional approach of asking your ISP’s DNS server, and so evades website blocks implemented by the ISP. Because the new protocol is encrypted, the ISP is restricted in its ability to monitor which websites are being accessed. This very much impacts the ISP’s ability to block illegal child abuse content identified in a block list maintained by the IWF. Over the years the IWF has been very good at sticking to its universally supported remit. Presumably it has realised that extending its blocking capabilities to other less critical areas may degrade its effectiveness, as it would then lose that universal support.

Now of course the government has stepped in and will use the same mechanism as used for the IWF blocks to block legal and very popular adult porn websites. The inevitable interest in circumvention options will very much diminish the IWF’s ability to block child abuse. So the IWF has taken to campaigning to support its capabilities. Fred Langford, the deputy CEO of IWF, told Techworld about the implementation of encrypted DNS:

Everything would be encrypted; everything would be dark. For the last 15 years, the IWF have worked with many providers on our URL list of illegal sites. There’s the counterterrorism list as well and the copyright infringed list of works that they all have to block. None of those would work.

We put the entries onto our list until we can work with our international stakeholders and partners to get the content removed in their country, said Langford. Sometimes that will only be on the list for a day. Other times it could be months or years. It just depends on the regime at the other end, wherever it’s physically located.

The IWF realises the benefit of universal support, so it generally acknowledged the benefits of the protocol for privacy and security and focused on the need for it to be deployed with appropriate safeguards in place. It is calling for the government to insert a censorship rule that includes the IWF URL List in the forthcoming online harms regulatory framework to ensure that the service providers comply with current UK laws and security measures. Presumably the IWF would like its block list to be implemented by encrypted DNS servers worldwide. IWF’s Fred Langford said:

The technology is not bad; it’s how you implement it. Make sure your policies are in place, and make sure there’s some way that if there is an internet service provider that is providing parental controls and blocking illegal material that the DNS over HTTPS server can somehow communicate with them to redirect the traffic on their behalf.

Given the respect the IWF commands, this could be a possibility, but if the government then steps in and demands that adult porn sites be blocked too, this approach would surely stumble, as every world dictator and international moralist campaigner would expect the same.

Read more eu.htm at MelonFarmers.co.uk

Ireland’s Justice Minister Charlie Flanagan confirmed that the Irish government will consider a similar system to the UK’s so-called porn block law as part of new legislation on online safety. Flanagan said:

I would be very keen that we would engage widely to ensure that Ireland could benefit from what is international best practice here and that is why we are looking at what is happening in other jurisdictions.

The Irish communications minister Richard Bruton said there are also issues around privacy laws and this has to be carefully dealt with. He said:

It would be my view that government through the strategy that we have published, we have a cross-government committee who is looking at policy development to ensure online safety, and I think that forum is the forum where I believe we will discuss what should be done in that area because I think there is a genuine public concern, it hasn’t been the subject of the Law Reform Commission or other scrutiny of legislation in this area, but it was worthy of consideration, but it does have its difficulties, as the UK indeed has recognised also.

Read more uk_internet_censors.htm at MelonFarmers.co.uk

At the moment, when internet users want to view a page, they specify the page they want in the clear. ISPs can see the page requested and block it if the authorities don’t like it. A new internet protocol has been launched that encrypts the specification of the page requested so that ISPs can’t tell what page is being requested, and so can’t block it. This new DNS over HTTPS protocol is already available in Firefox, which also provides an uncensored and encrypted DNS server. Users simply have to change the settings in about:config (being careful of the dragons of course).
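An added example (not from the original posts, nor from any ISP's or browser's code) of the mechanics behind the two descriptions of DNS over HTTPS on this page: a classic UDP/53 query carries the hostname in cleartext where an ISP filter can match it, while RFC 8484 carries the same DNS message inside an HTTPS request, so the name is readable only where TLS terminates, at the DoH resolver. The hostnames, the blocklist and all function names are constructed for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_query(hostname, qtype=1, txid=0):
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_qname(message):
    """Recover the queried hostname from a DNS message."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", message[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated QNAME")
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(message):
            raise ValueError("invalid label in question name")
        labels.append(message[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels)


def isp_dns_filter(udp_payload, blocklist):
    """Classic DNS: the UDP/53 payload is cleartext, so an on-path filter
    can read the name and compare it with its list."""
    name = parse_qname(udp_payload)
    return name, name in blocklist


def doh_get_target(message):
    """RFC 8484 GET form: the same DNS message, base64url without padding.
    This request target travels inside TLS, so an on-path device sees only
    a connection to the resolver on port 443, not the name being looked up."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded


def resolver_side_name(request_target):
    """What the DoH resolver, which terminates TLS, reads from the request.
    Any name-based policy now has to be applied at this endpoint."""
    encoded = parse_qs(urlsplit(request_target).query)["dns"][0]
    padded = encoded + "=" * (-len(encoded) % 4)
    return parse_qname(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    blocklist = {"blocked.example"}           # constructed sample list
    query = build_query("blocked.example")    # constructed sample name
    print("ISP filter on UDP/53 sees:", isp_dns_filter(query, blocklist))
    target = doh_get_target(query)
    print("Inside TLS, DoH request target:", target)
    print("DoH resolver decodes:", resolver_side_name(target))
```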

Questions have been raised in the House of Lords about the impact on the UK’s ability to censor the internet.

House of Lords, 14th May 2019, Internet Encryption Question

Baroness Thornton Shadow Spokesperson (Health) 2:53 pm, 14th May 2019

To ask Her Majesty’s Government what assessment they have made of the deployment of the Internet Engineering Task Force’s new “DNS over HTTPS” protocol and its implications for the blocking of content by internet service providers and the Internet Watch Foundation; and what steps they intend to take in response.

Lord Ashton of Hyde The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

My Lords, DCMS is working together with the National Cyber Security Centre to understand and resolve the implications of DNS over HTTPS, also referred to as DoH, for the blocking of content online. This involves liaising across government and engaging with industry at all levels, operators, internet service providers, browser providers and pan-industry organisations to understand rollout options and influence the way ahead. The rollout of DoH is a complex commercial and technical issue revolving around the global nature of the internet.

Baroness Thornton Shadow Spokesperson (Health)

My Lords, I thank the Minister for that Answer, and I apologise to the House for this somewhat geeky Question. This Question concerns the danger posed to existing internet safety mechanisms by an encryption protocol that, if implemented, would render useless the family filters in millions of homes and the ability to track down illegal content by organisations such as the Internet Watch Foundation. Does the Minister agree that there is a fundamental and very concerning lack of accountability when obscure technical groups, peopled largely by the employees of the big internet companies, take decisions that have major public policy implications with enormous consequences for all of us and the safety of our children? What engagement have the British Government had with the internet companies that are represented on the Internet Engineering Task Force about this matter?

Lord Ashton of Hyde The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

My Lords, I thank the noble Baroness for discussing this with me beforehand, which was very welcome. I agree that there may be serious consequences from DoH. The DoH protocol has been defined by the Internet Engineering Task Force. Where I do not agree with the noble Baroness is that this is not an obscure organisation; it has been the dominant internet technical standards organisation for 30-plus years and has attendants from civil society, academia and the UK Government as well as the industry. The proceedings are available online and are not restricted. It is important to know that DoH has not been rolled out yet and the picture in it is complex – there are pros to DoH as well as cons. We will continue to be part of these discussions; indeed, there was a meeting last week, convened by the NCSC, with DCMS and industry stakeholders present.

Lord Clement-Jones Liberal Democrat Lords Spokesperson (Digital)

My Lords, the noble Baroness has raised a very important issue, and it sounds from the Minister’s Answer as though the Government are somewhat behind the curve on this. When did Ministers actually get to hear about the new encrypted DoH protocol? Does it not risk blowing a very large hole in the Government’s online safety strategy set out in the White Paper?

Lord Ashton of Hyde The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

As I said to the noble Baroness, the Government attend the IETF. The protocol was discussed from October 2017 to October 2018, so it was during that process. As far as the online harms White Paper is concerned, the technology will potentially cause changes in enforcement by online companies, but of course it does not change the duty of care in any way. We will have to look at the alternatives to some of the most dramatic forms of enforcement, which are DNS blocking.

Lord Stevenson of Balmacara Opposition Whip (Lords)

My Lords, if there is obscurity, it is probably in the use of the technology itself and the terminology that we have to use–DoH and the other protocols that have been referred to are complicated. At heart, there are two issues at stake, are there not? The first is that the intentions of DoH, as the Minister said, are quite helpful in terms of protecting identity, and we do not want to lose that. On the other hand, it makes it difficult, as has been said, to see how the Government can continue with their current plan. We support the Digital Economy Act approach to age-appropriate design, and we hope that that will not be affected. We also think that the soon to be legislated for–we hope–duty of care on all companies to protect users of their services will help. I note that the Minister says in his recent letter that there is a requirement on the Secretary of State to carry out a review of the impact and effectiveness of the regulatory framework included in the DEA within the next 12 to 18 months. Can he confirm that the issue of DoH will be included?

Lord Ashton of Hyde The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

Clearly, DoH is on the agenda at DCMS and will be included everywhere it is relevant. On the consideration of enforcement–as I said before, it may require changes to potential enforcement mechanisms–we are aware that there are other enforcement mechanisms. It is not true to say that you cannot block sites; it makes it more difficult, and you have to do it in a different way.

The Countess of Mar Deputy Chairman of Committees, Deputy Speaker (Lords)

My Lords, for the uninitiated, can the noble Lord tell us what DoH means – very briefly, please?

Lord Ashton of Hyde The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

It is not possible to do so very briefly. It means that, when you send a request to a server and you have to work out which server you are going to by finding out the IP address, the message is encrypted so that the intervening servers are not able to look at what is in the message. It encrypts the message that is sent to the servers. What that means is that, whereas previously every server along the route could see what was in the message, now only the browser will have the ability to look at it, and that will put more power in the hands of the browsers.

Lord West of Spithead Labour

My Lords, I thought I understood this subject until the Minister explained it a minute ago. This is a very serious issue. I was unclear from his answer: is this going to be addressed in the White Paper? Will the new officer who is being appointed have the ability to look at this issue when the White Paper comes out?

Lord Ashton of Hyde The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

It is not something that the White Paper per se can look at, because it is not within the purview of the Government. The protocol is designed by the IETF, which is not a government body; it is a standards body, so to that extent it is not possible. Obviously, however, when it comes to regulating and the powers that the regulator can use, the White Paper is consulting precisely on those matters, which include DNS blocking, so it can be considered in the consultation.

Read more uk_internet_censors.htm at MelonFarmers.co.uk

As of 15 July, people in the UK who try to access porn on the internet will be required to verify their age or identity online.

The new UK Online Pornography (Commercial Basis) Regulations 2018 law does not affect the Channel Islands but the States have not ruled out introducing their own regulations.

The UK Department for Censorship, Media and Sport said it was working closely with the Crown Dependencies to make the necessary arrangements for the extension of this legislation to the Channel Islands.

A spokeswoman for the States said they were monitoring the situation in the UK to inform our own policy development in this area.