call +44 20 7096 1079

Blog


January 23, 2014 | Peter Bradwell

What's happening to your medical records and how you can opt out

The NHS has been going through some fairly radical changes. This will affect who can see your medical records and what they can do with them.

Where your records will be stored, the people deciding who has access to them, the reasons people can access them - all of these things are affected by what's happening.

And it is happening now.

You have the opportunity to opt out of your medical records being used in this way. But you have to actively opt out. If you don't want your medical records to be part of the new system from the start you need to opt out soon.

If you're just looking for details about how to do that, I'd suggest heading over to medConfidential, who have produced information about what the changes mean and a guide to opting out with forms for doing so

There's also lots of really useful information up on Dr Neil Bhatia's site and information on how to opt out, again with an opt out form (in pdf format), should you decide that's what you want to do.

More on what is happening to your records

The NHS are making some big changes to how very sensitive information about us is handled - information about which many people feel understandably protective and worried.

The story about what is happening is fairly long. But most simply put, your medical records, in identifiable form, will be extracted from GP surgeries. They will be held centrally and then made available, in certain circumstances, to a variety of people and institutions from university researchers to think tanks and businesses. The data will be available in different forms for different purposes - sometimes 'anonymised', sometimes 'pseudonymised', sometimes identifiable. There will be various conditions that those wishing to apply for access to the data must meet.

medConfidential say this will "fundamentally alter the concept of doctor-patient confidentiality" - which sounds fair, if only because now there are many more people involved in deciding who can access your medical records, and more people who can potentially do so. 

If you'd like to read NHS England's explanation of what's happening and why they think this is a good idea, read their information page, the patient FAQ and the article written by their Chief Data Officer.

Like medConfidential, lots of people have become extremely concerned about the way these changes are happening. The issues include how much of an informed choice people can make, the faith placed in 'anonymisation' techniques, and who will be able to access records and for what purposes.

What choice do we have?

One of the most pressing issues is whether we have a proper choice about whether our records are part of the new system. 

Well, you can opt out. If you don't do anything, your data will be uploaded to the new system. NHS England say you can change your mind later.

(Update: Phil from medConfidential has pointed out that whilst they say you can change your mind, once your data has been uploaded to HSCIC it will never be deleted and will always be available for subsequent matching on its systems.)

Of course you can only opt out of something that you know is happening. So the opt out approach relies on people knowing what is going on, and having some way of telling the health service what decision they have taken. That places a responsibility on the NHS to provide people with clear and comprehensive information, and to try to make sure people see it.

The NHS fell short of the mark here. Their approach looks like it is more about selling the idea and minimising opt outs than helping people come to informed decisions.

They are sending leaflets, supposedly to every household in the county, with an overview of the benefits of sharing more information. The leaflet is also available as a pdf from the NHS website, with more detail on an information page. Dr Geraint Lewis, the NHS England Chief Data Officer, has posted an article explaining more about how the new system will work and its benefits. There's an FAQ pdf too, which gives a little more detail. 

The leaflet and website read more like a sales pitch for the new system, and are both light on specifics. The leaflet also implies people need to make appointments with the GP surgery to discuss options for opting out - however this is not true. An appointment is not necessary. 

medConfidential and Dr Neil Bhatia have both pointed out some of the shortcomings with the leaflet and information campaign - some of the things that it doesn't mention or explain properly. 

It has been left to medConfidential, Dr Bhatia and others to provide people with clear, detailed and comprehensive explanations about what is happening, and to make it absolutely clear how people can opt out of the scheme. Following the pressure they have applied, it seems the NHS is trying to up their game.  

medConfidential and Dr Bhatia also raise extremely important questions about other aspects of the system, including the problems with a reliance on anonymisation, and concerns about who will have access to identifiable information and for what purposes (see medConfidential's explanation of how paid for access to information will work.)

Here's some more useful articles with information and opinion about what's going on:

1. An editorial from last week in Nature, criticising how 'people's right to opt out has been greatly downplayed.' 

2. The Guardian this week reported on concerns about access that insurance and drug companies. 

3. Jane Fae on openDemocracy, arguing that we're in danger of sleepwalking into a big information grab. 

4. Ross Anderson on opting out - he notes that "if you don't opt out your kids in the next few weeks the same will happen to their data, and they will not be able to get their data deleted even if they decide they prefer privacy once they come of age." 

5. Jon Baines, of InformationRightsandWrongs.com, on why he's worried about the new system and has opted out. 

6. Roy Lilley, giving a run down of what he sees is happening and why the Department of Health could have run the opt out better 

7. An article about an Early Day Motion tabled by MP Roger Godsiff in the House of Commons, following news that 2,400 people have called the customer hotline with concerns about the system since January 6th. 

Of course there are benefits to various innovative uses of medical data. And it's obvious that there are ways to improve how health related information is used. 

But with such fundamental reforms patients should be at the heart of the system, and reforms should be happening with their consent. 

Whatever you think of the merits of the new system, it's hard to escape the conclusion that the way the transition has been handled so far is below standard. Looking at how patients' attitudes and opinions are being built in to this process, it seems the NHS are trying to minimise how many people opt out because they are institutionally so convinced of the benefits of greater data sharing.

This is probably counterproductive, too.  It will surely, for some people, raise doubts about the principles and motivations guiding future decisions about how their medical data will be used. 

If you want to opt out, you can use the forms that medConfidential and Dr Bhatia have made available. You can change your mind at a later date.

More background to relevant NHS changes

As mentioned above, medConfidential have produced a helpful guide to what's happening, including information about changes to the NHS and who is in charge of overseeing the use of health records.  

The King's Fund have produced an explanation of what's happening to the NHS in the form of an animated video, which is helpful for background on what the NHS is going through. 

[Read more] (2 comments)


January 15, 2014 | Peter Bradwell

How to complain about mobile filtering over-blocking

The British Board of Film Classification (BBFC) is now involved in how mobile internet filtering works. In this post we explain what role they have and how you should be able to get over-blocking problems fixed.

Yesterday we had a very helpful meeting with the BBFC. Last year they took on an important role dealing with mobile Internet filtering. You can read about it on their website.

Over Christmas there was an awful lot of understandable concern about mobile filters, especially the ‘Parental Control’ filters provided as an optional service by O2. We wrote about this at the time, but for now it’s worth repeating that one of the biggest lessons was that mobile networks don’t do a good enough job of explaining how their filters work, why and how they make decisions about what gets filtered, and how people can complain. 

I thought it would be helpful to explain what role the BBFC now has, and explain how the process for complaints about over-blocking (or under-blocking) is supposed to work.

The BBFC’s role involves three things: 

1. Setting a framework that describes what should be considered adult content for the purposes of mobile phone filtering. They have defined a set of categories and explained what content will be considered blockable.

2. They offer advice to the mobile networks when they are setting their filters.

3. They run an appeals process, which is designed to resolve disputes about over- or under-blocking.

The BBFC do not classify individual sites for mobile networks or run a first-stage complaints process.  And they aren't responsible for the decisions that mobile networks make about implementing the framework. It’s also important to point out that their framework and complaints procedure only applies to networks’ under 18 filters - their default safety level - and not to other services provided for different age groups. For example, they do not regulate O2’s Parental Controls, which is an optional service designed for those under 12.  

 

How you can complain about overblocking

1. You should be able to complain direct to the relevant mobile operator. The BBFC have helpfully provided email addresses for each mobile network, which is where you should direct complaints about overblocking or underblocking in the first instance. This contact information should also be on the mobile operators’ websites. In some cases it isn’t, however. For example, at the moment, O2 point people at their Twitter account or forum. As we saw over Christmas, those are not helpful channels. 

2. If you do not get a satisfactory resolution from the mobile network, you can then appeal to the BBFC. Details about how to do this are on the BBFC website. BBFC have committed to resolving the complaints they receive in five working days.

 

What will happen after a complaint?

If the BBFC agree that a site should not be blocked by under 18 filters, in the case of over blocking, then they will inform the mobile network, who should then remove the site from their block list. The BBFC told us that in the cases they have handled so far, the networks have responded fairly quickly to these notifications.

The same applies for under blocking - i.e. if the BBFC decide a site should be blocked, they will inform the network and it should be added to the block list.

Things are slightly complicated with overblocking because at the moment, mobile networks are allowed to block more categories than the BBFC have set out. 

So even if the BBFC decide that a site should not be blocked against the BBFC criteria for over 18 content, the mobile networks might decide that the site should still be blocked because it falls under their additional categories. 

For instance, we believe most networks block information about ‘circumvention’ technology, which might help people learn how to get round blocking, even though such information is not considered blockable by the BBFC. Networks also used to block content related to tobacco or alcohol, but the BBFC framework specifically excludes sites that supply age restricted goods or services such as tobacco or alcohol. We are not currently sure if any of the networks continue to block alcohol and tobacco. 

That may lead to a fair amount of confusion if the BBFC decide something should not be blocked but the mobile network decides it still fits one of their additional categories. This is made more tricky for consumers or website operators because the mobile networks don't publish what categories they block, so it's impossible currently for someone to know in advance of any complaint.

 

Mobile networks need to be more transparent, consistent, clear and responsive

The BBFC site and process is a vast improvement on the previous code - it's clearer, more considered, and there's an added appeals process. They are taking the work seriously.

However, the issues with mobile networks’ own implementation have not gone away. The BBFC's transparency, clarity and responsiveness cannot be a replacement for mobile networks' own information or process, because these networks will be customers' or website owners' first port of call when they are looking for information or trying to complain.

It is still hard to get clear information from networks about what they block and why - for instance what categories they filter - and it is still hard to get information about their own complaints procedure. For example, O2 point people at their Twitter account and forums, which to date have not been helpful. Three still link to the Mobile Broadband Group code of practice, rather than the BBFC. And Everything Everywhere used to provide a list of categories filtered by their two filtering levels, but that link no longer works.  

Families should be in a position to make informed choices about what their children can access via mobile phones. At the moment, it’s not really possible for a parent to get a clear idea about what a mobile networks’ default safety filters do and why.

It also should be possible for someone who runs a website that is blocked by a mobile network for no good reason to get that problem fixed quickly. They should be able to find out easily if their site is blocked on different networks. Again, at the moment that process is not clear enough and happens too slowly.

It shouldn't be too difficult to fix these problems - it's more a question of whether mobile networks consider it important enough to spend time and resources really addressing it.

[Read more] (2 comments)


January 08, 2014 | Ed Paton Williams

MEPs release draft report damning blanket Internet surveillance

Tomorrow MEPs on the European Parliament's civil liberties committee will present their draft report on the Internet surveillance of the UK and USA as well as other EU states. Its recommendations are damning and the UK Government comes in for particularly strong criticism.

It won't be officially presented to the committee until tomorrow but you can already read the draft report on the EU Parliament website. Here are the headlines.

After condemning the systematic collection of the personal data of innocent people, the report calls on EU Member States and the USA "to prohibit blanket mass surveillance activities and bulk processing of personal data."

It goes on say that "these mass surveillance activities appear also to entail illegal actions by intelligence services." The MEPs call on the UK, Germany, France, Sweden and the Netherlands to revise their legislation relating to intelligence services to ensure they comply with the European Convention on Human Rights.

They make particular mention of the UK saying that the current legal framework governing British surveillance – the Human Rights Act 1998, the Intelligence Services Act 1994 and the Regulation of Investigatory Powers Act 2000 –  "should be revised" to comply with fundamental rights obligations relating to privacy, data protection and presumption of innocence.

The report also calls on EU Member States to "take appropriate action immediately, including court action, against the breach of their sovereignty...perpetrated through the mass surveillance programmes."

The MEPs go on to call on Member States to "refrain from accepting data from third states which have been collected unlawfully and from allowing surveillance activities on their territory by third states’ governments or agencies which are unlawful under national law".

On transfers of data from Europe to the USA, the committee says that American data protection laws "do not provide adequate protection for EU citizens" and calls on the European Commission to produce a "comprehensive assessment of the US privacy framework covering commercial, law enforcement and intelligence activitie" by June 2014.

It's striking when reading the draft report just how opposite the response to Snowden's revelations has been in Brussels to that in Westminster. This inquiry puts the UK Parliament to shame.

Whereas the European Parliament has called witnesses, had a full debate and will soon hear from Snowden himself, MPs in London have debated Internet surveillance just once. In that debate and in the few committee hearings dealing with surveillance, many MPs have decided that it is more important to criticise Snowden and the Guardian for revealing the surveillance than to engage with implications of the revelations themselves.

ORG and others have long called for a full inquiry into British surveillance law and we welcome the recommendations in the committee's report. We call on the UK Government to accept the recommendations of this report and undertake a comprehensive review of the legislation governing British Internet surveillance.

[Read more]


December 24, 2013 | Jim Killock

O2 pulls blocked URL checker as wave of new customers activate their phones

Following complaints, media attention and misunderstandings surrounding O2's URL checker and categories, O2 have switched it off, with no timescale for reinstatement.

While O2 are the only company providing any transparency with their checker, this is a bad move. People need to see how the filters work, and the checker helps them do this. Christmas is a time when huge numbers of people set new phones up.

Of course people will suspect that the checker has been “closed for maintenance” because it is producing complaints. People are concerned that websites from Childline, the NSPCC, the Police and many others are deemed unsuitable for under 12s. (Childline should now be available following complaints.)

Pink News reports that: “O2 has labeled Stonewall, BBC News, the Conservative Party and the Number 10 Downing Street website as unsuitable or uninteresting to under 12s.” O2 provided them with a list of types of sites likely to be allowed, but still refuse to provide a list of actual sites allowed. 

What this emphasises is that transparency needs to be of right, and not something that can be withdrawn for commercial or public relations purposes. Websites need to identify that they are blocked, or not. Complaints should not only be dealt with because of Twitter campaigns.

If you want to help, we have a project to make filtering and blocking transparent. This isn't to "improve" inherently flawed filters, but simply to make it clear what is happening. Transparency should help people limit their reliance on filters. It helps us document the harm and argue that filters are not a 'good' in themselves but have significant downsides.

Our first aim is to make sure that any website can check their status on any UK network. Can you help? Donations, joins and practical help are much appreciated!

[Edit note: for avoidance of doubt, O2's under 12 Parental Controls are “opt in” and provide a restrictive whitelist of sites deemed to be aimed at children. The “default safety” setting is opt-out and restricts access to a selection of sites thought to be unsuitable for under 18s]

[Read more] (3 comments)


December 23, 2013 | Jim Killock

Help ORG monitor UK blocking and filtering

This weekend showed that the debate on blocking is getting serious and worrying. We aren’t being given any of the information we need to check what is happening as a result of new filtering tools. We don’t know what, how or why sites are blocked. We need to know, and you can help.

ORG is putting together tools to track what is blocked and where. We intend to develop our current blocked.org.uk site into a means to request a check across the UK - using probes based in each network.

We intend to make it easy for anyone to check whether their site is blocked, and find out where, so that complaints can be made as needed. We also want to compile a list of sites that have found themselves mis-categorised, so we can check for future errors.

In the end, we want ISPs to do this themselves. But we fear they won’t do until they have been shown that error checking will happen anyway. So we’re just going to get on with it ourselves.

How you can help the project

Join ORG

We need money to do this, including basic costs, and longer term employing someone with technical project management skills, so if you haven't already, please join us.

Development and bug reports

At the moment we are looking for coders and people with project management skills and time. if you are interested please subscribe and introduce yourself on our Tech Volunteers list.

Project Details

The outline of the project is on our wiki: https://wiki.openrightsgroup.org/wiki/Censorship_Monitoring_Project

Get the Code

There are three parts to this project, probes (on phones and on Raspberry Pi's) some middleware to manage the probes and the website front end. The code for the probes and middleware is on Github

 

[Read more] (2 comments)


December 23, 2013 | Jim Killock

Blocking: what could possibly go wrong?

Concerns are growing over exactly what filters are doing, and what information is blocked for adults and children.

David Cameron cc-by-nc-sa-worldeconomicforumWe now have two kinds of blocking: firstly, mobile companies, providing one or two levels of filtering, which has to be actively switched off.

Secondly, we have new “parental controls” developed and rolled out by BT, TalkTalk, Sky and Virgin. Here, users will be asked to decide whether to switch different filters on, but will be “nudged” towards enabling them. 

Last week, BT launched their filtering product, and people started to look at what they were blocking. Some surprises emerged, including a suggestion it would block sites that “promote respect for a partner”. 

Over the weekend BT updated their descriptions of Parental Control categories, removing the description of sites that “promote respect for a partner”. However, this leaves a great deal of doubt: has BT changed the filtering mechanism, or has the description merely been altered? How do we know? (The Register says it is just a change of description.)

Also, over the weekend, people concerned about blocking were directed to O2’s url checker, snowballing after a LGBT website drew attention to their site being blocked. Many bloggers and others found that their sites were blocked by its Parental Control category and used Twitter to ask O2 why their site was blocked. 

Sites being blocked on the O2 Parental Control filter would not be unexpected, as it blocks everything on the web with a small number of exceptions deemed suitable for under-12s. The setting is switched on by parents, unlike the “default safety” which is set for everyone until they get it lifted.

However, what we really need to know with O2’s whitelist is who is making the decision about what is allowed for children, and by what criteria. It is allowing a very narrow range of material, which should be chosen carefully to be as broad but as safe as possible.

O2’s under-12 whitelist includes mcdonalds.com but excludes childline.org.uk - showing that their aim of promoting child safety with this product really is not delivering very well.

This raises wider questions. Perhaps there are some sites that a parent should never be able to ban for a child, starting with help services like Childline. Unfortunately, what you should not ban varies with a child’s age, meaning in practice, once empowered with blocking tools, some parents will seek to restrict information inappropriately. Abortion advice, sexuality, religious debate, perhaps Darwinism: all these are now much more blockable for the parent worried about their child’s moral development.

Let’s remember, blocking has arisen at the government’s initiative. These problems will be theirs to resolve. 

Both mobile and fixed ISPs are loath to provide information about how and what is blocked. [note] ISPs so far have been very cagey about how sites are categorised. BT, for example, disclaims responsibility for the categorisation and promises to forward complaints to their unnamed third-party supplier. 

Beyond the reasons of commercial confidentiality, there are reasons why ISPs may be reluctant to tell you who makes the blocking decisions. Some ISPs buy filtering services from countries with differing religious or cultural values to the UK - attitudes to guns, alcohol, sex and discrimination may not match customer expectations. Some use services that use computer algorithms to do the bulk of their classification. Others may use cheap labour.

What you can guarantee is that filtering is error prone. The sheer number of classifications to make means that costs have to be kept low. 

But without some level of transparency and accountability, not just to their customers but to the internet at large, why should people trust the decisions ISPs make about what they or their children are allowed to see? 

We are calling on ISPs to provide lookups, information about where they get their categorisation, criteria, and means to report and correct errors, as well as statstics about the problems they encounter. Last week, we made ten recommendations to UKCCIS to deal with overblocking. We need transparency.

But in the absence of transparency from companies, ORG is putting together tools to track what is blocked and where. We intend to develop our current blocked.org.uk site into a means to request a check across the UK - using probes based in each network. 

Our aim is to allow you to be able to check whether your site is blocked, and where, so that you can make complaints as you need to. We want to compile a list of sites that are frequently mis-categorised and limit some of the harms. Ultimately, we want to do this to encourage the ISPs to provide these tools themselves. 

Of course, we need money to do this, so if you haven't already, please join us

[Note] O2 attempted to placate people on twitter by shifting the responsibility for all web filtering to the BBFC (almost certainly based on a misunderstanding within O2’s staff about how their web filters are managed). See this for instance. O2 however are the one company that does at least provide a mechanism for people to check.

[Read more] (13 comments)


December 19, 2013 | Peter Bradwell

Ten recommendations to ISPs for dealing with over-blocking

Yesterday's Newsnight has helped demonstrate once again that over blocking by ISPs internet filtering systems is a real and serious issue. We've told the 'UKCCIS' over-blocking group how ISPs should start dealing with the problem.

We started looking closely at internet filtering by mobile networks a couple of years ago. We knew that we could try to learn lessons from the way their default-on systems worked that could be helpful if and when systems for domestic ISPs were rolled out. We found that it was hard to understand what was blocked and why and that over-blocking was a serious problem. We also found that it was hard to get the Government or ISPs to take it seriously. We published a report in May last year, jointly with LSE Media Policy Project, setting these things out.

So far it seems those lessons (we set out five earlier this year) have not been learnt. TalkTalk, BT and Sky now offer network level filters and we're seeing the same issues play out. Yesterday Newsnight helped demonstrate some of the overblocking issues, showing that filters designed to stop pornography also block sex education, sexual health and advice sites.    

We have joined the 'UKCCIS' group that has been set up to try to address over-blocking. (UKCCIS is made up of a number of 'working groups' that are set up to discuss issues related to online child safety.) We'd like to help the group ensure ISPs take concrete steps to deal with inevitable overblocking by their filtering systems. To kick start that process we have sent the group a summary of our concerns about what is happening now and made 10 recommendations for how ISPs could improve the way they deal with over-blocking. You can read what we sent them below.

We are clear that we don't agree with the Government's current approach - mandating network level filters and a 'one click to safety' approach. The 10 ideas below are about dealing with the problems with over-blocking as we see them now, but the Government should be thinking again about the best approach for parental controls. 

Let us know if you have other ideas for dealing with over-blocking in the comments below. 

Concerns about over-blocking and 'one click to safety' filtering

Filtering systems should adhere to four principles: transparency, accountability, choice and responsiveness. The Government's current approach of mandating network level filters and aiming for what David Cameron called 'one click to safety', is not conducive to policies that live up to these principles.

The result could be counter-productive to the Government's aims. For example, all users within a household will be subject to the same level of filtering at a given time, and there is a risk that in frustration at how unresponsive filters can be some account holders may simply turn them off.

Rather than addressing here this broader question about the best solution to the Government's policy goals, below are our top level concerns about the 'one click to safety' approach and some recommendations for addressing these issues.

Concerns about how over-blocking is currently dealt with

1. There is not enough clarity for users about what categories are blocked, what falls within those categories and why, and who makes these decisions. 

2. People who run sites that are blocked incorrectly...:

a. ...have no way of checking if and why their sites are blocked on different ISPs. As far as we are aware, only O2 provide a URL checker. Website owners are going to face multiple ISPs, who will use a variety of filtering systems. 

b. ...can find it difficult to report the problem. Issues can include knowing to speak to and getting a clear response / finding someone at the ISP who understands the issue.

c. ...can find it takes too long to get their site removed from blocking lists. On mobile networks we've seen cases taking a month to get resolved; recently, it took around a week to resolve issues TalkTalk users had accessing Wordpress admin pages (this related to TalkTalk's implementation of the IWF list).

3. There is no clear organisational responsibility for blocking mistakes.

4. It can be hard to find out technical details about how filtering works. This sort of detail may affect someone's decision about which ISP to use, or it may help website operators or users understand filter-related access issues.

Ten recommendations for addressing current over-blocking problems

1. ISPs should provide a one-stop URL checker to help people check if sites are blocked, which checks across ISPs.

2. ISPs should provide clear and consistent information for the user at the point of blocking and on their general customer service pages. At the point of blocking this should cover why a site is blocked and how to report mistakes. On FAQ and customer service pages that should include the categories blocked with explanations and examples of what those categories will block.

3. When mistakes or errors occur due to filtering, clear information should be provided quickly to users and affected sites about what has happened and why. 

4. ISPs should ensure training to ensure that customer service staff understand filter-related problems.

5. ISPs should commit to monitoring performance of their filtering accuracy and responsiveness and to publishing data about this performance. That should include, for example:

a. The number of over-blocking reports received, broken down by filtering category

b. The speed with which mistakes with blocking issues are resolved and sites are taken off blocked lists.

6. ISPs should set common performance standards against these metrics. Performance against these standards should be overseen by independent regulator.

7. ISPs should provide a process for site owners to proactively have their sites whitelisted. 

8. ISPs should offer a process for 'edge cases' (where suitability for under 18s may be disputed, for example) to be resolved. An independent regulator could arbitrate if disputes are not resolved. 

9. ISPs should publish who provides their filtering service and details of the technology involved. 

10. There should be a clear timetable for implementing these changes, we suggest by Spring 2014. Roll out of parental filters to existing customers should not proceed until these measures to mitigate over-blocking are in place.

 

[Read more] (1 comments)


December 18, 2013 | Peter Bradwell

Why WordPress bloggers were blocked by TalkTalk, and what it tells us about Internet filtering

Even a site with WordPress' popularity and clout struggled for a week to understand and fix their users' access problems.

At the end of November a number of WordPress blog admins complained on WordPress forums that they were having problems accessing their accounts. It appeared that TalkTalk subscribers who had WordPress blogs could not access their administration pages over https, and so couldn't write and publish new blog posts.

WordPress were unable to explain what was happening. The first reports were on 26th November and continued until around December 5th.

Similar access problems have occurred before, with users struggling to access WordPress and another site called Vk.com. Other ISPs have had issues (see below).

The story demonstrates some of the key issues with over blocking by ISPs' Internet filtering systems. There are lessons here for the Government as they press for more Internet blocking - about the ISPs' responsiveness to reports of over-blocking and how seriously the government and ISPs take the problem. 

It seems reasonable at this point to mention again that in June this year Claire Perry MP, who advises the Prime Minister on preventing the commercialisation and sexualisation of childhood, described concerns about overblocking as a 'load of cock'. 

What happened?

It seems a WordPress account was reported for containing child abuse content, and once this was confirmed WordPress took the account down and the IWF added the relevant URLs to its block list. (thanks to Barry Turnbull for his work figuring out what was happening.)

The Internet Watch Foundation (IWF) give ISPs a list of sites that contain child abuse images, which the ISPs then block. It is down to the ISP how this blocking actually works. The IWF maintained that no WordPress URLs were on their block list at the time of the access problems and that they are not responsible for how the blocking is implemented. 

So it seems the problem comes from the way TalkTalk deal with the list the IWF supply them. TalkTalk provided the following statement:

"Due to the application of our blocking of the IWF list of URLs that contain child abuse imagery, a small number of users may have experienced intermittent issues accessing WordPress at the end of last week. We apologise for any inconvenience this may have caused."

Beyond this, we don't know exactly why TalkTalk's implementation of the IWF blocking list causes this issue. TalkTalk do not seem to have supplied any further technical explanation. 

It's not the first time this has happened

The cases we have seen all involve filters struggling to limit the blocking to a specific page or site within a domain, and end up restricting access to more than was intended.

When their subscribers had similar problems accessing some of WordPress and Vk.com in October this year, TalkTalk provided almost the same statement as the one above in response. Just before that statement was posted, TalkTalk admins posted some slightly unclear and unhelpful explanations, pointing the finger of blame at the IWF.

It was reported this week that Sky subscribers also had issues accessing imgur, an image sharing site, last weekend. The difference here is that instead of the intention being to block child abuse material via the IWF list, the aim in this case was to block sites found to be infringing copyright. 

Why does it matter?

1. It matters even when 'small numbers' of users can't access a site.

It seems any TalkTalk users trying to access their WordPress admin pages over https couldn't do so. It's important to look at who was affected as much as how many.

Some may have been journalists who couldn't post stories for a number of days. For others their WordPress sites may have been part of their business, meaning they couldn't reach their market for a week.

There shouldn't be a number of affected users that counts as legitimate collateral damage.

2. ISPs need to take more responsibility for negative affects of filtering.

Affected users received vague and sometimes conflicting information about the problem and who was to blame.

In their forums, for example, TalkTalk's admins initially blamed the existence of the IWF list rather than their implementation of it.

The IWF explained repeatedly on Twitter that the issue was not of their making.

WordPress struggled to explain why their users couldn't access the site, leaving some of their users to speculate that it was WordPress' fault. It is telling, for example, that WordPress lead developer Peter Westwood was tweeting at IWF for an explanation on 4th December.

Even WordPress and its users can find themselves in a protracted state of limbo. It will probably be a lot more difficult for a site with a lower profile to get things sorted.

ISPs should make sure that there are speedier ways for sites to get these issues resolved, and should explain as soon as possible what the cause of the problem is. Those running websites need to be able to find out quickly from ISPs what is happening and why so they can explain to their users.

3. The Government need to take more responsibility for their filtering policies - even if they involve 'voluntary' industry arrangements.

The Government unwisely want more Internet filtering. They have pushed ISPs to roll out network level parental control filtering and want to see more blocking of content related to extremism. They seem less concerned that blocking comes with technical issues.

In their response to an e-petition about over-blocking the government say they have set up a discussion group at UKCCIS to look at over-blocking, but stress users should complain to ISPs about their issues.

We know mistakes and errors will happen, and the Government should be ensuring ISPs deal with the problems quickly. At the moment, nobody is willing to take responsibility.

In cases like this, the Department for Culture, Media and Sport in particular, who have recently pushed filtering with such enthusiasm, should be trying to understand why these problems are occurring.

We've asked to be part of the UKCCIS group to see if that forum can be a route to a solution.

[Read more] (10 comments)


google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail