January 23, 2012 | Peter Bradwell

UK Mobile operators censor privacy tool 'Tor'

Open Rights Group and Tor have established that UK mobile networks such as Vodafone, O2 and 3 are filtering UK users' access to Tor's primary website (meaning the HTTP version of the Tor Project website, rather than connections to the Tor network) on pre-paid contractless accounts. 

Tor helps people stay anonymous online. Some examples of how it has been used include those trying to avoid oppressive state censorship in places such as Iran, through to abuse victims in the UK. There is a post by Jacob Appelbaum with more technical details about the blocking on UK mobile networks over at the Tor blog. 

These mobile networks' filters are supposed to be tools through which parents can manage their children's access to the Internet. O2 provide a tool to check whether a URL is blocked under their filtering system. Searching for 'torproject.org' tells us it is blocked because it falls into the category of 'anonymiser'. (Orange also say that they block content that falls into the 'anonymiser' category - but it does not seem that Tor is blocked on Orange.) It's unlikely that mobile operators are targeting Tor, and more likely that anonymisation tools generally are filtered.

It is not clear why services such as Tor have been included in filtering systems. It's clear that mobile operators need to look again at what sites they are blocking and why, especially when those blocks include important and legitimate tools such as Tor.

We initially established that Tor was blocked initially through our new tool blocked.org.uk. You can help us monitor how filtering on mobile networks works by reporting when you come across incorrectly applied blocks.

Problems with mobile Internet filtering

These problems would be less of an issue if it was clear to users when filtering applied to their account, how to turn the filter off, and how to report mistakes. But this isn't the case.

Phone companies 'filter' the mobile Internet because they don't know whether their phones are being given to or used by children and young adults. This happens by default in most cases. The concern is that if young people have unfettered access to the Internet they will stumble upon undesirable material. Filtering is usually turned 'on' by default.

Mobile Internet filtering systems can often block access to the wrong content, for example because content is categorised incorrectly or simply because the blocks are applied too broadly. 

We created a website recently that helps people report when this 'over-blocking' happens. In the last couple of weeks, we have received around 30 reports of inappropriate blocks to sites ranging from bars and restaurants through to personal blogs and pictures. This is denying businesses access to their market, consumers to services they want and restricting people's ability to freely access information online.

One of the first cases we came across was of a church being blocked by O2 - with the person running the church having serious problems getting the site unblocked. 

Such stories help demonstrate many of the problems with overly broad blocking:

  • Phone companies do not properly inform adults that they may encounter censorship, or fully explain what is blocked.
  • It can be difficult to opt out, and people who do are often actually asked to “opt in” to pornography and to provide credit card details.
  • Mobile companies don't allow website owners to check if their sites are blocked, don't make it easy to report when things go wrong, and can be unresponsive when made aware of mistaken blocks. 
  • Their staff seem poorly trained to help users making complaints.

Open Rights Group will be meeting with mobile operators over the next few weeks to talk about making sure that they can both help parents manage their children's mobile Internet use and avoid clumsy implemented filtering. Some are better at aspects of this than others (Orange provide an overview of the categories they block, for example.) But none implement a transparent and clear policy that puts users in charge.

We hope to have a good and constructive discussion about the pitfalls and how to tackle them; we have some pretty simple 'asks' that should help address many of the problems:

  • Every adult is given a straightforward choice at sign up, whether to live with censorship or not. This is often called an 'active choice'.
  • Every adult is given clear advice about the kind of content that may be blocked.
  • They provide information on how their blocking works.
  • Every mobile operator provides clear and easy ways to check if a site is blocked.
  • Every mobile operator provides an easy ways to complain about wrongful blocks, including at the time that you find an incorrectly blocked website.

We'll be posting about our discussions with mobile operators as they happen.  

Comments (10)

  1. NikTheGeek:
    Jan 23, 2012 at 07:17 PM

    T Mobile expect you to provide a credit card complete with security code to remove the block. How easy would it be for a hacker, lets say me, to set up a website, detect the browser is IOS and serve up a T Mobile content block message. Surely some of the visitors would actually be using T Mobile and supply their details...

  2. Tom Barfield:
    Jan 24, 2012 at 10:39 AM

    A lot of completely innocent websites appear to be blocked by mobile operators' filters. I've often encountered problems searching for information about Linux on my (Orange UK) phone - I can't see any legitimate reason why this would be blocked.

  3. Jim Killock:
    Jan 24, 2012 at 11:00 AM

    @Tom Please let us know about blocked Linux sites via http://www.blocked.org.uk

  4. Neurobonkers:
    Jan 24, 2012 at 11:21 AM

    @NikTheGeek I thought exactly the same thing. I'm pretty sure this is already happening.

    o2 do the same. I have refrained from signing up to have the parental block removed because every time I have come up against it (when I am away from the desktop) I have been unable to confirm the authenticity of the message. The ridiculous thing is that the block requesting credit card details does not come from a known domain (o2.co.uk) but a scrambled looking URL.

  5. Hoshi_mitsu:
    Jan 24, 2012 at 06:41 PM

    Whats new? I guess they've caught on to the fact that anyone with brains could easily obtain a contract free sim and top up from your local high street mobile stool and obtain a cheap yet decent phone. Do a wifi tether, change mac, do some packet monitoring and pull a one-off deadly hack and remain anonymous. Why involve tor? I guess it depends on the situation.

  6. sickkid1972:
    Jan 24, 2012 at 06:49 PM

    I too have had trouble with T-mobile's opt-out only censoring of the net. Apparently, only a credit card will do as proof of age, and since I don't have any, I was told they wouldn't be able to change this.

    I found a way around it though. Since my phone is running Android, I just downloaded a new browser (Opera mini) to replace the default one installed on the phone, and use third party apps for other stuff like twitter... it's like their filter isn't even there now. 8-)

  7. sickkid1972:
    Jan 24, 2012 at 06:54 PM

    Oh, and the torproject.org home page is entirely viewable in Opera mini too... 8-)

  8. sickkid1972:
    Jan 24, 2012 at 06:57 PM

    Oh, and https://www.torproject.org/ is entirely viewable in Opera mini too... 8-) (Spelling corrected)

  9. Gervase Markham:
    Jan 26, 2012 at 01:07 PM

    Peter: one correction - I don't "run" The Crowded House, I'm just a church member. Although I told the church leadership about my troubles with O2, they are not responsible for efforts to get them unblocked.

  10. MissedThePoint:
    Feb 11, 2012 at 11:57 AM

    I think you are missing the point a bit with your 5 'asks. You assume that all adults sign-up for a contract. We dont. My family buy PAYG phones cash so we dont have our personal details stored on mobile operators databases. By 'signing-up' we have to compromise this privacy. Your blocked.org.uk campaign also appears to infer that it is ok for mobile operators to block adult sites, it is not. If mobile operators are concerned about children, then require proof of age at purchase. If the purchaser cant prove their age then advise them that a filter will be applied. As with alcohol purchases, this doesnt require any logging of personal details. I am an adult - I should not have to give personal details or credit card info to access content that I am legally entitled to by UK law.