August 14, 2013 | Lee Maguire

Virgin and Sky blindly blocking innocent sites

The blind over-blocking of innocent sites by UK ISPs apparently continues.

As reported by PC Pro, the systems implemented by both Virgin and Sky to stop access to websites blocked by the courts appear to be blocking innocent third-party sites with apparently little or no human oversight.  For example the website was reported to have been blocked.

In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments.

Many third-party load balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example may be pointed at  However, "" usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point "" to a server that merely redirects all requests to "".

From forum posts we can see that it's this redirection system, in this specific case an A record used for "", that has been blocked by the ISPs - probably a court-order-blocked site is also using the service - making numerous sites unavailable for any request made without the "www" prefix.
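The over-blocking described above, modelled as an added example (not code from the original post). The zone data, names and IP addresses are constructed, and the assumption that a court-ordered site shares the same redirect server follows the post's own guess.

```python
# Constructed data: reserved .example names and documentation-range IPs only.
REDIRECTOR_IP = "192.0.2.80"  # hypothetical shared apex-to-www redirect server
ZONE = {
    "innocent.example": [("NS", "ns1.dns.example"), ("MX", "mx.mail.example"),
                         ("A", REDIRECTOR_IP)],
    "www.innocent.example": [("CNAME", "lb-7.balancer.example")],
    "ordered.example": [("NS", "ns1.dns.example"), ("A", REDIRECTOR_IP)],
    "www.ordered.example": [("CNAME", "lb-9.balancer.example")],
    "lb-7.balancer.example": [("A", "198.51.100.7")],
    "lb-9.balancer.example": [("A", "198.51.100.9")],
}
SITES = ["innocent.example", "www.innocent.example",
         "ordered.example", "www.ordered.example"]

def cname_conflicts(zone):
    """Names where a CNAME sits beside other record types (not allowed in DNS)."""
    return sorted(name for name, rrs in zone.items()
                  if {"CNAME"} < {rtype for rtype, _ in rrs})

def resolve(name, zone, max_hops=8):
    """Follow CNAMEs until a name with A records (or nothing) is reached."""
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        targets = [value for rtype, value in rrs if rtype == "CNAME"]
        if not targets:
            return {value for rtype, value in rrs if rtype == "A"}
        name = targets[0]
    raise ValueError("CNAME chain too long or looping")

def ips_for_order(zone, ordered_sites):
    """Addresses an IP-level block built from the ordered names would cover."""
    ips = set()
    for site in ordered_sites:
        ips |= resolve(site, zone) | resolve("www." + site, zone)
    return ips

def overblocked(zone, blocked_ips, ordered_sites, names):
    """Names that land on a blocked IP without belonging to an ordered site."""
    def in_order(name):
        return any(name == s or name.endswith("." + s) for s in ordered_sites)
    return [n for n in names if resolve(n, zone) & blocked_ips and not in_order(n)]

if __name__ == "__main__":
    order = ["ordered.example"]
    blocked = ips_for_order(ZONE, order)
    print("blocked IPs:", sorted(blocked))
    print("collateral:", overblocked(ZONE, blocked, order, SITES))
```

Only the bare name of the innocent site is caught, because its "www" name resolves through its own load balancer while its apex shares the redirect server's address with the ordered site.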

These incidents strongly suggest that the opaque approach to website blocking by ISPs, and the apparent lack of oversight, has the potential to be hugely damaging to the internet. Open Rights Group calls for greater transparency in this area, beginning with making the court orders available for public inspection.

Comments (6)

  1. Don:
    Aug 14, 2013 at 04:04 PM

    Hi all,
    As long as the ISPs are allowed to do what they want, web blocking, tracking, recording personally identifiable meta data, and sharing/selling that information with 3rd parties who are not accountable to UK laws on how they use that information, we don't stand a chance.
    I have been advised to carry a phone with me at all times for medical reasons, but I do not, because I do not wish to have my location and meta data recorded and shared with others.
    At the moment we are working on a secure point to point messaging/mailing system, but with the UK ISPs refusing to issue fixed IP addresses (using the rotating address method so people cannot set up servers to use the bandwidth they are paying for) there is no way I can be contacted directly without going through an untrusted 3rd party.

  2. Steve:
    Aug 14, 2013 at 04:24 PM

    ISPs shouldn't block anything, if it's for "children's protection" the onus should be on the parent(s)/guardian(s).

    @Don, you can get a fixed IP from several UK ISPs: You can also buy phones without GPS capabilities. Personally, I wouldn't be trading my health/life for privacy.

  3. ThomasGC:
    Aug 14, 2013 at 05:33 PM

    @steve, mobile phones can be tracked pretty well without GPS, by reference to the cell towers to which they connect.

  4. Dondilly:
    Aug 14, 2013 at 11:39 PM

    @steve the cell towers can give a rough location but because of the way cellular networks work, they offer greater accuracy in urban areas. To reduce traffic load in cells in urban areas and to mitigate signal obstruction by buildings, rather than having one high power network cell, the area is divided up into many smaller lower power cells. In the centre of London, each cell may only be 100 metre radius. However, if you are out in the country you may be 6 or 7 miles from the cell tower.

  5. Simon:
    Aug 22, 2013 at 02:59 PM

    @Don - just switch to a half decent ISP. Many will let you have a fixed address at a cost - eg BT Internet charge £5/m for a fixed IP. This is a complete ripoff though and is just a ruse to charge extra for a "proper" connection - some charge nothing, and some (eg Plusnet who I'm with and would recommend) provide a fixed address as standard on some packages.

    As to phone tracking, this can be done with just one tower - ie if you have a signal, they know where you are. The base station has a fairly good measure of distance from the tower and this is the primary tracking information. They also have a rough idea of direction as they know which segment (think like segments of an orange) you are in - each base has multiple directional antennas so (for example) a user who is north of the tower will be using a different radio unit to someone who is east of the tower which means more users can be accommodated by one tower. Thus if you have a signal from just one tower they can locate you on an arc with fairly precise distance, but only vague direction (within around 30°) which can mean a large area if you are some distance away.
    Once your phone is within range of two towers, then they can roughly locate you by the segments, but precisely locate you by distance. Ie if you are 4000m from one tower and 5000m from another, then that pinpoints you to one of two fairly small areas. However, only one of those will be within the area defined by the rough direction from each tower. The accuracy varies according to geometry, and adding more towers that can talk to your phone increases the accuracy.
    However, there is no reason for the network operator to store this information - it would be a huge database which has no value to them, would be costly to store, and would tie up enormous resources to apply to all phones all the time. They do (I believe) store historical values of "home location register" which merely notes the base and segment your phone is currently logged into - at least the current value of this is required so that incoming calls can be routed to you.

  6. Martin:
    Aug 22, 2013 at 05:25 PM

    Hi Simon - I would be extremely surprised if providers routinely stored the historic values of "home location register" information for network users who were not using their devices to send or receive communications at any given time. I can understand why current values are necessary (to route current calls) but surely not historic values when no call was routed.