Questions ISPs must answer about Internet filtering

Over the past few weeks the Government has held meetings with Internet companies about child protection online. These are designed to prompt more action to protect children, on the assumption that these companies could and should be doing more.

Sadly the Government has seemed keen to appear as if they are taking tough action, and not so keen on thinking carefully about what their action should be.

Nowhere is this problem clearer than in an extraordinary letter written by the Department for Education to internet companies, which was leaked to Rory Cellan-Jones at the BBC. The letter sets out a fairly direct interventionist industrial policy – these businesses are asked to make various commitments in service of a speech that the Prime Minister would like to make. The ISPs are asked to implement ‘pre-ticked’ boxes, a ‘browser intercept’ to prompt users to turn on filtering, and to refer to the system as ‘default on’.

Policy makers who are pushing for more Internet filtering for child protection do not take the related practical and technical questions seriously. They tend to throw about ideas for technical interventions such as internet filtering without considering how these would work, or what unintended consequences they might have.

They simply want ‘more’ done. What that ‘more’ is, or what it will achieve, seems to be an irrelevant detail. This is despite the Government having run a consultation last year, after which they settled on a fairly reasonable policy of helping parents make the right choices about filtering. They seem determined to edge towards a stricter ‘default on’ regime.

We have seen no evidence that during the meetings with internet companies the Government has taken account of any of the broader public policy questions related to the implementation of Internet filtering systems. Along with Index on Censorship, English PEN and Big Brother Watch, we wrote to the Culture Secretary Maria Miller asking her to invite us to the discussions so these issues could be raised. The Department has subsequently set up a meeting between us and the Minister Ed Vaizey MP.

The details are very important. Internet filtering can easily block more content than it is designed to – for example, if people do not understand what is being blocked and why, or if sites are incorrectly categorised. People may also easily get around blocking. It can give people a false sense of security. Making Internet filtering fit multiple devices, ages or beliefs within a household or other setting is almost impossible. And there are other consequences, such as the speed of access or an impact on privacy where traffic or blocking events are logged.

That’s why we are putting these questions to ISPs. We will be sending the questions and replies to the relevant policy makers, and hope to explain to them why we think these are important questions.

You can read our questions below, and the letter we have sent to ISPs on the correspondence page.

Twenty questions for ISPs on Internet filtering systems

A. On how the technology works

Under the Internet filtering system set up following discussions with the Government about online safety and child protection:

1. Is any traffic of users who are not opted in to filtering inspected and / or logged? If so, is it logged in a way that links the traffic to a subscriber? What logging will there be of blocking events? How does this work?

2. Is filtering applied to all forms of connection offered by the ISP (dialup, ADSL, cable, fast fibre connections etc)?

3. Have you estimated the impact of the through-put of filtering technology on the speed of users’ internet access (both for those who are opted in and opted out)?

4. We are concerned about the impact on Internet applications in general as well as web traffic. Is filtering applied only to HTTP traffic on port 80, or will other traffic be affected? What steps will be taken to avoid interfering with non-HTTP traffic on port 80, for example non-HTTP applications that use this port in order to bypass firewall restrictions?

5. What impact does the filtering have on end-to-end security measures such as SSL or DNSSEC?

6. Can you guarantee that your networks will not be susceptible to mistaken blocking as a result of using specific IP addresses for forwarding filtered traffic, for example as seemed to happen in a case involving Wikipedia?

7. Have you made any estimates on the impact of filtering systems on infrastructure upgrades?

B. On setting up the filtering

8. Are users faced with pre-ticked boxes when choosing to activate filtering? What is the impact on customers who do not have access to, or do not use, a web browser on a network, such as a home broadband connection that is only used for Smart TV video-on-demand applications (i.e. who will not be presented with a web-based set-up screen)?

9. How granular are the available choices? Will a household be able to cater for:

a. Multiple ages or a variety of beliefs?
b. Can specific sites be unblocked by a user?

10. Have you done user-testing for your opt-in systems?

11. What information about the filtering is available at the point of sign up? Does it include:

a. Detailed information about what types of content are blocked, with examples?
b. The providers of their filtering tools, if a third party is involved?
c. Information about the possible problems with and limitations of blocking, with information about how to report problems?

12. What age-verification processes will be in place? How will this work?

13. Is a customer’s decision not to activate filtering a one-off decision, or will it have to be periodically repeated?

C. On managing problems and mistakes

14. When a site is blocked, what information is supplied to the end-user about why and how it has been blocked?

15. Are there easy ways to report mistaken blocks, either over-blocking or under-blocking? Are these clear when users encounter a block?

16. Are there easy ways for people to check if URLs are blocked, and will this include a reporting tool for requesting corrections and reclassifications?

17. How will complaints, from both your subscribers and from owners of sites that are blocked, be dealt with?

a. Are there plans in place to train customer service staff for dealing with these reports?
b. Are there targets for dealing with mistakes in a timely manner, or estimates of how long responding to and correcting mistakes will take?
c. Will you share error reports and corrections with other ISPs?

18. Have you specified acceptable error rates to suppliers of filtering services? If so, what are they?

19. Have you sought legal opinions relating to liability for incorrect blocks, including both false positives and false negatives? Do you have plans to offer compensation for businesses harmed by blocking errors, for example when potential customers are unable to access the site?

20. Are there or will there be systematic reviews of the effectiveness and quality of filtering, including reporting on problems and complaints? Is there a process for review and improvement? Is there or will there be an ombudsman or other oversight body to handle disputes and review performance?