Telstra’s Interpol filter goes live

59

The nation’s largest telco Telstra tonight confirmed it had started filtering its customers’ Internet traffic for a blacklist of sites containing child pornography as compiled by international policing agency Interpol.

The move to switch on Telstra’s filter is the first known implementation of a voluntary filtering framework developed by the ISP industry’s peak representative body, the Internet Industry Association. Publicly unveiled just several days ago on Monday this week, the voluntary filter is expected to be adopted by most Australian Internet service providers this year.

Customers who visit one of the sites on Interpol’s list will be greeted by an Interpol ‘stop page’ which will explain that the content they have attempted to access is illegal, along with instructions as to how they can challenge Interpol’s ruling. Those who believe their web site has been inadvertently blocked by Interpol are able to ask for a review via the agency’s own website, or will be able to contact the Australian Federal Police, which Telstra has worked closely with on the filter’s implementation.

The Interpol list is believed to have been in use for a number of years, with telcos such as BT, O2 and Virgin having blocked addresses on it from reaching customers for some time. For a site to get onto the list, law enforcement agencies in at least two separate jurisdictions have to validate the entry as being illegal and not just potentially offensive. In addition, the age of children depicted through content on the sites must be younger than 13 years of age, or perceived to be less than 13.

Under the IIA’s scheme, ISPs who use the Interpol list to block access to child pornography would be doing so in accordance with “a legal request for assistance” under Australia’s existing Telecommunications Act (section 313). Because of this, and unlike the wider mandatory filtering scheme, the IIA believes that no new legislation will be required to implement the Interpol-focused framework.

The implementation of Telstra’s filter follows a whirlwind process over the past week, since the telco first revealed it was considering using the list generated by Interpol.

Last Saturday, Telstra revealed it was close to achieving executive sign-off for its internal filtering proposal, and the involvement of the Interpol list. Then on Monday, the IIA revealed Telstra’s proposal was part of a wider industry framework under development. Since that time, Optus has also confirmed its support for the framework, although other ISPs such as iiNet and Internode have yet to commit to implementing the scheme.

The limited filtering initiative is a stop-gap measure agreed to by ISPs and the Federal Government in mid-2010 while a review is carried out into the Refused Classification category of content which Government’s wider mandatory filter project is slated to block. The ISPs’ filter will only block sites with child pornography — instead of those with illlegal content in general.

Telstra, Optus and Primus had initially agreed to carry out the voluntary filtering initiative, but Primus has since backed away from the proposal and is yet to make a decision on whether it will implement the IIA scheme.

The implementation of the more limited filter has not raised the same degree of public criticism which the Government’s more comprehensive Internet filter has attracted since the policy was first unveiled back in late 2007. In addition, the IIA has sought to distance its own policy from the Government’s approach, and hopes the widespread implementation of the filter aimed solely at child pornography will take some heat out of the debate about the wider filter initiative.

However, not everyone believes the IIA’s Interpol filter will be effective in meeting its aims. Digital rights lobby group Electronic Frontiers Australia has panned the efficacy of the filter, describing it as “security theatre” that wouldn’t actually make much difference to the ability of police to enforce the law.

While the EFA has praised the world of Australia’s law enforcement authorities, and believes it is appropriate for the IIA to work together with them, it believes that it is better to adequately fund and equip those authorities to fight crime themselves rather than seeking to block material online.

Image credit: Kenn Kiser, royalty free

59 COMMENTS

      • Just venting… the thing that is so wrong about this is it will be absolutely trivial to get around.

        Just use hidemyass.com or proxify.com and it is circumvented, change your DNS serves and it is circumvented.

        Hell, I hear a lot of people use OpenDNS instead of the Telstra DNS because how flaky Telstra’s can be. Conroy was lampooning the previous governments NetAlert PC filter because it took someone with administrator access to the computer 30mins to defeat. That is until they fixed the software a few days later.

        Remember that the NetAlert filter program has be abandoned in favor of this?

        Ask any parent what they would prefer to control over?
        1/ Content they have never stumbled on and will never see, or
        2/ Porn, violence or whatever it is they find offensive.

        Conroy should know this was “cracked and hacked” before it even came through the portals., talk about scams

        In fact many had post how to defeat this more than two years ago! Fully predicted how this would bypassed. Given the song and dance they made of 30mins, that was on a poorly configured PC, and rectified anyway, he should be ashamed.

        • Sadly, Telstra are my only option for ISP at the moment (every other application for ADSL returned no ports available accept Telstra).

          I’ve just updated my modems DNS server settings to override what is assigned by Telstra and use Googles 8.8.8.8 DNS Server. Took me 30 seconds including modem restart and now all my devices at home, including my iPad are bypassing the Telstra Filters, which in principal I must do.

          30mins to bypass NetAlert because Tom had the admin password, 30 seconds to bypass ISP Level filters. *Slow clap*

          I bet it would take longer to have material added to the Interpol blacklist and propogate the changes to the ISPs than it would to contact the Hosting company/admin and alert them to the fact that their site is hosting Child Sexual Abuse material and have them remove it completely.

          So not only does Interpol’s blacklist block entire domains (massive overblocking), it only takes 30 seconds to bypass the filters but by the time new material is blocked by the ISPs, if Interpol bothers to attempt to contact the web hosts of the offending sites, it will have already been removed from the Internet and that domain blocked forever (Interpol’s site claims domains are not removed from their list).

          Yep, a great Child Protection tool in action.

          Not…

          • I’ve just updated my modems DNS server settings to override what is assigned by Telstra and use Googles 8.8.8.8 DNS Server. Took me 30 seconds including modem restart and now all my devices at home, including my iPad are bypassing the Telstra Filters, which in principal I must do.

            umm, how exactly does that bypass the filter?

            Sure you’re resolving DNS external to Telstra, but the connection to the IP still has to connect via Telstra’s network, so http can easily still be blocked.

          • umm, how exactly does that bypass the filter?

            Telstra is using DNS poisoning, don’t use Telstra’s DNS servers you have bypassed their “block”

            Sure you’re resolving DNS external to Telstra, but the connection to the IP still has to connect via Telstra’s network, so http can easily still be blocked.

            No, Telstra and the IIA are relying on a rather novel interpretation of the Telecommunications Intercept Act (TIA) as it is. This may be challenged and I wouldn’t be staking anything significant on the outcome if it was.

            Consider the following…

            1. If http://www.example.com/hidden/badimage.jpg is found to be CP by interpol they add the URL to their list and distribute it.

            2. Telstra get the updated list, finds http://www.example.com/secret/badimage.jpg on it and poisons the domain on its DNS. This means adding http://www.example.com to the DNS and instead of resolving to the correct ip address 1.2.3.4 they make it resolve to a.b.c.d, which is the web page showing the block message. Check out http://interpol.contentkeeper.com for an example.

            3. Whenever a Telstra customer goes to view any content from http://www.example.com the first thing that happens is their client looks up the IP address. As it is on the Interpol list Telstra’s DNS returns the poisoned IP address a.b.c.d instead of the correct one.

            4. The customer’s client then visits http://a.b.c.d/secret/badimage.jpg, a.b.c.d is a webserver that is configured to serve up the block message similar to http://interpol.contentkeeper.com

            Hopefully you see that the ability of being able to block is entirely dependent on the client using Telstra’s DNS to resolve the IP. Don’t use the Telstra’s DNS and you will get the correct ip address of 1.2.3.4 and you are now considered a LEET hacker by supporters of the policy.

            If Telstra did molest the IP traffic to 1.2.3.4 and perform “filtering” instead of DNS poisoning they would be in breach of the TIA as it would be considered an illegal intercept, to do that they need the same kind of warrants that the AFP need when tapping your phone or internet connection. Don’t have a warrant? Go straight to jail, do not pass go.

          • That’s how the filter works – it only poisons DNS queries.

            Yep. You better believe it.

          • @Tezz

            I forgot to add that this is the same reason you hear opponents talk about massive overblocking.

            All content hosted on http://www.example.com will get redirected to the CP block page.
            Every. Single. Webpage.

            Before you say it isn’t an issue think about the dentist site that was on the ACMA blacklist. Someone had compromised their webserver and put some dodgy content on there to share amongst a small group of people. It was buried in the website so unless you knew the exact URL you wouldn’t find it.

            This was brought to the ACMA’s attention, instead if telling the website owners their site was hacked they just added it to the blacklist. Under the IIA’s current policy the entire site would be blocked for every Telsra user that tried to visit it.

            Would you let your child visit a dentist for treatment that had their website blocked for hosting child porn? Would you continue to use them? Would you confront them or just find a new dentist?

            Guess what happened to the when the dentist finally found out their site was compromised? First thing they did was to remove the offending content. If the ACMA had have contacted them first the content would have been removed as soon as it was found. It shouldn’t take the leaking of the blacklist to get rid of the content.

          • Oh I agree, it’s terrible, it’s arguably even worse than the proposed government filter because at least that got down to specifics and didn’t do site blocking.

            I wonder if this would affect virtual hosting, by that I mean are they taking the domain 1.2.3.4 and changing it at the DNS level to a.b.c.d, or are they taking 1.2.3.4 and redirecting it to a.b.c.d?

            The former would only block the site in question, the latter would block every site on a particular IP.

          • Even if it was the only entire single site and not all sites on the virtual server, hackers would have a field day putting their services to hire so you could bring down you oppositions website by getting it blacklisted without them even knowing.

            You’ve got to think the process of having your website removed from the Interpol blacklist and that removal filtering down to the ISP Level wouldn’t be a quick one.

            It’s been bad enough in the past when I’ve had my domain added to a blacklist for spamming because of an infected computer on the network. It took 48 hours to have the blacklist removed from most lists and 2 full weeks before all the blacklists updated.

            It was bad enough we couldn’t send out any emails to clients whose ISP used those blacklist on their email servers but if our entire site had been inaccessible things would have been much worse.

            There are a lot of dangers and exploits that might be worth it if the child sexual abuse material was being removed from the Internet and not filtered and those responsible for the creation of the material were caught and prosecuted, but that’s not the case with the filtering. As we’ve shown, it can be bypassed on entire local area networks within a matter of 30 seconds…

            All risk no reward other than possible future justification for Mandatory Government Controlled ISP Filtering.

          • No, they are poisoning individual DNS records, to keep it simple it’s the first part of the URL, so they will be able to discriminate at the domain/sub domain level only.

            The DNS maps the sub/domain to the IP address, normally your client contacts your ISPs DNS and if it hadn’t looked up it up recently it goes the the internet to find the “authoritative” DNS that the webmaster has setup when they created the website once they know what their ip address will be.

            In this example Telstra’s DNS server normally isn’t the authoritative server as someone is hosting the webserver, poisoning is essentially when the sysadmin tricks Telstra’s DNS and uses a locally programmed IP address for the record and doesn’t look it up from the authoritative DNS.

            Also it is likely that all poisoned records will be pointed to the same IP address, the address of the block notification page.

            Examples of the records might be…
            example.com
            http://www.example.com
            forum.example.com
            blog.example.com
            sales.example.com
            store.example.com
            gallery.example.com

            But they will not be able to discriminate between the following…
            gallery.example.com/portfolio/weddings/ceremony.jpg
            gallery.example.com/hacked/csa.jpg

            But this isn’t the only problem, but it is important to understand how it works.

          • The Interpol website below also states that if a blacklisted domain removes the child sexual abuse material that got it blacklisted but still contains illegal material as determined by the laws of one or more countries it will remain on the blacklist, so the blacklist almost certainly already contains domains that don’t host any child sexual abuse material at all.

            http://www.interpol.int/public/THBInternetAccessBlocking/ComplaintsProc.asp

            “If found not to contain child sexual abuse material according to the “Worst of”-list criteria, but still illegal material according to national legislation in one or more countries, the material will remain inaccessible in those countries.”

            So the Telstra filter is easily bypassed, blocks domains that don’t host any child sexual abuse material, and overblocks by blocking entire domains (according to the first line in the link above).

            And here I was worrying about scope creep and overblocking happening in the future, not the instant it’s turned on…

          • Something you may not have noticed is that the content will only be unavailable to the countries it is illegal in. You seem to be implying that if, for example, pictures of surfboarding were illegal in all European countries, then they would be filtered in Australia. However, the quote you posted says that such pictures would only be banned in Europe, where they are illegal.

          • Basically that means Telstra will ‘Block’ (block is a horrible way to describe what they’re doing) only content that contains ‘Worst of-‘ CP and content that is illegal in Australia which is hosted on a server that has, in it’s past, been on the list for CP.

  1. OK, so Telstra now blocks access to a domain list supplied by Interpol. So, ah, what’s the problem? Go out and argue with Interpol boys, they maintain the list. Can’t spend your whole lives panning agencies actions when you have so little visibility into what they do. The AFP and Interpol etc can only be amused that people out here seem to think they know more about what the AFP and Interpol do then the AFP and Interpol… You have no idea at all if there is massive overblocking, you are just assuming for the argument’s sake…

    • Because it is a secret list, neither you nor I really know what they are blocking. We know what they say they are blocking, and since they say they are blocking domains not URLs, this means that if they are doing what they say they are doing, they are overblocking, since a single domain may contain many websites apart from the offending one, and even that website may have only one offending page and many that do not.

      This applies, even if you totally trust that the list is composed of what they say it is. Experience with similar regimes elsewhere in the world shows that this trust is almost certainly misplaced.

    • So your argument appears to boil down to “there is little to no transparency, so how can you oppose it as you don’t know enough about how it operates”, rather amusing when you read it back.

      The most accurate assessment I have seen regarding the policy is it’s security theatre.

      It seems designed to do nothing but give people that don’t look at the details and apply a little brain power the impression that they are doing something.

  2. CP is disgusting, and it’s production must be stopped.

    But an internet filter:

    – does not stop a single piece of CP from being produced.
    – does not protect a single child from being abused.
    – does not serve to facilitate the rescue of a single child that is being abused.
    – does not stop those who wish to obtain CP from doing so.

    You do not solve the problem by (trying) to hide it. And this doesn’t even hide it from those who really want to get their hands on it.

    Spend the time and resources hunting down the producers, and shutting these sites down. That’s a far more valuable exercise.

    • Well said Michael.

      I would add that its not the information thats bad, its what people do with it that make it good or bad. Its the “guns dont kill people, people kill people” argument.

      There is a saying that goes something like “If people cant talk about their problems,. then the only thing left to do is fight over them.”

      Censorship tries to hide problems rather than trying to resolve them. As it doesn’t solve the problem, things just get more extreme until they do become visible in another form.

      • It’s exactly like holding a tarpaulin up around a horse the on-course vets are about to put down after a fall at a race track.

        – we know what’s happening
        – we don’t want to see it
        – it is terrible that it is happening

        …but it’s still happening. Holding the tarp up doesn’t change it. And it doesn’t stop us from “seeing” it, because our minds still paint the picture in our heads.

        Holding a tarp around the child porn is just the same.

    • Well put Michael.
      Its like using glad wrap as a tool to fix a leaky roof or in this case as birth control.

  3. Didn’t Telstra submit a report to the government trials saying that they’d combat circumvention by forcing customers to use their DNS.

    I guess that’s not happening. I’ve always used Google DNS with Telstra because it’s far more reliable.

    Since I’m not being protected by Telstra DNS poisoning, does that mean all sorts of horrid content is going to pop up all over my computers now? ;)

    • It would only take a few simple firewall rules on Telstra’s network to prevent people on the Telstra network from using anything but the Telstra DNS servers.

      • Im with Wyres. do permanent things to the supply end, by using the demand end to FIND the supply end. sweeping the lot under the rug so Mr.&Mrs. Q braindead dont have to watch their child(ren) online is yet another way to treat people like cattle. when not trying to teach our young stylised noises to associate with animals, do we moo, baa or bleat? no? then let us use our own brains and quit screwing with our legal choices. if its illegal, ill volunteer to help end production. if it is not, GTFO & STFU.

  4. Its funny because none of the sites i go are blocked and the speed have actually picked up from those sites, the filter may have some benefits after all

    thankyou

    • written, spoken, and authorised by the Department of Broadband, Communications and the Digital Economy, Canberra

      Seriously, the filter sped you up? Funniest thing I’ve heard in days…

      • Well before the filter on the same site wiht bigpond i was getting 350-400

        today im getting 900-1mbps first time i ever received those speeds

        so something has sped my connection

          • The filter isnt blocking these sites , which some people were telling me they would , and the speed hasnt dropped but improved something has sped it up and i done nothing any different to i normally do

          • The most likely explanation is that the site has more bandwidth available to it than it did previously. I repeat, a filter will NOT double your internet speeds.

          • You are probably right , but the point is im not panicking about the filter it hasnt stopped any sites i go too, as long it doesnt im laughing

            If the mandatory filter of all isps comes in it may be a different matter ,

          • I have to agree with Michael here, as I cannot see how a filter will provide faster speeds or double your bandwidth.

            Its another reason why many ISP’s have not applied for the “volunteering” mandatory internet filter as performance issues is a concern as with over blocking and etc etc.

          • Well whatever it is , every of the sites from today what i got told would be blocked arent and my speed has picked up , which im quiet happy with.

            Thats only from my experience i know other users arent happy

          • The only sites claimed to be blocked are the “worst of the worst” child porn sites – so I don’t know what sites you were told would be blocked.

          • You go to under 13yo CP sites because that’s what the filter is supposed to be blocking per the Interpol list (although we don’t know for sure what is really blocked)?

          • Which sites exactly were you expecting to be blocked? The only filtered content is child pornography so either you need to be locked up, or you have a very poor information source, given it’s public knowledge that the voluntary filter would only be blocking the worst child pornography sites on the internet!

            As for your speed increasing, you can also increase your internet speed by placing a piece of paper with the word FAST printed on it under your router. Give it a go. My ADSL2 download speeds tripled!

        • Since 12pm Sydney time I haven’t been to get above 1Mbps on Bigpond. I’m normally around the 9 mark.

          Maybe a coincidence but who knows.

    • You know all that this filter is doing is DNS routing for Child Porn websites at this stage. This is not the filter Conroy wants to put in.

      So your claims about it speeding up sites that you were told it would block is making you out to be someone who visits child porn websites

      • no i will never go to those sites they deserved to be blacked out , i just dont know why people are fused overt those sites being blocked and leaving an isp for it

        • I oppose filtering because it’s too much power to put in the hands of future governments, Bill.

        • no i will never go to those sites they deserved to be blacked out , i just dont know why people are fused overt those sites being blocked and leaving an isp for it</cite?

          I wouldn't and don't access or view CP content either. I will virtually guarantee everyone speaking out against this policy doesn't access it either. How? Why would anyone accessing illegal and exploitative content bring attention to themselves?

          Thing is though, if you wanted to access the content you still can, in fact many of Telstra's (and the other ISPs) will be able to do so without having to do anything. Telsra's DNS are known for being flaky and troublesome and many customers will be using Google's DNS or OpenDNS or any other number of DNS.

          Anyone working in a workplace with a competent SysAdmin may also be circumventing if they are running their own DNS. You can even run your own DNS at home as well.

          Hopefully you can see that it is a useless policy, the only reason Telstra appears to be pursuing this is they know it is a very low impact approach (technically) and that it might appease the government and stop them moving forward with a more restrictive and draconian version.

  5. Im on bigpond and havent changed anything , im not saying what sites but they have nothing to do with child pron or anything rubbish like that.

    Looks to me people have panicked for not reason about the filtering

  6. Interpol is not stupid. some porn is hosted in countries that do not co-operate (well) with Interpol.

    hence, the block AND arrest strategy.

  7. I know that linking to the blacklist URLs directly is illegal.

    However I assume if I create a web site that reverse-engineers the blacklist on the client-side (e.g. using JavaScript, ActiveX or Flash etc) then this wont get me in hot-water?

  8. Whats to say the next LulzSec group does hack telstra’s dns servers and redirect telstra.com.au to everything on the list, just for a laugh

  9. Much as I hate CP and Conroy I am reluctantly accepting the “interpol solution”. It is less open to manipulation by any Australian Government so that is a winner. It might shut Conroy up so that would be a good thing. If, and I do mean if, it stops you getting to a legitimate website there are two benefits: 1) It tells you why (unlike Conroy’s BS proposal) and 2) it is relatively easy to circumvent. However as an overall strategy to fight CP it is utter rubbish and propaganda.

    Let’s all turn a blind eye to the evil that is CP. Ahhh that’s better now isn’t it?

    This filter and its idiotic supporters are reprehensible (note: I only grudgingly accept the interpol solution. I never support it. I simply accept it because Conroy’s alternative is too horrible to contemplate).

  10. We already know the sort of sites that get blocked.
    ISP level filters based on the Interpol list has blocked such evil sites as.
    Wikipedia
    Archive.org
    for hosting child porn images like those that appear on record covers.

  11. I have no issue with the Interpol filter. Sure, there’s ways around but most businesses already use internet filtering to stop main stream access to sites.

    The problem with the “government” filter is that it was a secret list, nobody trusts the nanny state and it was likely to be used to control the population’s online discussions.

  12. child protection laws in Australia are breached by hundreds of thousands of people,’every minute of the day. those Simpson porn images we’ve accidentally seen on google when you’ve browsed google images are enough to be in breach of federal law (and a fee states). yep that alone and browsing by accident is no excuse. a depiction, either in a story, drawn or photo, of a person under 18 is enough.

    • If accidentally browsing a site containing CP (or whatever) was enough for a conviction then popups would have sent the vast majority of us to jail years ago.

      Hell I’ve wanted to numb my brain and read some /b/ and someone had posted a (fuzzed out over the main bits thankfully) CP pic, am I worried about getting a conviction? No, because there still has to be some form of intent involved.

      Oh and Alan John McEwan had the pics on his computer, he didn’t just stumble on them via a google search.

  13. Is there a quote or a sound bite from Mick Kelty et al from AFP about any of the CP rings they have taken down where they describe HOW the ring communicated/shared files?

    If so, has anyone used that quote/sound bite and asked Conroy directly how his proposed filter would stop that method of PTP/email/VPN file transfer?

  14. Oh Telstra. What were you thinking? Looks like I’m changing ISPs, gonna cost me plenty to burn my contract but I just can’t support this.

    • Yes, depending on the reply to a query to the CEO, I’ll paying out my contract too. No way will I support an ISP that supports this ‘voluntary’ filtering.

      I’m particularly riled that customers have not been advised of it. Opinion seems to vary on Whirlpool as to whether they have legal obligation to under the ToS.

  15. I have received a reply from Telstra’s CEO’s office in answer to my query about whether customers will be notified of the filtering as a change in the ToS agreement.

    “We first flagged our intention to disrupt the availability of child abuse content in mid 2010 (our media release at the time for your records http://www.telstra.com.au/abouttelstra/media-centre/announcements/telstra-supportive-of-interim-internet-child-protection-measures.xml )

    Our Customer Terms require that customers do not breach laws when using their Telstra service. Consequently, steps made to block access to illegal content, such as the INTERPOL child abuse sites, do not constitute a change in the terms of our service.”

    I think the last paragraph is interesting because it indicates that the scope of filtering could easily be widened without anyone even being aware.

Comments are closed.