Redacted: AFP cuts ISP details from filter docs


news
The Australian Federal Police has sought to prevent the public from ascertaining the identities of ISPs participating in the Federal Government’s voluntary filter scheme for child abuse materials, through redacting the ISPs’ details from relevant documents released under Freedom of Information laws.

In November last year, Communications Minister Stephen Conroy formally dumped the Government’s highly controversial mandatory Internet filtering scheme, instead throwing his support behind a much more limited scheme under which Australian ISPs voluntarily implement a filter which Telstra, Optus and one or two other ISPs had already implemented. Vodafone is also believed to be implementing the filter, and the process is also believed to be under way at other ISPs such as iiNet.

The ‘voluntary’ filter only blocks a set of sites which international policing agency Interpol has verified contain “worst of the worst” child pornography — not the wider Refused Classification category of content which Conroy’s original filter had dealt with. The instrument through which the ISPs are blocking the Interpol list of sites is Section 313 of the Telecommunications Act. Under the Act, the Australian Federal Police is allowed to issue notices to telcos asking for reasonable assistance in upholding the law. It is believed the AFP has issued such notices to Telstra and Optus to ask them to filter the Interpol blacklist of sites.

In mid-January this year Delimiter filed a Freedom of Information request seeking the complete text of all notices issued by the AFP under Section 313 of the Telecommunications Act over the two years preceding 14 January 2013 that mentioned the Interpol blacklist; as well as any responses sent by ISPs to the AFP in response to the issuing of those notices, and any subsequent communication from the AFP in response.

In response, the AFP this month published two documents; a decision letter (download PDF here) relating to the request and a longer document compiling all of the Section 313 notices and responses. The second document is 10.6MB in size and is available to download here in PDF format.

The documents reveal that the AFP has issued only a small number of Section 313 notices under the scheme; and certainly not enough notices to cover most of the ISPs operating in Australia. The AFP appears to have issued Section 313 notices in two tranches; in June 2011, shortly before Telstra and Optus implemented their Interpol filters in July that year, and more notices in mid-October 2012, shortly before Conroy announced the Government’s plans to abandon its more comprehensive filtering plans in November.

However, in all cases the AFP has removed all references to the specific ISPs which it targeted with its notices, citing several sections of the applicable FOI legislation. The two principal sections cited by the AFP in its redactions to its documents include subsection 37(2)(b) of the FOI Act, and subsection 47E(d), as well as section 47F.

In its letter, the AFP stated that portions of the documents released — namely, the identities of the ISPs — constituted information that would disclose methods and procedures used by the AFP in investigations of breaches of the law. With reference to another subsection, the AFP noted that while there was a public interest in the information being released, there was a need to ensure “continued cooperation during police investigations and the effectiveness and integrity of current procedures”.

It is unclear why the AFP considers that the identities of ISPs would cause an impact on its ability to undertake its operations, given that no customer data is collected by the ISPs in their implementation of the Interpol list; the list acts only as a block to stop the ISPs’ customers from accessing offensive sites on the list.

Lastly, with respect to individuals employed by the ISPs who received Section 313 notices from the AFP, the AFP noted that again, while there was public interest in the issue, the AFP had not received consent regarding those individuals’ personal information, and their identities would therefore be exempt under the FOI Act.

Delimiter has filed an application for the AFP to conduct an internal review of the FOI decisions, stating: “… the decision document I received did not provide sufficient detail to explain why these sections of the Act apply to the identities of the ISPs concerned. I do not believe that releasing the identities of the ISPs which the AFP has contacted regarding these trials would either be likely to prejudice the effectiveness of the AFP’s operations in this area.”

The decisions appear to contradict earlier AFP decisions on the issue of releasing ISPs’ identities. In documents released in December 2011 under FOI laws, for example, the AFP stated that iiNet, Internode and Primus had also “expressed interest” in the scheme and were “preparing to use the list”. It also revealed that Internet gateway filter manufacturer ContentKeeper had already implemented the scheme. At that time, Telstra and Optus were publicly known to have implemented the filter.

In addition, Delimiter made the following additional reply to the AFP: “Section 47F is also cited in the decision document as a rationale for withholding information in this regard; however, I would point out that the individuals contacted by the AFP as part of the process of issuing Section 313 notices are publicly known members of large corporations with public positions. It is irrational to suggest that releasing their identities would be an “unreasonable disclosure of personal information”; there is no personal information being released here; rather, the information being released relates solely to their professional role.”

The AFP’s FOI documents also revealed that the ISPs would need to sign a relatively straightforward confidentiality agreement regarding the contents of the Interpol list, as a condition of being part of the program.

Background
Since Telstra and Optus implemented the Interpol filtering scheme in mid-2011, there have been no known public complaints about the system and no sites known to have been wrongfully added to the Interpol list apart from known child abuse sites. In addition, users of both ISPs have not complained publicly about speed issues with respect to the Internet filtering system. However, some segments of the community are still concerned about specific details of the Interpol filtering scheme.

For example, when Telstra and Optus implemented the Interpol filter, neither explicitly communicated with customers to let them know that the scheme was in operation and that their Internet connections were actively blocking a small list of sites; and neither is known to have updated their terms of service with customers.

In addition, in contrast with the mandatory Internet filtering policy (which was to have been administered by the Australian Communications and Media Authority) there is currently no known civilian oversight of the scheme, which is administered by the Australian Federal Police and international policing agency Interpol, apart from questions which parliamentarians may put to the Federal Police.

Furthermore, Section 313 of the Telecommunications Act does not specifically deal with child pornography. In fact, it only requires that ISPs give government officers and authorities (such as police) reasonable assistance in upholding the law. Because of this, there appears to be nothing to stop the Australian Federal Police from issuing much wider notices under the Act to ISPs, requesting they block other categories of content beyond child pornography, which are also technically illegal in Australia but not blocked yet.

A number of sites which were on the borderlines of legality — such as sites espousing a change of legislation regarding euthanasia, for example — were believed to be included as part of the blacklist associated with the Federal Government’s much wider mandatory filtering policy. It is not clear what safeguards exist to prevent the Interpol filtering scheme being extended by the Australian Federal Police to include such extra categories of content.

The current attitudes of ISPs apart from Telstra and Optus towards the Interpol filtering scheme are also currently unknown, with it being unclear whether they would implement the scheme if the Australian Federal Police issued them with a request to do so. Last year, ISPs such as TPG and Exetel said right out that they would reject such an attempt, while others such as iiNet and Internode said they were unclear as to the specifics of the situation.

The efficacy of the Interpol filter has also been publicly questioned. Optus has admitted that users would be able to defeat its implementation of the Interpol filter merely by changing the DNS settings on their PC. And information released under Freedom of Information laws by the AFP late last year shows that as time went on, fewer and fewer requests were made by Telstra customers to access child abuse material on the list — presumably, as Telstra customers attempting to access the offensive material became aware that the telco had implemented a filtering system to block the requests.

For the first five weeks it operated, from 1 July through to 7 August last year, Telstra’s filter blocked a total of 52,013 requests to access child abuse materials online, with 10,402 average requests per week. Average requests per day were 1,405, with the highest day recorded seeing 2,443 requests blocked and the lowest seeing 915 blocked.

However, over the succeeding weeks through to mid-October last year, fewer and fewer requests were made. In the week commencing 13 August, 8,649 requests were made, but by September the figure was down to between 1,193 and 3,452 requests per week, and in the week beginning 15 October, just 989 requests were made — which had previously been close to the lowest requests received in one day, in the filter’s first month of operation. In the period from mid-September to mid-October, the lowest day saw just 99 requests made by Telstra customers to access the blocked material.

Delimiter has encouraged the Minister to hold an open press conference on the issue to take questions from the media, as well as to issue a discussion paper on the issue which would allow the public to comment on the scheme formally. In addition, we have invited the Minister to respond to the following questions in writing:

  • Given the wide-ranging nature of the Interpol filter — affecting most Australian Internet users — why was no public consultation held before the Government decided to take this step? I note that the Government has never held a formal public consultation into Internet filtering in general.
  • How would the Government respond to the claim that there will be no civilian oversight of this Interpol filtering scheme, with key information about it only being released over the past several years through Freedom of Information requests filed with the Australian Federal Police?
  • ISPs such as iiNet, Internode, TPG and Exetel have declined to participate in this scheme so far over the past 12 months, with some citing uncertainty of the legal situation. How would the Government address the claim that the legal ground of this Interpol filtering scheme, notably the process whereby the AFP issues notices to ISPs, is not clear?
  • Which further ISPs will the AFP issue notices to? Has the Government already received support from those ISPs for the scheme? How will the Government react if an ISP declines the notice?
  • How would the Government respond to the claim that there is the potential for the AFP to issue notices beyond the Interpol list to ISPs, in an approach which could be dubbed ‘scope creep’?
  • Neither Telstra nor Optus explicitly notified customers that they had implemented the Interpol filter when they did so last year. What guidelines will the Government be placing around ISPs’ participation in this scheme?

However, so far Conroy has declined to respond to the questions.

opinion/analysis
In July 2011, when Telstra and Optus implemented the voluntary Interpol filter, I wrote the following about it:

“We are talking about a filtering scheme here which is being implemented behind closed doors, with little notification to customers, with no civilian oversight, an unclear legal framework, the potential for scope creep and a limited and secretive appeals process overseen by the agency which drew up the list to start with.”

None of this has changed. Communications Minister Stephen Conroy will not answer basic questions about the scheme. The Australian Federal Police will not answer basic questions about the scheme. And Australians are apparently not even allowed to know which ISPs have implemented it and which have not. Plus … there is also a lot of evidence to show that the new filter is trivial to circumvent.

Personally, I think the voluntary Interpol filter is a good idea; and it’s certainly a much better idea than the mandatory ISP filtering idea the Government came up with last time around. However, the scheme is far from perfect, as the AFP’s current reticence to disclose an appropriate level of detail about it shows. Australia can do better on this issue.

17 COMMENTS

  1. I don’t have a problem with this sort of filtering, but transparency is important. I would hate to think that ISPs might start slipping other sites on such a filter as well without warning.

  2. It is interesting to note that the Telstra figures on referrals to the stop page have substantially reduced over time. This surely would indicate that the largest number of hits on the stop page were not in reality actual requests but resulted from automated processes which had nothing to do with actual attempts to access domains on the Interpol list. I seem to recall that the AFP were loudly trumpeting their success shortly after the introduction of the Interpol filter.

    It would be interesting to know exactly what sub section of Sec313 the AFP are relying upon in making their request. It would be even more interesting for a full review of this process by the judiciary. Undoubtedly we will hear more of this when Senator Ludlam receives an answer to his question on notice. http://whrl.pl/RdvolE

    There has been some interesting discussion on Whirlpool about this http://forums.whirlpool.net.au/forum-replies.cfm?t=1892148&p=101 The comments here are interesting http://whrl.pl/RdvNIB

  3. If child pornography possession is illegal then that person is a paedophile. In order to create an ongoing blacklist, they need to not only view the content but possess it perpetually. They need to possess it because Internet addresses change all the time and may end up in the hands of an unsuspecting domain owner who wants to know why the domain is blocked. Ergo the filterers are government-funded paedophiles.

    How can they stop child porn AND destroy content? By investigating and prosecuting those that possess child porn. Then destroy it. As a bonus, they can stop child abuse. Guess who will be keeping a massive amount of child pornography? The Australian Federal Police or at least Interpol.

    I say, ban Internet filters except for opt-in for concerned Internet users. It’s deeply concerning that Telstra/Optus spent millions voluntarily controlling users’ access to the web.

    • “If child pornography possession is illegal then that person is a paedophile… the filterers are government-funded paedophiles.”
      No that’s completely wrong. Breaking a law doesn’t make somebody a paedophile, and similarly being a paedophile is not illegal.

    • What are you smoking? The ISPs didn’t spend millions, they would have spent maybe $1,000 on a technician’s salary for them to spend maybe a day altering DNS records on a test server, testing, then pushing it out to the live servers. All in a day’s work for a network admin.

  4. I certainly think it’s fair that they redact anything identifiable with the person handling their requests, as one who has processed 282 requests, but not any 313 requests, it’s nobody’s business but mine and the AFP’s, same goes for other ISP liaisons.

    Further, I also certainly don’t think the AFP has a responsibility, or even a right, to release who it sends notices to, that would be the ISP’s rightful place to announce that.

  5. Security is subjective, it’s a feeling, you feel secure or you don’t, it can’t be objectively measured.

    This filter attempts to make us feel more secure by requiring blind trust in Authority, it’s counterproductive, it cannot achieve any net good.

  6. You ask a relevant question but later answer it with data from the trial.

    “It is unclear why the AFP considers that the identities of ISPs would cause an impact on its ability to undertake its operations, given that no customer data is collected by the ISPs in their implementation of the Interpol list; the list acts only as a block to stop the ISPs’ customers from accessing offensive sites on the list.”

    The fact that Telstra has logged all the failed attempts day by day, week by week, month by month would be very relevant in any AFP investigation.
    If each ISP is reporting that to AFP, it gives them an idea of which IP ranges to monitor more closely, and which ISPs are worth subpoenaing for more info on their customer base.

    While logging the page request / filter block, they are more than likely capturing the IP address of the requesting service, date, time, browser agent etc which would link back to the account holder. That gets them another step closer to possible suspects.

    If the AFP is investigating people, they wouldn’t want it known exactly which ISPs are running the filter because it would make it more difficult for a paedophile to shop around for an ISP who isn’t running the filter.

    More transparency on what is being filtered is good, then do we really need to know who is filtering?

    • “While logging the page request / filter block, they are more than likely capturing the IP address of the requesting service, date, time, browser agent etc which would link back to the account holder. That gets them another step closer to possible suspects”.

      No this is not being recorded or the AFP has lied to the Parliament. It is also directly contrary to the way that Interpol say their filter works. All that Telstra was recording was the number of requests that were diverted to the “Stop Page”. As I noted in a post above this has significantly reduced and the assumption must be that a large number of the original hits were from crawlers and other automated searches and not from human initiated searches. How many of the 989 requests in one week in October were humans and how many were bots is something we don’t know. To say that these statistics have any real meaning is “gilding the lily”.

      The stats that Telstra have collected on hits on the “Stop Page” are not going to be of any assistance to the AFP or anyone else as they don’t tell us anything more than the number of hits.

      • If you read the scheme’s details, there is nothing preventing an ISP from logging access requests.

        There is no requirement but the section 313 request specifically does not state that you should or should not log requests. (It merely says logging is not a requirement since identification is not the goal of the scheme).

        • “If you read the scheme’s details, there is nothing preventing an ISP from logging access requests.”

          Interpol say ( http://www.interpol.int/Crime-areas/Crimes-against-children/Access-blocking/The-INTERPOL-%22Worst-of%22-list ) “INTERPOL or other police authorities will not, as a rule, have access to logs and/or identifying data on the Internet users being redirected, such as IP-addresses.”

          This means that any logging of this data is not required under Sec313 and the ISP is subject to Sec 7 of the Telecommunications (Interceptions and Access) Act 1979 as amended which would seem to preclude them from recording the information. My understanding is that ISPs can only obtain and use a record by DPI or similar means for network maintenance purposes. ISPs who kept a record of the IP address of anyone redirected to the stop page would likely be in breach of the law. This is one of the reasons that any statistics on access to the stop page should be viewed with skepticism.

  7. “The AFP’s FOI documents also revealed that the ISPs would need to sign a relatively straightforward confidentiality agreement regarding the contents of the Interpol list, as a condition of being part of the program.” – how does that work with Conroy’s claim that this new Censorship Scheme is being forced on to ALL ISPs? Surely they can’t force anyone to sign?

    And, even if you were in favour of this censorship why would you sign? You know that this whole thing is going to be leaked, it is a matter of when not if. The previous scheme was leaked, and the UK version of this was leaked. The Police are unlikely to be capable of tracking down who leaked the information, nor will they be likely to even attempt to do so since they already have your name on a document assuming responsibility.

    It seems to me like you are signing on to play roulette with the prize being identified as a paedophile enabler and career ruin.

  8. Seriously, 10,000 requests/week for child porn through just one ISP? Either I live in an extremely sheltered world, or that number is garbage. Or some guys are EXTREMELY active and totally incapable of hiding their tracks.

  9. This is sorta BS hey, if you follow Anonymous on twitter for instance they are big on taking down these types of pedo scum. Yet when they provide the information and proof to the law they themselves are looked upon as the person who was in breach and the “law” uses excuses such as saying that this isn’t a problem which is of priority to them.
    So to me… it just seems very suspicious that the “law” wants a filter to block access to things which are not of a high “priority”.

    I like to research things for myself and question the mainstream news.
    You’ll be shocked at what you might find ;)
