AFP FOI review keeps filter info secret

24

news An internal review has backed a decision by the Australian Federal Police to prevent the public from ascertaining the identities of ISPs participating in the Federal Government’s voluntary filter scheme for child abuse materials, through supporting the redaction of the ISPs’ details from relevant documents released under Freedom of Information laws.

In November last year, Communications Minister Stephen Conroy formally dumped the Government’s highly controversial mandatory Internet filtering scheme, instead throwing his support behind a much more limited scheme which sees Australian ISPs voluntarily implementing a much more limited filter which Telstra, Optus and one or two other ISPs had already implemented. Vodafone has also implemented the filter, and the process is also believed to be under way at other ISPs such as iiNet.

The ‘voluntary’ filter only blocks a set of sites which international policing agency Interpol has verified contain “worst of the worst” child pornography — not the wider Refused Classification category of content which Conroy’s original filter had dealt with. The instrument through which the ISPs are blocking the Interpol list of sites is Section 313 of the Telecommunications Act. Under the Act, the Australian Federal Police is allowed to issue notices to telcos asking for reasonable assistance in upholding the law. It is believed the AFP has issued such notices to Telstra and Optus to ask them to filter the Interpol blacklist of sites.

In mid-January this year Delimiter filed a Freedom of Information request seeking the complete text of all notices issued by the AFP under Section 313 of the Telecommunications Act over the two years preceding 14 January 2013 that mentioned the Interpol blacklist; as well as any responses sent by ISPs to the AFP in response to the issuing of those notices, and any subsequent communication from the AFP in response.

In response, the AFP in February published two documents; a decision letter (download PDF here) relating to the request and a longer document compiling all of the Section 313 notices and responses. The second document is 10.6MB in size and is available to download here in PDF format.

The documents revealed that the AFP has issued only a small number of Section 313 notices under the scheme; and certainly not enough notices to cover most of the ISPs operating in Australia. The AFP appears to have issued Section 313 notices in two tranches; in June 2011, shortly before Telstra and Optus implemented their Interpol filters in July that year, and more notices in mid-October 2012, shortly before Conroy announced the Government’s plans to abandon its more comprehensive filtering plans in November.

However, in all cases the AFP removed all references to the specific ISPs which it targeted with its notices, citing several sections of the applicable FOI legislation. The two principal sections cited by the AFP in its redactions to its documents include subsection 37(2)(b) of the FOI Act, and subsection s47E(d), as well as section 47F.

In its letter, the AFP stated that portions of the documents released — namely, the identities of the ISPs — constituted information that would disclose methods and procedures used by the AFP in investigations of breaches of the law. With reference to another subsection, the AFP noted that while there was a public interest in the information being released, there was a need to ensure “continued cooperation during police investigations and the effectiveness and integrity of current procedures”.

Delimiter subsequently filed an application for the AFP to conduct an internal review of the FOI decisions, stating: “… the decision document I received did not provide sufficient detail to explain why these sections of the Act apply to the identities of the ISPs concerned. I do not believe that releasing the identities of the ISPs which the AFP has contacted regarding these trials would either be likely to prejudice the effectiveness of the AFP’s operations in this area.”

However, in a response in mid-April (PDF), the AFP’s manager of Government Relations Peter Whowell noted that he backed the AFP’s initial decision to redact key information from the documents.

With respect to the AFP’s claim that releasing the identities of the ISPs involved in the filter effort, Whowell noted that the material previously released which disclosed those ISPs’ names had “related to a trial”. “While it did include the names of a number of internet service providers participating or considering participation in the trial, the documents you sought in this request are different documents which contain more information that confirms the scope of the trial and ongoing arrangements,” he wrote.

“To release the exempted material would confirm who is participating, who is not and who was considering their position. I believe this would prejudice the effectiveness of these notices,” Whowell added. “In terms of the [Office of the Australian Information Commissioner] guidelines, I believe this is not a routine method or technique that is well known to the public. For these reasons I uphold the section 37(2)(b) exemptions put in place by the decision maker.”

Similar, with respect to a different section of FOI law, Whowell noted that although there were public interest factors in favour of disclosing the names of the ISPs participating in the filtering effort and that the release of those identities would “inform debate on a matter of public importance”, overall he believed that “the cost of impeding the flow of information to the AFP” outweighed the public interest in releasing the ISPs’ identities.

“This prejudice goes beyond the effectiveness of the [section 313] notices to facilitate the use of the blacklist and the use of the blacklist by Internet service providers,” the public servant wrote. “The release of the exempted material could undermine future cooperation from the affected internet service providers. The release of the exempted material could also reasonably be expected to affect Internet services providers’ commercial activities by confirming who participated in the trial and who is participating now.”

Lastly, Whowell upheld the AFP’s decision to withhold the identities of ISP executives and AFP officers whom had facilitated communication between the various parties with respect to the filter.

Background
Since Telstra and Optus implemented the Interpol filtering scheme in mid-2011, there have been no known public complaints about the system and no sites known to have been wrongfully added to the Interpol list apart from known child abuse sites. In addition, users of both ISPs have not complained publicly about speed issues with respect to the Internet filtering system. However, some segements of the community are still concerned about specific details of the Interpol filtering scheme.

For example, when Telstra and Optus implemented the Interpol filter, neither explicitly communicated with customers to let them know that the scheme was in operation and that their Internet connections were actively blocking a small list of sites; and neither is known to have updated their terms of service with customers.

In addition, in contrast with the mandatory Internet filtering policy (which was to have been administered by the Australian Communications and Media Authority) there is currently no known civilian oversight of the scheme, which is administered by the Australian Federal Police and international policing agency Interpol, apart from questions which parliamentarians may put to the Federal Police.

Furthermore, Section 313 of the Telecommunications Act does not specifically deal with child pornography. In fact, it only requires that ISPs give government officers and authorities (such as police) reasonable assistance in upholding the law. Because of this, there appears to be nothing to stop the Australian Federal Police from issuing much wider notices under the Act to ISPs, requesting they block other categories of content beyond child pornography, which are also technically illegal in Australia but not blocked yet.

A number of sites which were on the borderlines of legality — such as sites espousing a change of legislation regarding euthanasia, for example — were believed to be included as part of the blacklist associated with the Federal Government’s much wider mandatory filtering policy. It is not clear what safeguards exist to prevent the Interpol filtering scheme being extended by the Australian Federal Police to include such extra categories of content.

The current attitudes of ISPs apart from Telstra and Optus towards the Interpol filtering scheme are also currently unknown, with it being unclear whether they would implement the scheme if the Australian Federal Police issued them with a request to do so. Last year, ISPs such as TPG and Exetel said right out that they would reject such an attempt, while others such as iiNet and Internode said they were unclear as to the specifics of the situation.

The efficacy of the Interpol filter has also been publicly questioned. Optus has admitted that users would be able to defeat its implementation of the Interpol filter merely by changing the DNS settings on their PC. And information released under Freedom of Information laws by the AFP late in 2011 shows as time went on, less and less requests were made by Telstra customers to access child abuse material on the list — presumably, as Telstra customers attempting to access the offensive material became aware that the telco had implemented a filtering system to block the requests.

For the first five weeks it operated, from 1 July through to 7 August last year, Telstra’s filter blocked a total of 52,013 requests to access child abuse materials online, with 10,402 average requestsper week. Average requests per day were 1,405, with the highest day recorded seeing 2,443 requests blocked and the lowest seeing 915 blocked.

However, over the succeeding weeks through to mid-October last year, fewer and fewer requests were made. In the week commencing 13 August, 8,649 requests were made, but by September the figure was down to between 1,193 and 3,452 requests per week, and in the week beginning 15 October, just 989 requests were made — which had previously been close to the lowest requests received in one day, in the filter’s first month of operation. In the period from mid-September to mid-October, the lowest day saw just 99 requests made by Telstra customers to access the blocked material.

Delimiter has encouraged the Minister to hold an open press conference on the issue to take questions from the media, as well as to issue a discussion paper on the issue which would allow the public to comment on the scheme formally. In addition, we have invited the Minister to respond to the following questions in writing:

  • Given the wide-ranging nature of the Interpol filter — affecting most Australian Internet users — why was no public consultation held before the Government decided to take take this step? I note that the Government has never held a formal public consultation into Internet filtering in general.
  • How would the Government respond to the claim that there will be no civilian oversight of this Interpol filtering scheme, with key information about it only being released over the past several years through Freedom of Information requests filed with the Australian Federal Police?
  • ISPs such as iiNet, Internode, TPG and Exetel have declined to participate in this scheme so far over the past 12 months, with some citing uncertainty of the legal situation. How would the Government address the claim that the legal ground of this Interpol filtering scheme, notably the process whereby the AFP issues notices to ISPs, is not clear?
  • Which further ISPs will the AFP issue notices to? Has the Government already received support from those ISPs for the scheme? How will the Government react if an ISP declines the notice?
  • How would the Government respond to the claim that there is the potential for the AFP to issue notices beyond the Interpol list to ISPs, in an approach which could be dubbed ‘scope creep’?
  • Neither Telstra nor Optus explicitly notified customers that they had implemented the Interpol filter when they did so last year. What guidelines will the Government be placing around ISPs’ participation in this scheme?

However, so far Conroy has declined to respond to the questions.

24 COMMENTS

  1. Should be ‘fewer and fewer requests’, not less and less. You can’t have a fraction of a request ;-)

  2. I’m not in the least bit surprised by this development – just imagine the outrage from a participating ISP if their name was released when they were guaranteed anonymity. I actually don’t think this will affect customer numbers beyond maybe a few dozen tinfoil hat wearers – most people will never be materially affected by the filters anyway, so wouldn’t consider it noteworthy.

    I do completely agree with you with respect to the lack of specific limitations in the legal structure enabling this, or even some kind of oversight or review. The legislation is far too broad with far too much possibility for scope creep.

  3. Hi Renai

    I am very doubtful that an internet filter would actually cause people to give up on looking up child porn, as the statistics from telstra suggest at first glance.

    The sort of human scum who actually seek out such content repeatedly wouldn’t just give it up because their ISP blocked it.

    I think its much more likely they found a site was blocked, in 5 minutes googled how to set up a VPS and went on their way. Except now their activities are completely untracable. Policy win!

    Trying to filter the internet is never going to do anything other than stop accidental contact with these areas of the internet (which wouldnt result in the decrease in searched telstra is demonstrating).

    Laudable maybe, but its something that can be done on an optional basis by the isp or the homeowner.

    Putting the content of the internet in the hands of the government of the day is too steep a price to pay for ubiquitous implementation of something that can be done with OpenDNS.

    • Someone correct me if I’m wrong but I thought the filtering was only done via the ISP’s DNS server and users can just use a different DNS server, the filter taking all of 3 minutes to legally circumvent? They don’t even need a VPS.

      • I thought the same. Either way, the point remains that its childs play (no pun intended) to circumvent the blockers put in place. Even if those blockers had some bite to them, it wouldnt be long before some other avenue opened up.

        This is one of the biggest problems with trying to dictate what sites you can and cant access – its a reactive process of whack-a-mole. Close one site down, another opens. Close that down, a third opens.

        Manage to somehow close them all down, they go to invite only ftp sites.

        I for one have no problems with these filters. If you’re hitting sites that they are intended to block, you deserve what you get. But that doesnt mean I think they are worth the effort.

        I’d have thought it would be far simpler to simply capture the IP’s of people visiting the undesired sites, and building up a profile for further investigation.

        • Actually my understanding is that the fastest way to fix the problem of sites containing illegal material is to notify the web host for the site.

          If the site doesn’t contain illegal material then who the hell has the right to tell me that I can’t visit it.

          I for one have a massive problem with these filters with secret lists. You don’t know what is on them and we already have seen examples of perfectly innocent sites being seriously inconvenienced.

          The fact that the AFP wont tell anyone who is actually using the Interpol filter without a reasonable explanation and the blocking of the Melbourne Free University site and the refusal to give a reason are extremely frightening. Not because I think that the Melbourne Free University situation was caused by the Interpol Filter but because the AFP and possibly other Federal Authorities seem to think that they don’t have to be openly responsible for their actions.

          • Please, dont get me wrong, I dont like them in the slightest, but if they work AS INTENDED, then none of us should ever notice. In that ideal world, these blocks have a place.

            As you say, when something goes wrong though, there’s no way to know whats gone wrong, and who’s to blame. Secrecy has its place, but this isnt it.

            If a site gets blocked, people wanting to access it will find a way around the block pretty fast. People running the site will find away around the block pretty fast. And for both those reasons, authorities would be no better off, and in a month or two, be adding yet another mirror site to their list.

            It’s proven not to be an effective strategy, just look at pirate bay and how they keep appearing when they are “shut down”.

            So if the authorities are serious about stopping this sort of content being available in Australia, again, why not simply IP farm anyone accessing those sites, which can be done at the ISP level, and build a profile? They know the sites they want blocked, so they must know there is illegal content on them – should note that means illegal under Australian law, not necessarily where the site/content is hosted.

            If they know its illegal, why not get the evidence needed for prosecution?

            Not sure I’m explaining it right. I’m happy for these sick sites to be blocked, but surely they can take advantage of the lists and get the sicko’s off the streets as a result.

          • Ok GongGav I think that you like a lot of people have an incorrect impression of the co-relation between porn and child sexual abuse. I would urge you to have a look at http://www.theregister.co.uk/2011/06/30/smut_freakonomics/ and http://www.hawaii.edu/PCSS/biblio/articles/1961to1999/1999-effects-of-pornography.html these highlight studies which call into question the assumptions that have been made about pornography and sex crimes.

            Am I defending child sexual assault perpetrators. No I am not. I agree that they should be removed from society until it is certain that they wont be harming another child. You will note that I don’t call these perpetrators Pedophiles. This is because Pedophilia is a diagnosed psychiatric condition and their interest is pre-pubescent children. We are dealing with a lot more with child abuse.

            Australian law in regard to censorship is a dogs breakfast. The best explanation of it that I am aware of is on Irene Graham’s web site http://libertus.net/ Did you know that you can be gaoled for having a cartoon depicting two under age kids having sex. Did you know that if you happen to have some photos of your naked 23 year old girlfriend who looks like she is only 16 and you share them with a bosom buddy via an email you can be charged with possession and distributing child pornography. Did you know that videos that are perfectly legal X rated in the USA can be illegal in Australia.

            Now I am going to ask you to ask yourself the following questions:

            1 If you block a web site which contains child abuse material will you remove that material from the web?
            2 If you block a web site which contains child abuse material will you stop the perpetrators from abusing another child?
            3. If you block a web site which contains child abuse material will you stop the dissemination of this material using other means such as P2P and Tor?
            4. If you block a web site which contains child abuse material will you be providing help and support to the abused child?
            5. If you block a web site which contains child abuse material will you know that law enforcement action against the perpetrators has occurred?
            6. If you block a web site which contains child abuse material are you really just hiding the problem and not doing anything about it?

            You can make up your own mind but the main reason I hate filtering at any level with a passion is that it is designed to hide problems instead of addressing them. Problems that are hidden generally fester and grow to cause enormous problems for the community and its members when they have no choice but to take action to fix the problem.

          • Thanks for taking the time to make the situation clearer. No, I’m not confusing them and I fully agree with you – blocking the sites doesnt solve the issues.. I’m saying that if INTERPOL have gone to such lengths to add them to whats clearly intended to be a global action, then thats good enough for me. I’m also saying that I dont necessarily think its the best approach to simply block the sites.

            They’ve clearly done some work in identifying the sites in the first place. So there has to be some reason they’ve been tagged as globally inappropriate. By extension they are saying that under various laws those sites are illegal, for one reason or another. The child abuse angle is the one most often referred to, but not the only one.

            So take it a step further. They know what the content is. They know they consider the content illegal. They know that people who visit those sites regularly would be a higher risk of offending. So why not use those sites to gather information on who visits them?

            Dont block the sites, monitor them. That would be my choice. Request the ISP’s to capture who’s visiting those sites, then see if its a regular occurence, and cross reference that fact with other information on them.

            If its a medical issue, get help for them. If its an legality issue, do something about it.

            I’m all for using the information to get criminals off the street, and to get help for those that need it. But if thats not an option, I have no problems with blocking the sites. Its at least something, and while it doesnt solve the problem, it gives one less avenue that can be accessed.

            I’m not in favor of censorship for the most part, but when something crosses the line, most people shouldnt notice that its been blocked. When things go wrong, then it becomes clear pretty fast and we see stories such as the Melbourne Free Uni site being blocked.

            What we’re NOT seeing is stories on the sites that deserve to be blocked. Which is fine by me. I’d like to see a list of blocked sites be made available, but when it doesnt happen, what are you going to do about it?

          • I hope you don’t mind but just to clear things up a little more.

            The Interpol publish full details of their access blocking scheme (filtering/censorship) at http://www.interpol.int/Crime-areas/Crimes-against-children/Access-blocking which has 7 pages of information. You will see from this that they are only interested in blocking very specific child abuse material.

            The only thing that is supposed to be on the Interpol block list is child sex abuse/exploitation where the child appears to be under 13 years old. This falls short of Australian laws on child abuse where the age can be as high as 18 or may not even be a natural child.

            The problem with the Interpol filter is that it blocks whole domains. If there are a number of different sites on the same domain, which is pretty common, and one of them is put on the Interpol block list then every other site on the domain is also blocked even though they contain no illegal material. In the case of the Melbourne Free University it is on a domain with about 1,200 other sites. The blocking of another site by the Interpol filter would also block all 1,200 of the other sites. Incidentally I don’t believe this is necessarily what happened to Melbourne Free University because there are no reports of a block page.

            Gathering information on people who visit an illegal site is problematic for a number of reasons. Firstly the only identifier of who the person is is an IP address. All that is identified is the home network the ISP is providing services to. That network could be connecting via a wireless modem to a number of computers and other devices. The wireless network may have been hacked. So in reality you don’t know which real person was actually looking at the site with illegal material. You can add to this the collection of information of people who may have accessed the illegal site accidentally and the privacy implications. Then you have the problem of the real sickos that are after this material who are using anonymisers and make it extremely difficult to identify them in any case.

            If blocking sites on the WWW or monitoring them was really going to do anything to reduce child abuse I would agree with your suggestions. The police admit that there is very little child abuse material on the WWW most of it is moved using P2P which is not, and can’t be blocked by a filter. So it seems we are throwing money and time at a minor problem which can easily be fixed by having the material taken down by the site host with a simple request as soon as it is discovered.

            I think that I would prefer to see the efforts and money concentrated on catching and punishing the actual child abusers not the sickos that get their kicks looking at pictures. The blocking of about 1,000 sites isn’t doing diddly squat about stopping child abuse or helping the victims. Nor is gaoling people who are just looking at pictures or movies and not involved in actual abuse. The possibility of a couple of consenting teens being branded for life as sex offenders because of some high spirited sexting is in my opinion ludicrous and highlights the stupidity of our censorship laws and lack of direction.

            Show me a scheme where the victim is receiving help to deal with the trauma and the perpetrator is dealt with appropriately by the courts and I will give it my full support. Anything less than that is bullshit and a diversion to fool people into thinking you are doing something when you aren’t.

            Another interesting bit of data is that more than 90% of children who are abused were related to the abuser or the abuser was well known to and trusted by the family. Shouldn’t we be questioning why we are obsessed with an ineffective attack on the smallest side of the problem, the www, and not putting the major effort into the 90% + where our attention is needed.

  4. The number of requests that the Telstra DNS redirected to the stop page in no way reflect the number of genuine attempts to access child pornography. The significant drop in recorded attempts would suggest that it likely that a lot of the traffic was actually automated searches for indexing purposes.

    The release by the AFP of the information that was requested wouldn’t hurt any police activity except possibly if someone who was a client of a participant with a load of spare money decided to take their participating ISP to Court and challenge the validity of filtering in response to a Sec 313 notice.

    If there is an appeal process available against the internal AFP decision it may be worth considering. I can not see how an internal review of a decision can be fair and impartial. In fact I would suggest that internal reviews rarely are.

  5. >”there have been no known public complaints about the system”

    Say what? You obviously missed the Melbourne Free University story, wherein they were wrongly blocked for about a week. (Complaints to the Attorney-General’s Department appear to have got the block removed.)

    That same story also undermines the point of keeping the ISPs secret. Anyone who cared to could test whether their ISP was participating simply by attempting to access that web site. Some people did this. The results are public.

    @TrevorX
    >”most people will never be materially affected by the filters anyway”

    Not so. See above.

    • If the filter was being implemented as described it could not possibly have the affect being claimed by Melbourne Free University, so my comment still stands. The fact is we don’t yet know what happened in this case. If the ALP ordered blocking of the IP they have stepped beyond the Interpol filter and into dangerous territory with a very questionable legal basis. If they required a site block and the Host blocked the IP, then the Host got it wrong. We simply don’t know. Claiming we do is both arrogant and disingenuous.

  6. I thought in a previous article you had reported that Conroy had ordered the AFP to issue notices to ALL major ISPs. This was supposed to be his ¨Big Surprise¨ that he had been taunting Free Speech Advocates with for over 6 months beforehand. Has that changed? Or did I misread the article?

  7. You seem to be conflating two separate things in this article.

    Initially, Telstra and Optus agreed to implement a voluntary filtering scheme based on Interpol information. They obviously received requests from the government in this regard, but their participation was legitimately voluntary. They were not required to.

    Section 313 notices have been issued more recently. While they’re still being issued mostly to willing parties, they’re not – technically – voluntary at all. Or at least, it’s up to interpretation whether or not they are. Compliance with a reasonable s.313 request is not optional. And they haven’t *only* been issued on a voluntary basis – Internode for one, I’m guessing never asked to be roped into a filtering scheme, but then they got section 313’ed and their legal advice is that they must comply.

    • My recollection is that the use of the “voluntary” Interpol filter was worked out by the AIIA with Conroy and others.

      The ISPs wanted some sort of legislation passed to give them protection but that couldn’t be done due to a hostile Senate. Telstra and Optus then agreed to implement the filter with at least one other ISP provided the AFP issued a Section 313 notice.

      I don’t know if the block that affected the Melbourne Free University was due to the Interpol filter or not but there were no reports of anyone seeing the block page which a parliamentary committee were told was in existence. It is possible the block was due to other reasons and had nothing to do with the Interpol Filter.

      I think a search of Whirlpool will confirm most of what I have recalled.

      More details are available at http://libertus.net/censor/isp-blocking/au-ispfiltering-voluntary.html about the Interpol Filter.

  8. “outweighed the public interest” – funny how much that phrase has entered the standard political vocabulary under Gillard’s ALP.

Comments are closed.