The UK Government is considering whether to restrict access to adult content online using an opt-out system. In this blog post I am going to present my opinion on the matter not by making a moral argument, but by treating the blocking system as a security system. Using this approach I will analyse the proposed security system to glimpse at the effectiveness of such a measure, were it to be implemented.

Bruce Schneier, a renowned security expert, presented a five-step plan for performing a security analysis of a system in his book Beyond Fear. This will be used as the structure of this post. The steps are:

  • What asserts are you trying to protect?
  • What are the risks to these assets?
  • How well does the security solution mitigate those risks?
  • What other risks does the security solution impose?
  • What costs and trade-offs does the security solution impose?

At the moment, there are only glimpses of exactly how this will be implemented. The approach suggested by an independent Parliamentary inquiry is for a “network-level ‘opt-in’ system, maintained by ISPs, that delivered a clean internet feed as standard but allowed them to choose to receive adult content”. Confusingly, the report does not specifically define what should be blocked. For the purposes of this analysis I am going to take this solution of an ISP-level blocking system for pornography only. Note that under current UK law ISPs are required to block illegal websites when notified. Such content is therefore outside of the scope of this analysis.

##What assets are you trying to protect?

Fundamentally we are trying to protect, or indeed preserve, the ‘innocence’ of children.

##What are the risks to these assets?

Specifically we are concerned with exposing children to content that is considered harmful. That is, content which children may find upsetting or are not capable of fully understanding.

##How well does the security solution mitigate those risks?

This solution prevents users subscribed to the blocking filter from accessing the content of websites listed on the block list. As this is implemented at the ISP level, such restrictions apply to all devices using a particular internet connection.

The effectiveness of this solution depends upon several key aspects:

  • The coverage of the block list. It is important for the detection mechanisms to be adequate to prevent content from falling through the block, known as a ‘false-negative’. This can never be reduced to zero, but should be kept minimal.
  • The regularity at which the block list is updated must be sufficient so that coverage can be maintained.
  • Blocking only takes place when a customer is subscribed to the blocking list. In the situation where a family household chooses to opt-out of the blocking system, all users will of that connection will have unrestricted access.
  • Traffic which is encrypted in a manner designed to mask the destination website from the ISP will not be affected by the filter. Anonymity tools, such as Tor, proxies and Virtual Private Networks can bypass this solution. Such technologies have legitimate use cases so to simply restrict access to these is outside the scope of this security solution.

What other risks does the security solution impose?

  • The risk of too many false positives. This often happens when keywords are scanned and used to determine whether a web page should be blocked. Often it is difficult to accurately understand the context in which certain keywords are used and there is evidence that access to content relating to sexual health has been blocked. The risk here is that we risk unnecessarily restricting access to information which should be made available to encourage safe sex.
  • Mission creep. This is where the blocking filters begin to restrict access to more types of content than originally intended. This risk can be mitigated though transparency, preferably in the form of independent scrutiny. A clear definition of what should be blocked is needed. Ideally this definition should form part of the Bill itself and can only be amended by further legislation requiring a vote in Parliament.
  • In the case of content being blocked unnecessarily, it is important for an adequate appeals procedure to be established. Under the current mobile data blocking system appeals are dealt with on an ISP-level basis and there are documented cases showing that lifting a block is a difficult thing to do.
  • There are additional risks regarding the particular implementation of the block list. Off-the-shelf solutions tend to come with their own block lists that are protected by intellectual property rights. As this will be a publicly-mandated level of blocking, ultimate control of the block list should remain in public ownership. This is especially important because there will be several instances of the blocking system – one at each ISP. They will need to be kept in sync for overall confidence in the mechanism to remain high. Adequate protections need to be placed such that it is only possible for the bill payer to unsubscribe from the blocking service. If a teenager can impersonate a parent and have the block lifted the entire system is ineffective.
  • Finally, there is a risk that this creates a false sense of complete security in the situation where this mechanism is the only protection put in place.

What costs and trade-offs does the security solution impose?

  • There is the cost of establishing and running the blocking systems at each ISP. This may be government-funded, or recuperated from customers as an additional charge or one-time price rise for their Internet services.
  • There is further financial cost towards establishing and running the appropriate auditing and appeals bodies. Depending upon the solution this may be the role of the government (through a quango body or the courts), or part of a self-regulation solution between a group of ISPs.
  • As a society, we are making the fundamental trade off that it is necessary to restrict access to particular types of content, effectively a form of state censorship.
  • Consider again the family household. Adult members of the family who choose not to opt-out of the blocking system for the benefit of their children are willingly restricting the types of information they can access.

##Conclusion

This mechanism alone is not a silver bullet. It is easily circumnavigated using well-known methods and relies upon a blocking service which has wide coverage, limits the number of failures and is responsive to change. If the Government implements this system they should not remain content. They should continue in efforts to educate and inform the public about risks associated with the Internet.

By adding security in depth, that is another layer of security in the form of a home blocking system, the overall security solution can improve. There will be the option for false-positives to be caught and successfully blocked by the second system. But, implementing security in depth adds its own layer of complexity and will probably be susceptible to the same avoidance techniques as the ISP-level filters.

A large concern remains, which is the potential lack of transparency. The Government have not yet discussed how the public will remain informed about this system. For public confidence to remain high it is important for the Government to prove that the block is effective. Without transparency the Government is asking for blind trust, which makes a mockery of the current line of allowing parents to make informed choices.

Without the adequate transparency measures in place I cannot support this system. In this instance I feel that the risk to society (the loss of holding the Government to account) outweighs the benefits of a security system that is only moderately effective and can instead be implemented through off-the-shelf solutions at the home level.