The vendor supplying internet filtering software to the NZ Department of Internal Affairs says Australian ISPs and civil liberties lobbies are overstating the likely impact of filtering on the efficiency of website access, in response to plans by the Australian Federal government to trial ISP-based filtering.
Auckland's Watchdog International is working with some of the Australian ISPs who have applied to participate in the trial.
A modern filter need have no detectable effect on the passage of ordinary traffic, says Watchdog managing director Peter Mancer. The compulsory filtering being considered by the Australian government will relate to only a very small number of sites (in the thousands). Requests including the IP addresses of such sites are diverted into a special stream by the Border Gateway Protocol -- the same process used to decide on the most efficient route for ordinary traffic, says Mancer; so there is no overhead.
The few suspect requests are then checked by the filter according to the URL specified.
This overcomes another objection to filtering -- that an innocent site hanging off the same IP address as an illegal one might be erroneously blocked. If the request is for an innocent URL, it is routed back into the ordinary internet fabric, Mancer says. There may, he concedes, be a penalty of "a few microseconds" for checking and passing such innocent packets.
This is the technology used in the Department of Internal Affairs filter, which is being voluntarily operated by some New Zealand ISPs, such as TelstraClear's ClearNet and Paradise (Computerworld November 24). Called the Whitebox, it was devised by Swedish company NetClean.
The Whitebox is being used by large carriers in the backbone, for example Telia Sonera of Sweden, which serves around 50 ISPs in 14 countries, Mancer says.
Watchdog is the Asia-Pacific distributor for Whitebox, and claims specific expertise in the policing of illegal online content. "You have to know how to deal with governments and NGOs [non-governmental organisations such as the anti-child-abuse body ECPAT]," says Mancer.
Filtering the wider range of sites such as those featuring legal pornography, which the Australian government wishes to allow for those users who opt in, requires a different technique, Mancer says. Here the main data stream is not interfered with at all, instead, requests are mirrored and copies inspected offline. If a request comes from a user not allowed access to that site, the filter sends a block-page to the browser, which terminates that browsing session.
Watchdog is the Australasian agent for a version of this technology from 8e6, newly merged with Marshal (Computerworld, November 10).
A technical specialist with Electronic Frontiers Australia, lobbying against the filter plan, says even the Whitebox technique imposes some penalty, particularly for users of innocent sites that have to be checked because they share an IP address with a site on the blacklist.
EFA members expressed various views on the extent of this overhead.
The 8e6 mirroring solution "takes phenomenal amounts of processing power to do properly" the original source says, conceding that he will have to do "further checking to see exactly how they [8e6] do it".
Previous Australian laboratory trials used older styles of filtering and resulted in large reported effects on efficiency, Mancer says. They have never looked at the Whitebox technology, he says. The government has "confused the issue somewhat" and must share the blame for the misleading impression created.
The trials were secretive and the providers not named, but documents say "pass by" as well as "pass through" filtering was tested. "Pass by" is a synonym for the 8e6 mirroring technique, and this still gave poor results, EFA sources suggest.
The use of proxies is a problem, Mancer acknowledges, since the first routing step will be only to the innocent address of the proxy. Access to the offending site is done by that proxy or even by one several steps down a chain. However, software is being developed that will recognise suspicious "proxying patterns", he says, a similar technique to that malware detectors use to police suspect program behaviour.
In a controlled environment such as a school or place of work, the filter could simply block requests to known anonymous proxies, except for users who have a legitimate reason for using them, Mancer says.
Watchdog has arrangements with "about 10" Australian ISPs to support their proposed participation in the trial, he says.
The deadline for expressions of interest in participating was last Monday. The trial is expected to start before the end of the year.