Cleanfeed

Cleanfeed (officially the BT Anti-Child-Abuse Initiative[1]) is the web filtering technology introduced by BT in 2004 specifically for blocking access to child abuse images hosted outside of UK jurisdiction.[2] It's existence as a technical solution for web filtering has lead to BT being ordered by the High Court to use it for other purposes.[3] (For more information on the blacklist used by Cleanfeed see Internet Watch Foundation.)

Background

Initially Cleanfeed was created by BT PLC to block only illegal child sexual abuse content, as reported to the Internet Watch Foundation (IWF), as result of pressure from both charitable organisations such as NCH (now Action for Children) and government. At the time of its initial implementation BT Retail's chief executive, Pierre Danon, noted the difficulty of striking a balance between fighting child pornography and maintaining the freedom of information. Martin Bright, writing in The Observer, commented that Cleanfeed's activation was the first example of "mass censorship of the web attempted in a Western democracy"[2][4]. Although the IWF facilitate investigations into various kinds of illegal content (e.g. content that incites racial hatred) the black list used for Cleanfeed contains only URLs of child sexual abuse content[5] - hence when Cleanfeed was initially in use it blocked only such content. The stated purpose of Cleanfeed and the IWF blacklist is to prevent web users accidentally encountering such material, rather than prevent those intent on obtaining such material doing so[6].

Previous governments have made clear their desire for all domestic ISPs to implement Cleanfeed or similar systems[4], however some ISPs have been openly hesitant to implement the system. Concerns expressed have included cost, effectiveness and ethics of web censorship[7][8].

Recently, however, the High Court has ruled that BT must use Cleanfeed to prevent access to the Newzbin 2 website that allegedly provides access to content that infringes copyright[3]. The Judge, Mr Justice Arnold, reasoned that since BT were aware that Newzbin 2 could be used for illegal purposes and that they were aware that their own subscribers used it for those purposes they should block it. BT welcomed the clarity provided by the ruling (having refused to block access to the site without such a ruling [9]) and affirmed that they would continue to require a court ruling before blocking such websites. The Internet Services Providers’ Association (ISPA) criticised the move, likening Cleanfeed to a "small rural road in Scotland" and blocking Newzbin 2 to "shutting down the M1". The Open Rights Group criticised the "dangerous precedent" set by the move (further sites have since been blocked, although not necessarily using Cleanfeed[10]) and the risks to legitimate content[11].

Technology

BT have not released the design of the Cleanfeed system, however it is believed to operate as follows:

Cleanfeed blocks a blacklist of URLs drawn up by the IWF. Typically such systems suffer from overblocking (blocking the whole of https://www.example.com if there is illegal content at https://www.example.com/illegalcontent/illegalcontent.jpg; blocking https://www.sitethatsharesanipaddresswithexample.com; blocking email sent to [email protected] - IP address based blocking) or underblocking (for example blocking only https://www.illegalcontentsite.com but not https://illegalcontentsite.com - DNS based blocking) depending on their implementation. In an attempt to overcome this BT have developed a hybrid system that operates in the following procedure:[1][12]

  • BT customer enters domain name into browser (e.g. www.example.com)
  • Browser retrieves IP address associated with that domain name from a DNS (e.g. 192.0.32.10) that tells it where the website's server is located on the internet
  • If there is blocked content located at https://www.example.com/illegalcontent/illegalcontent.jpg then BT's network will route any traffic to any IP address associated with example.com to a proxy server
  • The proxy server will then determine whether the request is to https://www.example.com/illegalcontent/illegalcontent.jpg or another section of example.com/another site entirely
  • If the request is for the blocked content then the proxy server will return a 404 error page to the customer
  • If the request is not for the blocked content then the proxy server will return the request content

The Cleanfeed system does not log the details of users who attempt to access indecent material[12].

Advantages

  • Cannot be circumvented merely by knowing a sites IP address (unlike DNS based blocking)
  • Less collateral damage - only blocks content that has been explicitly blacklisted and not whole pages/whole sites

Circumvention/Weaknesses

  • Cleanfeed can be easily circumvented by any technique that hides the final destination of your traffic from BT - for example VPNs, proxy servers or the Tor networ].
  • Cleanfeed only blocks traffic that uses port 80. Traffic using other ports is unaffected (so https traffic, for instance, is not filtered)[12].
  • A professional security researcher was able to exploit back doors in the system that allowed him to locate blacklisted sites with an estimated 80% success rate, turning the system into "an index of child pornography"[13]

Criticism

  • Numerous criticisms exists of the way that the IWF operates and compiles the blacklist.
  • The serving of 404 error pages when a site has been blocked has been criticised as dishonest and misleading - users are not made aware of why they are unable to access certain content[14]
    • It should be noted that this goes against the IWF's advice that a "specific splash page" should be displayed[15]
  • Cleanfeed is susceptible to the weaknesses described above
  • The stated purpose of Cleanfeed is not to prevent those determined to obtain such materials from obtaining them, but to prevent innocent individuals accidentally encountering such material[5]. It has been pointed out that accidentally encountering such materials is very rare and something that the vast majority of internet users will never experience - hence Cleanfeed is targeting a non-existent problem[8][7]
  • The remit of such a filter can rapidly increase from images of child sexual abuse to, for instance, material that is deemed to "incite hatred"[8] or infringe copyright[11]

Wikipedia / Scorpions incident

An image of the cover of the 1976 Scorpions album, Virgin Killer, was determined to be illegal content by IWF on 5 December 2008 (despite the album being legally sold for decades). The URL of the Wikipedia article was added to the IWF list, and hence Cleanfeed.[16] The result is that UK traffic for Wikipedia was redirected via the Cleanfeed servers. One impact of this was that all access to Wikipedia from the majority of home internet users in the UK was passed through a small number of proxy servers. As a result, since the site was unable to distinguish users by IP address, UK users were unable to make anonymous modifications to any Wikipedia article.

After reviewing the situation, the IWF removed the listing on 9 December 2008.

Links

References