Politech mailing list archives

Previous By Date Next
Previous By Thread Next

FC: Report from Germany on gov't-mandated blocking of overseas sites

From: Declan McCullagh <declan () well com>
Date: Thu, 5 Jun 2003 01:15:38 -0400

---

Date: Thu, 5 Jun 2003 00:45:05 +0200
Subject: Internt-Filtering / DNS-Tampering at ISP level in germany
From: Maximillian Dornseif <md () hudora de>
To: politech () politechbot com

I have recently put a paper (preprint) titled "Government mandated  
blocking of foreign Web content" online at  
http://md.hudora.de/publications/#blocking

Germany puts an new flavor in the Internet filtering cocktail. Blocking  
of foreign Web content by       Internet access providers has been a  
hot topic for the last 18 months in Germany. Since fall 2001 the state  
of North-Rhine-Westphalia (NRW) very actively tried to mandate such  
filtering. They prefer using the DNS to suppress content. Ever wondered  
how to use DNS for filtering Web content? You can't - at least if you  
care about the rest of the Internet.

I have analyzed the  technical aspects of Internet filtering at ISP  
level and how the german blocking order stands up to technical  
realities.

I also surveyed how DNS blocking is actually implemented by various  
providers finding no provider actually complying with the blocking  
order while being grossly underprotective, overrestrictive and  
intrusive to privacy at most times. Some ISPs were even actively  
redirecting email to their own servers. Empirical results include:

* Keeping email usable seems to be no issue to most providers. All  
providers block at   least some email via MX record manipulations.  A  
single provider has tried to reduce email  blocking by not tampering  
with DNS MX resource records, but failed in this effort. All other  
seemingly didn't even try to keep email   from being affected.

* Privacy of users trying to access the blocked pages seems to be   no  
issue to most providers. One provider is even using - possibly by    
accident - cookies, two providers reroute email to their own   systems,  
10 providers return DNS A resource records at machines   located at  
other providers allowing third-party logging, 12 providers allow third  
parties to monitor redirects leading to them, where in two cases the  
third  party is the district government itself.

* Informing users of what actually is happening seems of no  priority.  
Web accesses to blocked content results at 11 providers  always in  
confusing errors and at all other providers at least in  some cases in  
confusing errors.

* Configuration of DNS-tampering seems to be difficult. At least   30%  
of the providers have created major misconfigurations besides   being  
overrestrictive or underprotective.

* Sites not directly mentioned in the blocking order and run by   
different persons than the sites which were mandated to be blocked    
where substantially hit by erroneous blocking.  
http://kids.stormfront.org/ is blocked by 58% of the surveyed    
providers. http://www.rotten.com/, which the district   government in  
2001 briefly considered to be blocked, is blocked by  11% of the  
providers.

* Compliance with the blocking orders seems to be next to   impossible.  
  Even when   stretching the legal principles to the maximum and  
interpreting the   blocking orders in   the broadest possible way, only  
55% of the providers comply with  them. Interpreting the blocking  
orders more reasonable   in a way that they try to protect non-Web  
communication from being   blocked, we see no single provider  
complying. With this interpretation 45%   underprotective and  
overrestrictive at the same time while the   remaining 55% are "only"  
overrestrictive.

This results are mainly what one would expect after having seen  
research on filtering in US libraries. The difference here is that  
filtering is applied not at single PCs but statewide at ISP level.

More detail in the 32-page report at  
http://md.hudora.de/publications/200306-gi-blocking/200306-gi-blocking.pdf



----- End forwarded message -----



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: