--- Date: Thu, 5 Jun 2003 00:45:05 +0200 Subject: Internt-Filtering / DNS-Tampering at ISP level in germany From: Maximillian Dornseif <mdat_private> To: politechat_private I have recently put a paper (preprint) titled "Government mandated blocking of foreign Web content" online at http://md.hudora.de/publications/#blocking Germany puts an new flavor in the Internet filtering cocktail. Blocking of foreign Web content by Internet access providers has been a hot topic for the last 18 months in Germany. Since fall 2001 the state of North-Rhine-Westphalia (NRW) very actively tried to mandate such filtering. They prefer using the DNS to suppress content. Ever wondered how to use DNS for filtering Web content? You can't - at least if you care about the rest of the Internet. I have analyzed the technical aspects of Internet filtering at ISP level and how the german blocking order stands up to technical realities. I also surveyed how DNS blocking is actually implemented by various providers finding no provider actually complying with the blocking order while being grossly underprotective, overrestrictive and intrusive to privacy at most times. Some ISPs were even actively redirecting email to their own servers. Empirical results include: * Keeping email usable seems to be no issue to most providers. All providers block at least some email via MX record manipulations. A single provider has tried to reduce email blocking by not tampering with DNS MX resource records, but failed in this effort. All other seemingly didn't even try to keep email from being affected. * Privacy of users trying to access the blocked pages seems to be no issue to most providers. One provider is even using - possibly by accident - cookies, two providers reroute email to their own systems, 10 providers return DNS A resource records at machines located at other providers allowing third-party logging, 12 providers allow third parties to monitor redirects leading to them, where in two cases the third party is the district government itself. * Informing users of what actually is happening seems of no priority. Web accesses to blocked content results at 11 providers always in confusing errors and at all other providers at least in some cases in confusing errors. * Configuration of DNS-tampering seems to be difficult. At least 30% of the providers have created major misconfigurations besides being overrestrictive or underprotective. * Sites not directly mentioned in the blocking order and run by different persons than the sites which were mandated to be blocked where substantially hit by erroneous blocking. http://kids.stormfront.org/ is blocked by 58% of the surveyed providers. http://www.rotten.com/, which the district government in 2001 briefly considered to be blocked, is blocked by 11% of the providers. * Compliance with the blocking orders seems to be next to impossible. Even when stretching the legal principles to the maximum and interpreting the blocking orders in the broadest possible way, only 55% of the providers comply with them. Interpreting the blocking orders more reasonable in a way that they try to protect non-Web communication from being blocked, we see no single provider complying. With this interpretation 45% underprotective and overrestrictive at the same time while the remaining 55% are "only" overrestrictive. This results are mainly what one would expect after having seen research on filtering in US libraries. The difference here is that filtering is applied not at single PCs but statewide at ISP level. More detail in the 32-page report at http://md.hudora.de/publications/200306-gi-blocking/200306-gi-blocking.pdf ----- End forwarded message ----- ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. ------------------------------------------------------------------------- To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ Like Politech? Make a donation here: http://www.politechbot.com/donate/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 00:39:25 PDT