This morning the UK High Court granted an injunction to a group of movie companies which is intended to force BT to block access to “newzbin 2” by their Internet customers. The “newzbin 2” site provides an easy way to search for and download metadata files that can be used to automate the downloading of feature films (TV shows, albums etc) from Usenet servers. ie it’s all about trying to prevent people from obtaining content without paying for a legitimate copy (so called “piracy“).
The judgment is long and spends a lot of time (naturally) on legal matters, but there is some technical discussion — which is correct so far as it goes (though describing redirection of traffic based on port number inspection as “DPI” seems to me to stretch the jargon).
But what does the injunction require of BT? According to the judgment BT must apply “IP address blocking in respect of each and every IP address [of newzbin.com]” and “DPI based blocking utilising at least summary analysis in respect of each and every URL available at the said website and its domains and sub domains“. BT is then told that the injunction is “complied with if the Respondent uses the system known as Cleanfeed“.
There is almost nothing about the design of Cleanfeed in the judgment, but I wrote a detailed account of how it works in a 2005 paper (a slightly extended version of which appears as Chapter 7 of my 2005 PhD thesis). Essentially it is a 2-stage system, the routing system redirects port 80 (HTTP) traffic for relevant IP addresses to a proxy machine — and that proxy prevents access to particular URLs.
So if BT just use Cleanfeed (as the injunction indicates) they will resolve newzbin.com (and www.newzbin.com) which are currently both on 85.112.165.75, and they will then filter access to http://www.newzbin.com/, http://newzbin.com and http://85.112.165.75. It will be interesting to experiment to determine how good their pattern matching is on the proxy (currently Cleanfeed is only used for child sexual abuse image websites, so experiments currently pose a significant risk of lawbreaking).
It will also be interesting to see whether BT actually use Cleanfeed or if they just ‘blackhole’ all access to 85.112.165.75. The quickest way to determine this (once the block is rolled out) will be to see whether or not https://newzbin.com works or not. If it does work then BT will have obeyed the injunction but the block will be trivial to evade (add a “s” to the URL). If it does not work then BT will not be using Cleanfeed to do the blocking!
BT users will still of course be able to access Newzbin (though perhaps not by using https), but depending on the exact mechanisms which BT roll out it may be a little less convenient. The simplest method (but not the cheapest) will be to purchase a VPN service — which will tunnel traffic via a remote site (and access from there won’t be blocked). Doubtless some enterprising vendors will be looking to bundle a VPN with a Newzbin subscription and an account on a Usenet server.
The use of VPNs seems to have been discussed in court, along with other evasion techniques (such as using web and SOCKS proxies), but the judgment says “It is common ground that, if the order were to be implemented by BT, it would be possible for BT subscribers to circumvent the blocking required by the order. Indeed, the evidence shows the operators of Newzbin2 have already made plans to assist users to circumvent such blocking. There are at least two, and possibly more, technical measures which users could adopt to achieve this. It is common ground that it is neither necessary nor appropriate for me to describe those measures in this judgment, and accordingly I shall not do so.”
There’s also a whole heap of things that Newzbin could do to disrupt the filtering or just to make their site too mobile to be effectively blocked. I describe some of the possibilities in my 2005 academic work, and there are doubtless many more. Too many people consider the Internet to be a static system which looks the same from everywhere to everyone — that’s just not the case, so blocking systems that take this as a given (“web sites have a single IP address that everyone uses”) will be ineffective.
But this is all moot so far as the High Court is concerned. The bottom line within the judgment is that they don’t actually care if the blocking works or not! At paragraph #198 the judge writes “I agree with counsel for the Studios that the order would be justified even if it only prevented access to Newzbin2 by a minority of users“. Since this case was about preventing economic damage to the movie studios, I doubt that they will be so sanguine if it is widely understood how to evade the block — but the exact details of that will have to wait until BT have complied with their new obligations.
What happens when a site like this uses a CDN? You can’t simply block a CDN’s IP without disrupting all the other traffic.
From a legal point-of-view, what happens if NewsBinz simply disbands, registers a new domain name, and switches IP. Does the injunction still apply?
Can CleanFeed keep up with DNS propogations?
I just can’t see how this can work from any practical standpoint.
In the thesis you wrote “If Clean-Feed is used in the future to block other material, which may be distasteful but is legal to view, then there will be no bar to anyone assessing its effectiveness.”
Can we expect such an assessment to be forthcoming?
“and its domains and subdomains”, eh?
lulz.newzbin.com. IN CNAME http://www.google.com.
Hilarity ensues.
Hi Richard
We read, with great interest, your papers on the theory of Cleanfeed and combined with our own research we are doing practical research into the implications. The result will be revealed after October when the injunction kicks in.
We agree there are apparent weakpoints in the system and we do like @Jon’s lulz suggestion as well.
p.s.do you do technical consulting 😉
Regards
Mr White
Newzbin2
I’m curious about the scalability of the Cleanfeed system, if it is going to be used for this new application. I assuming that once the precedent is set we will see more court orders granted to block content for a variety of rasons.
In terms of scalability, I guess there could be issues with the number of IP addresses that need to be redirected at the first stage, the volume of traffic redirected to the web proxy and the number of URL patterns that need to be matched in the proxy. I assume the trafic volume will be the limiting factor. Can anyone comment?
@Andrew Yes there are limits to Cleanfeed’s scalability, and BT raised this in court. The judges view was that this might be an issue for people considering future injunctions buit not a bar to issuing the present one.
As to traffic volumes, I understand that the first implementation of Cleanfeed struggled and it had to be souped up before URLs from GeoCities could be handled — but that was done. However, all of this was a long time ago, so I doubt that anyone outside of BT’s engineering team could guess at current traffic limits.
Does cleanfeed also filter ipv6? If not, just get yourself a v6 tunnel and you’re set. (Assuming newzbin2 can get themselves some v6 connectivitiy.
The problem with this is that starting arms races never ends well, especially when they’re asymmetric. While the people who are on the receiving end of the ban-hammer only need to find one circumvention that works and aren’t overly bothered about the collateral damage, the people wielding the ban hammer have to both prevent every circumvention and avoid too much collateral damage in the process.
Newsbin’s activities are either legal or not criminally illegal in many jurisdictions. Their activities are also popular, or at least tolerated, by a wide range of Internet users. This is unlike child pornography is almost every way: that is pretty much universally illegal and does not enjoy widespread public support. Even when blocking of child porn overreaches itself (l’affaire Virgin Killer) few people draw the conclusion that the process itself is unworkable and unwelcome. ISPs probably get more popular support for running Cleanfeed than they do condemnation. But in this case, there’s no widespread abhorrence of the “problem” and therefore the slightest whiff of over-blocking is going to be very unpopular, and the ISPs will get almost no popular credit for doing the blocking in the first place. There’s no public outcry in favour of banning Newsbin; there is a lot of public outcry about child pornography.
Moreover, the drivers are different. Cleanfeed was never marketed as something to completely stop nasty people getting access to nasty things; or at least, if it was, no-one “in the trade” of either ISPs or child protection seriously believed it. In as much as Cleanfeed has a point, it’s there to remove the “inadvertent access” defence: one effect of it is to mean that someone found in possession of child pornography who argues “I was accessing legal adult porn and was surprised to see…” has a weaker case than they otherwise would. Or, alternatively, Cleanfeed means that people who do want to access child pornography have to use circumvention techniques which would themselves be circumstantial evidence of intent, or at least a trigger for other forms of investigation.
But here, the media companies want a hard block. The police aren’t going to investigate downloaders, nor are downloaders going to end up in criminal courts, not are investigations of downloading going to have the resources of the TAC or similar to analyse intercepted data, even if they could intercept data legally, which they can’t. This isn’t about removing the ability to claim you didn’t realise it wasn’t legal, it’s about attempting to actually stop people who are willing to use circumvention techniques. And as those techniques are going to involve encryption via public VPN services, it isn’t going to end well.
Why stop at one CNAME
lulz2.newzbin.com. IN CNAME http://www.bbc.co.uk.
lulz3.newzbin.com. IN CNAME http://www.microsoft.com.
lulz4.newzbin.com. IN CNAME http://www.facebook.com.
lulz5.newzbin.com. IN CNAME http://www.youtube.com.
etc
*and* add v6
Why not use DNAME:
root.newzbin.com. IN DNAME .
That would result in all traffic having to go via cleanfeed…
@anonymouse: Yes, obviously.
@cwd24: That almost certainly would not work. There’s a tiny possibility it might cause some temporary problems if it triggered a bug in the CleanFeed back-end though I suppose.
*please* stop putting http:// in your CNAME people.
We’re not, the blog software on this site is mangling what we enter.
‘describing redirection of traffic based on port number inspection as “DPI” seems to me to stretch the jargon’
Not just stretching the jargon — I’m pretty sure the “D” in “DPI”, Deep Packet Inspection, was as a contrast to the “shallow inspection” of examining the TCP and IP headers alone. So basing decision on TCP ports alone is fundamentally not DPI, I’d guess. But I guess that’s what happens to technical details in a court of law 😉
@ Justin Mason,
“But I guess that’s what happens to technical details in a court of law”
Sadly yes “m’learned friends” are very similar to the stories you hear about absent minded professors.
That is they spend way to much time living in their chosen environment (involving the “making a lot of people unhappy by the shuffling of little pieces of paper…”) and not that of the world even in general.
So we end up with a rather silly game where “expert witnesses” act as “friends of the court” and are “recognised by the court” and thus “should be impartial”, only they are paid for by the contesting parties. Thus you can understand why one expert witness will claim something is not possible and another it is easily done. At the end of the day “m’learned friends” are supposed to select the view of the more credible witness…
But what makes you credible in the judges view point…
People spend a lot of money researching this, which sugests that the whole process is “gameable”…
Next time you see a statue of “justice” note the blind fold which can be taken either way…
http://www.bbc.co.uk/news/technology-14372698
Plans to block websites that host copyright infringing material are to be dumped by the government.
Business secretary Vince Cable announced the change following a review of the policy by telecoms regulator Ofcom.
Website blocking was one of the key provision contained in the Digital Economy Act. …..
Finally got round to reading Richard’s 2005 paper and found the observations around experimentation very interesting.
Although newzbin is (probably) not on the IWF database, It does provide a test site which contains some legal content and therefore could serve as a vehicle to explore and compare and contrast blocking systems such CleanFeed and WebMinder.
Perhaps this is the start of a new (£’s) service that could be provided, in the same vein as virusbtn.com…