[Reblogged from the new website MediaLaws.eu, where I will be contributing updates from Ireland.]
One of the most important developments for freedom of expression online has been the growth of internet filtering systems, which have rapidly been adopted by national governments as the “solution” to various forms of internet wrongdoing. Ireland is no exception to this trend, and last month it was revealed that the Garda Síochána (the national police force) is now attempting to introduce a system whereby ISPs would block access to websites alleged to host child abuse images.
It is somewhat ironic that this news becomes public just as both Germany and the Netherlands have decided to abandon similar systems, having found that they are ineffective as a means of tackling child abuse images. Even leaving aside considerations of effectiveness, however, the proposed Irish system still presents a number of significant concerns.
A fundamental principle under Article 10 of the European Convention on Human Rights is that measures which have the effect of restricting freedom of expression must be “prescribed by law”. In this case, however, the Irish system would not have any legal basis whatsoever, much less any judicial oversight or control. Instead, it would involve the police in telling ISPs what domains to block on a “self-regulatory” basis. Consequently, it would seem on the face of it that the proposed system would violate Article 10. The European Commission recently reached the same conclusion about self-regulatory blocking systems (p.30) as did a government study which was decisive in causing the Dutch blocking system to be abandoned.
A further problem relates to the secret manner in which the government and the police have attempted to introduce this system. There has been no public consultation or debate of any kind regarding blocking – instead, information has only dripped out in response to freedom of information requests and leaks from ISPs. This is particularly worrying given that (as Lessig points out) internet filtering is an inherently opaque process, which is prone to operating in an unaccountable way and to being extended beyond its original purposes. In the Irish context, the secrecy surrounding the introduction of filtering doesn’t bode well for the future.
The nature of the proposed blocking is also worrying. What Irish police have suggested is based on the CIRCAMP model, which attempts to block material by using DNS tampering. In short, the police would notify ISPs to block http://example.com or http://subdomain.example.com and the ISP would then configure their DNS servers to redirect all attempts to visit any material hosted on those (sub)domains. The effect would be massive overblocking, where users would be unable to visit any page hosted on a particular domain, irrespective of whether it had any connection whatsoever with the blocked material. Last February, a similar approach in the United States saw over 84,000 innocent websites being wrongfully blocked, and there is no reason to think that the Irish approach would be any more precise.
Finally, one particularly unusual aspect of the proposals is the way in which police seek to introduce monitoring of users. According to the proposals, where a user attempts to view a blocked domain name, police would “obtain details of other websites visited by the user, along with other technical details, in order that [they] can identify any new websites that require blocking”. This in effect seeks the full browsing history of users – whether or not there has been any attempt on their part to view child pornography! (Bearing in mind that DNS tampering results in massive overblocking, it is quite likely that a user may have their browsing history disclosed due to an attempt to visit http://example.com/innocent_content when the entirety of example.com has been blocked due to a single image or page elsewhere in the site.) This raises fundamental privacy and data protection concerns, particularly given that a user can often be identified by viewing their browsing history (e.g.), and has therefore been referred to the Data Protection Commissioner for investigation.
Given these problems, it must be hoped that these proposals are abandoned. But quite apart from these particular proposals, it is now also time to look at the other systems of internet filtering in Ireland that have developed on an ad hoc basis. In particular, Irish mobile phone companies have been engaged in self-regulatory blocking for some time (1|2), in a manner which often affects innocent users due to crude DNS systems. Similarly, the largest Irish broadband provider Eircom recently settled an action brought by the music industry by (amongst other things) agreeing to block access to The Pirate Bay and “related domain names”. These systems have developed without any real public scrutiny or oversight and it is time to consider the effect which they have on users, whether they are subject to adequate transparency and oversight mechanisms and whether or not they are effective at achieving their goals.
One of the most important developments for freedom of expression online has been the growth of internet filtering systems, which have rapidly been adopted by national governments as the “solution” to various forms of internet wrongdoing. Ireland is no exception to this trend, and last month it was revealed that the Garda Síochána (the national police force) is now attempting to introduce a system whereby ISPs would block access to websites alleged to host child abuse images.
It is somewhat ironic that this news becomes public just as both Germany and the Netherlands have decided to abandon similar systems, having found that they are ineffective as a means of tackling child abuse images. Even leaving aside considerations of effectiveness, however, the proposed Irish system still presents a number of significant concerns.
A fundamental principle under Article 10 of the European Convention on Human Rights is that measures which have the effect of restricting freedom of expression must be “prescribed by law”. In this case, however, the Irish system would not have any legal basis whatsoever, much less any judicial oversight or control. Instead, it would involve the police in telling ISPs what domains to block on a “self-regulatory” basis. Consequently, it would seem on the face of it that the proposed system would violate Article 10. The European Commission recently reached the same conclusion about self-regulatory blocking systems (p.30) as did a government study which was decisive in causing the Dutch blocking system to be abandoned.
A further problem relates to the secret manner in which the government and the police have attempted to introduce this system. There has been no public consultation or debate of any kind regarding blocking – instead, information has only dripped out in response to freedom of information requests and leaks from ISPs. This is particularly worrying given that (as Lessig points out) internet filtering is an inherently opaque process, which is prone to operating in an unaccountable way and to being extended beyond its original purposes. In the Irish context, the secrecy surrounding the introduction of filtering doesn’t bode well for the future.
The nature of the proposed blocking is also worrying. What Irish police have suggested is based on the CIRCAMP model, which attempts to block material by using DNS tampering. In short, the police would notify ISPs to block http://example.com or http://subdomain.example.com and the ISP would then configure their DNS servers to redirect all attempts to visit any material hosted on those (sub)domains. The effect would be massive overblocking, where users would be unable to visit any page hosted on a particular domain, irrespective of whether it had any connection whatsoever with the blocked material. Last February, a similar approach in the United States saw over 84,000 innocent websites being wrongfully blocked, and there is no reason to think that the Irish approach would be any more precise.
Finally, one particularly unusual aspect of the proposals is the way in which police seek to introduce monitoring of users. According to the proposals, where a user attempts to view a blocked domain name, police would “obtain details of other websites visited by the user, along with other technical details, in order that [they] can identify any new websites that require blocking”. This in effect seeks the full browsing history of users – whether or not there has been any attempt on their part to view child pornography! (Bearing in mind that DNS tampering results in massive overblocking, it is quite likely that a user may have their browsing history disclosed due to an attempt to visit http://example.com/innocent_content when the entirety of example.com has been blocked due to a single image or page elsewhere in the site.) This raises fundamental privacy and data protection concerns, particularly given that a user can often be identified by viewing their browsing history (e.g.), and has therefore been referred to the Data Protection Commissioner for investigation.
Given these problems, it must be hoped that these proposals are abandoned. But quite apart from these particular proposals, it is now also time to look at the other systems of internet filtering in Ireland that have developed on an ad hoc basis. In particular, Irish mobile phone companies have been engaged in self-regulatory blocking for some time (1|2), in a manner which often affects innocent users due to crude DNS systems. Similarly, the largest Irish broadband provider Eircom recently settled an action brought by the music industry by (amongst other things) agreeing to block access to The Pirate Bay and “related domain names”. These systems have developed without any real public scrutiny or oversight and it is time to consider the effect which they have on users, whether they are subject to adequate transparency and oversight mechanisms and whether or not they are effective at achieving their goals.