"I don't want porn coming in to my home"

As you know, I always get very concerned if any customer has a disconnect with what they expect and what we provide. I take it very seriously and always try to improve how we work to avoid it in future. It does not happen often, but we had one today that was, for want of a different word, "special". I initially assumed it was a wind up even!

The gist of it was that there were a list of things that she did not want coming in to her home including porn, suicide, self harm... She was amazed that "the internet" has not taken down such videos. Who? Apparently "blue wale challenge" is real and "every school in the uk has sent a formal email about it to parents and children have been told about it in assemblies" - really?!? Not the schools round here, sorry.

OK, personally, I think that if her kid's school has told kids in assembly not to google for suicide videos, that would be something to complain about as it would be very irresponsible. Tell a kid not to do something, that works every time, duh!

Though, her kids are apparently quite savvy, as her son "innocently googled some games the other day and found a pretty hard core sex games internet site"... Err, OK... Safe search, anyone? Given a later comment I hope this is a son in late teens... If so, I suspect he knows how to "innocently" google many things by now. Time to talk to your kids about what you may find on the internet I think.

OK, lets be a bit fair here. Not everyone knows how to fact check stories. People do need some help understanding how they can filter content, or even just turn on google safe search on the browsers their kids are using! It is actually quite a concern that parents get very little help in this area - it is bad enough learning about everything you need to know when being a parent but for a whole generation, this stuff is new and complicated. It is not something parents could have been taught in school even.

To be clear: we are more than happy to offer advice, and even set alternative DNS servers as default on the router. We're not irresponsible here. What we do is make sure every customer is well aware that they are buying an unfiltered service with an active choice you cannot ignore on the order form, as well as confirmation in the key terms you have to tick, and on our web site and the order confirmation and the information pack we send.

It is also very important that parents understand that no filtering is 100%, so is a "false sense of security" to some extent. It is also the case that a teenage boy (and girl I expect) will be more than capable of bypassing filters if they want to access something. What you need is education and openness, not cotton wool. Else you create innocent blobs that go out on their own in to the wild world of the internet at 18 and don't know how to handle what they find and probably with nobody to talk to.

But the icing on the cake was the last bit...  "My boys play 18 rated pc games...... all killing and horrrible stuff......Hopefully they will still be able to play these games?"

OK, now I am not sure what to say, sorry... Please, just be a parent!

Think of the Children (again)

Once again, the nanny state is on about censoring the internet because "Think of the Children".

See ISP review article (here).

I have said it all before, but it it may be worth explaining a bit about what AAISP do here.

Firstly, all of our customers are adults, we do not sell to minors at all. And all broadband customers have actively selected that they want no filtering. So I suspect we comply with even these latest suggestions.

But there is a lot that our adult customers can do to take responsibility for their children using the Internet. Remember, if you have teenage kids that want to access porn, they will always be able to - it is not clear that there is evidence that this does any harm to be honest, and a solution to any harm (such as skewed ideas on relationships) is better education - talk to your kids, explain that porn is fiction just like thrillers on TV, and sci-fi. Talk to them about relationships.

However, for younger children, every computer system these days provides a range of "parental controls". Indeed, sometimes it is hard to set up a machine with these turned off! Use these tools.

Also, you can set up additional free and even paid for tools if you need - just search for them!

We can also help - we can set the default DNS servers on your broadband to be OpenDNS, which allows you to set up DNS level filtering that will help stop young children stumbling across the more dodgy parts of the Internet. If you are unsure, call us and ask for help (or chat on the web page, or irc, or email, or SMS). The only thing we don't do is filtering in the connection we provide to you.

Ultimately, as our customer, you are in control of your computers and have access to a range of tools to help.

Child Safety Online

The government has launched a consultation, and anyone can reply, so read it and express your view even if you do not agree with my view.

So where do I stand?

I see porn like any other fiction entertainment, and like any other fiction entertainment there are themes that are clearly unsuitable for young children. We already avoid exposing very young children to extreme violence or themes they are ill equipped to understand.

I fully support helping parents be parents and managing what their children do and access. As an ISP we have many ways to help with that.

As people get older they can handle such fiction and recognise it as the fiction it is and an escape from reality that we all enjoy. Watching porn is not really any different from watching any other fantasy fiction entertainment.

The problem with society is that unlike most other things - like violence or science fiction - we cannot easily see what is the normal case for things like sex and relationships because of the massive social taboo that surrounds the topic. This is the problem.

People can see that it is not socially acceptable to go all Die Hard and shoot everyone, or even to beam up to a space ship. They cannot easily see it is not right to abuse a woman in private because the private relationships are hidden away. We need more education to explain what is good and bad in such relationships that teenagers can understand. Once we do that, they can understand porn as fiction as much as Die Hard for Star trek. [I am waiting for someone to tell me "Die Hard" is actually a very dodgy porn movie].

To be honest, we already expose children to some seriously screwed up influences from religion with no age verification at all - judgemental sky fairies, talking snakes, rules on keeping slaves, boats that can carry every species after a genocide, stoning, and revering a roman torture and execution device as a jewellery! Some of the shit kids are exposed to is just not right and really should be reserved for when they are 18 and able make their own choice. If your religion only works if you get hold of them young you are pretty insecure, in my opinion.

Thankfully the report seems to cut short of forcing ISPs to filter things - that would be bad for lots of reasons. ISPs are specifically not liable for what they carry for the very reason that the Internet would not exists if they were. We enjoy the benefits of the Internet (and the downsides) because of that mere conduit protection. Take it away and it all falls apart. ISPs could not actually filter any content 100%, and even if 1% then 100% of people can search for the way to use that 1% loophole. It is futile. If ISPs were liable the insurance costs for that passed on to customers would make the Internet unviable.

So let's not try and bottle porn up and censor it - let's make education work and ensure children can cope with what is out there, like the rest of life. The porn industry should be, and is, regulated in most countries to ensure people are paid and not exploited. People may enjoy the fiction entertainment and still be normal in real life, whether watching porn or the X-files.

So, that is my view... comments?

This is basically my reply, which I will be submitting.

Question 1: In your opinion, should age verification controls be placed on all forms of legal pornography (‘sex works’) online that would receive a British Board of Film Classification rating of 18 or R18?

My issue here is that a lot of porn sites are well outside UK jurisdiction and so placing such controls is not going to be effective in any way. I suspect most sites charging for porn will be happy with this as the fact they charge means they have an effective age verification by the fact they want a credit card. So the sites you can make comply already do, and the sites that do not will ignore UK law, so why the hell are we discussing this?

Question 2: Do you think age verification controls should be placed on sites containing still as well as moving images of pornography?

I don't see much difference - porn comes in all sorts - stills and videos.

Question 3: To what extent do you agree with the introduction of a new law to require age verification for online pornographic content available in the UK?

Again, this is not about the UK - most sites are not UK - I have no problem with UK hosted sites having age verification, apart from the commercial disadvantage they will face, but that cannot have realistic impact on non UK sites.

Question 4: If age verification controls are to be required on pornographic websites, how do you think they should work (select all that apply, and please suggest other ideas that you may have).

I do not think there is actually any way to do this - whatever you do a teenager can mimic what an adult did or does, even borrowing their credit card. Nothing will work against an adolescent boy that wants to access porn, sorry. And if they VPN or Tor to an non UK IP, the verification will vanish as UK specific.

Question 5: Do you agree that a regulator should have the power to direct payment and other ancillary services to remove their services from non- compliant websites? Please give reasons.

You could, but that simple means kids will access the thousands of free (paid by adverts) sites instead and not actually help matters at all.

Question 6: Do you have any suggestions for other actions that could be taken to ensure that commercial providers of online pornography comply with the new law? Please give details.

No - everyone outside the UK is not subject to UK law, sorry.

Question 7: Do you think that the regulator should have the power to direct parent and umbrella companies of pornographic websites to comply

No - as such company structures can be re-engineered at a whim and any law that worked would immediately be worked around. That is assuming any of the parties are subject to UK law.

Question 8: Do you agree with the introduction of a civil regime to regulate pornography websites? Please explain your answer.

No - would only work on UK providers - so actually putting UK at a commercial disadvantage and not actually addressing the perceived problem at all.

Question 9: Would the introduction of a new criminal offence be a better form of regulation?

No - would only work on UK providers - so actually putting UK at a commercial disadvantage and not actually addressing the perceived problem at all.

Question 10: To what extent do you agree with the introduction of a new regulatory framework?

Disagree - see top of this blog post. Not the way to solve the problem, if there is one.

Question 11: Should a new framework give powers to a regulator/ regulators to (select all that apply):

Powers only work in UK, so no.

Question 12: Do you think that a co-regulatory approach involving more than one regulator would be appropriate in this context?

Can't see how that helps.

Question 13: Do you agree that the regulator’s approach should focus on having the greatest proportional impact, for instance by looking at the most popular sites, or those most visited by children in the UK?

Again, such sites will be outside UK - so outside jurisdiction.

Question 14: Wherever new regulation is proposed, the Government must consider impacts on smaller and micro-sized businesses (those with fewer than 50 employees) based in the UK, and whether these impacts are proportionate. Should smaller and micro-sized businesses (such as some payments and ancillary services) be exempt from the scope of the policy?

Puzzled by this - why would size of operation change anything? If harm is done, the need exists, if not, then it does not. How is size of company even a consideration?

Question 15: Overall, are you broadly in favour of the proposals set out in the consultation?

No - see top of blog post.

Question 16: How effective do you think the Government’s preferred approach would be in preventing children from accessing online pornography?

Zero - actually negative - there is possible impact on payment providers and advertisers and UK porn industry that would have to comply when competing overseas providers would not have to. The end result being no help to kids in the UK but harm to some UK industries.

Seriously, censorship of communications is bad

Once again Cameron is meddling. See wired article. The EU have started "Net neutrality" which is designed to ensure that communications is "clean", and does not have interference from commercial or other interests to block or slow or preferentially treat some communications over others. This is important to ensure communications systems continue to provide the invaluable framework for business and personal communications to grow and boost the economy.

The problem is that ISPs filtering porn (apart from the logistic and technical impossibility of doing such a thing) is that it goes against net neutrality. It is ISPs specifically blocking some traffic - and not even illegal traffic at that.

I have to admit I am at a total loss as to why the government have latched on to "porn" as the target here. It is a legitimate and legal industry, but just something that our social taboos mean we try not to discuss. I can only assume that the government have latched on to it, not because they think that actually a lot of people are against "porn" but because a lot of people will say they are against it, or agree with such policies because of such social taboos.

The whole "think of the children" angle is just designed to try and get the popular and vocal support of parents, grandparents, and well, anybody who quite sensibly has concerns over children. I have five kids and two grandsons now, but I think this is crazy. The whole thing is the very definition of "nanny state".

Young kids have no interest in porn, and it is a good idea to try and ensure they do not accidentally find porn - this is a simple task for parents to do these days with operating systems including various parental controls in the control of the parents. Search engines have the same with "safe search" settings. There are also simple streps at network level such as controlling DNS and using free services like openDNS to control some access. Of course, actually supervising kids is another good idea!

None of this will stop someone who actually wants to access porn - all such systems are trivial to bypass. I would have to include adolescent children in that. Porn has always been available, and I would be shocked if any MP did not access porn before they were 18 (not counting dead pigs).

The side effect of trying to ensure all ISPs filter porn, or at least have the large scale systems to filter porn by default, is that it allows more and more to be censored, and not just porn. The list of sites that are blocked will not be managed by ISPs themselves in most cases as it is a massive task - porn is a legal and well funded industry (that has no interest in kids accessing porn anyway) so they can easily ensure they stay ahead of filters. This means you have a handful of companies in control of the censorship that applies to most Internet connections - companies that the government can pressure to include sites they do not like, and "wrong thinking".

We already see massive blurring of "extremism" and "freedom of belief" and "freedom of expression". No matter how crazy people may be, they have a right to their religious beliefs and freedom to express that. You need that freedom in any democratic society.

Even so, with all his meddling, I seriously doubt that we (A&A) will not be able to offer an unfiltered service. Every bill Baroness Howe has tried to introduce has so far had no impact on us, and with which we already comply. We offer a choice, but we simply refuse to provide service to anyone asking for filtering. Simples.

Internet and law

Times are changing, and the governments of the world are trying very hard to keep up. There are consultations on this at an EU level, and the UK is considering the "snooper's charter". Legislation is being considered that would impact everyone.

This blog post is my thoughts on the matter, and I hope a good start to some debate. As an ISP, I am, of course, somewhat biased - but I am also an Internet user, and a parent, and someone that has had computers nicked and needed police to trace an IP address.

Summary

• Physical infrastructure (ducts, mast owners) should be provided and managed independently to competing CPs (Communications Providers)
• CPs paying a fair price for access (e.g. non-profit running it) and no "fibre tax"
• CPs should have no responsibility for the content of communications ("mere conduit")
• This ensures CPs can continue to innovate and develop services
• CPs should not be expected to block traffic
• This avoids unnecessary technical and commercial impact on CPs
• Encryption and Tor and VPNs and proxies make such measures pointless
• CPs should not be expected to look in to the content of communications
• This avoids unnecessary technical and commercial impact on CPs
• Encryption means that CPs cannot do so anyway
• CPs are expected to assist authorities with criminal investigations
• This must be specific and targeted investigation with formal process and oversight
• CPs should not be expected to collect data or monitor users generally
• CPs should be paid for costs involved in assisting authorities
• Basic processes such as finding billing address from IP should be more streamlined!
• There should be transparency - advising subjects of requests once no longer suspect
• Encryption should be encouraged not restricted or banned
• Criminals are attaching the virtual world of the Internet and encryption is the protection for privacy and security that is now essential to combat such crime

Layers

One of the first issues which needs considering carefully in any legislation is the way that the government think of "the Internet". Having had an interesting dinner with several MPs (thanks to ISPA) it is clear that MPs see "the Internet industry" as very much one "thing", lumping in everyone from a company putting fibre in the ground to FaceBook as the same "industry".

In actual fact, just like the protocols used in the Internet, there are layers. It is important for legislators to understand this, as the rules have to be different for different layers. If you think about this, it does make sense, and I have included "a company putting fibre in the ground" in the above list deliberately as an example because that is pretty obvious. Putting glass in the ground, and even renting that glass out to companies, is clearly at much the same level as an electrician wiring up a house. They are clearly not responsible for what flashing lights are sent down that glass, and would not have any way to take any responsibility for that. I think even MPs can understand that.

At the other extreme, companies like FaceBook provide a service which "just happens to make use of the Internet as a means of communication". In theory one could operate such a service over the post (did any of you have a pen pal)? The fact that the Internet is use is, of course, important, but the service itself is very much more than simply flashing lights down a bit of glass. FaceBook have contracts with customers (albeit ones where there is no payment in most cases); they manage personal information; they operate in multiple countries and across borders; they have policies on content and police those policies. There are already a whole raft of rules and regulations in many countries that cover a lot of what they do.

Glass

I picked fibre as an example of the lowest level, but there is an even lower level that could be worthy of legislation. It is not legislation concerning snooping, or security, but more one of providing access to the Internet. Governments recognise (thankfully) that the Internet is an invaluable resource within a community, and ensuring good access for all citizens has benefits to the community and the economy as a whole, so should be encouraged.

It seems to me fairly obvious that there needs to be a lowest level of access by way of "ducts" and radio mast sites that take physical space and can be included in designs for new housing developments. These are things that probably do not benefit from competition in their provision at that level - having multiple providers running cables and ducts in the same street is how it was done in the past but it may make sense if ducts and basic roadwork type stuff is handled by someone like the council, or a non-profit responsible for providing access to physical infrastructure to competing telcos.

Internet Protocol

The level above copper and glass is the actual data being sent over those. There are actually two layers here really - the means to send data over the raw infrastructure, and the operation of a network of such infrastructure to provide something like a packet routing system such as Internet Protocol. At present we see companies like BT and TalkTalk operating national infrastructure networks, using Openreach copper pairs, and providing access to end users and connecting that to internet providers.

At the lowest level, the internet provider (ISP) routes packets - simple as that. There are extra services that are essential, like DNS, and then more optional services like email, web sites, and so on.

When it comes to the low level communications itself, such as routing IP packets or telephone calls, I think it is very important to separate the communications system itself from what is being communicated.

We already have this concept in EU, and also in US. In EU it is called "mere conduit", and it means that CPs don't have liability for what is being communicated.

This is not a very new principle - even the postal service has some long standing legal protections in place. The most obvious being that the post office are not responsible for the content of letters, and are not considered to be assisting or aiding and abetting any criminal activity carried out by post, nor even profiting from crime; and, the security and integrity of the post is important and "interfering with the mail" is considered a serious matter. Communications itself needs to be reliable and independent of what is communicated. These protections allow CPs to provide the services cost effectively.

I feel quite strongly that Internet service needs to have these protections, and that even "mere conduit" is not quite far enough. We have to consider slightly more, and this is something the EU is considering now - "Net neutrality" is the term being used. It is important that CPs are not locking horns with "content providers" over access and priority of traffic. This has happened in the US and could lead to some complicated issues which would impact customers. Essentially, it is important that  CPs route traffic fairly, and when there is congestion packets are dropped purely on technical and practical basis and not for political or commercial reasons.

I also consider it important that CPs are not expected to look in to packets for any reason. This is much like "interfering with the post" but it is also down to a simple practical fact of life now - that encryption exists. Whatever the reason a government may want for CPs to look in to the packets is basically going to be thwarted by normal, day to day use, of encryption. It is common now for encryption to be used for web site access, messaging systems, and pretty much anything using the Internet. Even if encryption was somehow banned or crippled, the fact that it exists means that criminals or suspects could use it and be breaking just one more law. There are also many ways to use encryption which would either not be illegal, or not be detectable or provable.

Blocking web sites

Even though there is "mere conduit" there is one catch in the copyright legislation that allows a court to grant an injunction against a communications provide where they are aware of copyright infringement. This has been used to block access to some specific web sites like The Pirate Bay.

Unfortunately this is pretty much totally ineffective. The Pirate Bay have loads of mirrors and proxies and they move all the time. This means ISPs are spending time and effort messing about playing whack-a-mole. Of course VPNs, proxies, Tor and the like means that even if the ISP was actually blocking the site in question reliably, their customers can still easily access it.

After a spate of blocks, The Pirate Bay reported that they had massive increases in traffic - it was publicity! This means that he blocks are not just ineffective, they are counter productive. One court in the EU even reversed an injunction because it was ineffective.

Given that this has been tried and failed, it seems sensible to remove this anomaly from the copyright legislation - to stop ISPs having to waste time on this crap.

Of course, in principle, ISPs could provide blocking services to customers. It is rather concerning that the UK government seem to have pressured many ISPs in to providing some blocking by default for porn sites. We already see over blocking, which could create liability for ISPs and may even be a breach of the Computer Misuse Act. We also see that people now sell USB sticks with pre-installed Tor browsers so that kids can bypass blocks!

Back on the whole net neutrality front, it makes sense that ISPs simply do the job or routing packets, not blocking or prioritising things, just providing the raw communications means. ISPs have enough work doing that without getting bogged down with politics.

Of course, there are things people do using a communications system that are illegal, and they should be held to account for that.

Helping the authorities

Obviously I am keen on legislators not interfering with CPs and I think it is critical to ensuring CPs can provide the innovation, development and investment in providing access to everyone in the best way.

However, CPs are a key factor in helping the authorities investigate crimes. One of the most obvious things that anyone investigating a crime will need is the ability to track where an IP address is being used.

Unfortunately the very nature of Internet Protocol makes that impossible to do reliably. I recall an old cop show on TV and they were thwarted tracking a call to a payphone which had the handset taped to the handset of the adjacent payphone. Whilst that is a tad silly for phones it is actually incredible simple for IP networks, and even normal. IP can be, and is, tunnelled over IP or relayed at higher levels as a proxy. There are systems like Tor that specifically relay connections randomly around the Internet with no record of the real endpoints.

Even so, there is a starting point for authorities if they can quickly locate the installation address (if there is one) for an IP address for a connection. CPs can be an assistance to authorities in this in many cases. However, even with something so seeming simple as this, there is a catch. Carrier Grade NAT and transparent or explicit proxies mean that the IP address seen at the other end on the Internet is of the CGNAT or proxy system and not the end user. It is not necessarily practical for an ISP to have logs of every single connection made via such a system, and even where there are logs you may need millisecond accurate timestamps to track to one installation address. Even when you have an installation address you do not know what user at that address (if the user is there even) applies.

So, yes, CPs need to help the authorities, but there is only so much they can do. We have RIPA with covers this already. What we do not need is forcing CPs to start logging everything that they don't log anyway. This has a technical and commercial cost that CPs do not want, but also a security issue. You potentially start having logs of everyone's "activity" using the Internet - including all of the people that are not criminals and suspects. This is not just an invasion of privacy (which should be protected) but also a target for crime and hacking. Information has value.

One of the other concerns I have is the transparency of these processes. RIPA allows all sorts of "authorities" to request all sorts of information. What seems obvious to me is that this needs oversight, and controls. One simple step is that the subject of any such requests should be notified of the request. This is a problem if they are a suspect in a crime, so some requests have to be kept secret., but even then, once no longer a suspect the subject could then be notified.

Encryption

This is perhaps the elephant in the room. Encryption is not a new concept, but the changes in computer technology over the years have moved the goal posts somewhat. What has changed is that computing power in our hands (quite literally in most cases - mobile phones) is now at a level where encrypted communications can be used completely routinely. It used to be used only in specific cases like on-line banking, but is now used for simple web site access (even the conservative party web site). Once again, this is seen as a threat by the spooks that want to be able to covertly monitor suspects communications.

It is important to realise that there is always "plain text" at each end of the communications, and various ways one can access that if you can compromise one end (either social engineering, infiltrating a criminal organisation, or technical means like key loggers on computers). It is also the case that encryption normally means some degree of verifiable trust and use of keys - and people can be sloppy over encryption keys no matter how good their computers are. So encryption does make some things harder but it does not stop the authorities investigating crimes and suspects.

It is also important to understand that encryption exists. It is not a secret. Most encryption software is free, and so there is no "software company" to go after with legislation. This means that making it illegal (or illegal to use "strong" encryption) does not make it go away. Criminals can use encryption and will just be breaking one more law. It is also possible to use encryption in ways that cannot be proved (designed to provide "deniability") and the software to do that is also free and freely available and not secret.

It is also important to understand that encryption is not "hard". Yes, computers are good at this, and use a lot of processing to do the encryption we use every day, but there are systems you can use to unbreakably encrypt messages that nobody can decode without the right key and yet use pen and paper and dice and nothing more (see my video here). So unless you also ban something as basic as "adding up" you still allow "strong encryption".

Encryption is however important. It is seen by anyone with any technical clue as complete irony for governments to make statements like "In our country, do we want to allow a means of communication between people which […] we cannot read?" yet at the same time as saying encryption is "important to the economy". There is simply no way to make a system which allows only the authorities to read a message, and ensures only criminal's and suspect's messages can be read by the authorities.

Criminals are moving on, even "terrorists". I don't like the use of terrorists and pedophiles in the media and by MPs to justify any legislation like this as they represent a tiny fraction of crime and harm done to the public. I find it ironic that the whole idea of terrorism is to create "terror" and then we make that "terror" ourselves in the way to portray and report terrorists. If we reported every car accident with the same publicity as any terrorist attack then nobody would dare drive again. But yes, if someone is hell bent on causing big scary havoc, they do need a bomb, they can hack in to critical infrastructure or even domestic infrastructure. Things like taking down the power grid are big and scary, but even things like hacking the logistics systems for all of the major super markets could suddenly mean nobody has any food for a few days - now that is a terrorist attack. There are also issues on smaller scales, like hacking in to cars (already been done) - imagine just disabling a small percentage of all of the cars on the M25 all at once so they stop and cannot be moved. All of this is without hacking banks and simply stealing money. These systems are protected by strong encryption, and any steps to weaken that or add back doors for the authorities will make the crimes easier.

So, in short, encryption needs to be encouraged, not banned or crippled.

Debate

Please do comment and discuss. I may have missed something.

Government to abandon all ideas of trying to ban strong encryption

I have tried hard to explain the problem with government plans to interfere with strong encryption.

Sign the petition here.

My son just posted on Facebook to try and explain this as well :-

"You may not understand the implications of the laws they wish to put in place so let me put it this way, it would make whatsapp, snapchat, facebook and even many phones illegal in the UK, so please sign..."

And for the majority of the public this is a good start. Ultimately the existing systems that do whatsapp, iMessage, FaceTime, Snapchat and so on are not compatible with the way the government want things done.

At the end of the day we have to get the government to understand that there is an issue here - that trying to mess with encryption will have serious negative impact on citizens, business, and even government departments. It will create new ways that criminals can impact our lives and new ways to invade privacy.

Criminals wanting to keep secrets still can as the cat is out of the bag - encryption exists, and is easy to access and use. You do not even need a computer!

Sign the petition here.

Baroness Howe at it again

Once again mentioned in The Lords, albeit more indirectly: "One of them even boasted of the fact that it deliberately did not filter". That pretty much has to be us, A&A.

Would she be so condescending to a phone company saying that they do not listen to, and filter, what you say on the phone, I wonder?

Once again, I say to the Baroness here:

1. We already offer our customers an unavoidable choice regarding filtering when ordering.
2. We already confirm customers are over 18, and are happy to link to any freely available external validation system that she wishes to put in place for that.
3. We already provide help and advice for parents wishing to actually be parents and look after their children.

For those that do not know, the choice is like this :-

I have removed the comment about moving to North Korea if you want filtering. At this rate, their ISPs will be suggesting you come to the UK for censorship!

We already (as you see in that image) suggest we can set up alternative DNS (e.g. OpenDNS) that can avoid children accidentally accessing unsavoury parts of the Internet. This is about the best any ISP could actually do as anyone determined to access something can easily bypass the filters any ISPs include.

We also lack the actual evidence that access to porn is harmful anyway. I would be happy to stop my kids (when they were younger) accidentally finding smut on the Internet, but if my son accessed it when he was in his teens, that is not something I could have stopped even if I wanted to, and is there actual evidence that it is a problem? What we need is education so that young adults understand the context of porn - like any fiction on TV depicting unreal scenarios and not "how you do things in a real relationship".

Of course, we also have the fact that such filtering it likely to fall foul of EU wide net neutrality rules that are coming in to place.

We also have the fact that such filters are against mere conduit EU rules, and perhaps even against the Computer Misuse Act.

I assume her Bill will, again, fall flat on its face. If it does not, it seems we will have little problem complying and probably already do.

P.S. Sorry if not obviously, but if you pick the "Censored" option you cannot place your order and the message suggests you choose another ISP. That is a choice anyone can make.

15 minutes of fame is not enough...

I was on Sky News again this morning - I am getting quite good at getting to Millbank studio and back reasonably efficiently now - leaving Bracknell at 9:02 by train and getting back in Bracknell by taxi at 11:59 for my grandson's birthday party.

A woman from IWF was meant to be debating with me, but she insisted on doing her bit first rather than a discussion/debate. I think I managed to get some of the key points over, and as usual I was not going up against the IWF and I agreed with a lot of what she was saying.

The problem is really that you cannot properly discuss and debate these issues in a 5 minute slot - and to be fair a "15 minutes of fame" slot would probably not be a lot more help.

The IWF (Internet Watch Foundation) work to remove child abuse images from the Internet. Much of this is acting on reports and tracking down the hosting company to get the content removed. They are rightly proud at how well this works in the UK, but when the material is hosted outside the UK they have to work with other organisations in other countries. Sadly they are not as efficient or as effective. Obviously I agree that such material should be tracked down and removed (though I don't agree on illegality of cartoons which has led to some silly cases, but that is another debate and I may yet be convinced otherwise).

The point where it gets contentious is where the IWF have a block list and ISPs use this (pay for it) to block access to some web site URLs (specific image files on web sites). It is not that contentious really with the IWF - they have pretty much always said that this block list is to stop people accidentally accessing material which would be illegal to possess. They don't claim that this block list is a tool to stop child abuse or creation or distribution of child abuse images. It stands to reason that blocking one specific unencrypted protocol for access to material which is illegal is not going to help much. Anyone wanting to access such material can no doubt find it by many other means and protocols over the Internet, many of which cannot be tracked or effectively specifically blocked. If the process of removing content is fast and effective then the block list is pointless even to stop accidental access.

The woman from the IWF did not raise the blocking issue specifically, but the interviewer did ask what ISPs can do, and whether we should be doing more. This is where the debate really starts to unravel and go in slightly different directions.

My view is that ISPs as communications providers should not have to concern themselves with what is communicated. This is a long standing principle (mere conduit) where we are not liable for what is communicated. It is not just some handy cop-out but a key factor in ensuring we even have an Internet. If there was liability for content, or a requirement to monitor police communications, it is hard to see how even a phone network, let alone the Internet, would have been commercial viable.

The problem with this view is that it sounds uncaring, understandably. But I also feel that any attempt to force monitoring, policing and filtering on ISPs is the thin end of the wedge. It opens up the possibility of extending beyond the original remit, and we have already seen this happen where copyright related court orders have been effective on ISPs that have the IWF blocking in place. Ultimately this has also led to the filtering and blocking offered by so many ISPs now at the request of the government. If there are not a ISPs like us standing up for the right to work as mere conduit we will wake up and find ourselves in a police state with approved media and content only.

However, there is another argument against filtering this sort of content - and I made that point in the interview - that the technology is changing and encryption is becoming the normal way we communicate on the Internet. This means that it is difficult or impossible to tell what someone is doing when they communicate. Identifying the "server" is not good enough, you need to tell a lot more about what is communicated (e.g. specific web pages on web sites) otherwise you cause all sorts of collateral damage. This is even more the case as servers end up behind NAT and mapping gateways and people make use of content delivery networks, and so on.

This leads the the counter argument (which is where we simply don't have time on such a short slot on TV) that we need to be able to see through encryption. This is where we start on the current government madness of trying to ban [strong] encryption. Well, I have lots to say on that, and much I have already said, but that is for another time.

Maybe some day I'll get a chance to be in a longer debate on the matter.

z226etuo57q9m6brbblz6ztkpea5ct23rmex0vlv3ik*0m3rw

Please do watch the video [here]. Tweet #dontbanprivacy. I may have nothing to hide but I still expect to be allowed a private conversation.

Theresa May has said that there must not be a safe place for terrorists to communicate. David Cameron has gone further and said that we cannot allow any means of communications which cannot be read, [telegraph article] and so presumably means that the 64 million of us in the UK that are not in fact terrorists are not allowed to communicate privately either. Sadly Obama has joined in [here].

I was horrified, really, that our servants, the government, are really saying that we cannot talk privately any more. That is just police state gone mad.

I was also horrified at the heckling and stupid answer that Julian Huppert got when he asked Theresa May about this. It shows that the people in government, who run this country, really have no clue what these statements actually mean.

Obviously, the people I deal with immediately think of how stupid this is in light of the technology we use every day. We understand the usage of encryption (keeping secrets) done by computer systems in our daily lives. Each and every one of us use secret communications that the security services cannot see when we access FaceBook, or Google, or even The Conservative Party Website! We are doing exactly what David Cameron has stated, in no uncertain terms, must not be allowed for any of us (not just terrorists) to do. We also know that any attempts to achieve what they are saying, no matter how stupid, would not actually stop criminals and terrorists. It is like passing a law that says "If you are a terrorist, you must send a copy of all your plans and communications to [email protected]". It is stupid. It is us, the ones that are not terrorists, that stand to be impacted by this stupidity. Terrorists won't care.

But I want to try and take technology out of this debate and explain just how stupid this is in terms that anyone can understand. I have made a video [here], and I explain below, a means of communications that anyone (including terrorists) can easily use; a method of communication that cannot be read; something that is absolutely what Theresa May and David Cameron say must not be allowed. I am not being extremest here - every one of you does far more complex stuff every time you visit FaceBook, remember that!

The system is called a one time pad, and it is uncrackable. This may look like child's play, but I can assure you that if the NSA or GCHQ intercepted your communications using this then they could not crack it as long as you have done what I say and made sure the keys are secret and safe. I'd be surprised if this is not millennia old, but the concept was first published in 1882 relating to secure telegraph.

This is not difficult - and it is fun for all the family - why not try it with your kids? If could teach them important tools they may need if this government have their way.

Let's take is step by step...

1. Before you start you need keys. In my video I have made each key a separate sheet of paper and printed with blank boxes by each character. In the spirit of SMS I have made the keys 160 characters long. You will need a set of keys for future messages, with each key twice, one kept by the sender and one by the recipient. I made the keys using a computer program, and you could get from a web site [here] but that means the web site operator may have your key, so not safe (unless you are just doing this for a bit of fun). Running the software yourself is better, but you can just use a pair of dice! You do not need a computer. A couple of dice and some squared paper and a pencil, that is all.
2. You need to make sure the sender has a set of keys and the recipient has the same set of keys, and that nobody else has seen the keys or has a copy or has access. Each of you should keep them safe, perhaps in an actual safe even. This does mean meeting up face to face at some point, but this can set up secure communications for the future. You may want to agree a way to tell each other that your keys have been accessed, some suitable message like "my keys have been seen by someone else" in a text! NEVER LET ANYONE ELSE SEE THE KEYS!
3. When you want to send some critical message, such as the date and time of an attack you are planning (don't attack people, that is not legal), you pick one of the key sheets. You can pick it at random, as it happens, and I'll explain how the recipient knows which you used.
4. You write your message over the key letters on the sheet, but start with say 4 spaces. (We didn't do this on the video) Make sure you don't have other paper below as it could leave an impression when you write (a mistake we make on the video)
5. For each letter in your message you also have a key letter. Using a simple addition table or wheel you add the two letters together. You look up the message letter on one side, and the key letter on the other, and find where the lines cross to get the output (coded) letter and write that down.
6. For this purpose I have created a sheet with an alphabet of 36 characters in total, being A-Z, 1-9 and a space. To avoid misreading multiple spaces we are treating a space as a * in the final message sent, and to avoid confusion as well as making it a nice number to use with two dice, we have made O and 0 the same. A simple addition sheet can be found here. You could make different decisions on the alphabet to use and so on.
7. For convenience, in my addition sheet, the space (or *) is added as a zero value, and so does not change the other letter (unlike the video). That means any spaces in your message you just write the key letter down unchanged - this saves time, but it also means your final message starts with 4 key letters as per the sheet. You should also have spaces on the end, so also writing the key letters again, either a random extra number of spaces, or perhaps all the way to the end of the 160 characters every time. This hides the length of your true message.
8. You send the code letters to the recipient. This could be by text, but remember, this coded message is not secret - so you could just tweet it, or write it on a post-it note, or graffiti it on the side of a building (don't do that, it is not legal either). As long as the recipient knows where to look for the message that is fine.
9. The sender now destroys the sheet, destroying your message and the key. NEVER EVER USE THE SAME KEY SHEET TWICE.
10. The recipient can use the first 4 letters to work out which key sheet applies as they were coded as spaces. When making the key sheets you may want to avoid duplicates in the first 4 letters.
11. The recipient writes the coded message on the sheet, and then works through the characters. This time, you find the key letter row, and follow it along to the coded letter, then go up/down to the letter at the end of the column and that will be the original message letter. Write that down on the sheet. You will see spaces easily as they have the coded letter the same as the key letter and so the padding spaces at the end are simple to spot and ignore.
12. At the end you will see the original message on the sheet. Read it and understand it.
13. The the recipient destroys the sheet, destroying the message and the key.

If, later, the police or security services, having seen this coded message, come to you and demand the key you used to decode the message (as allowed by law), you can honestly tell them that it was destroyed, and so not handing over the key would not be illegal. We think you have no legal obligation to hand over the keys that are not yet used and you can keep them in the safe, but if you do have to, just tweet that your keys are taken so no more message are sent or you indicate in some more subtle way if ordered not to, or if you are a terrorist and don't care about following the law!

The one time pad does have some issues. The main benefit is the simplicity and total security it offers, but the down sides are that you have to pre-exchange some keys, you have to be sure the keys really are random, and you have to be sure to keep the keys totally safe. If you can do that, then you have a means to safely communicate privately (even if you are not a terrorist).

Now, computers can do a lot more, and have ways to avoid the sharing of keys like this, but authenticity of sender and recipient are always issues in any system. Using computers it is even possible to actually hide the fact that the message is coded in some way, so you are not looking suspicious by sending gibberish texts. However, I hope this shows how simple it is to do what David Cameron and Theresa May actually want to ban, and how pointless any such ban would be. The damaging effects of any sort of measures they take could be massive though, and that is why we have to stop this proposal at the start and make them understand that:-

• we have a right to communicate privately,
• we have the technology (pen and paper) to communicate privately, and
• we will communicate privately (and so might terrorists).

Please do watch the video [here]. And share our A&A FaceBook post and tweet under #dontbanprivacy. I want this to get back to David Cameron and Theresa May and everyone else that heckled Julian in parliament. He seems the only one with clue and I'd even move to his constituency if I could.

Keeping secrets

Cameron has raised awareness of privacy, the Streisand effect at work. If certain apps are banned, the criminals will know exactly which apps are safe to use. So I am working out what we can do to help customers that are concerned over security.

Andrews & Arnold and PGP

A&A have always supported use of PGP/GPG and customers can (and do) send encrypted emails. We sign emails we send from the accounts system. Staff have GPG installed and have keys signed by the company key which I control. Sadly few customers use this, and so staff are perhaps less on-the-ball than they could be, but we are working on improving that too.

I think we can do more though. What I am trying to work on now is a way for customers to tell us that they want encrypted emails from us. We would use the https access to the accounts system to manage this which has some degree of traceable trust but it would mean uploading a public key to us (or perhaps referencing a key server). We'd need to make this simple, and perhaps even have an API, as some people may wish to issue new keys every day and delete old ones in order to thwart the RIPA requirement to hand over keys if you have them.

The challenge I then face is how we manage that preference as we have various systems that send emails as well as staff that could send emails directly. We would need some way for every system to know to use encryption and which key to use. Now, for staff sending emails we can almost certainly integrate this in with the ticketing system as a "direct" email is relatively rare, but that is not ideal. I suspect that it will take some time to ensure every system and every script that sends emails understands this, unless we run an intermediate outgoing mail server for it.

I am interested in the best practice way of managing this though. I am sure this cannot be an uncommon problem. Should we run a key server? Should we put keys in shared SQL databases? We are only talking public keys so not a huge security issue. Maybe some combination of the two. Any advice welcome.

FireBrick and IPsec

The FireBrick products already support IPsec, and any day now we expect to have the EAP elements that will allow things like iPhones and Androids to remote connect to a FireBrick and allow VPN access to your office, etc. Once that is done we will progress on to TL, https and ssh, obviously.

One of the key features of the FireBrick, and one of the main reasons it has taken so long to get these features in place, is that this is written from scratch.*

What this means is that we know there are no back doors in the code. Almost any small router that does https or even IPsec has bought in the code or used open source. It is large and complex and may even be a "binary blob" so it is hard to be sure that it has no back doors. Open source is generally safer as it can be reviewed, and people do, but how do you know the code you downloaded is that reviewed and correct code exactly unless you check it yourself? Well, in our case, we know because it has been written in-house. There is not even a third party operating system below it, we wrote that too. We even use a processor with no hidden boot ROM code and no binary blob device drivers for peripherals (both of which are quite common these days in some types of processor). We even make the FireBricks in the UK and load the code in to them ourselves. All code is signed by us, and our boot loader checks the signature to ensure no rogue code can be issued with back doors added.**

I think it is incredibly rare for any manufacturer to be able to say that. And if some UK law is passed that could compel us to add back doors we would stop.***

Even so, suggestions welcome.

* Some of you may have heard the long standing truth that one should never try and design an encryption system yourself or behind closed doors. They have to be one subject to wide scrutiny to be any good. This is true, but is not the same an implementing these algorithms, which can be done behind closed doors, and the standards provide lots of good test data for doing just that.

** Technically, with physical access and a JTAG interface someone could load other code, but that is highly unlikely and would require that physical access to the FireBrick.

*** In practice we would probably set up in a saner country and make and ship from there, or possibly just emigrate there as the UK really would have lost the plot by then.

Sorry David Cameron but we have a right to privacy!

David Cameron stating that we cannot allow a means of communications where the government cannot read that communication. [video]

Sorry, but no! This is not acceptable.

His statement is reported as relating to snapchat, but how would he make it so that all communications can be read by the government? If I access a bank that is not in the UK using https then this government cannot read that, which is as it should be.

He would have to ban encryption to achieve what he is saying and that is madness.

1. There are means which can be used to communicate in a way which cannot be read by the government, or anyone else - that is a fact and no amount of laws will change that fact. This is called encryption. Encryption is used every day by most people - Facebook defaults to using encryption, and of course on-line banking uses it.

2. There are means which can be used to communicate where it cannot be proved that any additional message exists if you of not have the key. This is called steganography. It means that one can send private message with no way to prove that you have done so, and so no way to prove you have broken some "no encryption" law.

Making laws against private communications is totally pointless as it does not stop private communications between criminals or suspects. What it does do is impact otherwise law abiding citizens and commerce and our right to a private life.

This issue surrounding David Cameron's statement that he believes that the government should be able to see/hear/read any communication in this country if necessary. He does go on about "in extremis" and how this needs to be signed off by Home Secretary, but even with the controls he mentions, in order to do this he needs it to be technically possible.

Think about that for a second - it means laws in the UK that make it possible for communication between two people to be listened in to by a third party even if those two people do not want that to happen. For the warrant from the Home Secretary to work, that has to be technically possible in the first place for all communication in the UK!

That is a huge thing to say - because if it is technically possible for the government to "listen in" then it is technically possible for criminals and terrorists to do so. What ever the legislation is, its job is to weaken what we do to the extent that the government can snoop. That means is possible, and those criminals will not need a sign off from the Home Secretary. That sort of change would make Britain a laughing stock and ensure nobody does anything sensitive with the UK. Indeed, it is hard to say how such weakening of communications could be consistent to Data Protection laws. In fact, it would mean NO COMPANY DEALING WITH UK CUSTOMERS COULD TAKE CREDIT CARDS ON-LINE as such weakened communications would be against the strict rules imposed and enforced by the card companies.

I have not actually read 1984, but is David Cameron quoting from it?

If you take what he has said literally it would mean whispering to your partner in bed would be illegal in case the government planted microphone could not pick up what you said.

Getting started with PGP.

Remember, Mr Cameron, you work for us, not the other way around. This sort of rhetoric shows you have no clue about basic rights or technology and really should not be running anything.

Update: Loads of responses on twitter along the lines of "Already UK law in RIPA, you have to hand over keys". ONLY IF YOU HAVE THE KEY! That does not help for transient keys. I mean, if you are asked to hand over the transient https key used on your last access to FaceBook so they can decode the TCP traffic they captured - you cannot. Similarly, I can simply make a key, send the public key to someone, receive from them a message, read it, and delete it and the key, then nothing to hand over. I think some chat apps do that inherently with transient keys in memory only, deleted after reading. It is not complex technology and perfectly legal not to have the key - only illegal not to hand it over on demand if you do have it.

Update: Another good blog post on this [Steve's blog].

Update: I have written to my [Conservative] MP.

Think of the children

Someone said that on irc just now, "Think of the children"... in jest, but my having had a few drinks I was thinking "what does that mean?"

I have children! I have 5 kids (3 mine, 2 step kids) and I have 2 grandchildren. One of whom is round here playing World of Warcraft right now...

So, let's think of the children for a moment - what do I think is important to them?

Well... I am a realist and I don't think that terrorists or child abusers will play any part in their lives. This is a simple matter of statistics - such things are rare. In the case of child abuse it is way more likely to be family members than a stranger so even less likely, knowing my family. Really, all the hype on such things should not worry me, or my children. Do the numbers, work it out, it is not an issue. They are far more in danger as a passenger in a car or walking along a pavement.

So what is an issue for my kids? Well, there are big things. Think 50 years ahead? Climate change is likely to be an issue, though, to be honest, the politics and hassle around climate change control are likely to affect their day to day lives more that actual climate change itself, IMHO. But even looking at something simple like the world population and our global ability to house and feed people, there are possible issues. My children and grand children may face somewhat interesting issues. They may even face wars.

But one thing I think is very important - that people matter. The people of the world, even the stupid ones, matter. It is, after all, "making people continue" that matters, and for me, making my kids and their kids continue. This is the driving force of life as we know it.

So it is crucial that people have a view and a say - that we do not separate those that control and the drones that do the work. That all people's views count. This is the very foundation of any democratic society.

To make a system of government that "works for the people" rather than being a class that controls and managers the people there is one key element without which it cannot work. Freedom of speech!

At a large scale, social commentary, whistle blowers, and so on - it makes sense. There are obviously issues at smaller scales - one cannot allow everyone to say anything they want with no consequences - what if they are telling lies to con old ladies in to giving up their life savings? That is not the sort of "freedom of speech" we mean here. But at a general level - being allowed to state your opinion (as an opinion) is important to any democratic society.

A massive part of that is allowing the means for anyone that wants to speak, to be able to. To ensure all communications means are themselves impartial and transparent. Yes, if what someone says is, itself, legally unacceptable, take legal action against them, but do not try and stifle there means by which they say it. Allow the world to judge what they say. Allow the speech!

There are bad things in this - I was in Vegas and saw this with someone in the street spouting rather offensive homophobic messages, and others "in their face" shouting back. It did not come to blows or contacts as that would have invited the police - but speaking, no matter how wrong it seemed to me, was allowed. It was a right, and to be frank - everyone ignored it. The message in this case was wrong, but the right to spout the message was important. The right to state what is wrong with it just as publicly is protected and allowed.

Without that - in a world of censored messages - we do not know what is important and what messages we are missing - we would live in a world of coverups and propaganda and no way to see the truth.

Think of the children!? I am when I say we need to keep the Internet open and free from meddling, even with the filth that lurks, it means we also get the truth that matters.

Unfiltered advert!

We ran an advert in Linux Voice magazine recently, which included the title text "Home::1 BROADBAND, F*CK FILTERING". It was meant to be a bit of a play on words both as "We don't want filtering", but also on the type of material that filtered by default by large ISPs. I am more than happy to be criticised for it being in poor taste, and I apologise for that. Thankfully most people did find it amusing.

However, to our surprise someone raised a formal complaint to the Advertising Standards Authority!

Even though a tad bad taste, we were a bit surprised by this. But if gets odder.

• The complaint was that it was irresponsible as the readership included children?!
• The complaint was submitted with a photograph of the advert. But what is extra strange is that it was not one taken by the person complaining, but was one taken by one of our customers who posted a link to the picture on an irc channel. That channel has quite small readership, and is almost entirely existing customers as well as people with a sense of humour and a place of definitely adult conversation at times.

We have no idea who it was that complained, though the ASA screwed up quite badly as they left the EXIF data in the photo. Had it been taken by the complainer, we would have been able to work out where and when it was taken very accurately. As it happens we traced it to the customer that took it, and we were able to confirm it was the same picture he posted in the irc channel.

The ASA clearly have no clue on handling personal information!

Another thing they have no clue on is copyright law. Obviously we are not lawyers, but they were emailing around, i.e. copying, a photograph of a magazine. The photograph was copyright of the photographer (our customer) who had not given permission for the complainer or the ASA to copy it. The subject of the photograph is a magazine, which is likely at least in part to be copyright of Linux Voice. And finally the advert that is the subject of the picture is our copyright.

Now, the usage in this case may possibly come under the "fair usage" exceptions in the copyright act, I am not sure, but when we pointed out the copyright issues to the ASA their reply was rather bizarre! They said that they were using the photo :-

• Not for commercial purposes
• Not disseminating it any further other than for our reference and ASA council
• That the ad itself was "public domain" anyway

None of these are valid excuses for breaching copyright. If they were, then copying a CD (public domain) for a mate (not disseminating far) for free (non commercial) would be fine under copyright law. At no point did he suggest it was fair usage or that it was covered by some other legal loophole allowing it. It suggests ASA have no clue at all on copyright.

They also had some interesting points on confidentiality - they said the case was confidential. We asked on what legal basis that was the case (half expecting there to be some law on the matter) and they basically had nothing. No contract or agreement with us. No legal requirement. Their only suggestion was that if we published anything then they would not take any further comments from us in defence of the case, and that publishing could prejudice the case?! Anyway, that being their reasoning, there is no reason not to publish their ruling now.

I'd like to thank the guys from Linux Voice as they were helpful in addressing this. We think it is their first ever ASA complaint too.

Anyway, the good news is that the complaint was not upheld. Linux voice is not a children's magazine, surprise surprise! Of course, the whole thing is rather daft, as most of these sorts of cases are, even if upheld - by the time we got the complaint we had finished running the advert anyway!

I include the PDF here journalistically for criticism, comment and review.

2014-12-12 Adjudication (Final)-1.pdf

So, our advert is not filtered either - yay!

Mind you - I do wonder if we should run an advert in "unfiltered", the Scottish Malt Whisky Society magazine. I'll have to ask.

The end of the Internet as we know it

When I first got a web site, for the company, back in the 90's, they were all a bit new. You could not sensibly suggest someone "look at my web site" as they probably did not even have Internet access.

Over the decades that has changed. There have been minor technical issues about making sure a web site shows correctly in the latest browsers or old browsers, and so on. Some minor compatibility issues that did not usually stop people seeing the site, just meant it did not look as good.

Governments have realised how important "Internet access" is, and are working on making sure everyone has access one way or another.

So, "look at my web site" is pretty much a sensible thing to say to anyone now.

But now, for the first time, I feel we are going backwards.

I cannot expect "look at my web site" to work any more, not even to friends and family.

This is because they might have kids, or might not know how to tell their ISP that they don't have kids, and so my web site may be blocked in a blanket category of "blogs". It is not reasonable to expect people to have to go through the hassle (and perceived risk) of turning off child protection settings to read my blog and then turn them back on again afterwards. It is not like one laptop in a house can access my blog whilst others cannot.

This is not even one of those "misclassification" issues about which I may have some slim hope of complaining to all ISPs. They classify my blog as a blog, which it is. The issue is that blocking blogs is seen as even vaguely sensible in the interests of child protection and that it is seen as sensible for an entire household to suffer this block.

BLOCKING ADULTS (THE PARENTS) SEEING MY BLOG IS SUPPOSEDLY IN THE INTERESTS OF CHILD PROTECTION.

So, what's the answer? Do I have to start an arms race to bypass the blocking systems (changing IPs, URLs, serving different content to different requesters, etc).

I am moving the URL of my blog anyway, to see how that impacts filters. www.me.uk will redirect to www.revk.uk instead of revk.www.me.uk but I am setting a redirect on the old URL for direct links. It is a pain that bloodspot cannot cope with my blog actually being on www.me.uk!

The bluntest instrument!

To block "blogs" or not?

That is the question faced by parents with one of the more flexible blocking options they can choose with a supplier like Talk Talk retail. Many ISPs offer very crude on or off options but Talk Talk have quite a few choices.

Even so, the options they include have a range of categories, but one of them includes "blogs", yes or no?

How the hell can a parent decide if all blogs are to be allowed or not?

There are blogs by teenage kids talking about school dinners. There are blogs about guns and terrorism. There are blogs about sexuality, and teenage stress and support groups. There is everything in between.

Blocking social media is often an option, so lets stop kids being engaged with other kids while they grow up - that'll fix 'em, surely?

How the hell is a parent meant to decide how to use this huge blunt instrument to restrict what their kids see? And why? And this is one of the more flexible selections that ISPs offer (well done Talk Talk on that at least).

This is total nonsense. It is nanny state gone mad.

Even if this made some sense, the day they turn 18 they can see anything they want, and it will all be a surprise for their cotton wool wrapped minds. That can't possibly go wrong.

Thank deity/sanity that the law has not stopped ISPs offering parents an unfiltered Internet where they can choose to actually supervise and educate their own children properly.

Porn filters - no it is not a law!

We hear people saying "They all filter now don't they, it's the law isn't it?" when it comes to porn and other filters.

It seems to me that there is a lot of confusion over this, and I am sure this is exactly what the likes of Baroness Howe would want - people assuming that a filtered Internet is normal or even a legal requirement. It is not!

I was, however, rather encouraged having done a talk at both LONAP and LINX, the two main London based Internet Exchanges to find that almost nobody does any filtering. Whilst A&A may well push the whole unfiltered angle, it seems that most small ISPs simply are not filtering. The notable exceptions being some ISP selling specifically to schools, and, of course, the big ISPs like BT, etc.

The main points in my talk cover the principles of why we don't filter:

1. There is an important principle, which has some protection in law even ("mere conduit") that the how you communicate is separate from the what you communicate. Providers of communications, whether post, telephone or Internet should not have to consider the ethical, legal, moral, or political aspects of what is communicated. They should be able to concentrate on the how aspects and make the communications work. If we had to concern ourselves with what is communicated we would not have the Internet at all.
2. The whole censorship is bad and this is the thin end of the wedge and slippery slope arguments.
3. The pointlessness of this all - nobody will be stopped from communicating if they want to. There are people selling USB sticks with TOR browsers and Flash allowing unfiltered browsing with one click.

The presentation went down well at both events.

But even with most Internet access having filtering now, simply because most lines are with the biggest providers, people still seem to misunderstand. It is not obvious to people that these filters are optional - you do not have to have them. Of course, those that understand that they are optional do not want to be put on the ISPs perv list by asking.

Of course, even now, there is mission creep on this - and already calls to include "extremist" web sites on the filters, and include non-optional filtering of "illegal content". We said this would happen and we are sliding down that slippery slope already it seems.

So, lets be clear:

There is no legal requirement for an ISP to filter anything!

The closest we get to that is the ability for a court to make an order against an individual ISP to filter access to a specific site relating to copyright infringement. Even that is on shaky ground after a court ruling elsewhere in the EU removing such blocks after conceding that they do not work.

An ISP does not have to filter illegal or immoral content, or monitor for such content, or report such usage to anyone. ISPs are protected from liability for the content that is passed. Obviously customers should not do anything illegal, but ISPs do not have to police that, and (in my view) should not.

So it is good news that there are a lot of small ISPs for consumers and businesses that are not filtering the Internet. I am all in favour of choice. Of course, I don't mind if ISPs do offer additional services and filtering, as a choice the customer picks. What concerns me is the way people now assume filtering is normal.

Thanks to LINX and LONAP for letting me talk on this, and ask members about what they do.

Web site operators will have to apply to UK government to allow their web site to be seen by UK citizens

Sounds like an unlikely headline, but how far from the truth is that I wonder?

The BBC article on whitelisting sites to not be accidentally black listed is clearly making this one step closer to reality.

The next step, obviously, is that they realise that the existing porn blocking is simply not good enough as it will miss so many sites. But they have this whitelisting system in place - all they have to do is block everything except the whitelist, and problem solved.

This really need stamping on - it is simply getting silly.

The politicians clearly have no clue. They think porn blocks are even possible (without making "the Internet" in to a whitelist of web sites only), and they even think that a "nanny state" of default blocks is sensible.

We have people like Baroness Howe using A&A as an example for why we need legislation on this, not realising that we already meet her proposed measures. That makes us an example of not needing legislation as her worst example already complies, yet all of this with no evidence of any actual harm caused in the first place!

Do we really want access to information in this country to be government controlled and censored?

THIS IS NOT CHINA
THIS IS NOT NORTH KOREA

So please talk to your MP and tell them this nonsense must stop now.

Open letter to Baroness Howe

Dear Baroness Howe,

I see that you mentioned Andrews & Arnold in your recent speech in The House of Lords in relation to child protection and Internet censorship.

I would be delighted to have the opportunity to discuss such issues with you if possible, both on a technical basis, and a practical basis, but also as a father having raised five children in the Internet age.

Whilst I am pleased that our marketing efforts have brought us to your attention, I am slightly puzzled that you seem to have mentioned Andrews & Arnold in a context of being something of a problem ISP, and a reason for your amendments. Therefore, I would like to take this opportunity to clear up any misunderstanding you have about our service.

For a start, we appear to be a company that already complies with the requirements of your proposals:

1. We do not sell to individuals under 18. We already ask anyone ordering to confirm that they are not under 18. Obviously if OFCOM were to come up with some practical means to verify age on an on-line order we'd be more than happy to consider integrating such a system, but at present we feel it very unlikely that an under 18 could order. For our type of services it means having access to a phone line (without Internet already) in order to install equipment, or access to allow a phone line to be installed - both of which seem unlikely to go unnoticed by parents in a household. Our services are also unlikely to be cost effective for a minor to purchase.
2. We already confirm that our customers want fully unfiltered Internet access, and this is made very clear when ordering. Indeed, it is one of the main reasons people come to us in the first place to obtain Internet access.

So it seems to me that we are already exactly the sort of ISP you want - one that does not sell to minors and only provides unfiltered Internet access to those that specifically request it.

I am quite sure that most other small ISPs would be happy to work in a similar way, and I would be happy to engage with ISPA, LONAP, LINX, and UKNOF to try and build an informal arrangement regarding such clear information at the point of sale.

Indeed, specifically for parents, we even go as far as providing means to set alternative DNS servers which are a way of helping block accidental access to unsavoury content on a customers Internet access with us.

In light of this, I am somewhat surprised that you appear to use us an example of why legislation would be needed. It seems to me that we are exactly the opposite, an example of why legislation is not needed.

However, as I said earlier, I would be delighted if there was an opportunity to discuss such matters more directly. I am sure, if you would like, that we could arrange a dinner/meeting with a number of similar small ISPs if that would be helpful. Alternatively, I would be delighted if you would like to visit our offices in Bracknell and discuss matters and see what we do.

I also have a suggestion for age verification which could be achieved by a change in BACS, using a variation of normal Direct Debit set up as a means to verify that an account holder is 18 or over. After all, the banks already do significant checks on account holders, and it would be ideal to make use of their information for such a purpose.

Regards,
-- 
Adrian Kennard
Director
AAISP.

[Being posted as well, I'll update any reply]

Mentioned in The House of Lords

It seems A&A got a mention in the Lords yesterday

Baroness Howe of Idlicote: "Self-regulation, for example, provides no means of dealing with the likes of Andrews and Arnold where default filters are concerned. Its closed loop system does not provide for proper age verification and the mobile phone code all too often—and at very real cost to children—has not been respected. If we believe that child protection is really important—and I have every belief that your Lordships believe just that—we must introduce robust statutory measures to help prevent children accessing this material."

I am pleased to see that some of my good work has been noticed, and I would love to have the opportunity to try and explain things to the Lords or Parliament.

I am, however, somewhat concerned at the comments that have been made. "age verification" seems an odd one, as we do not sell to minors (and ask people to confirm they are over 18 when buying as well as expecting a bank account with Direct Debit). I am not sure what "mobile phone code" means in this context either.

Indeed, we have no "age verifications" when a child uses a telephone to make a call, and no checks on the words spoken in that call. Similarly no "age verification" for a child to receive post.

As a father I am very interested in the "very real cost to children" this causes, and I would love to see a reference to any credible study of the impact of access to pornography by children and how it has affected them. I wonder how many MPs saw some porn when still a minor? I don't believe I know any man who did not, at some point, when a minor, see porn. I am sure such clear evidence must exist, or else Baroness Howe would not have used such strong words as "very real cost". I am always interested to learn.

However, with the comment "we must introduce robust statutory measures to help prevent children accessing this material." I do wonder what the objective here is.

I see two issues, one is younger children happening across something unsavoury when unsupervised accessing the Internet. This is, of course, easy to address, and many tools exist already, such as alternative DNS servers. Some ISPs (Andrews & Arnold included) will happily help parents set up alternative DNS servers on customer equipment or even pre-configure the equipment supplied to make use of such free services.

The second case is where a child wants to access "such material", such as a teenage boy (or girl, lets not be sexist here!). This is, of course, impossible to stop. None of the blocks in place by ISPs stop such access. The blocks in place do little more than stop accidental access and have lots of side effects with technical issues and over blocking. There are already people selling USB sticks pre-loaded with TOR+flash browsers to bypass all logging and blocking with one click.

But really, if this is such a real cost, why not make a law "It shall be an offence for any child to access porn on The Internet, over the phone or by post" - there you go - job done? Perhaps better would be "It shall be an offence for any parent or guardian of any child to allow that child to access porn on The Internet, over the phone or by post". That is a very simple law.

Or is it that such a law would be totally ineffective? Just like a law suggesting ISPs should block communications would be totally ineffective. I suppose we could cripple all communications in the UK massively by making the Internet some sort of white list only set of web sites you can access and no more - that could have a fun impact on the economy - I am sure that will be good for our children!

All the current ISP porn blocks do is give parents the false impression that the Internet is now "safe"meaning they supervise children less.

The recent blocks on The Pirate Bay, a single web site, being so ineffective that the Dutch courts have reversed the bans, just shows how ineffective blocks are. That was just one web site and not an attempt to block an entire, well funded, and legal industry.

If you are not convinced, go order one of these USB sticks and try, or better still ask a 12-15 year old, as an OFCOM report confirms that 1 in 5 of them know how to bypass filters, and that is a survey that pre-dates the recent introduction of filtering by major ISPs.

I do think the Baroness needs to think a little more on exactly what she is asking for here, and why. As I say, I am more than happy to come and explain things and can be contacted through the A&A press email address.

Update: As someone commented, we have been mentioned earlier and she even quotes our web site!

Interestingly the Baroness's actual proposals, having read them, would do nothing to our service as all of our customers have already opted for an unfiltered Internet connection and are over 18, so the service would remain exactly the same and we would simply not take on customers that ask for network level filtering.

Update: I see we are not alone in our views, comment from Lord Lucas.

My letter to the Baroness.