UK national Internet filter: a chill runneth up my spine

The weekly blog by the Issues Team

The UK has just set up a National Cyber Security Centre (NCSC), which is based in London, but is a business unit of the Government Communications Headquarters (GCHQ), Britain's signals intelligence agency, and a partner of the GCSB here.

Last week, the new CEO of the UK NCSC announced that they are working on a way to block sites that they know host viruses, malware and 'bad stuff.' How? Domain Name Server (DNS) filtering.

Sigh.

The DNS is the system that makes the Internet work for humans who prefer typing "internetnz.nz" rather than an Internet Protocol number like "202.68.93.36" (i.e. most of us). And yet again, someone is suggesting that the DNS should be filtered to protect us from harm.

The UK is seen as a 'like-minded' country that our government officials often look to for policy prescriptions and ideas to adapt here in NZ. UK are part of the 'Digital 5' which is a group of five countries who believe they have digitally leading governments (New Zealand are also part of this group). The GCHQ is also a partner of NZ's GCSB.

With these ties, there's a risk that someone in Wellington will see the UK's new filtering idea and think "maybe that's a good idea?"

Well it's not. DNS filtering for a whole country, and run by the Government is a terrible idea. Why? Let us count the ways.

Technical reasons it's a bad idea

It's trivial to get around. When you use DNS blocking to try and prevent people from accessing sites, it only works if people literally do nothing to try and circumvent it. It doesn't take much before people with low levels of technical skills are able to work around it.

China has used DNS interception and poisoning techniques as part of the 'Great Firewall of China' for years. We're not going to comment on how effective the Great Firewall is or not, but there seems to be a wealth of knowledge on how to bypass it. If you Google "How to get around the Great Firewall of China" - you get 994,000 results.

Turkey tried to use control over DNS to block Twitter during the 2014 protests but that resulted in an INCREASE in Twitter use as people learnt how to get around the blocks.

A common way to get around these type of blocks is by using end-to-end encryption and VPNs and we are seeing many examples of this right across the globe.

It's too large a hammer (or mallet if you will)

DNS blocking affects EVERY page on a site. In fact, it could even affect EVERY site at a given domain name. This is why when the Department of Internal Affairs here in New Zealand was looking to implement the child exploitation filter, they went for a solution which has a page by page granularity rather than a DNS based one. Affecting every page means judging Twitter, Facebook, Tumblr and Snapchat by the worst content and either blocking, or not. That doesn't seem fair or sensible.

Non-technical reasons why filtering is a bad idea

Who decides what is blocked?

 This is contentious and in the modern world cuts straight to economic issues. What happens to a business owner whose website starts serving malware to customers, all without their knowledge? If it gets blocked, would most business owners even know how to sort that? Or would getting blocked end up putting them out of business?

And if there is no remedy for challenging getting blocked (I bet the 'block' list will have a security classification), how does that sit with our universal human right to hear accusations and seek a remedy or redress?

Also, some practical issues - would a government filter block popular sites like the Metservice if their sites were serving up malware inside their advertisements (which has happened in the past).

Who gets to choose if they subscribe?

An interesting point the CEO of the UK NCSC made is that the filter will enable opt-out so it doesn't require new law or powers as it's completely voluntary. Well if that's NCSC's best go at a responsible opt-out policy, then that is a little concerning. The idea that opt-out schemes can help protect or benefit the vast majority of people, is full of moral and ethical concerns. Simply hand-waving and saying "no privacy issues here, it's opt out" is being disingenuous at the least.

Even if there are opt-out capabilities who gets to make that call? Is it the ISPs or network providers, or is it the individual customers?

What about an open and uncapturable Internet?

Is capturable okay as long as it's "the good guys" doing it? Whenever there has been talk about other countries/organisations exerting control over the DNS, countries like the UK and the USA have been very critical. But, apparently it seems to be okay now that the 'right' country is suggesting this as a workable solution for the 'right' reasons?

So how relevant is the British idea to New Zealand?

Hopefully, by now we've presented enough reasons for you to think that maybe DNS filtering is a bad idea that doesn't work properly. So cool story, how is this relevant to New Zealand?

Project CORTEX is run by our GCSB for networks of organisations that are considered "critical national infrastructure." We wouldn't be surprised if CORTEX involved some level of DNS filtering.

Also, the GCSB has been talking about a new project, spun out of CORTEX called "malware free networks." We're keen to hear more as this could either be a great project with shared indicators and information to help ISPs clean up their networks, or it could be another government filtering project. I know which one we would prefer.

If you'd like to know more about filtering here's some helpful links: