Spectrum Management and Telecommunications

Regulating content on the Internet: A new technological perspective

Part II: Can we promote or constrain access to content on the Internet in today's world?

A. Restricting Access to Content

This section discusses approaches to restricting users' access to particular types of content. It will first look at the techniques that are currently being used in the world today. It will then consider what else might be possible using the technologies currently available. Finally, it will take a look ahead at technologies that are under development but not currently ready for primetime.

What is Being Done Today?

In discussing current approaches to restricting content, we will first provide an overview of research into Internet filtering practices currently in use in those countries identified as being most active in attempting to control access to Internet content. We will then provide examples of how the various approaches to content identification are being used for a variety of purposes in the world today.

Current Internet Filtering Practices Around the World

In February 2008, MIT Press released Access Denied: The Practice and Policy of Global Internet Filtering20 reporting the results of research conducted by the Open Net Initiative (ONI). ONI conducted technical trials and compiled information on a number of the states practicing Internet content filtering21. Our discussion of current state-mandated Internet filtering practices draws largely on the results of that research.

According to the researchers involved in ONI, state-mandated Internet filtering takes place in at least twenty-four states worldwide including many countries in Asia, the Middle East and North Africa22. ONI sought to identify places in the world that practice state-mandated technical filtering. Their research revealed that among those states identified by the study, China practices "by far the most extensive filtering regime in the world." It is difficult to say how extensive these Internet filtering practices are since, for obvious reasons, no lists of blocked sites or terms are published. However, as studies by both ONI and Harvard indicate, it is clear that in China thousands of sites are blocked, although not entirely consistently or effectively. (Even within the strictly regulated Internet environment in China, blocking was found to vary across locations23). The following chart provides a view of the breadth (scope) and depth (amount of content on specific topics) of content targeted by those countries most involved in Internet filtering, as identified by ONI.

Figure: Internet filtering. Political and social filtering. AE - United Arab Emirates; BH - Bahrain; CN - China; ET - Ethiopia; IR - Iran; JO - Jordan; KR - South Korea; LY - Libya; MM - Burma/Myanmar; OM - Oman; PK - Pakistan; SA - Saudi Arabia; SD - Sudan; SY - Syria; TH - Thailand; UZ - Uzbekistan; VN - Vietnam; YE - Yemen. A number of small countries that filter a small number of sites are omitted from this diagram, including Azerbaijan, Belarus, India, Jordan, Kazakhstan, Morocco, Singapore, and Tajikistan.

Source : Access Denied24

As noted by ONI, the effectiveness of state-mandated filtering measures is largely dependent on non-technical factors such as "the political, legal, religious, and social context" in which they are implemented. In other words, factors such as the fear of state retribution for violating regulations are as much of a deterrent to accessing prohibited content as the technical restrictions imposed.25

The research conducted by ONI reveals that state-instigated content filtering and blocking are implemented using a combination of legal and social coercion and technical measures falling into the categories of "IP blocking, DNS tampering, and URL blocking using a proxy" or "search result removal."26 ONI notes that, as of 2007, it did not observe any evidence that filtering was being done at the content level (i.e., reading the content of Web sites).27

The following table from Access Denied shows the types of blocking being employed in the top 22 countries identified by ONI as using technical measures to restrict citizens' access to content.

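The types of blocking being employed in the top 22 countries identified by ONI as using technical measures to restrict citizens' access to content.

| Country | IP blocking | DNS tampering | Blockpage URL | Keyword |
|---|---|---|---|---|
| Azerbaijan | X | | X | |
| Bahrain | | X | X | |
| China | X | | | X |
| Ethiopia | X | | | |
| India | X | X | | |
| Iran | | | | |
| Jordan | X | | | |
| Libya | X | | | |
| Myanmar | | | X | |
| Oman | | | X | |
| Pakistan | X | X | | |
| Saudi Arabia | | | | |
| Singapore | | | X | |
| South Korea | X | X | X | |
| Sudan | | | X | |
| Syria | | | X | |
| Thailand | | | X | |
| Tunisia | | | X | |
| United Arab Emirates | | | X | |
| Uzbekistan | | | X | |
| Vietnam | | X | X | |
| Yemen | | | X | |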

Source : Access Denied28

Automated Content Identification to Restrict or Promote Access

As previously mentioned, in order to attempt to restrict or promote access to particular types of content, the first thing one must be able to do is identify that content. In this section, we will discuss the methods that are currently available for identifying content as it transits the Internet. For each of these methods of content identification, we will discuss the ways in which it can be used to restrict or promote access to content on the Internet, as well as any challenges, limitations or weaknesses associated with each approach to content restriction or promotion. Note that the majority of this discussion will focus on approaches to content restriction, as this has been the focus of most efforts to date.

Approach to Content Identification: Identifying by IP Address

How It Works

Each device attached to the Internet has a unique numeric identifier called an Internet Protocol address (IP address). For example, 142.58.102.1 is the IP address for one of the servers hosting the Web site of Simon Fraser University. IP addresses are registered to an organization or an Internet Service Provider (ISP) through the Internet Assigned Number Authority (IANA). IANA allocates IP addresses to Regional Internet Registries, which in turn allocate IP addresses to Local Internet Registries or National Registries. Local or National Registries allocate ranges of IP addresses to ISPs, who then provide IP addresses to their subscribers.

Figure: Map of IANA's Regional Internet Registries.

It is relatively easy to use technology to identify the IP address of either a user or a content source, as detection of IP addresses is something that network routers routinely do in determining to which machine data should be sent on the Internet.

How an IP Address can be used to Filter Content: IP Address Blocking

IP address blocking is perhaps the simplest type of content filtering to implement. It allows the blocking of content based on the IP address of the server. This type of filtering is relatively easy for ISPs to set up and maintain, and requires no additional hardware, as IP address blocking is implemented in all carrier-class routers.

In a number of countries around the world, ISPs are participating in "Cleanfeed" projects. In these projects, a variety of organizations, working with law enforcement agencies, compile and exchange lists of IP addresses associated with images of child sexual abuse. For example, in Canada, Cybertip.ca has created and maintains a regularly updated list of specific Internet addresses (IP addresses) associated with images of child sexual abuse. The list of IP addresses is amassed by Cybertip.ca analysts who have received from Canadians information about Web sites that may be hosting images of child pornography. The analysts assess and validate the reported information, and if it matches certain criteria, the IP address is added to the Project Cleanfeed Canada distribution list, which is provided in a secure manner to participating ISPs. "The ISPs' filters automatically prevent access to addresses on the list. There is essentially no "human" intervention on the part of participating ISPs. ISPs do not have input into creating the list nor knowledge of what is contained on it."29

The "Cleanfeed" projects are intended to block illegal content at the ISP level. Other types of organizations provide "parental control" software that attempts to filter content that is not illegal but may be deemed inappropriate for children. This software allows parents to block access to Internet content based on a range of criteria. A useful description of the common features of parental control software can be found on the Top Choice Reviews Web site.30 A core feature of most of these software applications is a centrally maintained Web site list that uses IP address blocking to filter out sites deemed inappropriate for children. These sites are often categorized (e.g., sexual content, violence, gambling) and rated, to allow some measure of granularity. The most highly rated products include the ability to customize the list, add URL keyword blocking, block particular kinds of activities (e.g., chat), and allow parental monitoring of Internet usage. The Web site Well Researched Reviews provides a useful primer for parents considering purchasing parental control software, and clearly sets forth the limitations of IP blocking and filtering software:

"The Internet is a vast and quickly-growing ocean of information. More new Web pages come online every day and keeping up with them is an impossible task.

Web Filtering and Blocking software attempts to categorize all of these pages but in all of our real-world testing, not one was able to keep Everything [emphasis from original] out.

For this reason, it is important to make sure that any software you do buy also offers you the ability to monitor the activity of your child so that you can decide what is and is not appropriate for them."31

All of the major Canadian ISPs make third-party "parental control" software available to their subscribers at little or no cost. ICRA32 is the oldest content rating system and can be accessed by Internet Explorer for blocking purposes. It is not currently implemented in other commonly used browsers, such as Safari, Firefox and other versions of Mozilla.

Parental control software has traditionally been implemented on the client-side and has been made available on an "opt in" basis — that is to say, parents decide whether to use this software on their home computers and what parameters to activate. The Australian government has announced plans to require ISPs to implement parental control filters33 at the ISP level, blocking access for all users to content deemed inappropriate for children. Under this scheme, users will only have access to this content on an "opt in" basis.34

ISPs also use IP address blocking technology to identify certain IP addresses for the purposes of protecting their networks (e.g., from worms, viruses and denial of service attacks) or in response to court orders.

In some authoritarian states, ISPs may be ordered to implement more aggressive approaches to content blocking or filtering. They may engage in IP address blocking based on government supplied "blacklists" or "whitelists".

Challenges, Problems & Countermeasures to IP Blocking
Over-blocking

A significant drawback of IP address filtering is that it does not allow for very fine-grained control. For example, if you block the IP address for the CNN Web site, none of the content on that Web site will be accessible. In the case of hosting providers (organizations that host many Web sites on a single machine — often with a single IP address), the use of IP blocking technology would not only block the content of the targeted organization but it would also prevent access to the content from any other organization also hosted on that machine.

Under-blocking

Even if one is willing to block all content on a specific server, the biggest short-coming of IP blocking is the need to know the IP address of the server to be blocked. Given the fact that there are currently over 500 Million Web servers in the world (and many other servers that do not use the HTTP protocol), and tens of billions of Web pages and other data objects, the percentage of servers with offending content that can be indexed and added to a list of blocked IP addresses is, of necessity, small.

Furthermore, even if an IP address with offending content is identified, content providers can evade IP blocking by simply moving their content to a server with an IP address that is not on the list. This pervasive practice is why it has been impossible for governments, law enforcement agencies, and ISPs, despite their best and sincere efforts, to block sites purveying child pornography. As soon as purveyors of child pornography realize that the IP address for their Web site is on a block list (such as that created by "Cleanfeed"), they simply move their content to a different IP address. The problem was articulated succinctly to us by Kevin Salvadori, CIO of Telus:

Ask yourself the question: Have we been successful in eliminating child pornography on the Internet? No. Is that because of a lack of interest or commitment on the part of law enforcement, politicians, and ISPs? No. The pornographers are so sophisticated at flipping and randomizing their IP addresses, as soon as they know they are on a list they will pop-up somewhere else. It's a constant game of whack-a-mole, and it's not one we're winning.

Kevin Salvadori, CIO, Telus
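The over-blocking and under-blocking effects described above, as an added example that is not part of the original report: a destination-IP filter is run over a constructed hosting table, and the report lists which sites are blocked unintentionally and which intended targets are missed once they move. All hostnames, addresses and function names are invented for the illustration.

```python
import ipaddress

# Constructed hosting table: hostname -> server IP. All names use the reserved
# .example domain and all addresses are RFC 5737 documentation addresses.
HOSTING = {
    "target.example": "203.0.113.10",   # the site the list is meant to block
    "bakery.example": "203.0.113.10",   # unrelated sites on the same shared host
    "school.example": "203.0.113.10",
    "news.example": "198.51.100.7",     # hosted elsewhere
}
BLOCKLIST = ["203.0.113.10/32"]         # constructed block list (CIDR entries)
INTENDED = {"target.example"}           # what the list maintainer meant to block


def compile_blocklist(entries):
    """Parse list entries into network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_blocked(ip, networks):
    """A router-style check: only the destination address is examined."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def blocking_report(hosting, blocklist, intended):
    """Compare what the filter actually blocks with what it was meant to block."""
    networks = compile_blocklist(blocklist)
    blocked = {host for host, ip in hosting.items() if is_blocked(ip, networks)}
    return {
        "blocked": sorted(blocked),
        "collateral": sorted(blocked - intended),   # over-blocking
        "missed": sorted(intended - blocked),       # under-blocking
    }


def after_rehosting(hosting, host, new_ip):
    """Return a copy of the hosting table with one site moved to a new address."""
    moved = dict(hosting)
    moved[host] = new_ip
    return moved


if __name__ == "__main__":
    print("list is current:", blocking_report(HOSTING, BLOCKLIST, INTENDED))
    moved = after_rehosting(HOSTING, "target.example", "198.51.100.99")
    print("target has moved:", blocking_report(moved, BLOCKLIST, INTENDED))
```

With the stale list, the two unrelated sites stay blocked while the intended target is no longer covered, which is the maintenance problem the list operators face.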

Proxy servers

Users wishing to access content from blocked IP addresses can use proxy servers that disguise the IP address of the machine on which the content resides. Users simply visit a proxy server (a Web site that has not been blocked) through which they can view the blocked content. Rather than connecting directly to the server with the desired content or service, the user connects to the proxy server, "requesting some service, such as a file, connection, Web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client."35 Because the proxy server sits between the user and the target Web site, anonymizing proxy servers are able to disguise the user's IP information, as well as the IP information related to the Web page the user has requested.

Many Web sites exist that publish links to proxy sites, and the proxy sites frequently change their IP addresses to prevent their being blocked. Sites providing information about proxy sites, anonymizers, and encryption provide detailed instructions to anyone wishing to use them.36 Users in countries with content filtering policies that are viewed by their citizens as repressive frequently resort to proxy servers to access content in which they are interested. And, as the following anecdotal example from Iran indicates, the information is updated continuously to take into account the latest blocking measures imposed by state authorities. In his "MediaShift" blog of September 28, 2007, journalist Mark Glaser writes:

"One Facebook user in Iran, a 17 year old high school student named David, told me why he thinks Iran is blocking social media sites:

Iran tries to block any kind of social networking and blogging Web sites because they are scared! They are worried, they think that young Iranians might join and make a big group against this, as I prefer to call it, dictatorship! The main technique here is to keep people stupid, everything is censored here, the only way to get the truth about happenings in the world is the Internet and satelite [sic] TV (which is illegal) and the Web sites are all blocked.

Of course that can't work over a long period of time and so we use Web-based proxy sites to access filtered Web sites. Of course these proxies get blocked too but we always find new ones. If there is a strong will to break through the barriers that the government places for us then there is a way to break them and we Iranians here are determined to find all these ways. Just last night I went to a metal concert here, which is of course illegal, and there were people giving out proxy URLs so that we can access the bands' Web sites and blogs. There is a saying that keeps us going over here: "If there is a will, there is a way."37

Similarly, Professor Richard Smith, at Simon Fraser University, recounts giving a presentation to a room full of senior academics and graduate students at a university in China. As part of his presentation, he attempted to access a Web site that turned out to be blocked by either an ISP or some form of national filtering. Immediately, his audience stepped up to provide numerous work-arounds that, within a matter of minutes, allowed him to access the desired site. This incident occurred in a public setting in a government-funded institution!

Approach to Content Identification: Identifying by Location

How It Works

It is generally possible to determine the geographic location of a user or a content provider by examining the IP address of the machine requesting or providing the content. The IANA registry data provides the location of the ISP to which a set of IP addresses is registered. (For example, looking at the IANA registry, you would find that all the IP addresses registered to Simon Fraser University are located in Burnaby). To provide finer-grained information, service providers have come into existence who can supply enriched data about the location of IP addresses, usually down to at least the city level. So, for example, by using a service such as MaxMind38 it would be possible to determine which of the IP addresses registered to Simon Fraser University are assigned to systems located on the university's Burnaby campus, which ones are located at the university's downtown Vancouver campuses, and which are located at its Surrey campus. This ability to identify the location of a machine based on its IP address is commonly known as "geo-location."

How Location Detection Can be Used to Filter Content: Geo-gating

Another method of restricting access to content is what is frequently referred to as "geogating." This term is one of several terms used to refer to a technological approach that is generally implemented by content hosting sites, rather than by ISPs or national governments. Licensees of copyright-protected content such as television shows or music often enter into agreements with copyright holders restricting access to their content to users within the territory for which they hold the license. Geo-gating uses the ability to identify users by geo-location to restrict access to copyright-protected content to users in the licensed territory, and does so by refusing access to that content to users with IP addresses registered outside of particular geographic areas. So, for example, Hulu39 is a US Web site that provides access to full-length episodes of primetime TV shows and feature films. Hulu "geo-gates" the shows it provides so that they can only be accessed by Internet users with IP addresses registered in the United States. The screenshot below shows the message a Canadian user receives on the hulu.com site if an attempt is made to access one of its programs. The message begins "We're sorry, currently our video library can only be streamed within the United States."

Screenshot of "We're sorry" message displayed to Internet user with Canadian IP address in response to request for an episode of The Office from hulu.com

While geo-gating is typically implemented by content providers, it would be technically possible for an ISP to block access to all content coming from IP addresses registered to a specific geographic location or not coming from IP addresses registered to a specific geographic location.

Challenges, Problems & Countermeasures to Geo-Gating
Anonymizers

Anonymizers are a popular method for circumventing access restrictions based on detection of the location of the user. Anonymizing software disguises the IP address of the user, allowing the user to access content that would normally be blocked to a user with that IP address. Like Hulu, NBC "geo-gates" the online versions of its television programs so that they can only be accessed by Internet users with IP addresses registered in the United States. If a user with a Canadian IP address attempts to access an episode of "Late Night with Conan O'Brien," the user receives a "We're sorry" message as shown in the screen shot below:

Screenshot of "We're sorry" message displayed to Internet user with Canadian IP address in response to request for an episode of Late Night with Conan O'Brien from NBC

As part of their research, the researchers downloaded and installed the trial version of "Anonymous Surfing", to determine how easy it was to use and how effective it was in disguising the user's location and enabling access to the geo-gated content. (While many free anonymizing software packages are available to Internet users, it is interesting to note that there is sufficient interest in "anonymous surfing" that a number of companies are now commercializing their anonymizing products.) The screenshot below shows the interface for the trial version of "Anonymous Surfing."

Screenshot of trial version of "Anonymous Surfing" software

We can report that the software was both extremely easy to use and completely effective in our trial. It took the researchers less than five minutes to download the software, install it, and obtain access to the TV episode on the nbc.com site that had previously been blocked by geo-gating. As can be seen from the screenshot above, the user's real IP address (24.80.184.49 — registered to Shaw Cable in Canada) is disguised as 207.195.245.246, which appears to be in Delaware. It is interesting to note that using the anonymizing software did not significantly slow down access. Finally, it is worth noting that it is possible for the user to encrypt the data stream by simply clicking a checkbox in the "Control Panel." The next screenshot shows the Web page from nbc.com with the TV episode then made available to the Canadian user.

Screenshot showing episode of "Late Night with Conan O'Brien" accessed from nbc.com by Internet user with Canadian IP address using anonymizer software

While the researchers tested the effectiveness of anonymizing software in the context of geo-gating, a similar approach could be used to avoid other types of restrictions imposed on the basis of either the user's or the content provider's IP address. For example, it is interesting to note that the latest figures from Alexa.com (see screenshot, below) indicate that google.com is the fourth most popular site in China, whereas google.cn is the fifth most popular. It appears that, while Google is suppressing certain results for users of google.cn (regardless of where the user is located), it is not suppressing results on google.com if a search is conducted on that site by users in China.40 It would theoretically be possible for Google to program its system to suppress results on google.com for certain search terms if it detects a request coming from an IP address registered in China. However, even if this were the case, a Chinese user accessing google.com via an anonymizer would have unrestricted access to all search results. Combined with the use of proxy servers that disguise the IP address of any source content, restrictions on access to content based on IP address become completely ineffective. (We should, however, note that although users in China may be able to access Google.com, their access to certain search terms may still be blocked as a result of the fact that China filters content based on keywords contained in URLs.41)

Screenshot from alexa.com showing top ranked sites in China 20/02/08

Approach to Content Identification: Identifying by Domain Name

How It Works

The Domain Name Service (DNS) translates IP addresses into easy-to-remember names. So, for example, the IP address 159.33.3.85 may be given the domain name CBC. As with IP addresses, DNS domains are controlled by a registry system that is managed by IANA. Each country is assigned a two-letter top level domain. For example, .ca is the top level domain for Canada. In addition, there are several generic top level domains used by particular classes of organization (for example, .com for commercial, .org for not-for-profit, .net for network service providers).

Not all devices with IP addresses are assigned domain names. Furthermore, there is not a strict one-to-one relationship between IP addresses and domain names. Most large Web sites operate in clusters, where many computers, each with their own IP address, service requests to a particular domain. When a user enters a domain name into the address bar of a browser, the user's DNS server (usually the DNS server of the user's ISP) checks its records for an IP address that matches the domain name. If it finds a match, it forwards the request to the machine with that address. If it does not find a match, it forwards the request to the next DNS server up the line, which performs the same procedure, and so on, until a match is found. This information is then returned to the local DNS server and cached for quicker reference in the future. By analyzing the requests made to the DNS server, it is possible to identify the domain names being requested by users.

How Domain Names Can be used to Filter Content: DNS Tampering

For the purposes of blocking access to hosts, either local ISPs or governments can insert false entries in the local DNS server. The DNS server can detect the domain name requested by the user and tamper with the results. Rather than forwarding the domain name request to the appropriate IP address and then returning the requested page, the DNS server can be programmed to return a warning page, the homepage of the local law enforcement agency, or no result at all. For example, according to a BBC News report, until March 25, 2008 "Chinese users trying to access pages on the BBC [English language] site have almost always been redirected to an error message telling them: 'The connection was reset.'" As of the date of that report, the DNS tampering with the English language version of the BBC Web site appeared to have ended, but users attempting to access the Mandarin language version of the BBC Web site still received the "connection was reset" message.42
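One way a measurement study could flag the outcomes described above (a substituted page address, or no result at all), shown as an added example that is not part of the original report and not ONI's own method: answers from the network's default resolver are compared with answers from an independent reference resolver. The observations, names, addresses and verdict labels are constructed for the illustration.

```python
from collections import Counter

# Constructed observations: A-record answers from the network's default
# resolver (LOCAL) and from an independent resolver (REFERENCE). Names use the
# reserved .example domain; addresses are RFC 5737 documentation addresses.
LOCAL = {
    "news-a.example": ["192.0.2.80"],
    "news-b.example": ["192.0.2.80"],
    "forum.example": [],
    "shop.example": ["198.51.100.21"],
    "video.example": ["203.0.113.5", "203.0.113.6"],
}
REFERENCE = {
    "news-a.example": ["198.51.100.10"],
    "news-b.example": ["198.51.100.11"],
    "forum.example": ["198.51.100.12"],
    "shop.example": ["198.51.100.20", "198.51.100.21"],
    "video.example": ["203.0.113.7"],
}


def shared_sinks(local, reference, min_domains=2):
    """Addresses the local resolver returns for several unrelated names but the
    reference resolver returns for none of them (e.g. a common warning page)."""
    counts = Counter()
    for name, answers in local.items():
        expected = set(reference.get(name, []))
        for ip in set(answers) - expected:
            counts[ip] += 1
    return {ip for ip, seen in counts.items() if seen >= min_domains}


def classify(local, reference):
    """Give each name a verdict based on how the two resolvers' answers relate."""
    sinks = shared_sinks(local, reference)
    verdicts = {}
    for name, ref_answers in reference.items():
        loc, ref = set(local.get(name, [])), set(ref_answers)
        if ref and not loc:
            verdicts[name] = "no-result"            # resolves elsewhere, not here
        elif loc & sinks:
            verdicts[name] = "redirected"           # same odd address for many names
        elif loc & ref or loc == ref:
            verdicts[name] = "consistent"           # overlapping answers (clusters)
        else:
            # Different but unique answers: large sites use many servers, so this
            # alone does not show tampering and needs a follow-up check.
            verdicts[name] = "differs-unverified"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify(LOCAL, REFERENCE).items()):
        print(f"{name:18} {verdict}")
```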

Challenges, Problems & Countermeasures to DNS Tampering
Public DNS servers

By default a user's DNS server is the one provided by the DHCP (Dynamic Host Configuration Protocol) server on the user's network. However, it is simple for a user to override this default by changing the Internet Protocol (TCP/IP) Properties settings on his or her computer and entering the IP address for a public DNS server. For example, in Windows, the user simply opens the dialogue box shown below and specifies the DNS server addresses to be used. A list of public DNS servers can be found easily by typing the search term "public DNS servers" into a search engine.

Entering IP addresses for public DNS servers bypasses DNS tampering

If a user changes the DNS server preferences, the user bypasses any DNS tampering implemented on their network.

Approach to Content Identification: Identifying Information in Packet Header

How It Works

The Internet is a packet switched network. This means that data transferred over the network is broken up into small blocks of data or "packets" so that the data pipe can be shared by many users. The size of packets can vary, generally depending on network congestion. (When the network is very congested, data will be broken into smaller packets.) Every packet must contain certain information that indicates where it is going (destination IP), where it came from (source IP), how it is expecting to be received (protocol), and the order in which packets are to be reassembled once they reach their destination. This information is contained at the beginning of each packet, in a segment called the "header." Network devices are designed to inspect the information in packet headers in order to determine how the packet should be handled.43

How Data in Packet Header can be Used to Filter Content: Protocol Blocking

Due to concerns about maintaining network performance for all users, many ISPs have been interested in being able to detect and manage Internet traffic that uses common peer-to-peer protocols. On private networks, network administrators, similarly, have been interested in detecting and, in some cases, blocking, peer-to-peer network traffic. A number of vendors advertise solutions that claim to be able to detect commonly used peer-to-peer protocols and manage peer-to-peer traffic.

On March 27, 2008, Internet Evolution published the results of a test of carrier grade peer-to-peer filtering and regulation systems. According to the report:

Internet Evolution and SNEP (the Syndicat National de l'Édition Phonographique, an organization that represents the interests of the French music industry), commissioned an independent test lab, the European Advanced Networking Test Center AG (EANTC), to test the functionality and performance of P2P filters. The focus on the test was on large-scale devices, or so-called "carrier grade" systems — ones designed to filter vast amounts of peer-to-peer traffic on the Internet, in real time.44

This test was conducted based on the kind of data traffic transiting ISP networks, so the results are a useful benchmark for this discussion.

Twenty-eight vendors of peer-to-peer filtering products were invited to participate in the trial by EANTC, including "all the established players and market leaders" (Allot Communications, Cisco Systems Inc., Ellacoya Networks (recently acquired by Arbor Networks Inc.), F5 Networks Inc., Huawei Technologies Co. Ltd., Narus Inc., Packeteer Inc., and Sandvine Inc., "as well as a host of lesser known startups").

Internet Evolution reports that, after seeing the test conditions:

"only five [vendors] agreed to take part, and only under the condition that if they didn't like their results they could withdraw from the test and not be included in this report. In the event, three vendors chose to exercise their right of veto because each of their results were — ummm... how to put this? — "not perfect" for various reasons."

Ultimately, two vendors (Arbor/Ellacoya, based in the U.S.A., and ipoque GmbH, a German vendor) had products that showed good results in filtering common peer-to-peer protocols. However, "neither turned in perfect detection performance across the whole range of more and less popular P2P protocols."45

The Internet Evolution article concludes that, "It's quite clear that most [peer-to-peer filtering] vendors are still in an early phase of product deployment, and that their products' limited scale and functions have a long way to go before they catch up with the marketing and sales materials that their manufacturers are using to describe them." And further, "Based on the response to Internet Evolution's ground-breaking test of P2P filters, both ISPs and the music industry will have to wait a while before the power tools they need to beat back bandwidth hogs or stymie copyright violators are widely available."46

Note that these limitations in the ability to detect "content" were identified with respect to the relatively "simple" task of detecting protocols. To identify any more specific information about the content being transferred would be a significantly greater challenge.

Challenges, Problems & Countermeasures to Protocol Blocking
Over-blocking

Blocking all traffic using a particular protocol would result in blocking legitimate traffic using that protocol. For example, blocking HTTPS (encrypted HTTP traffic using public key encryption) would have a crippling effect on a wide variety of electronic-commerce activities, Internet banking, and many Web-based mail clients. Blocking of P2P protocols would interfere with peer-to-peer file transfers being used for content delivery by organizations such as the CBC and the Norwegian Broadcasting Corporation, which are using BitTorrent to deliver content to their audiences, and by independent artists using peer-to-peer as a channel for reaching audiences. Multi-participant calling using applications such as Skype is also based on peer-to-peer networking. All of these services could be inadvertently blocked through use of protocol blocking technology by ISPs attempting to manage peer-to-peer network traffic or other specific protocols.

Tunneling/Alternative Protocols

Traffic that uses a specific protocol tends to use specific ports or channels. For instance, Web traffic (HTTP) uses Port 80 and POP mail uses Port 110. It is possible, however, to send other types of traffic through a particular port. This is referred to as tunneling. The easiest way to block traffic that uses a particular protocol is to block the port which that traffic uses. So, for example, peer-to-peer traffic normally uses Ports 6881 to 6889, and one could attempt to block peer-to-peer traffic by blocking all traffic using those ports. However, it is possible to disguise peer-to-peer traffic as HTTP traffic by sending it to Port 80. This process would defeat the attempt to block peer-to-peer file sharing.

Encryption

It is possible to encrypt the protocol being used. As discussed above, a few high-end network devices are able to detect specific protocols even when they are encrypted. Because most peer-to-peer traffic has distinctive patterns of behaviour, a few highly specialized devices are able to detect these patterns and identify peer-to-peer traffic even when encryption interferes with their ability to read the protocol information contained in packet headers. However, this is a constant game of cat-and-mouse, with the software developers constantly creating new algorithms, and the device manufacturers constantly struggling to keep up.
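The following Python sketch is an added illustration, not part of the original report. It applies the port rule from the tunneling discussion and a cleartext signature rule to five constructed flows, and reports which peer-to-peer flows each rule misses and which legitimate flows it over-blocks. The flow data, labels and function names are assumptions made for the example; the signature is the opening of the BitTorrent handshake.

```python
# Added illustration; flows below are constructed sample data, not captured traffic.
from typing import NamedTuple

# A BitTorrent handshake opens with a length byte (19) and "BitTorrent protocol".
BT_SIGNATURE = b"\x13BitTorrent protocol"
P2P_PORTS = range(6881, 6890)  # Ports 6881 to 6889, as cited in the text


class Flow(NamedTuple):
    label: str
    dst_port: int
    payload: bytes   # first bytes of the connection
    is_p2p: bool     # ground truth, known only because the sample is constructed


FLOWS = [
    Flow("ordinary Web request", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n", False),
    Flow("peer-to-peer on usual port", 6881, BT_SIGNATURE + bytes(8), True),
    Flow("peer-to-peer sent to Port 80", 80, BT_SIGNATURE + bytes(8), True),
    Flow("encrypted peer-to-peer", 80, bytes.fromhex("a7f319c45be208d16c9e40b2"), True),
    Flow("unrelated service on Port 6885", 6885, b"HELLO example-service\r\n", False),
]


def port_rule(flow: Flow) -> bool:
    """Block when the destination port is in the peer-to-peer range."""
    return flow.dst_port in P2P_PORTS


def payload_rule(flow: Flow) -> bool:
    """Block when the payload opens with the cleartext handshake signature."""
    return flow.payload.startswith(BT_SIGNATURE)


def score(rule) -> dict:
    """Return the flows a rule misses and the flows it blocks by mistake."""
    return {
        "missed": [f.label for f in FLOWS if f.is_p2p and not rule(f)],
        "over_blocked": [f.label for f in FLOWS if not f.is_p2p and rule(f)],
    }


if __name__ == "__main__":
    for name, rule in (("port", port_rule), ("payload", payload_rule)):
        print(name, score(rule))
```

The port rule misses both flows sent to Port 80 and blocks the unrelated service; the signature rule catches the tunneled flow but still misses the encrypted one, which is why the devices described above fall back on behavioural patterns.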

Costs of Protocol Detection Technologies

Carrier-grade devices capable of managing Internet traffic based on protocol detection carry high implementation and operation costs, as discussed below.


20 Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain, Access Denied: The Practice and Policy of Global Internet Filtering, MIT Press, Boston, 2008.

21 opennet.net/research

22 Ibid., p. 6

23 Jonathan Zittrain and Benjamin Edelman, Empirical Analysis of Internet Filtering in China, http://cyber.law.harvard.edu/filtering/china/

24 Access Denied, op. cit., p. 7

25 We have seen that in some countries (Burma/Myanmar and the Autonomous Region of Tibet, for example) the government has simply shut down all Internet access. In countries with a very small number of Internet peering points and limited telecommunications egress to the outside world, cutting off Internet egress is an effective way of preventing cross-border data exchange. For the purposes of this paper, the researchers will not discuss complete denial of Internet services as an option.

26 http://opennet.net/about-filtering. Note: we will go on to define and discuss these categories more fully later in this report.

27 http://opennet.net/about-filtering. Note: this is not conclusive evidence that filtering at a content level is not taking place in any of these countries. In our interview with Ronald Deibert, he indicated that the methodologies used by ONI in its 2006 research were not designed to detect content substitution at the page level.

28 Access Denied, op. cit., p. 13

29 http://www.cybertip.ca/app/en/cleanfeed

30 http://top-parental-control-software.com/parental-control-software-features.htm

31 http://www.wellresearchedreviews.com/computer-monitoring/blocking-Websites.html?id=18&s=google&gclid=CJm3o--vpJECFSBeagodGVJ4dg

32 http://www.fosi.org/icra/

33 See discussion of parental control software, above.

34 A Melbourne company has been contracted to test the effectiveness of different content filters for this purpose.

35 http://en.wikipedia.org/wiki/Proxy_server

36 A short list of proxy sites is attached to this report as Appendix E.

37 http://www.pbs.org/mediashift/2007/09/breaking_government_blockadesy.html.

38 http://www.maxmind.com.

39 http://www.hulu.com.

40 The conclusion that users in China do receive different search results depending on the version of the Google search engine used, is based on verbal reports from users who used both google.cn and google.com while in China. Based on the same anecdotal reports, it appears that there is a lack of consistency in terms of which Web sites are blocked in China. So, for example, google.com is sometimes available to users in China and sometimes is not.

41 For example, the URL for the results page for a search on the term "falun gong" on google.ca has the URL http://www.google.ca/search?hl=en&q=falun+gong&btnG=Google+Search&meta. Based on URL keyword filtering, a practice widely acknowledged to be used in China, it would be simple enough to block access to any site with a URL containing "falun+gong".

42 http://news.bbc.co.uk/2/hi/asia-pacific/7312240.stm

43 For a description of the structure of IP data packets, see Appendix C.

44 Carsten Rosenhövel, Internet Evolution, "Peer-to-Peer Filters: Ready for Internet Prime Time?" http://www.internetevolution.com/document.asp?doc_id=148803 March 27, 2008

45 Ibid.

46 Ibid.