Exetel Trials Filtering with No Ability to Opt-Out

Exetel announced that it would run its own filtering trial, independently of the Government-run trial with no ability to opt out.

Around noon yesterday, four weeks late for April Fools’, Steve Waddington of Exetel announced that Exetel would run its own Internet filtering trial, independently of the Government-run trial. The kicker? There is no ability to opt-out of the trial.

The announcement states that the purpose of the trial is to give engineers and administrators an opportunity to understand the filtering technology, its implementation, and its costs.

We anticipate that the implementation of this NetClean system will have no impact for any end user. However, if you suspect you have been impacted, please post your experience here and we will investigate and report back.

Most curiously, the announcement states—

Any opinions or comments relating to your personal views on government filtering should be directed to your local MP.

The trial is set to start today and is expected to run ‘a few days to a week’.

Technical Summary

Last Friday, Steven Waddington posted some technical details about the NetClean WhiteBox that Exetel would use. You can get the firsthand information here.

If I understand correctly, the system is set up as a BGP neighbour. It queries DNS servers for the IPs of all blacklisted sites. It then poisons the attached network by advertising hostroutes for these IP addresses with itself as the next hop.

Since ISPs do this kind of routing anyway, so long as the blacklist is small (less than around 10,000 IPs according to the system’s makers), there should be no discernible impact on performance.

When a request is routed to the filtering system, the filter inspects it to determine whether the specific URL requested is on the blacklist. That way, when blacklisted content shares an IP with non-blacklisted content, the non-blacklisted content isn’t blocked.

It’s an elegant solution, insofar as it’s a clever implementation of bad policy.

No Opt-Out

Steven Waddington confirmed in a reply to a comment to his technical post that there’s no ability to opt out. In the forum, it’s explained that it’s technically infeasible for this system to allow end-users to opt-out.

I’m not intimately familiar with this technology, but I don’t see why that would be the case. The system would only have to check for an opt-out preference after it receives a routed IP and has confirmed that the requested URL is blacklisted. This should occur for relatively few requests with a small blacklist.

Of course, you can still ‘opt-out’ by using a proxy server, a VPN, or Tor.

What’s Filtered

Steve Waddington’s technical post states that the makers of the NetClean WhiteBox, Watchdog International (whose motto is appropriately ‘get the worst out of the Internet’), are supplying Exetel with a list of 198 IPs. What does it contain?

It’s a technical trial so it really doesn’t matter. If ever a law is passed that requires Exetel [to] use a list of sites then the Australian Federal [Government] would be the only issuing authority.

So we don’t know what’s on the list, but we do know that the list won’t be expanded during the course of the trial. The system only works with small blacklists, and doesn’t support any kind of dynamic filtering.

Conclusion

The key points are that Exetel is running a filtering trial with no-opt out mechanism. It’s using a blacklist of 198 unknown IPs. There is no dynamic filtering, and seemingly no plans for any trial of such technology.

It’s likely that Exetel customers won’t notice a change, other than a sinking feeling of knowing that they are one step closer to an Orwellian Australia.

This post covers recent events and may contain errors or inaccuracies. Exetel hasn’t provided an official statement detailing this trial, and much of the information posted here is from semi-official sources.
I am opposed to any plan for mandatory filtering of online content.

Tags: censorship, clean feed, politics