Why It’s Legal to View Prohibited Content

‘Prohibited content’ suggests content that is illegal to view or possess. In fact, it is a legislative term that includes all content classified RC or X 18+ and some content classified R 18+ and MA 15+.

Censored rubber stamp

There’s been some confusion surrounding the government’s use of the phrase ‘prohibited content’ to describe what’s on the ACMA blacklist.

The phrase suggests content that is illegal to view or possess, and that misconception is furthered by Senator Stephen Conroy’s constant references to the contents of the ACMA blacklist as being mostly child pornography and the ‘worst of the worst’.

In fact, ‘prohibited content’ is a legislative phrase defined in clause 20 of schedule 7 of the Broadcasting Services Act 1992 (Cth). Briefly, it is—

  • content rated RC or X 18+;
  • content rated R 18+ and not subject to a restricted access system; and
  • content rated MA 15+ provided by certain commercial services and not subject to a restricted access system.

When ACMA finds prohibited content hosted overseas, it adds it to its blacklist. The procedure dealing with Australian hosted content is different, and I don’t propose to deal with it in this post. (I deal with it here.)

Under the present system, the ACMA blacklist is provided to the makers of IIA Family Friendly Filters. ISPs have an obligation to provide those filters to their customers at cost on an opt-in basis or face fines of up to $27,500 per day.

No other (relevant) legal consequences flow from content hosted overseas being ‘prohibited content’. Thus, it’s not illegal to view, distribute, or provide access to online content merely because it’s prohibited content.

The caveat is that accessing or distributing certain content is illegal for other reasons. The most obvious example is that it’s illegal to produce, disseminate, or possess child pornography.

Below, I have posted a detailed look at the law that governs what ends up on the ACMA blacklist and what ISPs must do about content on that blacklist.

What Is Prohibited Content?

The general definition of ‘prohibited content’ is found in clause 20(1) of Schedule 7 of the Broadcasting Services Act 1992 (Cth). That subclause provides that generally content is ‘prohibited content’ if—

  • (a) the content has been classified RC or X 18+ by the Classification Board

In other words, all content refused classification or rated X 18+ by the Classification Board is prohibited content.

  • (b) both:
    • (i) the content has been classified R 18+ by the Classification Board; and
    • (ii) access to the content is not subject to a restricted access system

Content rated R 18+ by the Classification Board is prohibited content unless access to it is subject to a restricted access system.

Under clause 14, ACMA has power to declare what is a ‘restricted access system’ in relation to particular classes of content. The most recent declaration is the Restricted Access System Declaration 2007.

It provides guidelines that specify risk analysis factors that content providers must consider when assessing whether particular evidence is sufficient to verify the age of a person applying to access the content. See here for more information.

  • (c) all of the following conditions are satisfied:
    • (i) the content has been classified MA 15+ by the Classification Board;
    • (ii) access to the content is not subject to a restricted access system;
    • (iii) the content does not consist of text and/or one or more still visual images;
    • (iv) access to the content is provided by means of a content service (other than a news service or a current affairs service) that is operated for profit or as part of a profit-making enterprise;
    • (v) the content service is provided on payment of a fee (whether periodical or otherwise);
    • (vi) the content service is not an ancillary subscription television content service; or
  • (d) all of the following conditions are satisfied:
    • (i) the content has been classified MA 15+ by the Classification Board;
    • (ii) access to the content is not subject to a restricted access system;
    • (iii) access to the content is provided by means of a mobile premium service.

These last two paragraphs essentially provide that content classified MA 15+ by the Classification Board provided by certain commercial services is prohibited content unless access to it is subject to a restricted access system.

What If the Content Isn’t Classified?

Each of the subclauses above refers to content having been classified by the Classification Board. Since most Internet content wouldn’t be so classified, clause 21(1) provides:

  • For the purposes of this Schedule, content is potential prohibited content if:
    • (a) the content has not been classified by the Classification Board; and
    • (b) if the content were to be classified by the Classification Board, there is a substantial likelihood that the content would be prohibited content.

ACMA’s relevant powers in relation to content hosted overseas are the same with respect to prohibited content and potential prohibited content.

Eligible Electronic Publications

The definition of ‘prohibited content’ in clause 20(1) does not apply to eligible electronic publications. An ‘eligible electronic publication’ is an electronic version (or an audio recording) of a book, magazine, or newspaper that is or was available to the public in Australia.

A more constrained definition of ‘prohibited content’ is provided in clause 20(2) in relation to eligible electronic publications:

  • For the purposes of this Schedule, content that consists of an eligible electronic publication is prohibited content if the content has been classified RC, category 2 restricted or category 1 restricted by the Classification Board.

The definition of ‘potential prohibited content’ in clause 21(1) is correspondingly constrained in relation to eligible electronic publications by clause 21(2):

  • … content is not potential prohibited content if:
    • (a) the content consists of an eligible electronic publication; and
    • (b) the content has not been classified by the Classification Board; and
    • (c) if the content were to be classified by the Classification Board, there is no substantial likelihood that the content would be classified RC or category 2 restricted.

Why, for example, an electronic version of a printed newspaper should be treated differently than an online-only news website is not clear.

What’s Prohibited about Prohibited Content?

I’m only dealing with content hosted overseas in this post. And clause 40(1) of Schedule 5 answers this question in relation to such content:

  • If, in the course of an investigation under Division 2 of Part 3 of Schedule 7, the ACMA is satisfied that Internet content hosted outside Australia is prohibited content or potential prohibited content, the ACMA must:
    • (a) if the ACMA considers the content is of a sufficiently serious nature to warrant referral to a law enforcement agency (whether in or outside Australia)—notify the content to: [police or an authorised person or body]

The above is fairly straightforward. The next paragraph is the most important.

  • (b) if a code registered, or standard determined, under Part 5 of this Schedule deals with the matters referred to in subclause 60(2)—notify the content to Internet service providers under the designated notification scheme set out in the code or standard, as the case may be

Part 5 authorises bodies and associations that represent ISPs to make codes dealing with certain matters. Those codes may be registered by ACMA. If there is no code, ACMA can determine a standard (basically a code, except that it’s made by ACMA). Why is this code or standard so important?

  • (c) if paragraph (b) does not apply—give each Internet service provider known to the ACMA a written notice (a standard access-prevention notice) directing the provider to take all reasonable steps to prevent end-users from accessing the content

In other words, ACMA already has the power to direct ISPs to block prohibited content and potential prohibited content, but only so long as there is no code or standard under Part 5 dealing with the clause 60(2) matters.

What Are Clause 60(2) Matters?

Those matters are found in paragraphs (c) and (d) of clause 60(2), which provides—

  • The Parliament intends that, for the Internet service provider section of the Internet industry, there should be:
    • (a) an industry code or an industry standard that deals with; or
    • (b) an industry code and an industry standard that together deal with;
    each of the following matters:
    • (c) the formulation of a designated notification scheme;
    • (d) subject to subclause (8A), procedures to be followed by Internet service providers in dealing with Internet content notified under paragraph 40(1)(b) of this Schedule or clause 46 (for example, procedures to be followed by a particular class of Internet service providers for the filtering, by technical means, of such content).

(Subclause (8A) simply provides that the Minister can declare that filtering is not viable in relation to particular devices, like mobile phones.)

In other words, clause 60(2) allows a code or standard to provide that, instead of ACMA issuing a standard access-prevention notice, some other procedure will be followed when ACMA finds prohibited content or potential prohibited content hosted overseas.

The Internet Industry Association (IIA) has made such a code. The most recent version is the Internet Industry Codes of Practice 2005, and it’s registered by ACMA here.

Clause 19 of this Code provides an opt-in scheme, whereby ISPs provide IIA Family Friendly Filters at cost to customers who request them. This effectively replaces the access-prevention notice regime, which would otherwise be mandatory, with an opt-in system.

What Are ISPs’ Obligations?

If there were no registered code or standard dealing with the clause 60(2) matters, ACMA would have the power to issue access-prevention notices. Clause 48(1) then provides—

  • An Internet service provider must comply with a standard access-prevention notice that applies to the provider as soon as practicable, and in any event by 6 pm on the next business day, after the notice was given to the provider.

However, ACMA doesn’t have that power because there is a code dealing with the clause 60(2) matters. Compliance with that code is effectively mandatory. Clause 66 provides—

  • (1) If:
    • (a) a person is a participant in a particular section of the Internet industry; and
    • (b) the ACMA is satisfied that the person has contravened, or is contravening, an industry code that:
      • (i) is registered under this Part; and
      • (ii) applies to participants in that section of the industry;
    the ACMA may, by written notice given to the person, direct the person to comply with the industry code.
  • (2) A person must comply with a direction under subclause (1).

Clause 72 similarly provides that a person must comply with any applicable ACMA standard.

What Are the Penalties?

Clause 79 provides that the clauses requiring compliance with access-prevention notices, codes, and standards are online provider rules. Clause 82 then provides—

  • (1) A person is guilty of an offence if:
    • (a) an online provider rule is applicable to the person; and
    • (b) the person engages in conduct; and
    • (c) the person’s conduct contravenes the rule.
    Penalty: 50 penalty units.
  • (2) In this clause:
  • engage in conduct means:
    • (a) do an act; or
    • (b) omit to perform an act.

Section 4AA(1) of the Crimes Act 1914 (Cth) defines ‘penalty unit’ as $110. And section 4B(3) of that Act provides that the maximum penalty is five times the specified amount when the person convicted is a body corporate. Thus, the maximum penalty here is $5,500 for an individual and $27,500 for a body corporate.

Finally, clause 86 provides—

  • A person who contravenes clause 82 or subclause 83(4) is guilty of a separate offence in respect of each day (including the day of a conviction for the offence or any later day) during which the contravention continues.

In other words, the maximum penalty for failing to comply with an access-prevention notice, code, or standard is $5,500 for each day of contravention for an individual and $27,500 for each day of contravention for a body corporate.

Conclusion

Presently, the obligations of ISPs in relation to the ACMA blacklist of prohibited content and potential prohibited content hosted overseas end with provision of IIA Family Friendly Filters at cost to customers who request them.

It’s also notable that the existing legislation could provide for mandatory filtering if the existing code is, at least to the extent that it deals with the clause 60(2) matters, removed (though that’s unlikely given ISPs’ resistance to mandatory filtering).

I hope that explains how the ACMA blacklist works in relation to overseas content. In a future post, I’ll cover ACMA’s powers in relation to prohibited content and potential prohibited content hosted in Australia.

While I have attempted to write this post without bias, I am opposed to any plan for mandatory filtering of online content.
This post is not intended as legal advice. I make no representations whatsoever as to its quality, and will not be liable for any loss, injury, or damage howsoever resulting from it. Seek independent legal advice.


Tags: ACMA, ACMA blacklist, Broadcasting Services Act 1992 (Cth), censorship, clean feed

Classification Board Website Hacked

Three versions of the ACMA blacklist have leaked to Wikileaks. Then it was revealed that anyone could extract the blacklist from the Integard filter in a 30-second hack. Now the Classification Board website has been hacked:

Hacked Classification Board website

The text on the homepage has been replaced with the following:

This site contains information about the boards that have the right to CONTROL YOUR FREEDOMZ. The Classification Board has the right to not just classify content (the name is an ELABORATE TRICK), but also the right to DECIDE WHAT IS AND ISNT APPROPRIATE and BAN CONTENT FROM THE PUBLIC. We are part of an ELABORATE DECEPTION from CHINA to CONTROL AND SHEEPIFY the NATION, to PROTECT THE CHILDREN. All opposers must HATE CHILDREN, and therefore must be KILLED WITH A LARGE MELONS during the PROSECUTION PARTIES IN SEPTEMBER. Come join our ALIEN SPACE PARTY.

Wouldn’t it have been ironic had the hackers elected to post the leaked ACMA blacklist on the site and then report the site to ACMA?

Update: The first report of the hack was made at around 8:00 pm AEDT on 26 March 2009. At around 11:30 pm AEDT, the site started returning HTTP status code 400, ‘Bad Request’. On 29 March 2009 at around 3:00 pm AEDT, the site started refusing connections altogether.

Now, on 31 March 2009 at around 6:40 pm AEDT, the site is back up, albeit showing only a temporary placeholder page.

Classification Board website placeholder

Near the head of the page is this:

Important note: We are currently upgrading our website and some features are temporarily unavailable. We apologise for any inconvenience caused.

It took five days to get to this stage.

Update: On 24 March 2009, nearly a full month after the site was hacked, an overhauled version of the site is finally back online.

Source: _miw on Twitter.


Tags: censorship, clean feed, defaced sites, security

Commonwealth Insecurity: Banking over HTTP

CommSec uses a non-SSL frameset to deliver sensitive financial data. You never know (without some digging) whether the content frame is at the www.commsec.com.au domain and whether it’s using SSL or not.

In June 2008, CommSec introduced an integrated banking and trading solution. The idea is that you can do all of your securities trading and all of your banking using the one website. And you get a tastefully designed CommSec Debit MasterCard too. Why wouldn’t you sign up?

Logging In

You arrive at the CommSec website. You’re greeted by the CommSec homepage sitting comfortably underneath a green address bar.

CommSec homepage

Protected by an Extended Validation Certificate, you enter your Client ID and password. You’re taken to the next page.

CommSec members only page

Your browser prompts you to remember your password. That’s okay, though, because CommSec uses a second password, one that you can’t save, when you actually want to execute a financial transaction. But what else is missing?

CommSec page corners

Oops. We’ve lost the SSL. And this appears to be by design.

Broken by Design

CommSec uses frames. The navigation bar is in one frame and the content is in another. The content frame uses SSL only when the content is sensitive. For example, it uses SSL when displaying account balances, but not when displaying market prices.

CommSec frames

But the parent page and the navigation frame never use SSL. Since the link to, say, ‘Cash Management’ is itself on an unsecured page, a man in the middle can change the link to point anywhere.

That means you never know where you’ll go when you click ‘Cash Management’. And since you never know (without some digging) whether the content frame is at the www.commsec.com.au domain or whether it’s using SSL, you’ll never know whether it’s safe to enter your details there.

Mitigating Factors

CommSec’s site has some characteristics that make man-in-the-middle attacks more difficult. First, the authentication cookie is an SSL-only cookie.

CommSec authentication cookie

A man in the middle cannot, therefore, acquire that cookie. He or she would need to use some social engineering to get your credentials. For example, the man in the middle could prompt you for your Client ID and password. You’re likely to trust such a prompt, since you came to the site independently and CommSec does itself prompt for such confirmation.

CommSec trade confirmation

The second mitigating factor is that CommSec uses (optional) SMS security. Whenever you make a payment to a third party (and in certain other circumstances), CommSec will send you a one-time code to your mobile phone.

CommSec SMS authorisation code

But, again, social engineering should work. A man in the middle can merely ask you for the code when you go to check your balances, or your details, or when you attempt to perform some transaction.
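The two weaknesses and the one real mitigation above can be checked mechanically. The following is an added example (not CommSec’s markup or code); it parses a frameset and flags a frame that is loaded over plain HTTP (a man in the middle can rewrite its links) or an HTTPS frame whose parent page is HTTP (the browser shows no lock, so the user cannot see that it is secure), and it checks whether a Set-Cookie header carries the Secure attribute, which is what makes the authentication cookie SSL-only. The sample page URL, host name and cookie are constructed placeholders.

```python
"""Audit a frameset for HTTPS content hidden inside an HTTP parent page.

Added example, not the site's own code. The sample HTML below is constructed
to mirror the layout described in the post: an HTTP parent page, an HTTP
navigation frame and an HTTPS content frame.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FrameCollector(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_frames(page_url, html):
    """Return (frame_url, finding) pairs for each frame in the page.

    Findings:
      'insecure-frame'  frame fetched over plain HTTP; a man in the middle can
                        rewrite the links it contains (the navigation frame).
      'hidden-https'    HTTPS frame inside an HTTP parent; the address bar shows
                        no lock, so the user cannot tell the frame is secure.
      'ok'              HTTPS frame inside an HTTPS parent.
    """
    parser = _FrameCollector()
    parser.feed(html)
    parent_scheme = urlsplit(page_url).scheme
    results = []
    for src in parser.sources:
        frame_url = urljoin(page_url, src)  # resolve relative frame sources
        scheme = urlsplit(frame_url).scheme
        if scheme != "https":
            results.append((frame_url, "insecure-frame"))
        elif parent_scheme != "https":
            results.append((frame_url, "hidden-https"))
        else:
            results.append((frame_url, "ok"))
    return results


def cookie_is_secure(set_cookie_header):
    """True if the Set-Cookie header carries the Secure attribute, meaning the
    browser will only send the cookie over HTTPS (an 'SSL-only' cookie)."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "secure" in attributes


# Constructed sample: HTTP parent frameset, HTTP navigation frame, HTTPS
# content frame. The host is a placeholder, not the real site.
SAMPLE_PAGE_URL = "http://www.example-broker.test/members/"
SAMPLE_HTML = """
<frameset cols="200,*">
  <frame name="nav" src="/members/nav.html">
  <frame name="content" src="https://www.example-broker.test/members/balances">
</frameset>
"""
SAMPLE_SET_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"  # constructed

if __name__ == "__main__":
    for url, finding in audit_frames(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding:15} {url}")
    print("auth cookie Secure:", cookie_is_secure(SAMPLE_SET_COOKIE))
```

Run against the constructed sample, the navigation frame is reported as `insecure-frame` and the balances frame as `hidden-https`; only when the parent page itself is served over HTTPS does a frame come back `ok`, which is the fix the post is asking for.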

Conclusion

Delivering sensitive information over HTTPS within an HTTP frame is just bad design. It hides the nature of the connection from the user, who then has no way of telling whether the information is being sent securely or not.

From the perspective of the user, an attack might look like this: they type the CommSec URL, making sure to include https://. They see a green address bar. They log in. They’re taken to an HTTP page (as they always have been). They click the ‘Cash Management’ link, but they’re prompted to confirm their identity first by entering their details and then an SMS code. Having no reason to suspect the site, having accessed it over HTTPS with a green bar, they enter their details. They’re taken to their cash management page. Only now there are several thousand dollars missing.

I understand that there are performance considerations for delivering market data, charts, etc. over SSL, but this kind of design is unacceptable. It confuses already confused users, making social engineering too easy.

Steve Gibson would roll over in his grave, if it weren’t for the fact that he’s still alive doing a great security podcast.


Tags: CommSec, online banking, security, SSL

iTunes 8.1 Takes 8.1 Seconds to Load

iTunes takes 7–8 seconds to load, compared to about 1 second for each of Windows Media Player 12, Microsoft Office Word 2007, and Firefox 3.0.7.

On 11 March 2009, Apple released iTunes 8.1. ‘Faster. Smarter. Better.’ Or so Apple claims. In particular, Apple provides this snippet:

Speed improvements

iTunes gets a speed boost. Now when it comes to loading large libraries, browsing the iTunes Store, and syncing your devices, iTunes responds faster than before.

I suppose ‘speed boost’ means that it’s faster, not fast.

I’m running Windows 7 Beta x64 on an Intel X3350 (four 2.66 GHz cores) with 8 GB of memory. iTunes 8.1 takes 7–8 seconds to load. That’s unacceptable. By comparison, Windows Media Player 12, Microsoft Office Word 2007, and Firefox 3.0.7 each take less than one second to load.

iTunes 8.1 left in the dust by a snail

Not only that, but once it loads it’s hopelessly unresponsive. When you click on an item in the sidebar to change to another view, such as Music, Podcasts, or Applications, iTunes appears to do absolutely nothing for half a second or so.

iTunes 8.1 did improve performance in some areas, though. For example, TG Daily reports that iTunes Plus songs download noticeably faster now. And Kirk McElhearn reports that iTunes now rips CDs and sets tags faster. That’s great.

But long progress bars when performing batch operations are not the fundamental problem. It’s the slow, unresponsive interface that makes the user experience unbearable.

Apple needs to drop the layer of bloat that translates Mac OS X system calls to their Windows equivalents, and write a native Windows iTunes interface that just works.

Original snail photo by Camy West licensed under Creative Commons Attribution 2.0 License modified to include iTunes logo.


Tags: iTunes

BigPond Cable: 80 min for $140, Excess $1.88/sec

Telstra recently announced that it will upgrade its BigPond cable service in Melbourne to 100 Mbps by Christmas 2009. Big deal.

BigPond: Freedom

Somehow, this news has excited some people. Alan Kohler, for example, writes, ‘Telstra’s decision to upgrade its cable definitely now means that the National Broadband Network won’t get built.’

Two problems immediately come to mind. First, you’ll never see those speeds. Even if you’re in an area that can get the upgraded cable service, the 100 Mbps is shared between a number of households. You can get the full 100 Mbps only if none of those households is using its cable broadband.

Second, if you’re ever lucky enough to see those speeds, you won’t see them for long. BigPond’s $139.95 cable plan includes only 60 GB of usage (uploads and downloads). At 100 Mbps, that lasts 80 minutes. Excess usage is charged at $1.88 per second.

Incidentally, Next G has the same problems, except that it’s slower and even more expensive. At its peak speed of 21 Mbps, the 10 GB you get for $129.95 lasts only 63 minutes. Excess is charged at $0.66 per second. Keep that in mind next time Telstra brags that its Next G network provides 21 Mbps to 99% of the Australian population.

Fast speeds seem to be more important to broadband users than large quotas. Perhaps that accounts for how little has been said about increasing download quotas in the context of the National Broadband Network debate.

But it should be obvious that increasing speeds without increasing quotas won’t enable the bandwidth-intensive applications that the government hopes to enable.

Original whale clipart from Clker.com. Original glass clipart from Clker.com.


Tags: BigPond, broadband, NBN