Reference Links:
- US Mirror - US Mirror of this document (for obvious reasons)
- Broadcasting Services Amendment (Online Services) Act 1999 - PDF format
- Broadcasting Services Amendment (Online Services) Act 1999 - HTML format
- Senate Select Committee on Information Technologies - Index
- Squid - an open source proxy server
- NLANR Cache - an open proxy hierarchy
- Anti CensorWare Proxy - Masks the URL you're accessing
- Free S/WAN - an IPSEC implementation for Linux
- PGP - International download site
- SSL - Open Source SSL implementation
- FTP by email - instructions
- BugTraq Mailing List - Web Archive
- Words filtered by iFilter - Thanks to Danny Yee
Introduction
Australia's citizens are about to be subject to content regulation on the Internet following the introduction of an amendment to existing legislation relating to broadcasting services. This legislation defines certain responsibilities for the ABA (Australian Broadcasting Authority), the OFLC (Office of Film and Literature Classification) and any company or individual providing public access to "Internet content". All rhetoric aside about "big brother" and how this legislation spells the end of free speech in this country, it is acknowledged by most if not all participants in the debate about this legislation that, for a number of reasons, it will be very difficult if not impossible to effectively stem the tide of what the government calls "illegal and offensive material".
This paper has one aim - to highlight the futility of attempting such content regulation by explicitly describing the legal means by which citizens can evade the provisions within the legislation.
Warning
I believe that all Australian laws should be in language understandable by ordinary Australians. This paper is my interpretation of the Broadcasting Services Amendment (Online Services) Act 1999 and should not be construed as anything more than this. Just as I believe what you view on the Internet should be your own responsibility, if you choose to follow any of my suggestions here, it's your sole responsibility to deal with any adverse or unforeseen consequences of those actions. That said, if you disagree with anything I've said here, feel free to contact me.
The means of evasion...
I should point out that most of these means of evasion assume that the content you want to access is outside the country and therefore beyond the effective reach of the "take down notices" mentioned in the legislation.
- Use an alternate proxy network - connect to a different proxy server on a non-standard port
- Mask web content before entering the proxy network - change some words, change some server names
- Encrypt the content - they can't regulate what they can't read
- Encrypt web content before it enters the proxy network
- Use an encrypted VPN/tunnel for streaming content
- Distribute content by means of a "company" to your "employees"
- Offer on-demand, point-to-point email access to content
- Flood the ABA with legitimate, appropriate complaints
- Use a "recognised alternative access prevention arrangement"
- Mirror content so widely as to prevent effective enforcement of the legislation
Use an alternate proxy network
You should be able to access any content you wish by connecting to a proxy server network outside Australia either directly from your browser on a port other than 80, 3128 or 8080 (the most popular proxy server ports, and the ones most likely being transparently proxied) or using a Squid-like cache internal to your network that accesses a proxy hierarchy outside Australia on a port other than 3130 (the standard ICP port).
This assumes that the government does not mandate the use of a packet level filter, regardless of how ineffective one might be at locating banned content in a stream of data passing through it and preventing access to it. If it were to do this, it would most likely be done using an industry standard able to be defined under Part 5 of the legislation.
Transparent proxying, for those unsure of its meaning, is the process of redirecting a user's outgoing web content request through a network switch capable of what's called layer 3 routing. Layer 3 routing enables the network switch to invisibly redirect the web content request away from the intended destination into a proxy server which then fetches the web content for you, assuming it's not been configured to block certain URLs or certain media types (mpg movies, for example).
Mask web content before entering the proxy network
Assume your ISP uses transparent proxying methods to pass all web content through a filter of some kind. What about masking the web content in some way at the server (aka "internet host") end such that when it passes unhindered through the proxy network, your computer can unmask the information, making it visible to you? A basic example of this, but one that only masks the URL you're trying to access, is accessible here. The Youth Alliance against Internet Censorship offers information on software for your computer that can disable a proxy server here.
Encrypt the content before it enters the proxy network
Above, I mentioned the ability to mask content on the server side before it passes through the proxy network. The same concept can be applied to any Internet content using encryption. This could be achieved using a traditional SSL-based transaction between a server and your own computer, by means of a PGP-based transaction with an appropriately configured server, or by using any other form of encryption that prevents decryption by anyone other than yourself.
Use an encrypted VPN/tunnel for streaming content
A VPN is a Virtual Private Network. It allows physically separate networks to operate in a homogenous fashion by encrypting packets at one particular "endpoint", tunnelling them (sending in a point-to-point fashion) across the internet, then decrypting them at some other "endpoint", protecting the information being passed between the two networks. A typical use of a VPN is by a company with offices in different cities or in different countries. VPN technologies are offered by a number of major networking vendors including Cisco, Bay Networks and Ascend, though usually with a fairly high price tag attached. At a more grass roots level, end users can download and use a product called SSH (Secure Shell) to give them secure network access to UNIX shells and set up encrypted tunnels between two hosts. For Linux users, the kernel comes with tunnelling code built-in and can be made secure with IPSEC patches available from the Netherlands.
Distribute content by means of a "company" to your "employees"
The legislation allows for information to be distributed to an end-user provided they are within your "immediate circle" and is described in Subclause 9(1-4):
  9 Supply to the public
  (1) This clause sets out the circumstances in which an Internet carriage service is taken, for the purposes of subclause 8(1), to be supplied to the public.
  (2) If:
    (a) an Internet carriage service is used for the carriage of information between 2 end-users; and
    (b) each end-user is outside the immediate circle of the supplier of the service;
  the service is supplied to the public.
  Note: If a company makes Internet content available for access on the Internet, and an individual obtains access to the content using an Internet carriage service, the company and the individual are end-users in relation to the carriage of the content by the Internet carriage service.
  (3) If:
    (a) an Internet carriage service is used to supply point-to-multipoint services to end-users; and
    (b) at least one end-user is outside the immediate circle of the supplier of the service;
  the service is supplied to the public.
  (4) If:
    (a) an Internet carriage service is used to supply designated content services (other than point-to-multipoint services) to end-users; and
    (b) at least one end-user is outside the immediate circle of the supplier of the service;
  the service is supplied to the public.
The thing to note here are the words "immediate circle". Jumping back up in the document to the definition, we note it refers to the Telecommunications Act of 1997. Jumping to the (rather long) definition in that legislation, we find that your "immediate circle" refers to employees if you are a company:
  Immediate circle SECT.
  (1) For the purposes of this Act, a person's "immediate circle" consists of the person, together with the following persons:
    (a) if the person is an individual--an employee of the individual;
  continued...
In theory, using this aspect of the legislation, you could create a company and employ individuals interested in the banned content you have on offer. Far fetched, but apparently possible. The definition, interestingly, would also allow a University to offer banned content to its employees and students.
Offer on-demand, point-to-point email access to content
In the early days of the commercial internet, before the invention of the World Wide Web, not everybody had access to the FTP sites that contained lots of information. The way most people got around this restriction/limitation was using a service called ftp-by-email. To use it, you'd send an email to a certain address containing a sequence of standard ftp commands, as follows:
  From: 2600 Webmaster (webmaster@2600.org.au)
  To: FTP-By-Email (ftpmail@ftp.sunet.se)

  open mirror.aarnet.edu.au
  cd pub/linux/kernel
  cd v2.2
  binary
  get README
  quit
Following the receipt of this email, any files you had requested with a "get" command would be emailed back to you. A rundown of how this (still) works can be found here.
Now, referring to the legislation, we find the following definition of "Internet content":
  Internet content means information that:
    (a) is kept on a data storage device; and
    (b) is accessed, or available for access, using an Internet carriage service;
  but does not include:
    (c) ordinary electronic mail; or
    (d) information that is transmitted in the form of a broadcasting service.
and of "ordinary electronic mail":
  ordinary electronic mail does not include a posting to a newsgroup.
Are you thinking what I'm thinking? Assuming the content is not accessible to the public by any means other than point-to-point, user-requested email, you could be very well within the law to offer content that is otherwise banned in any other forum.
Flood the ABA with legitimate, appropriate complaints
I'll start describing this means of evasion by displaying Clause 26. Take particular note of Subclause 26(2b):
  26 Investigation of complaints by the ABA
  (1) The ABA must investigate a complaint under Division 1.
  (2) However, the ABA need not investigate the complaint if:
    (a) the ABA is satisfied that the complaint is:
      (i) frivolous; or
      (ii) vexatious; or
      (iii) not made in good faith; or
    (b) the ABA has reason to believe that the complaint was made for the purpose, or for purposes that include the purpose, of frustrating or undermining the effective administration of this Schedule.
  (3) The ABA must notify the complainant of the results of such an investigation.
  (4) The ABA may terminate such an investigation if it is of the opinion that it does not have sufficient information to conclude the investigation.
Okay, so they thought people might flood them with frivolous complaints... Fair enough. But isn't it the case that every site that is not investigated by the ABA remains unregulated and therefore free? I'm sure you can put two and two together on this one.
Use a "recognised alternative access prevention arrangement"
I'll start this one by displaying two rather lengthy but important subclauses of the legislation, both of which describe possible means to evade content regulation by installing (but presumably not using) one of the currently-available end-user filtering pieces of software. Firstly Subclause 40(4-7):
  40 Action to be taken in relation to a complaint about prohibited content hosted outside Australia
  (1) - (3)
  Recognised alternative access-prevention arrangements
  (4) An Internet service provider is not required to comply with a standard access-prevention notice in relation to a particular end-user if access by the end-user is subject to a recognised alternative access-prevention arrangement (as defined by subclause (5)) that is applicable to the end-user.
  (5) The ABA may, by written instrument, declare that a specified arrangement is a recognised alternative access-prevention arrangement for the purposes of the application of this Division to one or more specified end-users if the ABA is satisfied that the arrangement is likely to provide a reasonably effective means of preventing access by those end-users to prohibited content and potential prohibited content.
  Note: For specification by class, see subsection 46(2) of the Acts Interpretation Act 1901.
  (6) The following are examples of arrangements that could be declared to be recognised alternative access-prevention arrangements under subclause (5):
    (a) an arrangement that involves the use of regularly updated Internet content filtering software;
    (b) an arrangement that involves the use of a "family-friendly" filtered Internet carriage service.
  (7) An instrument under subclause (5) is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901
and Subclause 60(3-8):
  60 Matters that must be dealt with by industry codes and industry standards
  (1) - (2)
  Designated alternative access-prevention arrangements
  (3) An industry code or an industry standard may provide that an Internet service provider is not required to deal with Internet content notified under paragraph 40(1)(b) of this Schedule or clause 46 by taking steps to prevent particular end-users from accessing the content if access by the end-users is subject to an arrangement that is declared by the code or standard to be a designated alternative access-prevention arrangement for the purposes of the application of this clause to those end-users.
  (4) An industry code developed by a body or association must not declare that a specified arrangement is a designated alternative access-prevention arrangement for the purposes of the application of this clause to one or more specified end-users unless the body or association is satisfied that the arrangement is likely to provide a reasonably effective means of preventing access by those end-users to prohibited content and potential prohibited content.
  Note: For specification by class, see subsection 46(2) of the Acts Interpretation Act 1901.
  (5) An industry standard made by the ABA must not declare that a specified arrangement is a designated alternative access-prevention arrangement for the purposes of the application of this clause to one or more specified end-users unless the ABA is satisfied that the arrangement is likely to provide a reasonably effective means of preventing access by those end-users to prohibited content and potential prohibited content.
  Note: For specification by class, see subsection 46(2) of the Acts Interpretation Act 1901.
  (6) The following are examples of arrangements that could be declared to be designated alternative access-prevention arrangements:
    (a) an arrangement that involves the use of regularly updated Internet content filtering software;
    (b) an arrangement that involves the use of a "family-friendly" filtered Internet carriage service.
  (7) For the purposes of this Schedule, if an industry code:
    (a) deals to any extent with procedures to be followed by Internet service providers in dealing with Internet content notified under paragraph 40(1)(b) of this Schedule or clause 46; and
    (b) makes provision as mentioned in subclause (3);
  then:
    (c) the code is taken to deal with the matter set out in paragraph (2)(d); and
    (d) the code is taken to be consistent with subclause (2).
  (8) For the purposes of this Schedule, if an industry standard:
    (a) deals to any extent with procedures to be followed by Internet service providers in dealing with Internet content notified under paragraph 40(1)(b) of this Schedule or clause 46; and
    (b) makes provision as mentioned in subclause (3);
  then:
    (c) the standard is taken to deal with the matter set out in paragraph (2)(d); and
    (d) the standard is taken to be consistent with subclause (2).
Now, if you've made it through all of that, you'll note a single key thing - that subject to appropriate industry codes and standards, it may be possible to have an unfiltered internet feed delivered to you if you have an end-user filtering system installed on your computer. The means of evasion here? Turn the filter off. Not exactly rocket science, is it?
Mirror content so widely as to prevent effective enforcement of the legislation
As with the two previous means of evasion, I will begin by displaying several pieces of the legislation. First up is Clause 36:
  36 Anti-avoidance - special take-down notices
  If:
    (a) an interim take-down notice or a final take-down notice relating to particular Internet content is applicable to a particular Internet content host; and
    (b) the ABA is satisfied that the Internet content host is hosting in Australia, or is proposing to host in Australia, Internet content (the similar Internet content) that is the same as, or substantially similar to, the Internet content identified in the interim take-down notice or the final take-down notice, as the case may be; and
    (c) the ABA is satisfied that the similar Internet content is prohibited content or potential prohibited content;
  the ABA may give the Internet content host a written notice (a special take-down notice) directing the host not to host the similar Internet content at any time when the interim take-down notice or final take-down notice, as the case may be, is in force.
Clause 36 appears to apply to mirrored information or, quite possibly, a website consisting of different layout/text but identical images. I'll now move onto Clauses 46 and 47:
  46 Anti-avoidance - notified Internet content
  (1) If:
    (a) particular Internet content has been notified to Internet service providers as mentioned in Paragraph 40(1)(b) of this Schedule; and
    (b) the notification has not been withdrawn; and
    (c) the ABA is satisfied that Internet content (the similar Internet content) that is the same as, or substantially similar to, the first-mentioned Internet content is being hosted outside Australia; and
    (d) the ABA is satisfied that the similar Internet content is prohibited content or potential prohibited content; and
    (e) a code registered, or standard determined, under Part 5 of this Schedule deals with the matters referred to in subclause 60(2);
  the ABA must notify the similar Internet content to Internet service providers under the designated notification scheme set out in the code or standard, as the case may be.
  (2) If:
    (a) particular Internet content is notified to Internet service providers as mentioned in Paragraph 40(1)(b) of this Schedule; and
    (b) as a result of the application of subclause (1) to that content, the ABA notifies similar Internet content to Internet service providers in accordance with subclause (1); and
    (c) the notification of the first-mentioned content is withdrawn;
  the notification of the similar Internet content is taken to have been withdrawn.
  (3) If:
    (a) a notification of Internet content is withdrawn under subclause (2); and
    (b) a code registered, or standard determined, under Part 5 of this Schedule deals with the matters referred to in subclause 60(2);
  the ABA must notify the withdrawal to Internet service providers under the designated notification scheme set out in the code or standard, as the case may be.
  47 Anti-avoidance - special access-prevention notice
  (1) If:
    (a) a standard access-prevention notice relating to particular Internet content is applicable to a particular Internet service provider; and
    (b) the ABA is satisfied that the Internet service provider is supplying an Internet carriage service that enables end-users to access Internet content (the similar Internet content) that is the same as, or substantially similar to, the Internet content identified in the standard-access prevention notice; and
    (c) the ABA is satisfied that the similar Internet content is prohibited content or potential prohibited content;
  the ABA may give the provider a written notice (special access-prevention notice) directing the provider to take all reasonable steps to prevent end-users from accessing the similar Internet content at any time when the standard access-prevention notice is in force.
  Note: The ABA may be taken to have given a notice under this clause - see clause 51.
  (2) For the purposes of subclause (1), in determining whether particular steps are reasonable, regard must be had to:
    (a) the technical and commercial feasibility of taking the steps; and
    (b) the matters set out in subsection 4(3).
  (3) Subclause (2) does not, by implication, limit the matters to which regard must be had.
  recognised alternative access-prevention arrangements
  (4) An Internet service provider is not required to comply with a special access-prevention notice in relation to a particular end-user if access by the end-user is subject to a recognised alternative access-prevention arrangement (as defined by subclause 40(5)) that is applicable to the end-user.
The means of avoidance here would be purely and simply mirroring content so widely and in so many derivative (and possibly dissimilar) forms that even the process of generating take-down notices and notifying Internet service providers would bog down the ABA and the OFLC.
Commentary
The intent of this legislation, as stated by the government, was to prevent children accessing "illegal and offensive" material on the Internet. More specifically, they made reference in various forums to pornographic material. My concern is not that responsible adults will be prevented from accessing this material, but that the legislation does not explicitly define what else might be regulated on the whim of a misguided Government minister or influential moral crusader within the ranks of the ABA or OFLC.
One example of what might be banned is the BugTraq mailing list. This list contains "full disclosure" discussions of computer software bugs, including in some cases explicit instructions on how to break into computers. What might be easily overlooked in any such government review of this material is the fact that in most cases, such information is accompanied by further instructions on how to secure any vulnerable computers.
Another oft-quoted example of how an overzealous filter might exclude important content is in the area of health. Breast cancer. Sexually-transmitted diseases. Contraception. If it's got any of the words filtered by Senator Alston's favoured filtering solution, iFilter (a number of them listed here), chances are your friendly neighbourhood ISP will be told to ban it long before you see it.
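The over-blocking described above, and the under-blocking of masked content raised earlier in the paper, can be measured on a small scale. The following is an added illustration, not part of the original paper and not iFilter's code; the word list and sample pages are constructed stand-ins, and the function names are hypothetical.

```python
import codecs
import re

# Constructed stand-in for a vendor blocklist (the real iFilter list is not reproduced).
BLOCKED_WORDS = ["breast", "sex", "exploit"]

TARGET = "Explicit sex pictures."

# Constructed sample pages: (label, text, should the policy's stated intent block it?)
SAMPLES = [
    ("health-breast-cancer", "Early screening for breast cancer saves lives.", False),
    ("health-sti", "Sexually transmitted diseases and contraception advice for teenagers.", False),
    ("place-name", "Council news for Essex and Middlesex residents.", False),
    ("security-advisory", "The advisory describes the exploit and the patch that fixes it.", False),
    ("target-content", TARGET, True),
    # Same text after a trivial reversible encoding, standing in for "masked" content.
    ("masked-target", codecs.encode(TARGET, "rot_13"), True),
]


def substring_filter(text):
    """Block if any listed word appears anywhere, even inside another word."""
    lowered = text.lower()
    return any(word in lowered for word in BLOCKED_WORDS)


def whole_word_filter(text):
    """Block only if a listed word appears as a complete word."""
    tokens = set(re.findall(r"[a-z]+", text.lower()))
    return any(word in tokens for word in BLOCKED_WORDS)


def evaluate(filter_fn, samples):
    """Return (false_positives, false_negatives) as lists of sample labels."""
    false_positives, false_negatives = [], []
    for label, text, should_block in samples:
        blocked = filter_fn(text)
        if blocked and not should_block:
            false_positives.append(label)
        elif not blocked and should_block:
            false_negatives.append(label)
    return false_positives, false_negatives


if __name__ == "__main__":
    for name, fn in (("substring", substring_filter), ("whole-word", whole_word_filter)):
        fp, fn_ = evaluate(fn, SAMPLES)
        print(f"{name:10s} over-blocked={fp} missed={fn_}")
```

Tightening the match from substrings to whole words removes the accidental hits but still blocks the health page and the security advisory, and neither variant sees the encoded copy of the content the filter was meant to stop.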
Conclusion
As you can see, there are a number of loopholes in the legislation that our government has pushed through parliament, and most of them allow a mildly intelligent citizen to quite legally evade any form of content regulation. Far from suggesting that this legislation should be heavier-handed than it already is in restricting people from accessing the information they want, I am suggesting that it should have been thrown out by the Parliament on the basis that it is fundamentally flawed and unenforceable.
Instead, and without fear tactics or moralist rhetoric, the Government could have instituted a public education campaign informing parents about the need to restrict unsupervised/unfiltered access to the Internet with young children (5-13) and begin a dialogue about personal responsibility and self moderation with older ones (13 and up). As a young person that has grown up in the midst of computers and communication technologies, I believe this would have achieved a much more productive outcome.
Feedback
Given that this is a layperson's analysis of the legislation, I invite any and all comment from similarly concerned citizens, and in particular citizens familiar with legal matters that may be able to provide further insight.
Please feel free to make comments to webmaster@2600.org.au.