Thursday, 1 August 2013

#PornGate: What could a determined small ISP do?

They want filtering to be offered even by small ISPs, so some thoughts, off the top of my head - just some ideas...

1. If they don't make legislation?

No problem - stay as we are - easy.

2. They legislate that we have to offer a choice of filtering, even default on?

So fine, we offer filtering on the order form, but at present, like almost any other business, we do not have to actually accept an order from a new customer. We can choose our customers, so we simply choose not to accept any orders where filtering is requested. As long as our choice is not discrimination on race or sex (neither of which we know or ask) then that should be fine.

Forcing someone to take all customers would be a huge step in any legislation. At present there are very few cases that force that on anyone (BT universal service obligation, for example).

3. They legislate that existing customers have to have the option?

Again, at present, we have the choice to stop providing services to anyone. So simple - ask for filtering and we stop supply. There may be a slight issue with minimum-term services.

4. They don't say the filtering is free?

Fine, filtering available at £1,000,000 a month - please do choose it.

5. They somehow legislate that we cannot discriminate based on filtering choice and have to take the order and not cancel it for this reason?

OK, so the filtering is "no packets pass", after all it is the only way to be sure. We have that system in place now (for credit control). Pick the option if you like.

6. Somehow they define that we have to provide access to some of the Internet in the filtered service?

That would be harder - but we'd be able to block the Daily Mail, right? Could the service only be to Claire Perry's web site (yes, I know that has a risk of seeing porn, but probably OK now)? It would not be hard to comply by allowing only a very slim set of whitelisted IP endpoints, and the service would be useless, so nobody picks the option.

7. Somehow they insist that the filtered service accesses all legal content not on the filtering list?

That would be interesting, as lots of ISPs do not allow access to www.loopsofzen.co.uk at present as it is IPv6 only - that would be a fun law to force all ISPs to provide access.

But suppose we had to filter - does the law apply to us?

8. Really somehow forced to do a filtered service

One really simple answer is we sign up as a BT Retail or TT Retail reseller. Anyone asking us for filtered broadband gets put on one of their retail services, with the filtering, with us as the reseller. This keeps the A&A service unfiltered. This is the same as the choice people have now - picking a filtering service from one ISP or picking an ISP with no filtering. Forcing us to filter does not really mean we have to, it just means we get to make a mark-up on someone else's service. Totally daft and pointless.

9. Not apply to business lines?

I think that is the case, so we could be a "business only" ISP, or maybe we include the creation of a Ltd Company in the price for non-business customers. After all, a Limited Company can be created on-line and have its annual return and simple accounts all filed by a script. Could be a new business opportunity for us, and is only a few pounds more a year in cost.

10. Not apply to staff lines?

So what if it is not applicable to a business providing Internet for employees? Oddly enough, the recent changes for HMRC and RTI and BACS mean we could automate having lots of employees. We could make every customer an employee - only working for us for a few minutes a month or so, on a salary of a few pence. It would not actually cost us anything to do this as we would automate it all.

Legislating that companies have to filter for employees would have a huge impact.

11. What about a private club?

We have considered this before, and even asked OFCOM (who were very non-committal). We could create a friendly society, non-profit, member-owned, and provide Internet only to members. Obviously we would get the existing customers to join.

With suitable membership rules (perhaps simply a membership veto on new members) it would be the case that a member of the public cannot automatically get service just because they order. In practice, almost all people would, I am sure, but there would be no guarantee.

That takes us out of most of the rules and legislation as we would not be a public communications provider. Covering every private club would be hard.

12. Other ideas

What if we only provide L2TP handover (like BT wholesale) and the ISP is off shore?

What if transit providers are forced to filter (really?) and we have to run transit via a tunnel to off shore?

What if BTW start filtering in the L2TP (really?) and we have to start running encrypted PPP links?

What if we just start selling off shore tunnel endpoint services direct to end-user routers? Some small broadband routers can do IPsec these days. That would be an interesting business model.

26 comments:

  1. I really doubt they'll make it mandatory for small ISPs. It'd be difficult to push through parliament (esp. with more pressing concerns like the pending general election) as nobody really wants it.

  2. What if BT (Or Be or TalkTalk) under Political pressure, decide to apply any of your points 2 through 5, to the services they're supplying to A&A ?

    1. As I say at the end - we start doing obfuscated or encrypted PPP.

    2. I actually meant "what if they just decide they don't want you as customers anymore" as opposed to putting in filtering in the middle.

    3. D'Oh, sorry, I see what you mean - fortunately there are a choice of providers now, and we can cover 88% of the population via TalkTalk. I think, for some parts of the country they have to take us as a customer (where BT have a monopoly) so covering the remaining 12%. It is an interesting idea though, I agree.

  3. Sell DSL access to a private network consisting of the A&A site only. That means that all connectivity is in effect filtered, and you're selling IP but not Internet access for endpoint connectivity.
    Then offer a bundle of L2TP connectivity for Internet breakout. If that needs to be abroad/from a different company, then so be it. (Actually, if you were able to set up a US subsidiary in any case that'd be great - access to US based geoIP services but from a quality provider)

    This way, we can still use you for the last mile with your service levels.

    1. I already wondered if the offering of L2TP access as a tail (as BT do for WBC) with choice of connection to separate company offering L2TP/IP connectivity could be useful. The ISP (L2TP/IP) provider need not have any contract with the end users and so not know their details to associate with an IP address. The L2TP access company would know end user details but may choose not to pass any circuit ID to the L2TP/IP companies. That would avoid some of the Data Retention stuff and some of the Digital Economy stuff and may even avoid some of this. The L2TP/IP may have no contract with any end user and so not count as a "provider" at all.

  4. Of course, they'll have to define "Internet Service Provider" (and possibly "the internet"). Could you offer a "Wide area network connectivity service" instead or a "VPN endpoint provision" and the other end of the VPN terminates on "normal" internet routers (with Draytek routers, and many others, supporting VPN "out of the box" most customers might not notice any difference apart from you being able to say "Data encrypted over the BT backbone for your privacy and security").

  5. Why not allow the sale of connection to go through with a warning that "your connection to the internet will be filtered", the "filtering" takes people to a single page that states "your connection is filtered, the websites you can access are: $ThisPage. To opt out of filtering and enable access to the rest of the internet, click the button below."

    Button enables un-filtered access, and it's "default on" (urgh) works. :-)

  6. Another option for consideration for your list would be to examine the manner in which the obligation is imposed, and the end obligation itself, to check conformity with the EU communications framework.

    Since communications in Europe are regulated on a "general authorisation" basis (article 6, directive 2002/20/EC), and the framework sets out limitations on what Member States can impose as part of the general authorisation conditions — both in terms of the proportionality and transparency of the obligations, and that the obligations must come from a fixed list of obligations too, there may — depending on how things are done — be scope for a challenge that the requirement falls foul of the limitations of what can be ordered on a provider.

    Even though this may come through as a separate piece of legislation, a la Digital Economy Act, rather than a modification to the UK's general conditions of entitlement, the effect — an obligation on providers — would seem to be the same. I would need to check the details of BT's appeal against the DEA to see if this was brought up before the courts then and, if so, whether it was given short shrift or not.

    The limited list of what can be imposed (annex A to directive 2002/20/EC) contains 19 items, and only one of them would seem to be potentially applicable here: item 8, consumer protection.

    Given the general make-up of A&A's customer base, it might be interesting to consider arguments that the measure does not offer them protection, since they are already warned up front — "reminded" might be a better term — that the Internet contains both nice and nasty things, and that subscribers of the service are empowered to take their own steps to control what they do and do not wish to access.

    Even if it were still argued to be a "consumer protection" measure, there is the question of proportionality — the cost of implementing the measures and the wider impact on the ISP (which might include damage to reputation?) versus the benefit to end users. If, as above, A&A's customers are generally more technically adept than most, and buy services from A&A because of the technical benefits and control for doing so, is the imposition of the obligation proportionate, or is it incumbent on the legislature to ensure that the obligation only falls on those who have a wide customer base in need of this "protection"?

    It would need some more thinking — and probably some early lobbying, as well as potential funding for litigation, which might be a showstopper — but might be something to consider.

  7. Don't make us all employees, the SA tax return implications don't bear thinking about!

  8. I suspect that you won't like this, but to stay out of trouble, why not simply offer filtering, charge plenty for it (£25 per month) and get someone else whose core business this is to do it for you (if anyone wants it)? Could be quite tricky to force small, specialist ISPs to do this for free.

    Failing that, I like the L2TP and offshore options.

  9. Item 4 sounds good. £10 discount if you do not want the internet filter. The object would be to de-stigmatize the clicking on the "so you admit you are a paedophile" button.

  10. With the current (lack) of knowledge of the people "in charge" I really doubt they will be able to make the difference between IPSec, L2TP and PPP; I'm sure the law would be generic enough and probably full of shortfalls and opportunities to work around it.

    The fun part is 1) Push people towards encryption and off shore termination / VPN to avoid filter and 2) at the same time flag anything encrypted as a potential terrorist risk that GCHQ should keep indefinitely / until they can decrypt it.

    I'm gone buying some storage vendors shares :-)

  11. I'd quite like to opt into filtering please - but please only filter out spam, junk email, advertising, scams and popups.
    Why is it they are not talking about blocking those? You know, something useful?

  12. I wish to support your stance in any way I can. How would obfuscated/encrypted ppp work in terms of hardware? Give every customer a firebrick?

    1. I am sure there are routers that will do this, as a firebrick for every customer is likely to be too expensive, but something we could investigate if needed.

    2. FB105s retasked as ppp bridges? Or are they not fast enough.

  13. Is Cameron's proposal that specific urls or IPs (or erm something interwebby) have to be blocked and these are specified by the government? Or can the ISP have a filter database whose contents are chosen by the ISP or the customer?

    Letting the customer block some IPs or domain names by having a new per-customer setting in clueless could of course actually be really really useful, no? Surely this Camoronic measure only becomes evil state censorship if the customer can't control the contents of the filter database.

    1. The evil is that, in order to do that, we have to put in place some sort of filtering, possibly at URL level.

      The second we have that in place it can be abused - new laws saying some things have to be filtered by all ISPs get little opposition as it is not extra expense for ISPs now, just an extra line in a list.

      Also, it means courts can order blocks as the ISP has virtually no cost adding the blocks to the list.

      Censorship becomes normal and easy and we then move to the next "reasonable measures", one small step at a time.

      As they say: "And then they came for me". You have to stop censorship at the start!

    2. If there’s some way that I can offer practical support then just shout. Many other AA customers will feel the same way and need to stand up and be counted.

  14. What would your thoughts be on DNS-only filtering? I use OpenDNS on my router at home to filter out the nasties, and have a very simple ACL that blocks all DNS traffic that isn't destined to the router itself.

    If ISPs (or even router manufacturers) started building this in as a standard option, it would achieve the basic objectives of the policy, whilst still allowing customers to override it themselves (it could be a simple checkbox in the router settings). Granted, this wouldn't be difficult to get round, but neither would any other form of filtering (unless the Government also intend to ban VPNs).

  15. Adrian,

    I'm not entirely clear on the implications of the possible new law and so am having difficulty taking a clear view.

    Key for me is whether or not ISPs will be required to inspect the content of Internet traffic in order to implement the required "filtering". I'm entirely opposed to this as it would provide a platform for uncontrolled Internet censorship at the whim of Government. We've had enough knee-jerk reactions to news stories for this to be a valid concern.

    However, if the legislation can be satisfied only by adjustment to AAISP's nameservers then I'm not so worried. I imagine in this case your nameservers would parse a list of banned target sites and instead serve the address of a "Don't go here page" hosted at AAISP.

    I'd be interested to hear your views on a solution like this which could be switched by a user-controlled filtering flag. It seems simple and workable to me?

    1. Again we get back to the fact that such services already exist and are available to everyone now - so what is the problem! Generally such systems are also trivial to bypass, so again we have the question of why bother.

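The nameserver approach raised in comments 14 and 15, sketched as an added example (not part of the original post or comments, and not A&A's code): a per-customer flag decides whether names on a blocklist resolve to a block page. The block-page address, list contents and function names are all constructed for illustration.

```python
# Added illustration: names, addresses and the blocklist below are constructed.
from typing import Optional

BLOCK_PAGE_IP = "192.0.2.1"  # hypothetical "Don't go here" page (TEST-NET-1)

def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def load_blocklist(text: str) -> set:
    """Parse one domain per line; '#' starts a comment; blank lines ignored."""
    domains = set()
    for line in text.splitlines():
        entry = normalise(line.split("#", 1)[0])
        if entry:
            domains.add(entry)
    return domains

def matched_rule(qname: str, blocklist: set) -> Optional[str]:
    """Return the listed domain covering qname, matching on label boundaries."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def answer(qname: str, upstream_ip: str, filtering_on: bool, blocklist: set) -> str:
    """Address the nameserver would serve for this customer's A query."""
    if filtering_on and matched_rule(qname, blocklist):
        return BLOCK_PAGE_IP
    return upstream_ip

SAMPLE_LIST = """
# constructed sample list
blocked.example
Ads.Example.NET.   # mixed case and root dot are normalised
"""
BLOCKLIST = load_blocklist(SAMPLE_LIST)

if __name__ == "__main__":
    for name in ("www.blocked.example", "notblocked.example", "example.net"):
        for flag in (True, False):
            print(name, flag, answer(name, "198.51.100.7", flag, BLOCKLIST))
```

Matching on whole labels keeps `notblocked.example` from being caught by the rule for `blocked.example`, and the filter only applies to customers whose queries reach this nameserver.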
  16. Block any non-TOR traffic and help-pages that detail how to get TorBrowser, or similar.
