Why Content Filtering doesn't work and is bad and wrong.

It is difficult to sum this up succinctly, so bear with me.

I am first of all NOT complaining about private content filtering by "Net Nanny" style software that runs on an individual computer or corporate or educational network. Those systems are private and the owner/administrator is and *should* be free to run any software they like.

There are those people out there who want the internet "sanitized". It can't be done, sorry. Yes, I realize there is a lot of information out there that may be offensive to one group or another, and indeed, some that is almost universally reviled. (Think child porn here, as that is the most common reason for content filtering by ISPs.) OK, now I made you go "EWWW"... I will try to explain why blocking their site just won't work.

Think for a second about the way the internet works. I'll deal with the web first.

You request, say, http://www.dirtysite.example/naughty/filename.jpg. (Here the term "request" means a request made by your web browser; this may have been triggered totally without you knowing, as in a popup ad or a JavaScript "onLoad" statement, or any number of alternatives, as well as by deliberately clicking a link or typing the address into your web browser.)

Your web browser then does a "DNS" lookup for the IP address of the server. The internet works on IP addresses, not domain names, hard as this may be to believe. Every host domain has an equivalent number, in the famous dotted quad form of xxx.xxx.xxx.xxx where xxx is somewhere between 0 and 255 inclusive, with exceptions and modifications and "not in this case"s... (RFC 1597) In some cases, many hosts can have the same numerical address with the server deciding what particular page to serve up depending on the requested hostname. This is known as virtual hosting.

Anyway, your web browser gets told that "www.dirtysite.example" is say (yes I know that's a non-routable loopback address, and everyone watching movies knows 555-xxxx numbers aren't real, shhhh.. or maybe they are ←Warning, 10,000 numbers). Your web browser then goes to and asks for the file /naughty/filename.jpg. THIS is where it gets difficult to block things. Under the HTTP 1.1 standard, your web browser sends a host header of "www.dirtysite.example", which allows the server (if it is doing virtual hosting) to make sure it sends back the correct file. That matters because www.perfectlyinnocentsite.invalid might also be hosted on the same machine: web hosting companies typically do not have the time or resources to check every single file that gets uploaded to their servers, and indeed, if any DID, nobody would use them because it would take away from the high speed at which changes can be made.

I am sure it will become clear from the example, that if your ISP simply blocks, they will be blocking www.dirtysite.example AND www.perfectlyinnocentsite.invalid. This would be unacceptable.
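The over-blocking described above can be reproduced on loopback. This is an added example, not code from the original page: it runs a small name-based virtual host serving the two example hostnames from one address and models an IP-level filter as a set of blocked addresses. The page bodies and the names `fetch` and `demo` are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample content: two sites on one shared-hosting machine.
SITES = {
    "www.dirtysite.example": b"objectionable page",
    "www.perfectlyinnocentsite.invalid": b"innocent page",
}

class VirtualHostHandler(BaseHTTPRequestHandler):
    """Name-based virtual hosting: the Host header, not the IP, picks the site."""
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host)
        self.send_response(200 if body is not None else 404)
        self.end_headers()
        self.wfile.write(body or b"unknown host")

    def log_message(self, *args): pass  # keep the demo quiet

def start_server():
    server = HTTPServer(("127.0.0.1", 0), VirtualHostHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(ip, port, host, blocked_ips=frozenset()):
    """GET / for `host` at ip:port; returns None if the IP-level filter drops it."""
    if ip in blocked_ips:
        return None  # the filter sees only the destination address, never the Host header
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    data = conn.getresponse().read()
    conn.close()
    return data

def demo():
    server = start_server()
    ip, port = server.server_address
    try:
        unfiltered = {h: fetch(ip, port, h) for h in SITES}
        ip_blocked = {h: fetch(ip, port, h, blocked_ips={ip}) for h in SITES}
    finally:
        server.shutdown()
        server.server_close()
    return unfiltered, ip_blocked

if __name__ == "__main__":
    print(demo())
```

Without the filter, the same address returns a different page for each Host header; with the address in the block list, both sites become unreachable, including the one nobody meant to block.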

So the next choice is to attempt to block accesses to just www.dirtysite.example by creating false records in their DNS servers. This breaks several internet protocols, and is therefore a bad thing. It can also be circumvented by going straight to the IP address with your host header set to whatever site you want. I know, I did it as a test. (On a perfectly family friendly site, by the way.)

It would in theory be possible to scan inside IP packets, and indeed this is done now by several large British ISPs for the purposes of proxy caching. It's an invasion of privacy, breaks several things, and is totally a bad idea; conserving bandwidth isn't important enough to break the entire functionality of parts of the network, in my opinion.

So, if you are to retain comprehensive connectivity, what does your ISP have to do? The simple answer is the one that pro-censorship campaigners hate. Nothing. They can't do a damned thing; any attempt to block sites can be got around fairly trivially. Yes, it might keep J Random Pervert out of the site, but that's not the point, is it? The whole idea is to get the illegal material offline, surely? Blocking is a waste of energy; it doesn't even seek to address the PROBLEM!

The much much easier way is simple. Contact A.N.Onymous Webhosting in whatever country they're in, and tell them what law their hosted site is breaking, and to take it offline.

What, you say the site isn't illegal in that country?... In that case, I ask you very simply. Why Do You Seek To Block It?

Now for the much simpler part. Newsgroups. ISPs. British. Not carrying. Nice one. It takes all of 5 minutes to Google for free news servers and connect to one of them. Trivial. In fact, not even a circumvention of ANYTHING; the internet is MEANT to allow you to connect to servers in distant places, and I HAVE to use a news server that doesn't belong to my ISP to view the 3 entirely innocent and non-binary newsgroups I use, because my ISP's news server has a problem of ... kind of NOT letting you download new articles and then marking them as 'read' [might be the newsreader, but it doesn't happen on any other server, and they won't answer email or the phone, so I can't check].

Censorship is unacceptable in any society, for any reason, and especially when the reason is a misunderstanding of the facts. If it's online, it's available. Period. No matter what you do. Solution: Cut off the source. Do NOT attempt to throw a screen up in front of it and pretend it's not happening, and even worse, waste money doing this. If you try this, you're HELPING the abusers and users out there by diverting attention away from getting those sites OFFLINE.


Last Modified 2005-11-18      
