The Federal Government’s Internet filtering scheme is likely to impact ISP networks speeds, and ultimately, the cost of Internet access for consumers, a new report from the Australian Computer Society (ACS) e-security Task Force has found.
According to the Technical Observations On ISP Based Filtering Of The Internet report, while ISP-based filtering could help prevent "inadvertent exposure" to illegal material, doing so would come at a “dollar cost for ISPs to implement relevant filters and the potential impacts on the ISP networks, depending on the type and extent of filtering required by the Government”.
"Mandating or architecting a network so that all packets pass by a filtering point can create performance problems, duplicated traffic paths and may increase the bandwidth costs for ISPs," the report found. “Not all applications work well with a proxy server and so the performance of the ISP can degrade. Proxies can degrade ISP performance particularly during periods of high traffic – they become bottlenecks and can reduce Internet speeds.”
The report found that while smaller ISPs may have enough network performance to ensure that an ISP filter would not create a bottleneck and significantly affect user speeds, a failure in the Internet filter – based on the ISP side of the network – would become a source of service disruptions for customers.
ISPs operating with faster backbones would be required to invest in expensive higher capacity filters if they wished to filter all traffic at their maximum speed, the report found.
Larger ISPs running filters in the core if the networks would need to invest in load balancing and server clustering gear to ensure that filter placement did not lead to a single point of failure, and subsequent service disruption. However, having a single load balancer would introduce another single point of failure, while having multiple load balancers would lead to a complex network topology that may only be feasible for large ISPs, the report found.
“While filtering at the [ISP’s Points of Presence] would be another option, for a large ISP, this would require installation of dozens of gatekeeper boxes, which can make this option somewhat impractical,” the report reads.
“Another concern with filtering at the ISP core is the potential for it to necessitate changes in the ISP’s routing (depending on their existing routing, traffic flows, transit & peering arrangements and international gateways), and performance impacts as traffic is forced into sub-optimal paths in order to pass by or through the filtering systems. This could necessitate costly upgrades to backhaul capacity and increased transit costs.”
The report also found that ISP-based Internet filtering faced a number of technical challenges including the ease of which websites could change their addresses that they no longer matched black or white list and the fact that not all users access the Internet via an ISP.
“Push technologies (such as RSS) often bypass the proxy server and deliver content directly to the user so circumventing the filtering process,” the report found. “Many sites have mirrors and multiple URLs and if these are not included in the black list then the filtering process can be circumvented.”
Imperfect language translation tools, which were often automated, also resulted international sites may not be filtered effectively, the report found. Not all white and black lists contained domain names as well as IP addresses, meaning they were less effective.
“Although ISP-level filtering can reduce the likelihood of inadvertent exposure, it cannot completely prevent inadvertent exposure as it is only feasible to filter out those sites and pages that have been identified at an earlier time…” , the report reads.
“The technical assessment of the Task Force is that there is no single mechanism that can filter out or block illegal material on the Internet accurately 100 per cent of the time. A multi faceted approach is needed to address this issue that will involve filtering technologies at the ISP, user and enterprise levels, increased professionalism and tighter controls around domain name registration, education at all levels of society and parental oversight.”
The report also found that there was no technological substitute for appropriate education and parental supervision of young people who are using the Internet.
“Education and oversight remains the best method of ensuring that children (and other end users) are aware of online safety and are not viewing inappropriate material or engaging in inappropriate behaviour online,” the report reads.
ISP Filtering policy needs better articulation
The report also called on the federal government to clearly articulate whether the policy objective for filtering was based on avoiding inadvertent or unintended viewing of RC or illegal content; preventing, detecting, blocking and prosecuting deliverable access, publication or circulation of RC or illegal content; or, deterring both inadvertent and/or deliberate interaction with a wider ambit of RC, illegal or prohibited material using any method of Internet access
“It is vitally important to understand the policy for filtering, as the means of realising the filtering to achieve the policy will be quite different in each case,” the report reads.
According to the report, the Federal Government’s ISP filtering program objectives needed to be clearly defined including performance standards, clarity around the definition of material to be filtered, reporting processes and filtering processes to be used.
“However, even with the best ISP level and PC based security systems and education programs in place, it is unrealistic to expect that all illegal material will be caught,” the report reads. “A set and forget solution simply does not exist and filters do not replace adequate parental supervision.
“People will still open suspicious emails and click on malicious code. Empowering people with adequate knowledge of e-security threats and how they can take responsibility for reducing those threats remains the best defence against Internet security threats.”
Sign up for Computerworld newsletters here.