Transcript End User Filtering

Analysis of technical measures to
suppress online copyright infringement
Stakeholder Dialogue on Illegal Uploading and Downloading
Brussels 02nd June 2010
Malcolm Hutty
[email protected]
Solving copyright infringement online
 Demand-led solution is required

New business models that give consumers timely, affordable
and convenient access to digital content legally
 HADOPI-style disconnection is disproportionate and
contrary to the Digital Agenda
 Network based technical measures are inappropriate
on technical, legal, economic, and social policy
grounds
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Technical objections to network-based measures
 Ineffective

Cannot significantly inhibit infringing behaviour amongst
those that infringe
 Harmful to the network



Can reduce network speed, create congestion
Introduces new points of vulnerability, reduces network
resilience
Tendency for overblocking
 Harmful to innovation

Reduces network flexibility
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Harmful to innovation:
undermining the end-to-end principle
 The end-to-end principle is a basic organising principle of the
Internet
It says that intelligence occurs at the network edges, not in the
core routers
 It permits technological development, including invention of
web, VoIP, etc

 Requiring blocking at the network level undermines the endto-end principle and the capacity for invention
 Arguably, it invites network operators to subvert the end-toend principle further
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Harmful to the network
 Three ways network speed is harmed:
1.
2.
3.
Direct processing overhead
Architectural constraints frozen in place
Diversion of investment and innovation
 Network resilience is undermined



Introduces new potential points of failure
Blocking systems are an attractive target
Greatly increased attack surface



Now operating at application layer
Blocklist itself is vulnerable, and not only to technical attacks
Tendency to overblocking (depends on technique)
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Inherent inefficacy of network-based measures
as a policy response to
online copyright infringement
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Context:
Purposes of Content Blocking 1
 Protection
– Help the users to avoid material that they do not wish to
encounter
 Compliance
– Prevent users from accessing material that they are actively
seeking
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Context:
Purposes of Content Blocking 2
 Protection



User does not want to access blocked material
User will not deliberately subvert blocking system
User’s normal usage will usually not strain the blocking
system by introducing difficult cases
 Compliance


User wishes to access blocked material
User may deliberately subvert blocking system
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Examples
 Protection


Protecting families from accidentally stumbling across
child pornography sites
Protecting bank customers from phishing sites
 Compliance



Prevent people infringing copyright
Preventing people gambling online
Preventing religious extremists exchanging views
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Does blocking work?
 How hard is it to avoid so-called “mandatory”
blocking?
 Even if there are counter-measures to blocking,
is it still a significant barrier to infringement?
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Analysis methodology

Specify distinct levels of expertise

“proficiency levels”
Identify avoidance techniques for each technical
measure
 Ascertain proficiency level required to employ
avoidance technique
 Compare required proficiency level to engage in
infringement with required level to employ
avoidance technique

EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Proficiency levels required for avoidance
Advanced network software research
VERY HIGH
HIGH
Good understanding of networking
principles. Basic software development
skills.
MODERATE
Can search for and find obscure or
complex software. Can follow complex
instructions. Capable of imagining
secondary uses of “dual-purpose”
software.
LOW
Aware of common applications e.g. peerto-peer. Capable of following written
instructions to download, install and use
such software.
VERY LOW
Can use web browser, e-mail. Cannot set
up own computer to use Internet
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Methodologies of Blocking







End-user filtering
DNS poisoning
Web Proxy filtering
IP blocking
Hybrid IP blocking/proxy filter
Network-based deep packet inspection & filtering
Alternatives to blocking


Removal at source / Disconnection
Demand-led solutions
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Avoiding Blocking Systems 1
• End User Filters
– Removal by PC owner (LOW expertise)
 Surreptitious
by-pass by PC user (MODERATE to
VERY HIGH expertise)
• DNS poisoning
– Use different ISP’s DNS resolver (LOW expertise)
– Run your own DNS resolver (MODERATE expertise)
– Avoid or confuse DNS (MODERATE expertise)
– DNS-SEC will make this obsolete
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Avoiding Blocking Systems 2
 All methods except DPI and End-User Filters
– Use Peer-to-Peer (LOW expertise); only provides access to
content, not applications such as gambling sites
– “Anonymizer.com” style tunnel (VERY LOW expertise)
– Create your own encrypted tunnel (MODERATE expertise)
– Confuse the blocking system with technical attacks1
(MODERATE to VERY HIGH expertise, variable
effectiveness)
1Simple
examples include URL Character encoding, web file-path traversal with “..” etc
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Avoiding Blocking Systems 3
 Network-based Deep Packet Inspection
Avoidance technique: use file transfer software that
employs encryption
 Also (or alternatively), other built-in avoidance techniques
 Requires: install peer-to-peer software (LOW expertise)
 Requires no additional expertise for those who are already
installing such software

•Encryption is increasingly built-in and automatic
•In software that does not employ yet encryption (or another
effective technique), the user would simply experience this as
software failure and can simply select a new product that “works”.
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Beyond peer-to-peer
 Private, password-protected download sites


Easy to establish (VERY LOW expertise)
Essentially infinite pool of sites



Immune to blocking until infiltrated





No limit to number of sites any individual can establish, at least until
individual is brought to justice
Pool of opponents is entire file-sharing community
Location unknown to enforcers; encryption defeats DPI
Number of unknown locations is unknowable
Cannot appear on blocking list until location is known
Long life before being infiltrated
Swift recovery time once infiltrated
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Conclusion of analysis
 Network-based measures are inherently ineffective

All known measures have well known counter-measures



Counter-measures are intrinsic not implementation-dependent
Counter-measures are as easy or even easier to employ than
it is to infringe in the first place
Q.E.D., those people already infringing cannot be dissuaded
by such technical “barriers” to infringement
 It is unreasonable to expect ISPs to deploy inherently
ineffective measures

Especially considering other objections
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Supporting Annex
End User Filtering
 Methodology

Software installed on each PC prevents access to certain
materials
 Financial Costs


Varies; from bundled product to around €50 per PC
Falls on customer
 Non-financial costs


Choice of sites to block can be questionable
Classification of sites can be questionable
2
0
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
End User Filtering 2
 Features




Commonly targets web, e-mail
Rarely targets Games, IM, Peer-to-Peer etc
Vibrant commercial market means state of the art is
continually advancing
Customer has choice of a wide range of reasons for sites to
be blocked (e.g. pornography, violent imagery, gambling,
racism, even “lack of educational value”)
2
1
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Web Proxy Filtering
 Methodology

All web traffic passed through a proxy cache, which
selectively refuses access to particular web pages
 Financial Costs

Very high (€100,000s for an ISP with 50,000 customers)
 Non-financial costs



Can slow down network traffic
Can reduce network reliability
But no overblocking
2
2
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Web Proxy Filtering 2
 Features

Centralised mandatory blocking of all web traffic


Generally, limited block-list from a qualified source e.g. court, IWF
Does not block non-web traffic
2
3
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
DNS Poisoning 1
 DNS is the system that translate human-readable addresses
into machine-readable Internet protocol addresses


Example DNS address: www.google.com
Corresponding IP address: 216.239.59.147
 Every ISP provides a “DNS resolver” to look up these
translations for its customers.



Each customer configures their PC to use their ISP’s DNS resolver as
part of the process of connecting to that ISP
Whenever they visit a new website (or use any other Internet
resource), their PC contacts the DNS resolver to discover the IP
address to contact
Customer could instead configure their PC with any other DNS
resolver, e.g. from an American ISP or one they run themselves
2
4
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
DNS Poisoning 2
 Methodology

ISP configures DNS resolver to lie about existence of sites
to be blocked
 Financial costs

Low (Can be less than €5000 per ISP)
 Non-financial costs


Massive over-blocking, as a whole domain is blocked (e.g.
all of MySpace, Geocities, terra.es etc)
Surprisingly difficult to implement without errors
2
5
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
DNS Poisoning 3
 Features
Blocks more than just web;
 But non-use of DNS by site operators can limit
effectiveness; and
 Over-blocking is a serious problem, and can cause
user rejection

2
6
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
IP Address Blackholing 1
 Methodology

ISP prevents all traffic from routing to specified IP
addresses
 Financial costs

Depends on length of block list
 Non-financial costs

High level of overblocking due to shared web space (e.g.
all of MySpace, Geocities, terra.es etc)
2
7
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
IP Address Blackholing 2
 Features



Blocks access for all protocols
Over-blocking is again a serious problem
Danger of unintended outcomes

e.g. Pakistan YouTube incident
2
8
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
IP Blackhole/Proxy Hybrid (“Cleanfeed”)
 Methodology


Use the same technology for IP-based blocking to route
only selected traffic to a web proxy; the web proxy decides
what to block
Again, web proxy element means only blocks web sites
 Financial Cost

Less than full proxy, but still substantial
 Non-financial costs

Over-blocking greatly reduced compared with IP address
blackholing
2
9
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION
Encryption and peer-to-peer
 Can peer-to-peer file-sharing be protected by
encryption without defeating its purpose?
Encryption can defeat DPI
 Manual enforcement at edges can act post TLS decryption





DTECNET/Media Sentry approach
Only works for transport-layer encryption, not encrypted payloads
IP address thereby obtained can be used for enforcement
But DPI still cannot break encryption tunnel


Technically possible to spot (and block) all activity by same IP
address (super-HADOPI)
Still not possible to identify similar transfers by this or other IP
addresses
EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION