The Chief Executive of the new National Cyber Security Centre (NCSC) caused a stir recently when he announced a flagship project to use the domain name system (DNS) to block access to online criminal materials. Emily Taylor considers some of the questions raised as a result of the announcement.
What is the background to the reports of a ‘Great British Firewall’?
Ciaran Martin, chief executive of the UK’s new NCSC, announced in a speech in September 2016 that the NCSC is considering:
‘…a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?’
This was quickly dubbed the ‘Great British Firewall’, conjuring a disturbing image of Mary Berry and the Great Firewall of China, which blocks and filters content from access by Chinese users.
How would this work?
The DNS is the Internet’s addressing system, and it translates numerical addresses that machines understand (IP addresses) to names that are more memorable for human beings. So DNS blocking and filtering gets into the middle of that process and prevents domain names from resolving. That in turn prevents a site or email from being accessed—it’s blocked.
DNS blocking and filtering is not a new technique, but it’s controversial and raises civil liberties concerns. For example, in 2011 and 2012, anti-counterfeiting legislative proposals the Protect IP Act (PIPA) and the Anti-Counterfeiting Trade Agreement (ACTA) was based on DNS blocking and filtering of sites. Both were criticised as likely to cause collateral damage to civil liberties, and be harmful for innovation and entrepreneurs. An ‘Internet Blackout‘ in 2012 saw Google, Wikipedia and Reddit going dark in protest, and helped to finish off these proposals.
At the same time, the UK’s Internet Watch Foundation relies on DNS blocking to combat images of child abuse. While some view the ‘block-list’ approach as inherently harmful to the Internet’s infrastructure and dangerous thin-end-of-the- wedge way, there is no doubt that the Internet Watch’s approach has been effective in driving such materials off UK servers. However, there are important differences between what the Internet Watch does and what Ciaran Martin appears to be proposing—Internet Watch has a very narrow remit over material which is illegal to access in practically every jurisdiction. A key criticism of PIPA and ACTA was the fuzzy definition of what material could be caught up in DNS blocking.
What are the downsides?
DNS blocking and filtering seem to be attractive options for policy makers because they’re so powerful. By interrupting address resolution, you stop people accessing harmful material. Problem solved, right?
So why don’t more countries, apart from China, implement it? The answer is because the potential harms often outweigh the perceived benefits.
The right to seek, impart and receive information is the basis for our fundamental rights of freedom of expression and opinion. DNS blocking and filtering is a blunt instrument—it effectively takes down an entire site, think YouTube or Facebook, or Google, in order to combat perhaps a single page, or a single element of a page.
False positives are a known problem with DNS blocking and filtering—a controversial Australian scheme was scrapped after it was revealed that up to 1,200 sites were wrongfully blocked.
Also, it’s not always clear that materials are illegal. If we think about the debates around PIPA and ACTA, copyright laws provide numerous exceptions (eg for educational purposes, or parody) which it’s not possible to encode into DNS blocking or filtering.
DNS blocking and filtering is easily circumvented (so it is pretty ineffective against even averagely-determined opponents), it also undermines aspects of DNS security such as the DNSSec protocol, and harms the utility of the network—notably, universal domain name resolution, which guarantees that each of the three billion users of the Internet can be confident that a given URL or email address will resolve to exactly the same destination regardless of whose network they are on, or where they are in the world.
Within a voluntary scheme (as seems to be envisioned in the UK proposals), there would be a risk of patchy implementation and poor transparency. Therefore, one person might be able to access materials, which would be inaccessible to another user on a different ISP’s network. Because filtering operates at such a low level, it can present as a fault rather than an act of law enforcement, unless operators agree to make error or notice pages visible to users. This creates a risk of insidious harm, if people are not even aware that they are being denied access to certain content or pages.
Is this comparable to the Chinese firewall and could it give rise to mass censorship?
The technological solution is similar to some of those employed in the Great Firewall of China. However, these are proposals—there is little clarity about what is intended to be covered and how it would work at this stage. Martin did say that the scheme would be voluntary and that users would have an opt-out.
One of the risks of a voluntary scheme is that it could sidestep legislative scrutiny, and could end up creeping into the UK Internet experience without proper safeguards or accountability being baked in.
While we’ve got a long way to go before our Internet experience is like that of Chinese users, we should be wary of the combined impact of multiple, well-intentioned measures that have an adverse impact on the security of the Internet as a network and our civil liberties. Therefore, we need to think about the combined effect of, for example, the upcoming Investigatory Powers legislation and voluntary measures that employ DNS blocking and filtering. Brexit apart, we risk being out of step with our European and international counterparts.
Let us hope that good sense prevails and that NCSC focuses its resources on more fruitful and less controversial areas— like helping to improve basic cyber hygiene for all.
Do you have any further comments?
It is clear that Ciaran Martin did not just wake up one morning with a bright idea. His remarks are well informed, thoughtful and for the most part reflect mainstream thinking on how to improve our cyber security. For example, the Global Commission on Internet Governance recently reported that 80% of cyber-attacks could be mitigated with basic improvements to cyber hygiene. Martin reflects this when he says:
‘The great majority of cyber-attacks are not terribly sophisticated. They can be defended against. And even if they get through, their impact can be contained.’
However, the use of DNS blocking and filtering is not a silver bullet. It is easily circumvented by bad guys, it undermines security protocols (such as DNSSec) and also undermines the universal resolution of domain names. We should be wary of measures—however well intentioned—that compromise the integrity and security of the network.
Interviewed by Alex Heshmaty.
This article was first publis