Journey with us to a state where an unaccountable panel of censors vets 95 per cent of citizens' domestic internet connections. The content coming into each home is checked against a mysterious blacklist by a group overseen by nobody, which keeps secret the list of censored URLs not just from citizens, but from internet service providers themselves. And until recently, few in that country even knew the body existed. Are we in China? Iran?
Saudi Arabia? No - the United Kingdom, in 2009. This month, we ask:
Who watches the Internet Watch Foundation?
It was on December 5, 2008 that the foundation decided that the Wikipedia entry for The Scorpions' 1976 album Virgin Killer was illegal under British law. The album-sleeve artwork, showing a photo of a naked ten-year-old girl with a smashed-glass effect masking her genitalia, had been reported to the IWF via its public-reporting system the day before. It was deemed to fall under the classification of "Child Abuse Imagery" (CAI). And because the IWF blacklists such material, and works with ISPs to stop people accessing it, an estimated 95 per cent of residential web users were not only unable to access the band's Wikipedia entry, but also unable to edit the site at all.
When Wired began investigating the foundation last December, our interest clearly lay not in advocating the use or distribution of child pornography. We simply wanted to know only what the Wikimedia Foundation, the owners of the Wikipedia, itself sought to know. "The major focus of our response was to publicise the fact of the block, with an emphasis on its arbitrariness and on the IWF's lack of accountability," says Wikimedia's general counsel Mike Godwin (incidentally famed for Godwin's Law, which he coined in 1990 and which states that "as a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1".) "When we first protested the block, their response was, 'We've now conducted an appeals process on your behalf and you've lost the appeal.' When I asked who exactly represented the Wikimedia Foundation's side in that appeals process, they were silent. It was only after the fact of their blacklist and its effect on UK citizens were publicised that the IWF appears to have felt compelled to relent. "If we had not been able to publicise what the IWF had done, I don't doubt that the block would be in place today."
As it happened, the IWF reversed its decision a few days later, issuing a statement to the effect that, while it still considered the image to be technically illegal, it had evaluated the specific "contextual issues" of this landmark case and taken into account the fact that it was not hosted on a UK server. The incident marked a major step: the IWF had for once been held up to wider scrutiny.
Concern about the IWF has been voiced by critics such as John Ozimek - political journalist and author of New Labour, New Puritanism - and translated into a more explicit concern: that its lack of accountability could be used as a method of sneaking state censorship through the back door. The relationship between the IWF and Home Office is particularly worthy of scrutiny, as Ozimek explains: "Neither has shown much interest in civil liberties. Few people who know about the net know much about the IWF, and those that do know it mostly only as a heroic body fighting child porn.
It has thus been preserved from having to answer awkward questions about its legal qualifications for carrying out its role, its lack of public accountability and its failure to apply due process." "I think that so long as censorship decisions are being made by an unaccountable private entity," says Godwin, "the freedom of United Kingdom citizens is at risk."So how did we get here? In August 1996 - appalled by the distribution of child-abuse imagery on several newsgroups - Metropolitan Police chief inspector Stephen French sent an open letter to every ISP in the UK. "We are looking to you," French wrote, "to monitor your newsgroups, identifying and taking necessary action against those found to contain such material." It finished with a statement that was a game-changer: "We trust that with your co-operation and self-regulation it will not be necessary for us to move to an enforcement policy." In other words: you deal with this, or we'll deal with you. "There had been a failure to get industry consensus to act on the issue up to that point," remembers Keith Mitchell, who - as the head of Linx, the London Internet Exchange - was brought in to discuss the issue by the Department of Trade and Industry, alongside several major ISPs and representatives from the Internet Services Providers' Association (Ispa). Together they drew up a memorandum of understanding, a model for what would soon be relabelled the Internet Watch Foundation.
The document was called the R3 Agreement. The three Rs were: "rating", the development of labelling to address the issue of "harmful and offensive" content; "reporting", a notice-and-take-down procedure to all ISPs hosting CAI in the UK; and "responsibility", the promotion of education about such issues.
The categories still remain cornerstones of the expanded remit of today's IWF, which was (and is) self regulating. Trusting in this, the government left the ISPs to deal with the matter. "The IWF was originally very much seen as a positive measure to avoid a problem for the UK internet industry, rather than a coercive measure," explains Mitchell. "At first, the Home Office just seemed to be glad this problem was being taken care of for them. In terms of its original mission, I think that the IWF has done an excellent job of keeping CAI off UK-based servers."
In 1998, the government carried out an independent review on how the IWF was working. The Home Office called in consultants Denton Hall and KMPG, notes were duly taken, and a "revamped" IWF was launched in 2000. "The IWF had reached a point at which it needed to be seen to be more independent of the industry," explains Roger Darlington, former head of research at the Communication Workers Union, who was brought in as an IWF independent chair. "They weren't terribly clear how it was going to work," he remembers. "I said, 'Look, we should publish all our board papers and all our board minutes.'
That caused a number of people to swallow hard. But we did it."
Keith Mitchell regards this as the point at which things began to change for the worse. "Since Tony Blair got in," he says, "there has been visible mission creep. Various additions to the IWF's remit have occurred, increasingly without consideration of their technical effectiveness or practicality. Most notable has been the introduction of a blacklist."
Introduced in 2004, the blacklist is the IWF's method of ensuring that members block user access to CAI hosted outside the UK. This confidential list of URLs is sent in encrypted format to the ISPs, which are subject to similarly secret terms of agreement regarding their employees' access to the list. Lilian Edwards, professor of internet law at Sheffield University and author of Law And The Internet, feels that such guarded conduct suggests that more may be going on behind closed doors. "The government now potentially possesses the power to exclude any kind of online content from the UK, without the notice of either the public or the courts," she says. "Perhaps even more worryingly, any ISP that takes the IWF blacklist can also add whatever URLs they please to it, again without public scrutiny." Or even anyone necessarily noticing. It's like knowing that Google Safe Search is on, but not being able to change your settings.
Of course, blacklists are not infallible. The website Wikileaks recently obtained a copy of the list kept by the foundation's Danish equivalent - also unsupervised by government . It shows a number of erroneous blocks, such as the URL of a Dutch haulier , as well as legitimate adult domains.
For an organisation so often accused of being secretive, the IWF headquarters, in a converted townhouse on a leafy and innocuous Cambridgeshire housing estate, does not do much to dispel the image. At first glance the place resembles a large suburban home.
Inside, a spacious, bright reception leads to an equally airy office area and conference rooms. The sense of openness extends only so far, however. The IWF let us know beforehand that it refused to allow any photography on site.
As a charity, the IWF must publish accounts - most recently for the year ending March 2008. The largest single donor was the European Union. It gave the organisation £320,837 in 2007 and £146,929 in 2008. The largest revenue stream, however, was "subscription fee income". This was £623,542 in 2006, £700,533 a year later and £754,742 in 2008.
Who pays the "subscription fee"? The major ISPs and a clutch of big-name brands such as Royal Mail and Google. The IWF's website solicits such payments, explaining that "being a member of the IWF offers many benefits including practical evidence of Corporate Social Responsibility - enhanced company reputation for consumers and improved brand perception and recognition in the online and digital industries". All yours for £20,000 per annum - if you're a "main ISP". Smaller fish are advised to pay between £5,000 and £20,000, and "very small" firms are steered towards "£500 to £5,000". Sponsors, which "support us with goods and services to help us pursue our objectives", include Microsoft. Additional money comes from what the IWF calls "CAI income". This is revenue from licensing the list of prohibited URLs to private net-security outfits. It totalled £5,183 in 2007, but had jumped to £40,734 a year later. In 2006, the IWF also received £14,502 from the Home Office.
The Charity Commission accounts state that the IWF has 13 employees and no volunteers - unusual for a charity. Its staff costs were £520,847 in 2008, with one person earning more than £50,000.
But back to that £14,502 from government. We asked the IWF what the Home Office money was for, but Peter Robbins, the chief executive, would only say it was for "a project". "You don't need to know."
Sarah Robertson, IWF's head of communications, has dealt before with concerns about the IWF's links to the Home Office. She's quick to dismiss the notion that the blacklist is any way influenced by the government. "Supposedly, the IWF compiles the list, passes it on to the Home Office twice a day, the Home Office adds whatever they want to it, the IWF doesn't look at it, then it goes out...
Hmm." She smiles. "They don't. I don't see why they would. It's a voluntary initiative. The government has expressed an expectation, but they haven't legislated. The industry was already doing it.
Because they wanted to protect their customers."
Robertson lays out the process behind the blacklist. Updated twice a day, the URLs on the list are those reported to the IWF by concerned members of the public via the organisation's hotline and website. Relevant IWF staff - police-trained internet content analysts - then draw on their legal training to determine whether the content is "potentially illegal". "We use the term 'potentially illegal'," Robertson explains, "because we are not a court. It's assessed according to UK law. I read certain articles that talk about the IWF's 'arbitrary scale'. It's the law." The law she refers to is the Protection of Children Act 1978 (as amended by, among others, the Sexual Offences Act 2003), which makes it "an offence to take, make, permit to be taken, distribute, show, possess with intent to distribute, and advertise indecent photographs or pseudo-photographs of children under the age of 18".
Robertson insists that the Home Officen has never expressed a desire to get involved in the foundation's day-to-day proceedings, before elaborating on its independent nature. "We are inspected, not by the Home Office, but they expect us to subject ourselves to inspections. They ask us to subject ourselves to external scrutiny, despite the reams and reams of articles I've been reading about how we're 'shadowy' and 'unelected'. "Obviously we're not elected," she continues. "But we try to be as transparent as we possibly, possibly can. We're also audited externally by independent experts in law enforcement, forensics, technological security and HR issues."
This is true: the last independent audit of the IWF was in May 2008, and the organisation allegedly passed with flying colours. We have to say "allegedly", however, because the audit itself hasn't been published - and despite requests from Wired, the IWF intends to keep it confidential. The blacklist also remains undisclosed. "Obviously the list is never going to be given out," says Robertson. "No one gets it [unencrypted]. We don't allow a list of abusive images to be released to the public. What we can say is that details of every URL on it are shared with the police." She is unwilling to elaborate on other details: "I'm sure you'll understand that we can't give full details of how the list is provided. Sadly there are a lot of people out there who would take delight in getting it."
Robertson maintains that she can understand the concerns from certain quarters. "We do engage the civil-liberties groups; they help me understand their point of view, and I find it all very interesting."
Although the IWF has publicly said it " learnt lessons" from the Wikipedia-Virgin Killer fracas, its blacklist strategy is not changing. "As for the design of the list, there were meetings when we started with engineers from all the companies and everyone involved, very technical people - all of whom decided that [the status quo was] the simplest and easiest-to-implement way... People say, 'Why don't you just block the image?' You can't. When you've got a thousand different URLs on your list, you can't have different rules for each."
It is not a prerequisite for IWF members to implement the blacklist - it is simply there, should they want it. The IWF maintains that it strives to ensure cost is not a barrier to implementation by smaller ISPs. The IWF is also not the one carrying out the blocking - that is left to the actual ISPs. "We just provide a list of URLs," Robertson insists. Of course, the list is blind, and an ISP blocks all of it or none of it.
The Home Office declined an invitation to take part in an interview, and rejected our Freedom of Information requests. We asked for details of the relationship between the Home Office and the IWF, and in particular about the latter's discussions with Home Office minister Vernon Coaker. Our request was refused under the clause in the FOI Act that allows ministers to withhold information if they consider the disclosure might inhibit "the free and frank provision of advice and the free and frank exchange of views for the purpose of deliberation". It added: "We have decided that it is not in the public interest at this time to disclose this information." (You can read our entire correspondence with the Home Office at tinyurl.com/d67uzn.) It did issue this statement: "Over 95 per cent of consumer broadband connections are covered by blocking of child sexual-abuse websites.
The UK has taken a collective approach to addressing this issue and has had considerable success in ensuring that the sites on the IWF list are blocked. We will continue to consider what further action or measures might be needed."
What about the world outside CAI? Although the IWF is not solely responsible for blocking pornographic images of children, the other areas it deals with - incitement to racial hatred, criminally obscene content - are not subject to the blacklist. Robertson told us that there was no racial-hatred material hosted in the UK last year, and the number of cases of criminally obscene content per annum can be "counted on one hand".
Earlier this year legislation was passed that outlawed "extreme pornography", thereby adding the category to the IWF's watchlist of illegal material. And catching the eye of Parliament of late have been " anorexia promoting" websites. Mark Hunter MP in particular has been anxious to raise the issue.
Lilian Edwards, meanwhile, proposes a new direction for the IWF, which indicates an active preference for governmental administration and which would be more accountable under UK law and less susceptible to whispered doomsday scenarios. "It is high time that the IWF was reconstituted as a public body," she says. "Having the cooperation of the ISP industry does not give them the authority or the safeguards of a public or judicial body. Books get censored by independent and public courts. Why don't websites?"
John Ozimek has further concerns. "There is an interesting line of thought running around the security world that suggests that this is counterproductive. The majority of [CAI] material is not 'out there' on the web any more. It's available via P2P. The more pressure there is on net-based porn, the more networks move to circumvent government measures." So blocking may not be the best solution.
In January 2009 - shortly after the dust had settled on the Wikipedia case - the IWF found itself under scrutiny once more when a blacklisted image on the Internet Archive's Wayback Machine resulted in some UK internet users being unable to access the entire site. Later resolved and explained as a "technical error", the incident threw more meat to those who had already decided that the IWF was becoming increasingly maverick. "As an industry," Keith Mitchell elaborates, "we have done a lot, but the internet illegal economy, including spammers, botnets and those who host child porn, will not go away... It would be good to see some enforcement action rather than misguided censorship attempts, which damage freedoms for the majority of law-abiding internet users."
Among all parties, there is one agreement: the fight against CAI is an invaluable one. The killer questions revolve around the power behind that fight - can a non-governmental body be trusted with unprecedented censorship muscle? - and whether, by concentrating on URLs rather than file-sharing, that body is even fighting any longer in the right arena.
Author: CJ DAVIES
Source: http://www.wired.co.uk/article/the-hidden-censors-of-the-internet
