Saturday 19th April 2014 Login | Register

Our IWF Implementation

December 11th, 2008 at 13:13 by Kelly Dorset

The IWF LogoWe’ve written this blog post as a response to the large amount of commentary this week regarding the IWF Child Abuse Image list and our implementation of it. Although we’ve responded openly to questions about our implementation in the forums, it makes a lot of sense to have one official place for information about it, so that’s the purpose of this blog. The Plusnet IWF implementation has been covered on The Nock Blog, BoingBoing the The Guardian. The Wikipedia coverage can be read on http://en.wikipedia.org/wiki/IWF_block_of_Wikipedia

What’s the background to this?
For some time the issue of child abuse images (often wrongly referred to as child porn) has been a very sensitive issue, with government and some media calling on ISPs to take action. The Register wrote a detailed article on the issue two years ago. We support the work of the IWF and like most ISPs we help fund them.

What is the Internet Watch Foundation (IWF)?
For more information about the IWF, please read About the IWF and subsequent pages. We also have a Support Page about them. The IWF supply Plusnet, and several other major UK ISPs, with the Child Sexual Abuse Content URL list twice a day which we use to prevent our customers from accessing this content.

This blocking is designed to prevent ‘accidental and incidental’ access – no-one is in any doubt that it is not a complete solution to the problem of child abuse images on the Internet. Plusnet chose to use this IWF service as we believe it is the right thing to do for our customers. There could also be commercial risks in the future if we did not take some form of action in line with other ISPs.

How it works
When our routers receive a request for a web page, they first check the IP address of the server hosting the URL you’re trying to access. If they determine that the IP address is also used to host one of the websites on the IWF list, your request is passed to a proxy server. The diagram in this blog has been used by other blogs and media to describe how all IWF solutions work. That’s incorrect, the diagram refers specifically to Plusnet’s implementation and may well not represent other ISPs implementations.

On the proxy server, a lookup is then done and if the address you’re trying to access matches one on the list then the request is denied. If it doesn’t match, then the request will be honoured and the page you requested is delivered as normal.

A denied request is performed by sending back a TCP Reset to the customer which will be seen as a connection error page in the customers’ browser. There has been some debate in our forums (and elsewhere!) if this is the right approach. We’ll talk about that later.

This list is updated twice a day by an automated process. That means if the IWF add a URL to their list at lunchtime, by the end of the day access to that URL will be blocked on our platform automatically. We don’t view, verify or approve anything on the list as part of that process; it would be illegal for us to do so!

Does this have any side effects?
We’ve seen a small number of issues related to this implementation since we deployed them. Most of those issues, including the current problems with anonymous editing on Wikipedia, are down to the target websites seeing the customer requests as originating from our proxy servers. As we serve the ‘X-Forwarded-For’ header in the connection requests, Wikipedia were able to allow requests from these proxies for anonymous posting. In each case, we’ve worked with the websites to resolve these issues.

What about my privacy?
There have been quite a few posts on our forums and around on the web with people concerned about their internet traffic being filtered through proxy servers and the privacy concerns around this. As described above, the only time you web browsing will hit one of our IWF proxy servers is if IP address of the web address you are trying to visit matches a server on the IWF. If that IP address isn’t on the list, you won’t hit a proxy at all.

These proxy servers are Plusnet designed, bought and maintained. Access to those servers is strongly controlled via our change control process and an authorisation list to protect their contents. Accesses to the servers are notified to our Network Director daily to make sure all is is well – no third party including the IWF has any access to these servers.

Why do we do it?
We believe that preventing the access to, and prevention of the proliferation of the material on the list to be worth the side effects we’ve seen in it’s implementation. Of course, we must remain quick and responsive to problems caused by the implementation and we hope that our customers will hold us to that in our forums.

We use the IWF list rather than compiling our own because their employees are supported and trained at dealing with extremely shocking images. This means we don’t need to expose our own employees to this sort of content, and provide the extensive support network required to maintain it.

There will always be cases where the blocking of a URL debatable. The IWF have a complaints procedure which can be found on their website. If this procedure results in a removal or addition to the list, it will quickly be reflected within our system via the automated process detailed earlier.

Is the connection error right?
Our use of the TCP reset has generated some substantial debate on our community site. When we designed the system, we implemented it in a very similar way to a number of other service providers. A choice was made at the time to not specifically flag that the page had been blocked as we believed this would mean the list of sites could easily be ‘farmed’ which would undermine the confidentiality of the list. Since this debate has sprung up, we’ve reviewed the guidance from the IWF on how to handle a blocked page and have decided to change our implementation to return a 403 page, similar to the implementation by Thus/Demon and as requested by a number of customers on our forums. We expect to add detail to the error page which specifically refers to the IWF and our implementation of it. We are aiming to make that change before our Christmas code lock down next week.

We hope this blog explains our use of the IWF Child Sexual Abuse list and why we believe it is right for us to use it. If you have more questions or concerns, add them as a comment and we’ll try and address them as best we can. We’ll update this blog with anything raised that should be in here.

Kelly

This entry was posted by Kelly Dorset on Thursday, December 11th, 2008 at 1:13 pm and is tagged with , , , , and is posted in the category Customer Services, Plusnet News. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.


8 comments on "Our IWF Implementation"

Good post, very informative.

Kelly

Update: We ran into a couple of issues when trying to change the system to use a 403 error. As a consequence we'll pick this up in the New Year once the code freeze has lifted.

Could you add a test Web site address of your own to the list and provide that address to users - e.g. on this page - so that users can see the kind of error message that will be displayed when access to a IWF-listed site is denied?

Is the IWF filter blocking MegaUpload now? I'm getting this Error 503 for http://www.megaupload.com/ (note the IWF cache at the bottom) :-

"The requested URL could not be retrieved

While trying to retrieve the URL: http://www.megaupload.com/

The following error was encountered:
Unable to determine IP address from host name for http://www.megaupload.com

The dnsserver returned:
Server Failure: The name server was unable to process this query.

This means that:
The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.

Generated Thu, 02 Apr 2009 05:29:58 GMT by pcl-iwfcache04.plus.net (squid)"

And all MegaUpload is dead for me.

.... and now it's back. Still, it's worrying that great swathes of the Net can disappear at the whim of the IWF list compilers (if that's what happended?).

Well consider me officially leaving plusnet as soon as i can. internet censorship for whatever reason makes me sick

What an excellent article. I wish my ISP would respond in such a clear and honest way.

Plusnet Referrals

Photos

photo photo photo

View More

Forums

Users online: 94

  • Total Topics: 124283
  • Total Posts: 1092263
  • Total Members: 25408

Visit the Forums

Plusnet

Force9

Metronet

Free-Online

Madasafish

PAYH

Just The Name

Related Sites

Community Apps

Here at Plusnet we're always trying to use clever open source things to make our lives easier. Sometimes we write our own and make other people's lives easier too!

View the Plusnet Open Source applications page

About Plusnet

We're a Yorkshire-based provider selling broadband and phone services to homes and businesses throughout the UK. Winner of the ISPA 2010 'Best Consumer Customer Service ISP' Award, we're proud to offer the UK's best value standalone broadband.

© Plusnet plc All Rights Reserved. E&OE

Community Site News.. is powered by WordPress

Add to Technorati Favourites