For all blocking methods circumvention by site operators and internet users is technically possible and would be relatively straightforward by determined users. (p.5)
Despite this, however, one branch of the UK Government still appears determined to keep its head in the sand, and according to that report:
The Department for Culture, Media and Sport has redacted some parts of this document where it refers to techniques that could be used to circumvent website blocks.
Unfortunately, the technical competence of the DCMS appears to be somewhat limited, and the sophisticated redaction was (ironically?) also easily circumvented by copying and pasting from the PDF. Here are the portions of the report which the DCMS attempted to quash. Text in italics was not redacted but appears for context:
Bypassing IP address blocking is technically straightforward for those who have an incentive to do so.
The blocked site operator may:
• change IP address but stay on the same network (i.e. on the same hosting provider);
• move to an entirely new network (to a previously unobserved IP address);
• offer encrypted network services which obscure the true network address/destination such as Virtual Private Networking;26,27 or
• server operators may institute a Fast Flux network (where users run software on behalf of the blocked site which hides the true network address of the blocked site).
There are other methods available to site operators. When moving to a new IP address a site operator may register multiple IP addresses for a given site in order to maintain service in the event that some of those individual IP addresses are blocked. This approach has legitimate purposes also.28 Furthermore, by setting a low ‘Time to Live’ (TTL) Domain Name System (DNS) record value, determining the length of time that the IP address for a particular domain (expressed in seconds) remains in remote name server caches, it is easier for a site operator to move IP addresses without end users losing access. Where a low TTL is expressed the ISP DNS name server resolution cache is purged quickly thereby ensuring that newly assigned site IP addresses are retrieved from the authoritative name server and site accessibility is maintained. Figure 13 below shows that the TTL value for ‘kickasstorrents’ is one hour, demonstrating that any changes to IP address to DNS name are refreshed and propagated within ISP DNS servers in just over an hour.
Figure 13: Kickasstorrents DNS record Time to Live (1 hour)
Name                      TTL   Class  Record  Address
www.kickasstorrents.com.  3600  IN     A       22.214.171.124
www.kickasstorrents.com.  3600  IN     A       126.96.36.199
www.kickasstorrents.com.  3600  IN     A       188.8.131.52
www.kickasstorrents.com.  3600  IN     A       184.108.40.206
www.kickasstorrents.com.  3600  IN     A       220.127.116.11
26 Ipredator – Surf anonymously with VPN and proxy https://www.ipredator.se/?lang=en
27 UK based VPN services facilitating access to copyright infringed material may be subject to site blocking injunctions. UK VPN operators may institute site blocking at the VPN egress point. NB: we are not aware of any UK based VPN service marketed or positioned for such activity. Such services are likely to be non-UK based.
DNS blocking robustness
For site operators and end users with a sufficient incentive to engage in circumvention, DNS blocking is technically relatively straightforward to bypass:
• the blocked site may offer services such as Virtual Private Networking, which is where encryption and other security measures are deployed to ensure that the data cannot be viewed by third parties (DNS name resolution may occur within the VPN providers network thereby bypassing the ISP based DNS site-blocking);
• the end-user can change their DNS name servers to 3rd party DNS name servers;32,33
• users may use anonymous web proxy or other anonymising services which are not reliant on the ISP DNS servers; or
• name resolution may be performed locally by adding an entry to a hosts file (IP address resolution information can be obtained from websites running a web-enabled equivalent of ‘nslookup’ command).
32 Google Public DNS – http://code.google.com/speed/public-dns/
33 OpenDNS Store > Sign up for OpenDNS Basic: – https://store.opendns.com/get/basic/
For end users who want to bypass blocks there are several options. For instance, there are many legitimate alternative DNS providers to ISP DNS registries. Examples include OpenDNS and Google DNS. We consider the changing of DNS servers to alternative providers to require low technical skills, as the providers offer clear instructions using plain English. For instance, switching to Google DNS requires 11 steps for Windows users and only 8 for those using MAC OS.
With a modest understanding of internet technologies it is possible to access a site by entering the site IP address (if multiple websites are hosted at the same IP address the user will be displayed the default web site or page for that web server/IP address). Site operators can draw attention to online web based and alternative sources of DNS name resolution within emails to their user base or via online forums.
Other channels that site operators could use to widely distribute advice on how best to circumvent DNS blocking could include posting to online forums, Really Simple Syndication (RSS) or updates via micro blogging sites such as Twitter ®. The advice could include changing to unblocked DNS name servers, Virtual Private Networks and proxy services or other anonymising systems. Similarly, site operators may quickly mirror or make copies of a blocked site on new top level or country code domains pointing towards new IP addresses e.g. www.blockedsite.cc; www.blockedsite.ru; www.blockedsite.vn; www.blockedsite.net.
Techniques that may undermine URL blocking include:
• web site operators providing encrypted access to their web sites via Secure Sockets Layer/ Transport Layer Security i.e. https connectivity https://www.example.com/downloads/pirate.zip;
• a site operator may run a website on a network port other than port 80;
• the site operator changing the IP address and bypassing the network routing announcements;
• a site operator registering a new domain name e.g. www.example.net or www.example.org;
• the blocked site offering services such as Virtual Private Networking;
• the use of anonymous web proxy or other anonymising services;
• the site operator reorganising the site structure if the blocking is conducted against specific URLs; and
• the site operator or end user encoding URLs to bypass blocking.
Packet inspection blocking robustness
Both shallow and deep packet inspection can be bypassed by site operators using the following means:
• changing the IP address but staying on the same network;
• moving to an entirely new network (to a previously unobserved IP address);
• the site may use network encryption techniques such as Virtual Private Networking to render scrutiny of the IP packet's payload or real IP address destination impossible, given the technology available today; or
• the site operator may add or remove site IP addresses from a pool of IP addresses.
End users who wish to circumvent packet inspection may opt to use anonymous web proxies or other anonymising services.
As with the deployment of any of the single primary techniques, the hybrid approach is also susceptible to circumvention by the use of anonymising tools such as The Onion Router, VPNs or anonymous proxy services.
Anonymous Web Proxy: Service that allows users to place web requests via an intermediary server. The proxy server makes the connection on behalf of the user thereby hiding originating IP address and bypassing blocking network techniques.
The Onion Router (ToR): Anonymity network originally developed by the United States Navy. Used in many countries to bypass state censorship.
Needless to say, a department which is unable to censor a single PDF does not exactly inspire confidence when it proposes to introduce blocking for the entire UK internet, and it is just as well that the UK government has today announced plans to abandon the blocking provisions of the Digital Economy Act.
Yesterday the UK government announced that following a report from regulator OFCOM, plans to block alleged copyright-infringing websites would be dropped. However, there was a second report where OFCOM detailed ways of keeping the costs of Digital Economy Act infringement appeals down. The document carried the usual redactions but TorrentFreak has put on its X-ray vision for your viewing pleasure.
Yesterday, detailing the government’s response to the Hargreaves report, business secretary Vince Cable confirmed that the website blocking provisions put in place under the controversial Digital Economy Act will be discontinued. The decision coincided with an OFCOM report which noted that website blocking would not be effective.
OFCOM also released a second report titled Digital Economy Act, Online Copyright Infringement Appeals Process: Options for reducing costs.
On the front page of the report there is a note that redactions have taken place to censor sections relating to ‘on-going policy development’ of the Department of Culture, Media and Sport.
The DCMS did a better job of hiding the blacked-out text than earlier in the week but not so good as to keep out TorrentFreak and our X-ray specs.
The first redaction on Page 3 says simply ‘Revisit the grounds for appeal set out in Ofcom’s draft Initial Obligations Code’ but two pages later things start to get much more interesting. It seems the government (or more likely their friends in the copyright lobby) doesn’t want talk of an error-prone system becoming public.
Page 5 – OFCOM wants rights holders’ accusations to be ‘quality assured’
Ofcom has also sought to ensure efficiency by introducing into the Code a requirement that Copyright Owners take part in a quality assurance process with the aim of minimising errors. This should help to reduce the number of wrongly identified infringements and subscribers. (ISPs can also have some impact here by ensuring that the letters they send to subscribers make clear the implications of receiving a notification).
A ‘quality assurance process’ sounds like a great idea, but who could be trusted to implement such a regime and ensure independent scrutiny? Anti-piracy tracking companies are notoriously secretive and unlikely to be open about the shortcomings of their ‘proprietary systems’.
Page 11 – Government rejects OFCOM suggestion of subscriber appeal ‘on any reasonable grounds’
The grounds set out in the Act are non-exhaustive and we reflected this in our drafted Code by including an option to appeal on ‘any other reasonable ground’. This was intended to provide an efficient mechanism through which to avoid a lengthy revision of the Code should subscribers find additional, but reasonable, grounds for appeal as technologies and consumer behaviours evolve.
We understand that Government believes we should not include this mechanism in the final Code
It is far from clear why the government wishes to remove the right for a citizen to appeal a wrongful accusation on ‘any reasonable ground’. What is clear, however, is why the government might wish to redact this statement from the report – it looks very bad indeed.
Page 11 – ISP IP address matching to be ‘quality assured’
We have also introduced into the Code a requirement that Copyright Owners take part in a quality assurance process with the aim of minimising errors. We are proposing to sponsor a similar standard for the IP address matching processes of the ISPs, although participation will be voluntary. This should help to reduce the number of wrongly identified infringements and subscribers (appeal grounds (a) and (b)). We anticipate that the majority of appeals will rely on ground (c) in the absence of systematic failures by a Copyright Owner or ISP under the Code.
When it comes to copyright infringement cases ISPs make errors so it is good they will be required to adopt similar ‘quality assurance’ processes as rights holders. However, how many will choose to do so when participation is voluntary remains to be seen.
Redactions on page 17 merely repeat details covered in earlier redactions. Redactions on page 19 likewise, save a comment that a rightsholder ‘quality assurance’ process
….does not create a rebuttable presumption in favour of the rights holder but should help bring down the proportion of incorrect CIRs [Copyright Infringement Reports] and therefore appeals costs since there are likely to be fewer meritorious appeals in this respect. This quality assurance is also intended to make sure that the number of CIRs rejected by ISPs for process reasons is minimised
The full but redacted document can be downloaded here.
New website blocking regulations not on the agenda, Government says: “The Government has sidetracked plans to create new website blocking laws following a recommendation from the UK’s telecoms regulator.”
(Via OUT-LAW News.)
Individuals will have to pay to contest copyright infringement warnings, Government says: “Internet users who risk being blacklisted as illegal file-sharers will have to pay £20 to appeal against warning letters they receive about their behaviour, the Government has said.”
(Via OUT-LAW News.)