New Zealand's government-run Internet filtering system is now running, and two ISPs are already using the system. Seven thousand websites are on the list, most dealing with child sexual abuse, bestiality, and other illegal content, as classified by the country's official censors (you too can be a censor for a day). Such material has been illegal offline in New Zealand for years, so the expansion of the program to the Internet isn't a big surprise. But will it work?

The government runs the filter, but ISP participation remains voluntary. Currently, Maxnet and Watchdog are confirmed to be using the filter, though other ISPs are said to be interested. Maxnet CEO John Hanna explained his company's position to Computerworld New Zealand: "Filtering out child pornography is also very much in line with our company values—our customers would be disappointed to hear if we weren’t participating. So participation for us has always been a no-brainer."

The filter uses a BSD Unix-based appliance called WhiteBox from Swedish company NetClean ("We protect children on the Internet"). The government runs the filtering server and maintains the blocklist, which it advertises to ISPs using the Border Gateway Protocol (BGP). ISP routers then "know" that the best routing path to blocked addresses runs through the government's filtering servers; all other requests route through the conventional Internet as usual and are never scanned or logged by the government.

The WhiteBox

Because an IP address can host many domains, requests to blocked IP addresses are analyzed by the WhiteBox using deep packet inspection, rather than being blocked outright. If the requests are for non-problematic URLs, they are forwarded on; if they go to a banned site or link, they are blocked, the user's IP address is logged, and a block message appears on the screen.
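The two-stage decision described above, modelled as an added Python example (not code from NetClean or the New Zealand government): stage one is the route lookup on the destination address, stage two is the inspection of the plain HTTP request. The prefixes, hostnames, function names and the host-plus-path-prefix matching rule are constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation address ranges and example domains).
ADVERTISED_PREFIXES = [ipaddress.ip_network("203.0.113.10/32")]
BLOCKED_URLS = {("blocked.example", "/gallery")}  # (host, path prefix), assumed rule


def routed_via_filter(dst_ip):
    """Stage 1: the ISP router follows the BGP-advertised route, if one exists."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ADVERTISED_PREFIXES)


def parse_http_request(payload):
    """Extract (host, path) from a plain-text HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # The article does not say how non-HTTP traffic is treated,
        # so this model refuses it instead of guessing.
        raise ValueError("not a plain HTTP request")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop any :port
    return host, parts[1]


def decide(src_ip, dst_ip, payload, log):
    """Return 'direct', 'forward' or 'block' for one request."""
    if not routed_via_filter(dst_ip):
        return "direct"  # never reaches the filter: not inspected, not logged
    host, path = parse_http_request(payload)
    for bad_host, bad_path in BLOCKED_URLS:
        if host == bad_host and path.startswith(bad_path):
            log.append(src_ip)  # only a blocked request logs the user's address
            return "block"
    return "forward"  # same IP address, but a different site or URL
```
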

"It feels pretty amazing that a country located on the other side of the globe turns to us, a small company with 22 co-workers in Gothenburg, to install blockage of child sexual abuse content," said NetClean CEO Christian Sjöberg last year when the system was being tested. "We are very pleased with the positive results in New Zealand."

But Tech Liberty NZ, a civil liberties group, is less pleased. The filter handles HTTP traffic—useful but quite limited. As Tech Liberty's Thomas Beagle points out, the WhiteBox can make it hard to access forums and Web search sites, but it misses all sorts of other things (as do most filters):

The filter can’t intercept encrypted Web traffic (https). It’s not hard to change your website from non-secure http to secure https.

The filter can’t intercept the file sharing, e-mail, chat, instant messaging or anything other than unencrypted Web traffic. (Although it does intercept people accessing those services via websites.)

Adding new entries to the filter is a manual process. When websites are so easy and quick to set up, we don’t see how it’s possible for them to do a good enough job to keep the filter list up to date enough.

The filter will only be used by some ISPs. If a number of major ISPs don’t use the filter, is there any point in implementing it for the ones that do?

There's certainly some point, but New Zealand does not appear to be hosting any public discussion about whether the limited utility of such a filtering system is worth the cost and the precedent. The decision to start filtering was made by the Department of Internal Affairs, based on its existing authority to rate and censor content, and not by any new decision of Parliament.

Tech Liberty admits in a January post that, on the world level, "it is apparent that the scheme proposed by the DIA is one of the least offensive ones to defenders of the Internet and civil liberties." Still, the group would like access to the blocklist to make sure the government stays honest; that request was denied, though the government did set up an "independent reference group" that can review the list.