Senator Conroy's office today provided answers to Questions on Notice asked by Greens Senator Scott Ludlam some months ago. Among the dozens of answers reiterating standard positions were some welcome details that have been frustratingly hard to come by before.

You can download the entire exchange (see below), but here are a few pieces of information we think are interesting.

On Circumvention:

Will an ISP be allowed to offer a service or product that aids in the bypassing or circumvention of the filter if;
(a) the product or service is solely for the purpose of circumventing or bypassing the filter; or (b) the product or service has other uses apart from bypassing or circumventing the filter.

ISPs will not be required to block circumvention attempts by their customers or other end users. [2580/1-3]

Our comment: It looks like there will be little risk in providing proxies, browser plugins and similar tools from day one to get around the filter. The Government must have accepted that they will wear this embarrassment.

On the blocking of entire domains:

What was the required behaviour of the filter when a Uniform Resource Locator (URL) consists only of the domain name?

Were all web pages on the domain blocked (or would have been blocked) at any point during the trial?

The ACMA Refused Classification Content list is a list of URLs of overseas hosted Refused Classifications material. The intended behaviour of the ISP filter is to prevent access to specific URLs. Were a domain name to be included on the Refused Classification Content list the intended behaviour would be to block that URL. It is not intended that other URLs on that domain be blocked unless they are also on the Refused Classification Content list.

This was not tested as part of the pilot and there was no URL on the list at that time that consisted solely of a domain name. See 2581 (5). [2581/5-6]

Our comment: This contradicts what we learned from the secret DBCDE forum that revealed, among other things, partial URL matching. If letter-for-letter URL blocking is what we get, then appending a "?" to any URL will possibly circumvent the filter.

On circumvention technology:

Has the Minister ever been shown how to circumvent ISP filters of the type tested by Enex Testlab in 2009; if so, where and when was that demonstration conducted, which acts were demonstrated, and how long did the demonstration take?

Yes, the Minister has been shown a demonstration of a number of circumvention techniques of the filter products used in the ISP filtering pilot. This demonstration took place on Friday 5 June 2009, at the Enex TestLab at RMIT in Bundoora, VIC. The demonstration was of one hour duration, and a number of circumvention techniques were demonstrated including VPN and TOR. [2582/4]

Our comment: Interesting to know the Minister has had a proper demo. He is clearly well informed of the flimsiness of the filter, yet must not feel this diminishes the policy - that is, political - usefulness of the plan.

On ISP support for the filter:


During consultations on the implementation of ISP-level filtering in Australia, a number of ISPs, including Telstra, have indicated their belief that filtering should be implemented on a mandatory basis through the implementation of legislation. [2583/3]

Our comment: This is interesting, if true, but is more likely to be a spinning of ISP opinion that they are not keen on voluntary filtering and only see it happening if it is indeed legislated.

On the size of the list:

Given that the report of the trial notes that it has been suggested by some stakeholders that 10,000 URLs may be a tipping point":
(a) does the department ever expect the blacklist to exceed this number of Uniform Resource Locators (URLs); if so, will further tests be conducted to test the censorware capabilities of filtering more than 10 000 URLs: and
(b) will the blacklist be restricted to under 10 000 URLs as a result of the knowledge from the trial?

The list will be regularly "washed" to remove URLs that no longer contain RC content. If the list approaches 10 000 URLs, the Government will undertake a technical review of filtering a larger list of URLs. [2583/14]

Our comment: This raises more issues than it answers. Firstly, the regular "washing" of the list will probably be a quarterly review, as indicated elsewhere in the document. If 10,000 does indeed cause a problem, there's a significant risk that the target will be reached very quickly. If a website contained 10,000 images, each at a separate URL, how would this be handled by ACMA? Or if somebody renamed a legal but RC image 10,000 times and uploaded them to a web server, and complained about all 10,000 URLs? Any such expensive and massive system needs to be more robust from the beginning.

On foreign sources of banned URLs:

As the Government has noted that URLs from "overseas agencies' will be added to the blacklist,
a) have these agencies previously agreed to this;
(b) which agencies does this include; and
(c) will the URLs obtained from these agencies be classified by the Classification Board.

(a) and (b) The Australian Communications and Media Authority has entered into a memorandum of understanding with the United Kingdom hotline operated by the Internet Watch Foundation, under which the Australian Communications and Media Authority has obtained access to a list URLs of known child abuse images compiled and maintained by the Internet Watch Foundation.

The Australian Communications and Media Authority has also obtained access to a list of URLs maintained by the Cybertipline, the hotline operated by the United States National Centre for Missing and Exploited Children. Access has been granted by the National Centre for Missing and Exploited Children, through the Australian Federal Police. The Cybertipline list contains URLs that provide access to depictions of pre-pubescent children being sexually abused. [2583/25]

Our comment: Mercifully, the NCMEC list and even the IWF list are much narrower in scope than the Government's proposed RC list, but there are obviously serious concerns in bulk-importing a list from an overseas agency unaccountable to the Australian public. The lists would have to be reviewed by Australian regulators.

On privacy:

Are the proposed censorware systems inconsistent with the Telecommunications (Interception and Access) Act 1979. whereby it is currently illegal for an ISP to intercept user requests: if so, is the Minister pursuing amendments to the Act to allow the censorware to legally intercept and block access to content?

The blocking of a defined list of URLs is not inconsistent with the Telecommunications (Interception and Access) Act 1979. Blocking URLs does not require the detailed inspection of web traffic.

Under the new ISP filtering scheme. ISPs will be free to choose the technical filtering solution most appropriate to their needs. However, the use of that solution must comply with relevant laws including the Telecommunications (Interception and Access) Act 1979. [2583/26]

Our comment: We'd dispute the assertion that "blocking URLs does not require the detailed inspection of web traffic", as it requires deep packet inspection, potentially exposing private information. As the system evolves, EFA will comment on whether any issues arise regarding compliance with the TIA.

On the cost to taxpayers:

What is the current typical cost of an ACMA investigation into a URL that is reported as potential prohibited or prohibited content where the content: (a) is referred to the Classification Board; and (b) is not referred to the Classification Board.

(a) In 2008-09. the average cost of investigating an item of online content that was referred to the Classification Board was approximately $685 per item.

(b) In 2008-09. the average cost of investigating an item of online content that was not referred to the Classification Board was approximately $173 per item.

Our comment: I hope you, as a taxpayer, feel like you're getting value for your money.

The full text is available here: Answers to questions on notice.


  1. I'd missed this, thanks for the update.

    There are some interesting answers/thought processes in there. Or maybe I should say lack of thought...

    It's worrying how some answers are so strange, especially given how long it's taken for them to be answered.

    Comment by Akira Doe on 4 May 2010 at 00:19
  2. re circumvention: That's gold! So ISPs are allowed to offer circumvention methods. I van just see the proliferation of VPN hosting services ISPs will offer that terminate on the other side of the filter.

    Comment by Justin on 4 May 2010 at 02:26
  3. I don't know why they are going to bother if the ISPs can offer these methods...

    You'd have to image they would need to use some of these techniques to troubleshoot issues anyway.

    Comment by Akira Doe on 4 May 2010 at 02:28
  4. Think about it.

    They state a specific URL blocking system. You'll find that anyone can just use an "addon domain" (in the form of a subdomain) to bypass the filtering system.

    Considering it takes them 2-3 months to act on a single item, it's not that hard to change a subdomain and do a htaccess redirect from the previous one...

    Comment by Anthony on 4 May 2010 at 05:18
  5. Most of the questions regarding the technical elements only highlight their own deliberate ignorance. For instance, censoring cloud applications and HTTPS.

    Oh, and the government is still holding hope that other high traffic websites will block whatever our government doesn't like. Sure Rudd and Conroy, everyone is willing to pander to your every desire when things aren't working to plan...

    Comment by Ben on 4 May 2010 at 05:22
  6. It seems to me that there's a reason the government isn't making circumvention illegal, that nobody seems to have thought of. Conroy isn't stupid, for all that he's a tyrant.

    That is, he WANTS us to circumvent the filter so his tame IT monkeys can see how we're doing it and update the filter software so that form of circumvention doesn't work any more. You can bet that while circumvention won't be made illegal, ISPs WILL be required to regularly update their filtering software to include the patches that neuter the latest circumvention methods.

    Look forward to constantly having to adopt new circumvention methods on a monthly basis once this goes through; once this war starts it will last forever, just like the ongoing battle with software DRM that's only been going on now for what, 30 years?

    Comment by Steve on 7 May 2010 at 21:33
  7. How can they block VPNs or HTTPS without destroying the Internet?

    Comment by Akira Doe on 7 May 2010 at 21:45
  8. @Akira Doe

    They will make it a crime but only selectively enforce it. They already do this elsewere, it is a crime here in South Australia to upload images that "could" be Classified as higher than MA15, but the police don't, and couldn't, charge every guy who emails his wife/girlfriend/boyfriend a picture of his knob on Valentine's day. It is a similar situation with X rated DVDs, it is illegal to sell them in this State, but not only are they being sold here but they are advertised on the front windows of Sex Shops, the police only choose to enforce this Law based on criteria known only to themselves *coughretalliation4insufficientbribescough*.

    Comment by Womp on 8 May 2010 at 22:49
  9. @Steve

    I think the evidence is very clear indeed that Conroy does not and will not use the advice of experts.

    He will make circumvention a crime, and he will simply use the argument he is currently using, making circumvention a crime will simply be making uniform the existing censorship standards.

    The ACMA takedown authority and Blacklist for optional filters was created to bring the Internet into line with Film and Video Classification.

    Conroy's filter is to bring the whole of the internet into line with the ACMA system.

    Making it illegal to circumvent the filter will be bringing the Law into line with the filter and the ACMA system.

    And, then the police will need the power to randomly search your home and computer so that their powers are brought into line with the filter, ACMA system and the Law.

    And, so it goes on, Conroy swallowed a spider, to swallow the fly, that wriggled an jiggled inside him, perhaps he'll die...

    Comment by Womp on 9 May 2010 at 08:49
  10. "Blocking URLs does not require the detailed inspection of web traffic" is quite correct if it's being done on a DNS basis. But is that how it's going to be done? Has this ever been established? DPI is only necessary if you go to the next level. I would think that would introduce unacceptable levels of latency - more than 1/70th of a blink.

    Comment by Graham on 10 May 2010 at 18:13
  11. The 1/70th of the blink of an eye is a term used by DBCDE (Conroy) that didn't actually appear in the Telstra trial. From memory the Telstra "trial" (lab test) involved 1 computer and DNS Poisoning. I can understand why Conroy would favour Telstra results over what is in the Enex report, but using that as scalable evidence for a mandatory national implementation is so ridiculously incompetent or deceptive that it boggles the mind...

    Your average Aussie (assuming they can remember how to do fractions, yes I'm disappointed in the education most of us get/got, which a stupid website ranking schools is not going to fix) can understand 1/70th of the blink of an eye, so it truly is effective deception. Wouldn't expect anything less from Conroy, certainly don't expect the truth or any sort of tangible evidence to base their policy off unless it suits his agenda either.

    Comment by Akira Doe on 10 May 2010 at 19:02
  12. @Womp

    I find it hard to believe that they've make it illegal and selectively enforce it. If that's the case we're already breaking the law at work because we have a VPN from our office here to another local one, and one in NZ.

    I VPN from home to work on the weekends/after hours if there is an issue so I'd be breaking the law then too.

    I also use Proxy servers in my day to day duties. Although this example was on a New Zealand client's computer (so outsite of Aussie's jurisdiction) I have had to use it here in the past closer to home. One of our clients was unable to access our website. After checking everything with them over the phone and checking our web server etc everything was setup correctly.

    We later had 5 other clients in NZ call with the same problem, they couldn't access our website. I called the first client back and we setup a Proxy to bypass their ISP and sure enough they could access our site again. Turns out it was a problem with their ISPs routing that just happened to knock out ours and any other website hosted on our web server. Using this proxy (should it have been on aussie soil which I've had to do before) would have also been breaking the law.

    Proxy Servers and VPNs are business essential and even business critical technologies and the Government making them illegal to enforce secretive Government controlled censorship is the most stupid idea ever (not poo pooing you Womp :D) and if the DBCDE even thinks about doing this they can be proud that they have screwed up every area of their responsibilities, Broadband (it's "filtered"), Communication (the NBN will be filtered, and everything will be on the NBN, if it's ever built) and the Digital Economy (filtered Internet, Proxies and VPNs made Illegal).

    They would need to rename their department TCF, and Conroy would have to be the Minister for TCF, Total Complete Failure.

    Comment by Akira Doe on 10 May 2010 at 19:16
  13. @Akira Doe

    Sorry, I thought I had made it fairly clear that I was using the future tense and speculating on future Laws. It would seem I wasn't as clear as I had thought. Sorry.

    VPNs are currently legal.

    Personal speculation based on the observation of the trend of events concerning censorship lead me to believe that at a *FUTURE DATE* the use of VPNs for specific purposes *WILL* be made illegal.

    The 4 Corners thing tonight added to this theory with Conroy comparing his filter to anti drink driving laws. They don't just have a law against drink driving they randomly stop people and check if they have been drinking, so if Conroy thinks they are the same why wouldn't he have the Police randomly go into people's houses to check that they are using the filter?

    Comment by Womp on 11 May 2010 at 10:40
  14. @Graham

    You're mistaken, DNS level blocking can only block specific servers (eg however the rest of the URL requires deeper inspection before it can be determined to be a RC url or not.

    As @womp said - it will be illegal (eventually) to circumvent the filter, but will be selectively enforced - eg when a paedophile is caught, and their computer seized they will get an extra couple of years because they also circumvented the filter. Or a "hacker" is caught also gets X years for the circumvention. (Like how Al Capone was caught for tax evasion) Which then re-enforces (to a political mind anyway) that the filter is a good idea etc etc.

    Comment by Ian on 11 May 2010 at 11:26
  15. @Womp - I made the same mistake as you, I was comparing what I can and need to do now that is currently legal that would then be outlawed if, at least these techniques (and also add to that using different DNS Servers to your ISPs for testing) were made illegal because they also bypass the filters.

    And you're right about the 4 Corners, I was shocked when Conroy made those links.

    Long story short, I am in total agreement with everything you've said. I just find it hard to believe (even after Conroy's latest comments on 4 Corners) that such business critical tools (and not just for where I work) that just happen to also be able to totally bypass the ISP Filters would be made illegal.

    Comment by Akira Doe on 11 May 2010 at 18:53
  16. It only makes sense not to require ISPs to detect and block proxies. Blocking proxies is easier said than done. I know this becuase I have had problems with one bloke who just does not get the message that he is not welcome on my web site. I block proxies, but he still gets back on after trying proxies for several hours until he finds one that works.

    That would be the kind of problems ISPs would have if they ever decided to make tham police/block proxy usage. They would be fighting a losing battle. A determined indvidual could keep trying proxies until they found one not blocked.

    Comment by Chilly8 on 13 May 2010 at 01:39
  17. Yes, a Law against using proxies will not work as stated.

    Why would you think a Government that insists on introducing a filter that won't work as stated wouldn't introduce other things that clearly won't work?

    As Ian stated the Law against filter circumvention would most likely be used to enhance other charges, plus the police would likely use it to legitimise what would otherwise be regarded as harassment ie searches without warrants and the like.

    Comment by Womp on 13 May 2010 at 03:13
  18. In response to Womp, it is not so much a law against blocking proxies, as it would be for someone to spend hours trying proxy after proxy until they found one that is not blocked, given the problems I have with one bloke who just does not get the message that he is not welcome on my site, and who will spend hours finding a proxy that does work.

    Before the government outlaws proxies, they will have to find a foolproof way to block them. As I have found out with this one unwelcome user I have problems with, blocking proxies is like playing "whack a mole". You are not going to get them all with current technology.

    And another problem with making it an offence to promote such services is that fact that most VPN providers are outside of Australia. There is one VPN provider who lives in China and has VPN servers all over the world. Being that his business is in China, and he lives there, Australia would have no jurisdiction to prosecute him, even if he broke Australian law offering his services.

    Comment by Chilly8 on 15 May 2010 at 01:15
  19. @Chilly8

    Yes, as you said a Law against VPNs won't work. Just like a Law requiring ISPs to filter won't work.

    A Law requiring a filter won't work.

    A Law against VPNs won't work

    If Conroy is dopey enough to have one Law that won't work why wouldn't he have a second, or third, or fourth?

    Comment by Womp on 15 May 2010 at 03:13
  20. Yes this filter will be easy to avoid if it's implemented but it will effectively be a tax on internet access. An additional $9 US a month will get you a "clean feed" (clean from deep packet inspection) from an overseas encrypted proxy and a connection with a higher latency and/or reduced bandwidth.

    With regard to some of the previous comments:
    - A htaccess redirect would not work; the dns needs to be resolved and the page fetched before a htaccess would happen. The filter would likely prevent this.

    - Deep packet inspection *is* required, at least to the point of inspecting packet headers. Blocking by DNS (ie, by target IP address) would be insane even by Conroy's standards. To block sites by DNS would require that any single infringing item would remove an entire site (or group of sites) from the internet. The list that leaked indicated that they're blocking by full URL's which means each individual item would need to take up one of the ~10,000 spots available in the list. Wildcards might reduce the load a little but would significantly increase the work being done by the equipment used for censorship.

    Comment by James on 16 May 2010 at 15:46
  21. Good luck with DNS poisoning when DNSSEC is fully implemented.

    Comment by Lachlan on 26 May 2010 at 02:50