Good intentions that fall woefully short: That's the quickest summation of a proposed U.K. law intended to get pedophiles offline.

The British government wants domestic ISPs to voluntarily introduce content filtering software to stop people from viewing child pornography by the end of 2007. Net and personal security experts, however, say that software only stops accidental viewing of such sites; and that the approach doesn't prevent content delivery over encrypted connections, email, instant messaging, or seemingly innocent P2P sites.

This turn has led some to question exactly who the government is trying to protect, and whether the millions that it will cost ISPs to install this software might be better spent elsewhere.

At the moment, the U.K. government is not requiring ISPs to install filtering software, but a private members bill that got its second reading before the House of Commons last month would "require Internet service providers and other commercial organizations to declare whether or not they have taken steps to prevent access to Websites containing indecent images of children," regardless of where in the world these pictures are hosted. As it stands, however, the government is only asking for the measure to cover home broadband users, not business users or dial-up accounts.

Vernon Coaker, Parliamentary Under-Secretary at the Home Office, said last month that the government wants all U.K. ISPs, large and small, to have such protections in place by the end of 2007. "If it appears that we are not going to meet our target through co-operation, we will review the options," Coaker said in a written answer to Parliamentary questions on May 15, 2006.

The Internet Watch Foundation (IWF) has been leading the charge to remove illegal material from U.K.-hosted sites and block harmful content from outside the British Isles. The not-for-profit group claims that a hotline where Internet users report suspected illegal images has been largely successful in stopping pedophile images being hosted in the U.K. The group claims that today only 0.4 percent of child abuse images on the Internet are hosted in the U.K., down from 18 percent in 1997.

Images hosted in the U.K. aren't really the main problem; rather, images hosted in the rest of the world are the main source of "illegal content" seen in the U.K. So the IWF has put together a "dynamic list" of "around 6,000 URLs" hosted outside the U.K. on servers in Russia, the U.S., and many other parts of the world that can be blocked by U.K. ISPs.

"We also pass reports on to police in the country involved via Interpol," says a spokeswoman for the IWF.

Filtering such URLs presents challenges, however, because an offensive image may be hosted on a large Web-hosting site, such as Tripod or Geocities. An ISP cannot, under English law, block access to all Geocities pages, only those pages or images that are deemed illegal.

So in 2004, BT came up with a two-stage filtering system called "CleanFeed," which filters the Internet requests from customers and checks for items on the IWF list. BT has never revealed exactly how the system works.

However, Richard Clayton, a researcher at the University of Cambridge Computing Laboratory, caused a minor media storm last year when he put out a paper detailing what he believes is BT's filtering system and how it could be used by tech-savvy pedophiles as an "oracle" of illegal sites.

Clayton says that under BT's system, suspect traffic is filtered onto a second level that returns an error message for illegal pages or images requested but returns all other requests normally if only part of a particular site is blocked. Clayton says those searching for child pornography can deduce whether a site is on the blacklist by seeing if it is routed through CleanFeed. He has written a program, which he refuses to release, to demonstrate the ways in which the system could be abused. "It's an inherent property of a two-tier system," he says.

Talking to us this week, however, Clayton suggests that people looking for such material would not have to go to the lengths of reverse-engineering the BT blocker to access child-porn. Merely using an SSL-encrypted connection could be enough, he says. "If it's encrypted they can't block at all."

Users could also resort to third-party Web proxy software that routes their requests through servers in a different country, and the people running the Websites can keep changing URLs and IP addresses in a cat-and-mouse game with the watchdogs, Clayton notes.

"In the end, the people who want to see this stuff have simply moved from BT," he says.

This suits BT just fine. "I don't think we make any pretense that there are ways around this for the most committed person," says a spokesman for British Telecom. "But we want to keep this material off our network."

It begs the question, however, of just who the government, watchdogs, and operators are trying to protect. "The innocent and the curious who just happen to be browsing and come across something wicked online," reckons Clayton.

Since the system does not currently block FTP or peer-to-peer servers, pedophile networks still have an effective means to deliver their illicit content. Meanwhile, their potential victims are still under threat via IM, email, and more recently, fast-moving social networking sites like MySpace.com.

"The popularity of social networking sites makes kids vulnerable in new ways," declares Michelle Boykins, Director of Communications at the National Crime Prevention Council (NCPC) in Washington, in a statement this week.

"The things that might actually damage children -- chatting to people online -- they can't block that," says Clayton.

Speaking of the proposed legislation, he says, “My general view is that this is a waste of time and money that doesn’t stop people who really want to see this material from viewing it.”

Parry Aftab, an Internet privacy and security lawyer and executive director of WiredSafety.org, argues that educating children about potential dangers online is the way to keep them safe. "No one in any country, no matter how well meaning they are, can block everything," she says. "It's about education. And most of it has to be done at a home, school, or kid level. It's the only way to protect them."

— Dan Jones, Site Editor, Unstrung. Special to Dark Reading

Organizations mentioned in this article: