The latest crazy law imposed, today, with no notice, is The Russia (Sanctions) (EU Exit) (Amendment) (No. 9) Regulations 2022. My good friend, and lawyer, Neil, has blogged on it already...
This is one of those rare cases I am blogging as director of AAISP rather than purely personally. See here for A&A news post on this.
The main issue is we, as an ISP, have to "take reasonable steps to prevent a user of the service in the United Kingdom from accessing, by means of that service, an internet service provided by a designated person."
I do wonder why - I mean this is asking anyone providing internet access, whether for their family at home, or via free wifi, or anything, to do this? Why not ask the handful of transit providers to do this instead - much simpler, surely? But OK...
My first issue as an ISP is what are those services? I mean these are not services offered by some corporate entity that happens to have a "designated person" as shareholder, officer, or even employee, but services actually provided by a "designated person", over the internet. This list of such persons is not simple or small, and working out which provide what services over the internet will not be a simple task.
So we plan to ask, maybe, OFCOM, as they have specific enforcement requirements in that legislation, for a list of such services.
But when we get that, what then? LOL, like we will get a sane answer, ha... But, well, then we have to try and block access somehow, if reasonable.
We do not have means to block access or filter anything by IP, or DNS name, in our network!
I can't stress this enough, we have never had any order to block anything or any previous legal requirement to do so, really. It is, in my opinion, not "reasonable" to expect us (for no payment at all, or otherwise) to magically implement such a measure, especially to do so between Laid before Parliament at 5.00 p.m. on 27th April 2022 and coming into force 29th April 2022, really. Or even (as it will cost a lot) later.
Update: As some people say, we have BGP routers that could have a black hole route added, and customer facing DNS servers that could have a bogus entry added. But this is the tip of the iceberg in terms of a "system" for blocking. There needs to be the management systems to maintain the blocked IPs and domains. Systems for who can add and remove entries. Systems to ensure they are applied correctly to the various config files. Procedures for handling mistakes. Procedures for handling support queries from customers relating to blocks (and mistakes in blocks, over-blocking, etc). Systems for getting the sanctions lists, processing it, researching the services provided by those Russian companies, and making changes over time. Yes, some ISPs have (most of) these systems and procedures in place for other reasons. We don't! On top of which, actual URL blocking is a completely different matter and simply impossible when considering the current use of https.
Update: That said, for a couple of domains, it is not impossible to add a DNS entry manually, but it is far from a scaleable solution.
What could we do?
At a push we could refuse to answer DNS for some domains on our customer facing DNS servers, but customer do not have to use them, so that would not be effective in meeting the requirement. And weirdly the providers of public DNS, like 8.8.8.8 and 1.1.1.1 are not subject to this order - why?
Indeed, if we had some way to block some routing to some IPs (and remembering we must not "over block" to meet net neutrality laws), customers are allowed to, and often do, use VPNs, so again, it would not actually be effective.
I am not sure we could "reasonably" take any technical measures. The closest we could get is not answering some DNS.
So what do we do?
Well, step one is we ask OFCOM for the list of services, and see what we get. That is it for now. I expect no list, to be honest, which sort of solves the problem.
Then we consider what next.
The other consideration is that we might "ask customers nicely" not to access such services. That sounds like a reasonable step to me. We might do that once we have a list of such services.
Update: The sanctions list has been updated - two "designated persons" have been listed: TV-Novosti and Rossiya Segodnya, with the web site rossiyasegodnya.com specifically listed. What is odd is that OFCOM have seen the list and decided that the sites rt.com and sputniknews.com should be "blocked" somehow. So which is it? What is the process for finding the "services" offered by the designated persons and how did OFCOM come up with those two domains? Is every coffee shop offering WiFi to somehow research some Russian companies to find what services they offer?
In practice, it looks like our (free) customer facing DNS servers may have to fib about a couple of domains for now. Not a scalable system, but hopefully "reasonable steps".
And just to be clear, I want the war to stop. But I am not sure how these sanctions help or are in any way effective. They are, however, a break from any notion of "mere conduit" for Internet Access. If they are needed, they are in the wrong place (surely transit providers, or DNS providers like 1.1.1.1 and 8.8.8.8, are more appropriate than every coffee shop offering WiFi). So we are doing what may be the only "reasonable steps" we can do.
Hmm. It requires a written definition of the terms "reasonable steps" and "internet service" and "designated person". Without that this law can surely only be deemed vague and thus unenforceable...?
ReplyDeleteI doubt that any "designated person" actually carries out any of their online activities in their personal name. I suspect it will all be in the name of a corporate entity established in one or more countries.
For a UK corporate entity Companies House now require an annual statement of which humans are Persons of Significant Control. But the information submitted could be lies and appears not to be checked by Companies House. So very hard to ascertain if a Russian person under sanctions is truly behind a specific business.
And this law seems only to apply to AAISP's customers physically inside the UK's geographic boundaries. What if you had an L2TP customer outside the UK? Would you have to block their access to such a web site? And how would you even determine whether that AAISP customer was outside the UK's borders? The customer might be establishing their L2TP link to AAISP over a VPN thus masking their true geographic location.
Or a global corporate might have an MPLS set up connecting 20 offices around the world. They may do their break-out to the public Internet in any country of their choosing and their network admins could change this config every few hours depending on their LAN and WAN loading.
It seems to be yet another attempt to legislate the Internet which is, by definition, extra-jurisdictional and by people who do not understand it.
> It requires a written definition of the terms "reasonable steps" and "internet service" and "designated person".
DeleteTwo of those three are covered.
Checking companies house seems pointless, as the requirement is for services provided by the designated person, not by some other legal entity by which they happen to be an officer, employee, or shareholder.
ReplyDeleteThe AAISP customers outside UK is an interesting one, not considered that added complication!
Given the DCMS guidance on this, I don’t see how implementing DNS blocking on ISP provided name servers will be avoidable.
ReplyDeleteIt’s also usually fairly simple to implement, so I don’t think you’d be able to claim it was unduly expensive to do.
Of course, there’s absolutely nothing to stop users using alternative DNS - or even running their own recursive resolver - but this is something that relatively few will do.
You could stop providing DNS services and just use third party ones, but from my testing A&A’s DNS servers are the best performing for A&A’s customers - compared to the major alternatives like Google or Cloudflare.
So, as much as it pains me to say, I think this will be unavoidable :(
I'm pretty sure that "blocking" in the UK just means "removing the DNS records from ISP-provided DNS servers". As far as I know that's how all of the existing "blocks" have been implemented, such as the Cameron porn filters, banning The Pirate Bay etc. Of course DNS blocks are trivial to get around but very few (if any) lawmakers actually have the technical knowledge to understand this. The laws are primarily symbolic — as long as the government can be seen to be "doing something", it doesn't really matter whether the law really has a useful effect.
ReplyDeleteI do wonder what the intent of this specific blocking regime is, though. Is the idea to try to prevent sanctioned individuals from making money through websites they happen to own, or is it a form of ideological censorship designed to "protect" UK users from having their fragile minds damaged by propaganda from RT?
A couple of things I forgot to mention in my previous comment:
ReplyDeleteRegarding "designated person", bear in mind that "person" in legal terminology can refer to both natural persons (human beings) and legal persons such as corporations. So it isn't a requirement that the internet service literally be provided by a single human being — the government can state that RT or SberBank are "designated persons" whose services need to be blocked.
"Why haven't they imposed the same requirement on 1.1.1.1 and 8.8.8.8?" — I'd say that if the government have finally figured out that they don't have jurisdiction over the content of servers outside of the UK, that's some progress at least. I assume that both Google and Cloudflare do have some assets in the UK so they are not totally outside the reach of UK law, but demanding that a worldwide service implement content restrictions (even if just for UK clients) would nevertheless raise questions about legal jurisdiction that might require litigation to resolve. Imposing obligations entirely on UK ISPs is legally much simpler even if it is technically ineffective.
'We do not have means to block access or filter anything by IP, or DNS name, in our network!'
ReplyDeleteYou've no route reflectors?
I hope Adrian looks at the bigger picture here, this is Orwellian research Biden's ministry of truth in the usa This is not about propaganda or disinformation , this is about silencing any criticism or dissent or GOVT policy and a slippery road into a totalitarian dictatorship on a global scale they are using the contrived UKRAINE war like they used and are still using the #SCAMemic to scare people into compliance, wait until this online harms bill gets passed this is censorship of social media and an end to online anonymity which means no more whistleblowers
ReplyDeleteFellow ISP/MSP person here that is familiar with black hole routing/DNS server admin. If a sanctioned person has a website, hosted on a server, and that IP has 1000 other websites on it, I would deem this as unreasonable to block with a null route. likewise, if they had a blog with blogspot.com or whatever, 1, i'd need to maintain a list for null routes (something that pulls DNS entry a lot...) which again is unreasonable for both points above, but likewise i could not DNS drop it either, as all the other non-sanctioned people would be impacted too. hence unreasonable, the problem will be if i think it's unreasonable, but the government think it's reasonable... regards AG
ReplyDeleteSky have today blocked Russia Today & Sputniknews. The first provider to do so I believe
ReplyDeleteWell 2nd maybe, LOL
DeleteJust out of interest, trying to reach both the mentioned sites, I find I can get to www.rt.com, but not to sputniknews.com.
ReplyDeleteTraceroute shows that Level3 seems to be dropping it (or null routing it) upstream:
3 g.aimless.thn.aa.net.uk (90.155.53.47) 26.038 ms 25.436 ms 26.114 ms
4 8-1-1.ear1.london2.level3.net (217.163.102.225) 26.653 ms 27.505 ms 27.836 ms
5 * * *
I know this is an old post, but this law is utterly LUDICROUS, it broke stuff for me, and now i must request an authoritative list of blocked domains, so I can ensure i never visit them [nudge nudge]
ReplyDelete