Internet Censorship – Taking the Power Back (REPOST)
This video was put together by Donal and Wade at the recent RSA Conference in San Francisco (April 2009).
Dan Kaminsky, Pete Lindstrom and Marcus Ranum put forward their thoughts on Australia’s plan to censor the Internet. Dan talks about many of the issues that Securus Global’s Matthew Strahan talked about in his interview with ban.this.url. Surprising that these concerns have barely rated a mention here. Marcus certainly adds some interesting analogies and angles to the whole debate.
Related Posts on Internet Filtering. Thanks to Donal and Wade for representing BorB at the Blogger Meetup at the conference.


January 31st, 2010 at 12:33 pm
Thanks for reposting this. It really goes to highlight how the EFA and others are having the wrong conversation on this area. Why do I say this? The debate from the EFA is focused around FUD and is designed to cloud the issue, especially around one of the debate as to whether the Internet should be classified. The reality is classification has existed for quite some time in Australia already (see the Classification (Publications, Films and Computer Games) Act 1995 as an example or the Broadcasting Services Act 1992, which itself includes the Internet).
The internet filtering debate should not be one as to whether classifying and restricting content is a good idea (we had that debate quite some time ago and as a society we decided that we did need to be protected from ourselves) but one of how to best enforce the existing requirement taking into account evolving technology. I am not sure how we can say that some media types should be classified and therefore restricted while other media types should not, simply because one represents a greater technical challenge than the other (and to date has not been pro-actively restricted in the same way as legacy media types).
Again, this is not/should not be a discussion as to whether content on the Internet should be classified and restricted (as that is already set in law) but to whether a technical control which is “suitable” can be put in place to enforce existing requirements.
Therefore, would it not be better to focus the conversation on the best method to provide controls based around new media types such as the Internet, rather than simply permitting a bunch of existing product vendors to set and push the agenda to a highly motivated Government?
To me it seems to be a waste of the excellent security talent present in Australia to permit ourselves to be distracted by having the wrong conversation. Especially given the significance of the overflow effect if the filter gets it wrong, or the potential of placing some level of trust and integrity into the Internet if we could in some way get it generally right.
Surely it would be of greater value to start discussing “what conditions need to be true in order for a content classification and control system to be considered generally “suitable” and what suitable actually means to the Australian community”?
To unintentionally accept a substandard system implemented by “experts” because we were too busy talking about a different issue (something I see frequently in corporate environments) just seems like a waste of good talent.
Even if you don’t agree with my thoughts, I have one final question: if we implemented a filter which stopped those who could not be bothered navigating around the filter, would we see a decline in malware and botnet infected consumer PCs in Australia and therefore also see a decline in Internet Banking and other consumer based Internet fraud?
February 13th, 2010 at 8:40 pm
Hi Kevin,
Sorry for the late response. I think the lack of responses comes down to a lot of this already being responded to in the past and covering old territory. My thoughts have been made pretty clear in the posts here:
http://beastorbuddha.com/category/internet-filtering/
Without covering old ground, I’d love to discuss any points you want to cover specifically.
My position hasn’t changed but keen to discuss in more detail things you think I haven’t covered and why. Thank you for adding to this.
DD
February 15th, 2010 at 10:12 am
What I am saying is as a security professional if the Australian community wants a security control, we have an obligation as professionals to deliver them what they want, in the best fit for purpose manner. I see this as no different to delivering a bank an appropriate Internet Banking platform, or a consumer a software application which is fit for purpose for use on the Internet (that is one which has the required level of functionality, that is developed with secure application development lifecycle methodology, ie more like Microsoft, less like Apple).
So given the recent Hungry Beast survey, which can be found here: http://hungrybeast.abc.net.au/stories/internet-filter-survey-results
Said that; 80% of people said they were in favour of “having a mandatory Government Internet filter that would automatically block all access in Australia, to overseas websites containing material that is Refused Classification”.
So it is clear to me that;
1. The vast majority of the Australian public wants filtering
2. The Australian political system sets policy based on popularity
3. The filtering proposed to date is flawed and will generally serve to be ineffective.
4. The force of 2. is stronger than 3. and we will get based on current direction a flawed filtering system because of 1.
So my original post was to suggest based on experience that the current blackout approach will not be effective in changing the outcome and that a different approach would be more effective. That is to start to lobby for an effective filter system.
I will be quite candid and say that my concern is that the proposed system will be expensive (with no open source alternative for smaller ISPs), fails to work across all internet traffic, and that ACMA should not determine the classification of content but this should be done either by the content providers themselves under a self regulation scheme (like how TV functions) or by the film classification board (like how movies work). Likewise I see little value in the blacklist being classified itself, if a website is refused classification the content owner and the general public should understand why.
I don’t see the above reasons however as a valid reason not to have a filter (if that’s what the public wants) but I see them as technical requirements which need to be overcome. My suggestion is that rather than continuing down a no filter path, if you really are concerned around the impact of a filter, your energy would be better spent providing workable alternatives to overcome the specific issues that the current proposed filter will cause. Continuing the no filter path will result in a bad filter. Given that it is 99% likely that we will get a filter, would it not be better to make it an effective filter instead?
That’s all I am saying. Hopefully readers can see that I am not pro filter as such, but anti bad filter. I figure if we are going to have one, it might as well be a good one.
February 23rd, 2010 at 9:29 pm
[...] Internet Censorship – Taking the Power Back (REPOST) (Drazen Drazic, 30 Jan 2010) Video of interviews with network security professionals at a conference in the USA. [...]