What the new sanction covers
This new law says:
A person who provides an internet access service must take reasonable steps to prevent a user of the service in the United Kingdom from accessing, by means of that service, an internet service provided by a designated person.
We have no choice about this, and the penalty for non-compliance is a fine of up to £1 million.
You can read more about the law on Adrian’s blog, and on our lawyer’s blog.
How A&A will approach compliance
We have spent management, legal, and technical time on understanding our obligations, and identifying what we need to do and how we can do it. Measures of this nature are particularly problematic for smaller Internet access providers, especially those which do not have equipment in their networks for filtering and blocking.
At this time, a number of key aspects remain unclear:
- how we identify the Internet services to which we must take reasonable steps to prevent access.
- how often this list of services will change.
- how many services will, in total, be within scope.
All of these have a significant impact on what we can, and indeed must, do, and what is “reasonable” for us to do.
Our approach to identifying the in-scope Internet services
To identify the Internet services in respect of which we must attempt to prevent access, we will rely on the UK Sanctions List and an open letter from Ofcom.
This is not ideal, because the information in Ofcom’s letter differs from the information on the UK Sanctions List. To us, the reasonable step is to apply the measures below to domains which are contained in either of both Ofcom’s letter and the UK Sanctions List.
At the moment, we propose to check the UK Sanctions List on a weekly basis, to identify newly-added domains, and to check if any domains have been removed or modified.
Right now, we do not consider it is reasonable for us to attempt to identify what other domains or URLs might relate to people on the UK Sanctions List, as we have no mechanism for doing this. We will keep this under review. If, for example, Ofcom publishes a list – and we would encourage that – we will consider switching to using it, assuming that there is a means by which we can verify that the domains on that list are indeed operated by designated persons.
Our approach to preventing access
To attempt to prevent access to the domains we have identified using the mechanism above, we will configure our DNS servers to respond with a 'null' response of 0.0.0.0 or ::0 if a customer attempts a lookup for those domains.
In a practical sense, if a customer, who uses our DNS servers, attempts to connect to one of the sanctioned services, our DNS server will say that we cannot give them the IP address of the server they are trying to access.
Similarly, if a customer of our email services attempts to send an email to an account at one of the domains on the UK Sanctions List, they will be unable to do so, since our email services use our DNS servers.
(Please do not contact us to say that you can circumvent what we have done here. We know this is possible. The only sure way to prevent circumvention would be to stop selling the service, and clearly that is impractical. What we are doing is basically the only thing which we can reasonably do at speed – the law is now in force, and people have been designated under it – and possibly at all, given the need to take into account cost, complexity, feasibility, intrusion, and maintainability.)
Frankly, this will be by way of a manual bodge, which is not remotely sustainable or scaleable. However, until we know what things are going to look like, this is the most reasonable, proportionate mechanism we have for attempting to achieve the goal of the measure.
A downside of a NULL response approach is that the person attempting the lookup gets no indication of why the domain is non-existent. We cannot make use of the http status code 451 or redirect customers to an explanation page, and this would not work for these https sites anyway.
We will publish a list of domains for which we will be returning NULL responses at the bottom of this page so that we are being fully transparent about what we are doing.
When (if?) the sanction is lifted, we will reverse this change, returning the domains to their normal status.
Options we considered and ruled out
We considered a couple of other options, and ruled them out:
- Blackholing traffic for IP addresses associated with the Internet services. We do not consider this to be reasonable given the risk of overblocking: we do not know what other, if any, non-sanctioned, services might be accessible via the IP addresses used by the sanctioned Internet services. (For example, if any sanctioned services used shared hosting.)
We are aware that at least one of our transit providers is, or appears to be, blockholing traffic and clearly, if that is what they are doing, there is little to be gained from us doing so too: it would be unreasonable for us to duplicate an effective measure upstream of us.
- Using intrusive deep packet inspection, to attempt to detect traffic to sanctioned services, and blocking them once identified. We do not consider this to be reasonable given the cost and complexity, the impact of implementation of changing TLS standards (which would make the Server Name Indicator unavailable for inspection, without man-in-the-middle attacks, which we consider would be disproportionately intrusive), and the global challenges in obtaining new hardware.
Our stance on not filtering and blocking traffic remains unchanged
Our stance on filtering and blocking has not changed.
Strictly, what we are doing here does not entail the filtering or blocking of traffic. A better analogy would be instructing our servers to tell you lies, fibbing that they do not know to which IP address the domain in question resolves.
However, we appreciate that the effect of our chosen measure is likely to be the same, especially for our less technical customers.
We do not expect to do this type of interference on a routine basis, and we will remove the NULL responses as soon as we can.