I ran into an annoyance trying to clone some Ubuntu LAMP virtual machines that I was using for website development. Every time I cloned the virtual machine, eth0 would go missing, and ifconfig would show only the loopback device, lo.

It turns out that when you clone a VMware virtual machine, the cloned virtual machine’s network interface gets a new MAC address (which, of course, it must to work on the same LAN). But Ubuntu, and many other Linux distributions, cache the old MAC address in a configuration file.

In Ubuntu, the file is /etc/udev/rule.d/70-persistent-net.rules. After cloning, it will contain a reference to the old network interface as eth0:

The easiest way to fix this problem is to simply delete the file. Ubuntu will regenerate it properly the next time it boots up.

sudo rm /etc/udev/rule.d/70-persistent-net.rules

After deleting the file, you need to reboot. After rebooting, ifconfig should show eth0 and everything should just work.

If you’re feeling less adventurous, you can rename the file to *.old so that you can restore it if something doesn’t work:

sudo mv /etc/udev/rule.d/70-persistent-net.rules /etc/udev/rule.d/70-persistent-net.rules.old

You can also edit the file to remove the old reference to eth0, and rename the new eth1 reference to eth0. But deleting the file and rebooting seems more convenient.

The relevant filename is slightly different in other Linux distributions. For example, in Debian, the filename is /etc/udev/rules.d/z25_persistent-net.rules.

This article was originally published on 24 June 2010 on newmatilda.com.

Earlier this week, the Standing Committee on Communications tabled a report on its yearlong inquiry into cybercrime. The report, headed Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime makes 34 recommendations aimed at improving computer security in Australia. One of them in particular — a proposed industry code requiring Australians to install and maintain antivirus and firewall software to access the internet — has sparked some debate.

To assess the merits of that recommendation, it is necessary to understand how ISPs are presently (mostly not) regulated in the area of cyber security, and what exactly the report proposes to change.

The Internet Industry Association (IIA), a group representing ISPs, is largely responsible for writing the codes that regulate them. In relation to cyber security, the IIA recently released a voluntary code of practice titled icode. Among other things, this code lists a number of steps that ISPs may take when they become aware of malware-infected machines on their networks (such as notifying the user or disconnecting the user from the internet), but it leaves it up to the relevant ISP to decide which course of action is appropriate in the circumstances.

The current code is thus doubly voluntary. First, the code itself is voluntary, so ISPs can choose not to comply with it at all, and, second, ISPs that choose to comply with the code are not required to take any particular steps in relation to malware-infected machines on their network. That is, the current code does not provide for any mandatory steps to be taken in relation to malware-infected machines on ISPs’ networks. And in no way does it require users to install and maintain antivirus and firewall software.

The first thing that the new report proposes to change is to have an industry code that is registered. The Australian Communications and Media Authority (ACMA) presently has a power under the Telecommunications Act 1997 (Cth) to register industry codes that deal with certain things. Where such an industry code is registered, ACMA can direct an ISP to comply with the code. Failure to comply with such a direction exposes the ISP to a civil penalty of up to $250,000 per breach. A registered industry code is thus effectively mandatory.

Next, if the recommendations were adopted, ISPs would be required to take certain mandatory steps when malware-infected machines are found on their networks. Specifically, they would be required to notify the relevant users and implement graduated access restrictions (including disconnection) until the relevant machines are cleaned. Importantly, the report does not propose to require immediate disconnection of users whose machines are infected with malware, but rather a graduated response, where disconnection would presumably be the last step. This is important in particular because removal of malware often depends on the installation of up-to-date antivirus software, which is usually obtained online.

Most notably, though, the proposed code would require ISPs to include a contractual term in their acceptable use policies requiring users to install and maintain antivirus and firewall software before accessing the internet. It is this requirement that has raised the most eyebrows.

The most readily apparent problem with this recommendation is that enforcement would be impractical. The proposed code would require a new term in the contract between the ISP and the user, which could only be legally enforced by the ISP (and not, for example, by ACMA). It is not clear whether ISPs would be motivated to enforce these new contractual obligations. Most ISPs’ acceptable use policies currently prohibit the use of their services to infringe copyright, yet as the content industry will tell you, ISPs have not exactly been zealous in policing that part of their policies.

But even if the code required ISPs to actually enforce their contractual rights, for example by disconnecting users who did not comply, it would not be practical for ISPs to verify that their users have up-to-date antivirus and firewall software installed. Arguing that ISPs could manage this task, prominent cyber-security consultant Alastair MacGibbon has made the following point:

There is software available which could be on end-user machines that would allow my ISP, as I log in, to check that I have my firewall turned on, that I have an antivirus that they approve or recommend installed on my computer, and that my operating system and browser are patched — and if those things aren’t met then [my ISP would not] give me [access].

However, such software only works with certain antivirus and firewall products and only works on certain operating systems. And it would put ISPs in the position where they would have to approve particular antivirus and firewall software before users could use it, significantly limiting consumer choice. Approaching the issue of computer security this way appears to create more problems than it solves. Should ISPs be allowed — let alone forced — to dictate what antivirus and firewall products their users may use and what operating systems they may run? And should users be forced to install software from their ISPs that reports back what software they are running to their ISPs?

The other problem with the recommendation is that it is not clear what exactly users would be required to do to comply with these new contractual obligations. Would antivirus and firewall software need to be installed on all devices connected to the user’s network? Antivirus and firewall software for iPhones and iPads, for example, is not available or even possible presently. And there are many other devices for which such software is not as readily available as it is for Windows, including computers running Mac OS X and Linux (arguably because those devices do not need them to the same extent).

The question which then arises is whether any of this is really necessary. Most broadband connections are already provided using a modem-router that doubles as a firewall, and Windows itself (like most other operating systems) already includes a firewall that is on by default. While comprehensive antivirus software is not included with Windows itself (or most other operating systems), free solutions, including Microsoft Security Essentials are readily available. It is not clear how including a contractual term that most users will never read would be any more effective at encouraging use of appropriate security software than would educating users about the need for such software at the time they are provided with internet access (and perhaps via periodic reminders).

Notwithstanding the somewhat controversial recommendations discussed above, it is worth mentioning that the report does cover a lot of ground and makes many other good recommendations. They deal with three areas: aggregation and distribution of data about cybercrime, updating criminal and civil enforcement laws, and educating the public about computer security.

The report recommends setting up coordinated systems to gather and share information about cybercrime, with the aim of using that information to improve responses to online threats. Among other things, this would include developing a reporting system aimed at consumers and small and medium sized businesses, consisting of a centralised portal for reporting cybercrime (including malware, spam, phishing, scams, identity theft, and fraud) and a 24/7 reporting and helpline.

Criminal laws dealing with cybercrime would be reviewed and updated where necessary, and the Australian Consumer Law would be amended in two notable ways. First, consumers would gain a specific right to sue for unauthorised installation of software that monitors, collects, and discloses information about consumers’ activities (ie, spyware). Second, consumers would gain a right to sue a manufacturer for loss caused by a product that was released onto the Australian market with known security vulnerabilities.

Finally, and perhaps most importantly, the report sets out steps to improve community awareness of computer security issues. It does this in two ways. First, the report proposes a ‘public health style campaign’ to deliver messages about computer security issues as well as appropriate behaviours and technical precautions that users should take. Second, the report recommends specific changes to the law requiring, for example, the provision of security information about certain products (such as computers and routers) to users at the point of sale, and requiring also that certain products be designed to prompt and guide users to choose more secure settings (such as setting strong encryption on your wireless access point to secure your network).

While the report contains certain controversial recommendations, that’s normal for reports like this one. Meanwhile the many reasonable recommendations the committee makes — in particular the points about educating users — are a valuable contribution and deserve consideration.

This article was originally published on 18 May 2010 on newmatilda.com.

Electronic Frontiers Australia and the Australian Privacy Foundation raised concerns last week about Google’s use of its Street View cars to collect identifying information about Wi-Fi networks for use in its geolocation service. While that identifying information is relatively harmless, Google has now admitted that it has accidentally collected data sent by users on unencrypted Wi-Fi networks too.

The first half of this story concerns the identifying information about Wi-Fi networks that Google was trying to collect. To explain the practice, we need to cover some basic Wi-Fi concepts.

Each Wi-Fi network is identified by a human-readable name called an SSID (like ‘My Wireless Network’) and a unique hexadecimal number which is usually assigned by the manufacturer of the Wi-Fi access point and called a BSSID or MAC address (like ‘00-17-9A-76-CB-A6’).

Normally, a Wi-Fi access point will publicly broadcast its SSID and BSSID so that nearby computers can display the Wi-Fi network to users in a list of available networks — though most Wi-Fi access points allow you to disable this broadcast if you want.

In addition to that, the BSSID is always sent together with any data transmitted over the Wi-Fi network. Since multiple Wi-Fi networks can operate in the same space, devices connected to a Wi-Fi network need to be able to distinguish between data meant for their network and data meant for other nearby Wi-Fi networks. The devices do this by tagging transmitted data with the BSSID of the Wi-Fi network to which they are connected.

Finally, it is important that the SSID and BSSID are used in the way described above irrespective of whether the Wi-Fi network is secured with a password (WEP, WPA, or WPA2) or not.

It was Google’s collection of the SSIDs and BSSIDs of Wi-Fi networks around Australia that initially gave rise to privacy concerns last week. What Google did was mount Wi-Fi antennas to the roofs of the cars that drive around Australia taking photographs of the roadside for Google Maps Street View. As these cars mapped each city, they collected packets of data sent over nearby Wi-Fi networks. The idea was to take the SSIDs and BSSIDs from the collected packets of data, and to store them in a database together with the information about the location where the SSIDs and BSSIDs were seen.

Google could then use the collected information to provide a geolocation service to its users. The next time a user wanted to know his or her approximate location, he or she could send the SSIDs and BSSIDs of Wi-Fi networks that were nearby to Google. Google could then look up the SSIDs and BSSIDs in its database, retrieve the location where its Street View cars last saw those SSIDs and BSSIDs, and send that approximate location to the user.

In other words, Google’s geolocation service has the same function as GPS: it gives the user his or her location. However, whereas GPS uses the user’s distance from GPS satellites of known location to estimate the user’s location, Google’s geolocation service uses the distance from Wi-Fi networks of known location.

And there is nothing unique about Google’s geolocation service. There are many other geolocation providers that use Wi-Fi networks this way, such as Skyhook Wireless and Geomena.

Whether the practice poses privacy problems is a bit more complicated. In Australia, the principal privacy legislation is the Privacy Act 1988 (Cth), which regulates the collection, use, and disclosure of ‘personal information’. Personal information is defined as information about an individual whose identity is apparent or can be reasonably ascertained from that information.

Ordinarily, information about the location of a Wi-Fi network with a particular SSID or BSSID would not fall within this definition of personal information because it cannot readily be linked to an individual — although the position may be different with respect to Wi-Fi networks that use a surname or phone number as the SSID. It is because this information does not ordinarily identify an individual that its collection probably does not breach privacy laws, and does not pose a privacy problem for most people.

And it is for that reason that the common concern that you could be located using the information that Google collected about your Wi-Fi network is unfounded. Google does not store your details, it stores the SSID and BSSID of your Wi-Fi network. To get the location of your Wi-Fi network back from Google’s geolocation service, a person would have to supply, at the very least, your Wi-Fi network’s SSID and BSSID. It may be conceivable that such a person would guess the human-readable name or SSID that you have assigned to your Wi-Fi network, but he or she would not be able to guess the corresponding unique hexadecimal number or BSSID. The only way that the person could get that information would be to be within range of your Wi-Fi network, and at that point, the person would already know your approximate location.

Another concern — one with more merit — is that websites that you visit might know what Wi-Fi network you are connected to, or what Wi-Fi networks you are near, and then query Google’s geolocation service to find out your approximate location. The important thing here is that your browser does not send information about what Wi-Fi network you are connected to, or what Wi-Fi networks you are near, to the websites that you visit. Sites that you visit simply do not have access to it. The qualification here is that some browsers now have the ability to send information about your location to geolocation services. However such functionality works on an opt-in basis.

So that is the first half of the story. Things took a turn on Friday, however, when Google admitted that its Street View cars had collected not only SSIDs and BSSIDs as intended, but also some of the data that users sent over nearby unencrypted Wi-Fi networks. As its cars received packets of Wi-Fi data, rather than stripping the SSIDs and BSSIDs out of the packet and discarding the rest, the entire packet was saved and later stored on Google’s servers.

That means that if you were using an unencrypted Wi-Fi network as a Google Street View car drove past your house, a copy of whatever you were doing could have been collected and stored on Google’s servers together with your approximate location. Whether the data can identify you personally would depend on what you were doing at the time it was collected. If Google happened to come by your house as you were sending an email, then it may have collected personally identifiable information about you (the email together with the sender and recipient).

Collection of such data could very well breach the Privacy Act 1988 (Cth) or the Telecommunications (Interception and Access) Act 1979 (Cth), which prohibits the interception of communication, including email, passing over certain networks, including Wi-Fi networks. And quite irrespective of whether any law is breached, the practice is a cause for concern.

Google has explained that the collection of this additional data was a programming error. It maintains that it intended to collect and store only the SSIDs and BSSIDs of the Wi-Fi networks that its cars passed. And I have no doubt that that is true. The additional data is of minimal use to Google, and its deliberate collection would be an order of magnitude more irresponsible than what I would think Google could be.

However, that this additional data was collected in error does not make what happened here any more acceptable. This is the second time this year that Google has taken a cavalier attitude towards privacy.

In February, Google released Google Buzz, a Gmail-based social-networking tool. It quickly came to light that Buzz publicly disclosed the email addresses of people who Buzz users emailed most frequently, among other information, without seeking users’ specific consent first. Many users were caught off-guard when their data was unintentionally disclosed to other parties, like abusive ex-husbands.

Google has since corrected its problems with Buzz, but you cannot help but get a feeling of déjà vu as you read Google’s explanation of how it snared unencrypted Wi-Fi data. Google has now vowed to delete the collected data, and to submit itself to a third-party audit to verify that deletion — which was the right thing to do. And it has gone as far as to stop using Street View cars to collect Wi-Fi networking information altogether.

But in light of Google’s recent track record in safeguarding privacy, it would be wise for people to begin questioning what data they disclose to Google. Where people disclose data — whether by entering a search term in Google Search, sending email via Gmail, or broadcasting something as an SSID to the public — it is important that they understand how that data could be used, so that they question how that data is used.

Senator Stephen Conroy jumped the gun by 107 days, announcing that the Government would table legislation to mandate filtering of RC content hosted outside Australia during the autumn 2010 parliamentary sittings.

Depending on the technology, you can bypass the filter by changing your DNS servers, using an encrypted VPN service, or installing Tor (among other solutions). But some of these workarounds can take up to 60 seconds to set up. And using an encrypted tunnel, like a VPN or Tor, will slow your access while you’re using it.

Thankfully, you can also bypass the proposed mandatory filter more conveniently. Just add ?NoCleanFeed or &NoCleanFeed to the end of the blacklisted URL. If the URL doesn’t already contain a ?, add ?NoCleanFeed to the end. If it does contain a ?, add &NoCleanFeed to the end.

For example, if you try to access www.bannedsite.com/page.htm, but you’re blocked, try accessing www.bannedsite.com/page.htm?NoCleanFeed.

If you want to watch a YouTube video that was deemed too shocking for Australian citizens, like www.youtube.com/watch?v=tMiEagk2qN8, you can just try www.youtube.com/watch?v=tMiEagk2qN8&NoCleanFeed instead.

Why It Works

The proposed mandatory filter is to block individual pages containing RC content, and only those pages. It will not block all traffic to a particular IP address or to a particular website. That is, when www.youtube.com/watch?v=tMiEagk2qN8 is inevitably blacklisted as RC content, access will only be blocked to that URL, and not to any other page on www.youtube.com.

That means that you can still view Government-approved YouTube videos, like www.youtube.com/watch?v=03OJvZhU-3M.

To get that result, the filter must block access only where the host and path in the URL (the part before any ?) and the query string (the part after any ?) all match the blacklisted URL. If the filter blocked access where only the host and path matched, all YouTube videos would be blocked when any YouTube video was blacklisted because the host and path for all YouTube videos is the same (www.youtube.com/watch).

Web servers, however, normally ignore unrecognised query string parameters. For example, YouTube looks for a v parameter, which contains the ID of the video to play. You can also optionally specify a fmt parameter to specify the desired video format. And there are several others that YouTube understands. Changing these parameters will change the page that YouTube returns.

But if you pass YouTube a parameter in the query string that it doesn’t recognise, like NoCleanFeed or some other arbitrary string, it will just ignore it, and display the same content as if it were absent. But since the URL is no longer the same as the blacklisted URL, the filter won’t block it.

The same is true for most other web servers. For example, try www.google.com/search?q=test and www.google.com/search?q=test&NoCleanFeed. You should get the same page both times (though ads and other dynamic content may change).

When It Won’t Work

Most servers will ignore unrecognised query string parameters, but not all will. Where the server doesn’t ignore unrecognised parameters, you may get an error or an unexpected page. In that case, you’ll have to fall back to one of the other methods for bypassing the filter.

And, of course, if all else fails, you can still send your favourite RC content by carrier pigeon. It’s faster than Australian Internet access anyway.

Windows Live Writer (download) is an exceptional tool for blogging. But its most useful feature, WYSIWYG editing, relies on an inelegant mechanism to detect the theme used by your blog.

To detect the theme, Windows Live Writer will publish a skeleton post to your blog, read it and save its theme, and then delete it. Sometimes the post isn’t deleted. Other times, it’s indexed by Google, FeedBurner, or other similar services before it’s deleted.

The result is an Internet littered with Temporary Posts Used For Theme Detection.

Obsessive compulsives like me don’t want these posts associated with their blogs. Thankfully, it turns out that you can write a plugin for WordPress to prevent these posts from ever appearing on your website.

Create a new text file called orz-live-writer-helper.php. Copy and paste the above code into that text file, and save it.

Make sure that the very first characters in orz-live-writer-helper.php are <? and that the very last characters are ?>. If they’re not (for instance, if you have a space after ?>), you may get a ‘Warning: Cannot modify header information – headers already sent…’ message. More info.

Create a new directory called orz-live-writer-helper in your wp-content/plugins directory, and upload orz-live-writer-helper.php to the new directory. Finally, activate the plugin by logging into WordPress as an administrator, selecting Plugins from the menu, and selecting Activate for the Orzeszek Live Writer Helper plugin.

The plugin works by hiding any post where the title is ‘Temporary Post Used For * Detection (*)’ from all pages on your blog, as well as from your RSS feed. Users and bots accessing your site, or your RSS feed, won’t be able to see the temporary post.

You can still view the post when logged into the management interface (ie, when logged into wp-admin), so that you can delete the post if it hasn’t been deleted automatically. And, of course, Windows Live Writer can see it too, so that its theme detection engine continues to work.

Hopefully, this will end the flood of Temporary Posts Used For Theme Detection, at least on WordPress blogs.

Note: The present version of Windows Live Writer creates a post titled ‘Temporary Post Used For Theme Detection (*)’. Old versions created posts titled ‘Temporary Post Used For Style Detection (*)’.

If, in a future release, the title of the temporary post changes to something other than ‘Temporary Post Used For * Detection (*)’, you will need to update the code accordingly. (The % is a wildcard in the SQL WHERE clause.)

The Australasian Legal Information Institute (AustLII) site is a great resource for Australian legislation. While far from perfect, it’s considerably more convenient than the government-run alternatives, at least when you just want to check a section quickly.

However, if you want to check a section, say s 52 of the Trade Practices Act 1974 (Cth), you have to go to AustLII, select Commonwealth from the menu on the left, find and select Commonwealth Consolidated Acts, select T, scroll through the list to find the Act, and, finally, scroll through the list of sections to locate the right section.

There is a better way:

If you’re using a browser that supports search keywords, like Firefox, Chrome, or Opera (or Internet Explorer with the right tool), you can add a keyword for your favourite act. For example, you can add a tpa keyword, so that when you type tpa 52 in the address bar, you’re taken directly to s 52 of the Trade Practices Act 1974 (Cth).

Add an Act Keyword

To set up a keyword for an act in Firefox, first find the act on AustLII and go to any section. Add that section to your bookmarks, and open the new bookmark’s properties (right-click on the bookmark, and select Properties).

The location for the bookmark will be something like …/tpa1974149/s52.html. You’ll need to change this, replacing the section number with %s, so that it looks like …/tpa1974149/s%s.html. The browser will replace the %s with whatever you type after the keyword in the address bar.

Finally, you’ll need to choose a keyword. This can be whatever you like. The finished bookmark should look something like this:

Now, when you type tpa 52 in the address bar you’ll be taken directly to the correct section.

Things to Remember

Remember that the way this works is that the browser replaces the %s in the location for the bookmark with whatever you type after the search keyword. This has some consequences.

For example, even though s 51A of the Trade Practices Act 1974 (Cth) has a capital A, the address for that section is …/tpa1974149/s51a.html. A capital A won’t work, so you have to type tpa 52a.

Another example is the Income Tax Assessment Act 1997 (Cth). All of the sections in this act include an en-dash, like s 6–5. However, AustLII replaces the en-dash with a period, so that the address for s 6–5 is …/itaa1997240/s6.5.html. To use a keyword, you have to type itaa 6.5.

Advanced Keywords

Tax lawyers will be familiar with the two most fundamental tax acts: the Income Tax Assessment Act 1936 (Cth) and the Income Tax Assessment Act 1997 (Cth). Sometimes you need one, and sometimes you need the other. But it’s a pain to type itaa1997 6.5.

On AustLII, every section in the Income Tax Assessment Act 1997 (Cth) has a period in it, and no section in the Income Tax Assessment Act 1936 (Cth) does. So, we can use JavaScript to check whether the section typed after the keyword contains a period, and go to the right act accordingly.

To do that, replace the location in the relevant bookmark with the code below:

Make sure that all of the text is on one line and that there are no spaces.

Now, when you type itaa 6.5 you’ll be taken to s 6–5 of the Income Tax Assessment Act 1997 (Cth), but if you type itaa 65 you’ll be taken to s 65 of Income Tax Assessment Act 1936 (Cth).

On 20 June 2009, a young woman, Neda Agha-Soltan, was shot and killed during the Iranian election protests. Her death was captured on video, and spread virally on the Internet, becoming a rallying cry for the Iranian protests.

Given the notorious attempts by the Iranian government to censor the protests, both online and in the media, I thought it would be fitting to test Senator Stephen Conroy’s assertions that the Government’s proposed mandatory Internet filter was unlike the censorship that occurs in Iran and under other undemocratic regimes.

I submitted the following to ACMA:

I am an Australian resident. I believe the content at the following links is prohibited content or potential prohibited content hosted outside Australia within the meaning of the Broadcasting Services Act 1992 (Cth).

[URL 1: Boing Boing post with embedded YouTube video showing the death of Neda Agha-Soltan and associated commentary.]
[URL 2: YouTube video showing the death of Neda Agha-Soltan.]
[URL 3: YouTube video showing another angle of the death of Neda Agha-Soltan.]

Each contains graphic video, apparently real, of a young girl shot in the chest and bleeding to death over the course of a couple of minutes.

The first link has no restrictions for viewing the video (but contains a textual warning). The second two links require registration and a declaration of date of birth (and also contain textual warnings).

The videos document the recent violence in Iran.

I have removed the URLs for legal reasons. If you haven’t already seen these videos, they’re easy enough to find (but be warned: they are graphic).

Today, 64 days later, I received a notice from ACMA confirming that the content was prohibited content.

As part of the ACMA’s investigation of the complaint, it applied to the Classification Board for classification of the content concerned. As a result of the Classification Board’s decision, and as the content is not subject to a restricted access system, it is prohibited content under clause 20(1)(b) of Schedule 7 to the Broadcasting Services Act 1992 (the Act).

The videos are certainly graphic, and I can see why there would be demand for a service that allowed people to avoid content such as this, if that is their individual choice.

However, under both the current and the proposed systems of Internet censorship in Australia, the Classification Board’s decision is binding, to varying degrees, on individuals. For instance, now, Australian-hosted sites cannot link to these videos.

Not the Classification Board or ACMA’s Fault

The Guidelines for the Classification of Films and Computer Games provide that the Classification Board classify violent content with an impact higher than ‘strong’ R 18+ and that the Classification Board refuse classification of content that contains gratuitous, exploitative, or offensive depictions of cruelty or real violence that are very detailed or that have a high impact.

The relevant video certainly does have a high impact, and I don’t see a problem with the Classification Board’s decision. It is reasonable.

Similarly, ACMA has an obligation to blacklist (ie, add to the list of websites containing prohibited content, which is distributed to makers of IIA Family Friendly Filters) any site hosting prohibited content overseas. ACMA has no discretion not to blacklist content that meets the statutory definition of prohibited content.

You can, however, blame the people responsible for the law: the members of parliament responsible for passing this law originally, and the members of parliament today responsible for not repealing it.

Not Refused Classification

Although the position was ambiguous initially (and is arguably still uncertain), Senator Stephen Conroy has now stated that the Government wants to constrain mandatory Internet filtering to content that is refused classification. (Though, refused classification content is much broader than his statements suggest.)

The notice that I received from ACMA indicates that the content was classified R 18+. It made reference to the Broadcasting Services Act 1992 (Cth) sch 7 cl 20(1)(b), which relates to R 18+ content that is not subject to a restricted access system.

Although it’s implied, it’s not absolutely clear that the classification for each of the three submitted URLs was the same.

Because this content was classified R 18+ and not refused classification, this content would not be subject to mandatory filtering under a regime that mandated filtering only of content that has been refused classification.

Banned?

The proposed mandatory Internet filtering will only apply to content hosted outside of Australia. Presently, prohibited content hosted outside of Australia is added to a blacklist that you can opt into. Under the proposed system, the subset of prohibited content that is refused classification content would be blocked mandatorily.

However, none of this applies to sites hosted in Australia. ACMA can still issue a take-down, or link-deletion notice, to any site hosting, or linking to, R 18+ content that is not subject to a restricted access system (or other prohibited content). And you can be fined $11,000 per day if you don’t comply with the notice by 6:00 pm the next business day.

There are also state laws that are relevant. For example, the Classification (Publications, Films and Computer Games) Act 1995 (SA) s 75D makes it an offence to make available or supply R 18+ content using an online service, unless the content is subject to a restricted access system. So, it appears that it’s illegal for South Australians to link to this video (unless they comply with the very onerous restricted access system requirements). The law in your state or territory may vary.

What’s the Point?

The point wasn’t to criticise the Classification Board’s judgment or ACMA’s judgment. They’re merely fulfilling their obligations under the law. The point was to demonstrate how Australian classification law can affect your ability to view significant material because it is disturbing.

It also illustrates the hopeless of trying to suppress content on the Internet. It took 64 days for ACMA to respond to the complaint, and it’ll take even longer before the content is actually added to the IIA Family Friendly Filters.

Of course, it’s trivial to bypass IIA Family Friendly Filters, and it’ll be just as trivial to bypass any mandatory filter. And there are many sources for this particular content, other than the three URLs that ACMA has now blacklisted.

The final and most important point is that all of this is merely anecdotal. The treatment of this particular content is irrelevant. The question is whether you want to decide what content is significant, and what content is too disturbing, for yourself. Or would you like the Classification Board’s decision to be binding on you?

This post is not intended as legal advice. I make no representations whatsoever as to its quality, and will not be liable for any loss, injury, or damage howsoever resulting from it. Seek independent legal advice.

Today, Online Opinion posted an article by Abigail Bray, a post-doctoral research fellow at the University of Western Australia, which is summed up perfectly by Geordie Guy on Somebody Think of the Children:

She writes how a ‘couple of weeks ago’, which I’ll presume is some sort of modern parlance for the ‘in a reproducible experiment performed under controlled conditions’ we expect from academics who submit articles for publication, she went looking for pornography. Astoundingly she found it.

Naturally, people flocked to reproduce Abigail Bray’s experiment of searching Google for ‘sex’. What was surprising was that the results varied significantly for different people. So, I tried myself, and I found that the results were very different when searching Google for ‘sex’:

… than they were when searching Google Australia for ‘sex’ on Australian sites:

Both searches were performed with the default settings: SafeSearch set to medium, logged out of any Google account, and with no cookies. Your results may vary depending on your settings (and your location).

Of course, you would expect Google results to vary when searching different countries. But I hadn’t expected such a large degree of variation. I had assumed that sex was a universal topic.

Update: Made corrections in response to comments by Alan J Lee, Omegatron, and Jim Stewart below. In particular, I had forgotten to mention that I constrained the search on Google Australia to Australian sites.

Here are my results searching Google Australia for ’sex’ without limiting the search to Australian sites:

And I had forgotten (somehow) that hosting pornography in Australia is at least impractical, as ACMA can issue a take-down notice that requires the host to remove such content by 6:00 pm the next business day or face $11,000 per day fines.

So, it’s not at all surprising that far fewer pornographic sites would come up when searching only Australian sites.

I needed a simple countdown timer utility for Windows, but I wasn’t satisfied with any of the options available. So, I wrote Orzeszek Timer.

Just enter the time to count down in just about any format, and hit Enter to start the timer. When the timer elapses, you’ll be notified by an optional alarm.

Orzeszek Timer also supports specifying the time to count down as a command line argument, as well as the new Windows 7 Taskbar Progress Bar overlay.

You may also want to try out the excellent E.gg Timer web app by David LeMieux and Ben Lew available here.

If you use both Windows Media Player and iTunes to manage your music, keeping your ratings synchronised can be a pain. Orzeszek Ratings lets you sync your play counts and ratings between Windows Media Player and iTunes with two clicks.

Windows Media Player and iTunes must be installed on the same computer, and must be pointing to the same files for Orzeszek Ratings to sync the play counts and ratings for the files.

That means that ratings and play counts for any files that are converted when they’re added to your library (like WMA files added to iTunes) won’t be synced, since your Windows Media Player library and iTunes library are no longer referring to the same file.

You may also want to check out MusicBridge. MusicBridge has a few more options, including the ability to sync track number, name, artist, album, album artist, year, genre, album art, and rating (but no option to sync play count).

However, I’ve found that MusicBridge’s rating sync is quirky. Some 3-star ratings in Windows Media Player become 2.5-star ratings when synced to iTunes, etc. The reasons are explained somewhat here. This quirkiness is one of the reasons why I wrote Orzeszek Ratings.

A couple of days ago, Wired reported on the questionable use of Flash cookies revealed by a UC Berkley study. While non-novice Internet users are generally aware of cookies and their implications, fewer users are aware that Adobe’s popular Flash plugin stores its own cookies separately from normal browser cookies.

If you’re using Mozilla Firefox, you can use the BetterPrivacy add-on to automatically delete all of your Flash cookies each time you close your browser. You can also configure BetterPrivacy to delete the cookies every few minutes. Or to allow you to manually delete them using its interface.

If you’re using Internet Explorer, Chrome, or another browser, you can also use the Flash Settings Manager found here. It’s a good idea to browse through this anyway, as it contains some handy privacy settings (including the ability to disable Flask cookies entirely).

And, for Mac OS X, there’s Flush.app.

Slow and buggy file transfers are a problem with Windows Live Messenger (and MSN Messenger before it). Windows Live Messenger relies on UPnP to establish a connection between the sender and recipient of a file, and it doesn’t allow advanced users to specify the external port and IP address manually.

If you don’t have UPnP on your network, or if it fails for some reason, Windows Live Messengers falls back to a mode where it routes the transfer through an intermediary. This slows the transfer, and is often unreliable.

Orzeszek Transfer works as a simple HTTP server that serves only the files you have explicitly specified. When you add a file, it creates a URL that you can send to anyone who has a web browser or a download manager. They can then download that file directly from you.

It’s a convenient way to transfer larger files without using an intermediary. And it supports resuming broken transfers and multi-part transfers, so long as the client does.

Orzeszek Transfer doesn’t support UPnP though, since it’s intended to be used when UPnP has failed. (If UPnP was working, you wouldn’t need it in the first place.) That means that you’ll need to forward an external port, 30000 by default, to your local IP address.

Your external IP address is detected automatically, though you can override this behaviour if you want.

You can download Orzeszek Transfer here.

A lot of people got excited when Mozilla announced in 2007 that Firefox 3 would include a visual refresh focussing on system integration. Finally, Firefox would look like it belonged in Windows Vista. Sadly, that wasn’t the case, and Firefox today still looks like it belongs in the last decade.

Recently, a number of blogs have picked up these screenshots, showing mock-ups of the interface for Firefox 3.7. But what I found more interesting was the proposed interface evolution shown here:

After stopping off briefly at Firefox 3.7, the interface continues its evolution until it’s practically indistinguishable from Google Chrome.

I happen to love the Chrome interface, so, if accurate, this is nothing but good news. But it’ll be a long wait until Firefox 4.0. The question now is whether Google can add support for extensions to Chrome before Mozilla adds a modern interface to Firefox.

One of the annoyances about the default tag cloud widget in WordPress is that there is no easy way to change the minimum and maximum font size that the widget uses. While the recent release of WordPress 2.8 doesn’t add any UI to change those sizes, it’s now easier to change them than before.

WordPress 2.8 adds a new widget_tag_cloud_args filter, which you can use to override the default arguments that are passed to the wp_tag_cloud function. The filter provides a keyed array, where the smallest, largest, and unit keys represent the smallest font size, the largest font size, and the unit (‘pt’, ‘em’, ‘px’, etc) used by the default tag cloud widget.

You can change the minimum and maximum font size that the default tag cloud widget uses in WordPress 2.8 by creating a new plugin that hooks that filter as explained below.

Create a new text file called orz-tag-cloud.php. Copy and paste the following code into that text file, changing the relevant values (shown in bold) as desired, and save it.

Create a new directory called orz-tag-cloud in your wp-content/plugins directory, and upload orz-tag-cloud.php to the new directory. Finally, activate the plugin by logging into WordPress as an administrator, selecting Plugins from the menu, and selecting Activate for the Orzeszek Tag Cloud plugin.

Make sure that the very first characters in orz-tag-cloud.php are <? and that the very last characters are ?>. If they’re not (for instance, if you have a space after ?>), you may get a ‘Warning: Cannot modify header information – headers already sent…’ message. More info.

Update 1: I updated the plugin to be even simpler and more streamlined. I had originally adapted the plugin from a more complex plugin that provides certain functionality specific to my blog. The original class structure was unnecessary for this simple plugin, however.

Update 2: I updated the instructions to place the orz-tag-cloud.php in its own folder to minimise the potential for conflicts with other plugins.

Update 3: Added a note indicating the cause of the ‘Warning: Cannot modify header information – headers already sent…’ message, and how to avoid it.

I did it. I bought a Razer Mamba mouse. It’s a AU$200 mouse, AU$140 of which is in the form of its packaging. Besides being beautifully designed, it performs very well, and it’s highly recommended if you have the money.

Being inclined as I am, I decided to read through the legalese that accompanies the mouse, including the EULA for the driver software.

Razer™ IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT.

That’s generous. I wonder what kind of license they’re willing to grant.

Razer™ grants you a non-exclusive, revocable license to use one copy of the enclosed software program, licensed and not sold to you, (“Software”) on one computer only with the Razer™ product you have purchased. No other rights are granted. [Emphasis added.]

It’s good to know that I won’t be able to use this mouse with more than one computer, especially given that it comes with on-board memory specifically for the purpose of easily moving it between multiple computers.

Installation on a network server for the sole purpose of your internal distribution of the Software is permitted only if you have purchased an individual Software package or concurrent dedicated license for each networked computer to which the Software is distributed. …

You may not transmit the Software over a network (except as expressly permitted above) or electronically using any means. [Emphasis added.]

So I can’t store it on my home server either. Nice.

It goes without saying that Razer does not, I’m sure, intend to enforce any of this. Indeed enforcement would be difficult for a number of reasons, particularly Razer’s inconsistent advertising. (I would emphasise, however, that there is no fair use concept in Australia.)

One of the goals when drafting a contract is to protect your client’s interests. But the other is to give effect to the bargain struck. It’s incredibly frustrating when lawyers draft licenses such as this and completely ignore the latter.

Yesterday, Australian IT ran a story suggesting that Senator Stephen Conroy is backing away from the ‘mandatory’ in his mandatory Internet filtering plan. The story refers to statements that Senator Conroy made in a Senates Estimates hearing suggesting that filtering could be implemented with a voluntary industry code.

To explain what he (probably) meant, I have set out how filtering is governed by a voluntary industry code today, how this can be changed to make filtering mandatory, and what exactly is ‘voluntary’ about this industry code.

Status Quo

The Broadcasting Services Act 1992 (Cth) sch 5, which is presently in force and has been for years, already provides that ISPs must filter ‘prohibited content’ and ‘potential prohibited content’ hosted overseas notified to them by ACMA.

However, that filtering is subject to any industry code (a code made by a body or association that represents ISPs) that sets out a notification scheme for such content and procedures that ISPs will follow when notified of such content.

In other words, the Act provides that ACMA can direct ISPs to filter out ‘prohibited content’ and ‘potential prohibited content’ hosted overseas unless ISPs have made a code that says that they will deal with the content in some other way.

The Internet Industry Association (IIA) has made such a code. The most recent version is the Internet Industry Codes of Practice 2005, and it’s registered by ACMA here. The Code provides that ACMA will notify the content to makers of IIA Family Friendly Filters, and that ISPs will distribute those filters to customers who want them at no more than cost. Effectively, this creates an opt-in filtering system.

What Senator Conroy was saying was that there are two ways to introduce mandatory Internet filtering: change the legislation so that ISPs have to filter despite any code or change the code to require mandatory filtering.

Voluntary Codes are Mandatory

But if the industry code is voluntary, how can it provide for mandatory filtering? The answer is that compliance with a registered industry code is not really voluntary.

The code is voluntary in that the IIA (or some other body or association that represents ISPs) would have to voluntarily make it (as opposed to legislation which is simply imposed by Parliament). However, once it’s made and registered by ACMA, ACMA can direct an ISP to comply with it.

While failure to comply with the code is not itself an offence, failure to comply with a direction to comply with the code is. The penalty is $5,500 for each day of contravention for an individual and $27,500 for each day of contravention for a body corporate.

Effectively, compliance with the code is mandatory.

Conclusion

In this way, even though the code would be voluntarily made, ISPs could be required to comply with it, making filtering effectively mandatory. And even if compliance with the code were truly voluntary, filtering could still be mandatory from the perspective of the end user if enough ISPs chose to comply with it.

None of this is to suggest that the IIA is likely to change the code to mandate filtering. Indeed, given the opposition to filtering, it’s unlikely that ISPs would volunteer to implement filtering on a mandatory basis (especially with the overbroad definition of ‘prohibited content’ in the current Act).

Unfortunately, though, it’s a little too early to celebrate victory over mandatory filtering.

This post is not intended as legal advice. I make no representations whatsoever as to its quality, and will not be liable for any loss, injury, or damage howsoever resulting from it. Seek independent legal advice.

While I have attempted to write this post without bias, I am opposed to any plan for mandatory filtering of online content.

No normal person would care, but Microsoft has finally added support for OpenType ligatures in Microsoft Word 2010 (Word 14). I’ve posted previously about indications that OpenType ligatures would be supported in Word 2010, but since the Microsoft Office 2010 Technical Preview leaked, we know for sure.

OpenType ligatures aren’t enabled by default, though.

To enable OpenType ligatures, right-click on some text, select Font, select the Advanced tab, and select Standard Only from the Ligatures combo box. This enables the standard ligatures, like fi and ffi.

Depending on the font that you’re using, you can also select from a number of other sets of ligatures. And you can select from available stylistic sets and number forms, as well as change the number spacing.

You can also disable these OpenType features entirely by opening Word Options, selecting the Advanced tab, and checking Disable OpenType Font Formatting Features under the Layout Options that are right at the bottom.

This is all great news for the three people who were looking forward to this support in the next version of Word.

You can check out some more Office 2010 screenshots here and here.

This article was originally published on 16 April 2009 on newmatilda.com.

When Senator Conroy announced a live pilot to assess, among other things, the technical feasibility of filtering the ACMA blacklist of so-called ‘prohibited content’, he described the list as containing ‘child sexual abuse, rape, incest, bestiality, sexual violence, and detailed instruction in crime’.

So, when three copies of the list were posted on Wikileaks, people were surprised to find it included ordinary pornography, horror movie clips, anti-abortion sites, pro-euthanasia sites, and poker sites.

These are not errors. These sites are on the blacklist because the definition of ‘prohibited content’ under the Broadcasting Services Act 1992 (Cth) is much broader than people assume.

‘Prohibited content’ is not just illegal content. It includes all content classified RC and X 18+; content classified R 18+ that is not subject to a restricted access system (which I’ll explain later); and certain commercial content classified MA 15+ that is not subject to a restricted access system.

A ‘restricted access system’ is a system that requires a person seeking access to online content to apply for that access and either declare that he or she is at least 15, or prove that he or she is at least 18 (for example, by providing a valid credit card number), depending on whether the content is classified MA 15+ or R 18+. This is in much the same way that cinemas require proof of age for screenings of certain films.

It should be clear from the definition of ‘prohibited content’ that such content, as a class, is not illegal. MA 15+ and R 18+ movies screen in public cinemas after all. But what about X 18+ and RC content? Most people have some idea of the type of content that’s classified MA 15+ and R 18+, but don’t necessarily know what’s classified X 18+ and/or refused classification (RC).

Any real depiction of actual sexual activity is classified X 18+, so long as it doesn’t feature any RC content.

Content that’s refused classification (RC) is quite diverse. It includes depictions of sexual fetishes, like body piercing, application of substances such as candle wax, golden showers, bondage, spanking, and fisting.

It also covers extreme violence, sexual violence, child pornography, incest fantasies, and bestiality, as well as detailed instruction in crime and detailed instruction in the use of certain drugs.

The law regulating X 18+ and RC content in each state and territory of Australia is beyond the scope of this article. Suffice to say that in most places in Australia, possession of X 18+ and RC content is not an offence, though sale of X 18+ and RC content is. Possession of child pornography is, of course, illegal all over Australia.

So, if prohibited content, as a class, is not prohibited, what is it? The answer is that it’s merely a class of content in relation to which ACMA has certain powers when it’s found online.

Under the Broadcasting Services Act 1992 (Cth), when ACMA finds prohibited content hosted in Australia, it must issue a take-down notice directing the provider to cease providing the content to the public or, if it’s in relation to MA 15+ or R 18+ content, to make it subject to a restricted access system.

The provider must comply with the notice as soon as practicable, but no later than 6:00 pm on the next business day. Failure to do so can result in fines up to $11,000 per day (or $55,000 per day for corporations).

In addition to take-down notices, ACMA can also issue a service-cessation or link-deletion notice. These notices apply to live prohibited content (such as live video) and links to prohibited content respectively. They operate the same way, requiring the provider to cease providing the live content or the link.

When ACMA finds prohibited content hosted overseas, it notifies the content to the makers of the ‘Internet Industry Association Family Friendly Filters’ pursuant to an industry code that’s been registered under the Act. Under this code, each ISP provides at least one IIA Family Friendly Filter to users who want one, at cost.

IIA Family Friendly Filters are software packages approved by the IIA that users can optionally install on their systems to filter their Internet connections. It was from one of these filters, Integard, that the three ACMA blacklists posted on Wikileaks were extracted.

So, the regulation as it stands effectively creates an opt-in filtering regime for prohibited content hosted overseas, while at the same time making hosting prohibited content in Australia impractical, since providers have to remove such content when a notice is inevitably issued. Importantly, though, it’s not an offence to host or link to prohibited content in Australia. It’s only an offence to fail to comply with a notice from ACMA.

After Whirlpool was threatened with an $11,000 per day fine for linking to a blacklisted anti-abortion site, some people expressed concern that they’d be fined for linking to a site on a secret list, even though they had no way of knowing what was on that list.

As explained above, this isn’t the case. You could get a notice from ACMA if you host or link to prohibited content, but you won’t be fined unless you fail to comply with it. (Particular content may be illegal under state or territory law though. For example, possession and copying of RC content is illegal in Western Australia.)

Understanding that the ACMA blacklist is of prohibited content and that prohibited content is not just illegal content, it is clear why the sites mentioned earlier are on the list.

Ordinary pornography sites are on the list because they feature real depictions of sexual activity. Such content would be classified X 18+ or, if it featured a sexual fetish, RC.

A clip from a horror movie posted on YouTube is included because it would be classified R 18+. YouTube requires users to declare that they are at least 18 before viewing the clip, but in order for this site not to be listed as ‘prohibited content’ a restricted access system would have to require proof of age.

The anti-abortion sites on the list contain graphic images and video of abortions and aborted foetuses. The content is not subject to any restricted access system. Presumably, these images and videos would be classified R 18+ or RC.

The pro-euthanasia sites on the list provide detailed instruction in the use of drugs like Nembutal. Under current guidelines, such instruction is classified RC.

Finally, the list also contains some sites that don’t host prohibited content, like a Queensland dentist’s website and an astrology website. These sites were added to the list because, at the time, they had been defaced with prohibited content. The legislation makes no distinction between sites intentionally hosting prohibited content and those that have been defaced with such content.

But what about the poker sites? Poker sites, and other gambling websites, aren’t prohibited content under the Broadcasting Services Act 1992 (Cth), but they are ‘prohibited Internet gambling content’ under the Interactive Gambling Act 2001 (Cth).

Under that Act, ACMA has essentially the same powers in relation to overseas-hosted prohibited Internet gambling content as it does in relation to overseas-hosted prohibited content. That is, it notifies the content to makers of IIA Family Friendly Filters. This is why websites like PartyPoker.com end up on the blacklist too.

The most important thing about all of the above is that this is regulation that’s been in place since 2000. The current Government hasn’t clearly stated what it proposes to change.

Initially, the Government indicated it would mandate filtering of the existing ACMA blacklist. The Department of Communications website still says that ‘filtering would block content using a blacklist of prohibited sites … which are defined as “prohibited” under Australian legislation which has been in place since 2000’.

More recently, the Government said in a media release that it ‘has indicated an interest in [filtering] content that is Refused Classification’ (emphasis added). Senator Conroy made corresponding statements on SBS’s Insight and Triple J’s Hack programs. In the latter, he insisted that this has always been the case.

Even if that is the case, the nature of Internet filtering is such that any blacklist will have to be secret, mistakes will be made, and circumvention will be easy. And RC is a broad category that includes material that many Australians find unobjectionable.

Perhaps it would be better if each Australian could decide for him- or herself what is objectionable. This is how the Internet has always worked in Australia, and we haven’t descended into anarchy yet.

After ACMA issued a final link-deletion notice to EFA in relation to the AbortionTV website, it came out that the Classification Board had classified the relevant page R 18+. A number of people have suggested that you could still link to the AbortionTV website if you made the link subject to a restricted access system.

There are two problems with this under the current system in the Broadcasting Services Act 1992 (Cth) sch 7.

First, a restricted access system in relation to R 18+ content must require applicants for access to that content to provide proof of their age, not merely a declaration. Users aren’t going to hand out valid credit card numbers or copies of their birth certificates just to view links.

Second, the restricted access system must apply to the R 18+ content itself, and not to the link to the R 18+ content. That is, R 18+ content that’s not subject to a restricted access system is prohibited content. A link that’s subject to a restricted access system that points to R 18+ content that’s not subject to a restricted access system is still a link to prohibited content.

The test that ACMA applies when determining whether to issue a link-deletion notice is whether there is a link hosted in Australia that points to prohibited content. It’s not relevant whether the link itself is subject to a restricted access system or not.

I have provided details below.

Proof of Age

Under cl 14, ACMA has power to declare what is a ‘restricted access system’ in relation to particular classes of content. The most recent declaration is the Restricted Access System Declaration 2007.

Among seven requirements for restricted access systems in relation to R 18+ content, cl 13 provides

(1) Unless subsection 14(2) or (3) applies, the access-control system must verify that the applicant is at least 18 years of age by:

(a) requiring the applicant to provide evidence that the applicant is at least 18 years of age; and

(b) applying the risk analysis described in section 15.

So, a restricted access system in relation to R 18+ content must require proof of age, not merely a declaration. (Subsections 14(2) and (3) merely provide that the access-control system need not verify the applicant’s age more than once.)

What types of evidence? Clause 15(2) provides

The risk analysis must identify and assess the risk that a kind of evidence of age submitted to the access-control system could be held or used by:

(a) a person other than the person it purports to identify; or

(b) a person who is younger than the age which the form of evidence attributes to the person being identified.

Examples of sufficient evidence might include valid credit card numbers or copies of birth certificates, which, of course, users won’t be willing to provide to just any website.

Restricted Access Systems Don’t Relate to Links

Clause 20(1) states that content is ‘prohibited content’ if, among other alternatives,

(b) both:

(i) the content has been classified R 18+ by the Classification Board; and

(ii) access to the content is not subject to a restricted access system

From this, it’s clear that R 18+ content is prohibited content only if it’s not subject to a restricted access system. Division 5 then requires ACMA to issue link-deletion notices where

(a) end-users in Australia can access content using a link provided by a links service; and

(b) the content is prohibited content; and

(c) the links service has an Australian connection

So, the test is whether the content that is linked to is prohibited content, not whether the link itself is prohibited content.

If the content linked to were classified R 18+ and were subject to a restricted access system, then it wouldn’t be prohibited content and no link-deletion notice would be issued for the link.

However, if the content linked to were classified R 18+ but weren’t subject to a restricted access system, then it would be prohibited content and a link-deletion notice would be issued for the link. Here, it’s irrelevant whether the link itself is subject to any restricted access system.

In other words, the test for issuing a link-deletion notice is not whether you have a link that’s not subject to a restricted access system to R 18+ content. It’s whether you have a link to R 18+ content that’s not subject to a restricted access system.

There are only two scenarios for linking to the AbortionTV content that won’t risk a link-deletion notice. First, you can host the link itself outside of Australia. Then, the links service won’t have an ‘Australian connection’. Second, you can ask AbortionTV to require visitors to prove that they’re over 18. That won’t happen.

This post is not intended as legal advice. I make no representations whatsoever as to its quality, and will not be liable for any loss, injury, or damage howsoever resulting from it. Seek independent legal advice.

While I have attempted to write this post without bias, I am opposed to any plan for mandatory filtering of online content.

Today, Electronic Frontiers Australia (EFA) announced that its host had received a final link-deletion notice from ACMA directing them to remove a link to a page on the AbortionTV website that EFA included in an article appropriately titled ‘Net censorship already having a chilling effect’.

EFA has since complied, replacing the original link with the following:

REDACTED. The original title of the page was “AbortionTV Pictures #6”, and can presumably be found using major search engines.

One of the ironies is that by issuing these notices, ACMA has probably driven more traffic to the AbortionTV website than any other organisation. If googling the text quoted above is too much trouble, people can always use the notice itself as a handy reference.

The other interesting thing about this notice, as Mark Newton points out, is that Andree Wright from ACMA testified at a Senates Estimates hearing on 23 February 2009 that the AbortionTV site was added to the blacklist because there was a substantial likelihood that it would be refused classification.

From memory, it was a page that contained no text, just pictures. The pictures were of aborted and dismembered foetuses. The graphic nature of the presentation without any contextualisation of the images meant that the images were judged on their own merits for their impact and their severity. We have kept a careful watching brief on the way the Classification Board has handled those types of images. On a previous occasion, we made a referral to the Classification Board on very similar material and it came back as ‘refused classification’. So we juxtaposed the two decisions and judged it on the images.

That meant that, at the time it was added to the blacklist, the content was ‘potential prohibited content’, which meant that the Classification Board had not actually classified the content.

This latest notice states that the content is ‘prohibited content’. That means that the Classification Board has now actually classified it, and the notice states that the classification is R 18+. Presumably, the Board classified this content after ACMA issued Whirlpool’s host an interim link-deletion notice.

Download: Sublime IP Final Link-Deletion Notice (298 KB)

Update: Nic Suzor pointed out that a summary of the Classification Board’s decision is available here.

Today, The Daily Show website joins a long list of innovative online content services, such as Hulu and Pandora Internet Radio, that are unavailable to Australian residents:

Then there are the services, like iTunes and Audible, that offer limited catalogues of content to their Australian users. And movies and television series that are made available to Australians months after they’re made available elsewhere.

The frustration is ineffable.

A number of people have noted that you can use VPN services, such as HotSpotVPN, or other US-based proxies to make these sites believe you’re connecting from within the US. You can, of course. But, other than the extra cost, you’d be in breach of the terms of service:

This Site is offered and made available only to users 18 years of age or older who reside in United States of America. If you are not yet 18 years old, or do not reside in the United States, please discontinue using the Site immediately … by using or attempting to use the Site, you certify that you are at least 18 years of age and meet any other eligibility and residency requirements of the Site.

At least we have Foxtel.com.au, where you can watch ads for Foxtel 24-hours-a-day.

Around noon yesterday, four weeks late for April Fools’, Steve Waddington of Exetel announced that Exetel would run its own Internet filtering trial, independently of the Government-run trial. The kicker? There is no ability to opt-out of the trial.

The announcement states that the purpose of the trial is to give engineers and administrators an opportunity to understand the filtering technology, its implementation, and its costs.

We anticipate that the implementation of this NetClean system will have no impact for any end user. However, if you suspect you have been impacted, please post your experience here and we will investigate and report back.

Most curiously, the announcement states

Any opinions or comments relating to your personal views on government filtering should be directed to your local MP.

The trial is set to start today and is expected to run ‘a few days to a week’.

Technical Summary

Last Friday, Steven Waddington posted some technical details about the NetClean WhiteBox that Exetel would use. You can get the firsthand information here.

If I understand correctly, the system is set up as a BGP neighbour. It queries DNS servers for the IPs of all blacklisted sites. It then poisons the attached network by advertising hostroutes for these IP addresses with itself as the next hop.

Since ISPs do this kind of routing anyway, so long as the blacklist is small (less than around 10,000 IPs according to the system’s makers), there should be no discernible impact on performance.

When a request is routed to the filtering system, the filter inspects it to determine whether the specific URL requested is on the blacklist. That way, when blacklisted content shares an IP with non-blacklisted content, the non-blacklisted content isn’t blocked.

It’s an elegant solution, insofar as it’s a clever implementation of bad policy.

No Opt-Out

Steven Waddington confirmed in a reply to a comment to his technical post that there’s no ability to opt out. In the forum, it’s explained that it’s technically infeasible for this system to allow end-users to opt-out.

I’m not intimately familiar with this technology, but I don’t see why that would be the case. The system would only have to check for an opt-out preference after it receives a routed IP and has confirmed that the requested URL is blacklisted. This should occur for relatively few requests with a small blacklist.

Of course, you can still ‘opt-out’ by using a proxy server, a VPN, or Tor.

What’s Filtered

Steve Waddington’s technical post states that the makers of the NetClean WhiteBox, Watchdog International (whose motto is appropriately ‘get the worst out of the Internet’), are supplying Exetel with a list of 198 IPs. What does it contain?

It’s a technical trial so it really doesn’t matter. If ever a law is passed that requires Exetel [to] use a list of sites then the Australian Federal [Government] would be the only issuing authority.

So we don’t know what’s on the list, but we do know that the list won’t be expanded during the course of the trial. The system only works with small blacklists, and doesn’t support any kind of dynamic filtering.

Conclusion

The key points are that Exetel is running a filtering trial with no-opt out mechanism. It’s using a blacklist of 198 unknown IPs. There is no dynamic filtering, and seemingly no plans for any trial of such technology.

It’s likely that Exetel customers won’t notice a change, other than a sinking feeling of knowing that they are one step closer to an Orwellian Australia.

This post covers recent events and may contain errors or inaccuracies. Exetel hasn’t provided an official statement detailing this trial, and much of the information posted here is from semi-official sources.

I am opposed to any plan for mandatory filtering of online content.

On 26 March 2009, the Classification Board website was hacked, and the text on the homepage was replaced. The altered site was available for around three-and-a-half hours before it was taken offline. And, five days later, a placeholder page was posted.

Today, nearly a full month after the site was hacked, the site is now back online:

The entire website appears to have been overhauled. Most notably, the design and layout of the site has been updated. Presumably, attention was given to security too.

While I hadn’t spent much time on the old Classification Board website, the new site appears to be an improvement. It’s certainly better than the Courts Administration Authority of South Australia website, which is still firmly lodged in the ’90s.

In March 2009, ACMA issued a notice to Bulletproof Networks, who host the popular Whirlpool online discussion site. The notice required Bulletproof Networks to remove a link to a blacklisted anti-abortion site, and threatened an $11,000 per day fine if it failed to comply.

After this, some people expressed concern that they’d be fined for linking to a site on a secret blacklist. For example, this blog said

ACMA plans to fine any site that links to a blacklisted site up to A$11,000 per day. The catch is—doubtless you saw this coming, citizen—the blacklist’s contents are secret. If you link to its prohibited sites, you won’t know until ACMA fines you.

To explain why this isn’t the case, I have provided a summary of the regulation of prohibited content and potential prohibited content hosted in Australia found in the Broadcasting Services Act 1992 (Cth) sch 7.

I detailed the definition of ‘prohibited content’ and ‘potential prohibited content’ in a previous post that dealt with such content hosted overseas. Recapping briefly, ‘prohibited content’ is

• content rated RC or X 18+;
• content rated R 18+ and not subject to a restricted access system; and
• content rated MA 15+ provided by certain commercial services and not subject to a restricted access system.

When ACMA finds prohibited content or potential prohibited content, or links to such content, hosted in Australia, it issues the provider a notice that requires them to cease providing the content. The provider must comply with the notice by 6 pm the next business day or face fines up to $11,000 per day.

So it’s not an offence to host or link to such content in Australia. It’s only an offence to fail to comply with a notice from ACMA directing you to cease doing so. You won’t get a surprise fine.

Below, I provide a detailed look at the regulation.

Australian Connection

The first thing about the regulation of prohibited content and potential prohibited content in sch 7 is that it applies only to content services and hosting services that have an ‘Australian connection’. Clause 3 provides

(1) For the purposes of this Schedule, a content service has an Australian connection if, and only if:

(a) any of the content provided by the content service is hosted in Australia; or

(b) in the case of a live content service—the live content service is provided from Australia.

Note: A link is an example of content. If a link provided by a content service is hosted in Australia, the content service will have an Australian connection (see paragraph (a)).

(2) For the purposes of this Schedule, a hosting service has an Australian connection if, and only if, any of the content hosted by the hosting service is hosted in Australia.

Prohibited Content

The action taken by ACMA depends on whether the content is prohibited content or potential prohibited content. In relation to prohibited content, cl 47(1) provides

If, in the course of an investigation under Division 2, the ACMA is satisfied that:

(a) content hosted by a hosting service provider is prohibited content; and

(b) the relevant hosting service has an Australian connection;

the ACMA must:

(c) if:

(i) the content does not consist of an eligible electronic publication; and

(ii) the content has been classified RC or X 18+ by the Classification Board;

give the hosting service provider a written notice (a final take-down notice) directing the hosting service provider to take such steps as are necessary to ensure that a type A remedial situation exists in relation to the content

Essentially, a ‘type A remedial situation’ is one in which the provider no longer provides the content. Since the content has actually been classified by the Classification Board, the notice to stop hosting the content is final.

(d) if:

(i) the content does not consist of an eligible electronic publication; and

(ii) the content has been classified R 18+ or MA 15+ by the Classification Board;

give the hosting service provider a written notice (a final take-down notice) directing the hosting service provider to take such steps as are necessary to ensure that a type B remedial situation exists in relation to the content

A ‘type B remedial situation’ is essentially one in which the provider either no longer provides the content or makes the content subject to a restricted access system. This is because content classified R 18+ or MA 15+ isn’t prohibited content if it’s subject to a restricted access system.

(e) if:

(i) the content consists of an eligible electronic publication; and

(ii) the content has been classified RC, category 2 restricted or category 1 restricted by the Classification Board;

give the hosting service provider a written notice (a final take-down notice) directing the hosting service provider to take such steps as are necessary to ensure that a type A remedial situation exists in relation to the content.

The different classification level here matches the different definition of prohibited content applicable where the content is an eligible electronic publication, as explained in my previous post. Briefly, an ‘eligible electronic publication’ is an electronic version (or an audio recording) of a book, magazine, or newspaper that is or was available to the public in Australia.

Potential Prohibited Content

In relation to potential prohibited content, the procedure is essentially the same, except that the notice is only an interim notice until the content is actually classified by the Classification Board. Clause 47(2) provides

If:

(a) in the course of an investigation under Division 2, the ACMA is satisfied that:

(i) content hosted by a hosting service provider is potential prohibited content; and

(ii) the relevant hosting service has an Australian connection; and

(b) the ACMA is satisfied that, if the content were to be classified by the Classification Board, there is a substantial likelihood that:

(i) if the content does not consist of an eligible electronic publication—the content would be classified RC or X 18+; or

(ii) if the content consists of an eligible electronic publication—the content would be classified RC or category 2 restricted;

the ACMA must:

(c) give the hosting service provider a written notice (an interim take-down notice) directing the provider to take such steps as are necessary to ensure that a type A remedial situation exists in relation to the content until the ACMA notifies the hosting service provider under subclause (4) of the Classification Board’s classification of the content; and

(d) apply to the Classification Board under clause 22 for classification of the content.

Type A and type B remedial situations are the same as for prohibited content, so the effect of the above is that the provider must cease providing the content until it’s actually classified by the Classification Board.

Clause 47(3) continues

If:

(a) in the course of an investigation under Division 2, the ACMA is satisfied that:

(i) content hosted by a hosting service provider is potential prohibited content; and

(ii) the relevant hosting service has an Australian connection; and

(b) the content does not consist of an eligible electronic publication; and

(c) the ACMA is satisfied that, if the content were to be classified by the Classification Board, there is a substantial likelihood that the content would be classified R 18+ or MA 15+;

the ACMA must:

(d) give the hosting service provider a written notice (an interim take-down notice) directing the provider to take such steps as are necessary to ensure that a type B remedial situation exists in relation to the content until the ACMA notifies the hosting service provider under subclause (4) of the Classification Board’s classification of the content; and

(e) apply to the Classification Board under clause 22 for classification of the content.

The effect here is that the provider must either cease providing the content or make it subject to a restricted access system until the content is actually classified by the Classification Board.

Actual Classification

Once the Classification Board classifies the content (which used to be potential prohibited content), ACMA must notify the provider and, if the classification is such that the content is now prohibited content, issue a final take-down notice.

Clause 47(4) provides

If, in response to an application made as required by subclause (2) or (3), the ACMA is informed under paragraph 23(b) of the classification of particular content, the ACMA must:

(a) give the relevant hosting service provider a written notice setting out the classification; and

(b) in a case where:

(i) the content does not consist of an eligible electronic publication; and

(ii) the effect of the classification is that the content is prohibited content because it has been classified RC or X 18+ by the Classification Board;

give the hosting service provider a written notice (a final take-down notice) directing the provider to take such steps as are necessary to ensure that a type A remedial situation exists in relation to the content; and

(c) in a case where:

(i) the content does not consist of an eligible electronic publication; and

(ii) the effect of the classification is that the content is prohibited content because it has been classified R 18+ or MA 15+ by the Classification Board;

give the hosting service provider a written notice (a final take-down notice) directing the provider to take such steps as are necessary to ensure that a type B remedial situation exists in relation to the content; and

(d) in a case where:

(i) the content consists of an eligible electronic publication; and

(ii) the effect of the classification is that the content is prohibited content because it has been classified RC, category 2 restricted or category 1 restricted by the Classification Board;

give the hosting service provider a written notice (a final take-down notice) directing the provider to take such steps as are necessary to ensure that a type A remedial situation exists in relation to the content.

Since the content has now actually been classified by the Classification Board, the notices are all final.

Type A and Type B Remedial Situations

I have briefly summarised what type A and type B remedial situations are, but the specific wording of the definitions may be important. Clause 47(6) provides

For the purposes of the application of this clause to a hosting service provider, a type A remedial situation exists in relation to content at a particular time if:

(a) the provider does not host the content; or

(b) the content is not provided by a content service provided to the public (whether on payment of a fee or otherwise).

And cl 47(7) provides

For the purposes of the application of this clause to a hosting service provider, a type B remedial situation exists in relation to content at a particular time if:

(a) the provider does not host the content; or

(b) the content is not provided by a content service provided to the public (whether on payment of a fee or otherwise); or

(c) access to the content is subject to a restricted access system.

Compliance

Clause 53 provides

(1) A hosting service provider must comply with an interim take-down notice that applies to the provider as soon as practicable, and in any event by 6 pm on the next business day, after the notice was given to the provider.

(2) A hosting service provider must comply with a final take-down notice that applies to the provider as soon as practicable, and in any event by 6 pm on the next business day, after the notice was given to the provider.

Clause 53(6) provides that subclauses (1) and (2) are designated content/hosting service provider rules.

Criminal Offence

Clause 106 then provides

(1) A person commits an offence if:

(a) the person is a designated content/hosting service provider; and

(b) the person engages in conduct; and

(c) the person’s conduct contravenes a designated content/hosting service provider rule that applies to the person.

Penalty: 100 penalty units.

(2) A person who contravenes subclause (1) commits a separate offence in respect of each day (including a day of a conviction for the offence or any later day) during which the contravention continues.

Since the Crimes Act 1914 (Cth) s 4AA(1) defines ‘penalty unit’ as $110 and s 4B(3) provides that the maximum penalty is five times the specified amount when the person convicted is a body corporate, the maximum penalty here is $11,000 per day for an individual and $55,000 per day for a body corporate.

Civil Penalty

Clause 106 discussed above creates a criminal offence that requires the prosecution to prove its case to the criminal standard (that is, beyond reasonable doubt). In addition to cl 106, cl 107 provides

(1) A person must not contravene a designated content/hosting service provider rule if:

(a) the person is a designated content/hosting service provider; and

(b) the rule applies to the person.

(2) Subclause (1) is a civil penalty provision.

(3) A person who contravenes subclause (1) commits a separate contravention of that subclause in respect of each day (including a day of the making of a relevant civil penalty order or any subsequent day) during which the contravention continues.

Section 205F(1) of the Act provides that where a person contravenes a civil penalty provision, the Federal Court may order the person to pay the Commonwealth a pecuniary penalty on application by ACMA. This is called a ‘civil penalty order’.

The most important thing about civil penalty orders is that the Court will apply the civil rules of evidence and procedure during the hearing, as provided by s 205K. This means that the Court has to be satisfied of the contravention only to the civil standard (that is, on the balance of probabilities).

Section 205F(3) lists the factors relevant to determining the amount of the penalty, but sub-s (4) provides that the amount cannot be higher than the maximum penalty for the corresponding criminal offence.

Finally, s 205L provides such an order cannot be made against a person if that person has been previously found guilty of the corresponding criminal offence. Though, s 205N provides that a person can be convicted of the corresponding criminal offence after a civil penalty order has been made.

Links Services and Live Content Services

The regulation summarised above is the general regulation. There are separate provisions dealing with links services and live content services, which I won’t set out in as much detail since they operate much the same way.

A ‘links service’ is merely a content service that provides one or more links to content. Under pt 3 div 5, ACMA must issue a link-deletion notice if

(a) end-users in Australia can access content using a link provided by a links service; and

(b) the content is prohibited content or potential prohibited content; and

(c) the links service has an Australian connection.

Essentially, this means that ACMA will issue a link-deletion notice if a link hosted in Australia allows end-users in Australia to access prohibited content or potential prohibited content irrespective of where that content is actually hosted.

Relevantly, the definition of ‘content service’ in cl 2 explicitly excludes Internet search engines and directories, so long as they don’t specialise in prohibited content or potential prohibited content.

A ‘live content service’ is a content service that provides live content, unsurprisingly. Under pt 3 div 4, ACMA must issue a service-cessation notice if

(a) live content provided by a live content service is prohibited content or potential prohibited content; and

(b) the live content service has an Australian connection.

Both link-deletion notices and service-cessation notices operate fundamentally the same way as take-down notices. That is, a final or interim notice is issued depending on whether the content has actually been classified by the Classification Board and the provider must comply as soon as practicable but no later than 6 pm the next business day or risk a fine or civil penalty.

Maintaining Our Implied Freedoms

Finally, because Parliament had a sense of humour, cl 121(1) provides

This Schedule does not apply to the extent (if any) that it would infringe any constitutional doctrine of implied freedom of political communication.

We don’t have a right to freedom of expression in Australia. We only have a limited implied freedom to communicate on political matters, which is much narrower in scope:

Conclusion

While it’s not an offence to host or link to prohibited content or potential prohibited content in Australia, the effect of the regulation is that prohibited content and potential prohibited content isn’t hosted in Australia. No one will invest time or money in such a site, only to be required to take it down when ACMA inevitably issues a notice.

However, the definition of ‘Australian connection’ is such that Australian-controlled sites can still provide prohibited content and potential prohibited content to Australians, so long as all of the content that the sites provide is hosted outside Australia.

As explained in my previous post dealing with overseas-hosted prohibited content and potential prohibited content, it’s not an offence for Australians to view such sites, so long as the content in those sites isn’t illegal under some other law.

Update: You can see an example of a final link-deletion notice here.

This post is not intended as legal advice. I make no representations whatsoever as to its quality, and will not be liable for any loss, injury, or damage howsoever resulting from it. Seek independent legal advice.

While I have attempted to write this post (except the cartoon) without bias, I am opposed to any plan for mandatory filtering of online content.

There’s been some confusion surrounding the government’s use of the phrase ‘prohibited content’ to describe what’s on the ACMA blacklist.

The phrase suggests content that is illegal to view or possess, and that misconception is furthered by Senator Stephen Conroy’s constant references to the contents of the ACMA blacklist as being mostly child pornography and the ‘worst of the worst’.

In fact, ‘prohibited content’ is a legislative phrase defined in the Broadcasting Services Act 1992 (Cth) sch 7 cl 20. Briefly, it is

• content rated RC or X 18+;
• content rated R 18+ and not subject to a restricted access system; and
• content rated MA 15+ provided by certain commercial services and not subject to a restricted access system.

When ACMA finds prohibited content hosted overseas, it adds it to its blacklist. (The procedure dealing with Australian hosted content is different, and I don’t propose to deal with it in this post. I deal with it here.)

Under the present system, the ACMA blacklist is provided to the makers of IIA Family Friendly Filters. ISPs have an obligation to provide those filters to their customers at cost on an opt-in basis or face fines of up to $27,500 per day.

No other (relevant) legal consequences flow from content hosted overseas being ‘prohibited content’. Thus, it’s not illegal to view, distribute, or provide access to online content merely because it’s prohibited content.

The caveat is that accessing or distributing certain content is illegal for other reasons. The most obvious example is that it’s illegal to produce, disseminate, or possess child pornography.

Below, I have posted a detailed look at the law that governs what ends up on the ACMA blacklist and what ISPs must do about content on that blacklist.

What Is Prohibited Content?

The general definition of ‘prohibited content’ is found in the Broadcasting Services Act 1992 (Cth) sch 7 cl 20(1). That subclause provides that generally content is ‘prohibited content’ if

(a) the content has been classified RC or X 18+ by the Classification Board

In other words, all content refused classification or rated X 18+ by the Classification Board is prohibited content.

(b) both:

(i) the content has been classified R 18+ by the Classification Board; and

(ii) access to the content is not subject to a restricted access system

Content rated R 18+ by the Classification Board is prohibited content unless access to it is subject to a restricted access system.

Under cl 14, ACMA has power to declare what is a ‘restricted access system’ in relation to particular classes of content. The most recent declaration is the Restricted Access System Declaration 2007.

It provides guidelines that specify risk analysis factors that content providers must consider when assessing whether particular evidence is sufficient to verify the age of a person applying to access the content. (See here for more information.)

(c) all of the following conditions are satisfied:

(i) the content has been classified MA 15+ by the Classification Board;

(ii) access to the content is not subject to a restricted access system;

(iii) the content does not consist of text and/or one or more still visual images;

(iv) access to the content is provided by means of a content service (other than a news service or a current affairs service) that is operated for profit or as part of a profit-making enterprise;

(v) the content service is provided on payment of a fee (whether periodical or otherwise);

(vi) the content service is not an ancillary subscription television content service; or

(d) all of the following conditions are satisfied:

(i) the content has been classified MA 15+ by the Classification Board;

(ii) access to the content is not subject to a restricted access system;

(iii) access to the content is provided by means of a mobile premium service.

These last two paragraphs essentially provide that content classified MA 15+ by the Classification Board provided by certain commercial services is prohibited content unless access to it is subject to a restricted access system.

What If the Content Isn’t Classified?

Each of the subclauses above refers to content having been classified by the Classification Board. Since most Internet content wouldn’t be so classified, cl 21(1) provides:

For the purposes of this Schedule, content is potential prohibited content if:

(a) the content has not been classified by the Classification Board; and

(b) if the content were to be classified by the Classification Board, there is a substantial likelihood that the content would be prohibited content.

ACMA’s relevant powers in relation to content hosted overseas are the same with respect to prohibited content and potential prohibited content.

Eligible Electronic Publications

The definition of ‘prohibited content’ in cl 20(1) does not apply to eligible electronic publications. An ‘eligible electronic publication’ is an electronic version (or an audio recording) of a book, magazine, or newspaper that is or was available to the public in Australia.

A more constrained definition of ‘prohibited content’ is provided in cl 20(2) in relation to eligible electronic publications:

For the purposes of this Schedule, content that consists of an eligible electronic publication is prohibited content if the content has been classified RC, category 2 restricted or category 1 restricted by the Classification Board.

The definition of ‘potential prohibited content’ in cl 21(1) is correspondingly constrained in relation to eligible electronic publications by cl 21(2):

… content is not potential prohibited content if:

(a) the content consists of an eligible electronic publication; and

(b) the content has not been classified by the Classification Board; and

(c) if the content were to be classified by the Classification Board, there is no substantial likelihood that the content would be classified RC or category 2 restricted.

Why, for example, an electronic version of a printed newspaper should be treated differently than an online-only news website is not clear.

What’s Prohibited about Prohibited Content?

I’m only dealing with content hosted overseas in this post. And sch 5 cl 40(1) answers this question in relation to such content:

If, in the course of an investigation under Division 2 of Part 3 of Schedule 7, the ACMA is satisfied that Internet content hosted outside Australia is prohibited content or potential prohibited content, the ACMA must:

(a) if the ACMA considers the content is of a sufficiently serious nature to warrant referral to a law enforcement agency (whether in or outside Australia)—notify the content to: [police or an authorised person or body]

The above is fairly straightforward. The next paragraph is the most important.

(b) if a code registered, or standard determined, under Part 5 of this Schedule deals with the matters referred to in subclause 60(2)—notify the content to Internet service providers under the designated notification scheme set out in the code or standard, as the case may be

Part 5 authorises bodies and associations that represent ISPs to make codes dealing with certain matters. Those codes may be registered by ACMA. If there is no code, ACMA can determine a standard (basically a code, except that it’s made by ACMA). Why is this code or standard so important?

(c) if paragraph (b) does not apply—give each Internet service provider known to the ACMA a written notice (a standard access-prevention notice) directing the provider to take all reasonable steps to prevent end-users from accessing the content.

In other words, ACMA already has the power to direct ISPs to block prohibited content and potential prohibited content, but only so long as there is no code or standard under pt 5 dealing with the cl 60(2) matters.

What Are cl 60(2) Matters?

Those matters are found in paras (c) and (d) of cl 60(2), which provides

The Parliament intends that, for the Internet service provider section of the Internet industry, there should be:

(a) an industry code or an industry standard that deals with; or

(b) an industry code and an industry standard that together deal with;

each of the following matters:

(c) the formulation of a designated notification scheme;

(d) subject to subclause (8A), procedures to be followed by Internet service providers in dealing with Internet content notified under paragraph 40(1)(b) of this Schedule or clause 46 (for example, procedures to be followed by a particular class of Internet service providers for the filtering, by technical means, of such content).

(Subclause (8A) simply provides that the Minister can declare that filtering is not viable in relation to particular devices, like mobile phones.)

In other words, cl 60(2) allows a code or standard to provide that, instead of ACMA issuing a standard access prevention notice, some other procedure will be followed when ACMA finds prohibited content or potential prohibited content hosted overseas.

The Internet Industry Association (IIA) has made such a code. The most recent version is the Internet Industry Codes of Practice 2005, and it’s registered by ACMA here.

Clause 19 of this Code provides an opt-in scheme, whereby ISPs provide IIA Family Friendly Filters at cost to customers who request them. This effectively replaces the access-prevention notice regime, which would otherwise be mandatory, with an opt-in system.

What Are ISPs’ Obligations?

If there were no registered code or standard dealing with the cl 60(2) matters, ACMA would have the power to issue access-prevention notices. Clause 48(1) then provides

An Internet service provider must comply with a standard access-prevention notice that applies to the provider as soon as practicable, and in any event by 6 pm on the next business day, after the notice was given to the provider.

However, ACMA doesn’t have that power because there is a code dealing with the cl 60(2) matters. Compliance with that code is effectively mandatory. Clause 66 provides:

(1) If:

(a) a person is a participant in a particular section of the Internet industry; and

(b) the ACMA is satisfied that the person has contravened, or is contravening, an industry code that:

(i) is registered under this Part; and

(ii) applies to participants in that section of the industry;

the ACMA may, by written notice given to the person, direct the person to comply with the industry code.

(2) A person must comply with a direction under subclause (1).

Clause 72 similarly provides that a person must comply with any applicable ACMA standard.

What Are the Penalties?

Clause 79 provides that the clauses requiring compliance with access-prevention notices, codes, and standards are online provider rules. Clause 82 then provides

(1) A person is guilty of an offence if:

(a) an online provider rule is applicable to the person; and

(b) the person engages in conduct; and

(c) the person’s conduct contravenes the rule.

Penalty: 50 penalty units.

(2) In this clause:

engage in conduct means:

(a) do an act; or

(b) omit to perform an act.

The Crimes Act 1914 (Cth) s 4AA(1) defines ‘penalty unit’ as $110. And s 4B(3) of that Act provides that the maximum penalty is five times the specified amount when the person convicted is a body corporate. Thus, the maximum penalty here is $5,500 for an individual and $27,500 for a body corporate.

Finally, cl 86 provides

A person who contravenes clause 82 or subclause 83(4) is guilty of a separate offence in respect of each day (including the day of a conviction for the offence or any later day) during which the contravention continues.

In other words, the maximum penalty for failing to comply with an access prevention notice, code, or standard is $5,500 for each day of contravention for an individual and $27,500 for each day of contravention for a body corporate.

Conclusion

Presently, the obligations of ISPs in relation to the ACMA blacklist of prohibited content and potential prohibited content hosted overseas end with provision of IIA Family Friendly Filters at cost to customers who request them.

It’s also notable that the existing legislation could provide for mandatory filtering if the existing code is, at least to the extent that it deals with the cl 60(2) matters, removed. (Though, that’s unlikely given ISPs’ resistance to mandatory filtering.)

I hope that explains how the ACMA blacklist works in relation to overseas content. In a future post, I’ll cover ACMA’s powers in relation to prohibited content and potential prohibited content hosted in Australia.

This post is not intended as legal advice. I make no representations whatsoever as to its quality, and will not be liable for any loss, injury, or damage howsoever resulting from it. Seek independent legal advice.

While I have attempted to write this post without bias, I am opposed to any plan for mandatory filtering of online content.