Forgot your password?
typodupeerror
Censorship The Internet

Hundreds of Sites Blocked By Canadian ISP 302

Posted by Zonk
from the quite-the-smooth-move dept.
An anonymous reader writes "Last week Slashdot reported on the blockage of a union website by Telus, a leading Canadian ISP. Since that story, the company has restored access but the fallout continues. The move may lead to new ISP regulations in Canada and a study by the OpenNet Initiative has found that by blocking the union site, Telus also blocked an additional 766 websites including a breast cancer fundraising site." From the article: "While there are a number of different ways to block access to Web sites, the method Telus chose to block the Voices for Change site -- blocking its IP address -- produced massive collateral filtering. Filtering by IP address is efficient since ISPs can quickly and effectively block access to the target site using their existing routing technology. Many ISPs already block certain IP addresses to combat spam and viruses. Large networks, like Telus, have mechanisms in place to block IP addresses almost instantaneously, simply by updating their routers with a "block list" of addresses. However, it is common for many different, unrelated Web sites to share the same IP address."
This discussion has been archived. No new comments can be posted.

Hundreds of Sites Blocked By Canadian ISP

Comments Filter:
  • by Anonymous Coward on Thursday August 04, 2005 @08:18AM (#13238908)

    but expect to be sued for providing access to childporn, illegal software, coprighted material, terrorist training manuals, political sites, communists, bomb making equipment

    slippery slope egh ? see you in the next RIAA lawsuit !!
    • by Anonymous Coward
      Uh, Telus is in Canada & we don't have the RIAA up here.
    • by Patrik_AKA_RedX (624423) <patrik@vanostaeyen.gmail@com> on Thursday August 04, 2005 @09:24AM (#13239313) Journal
      So all I need to do the get the post office in trouble is mail something illegal to some random person? In essence the post office and an ISP provide the same kind of service. Both allow 2 individuals to send each other materials. If I send a list of instructions on how to build some kind of explosive device, does it make any difference if I send it by email or by regular mail?

      Besides can an ISP check on what you send without violating the law on privacy (the one that makes it illegal to read other peoples mail)?
      IMO an ISP can't be held resposible for a email or file transfered. However they can be held responsible if they, after being notified by other people or an authority, don't stop a certain person from continuing sending harmfull mails or don't remove illegal content from their webspace.

      Just my 2 cents.
      • DMCA (Score:5, Informative)

        by Chyeld (713439) <chyeld AT gmail DOT com> on Thursday August 04, 2005 @09:57AM (#13239543)
        In the US of A. If you are a common carrier, you can not be held liable for the information being transmitted over your lines. However, if you censor/filter/control access to what is sent over your lines, you no longer have that safe harbor and are considered to be liable for what is sent as if you are filtering and allow something to go through, it's an implict acceptance of it.

        I don't know if this is something that applies to Canada as well. But it's be biggest reasons why ISP's in USA will not filter or control access to parts of the internet based on content. The end user has the option to filter, but it must be controlled by that user, not the ISP.
      • Actually there is a difference between mail and email.
        Email is not considered "private" communications. Traditionally it would sent as clear text. If you made reading it illegal than any packet sniffer would be illegal.
        Laws on private electronic communications have not kept up. The problem is the balance of what should be protected by law vs freedom.
  • i'm confused.... (Score:2, Interesting)

    by BillyZ (169879)
    "However, it is common for many different, unrelated Web sites to share the same IP address."

    It is?
    • Re:i'm confused.... (Score:2, Informative)

      by [Galaxie] (40909)
      If your using hostname headers to distinguish between sites you host then yes, 1 ip can represent an unlimited number of websites.
    • Re:i'm confused.... (Score:4, Informative)

      by jez9999 (618189) on Thursday August 04, 2005 @08:21AM (#13238928) Homepage Journal
      Yyyyyes, it is. Name-based hosting allows the web server to serve multiple sites up, based on the browser's Host: header as well as the IP address connected to.
      • Which is what make it difficult to block. You need an layer 7 (application layer) firewall to block it, whereas any firewall can block a specific IP. While not unheard of, it requires a whole lot more processing power because you need to monitor the stream and parse text headers.
        • While not unheard of, it requires a whole lot more processing power because you need to monitor the stream and parse text headers.

          Ever heard about http proxy servers and transparant proxying?

          In case of http its really easy since the tools for doing it are readily available and have been for a long time.
          • ... Which does not change the fact that a layer 7 filter, such as an HTTP proxy, takes quite a bit more processing power than a simple IP-based (layer 3) ACL on a router.

            In short, of course the parent's heard of a proxy. Of course it's easy *to set up* and the tools are available. Now, build me one that can handle multiple OC-48 pipes without slowing down traffic and won't piss off paying customers by caching pages with old information (such as pages that a web designer is working on, or cnn.com).

            Not so e
            • ... Which does not change the fact that a layer 7 filter, such as an HTTP proxy, takes quite a bit more processing power than a simple IP-based (layer 3) ACL on a router.

              Definitely, but cost != technically difficult.

              In short, of course the parent's heard of a proxy. Of course it's easy *to set up* and the tools are available. Now, build me one that can handle multiple OC-48 pipes without slowing down traffic

              I have setup such things using a cluster of proxy servers. it will cost you a bit, but it is not tech
        • ISPs provide DNS services for their customers as well, why not just add a blank record for that domain on their nameservers so that it comes up unresolvable, or better yet, resolve it to an ISP run website telling the end user that the site has been blocked.

          I realize that this isn't going to block the site for 100% of the people, but I would wager that the same people who could defeat this system, could defeat the layer 7 firewall as well.
      • They could always be a little smarter and have the router look into the packets to see if they are HTTP and contain a Host header that is blocked.

        Note that SSL doesn't give much of a problem here Yes, the data (including the headers) is encrypted, but you can only have one SSL certificate per IP address (per port). I forgot the technical reason, but it seems silly that they haven't come up with a workaround yet.
        • Here's what happens when you use HTTP to talk to a site:

          1) Open socket to ip address and port.
          2) Send HTTP request, including the Host: header.
          3) Get response.

          Here's what happens when SSL gets added.

          1) Open socket.
          2) Negotiate SSL, including verifying the certificate, which contains the host name. If it doesn't match, fail.
          3) Send HTTP request, including the Host: header.
          4) Get response.

          Unless you want to replace every browser out there, along with every web server, to enable a new STARTTLS-enabled HTTP/2.
          • Apache can actually do name-based virtual hosting with *.domain.com certificates, as long as all your vhosts are in .domain.com. It appears that what happens in apache is this:

            Open socket
            Apache whines then picks the first vhost matching this hostname:port and loads its certificate.
            Client matches cert against hostname
            SSL is negotiated
            Client sends request including hostname
            Apache picks the by-name vhost matching the hostname given, and the transaction continues.
    • >>"However, it is common for many different, unrelated >>Web sites to share the same IP address."

      > It is?


      Surely you didn't think that for $30 a month Hostway was giving you your own box, did you?
    • Re:i'm confused.... (Score:5, Informative)

      by bmalnad (808193) on Thursday August 04, 2005 @08:22AM (#13238936) Homepage
      Yes! It is. It's called virtual hosting [apache.org].
      • That's interesting. I'm sure many people who aren't familiar with the inner workings of the net (myself included) are surprised. The attitude of one website, one IP address seems to pretty prevalant. Take this tool [mozilla.org], for instance, that shows the IP address of any website.

        So, I suppose that visiting any one of these addresses should show the same address, right? Thanks again for your helpful explanation! -- Paul

    • Re:i'm confused.... (Score:3, Informative)

      by jellomizer (103300) *
      Yes it is.

      From the Apache WebSite.

      http://httpd.apache.org/docs/2.0/vhosts/name-based .html [apache.org]

      IP-based virtual hosts use the IP address of the connection to determine the correct virtual host to serve. Therefore you need to have a separate IP address for each host. With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

      Name-based virtual hosting is usually simpler, since you nee
    • It's common because many IP issuing organisations (RIPE, etc.) will not issue IP's for individual websites. You have to use things like SSL hosting, multiple different service hosting, etc. as your justification.

      If you say I want 20 IP addresses because I want to run 20 websites, the issuing authority will turn you down flat. So you pretty much _have_ to do virtual hosting.
  • Uh oh (Score:4, Interesting)

    by coflow (519578) on Thursday August 04, 2005 @08:19AM (#13238914)
    From TFA: "the blockage occurred at the Internet backbone level, thereby blocking access for other ISPs (and their customers) that use Telus as their provider."

    I'm certainly no legal expert, but this seems like it could open the floodgate for litigation. Maybe by the time the regulations arrive the market will have already corrected this problem?
    • If it's been going on for so long and no one has sued yet, what reason is there to believe that anyone will? Plus, I'll bet that Telus has its butt covered with stuff in the license agreement about how they can block anyone and everyone they choose and you are not allowed to complain.
    • Why?
        The data passes over their network, so they can do as they wish with routing it. they're not stealing it, they're just not completing the route.

      Look at any dedicated service contract (T1's, ethernet, T3's etc) and you'll see lovely print saying they can do whatever they want.

      You are connecting to their network- not the other way around... hence you are subject to the way they run their network..

      -M
  • by TripMaster Monkey (862126) * on Thursday August 04, 2005 @08:19AM (#13238915)

    From The OpenNet Initiative PDF:
    Section 36 of the [Canadian Telecommunications] Act states that, without the approval of the Canadian Radio-Television and Telecommunications Commission, a "Canadian carrier shall not control the content or influence the meaning of telecommunications carried by it for the public," and Section 27(2) of the Act prohibits a Canadian character, in providing a telecommunications service, from "unjustly discriminat[ing] or giv[ing] an undue or unreasonble preference toward any person, includ[ing] itself, or subject[ing] any person to an undue or unreasonable disadvantage.
    Clearly, Telus violated the Canadian Telecommunications Act by their heavy-handed disconnection of www.voices-for-change.com. This alone should be grounds for revocation of their license, but the incidental blocking of an additional 766 unrelated websites is even more reprehensible than their intended censorship.
    • by BHearsum (325814) on Thursday August 04, 2005 @08:27AM (#13238965) Homepage
      Does this mean that the blocking of ports is illegal?
      • That would probably depend: Are you blocking it just for one customer? Or just from one site?

        The common case is that they are blocking all access to a port for a class of customers. (And they say this in the contract any customer in that class has signed.)

        There is no favoratism in that approach: Everyone is blocked, regardless of content, politics, etc. The service provider just does not provide service on that port. (And they don't claim to.) That would be legal.

        Providing limited service, when you say
    • I'm about the farthest from an expert on Canadian legal matters that one can be, so I'm truly curious, not trying to argue:

      Does the Canadian Telecommunications Act include ISPs as 'carriers'? Most legislation considering telecommunications and common carriers that I know of was written before the internet was as popular and vital as it is now.

    • If they are not enforcing the regulations they already have, then why are they making new ones?
  • i'm glad... (Score:5, Funny)

    by Anonymous Coward on Thursday August 04, 2005 @08:20AM (#13238919)
    i'm glad i live in the US where i don't have to worry about such things
    • In fact, worrying about such things is treason.

      The Computer knows that you don't want to worry about this and will ensure that anyone who disturbs your tranquility, including you, will be used as reactor shielding.

      The Computer is your friend. Trust the Computer.

  • Public Outcry (Score:5, Insightful)

    by Emperor Cezar (106515) on Thursday August 04, 2005 @08:26AM (#13238959) Journal
    The ISP was pretty much forced to take down the block because of public outcry. No one wants to do business with an ISP that does things like that. With regulation the Canadian government has two options:

    a) Force them to let everything through, but this means they can't block virus speading sites, etc

    b) Only allow them to block what the regulators seem fit. Which puts what you see and can't see into the hands of beurocrats. This would cover all ISPs in Canada so you can't switch to one that does block stuff you want it to (Porn if you have little kids, etc.)

    I personally prefer to let people hurt them in the wallet when they pull crap like this. Corporations take more notice when something hurts them in the wallet.
    • Re:Public Outcry (Score:3, Insightful)

      by Ingolfke (515826)
      The ISP was pretty much forced to take down the block because of public outcry... With regulation the Canadian government has two options:

      Ah yes, the old government needs to get involved where the peopl have already solved the problem argument. The Canadian government doesn't need to do anything here. If Telus did violate a law on the books then the ONLY thing government should do is prosecute them, and that should come from the judicial part of the government, not the legislative part (I'm not sure exac
    • Re:Public Outcry (Score:2, Interesting)

      by TCM (130219)
      a) Force them to let everything through, but this means they can't block virus speading sites, etc

      And why should they? Blocking the spreading won't make the viruses go away. Plus, if I were a researcher or hobby virus analyser, I couldn't get to them anymore.

      How about we get systems more secure so it wouldn't matter a single bit whether a site distributing some malware is reachable or not?
  • Wow (Score:5, Informative)

    by GordoTheGeek (608960) <<ac.nahcaurc> <ta> <nodrog>> on Thursday August 04, 2005 @08:27AM (#13238967)

    A buddy of mine is a desktop admin at Telus in Toronto (the strike is in Alberta and BC). That's a hell of a message to send to the rest of your employees: "We 'support' your right to strike, but we don't want your message to get out to the world."

    And he thought he hated his job before the strike. Yow.

    • Re:Wow (Score:3, Informative)

      by Malicious (567158)
      Recently, the CIRB ruled that employees in Quebec and Ontario aquired in the Clearnet take over were in fact to be considered members of the TWU.
      As such the job action encompasses the entire Union, not just Alberta and BC how ever Telus has refused to provide the Union with the names of the employees in Eastern Canada.
      Further, the job action is not actually a strike. Union members in BC and Northern Alberta were locked out of their jobs in an act initiated by Telus creating a 'Lock Out' and not a 'Strike'
  • Don't block IPs unless you're really really sure about it. Lasy bastard admins.
    • by Anonymous Coward
      If you are working with large-scale routing you aren't going to do application-layer filtering unless you have to. They didn't have to until this incident so the infrastructure (and it does require a massive one, transparent proxies for all their bandwidth) wasn't in place. Therefore, a quick instruction to the Cisco BFRs and no more website, based on IP.

      It's unfortunate that the virtual hosting got nailed by it but if their decision (a bad one, the PR in Canada right now is horrible) was to block it, that
  • Nothing new (Score:3, Informative)

    by vchoy (134429) on Thursday August 04, 2005 @08:35AM (#13239021)
    For those of us with Dynamic IP addresses: there always been those times where you get that one bad bad 'black-listed' IP (previously used for spamming, haxing etc).

    Worse still, 'black-list' blocks not JUST only the IP, but entire subnets or IP ranges...you spend a whole friggen day debugging your network-router-firewall setup and spend the rest of the week arguing with your ISP about who's fault it is.

    Solutions:
    ifconfig /renew? - sometimes does not work due to DHCP server keeps on serving you the same IP based on your MAC ADDR, and you are forced to wait for expiry lease to lapse.
    change MAC address? - an option, as 'most' routers can 'spoof' MAC addresses.
  • "It's in the Canadian Criminal Code eh, like there's legal precedents set in cases in law."

    "Yeah, so like give us our free beer, eh."

    "You want free beer? Go to the brewery. Now get outta here before I put the two of YOU in a bottle."

    On that good 'ole Canadian Criminal Code.
    (Special thanks to Bob & Doug [imdb.com])
  • by Winterblink (575267) on Thursday August 04, 2005 @08:46AM (#13239086) Homepage
    In my area I have a choice between two high-speed internet carriers, Telus and Shaw Internet. Telus has pretty much just cinched the deal for me, that I'll be moving to Shaw as soon as possible.
    • Just bear in mind that Shaw only allows SMTP/POP over their own network. So, if you are a typical geek and want to read your email from anywhere, then you may not like having to use webmail.
      • Yep, Telus is the same way actually. It's annoying as hell, if you ask me. But I don't use my ISP email anyway so it won't be as much a concern to me.
      • Just to clarify: While Shaw allows access to its POP/SMTP servers only over their own network, you can access outside POP/SMTP servers from their network without any problem. I do this all the time -- the @home thing years ago taught me not to trust my ISP's email. Their POP server not being available off-network is not so bad as you can set it to forward to another address via the web interface.
    • Whatever you do, don't calm down and change your mind. Shaw is much better on a day-to-day basis.
      • And you know, at one point it was reversed. Shaw's support was horrible, their service was flakey and slow. Now Telus is the worst of the bunch and seems completely incapable of fixing their problems. Oh well, I'll let them know by choosing with my wallet. :)
  • where IP addresses change pretty much at the whims and vaguaries of the sys admin and of reality interfering with assigning a 'stable' (not static) IP address.

    What if yourHost.site.tld is given an IP address that is 'banned' as belonging to undesirables?
  • by Ingolfke (515826) on Thursday August 04, 2005 @08:57AM (#13239136) Journal
    when big corporations would just hire a bunch of thugs to beat the hell out of union organizers.
  • by loyukfai (837795) on Thursday August 04, 2005 @08:57AM (#13239139)
    Used to see films set in the future that corporations had replaced governments and thought, it will never happen.

    But seeing more and more such news today, it happens to me that, are we in the midst of this change?

    In China, the government censors you, in Canada and Australia, the ISP censors you!
  • by webzombie (262030)
    I have long argued that the internet access business has needed regulations that govern Quality of Service, Code of Conduct and a Consumer's Bill of Rights.

    The behaviour of Telus is outrageous and is probably a VERY SMALL tip on a MASSIVE iceberg.

    As more and more services fight for consumer's internet pipe they should have protection against bad service and questionable tactics.
  • by Anonymous Coward on Thursday August 04, 2005 @09:13AM (#13239236)
    Ok fine it is a stupid move to have an ISP block access to any website and it should not be done... But the striking telus workers are just as much to blame. Those striking goons have been going about cutting fiber lines... Not to mention they have been asking people to pretty much DOS telus call centers with fake problems.

    PS: The website was blocked after Telus found that their striking workers where taking pictures of employees who were crossing the picket line for the purpose of later harrasing those said employees. In my opinion both parties are equally at fault for the nice mess they cooked up.
    • The argument that Telus had to block access to the site because it contained pictures of their employees for the purpose of harassing them is completely specious. If that were the case, then the Telus had the ability to do what anyone else could do in such a case: go through legal channels to get the offending pictures removed. Just because they happened to have the ability to unilaterally block access to the pictures doesn't give them the right to do it
    • I looked at the union's website when the story first came out. I looked at the picture. The closest I saw to what you were describing was a couple of pictures where managers were standing (not entering, standing or leaning against a wall) watching the picketers (and smoking a cigarette in one case if my memory serves aright.)

      I did not see any "pictures of employees who were crossing the picket line for the purpose of later harrasing those said employees."

      As to the other claims, so far the only corroborat
  • by StandardCell (589682) on Thursday August 04, 2005 @09:25AM (#13239318)
    http://www.crtc.gc.ca/RapidsCCM/Register.asp?lang= E [crtc.gc.ca]

    There's a five-step form, and they'll refer the complaint. For a quick cut-and-paste snippet, go to the following:

    Please be advised that Telus Corporation may be in violation of the Telecommunications Act, Section 36. Please see http://www.crtc.gc.ca/RapidsCCM/Register.asp?lang= E [crtc.gc.ca] for details on the violation.

  • Telus ethics (Score:5, Informative)

    by TeQGame (902612) on Thursday August 04, 2005 @09:27AM (#13239335)
    Here's an exerpt quoted directly from the Telus Ethics page at http://about.telus.com/governance/ethics1.html [telus.com]

    How can they possibly claim that they took an ethical approach when they unilaterally terminated access to a website that depicted Telus in an unfavorable light. Whether the site in question was violating other contractual obligations or law is independent of the actions of Telus.

    " Fellow TELUS team members:

    Central to TELUS' purpose is to make the future friendly for our stakeholders. One of the critical elements in realizing this ambition is to ensure our individual and collective reputation is above reproach. How we work is just as important as what we do. Our goal is to demonstrate the highest level of ethics and integrity in our business dealings with all stakeholders (customers, shareholders, suppliers, colleagues, community). This is a corporate priority and a shared responsibility for all TELUS team members as each one of our actions and decisions affect our company and its reputation."

  • The settlement, available as part of the settlement on the now-unblocked website, paints this as a little less one-sided that the slashdot article.

    Don't get me wrong, Telus is clearly stark raving mad with nuts on top, but maybe with not quite as nuts as the summary indicates. The settlement includes reference to voices for change removing threatening and revealing information (which we can't judge the merit of, since the information's been removed). Telus clearly has at least /some/ obligation to protect i
  • by Anonymous Coward
    The voices-for-change website was being put all over the news and the radio, saying GO AND SEE PICS OF THE SCABS AT www.voices-for-change.com

    The voices for change website was publicly posting pictures of telus employees, management and Union employees that crossed the picket lines, putting their saftey at risk. If you have not noticed, the union in BC can be pretty militant, so yes Telus Banned access to the website until they were able to get a court order to have the website admin remove the pictures, onc
  • Where are all the "lol only in america! lol" comments, huh?
  • I WANT A LAWSUIT (Score:4, Interesting)

    by FFFish (7567) on Thursday August 04, 2005 @11:22AM (#13240868) Homepage
    Does anyone know of a class action lawsuit against Telus for this act? I am *mighty* pissed that they blocked my access to the site, and I want to make them pay for it: I want to join a lawsuit against them.

    Please post a reply to this message if you know of a class-action lawsuit against Telus for IP blocking.

"Out of register space (ugh)" -- vi

Working...