Saturday, 21 December 2013

Why Internet Filters Are (Mostly) A Dumb Idea

Here in the UK the Conservative-led government has just introduced, to much fanfare, internet filters.  The idea is, of course, to "protect the children", that classic "vote winner" in the lead up to a general election.

Of course, well implemented filters do have their place.  Workplace networks are a good example, they're used to protect sensitive data and to protect against malware.  In the home, however, it's a slightly different story.

The filters that have been introduced are at the "ISP level", meaning they are run and implemented by O2, BT and the rest of the main household providers, and the settings are (by default) the same for every household in the country.  It's not some sort of government mandated censorship scheme, whoever is paying the bills is able to turn them off and browse the entire internet to their heart's content, so there's no real "but we're adults" argument.  The problem is that it doesn't only fail at its main purpose of "protecting the children", it may actually make things worse.

The internet is, like the rest of life, a big bad world containing plenty of things that children shouldn't be exposed to.  Young children using the internet should be supervised, and older children should at least have had a little bit of education in the potential dangers and how to handle them.

Even if these filters worked well (which they don't, it's still a trivial exercise for a 10 year old to find porn if they're determined to), you can't replace being a parent with a list of bad websites.  The filters are incomplete and always will be, and telling parents that they will protect children is akin to telling them their kids can drive a car as long as they're wearing a seatbelt. 

What the government should be doing is teaching parents about hacking.  Firstly, just how easy it is to work around these filters, and secondly (and most importantly) that the most effective form of hacking ever devised is called "social engineering" and has almost nothing to do with computers.  If you wanted to break into Company X's network then you could either spend days running various attack scripts, all of which will probably fail, or you could simply start phoning around the employees, claim to be from an IT contractor, and sooner or later one of them will hand over their login details.  It happens every day.

Children won't be protected by filters, and suggesting that it's even possible is dangerous and misleading to parents.  To protect their kids parents simply have to use a little social engineering - in this context it's more often called "talking to your children".  You're never going to stop a teenage boy finding porn on the internet, but what you can do is make sure that when they do find it they know what they're looking at - a commercialised parody of what the average sex life is actually like.  You can't prevent your daughter receiving a phishing email, but you can make sure that she recognises what it is and doesn't respond to it.

Imagine you'd never been allowed to cross a road until you were 18, what would your life expectancy be?   You don't stop children crossing roads, you teach them to do it safely, and that's exactly how we should be treating the internet, not with crude, politically motivated "solutions" that are worse than nothing.

No comments:

Post a Comment