False positive CSAM blocking attributed to RIPE
Dear all, I am new to this list, although I am not completely new to the Internet technical community, as I am a long-time IGF (and occasionally ICANN) participant. I am writing about a case that has been referred to my organization involving global blocking (packet dropping, apparently) of IP addresses that have been reported as hosting CSAM by the Canadian Center for Child Protection (C3P). According to public information, the C3P runs a web crawler called Project Arachnid which searches for instances of CSAM on the clearweb, and sends automated takedown notices to providers. However, in the case that was reported to me, rather than allowing the hosting provider to take down the offending image, the takedown notice was followed by global packet dropping of the hosting IP address, which took down the entire server and other websites along with it: the hosting provider has attributed this censorship to RIPE, although I cannot verify whether or not this is true. If I am able to obtain more details from RIPE staff, I will follow up with them. Moreover the website in question was not a CSAM website, and neither was the image reported by the C3P a CSAM image. It was a scan of a 1960s postcard of an indigenous family, sent through the mail, which was included in a detailed ethnographic blog article about indigenous women and girls. In other words, this is an obvious false positive, and it should never have been reported as CSAM at all. I'm writing to find out if anyone has more information that they can share about how this might have happened, and how it can be prevented from happening in the future. Many thanks in advance for any help that you can offer. Not sure if I should include the RIPE Cooperation ML on this, given that it relates to the actions of the C3P? -- Jeremy Malcolm PhD LLB (Hons) B Com Executive Director, Prostasia Foundation https://prostasia.org - +1 415 650 2557 ᐧ
RIPE does not handle abuse matters like this, that would be up to the connectivity and hosting providers involved. RIPE only enforces that each IP allocation and assignment has a valid abuse contact email. Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Jeremy Malcolm <jeremy@prostasia.org> Sent: Tuesday, September 28, 2021 8:56:44 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: [anti-abuse-wg] False positive CSAM blocking attributed to RIPE Dear all, I am new to this list, although I am not completely new to the Internet technical community, as I am a long-time IGF (and occasionally ICANN) participant. I am writing about a case that has been referred to my organization involving global blocking (packet dropping, apparently) of IP addresses that have been reported as hosting CSAM by the Canadian Center for Child Protection (C3P). According to public information, the C3P runs a web crawler called Project Arachnid which searches for instances of CSAM on the clearweb, and sends automated takedown notices to providers. However, in the case that was reported to me, rather than allowing the hosting provider to take down the offending image, the takedown notice was followed by global packet dropping of the hosting IP address, which took down the entire server and other websites along with it: the hosting provider has attributed this censorship to RIPE, although I cannot verify whether or not this is true. If I am able to obtain more details from RIPE staff, I will follow up with them. Moreover the website in question was not a CSAM website, and neither was the image reported by the C3P a CSAM image. It was a scan of a 1960s postcard of an indigenous family, sent through the mail, which was included in a detailed ethnographic blog article about indigenous women and girls. In other words, this is an obvious false positive, and it should never have been reported as CSAM at all. I'm writing to find out if anyone has more information that they can share about how this might have happened, and how it can be prevented from happening in the future. Many thanks in advance for any help that you can offer. Not sure if I should include the RIPE Cooperation ML on this, given that it relates to the actions of the C3P? -- Jeremy Malcolm PhD LLB (Hons) B Com Executive Director, Prostasia Foundation https://prostasia.org - +1 415 650 2557 [https://mailfoogae.appspot.com/t?sender=aamVyZW15QHByb3N0YXNpYS5vcmc%3D&type=zerocontent&guid=6da5a3c0-b605-489c-a914-49bb037aca56]ᐧ
Jeremy While it’s possible that a network or networks might have stopped routing traffic to / from somewhere else that is a decision at the network level. It’s not something that an RIR like RIPE or ARIN can do. For example RIPE NCC has assigned my company multiple blocks of IPv4 and IPv6 space. They do not have any interaction with or control over which providers we use to connect our network to the rest of the internet. None. They have zero control over what traffic we accept or reject. So if traffic is being blocked it’s NOT being blocked by RIPE NCC. Regards Michele Mr Michele Neylon Blacknight Hosting & Domains https://www.blacknight.com @mneylon Sent from mobile so typos and brevity are normal On 28 Sep 2021, at 19:57, Jeremy Malcolm <jeremy@prostasia.org> wrote: [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Dear all, I am new to this list, although I am not completely new to the Internet technical community, as I am a long-time IGF (and occasionally ICANN) participant. I am writing about a case that has been referred to my organization involving global blocking (packet dropping, apparently) of IP addresses that have been reported as hosting CSAM by the Canadian Center for Child Protection (C3P). According to public information, the C3P runs a web crawler called Project Arachnid which searches for instances of CSAM on the clearweb, and sends automated takedown notices to providers. However, in the case that was reported to me, rather than allowing the hosting provider to take down the offending image, the takedown notice was followed by global packet dropping of the hosting IP address, which took down the entire server and other websites along with it: the hosting provider has attributed this censorship to RIPE, although I cannot verify whether or not this is true. If I am able to obtain more details from RIPE staff, I will follow up with them. Moreover the website in question was not a CSAM website, and neither was the image reported by the C3P a CSAM image. It was a scan of a 1960s postcard of an indigenous family, sent through the mail, which was included in a detailed ethnographic blog article about indigenous women and girls. In other words, this is an obvious false positive, and it should never have been reported as CSAM at all. I'm writing to find out if anyone has more information that they can share about how this might have happened, and how it can be prevented from happening in the future. Many thanks in advance for any help that you can offer. Not sure if I should include the RIPE Cooperation ML on this, given that it relates to the actions of the C3P? -- Jeremy Malcolm PhD LLB (Hons) B Com Executive Director, Prostasia Foundation https://prostasia.org - +1 415 650 2557 [https://mailfoogae.appspot.com/t?sender=aamVyZW15QHByb3N0YXNpYS5vcmc%3D&type=zerocontent&guid=6da5a3c0-b605-489c-a914-49bb037aca56]ᐧ
RIPE has so far firmly been in the “we are not the Internet police” category and I don’t see that changing. Not sure what happened here without any further context. --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Jeremy Malcolm <jeremy@prostasia.org> Sent: Wednesday, September 29, 2021 12:26:44 AM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: [anti-abuse-wg] False positive CSAM blocking attributed to RIPE Dear all, I am new to this list, although I am not completely new to the Internet technical community, as I am a long-time IGF (and occasionally ICANN) participant. I am writing about a case that has been referred to my organization involving global blocking (packet dropping, apparently) of IP addresses that have been reported as hosting CSAM by the Canadian Center for Child Protection (C3P). According to public information, the C3P runs a web crawler called Project Arachnid which searches for instances of CSAM on the clearweb, and sends automated takedown notices to providers. However, in the case that was reported to me, rather than allowing the hosting provider to take down the offending image, the takedown notice was followed by global packet dropping of the hosting IP address, which took down the entire server and other websites along with it: the hosting provider has attributed this censorship to RIPE, although I cannot verify whether or not this is true. If I am able to obtain more details from RIPE staff, I will follow up with them. Moreover the website in question was not a CSAM website, and neither was the image reported by the C3P a CSAM image. It was a scan of a 1960s postcard of an indigenous family, sent through the mail, which was included in a detailed ethnographic blog article about indigenous women and girls. In other words, this is an obvious false positive, and it should never have been reported as CSAM at all. I'm writing to find out if anyone has more information that they can share about how this might have happened, and how it can be prevented from happening in the future. Many thanks in advance for any help that you can offer. Not sure if I should include the RIPE Cooperation ML on this, given that it relates to the actions of the C3P? -- Jeremy Malcolm PhD LLB (Hons) B Com Executive Director, Prostasia Foundation https://prostasia.org - +1 415 650 2557 [https://mailfoogae.appspot.com/t?sender=aamVyZW15QHByb3N0YXNpYS5vcmc%3D&type=zerocontent&guid=6da5a3c0-b605-489c-a914-49bb037aca56]ᐧ
I am writing about a case that has been referred to my organization involving global blocking (packet dropping, apparently) of IP addresses that have been reported as hosting CSAM by the Canadian Center for Child Protection (C3P).
lose one point everyone who didn't read that this is a watchdog not the site owner -- and if you Google their name, one whose activities and focus has attracted some controversy
However, in the case that was reported to me, rather than allowing the hosting provider to take down the offending image, the takedown notice was followed by global packet dropping of the hosting IP address, which took down the entire server and other websites along with it:
there's no such thing as "global packet dropping" but if the website is offline then either traffic is being blocked near to the site itself by a hosting company or upstream provider, or some national level blocking is being applied (though often this takes the form of arranging that the website name does not resolve in DNS rather than packet dropping per se)
the hosting provider has attributed this censorship to RIPE,
RIPE NCC operates a directory service -- maintaining lists of which organisations have been assigned which IP addresses (along with 4 other Regional Internet Registries)
although I cannot verify whether or not this is true.
it is untrue, you should interrogate the hosting provider directly because their statement (whatever it was) has clearly been severely garbled before you reported it here
If I am able to obtain more details from RIPE staff, I will follow up with them.
that would be a waste of their time -- you need to backtrack to the hosting provider and, if you can obtain some technical help, ascertain the actual nature of the blocking (assuming it is still in place) or at least review what technical evidence there is about the impact (assuming that's the aspect you care about -- rather than what you describe as an error of categorisation by C3P)
I'm writing to find out if anyone has more information that they can share about how this might have happened, and how it can be prevented from happening in the future.
there is considerable information to be found online about how blocking works, the mechanisms used and how it regularly goes wrong. Entering this arena without attempting to do your homework is counterproductive. -- Dr Richard Clayton <richard.clayton@cl.cam.ac.uk> Cambridge Cybercrime Centre mobile: +44 (0)7887 794090 Computer Laboratory, University of Cambridge, CB3 0FD tel: +44 (0)1223 763570
El mar, 28-09-2021 a las 11:56 -0700, Jeremy Malcolm escribió: Dear all, I am new to this list, although I am not completely new to the Internet technical community, as I am a long-time IGF (and occasionally ICANN) participant. I am writing about a case that has been referred to my organization involving global blocking (packet dropping, apparently) of IP addresses that have been reported as hosting CSAM by the Canadian Center for Child Protection (C3P). According to public information, the C3P runs a web crawler called Project Arachnid which searches for instances of CSAM on the clearweb, and sends automated takedown notices to providers. However, in the case that was reported to me, rather than allowing the hosting provider to take down the offending image, the takedown notice was followed by global packet dropping of the hosting IP address, which took down the entire server and other websites along with it: the hosting provider has attributed this censorship to RIPE, although I cannot verify whether or not this is true. If I am able to obtain more details from RIPE staff, I will follow up with them. Moreover the website in question was not a CSAM website, and neither was the image reported by the C3P a CSAM image. It was a scan of a 1960s postcard of an indigenous family, sent through the mail, which was included in a detailed ethnographic blog article about indigenous women and girls. In other words, this is an obvious false positive, and it should never have been reported as CSAM at all. I'm writing to find out if anyone has more information that they can share about how this might have happened, and how it can be prevented from happening in the future. Many thanks in advance for any help that you can offer. Not sure if I should include the RIPE Cooperation ML on this, given that it relates to the actions of the C3P? Hello Jeremy RIPE did not block your site. What I can see happening is that when C3P found some "CSAM content" on your site, it looked up on the _RIPE database_ who was the appropriate contact to notify about this, and then either a) Notified both you and $someone_else or b) Notified just $someone_else (which would have then forwarded it to you) with $someone_else most likely being your hosting provider. Note that if you don't know to have your details in the whois database, then most likely they are not there, and the details will be to your hosting provider. Using the RIPE database to find out the owner of an IP address and the abuse contact for it is precisely the right thing to do here (assuming this is network range was allocated by RIPE). Finally, $someone_else filtered your site first (shutdown the machine, firewalled it…) and then asked questions. It may be harsh, but it's an understandable policy. Specially since they may not be allowed to identify what is CSAM and what isn't, and should they misclassify it as not being CSAM, while legally fitting into that category, could lead to Real Trouble.™ It is also possible that the filtering was done by a different entity, like the upstream provider of your hosting, but I would bet it was done by the hosting itself. And it is the filtering entity you should request to remove such filtering. You may be able to use different traceroutes to pinpoint the place where your server is being blackholed. Best regards -- INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ==================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ==================================================================== In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitationof processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad. ====================================================================
participants (6)
-
Jeremy Malcolm -
Matthias Merkel -
Michele Neylon - Blacknight -
Richard Clayton -
Suresh Ramasubramanian -
Ángel González Berdasco