Human Rights Protocol Considerations Research Group
Internet-Draft
Intended status: Informational
Expires: January 16, 2018

S. Abraham, CIS India
MP. Canales, Derechos Digitales
J. Hall, CDT
O. Khrustaleva, American University
N. ten Oever, ARTICLE 19
C. Runnegar, ISOC
S. Sahib, Cisco Systems

July 15, 2017

Implementation Report for HTTP Status Code 451 (RFC 7725)
draft-451-imp-report-00

Abstract

This report describes implementation experience among various components working with HTTP Status Code 451 [RFC7725], and provides a risk assessment and recommendations for improvement.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 16, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


1. Introduction

This document evaluates the usage of HTTP Status Code 451, which was standardized by the IETF in February 2016 [RFC7725]. This implementation report aims to illuminate whether the status code does what it set out to do (“provide transparency in circumstances where issues of law or public policy affect server operations”), the different ways it is being used, and the positive and negative impacts the standard might have. It ends with suggestions for improvement of the standard.

2. Vocabulary

Blocking
The act of making an HTTP resource inaccessible to a class of users.
Resource
A top-level information object served by an HTTP server (e.g., HTML page).
Subresource
An information object served within the context of a top-level Resource (e.g., JavaScript, Image, etc.)
Server Operator
An entity or an individual operating an HTTP server.
HTTP status
For each response, HTTP servers return a numerical status code (e.g., 400 (OK), 403 (unauthorized), etc.) described by IANA https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml.
Response
When an HTTP Server responds to a request, it sends a Response, made up of header fields and a body (See: https://tools.ietf.org/html/rfc7725#section-3).
Legal demand
A verbal or written request grounded in law or regulation from an Authority to a Server Operator to block a Resource.
Authority
A government or government-licensed entity mandating blocking of a resource directly or that may institute laws that indirectly require blocking of a resource.
Complainant
A party making a Legal demand; may or may not be an Authority (e.g., the US DMCA allows a copyright holder to demand takedown).

3. Target audiences

4. Who is likely to implement the 451 status code?

4.1. Server operators

Server operators that are being confronted with an order from a legal authority can use the HTTP Status Code to communicate to third parties why the resource is not available on the server.

4.2. Intermediaries

Intermediaries such as Internet Service Providers, Content Distribution Networks and others might be obligated by a legal authority in their operational jurisdiction to filter certain content. The HTTP status code would add transparency to this practice.

5. Who is likely to use the 451 status code data?

5.1. Browser vendors

Browser vendors might implement functionality to communicate the presence of an HTTP status code 451 to a user.

5.2. End users

End users will be informed about why the information they are trying to access is not available, instead of merely concluding that the content is not available due to other reasons (e.g., 404 unavailable).

5.3. Researchers

Researchers might want to scan for the prevalence of blocking, as well as trends in blocking behavior.

5.4. Civil society

Civil society may want to use instances of HTTP status code 451 to highlight censorship and censorship trends, to challenge blocking.

5.5. Governments

Governments might want to verify compliance with blocking orders and use HTTP status code 451 to do so on the networks in their jurisdiction.

6. Current Usage

7. Overview

In the majority of cases in which HTTP status code 451 is being deployed [Censys], the status code reads “451 Unavailable For Legal Reasons”, “451”, “451 Unknown Error”, “451 Error”, “451 Unavailable For Legal Reasons (burned)” or “451 OK”. The Page Title could say “404 Not Found”, “Blocked”, “451 -”, “Restricted access”, “Bloqueado por ordem judicial” (“Blocked by judicial order”), “Sito censurato” (“Censored site”), “Доступ ограничен” (“Access is restricted”), “Зелёная точка - доступ к запрашиваемому ресурсу ограничен” (“Zelenaya tochka (Internet and TV provider) - access to the requested resource is restricted”), “Violazione del bispensiero”, “Please report sexual abuse against children to the Swedish National Bureau of Investigation!”, “Copyright Notice”, “451 RKN Redirect” (RKN is likely Russia’s Roskomnadzor), “ATTENZIONE!! - POLIZIA POSTALE E DELLE COMUNICAZIONI - PAGINA BLOCCATA” (“Attention! - Postal and Communications Police - Blocked Page”) or “451 Unavailable For Legal Reasons 本网站由于国家政策而不可用” (Chinese: “This site is not available due to national policy”).

The hosts that were observed implementing the status code are located in Russia, United States of America, Singapore, Czech Republic, Thailand, Netherlands, Portugal, Spain, Italy, Greece, Bulgaria, Hungary, Germany, France, United Kingdom, Ukraine, Norway, Finland, Kazakhstan, United Arab Emirates, Japan, China, Philippines and Australia. In some cases the visitor to the website is provided some context for the block (for example, a take-down notice for copyright infringement); in other cases the visitor is encouraged to cooperate with law enforcement agencies. The page title may have information that does not always make sense in the context of the error code, for example when the title says “404 Not Found” but the page is a 451 response body. These observations are based on an examination of the search results from Censys.io on 15 July 2017, which featured 526 IPv4 hosts, of which 17 were included in the list of “Top Million Websites”.
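
The inconsistencies described above (reason phrases such as “451 OK”, a title of “404 Not Found” on a 451 response) can be checked mechanically when surveying deployments. The following Python code is an added example, not part of the original draft or of Censys; the function name audit_451, the finding labels and both sample responses are constructed for illustration. It also checks for the Link header with rel="blocked-by" that RFC 7725 defines for identifying the entity implementing the block.

```python
import re

# Reason phrase registered for 451 by RFC 7725.
REGISTERED_REASON = "Unavailable For Legal Reasons"
STATUS_RE = re.compile(r"HTTP/\d(?:\.\d)? (\d{3})(?: (.*))?$")
LINK_RE = re.compile(r"<([^>]*)>((?:\s*;\s*[^;,]*)*)")
REL_RE = re.compile(r'\brel\s*=\s*"?([^";]*)"?', re.I)
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def audit_451(raw):
    """Audit one raw HTTP/1.x response given as text; return what was found."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    m = STATUS_RE.match(status_line)
    if not m:
        raise ValueError("not an HTTP status line: %r" % status_line)
    code, reason = int(m.group(1)), (m.group(2) or "").strip()
    result = {"code": code, "reason": reason, "title": None,
              "blocked_by": [], "findings": []}
    if code != 451:
        return result  # only 451 responses are audited

    # Collect Link targets whose relation type is "blocked-by" (RFC 7725).
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "link":
            continue
        for target, params in LINK_RE.findall(value):
            rel = REL_RE.search(params)
            if rel and "blocked-by" in rel.group(1).lower().split():
                result["blocked_by"].append(target)
    t = TITLE_RE.search(body)
    result["title"] = t.group(1).strip() if t else None
    if reason != REGISTERED_REASON:
        result["findings"].append("nonstandard-reason")
    if not result["blocked_by"]:
        result["findings"].append("no-blocked-by-link")
    # A title such as "404 Not Found" on a 451 response misleads the reader.
    other = re.search(r"\b([1-5]\d\d)\b", result["title"] or "")
    if other and other.group(1) != "451":
        result["findings"].append("title-names-other-status")
    return result

# Constructed sample responses (not captured traffic; hosts are placeholders).
SAMPLE_CLEAR = (
    "HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
    'Link: <https://operator.example/legal>; rel="blocked-by"\r\n'
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Unavailable For Legal Reasons</title></head>"
    "<body>Blocked following a court order.</body></html>"
)
SAMPLE_CONFUSING = (
    "HTTP/1.1 451 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body></body></html>"
)

if __name__ == "__main__":
    print(audit_451(SAMPLE_CLEAR), audit_451(SAMPLE_CONFUSING), sep="\n")
```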

Several large content providers are now supporting the HTTP 451 Status Code, such as [Github] and [Reddit], whereas other content providers such as [Twitter], [Facebook], and [Youtube] are currently not using the HTTP status code to indicate the blocking or takedown of specific content.

8. Trends and observations

9. Potential negative or positive impacts

10. What are features of a blocking reporting infrastructure that would be useful?

– Identification of the legal source on which the blocking request is based.

– Identification of the complainant/requestor if it is an institution (not if it is an individual, because of privacy concerns). It could be useful to identify in this field whether the request comes from a private or public entity, and whether there is a judicial order involved, or a law enforcement or other type of governmental request.

– Description of blocked content (example: ‘Non-consensual sexually explicit imagery’). It could be helpful to have suggested fields that standardize the type of content, in order to ease analysis and the evaluation of a possible challenge to the use of error 451 for the specific content removal.

– Determination of the geographical scope of the blocking. Increasingly blocks are being implemented at the level of the city or province. Therefore country codes may not be sufficient to describe the geographical scope.

– Date of block order and time-period for which the block has to be enforced.

– Date on which serving of HTTP status code 451 started.

– Link to the final decision (if available). Again this should only be the case when the complainant is not an individual.

– Contact information for relevant authority for the purposes of verification of procedural stage and appeal or redress opportunities.

11. What features of blocking events are supported by the existing 451 status code, and what features do we need to add?

12. Appendix: Legal Realities

In light of the use cases outlined above, we provide below an overview of legal frameworks in a number of countries that could be used to make a blocking request. This is to show that a reference to the description of blocked content, the legal source on which the blocking order or request is based, and the authority that makes the order or request is crucial in understanding the context and nature of the blockage.

13. Russia

Blocking by the government:

13.1. Federal Law of 27 July 2006

Law No. 149-FZ on Information, Information Technologies and Protection of Information and its amendments:

13.2. “Yarovaya laws”

This law was approved by the Parliament and, if passed, will oblige messaging apps to store messaging history and decrypt messages at prosecutors’ request.

14. Chile

14.1. Blocking by courts

The Law No. 20.435 (Copyright Act reform from 2010) contains a notice and take down procedure for copyright infringements under which a court order is required (instead of a private notice, as happens under the DMCA) to have content taken down. A Supreme Court decision from 2016 held that it was possible to request a news outlet to remove content from its website to enforce the constitutional right of privacy, when the data is no longer relevant and its availability on the network causes harm to the data subject. The case was controversial because the information was about a public servant convicted in a pedophilia case. This decision has been used by lower courts to enforce a kind of ‘right to be forgotten’ since the Supreme Court decision, but there is a lack of general legislation that clarifies this ground for removals. On the other hand, the Law No. 20.453 tackles intermediary non-interference from the perspective of users by adding to the general rules within the General Telecommunications Act (Law Nº 18.168) new rules for internet service providers. Among those rules, the internet service providers “shall not block or interfere in any way with the rights of the user to use any content, application or service on the internet; but they may take traffic management measures or block contents upon user requests (and to their cost)”.

15. Iran

15.1. Blocking by government

The Committee Charged with Determining Offensive Content (CCDOC) is the official authority on censorship and blocking of web content in Iran. The Supreme Council of Cyberspace (SCC), established in 2012, develops policies related to cyberspace governance. However, blocking and filtering directives originate from various levels of the government, including through direct orders by the judiciary independent of the SCC and CCDOC. Other organizations involved in the censorship process include the Iranian Cyber Police (FATA) and the Telecommunication Company of Iran. By national law, the Telecommunication Company of Iran (TCI) is the exclusive provider of Internet bandwidth in the country. All ISPs have to purchase bandwidth from TCI and are legally bound to use censoring software. Such a system enables a centralized filtering program for all Internet traffic in the country.

15.2. Blocking by courts

In Iran, freedom of expression is regulated by the Penal Code and the Press Law of 1986. The Press Law was amended in 2000 to mandate that publishing online without a license was grounds for blocking, effectively censoring services such as Google, Facebook and Twitter. Iran also has Internet-specific laws, such as the 2001 resolution called “Regulations and Conditions Related to Computerized Information Networks” that ordered that ISPs remove ‘offensive’ websites and mandated the use of filtering technology. The main law in terms of applicability to Internet censorship is the Computer Crimes Law (CCL) of 2009. CCL prescribes articles that provide for content-based restrictions on the Internet usage of Iranian citizens. Articles 21 through 23, in particular, hold ISPs liable for filtering content and reporting illegal material (as described in the articles) to a ‘web crimes committee’ made up of government officials. ISPs are also required to store usage data and logs about visited web pages for a window of at least six months. It is worth noting that none of the terms used in the CCL are defined strictly, potentially over-broadening its scope. There have been many cases of Iranian bloggers being prosecuted for violation of censorship laws. National Internet Project: The Iranian government has been working towards the creation of a National Internet Network which would domestically host all accessible Internet content, isolating Iranian citizens from the World Wide Web. Implementation of the national network would make it easier for the government to block services and web pages through measures such as intelligent filtering. Already the use of social networking platforms such as Facebook, Instagram and Viber is heavily monitored and controlled.

16. India

16.1. Blocking by the government

Under Section 69A of Information Technology Act 2000, the executive branch of the government has “the power to issue directions for blocking for public access of any information through any computer Resource”. According to the law, any person can send a block request to a Nodal Officer. These Nodal Officers should be designated in all government entities to deal with block requests. The request is then approved by the state or central Chief Secretary. This step is not required if the Nodal Officer has initiated the blocking procedure without any complainant. The request is then forwarded to the head of CERT-IN. If it is not a public emergency, the persons or intermediaries should be given 48 hours to respond. This is not required if the emergency provision has been invoked, but the block list still has to be reviewed by the “Committee for Examination of Request” within 48 hours after the block has been issued. The block lists are usually issued directly to ISPs and are marked confidential. They are implemented unevenly, with some ISPs providing sparse details if users try to access the blocked resources and other ISPs returning a 404 Error Code.

16.2. Blocking by courts

Increasingly, Indian courts are issuing ex-parte John Doe orders for website blocking. These orders can be issued by courts for any illegal content. There are around 30 different laws that place reasonable restrictions on the right to free speech in India. For example: The Scheduled Castes and the Scheduled Tribes (Prevention of Atrocities) Act, 1989, The Prenatal Diagnostic Techniques (Regulation and Prevention of Misuse) Act, 1994 and The Juvenile Justice Act, 2000. Some of these laws have multiple provisions that regulate speech; for example, the Information Technology Act has 6 sections and the Indian Penal Code has 10 sections. Once a court order has been obtained, the order can be sent to the Secretary of the Department of Electronics and Information Technology, who will then forward it to ISPs. Alternatively, complainants could send court orders directly to ISPs without following the procedure described above.

16.3. Takedowns by web sites

Under Section 79 of the Information Technology Act 2000, both the government and private parties can send take-down notices to web sites. Intermediaries can ignore private party take-downs without losing immunity, but take-down notices from the government have to be complied with. Under Section 52(1)(c) of the Indian Copyright Act, take-down notices can be sent to websites that are engaged in infringement, but they need to be followed by court orders; otherwise the content can be reinstated.

17. United States of America

17.1. Section 512 of the DMCA

The United States Digital Millennium Copyright Act (DMCA) has a provision that has greatly shaped the landscape of online content [Quilter]. Section 512 of the DMCA has a “notice and takedown” procedure that copyright holders can use to assert that a piece of copyrighted material has been posted against their wishes and that it should be taken down. Under this provision, after a website operator receives a 512 notice, it must: 1) remove the material “expeditiously”; 2) notify the poster that someone has alleged copyright infringement in that material and that the material has been removed; and 3) send any “counternotices” from the poster (objections from the poster to claims of copyright) to the original complainant. The complainant must notify the website operator that it has filed a lawsuit within 10-14 days or the website can reinstate the removed material.

17.2. Other US-based forms of takedown

There are a number of other legal methods that are used with much less frequency in the United States:

18. Informative References

[Censys] Durumeric, Z., Adrian, D., Mirian, A., Bailey, M. and J. Halderman, "80.http.get.status_code: 451 - Censys", 2017.
[ElManzalawy] El Manzalawy, M., "Should the Mugshot Industry be Regulated? States Push Legislation to Protect Individuals from Disproportionate Reputational Harm", 2017.
[Facebook] Facebook, inc., "How do I add or edit country or age restrictions for my Page?", n.d.
[Github] Torikian, G., "The 451 status code is now supported", 2016.
[Quilter] Urban, J., "Efficient Process or Chilling Effects? Takedown Notices Under Section 512 of the Digital Millennium Copyright Act", 2005.
[Reddit] Turkey Blocks, "LGBTI sections disappear as Reddit complies with 100% of Turkey censorship orders", 2017.
[RFC7725] Bray, T., "An HTTP Status Code to Report Legal Obstacles", RFC 7725, DOI 10.17487/RFC7725, February 2016.
[Twitter] Twitter, inc., "Country withheld content", n.d.
[Youtube] Wikipedia, "Censorship of YouTube", 2017.

Authors' Addresses

Sunil Abraham CIS India EMail: sunil@cis-india.org
Maria Paz Canales Derechos Digitales EMail: mariapaz@derechosdigitales.org
Joseph Lorenzo Hall CDT EMail: joe@cdt.org
Olga Khrustaleva American University EMail: ok4193a@student.american.edu
Niels ten Oever ARTICLE 19 EMail: niels@article19.org
Christine Runnegar ISOC EMail: runnegar@isoc.org
Shivan Kaul Sahib Cisco Systems EMail: shivankaulsahib@gmail.com