Emails released to Newsroom under the Official Information Act show how Internet Service Providers and the Government used ad hoc tools – including a Google Doc – to deal with the fallout of the March 15 terror attack

The early response by ISPs to the Christchurch terror attack was ad hoc and scattered, emails provided to Newsroom under the Official Information Act show. The messages, at times frantic and contradictory, with unclear lines of command, point to the need for a crisis response plan in the future – something that the ISPs themselves noted in emails after the initial dust cleared.

Once it became clear that the accused gunman had livestreamed his actions on Facebook and released a manifesto – both of which were rapidly recirculated around the internet – the country’s three largest ISPs moved to block access to domains hosting the material. Vodafone, Spark NZ and 2degrees aligned their efforts, although some ISPs individually verified each URL to be banned.

After blocking a domain, ISPs contacted the owners and asked them to remove the footage of the killings in order to have their domain unblocked.

Spark also liaised with the Department of Internal Affairs, which enforces censorship rules in New Zealand. It quickly became a de facto representative of the other ISPs, a role it did not relish. DIA officials were added to an online Google Doc listing URLs that contained the footage of the shootings.

Response ad hoc

Around 6pm on March 15, a Spark NZ representative got in touch with DIA officials. “My colleague … is working as part of the industry technical team identifying and blocking sites and I have asked him to keep you posted on developments,” the representative wrote.

Spark then followed up six minutes later, listing seven websites with “blocks in place or being put in place”.

“These are DNS blocks across Global Gateway (corporate), Spark Broadband and Mobile,” they added.

DIA and Spark exchanged technical details before a DIA official sent over two new domain names. Spark then responded: “Can you pass the exact links if possible so we can confirm on our end please”.

At times, attempts to send the lists of links through email were foiled by spam filters, which interpreted incoming emails laden with URLs as junk mail. “Can’t include the links of what we blocked/didn’t as the spam filters keep blocking us,” a Spark representative wrote on March 18.

Over the next couple of weeks, DIA officials sent dozens of URLs to Spark to be passed on to the other ISPs. On March 17, an ISP representative emailed the Department of Internal Affairs a link “to a Google Sheet of the DNS entries that have been blocked by Spark Vodafone and 2Degrees”.

“Please do not distribute this sheet to anyone without my consent,” the representative added. “It is a live sheet we are keeping up to date and helping us sync across ISPs. The sheet may be nuked at any point if we feel it has been compromised – we have backup copies.”

New links to the spreadsheet were sent out on March 20 and March 26. DIA officials made a new gmail account,, to access the sheet.

“It was a very ad hoc approach,” said Andrew Pirie, the head of corporate relations at Spark. “It was an approach which everyone recognises in hindsight was undesirable, in terms of the way it all worked. At the same time, everyone acknowledges it was a rather extraordinary time, so therefore, people stepped up to the plate and made the best of it we could.”

An excerpt from a Spark presentation to DPMC, released under the Official Information Act.

ISPs acted independently

Representatives from all three major ISPs stressed that the companies kept one another up-to-date but did not make decisions jointly.

“We obviously have established processes in place with other major broadband providers at a technical level to let them know what we were doing, and also at a policy level,” Pirie said. “There was a quick sort of ring around with the other parties. There was never any conference call or joint discussion, it was very much saying, “Here’s what we’re doing, you might want to consider doing the same.’ But it was all done independently.”

ISPs also took it upon themselves to vet each URL to be blocked. Spark staff verified every link that the company blocked to ensure it was hosting the footage of the shootings. Vodafone staff did so early on as well, but a Vodafone spokesperson was uncertain whether that was the case as the block went on.

“We actually had to take people off that from a health and safety point of view,” Pirie said. “People were starting to get impacted by watching that video multiple times.”

Mat Bolland, the chief of corporate affairs at 2degrees, told Newsroom that 2degrees staff didn’t individually vet each link.

Spark also began to bristle at the role it had assumed as the go-between for ISPs and DIA. In a March 20 email, a Spark representative wrote, “I wanted to ensure we are all on the same page in terms of understanding of Spark’s role with respect to other ISPs. Although Spark has been acting as a de-facto clearing house in terms of providing information re websites to other ISPs, each ISP is taking their own position on how they act on this information, if at all.”

“The current position taken by Spark and other ISPs to voluntarily block certain websites is considered a short-term measure only, in the absence of any clear government directive to this effect.”

Government reluctant to shoulder responsibility

This lack of governmental direction also rubbed ISPs the wrong way. None of the companies felt comfortable making the decision to block content without a request from the Government. But DIA repeatedly stressed that it had no mandate to order or even ask companies to block content.

This was frustrating for ISPs, which were receiving multiple emails a day with links to block from DIA, but without an actual government mandate to block, just an expectation that this would occur. Many of these emails were phrased as if they were requests to block websites, but the ISPs understood that DIA could not ask this of them.

“For blocking Please,” one DIA official wrote in a March 18 email containing eight URLs. “Further URL to be blocked please,” an official wrote on March 17.

“The ISPs contacted us and said they were going to start undertaking blocks. While we were supportive of that, we never would have asked them to,” Jolene Armadoros, the director of digital safety at DIA, told Newsroom.

The situation came to a head a week after the attack. ISP and DIA officials held a teleconference on March 21 to discuss next steps on website blocking. Ahead of the conference call, a Spark representative wrote to DIA that ISPs were reaching “the point where it becomes difficult for us as broadband providers to continue the current exceptional blocking of certain websites, without further clarity from DIA and/or other appropriate government agencies”.

“In terms of the related matter of managing the list of blocked websites: at the moment, Spark has been administering this list, based on input from DIA and our own desk research. We are also being asked by our industry counterparts for this list, and our people are having to exercise judgment on whether to remove websites from the blocked list. We don’t believe this is a tenable approach.”

The representative asked DIA to take over the list and provide it to all broadband providers or make it available on request.

The ISPs came away from the meeting with the understanding that “DIA will now take ownership of the domain black listing,” according to a March 22 email from a Spark representative to ISP and DIA officials.

Under this framework, DIA would maintain a list of links that were hosting prohibited content, a list of domains that needed to remain blocked, and would also act as “the front-end/contact point, when the public or other ISP ask for a list of domains to be blocked”.

On March 23, DIA officials reached out with an email labelled “Clarity – ISP’s block list – URGENT”.

“I want to be VERY clear about our position and what was agreed in that teleconference as the message is getting very confused,” a DIA official wrote. “The Department does not own the URL list or decisions associated with it. This has been proactively fronted by the ISP’s and the decisions remain the responsibility of the ISP’s.”

DIA did offer to shoulder “responsibility for validating the URL’s and domains that you are being made aware of or that we send through so that ISP staff are not at risk of being exposed to objectionable / harmful material”.

After this, the ISPs largely resolved to end the blocking scheme. It wasn’t until the ISPs informed DIA that they would be lifting the blocks on March 26 that the Government reached out to ask for a delay of a few days, as Newsroom reported at the time.

The only other governmental action on online content further complicated matters. On March 19, Chief Censor David Shanks ruled that the video of the terror attack was objectionable.

“Once it became declared as objectionable, technically, under the law, [Spark employees vetting links] were breaking the law by watching the video,” Pirie said. “It wasn’t an altogether satisfactory position to be in.”

Crisis response plan needed

The ad hoc, fractured approach from ISPs, with insufficient support from the Government, led industry leaders to the realisation that a better crisis response plan was needed. As early as March 18, New Zealand Telecommunications Forum CEO Geoff Thorn told DIA, “at some point, there may be some value in discussing whether we need a more streamlined approach to these sorts of issues”.

“What it’s shown is that there were no preexisting policies or procedures to contemplate in this situation. It has shown that a more complete framework should be put in place,” Rich Llewellyn, Vodafone’s head of external affairs, said.

“There’s definitely been lessons learned since then,” Armadoros said. “We have been working with Internet Service Providers, as well as some [NGOs] and other Government agencies within New Zealand to build a domestic online crisis response process.”

“Now that process is about making sure we’ve got maximum coordination, that we’re effective in our response, we’re able to share information and speak to the situation as we see it so that we can address it in the best way possible. Now that isn’t about blocking – blocking is one mechanism, there will be other tools that are available too.”

It has now been more than eight months since the terror attack, but no new formal system is in place, ISPs say. In an April 18 briefing to the Department of the Prime Minister and Cabinet, which would go on to lead the Christchurch Call, Spark listed several potential changes to the existing legal framework.

It floated the idea of minimum requirements for ISPs, a “trusted independent party to identify sites/addresses to be blocked”, and a voluntary industry scheme. “Obvious option seems to be to expand DIAs Child Exploitation Filter,” Spark said.

Newsroom reported last month that the Government was exploring this option. However, it is still in the very early stages of this process.

“We’re getting to a point now where we recognise that it might take some time if there’s a proper legislative response, but it’s a question of what can be codified as a more agreed approach between now and then,” Pirie said.

“We’ve been working with the Government and I guess our message is, the sooner that can be finalised, the better,” Llewllyn agrees. “We’re encouraging the Government to find a more permanent solution.”

“We’re still keen to get towards a situation where there is a centralised filter or similar device that means things can happen much more quickly,” Bolland said.

Marc Daalder is a senior political reporter based in Wellington who covers climate change, health, energy and violent extremism. Twitter/Bluesky: @marcdaalder

Leave a comment