New Zealand’s only Government-run internet filter, which blocks access to child sexual abuse material, has suffered from significant performance issues in the past year, Marc Daalder reports

At various stages over the past year, a wide range of websites hosting child sexual abuse material that were meant to be blocked by the country’s only internet filter were in fact fully accessible.

The filter, called the Digital Child Exploitation Filtering System (DCEFS), is voluntary for Internet Service Providers to sign up to and blocks access to a list of sites curated by the Department of Internal Affairs (DIA). More than 90 percent of New Zealand’s internet traffic goes through providers who are signed up to the filter.

The performance issues began last year when a new company was brought in to run the filter, after the previous provider abruptly called it quits even though they were contracted to continue supporting the system through to 2023. Israeli company Allot was brought in to set up the new filter from July, despite the fact that the company’s New Zealand subsidiary was in liquidation.

Between July and September 2020, as the New Zealand Herald has reported, the filter was “not fully functional” and addresses that were meant to be blocked were in fact fully accessible.

A briefing to Internal Affairs Minister Jan Tinetti, obtained by Newsroom under the Official Information Act, now reveals that the performance issues did not end there. Between November 2020 and January 2021, “the filter was found to be blocking only a low percentage of URLs that were on the block list”, officials wrote.

This wasn’t noticed at first because the tool which showed DIA officials how many links were being blocked was faulty – it reported that the filter seemed to be blocking all of the URLs it was meant to.

“The severely shortened timeframe to implement the new filter system meant that the department’s standard implementation and testing protocols were constrained,” officials explained in the briefing. “Due to the termination of service by the previous filter provider, the department was unable to maintain the old filter system as a back-up. These circumstances likely contributed to the performance issues experienced.”

A dashboard attached to the briefing shows that at the start of January, when the performance issues were still ongoing, only about 200 users were detected and blocked each day. Once the issues were fixed, that surged to between 600 and 1000 daily users.

The January outage is visible in this dashboard from the official briefing to Tinetti.

Further issues persisted throughout the year. According to a briefing to the filter’s oversight group in November, a July review of the block list found that 35 of 356 URLs – about 10 percent – were not being blocked.

“URLs can have multiple IP addresses associated to it. These IP addresses can either be on the same range or completely different to each other. A feature of the DCEFS is to consolidate IP addresses that are on the same range. This is a common technique employed by networks to reduce internet traffic,” DIA’s director of digital safety Jared Mullen told Newsroom.

“Although ISPs are aware of this process, they do not accept consolidated IP addresses as it may pose a security risk to their systems. This led to some of the URLs not being blocked by the DCEFS. The department are working closely with Allot, the provider of the DCEFS, to develop a solution.”

The November briefing also revealed a week-long period in September where 85 percent of links on the block list were not blocked. On September 8, the block list of 418 links was mistakenly replaced with a shorter list of just 61. The issue was rectified on September 15.

A dashboard from the November briefing to the oversight group shows the July and September outages.

“Internal processes and assurance protocols have been put in place to prevent this issue from occurring again,” Mullen said.

“The DCEFS is regularly checked on a weekly basis to ensure the system is functioning as expected.”

National Party spokesperson for the digital economy and communications Melissa Lee said New Zealanders would expect the system to be blocking all the sites it was meant to.

“I think people do have these kinds of expectations when the Government is involved when you have outages,” she said.

“I have met the people who actually run the filter at DIA. They’re a very dedicated group of staff who actually do this. But it is concerning when there is an outage in the way they’ve actually done it.”

As of the November briefing, there were 449 URLs on the block list.

Marc Daalder is a senior political reporter based in Wellington who covers climate change, health, energy and violent extremism. Twitter/Bluesky: @marcdaalder

Leave a comment