An architecture of censorship, or “We need a futile gesture at this stage”

The Quebec government intends to interfere in commerce on the Internet, the free choice of Quebecers to choose with whom to do business, and to require ISPs to establish an architecture of censorship, all with a view to driving users willy-nilly to Quebec’s official gambling site.

These measures were announced in the Quebec budget of March 2015.

As an aside, I note there has not yet been a word of protest from any quarters, including the federal government. Why is this proposal to transgress federal jurisdiction over communications undertakings going unchallenged? Consider that the CRTC recently blasted its cable undertakings when the last minutes of the Letterman show were blocked by the faulty application of simultaneous substitution rules. Which of the two is the more potent threat to the CRTC’s jurisdiction? In fairness, complaints about Quebec’s move to build an architecture of censorship have yet to be made because the Quebec government’s attempts to build the Great Firewall of Quebec have yet to begin. This article is the first complaint.

The Great Firewall of Quebec will be futile, but unless it and attempts like it are opposed, it will be essayed, by Quebec and other provinces, each in the name of public virtue and the lessening of private vice.

I cite the Quebec Budget of March 2015, section G, page 21, in the section entitled “The Fight against Tax Evasion.”


“With a view to public health and in order to further channel the revenues that

escape the government [sic], three of the measures recommended by the working

group will be implemented during the next fiscal year.

— A legislative amendment will be proposed to introduce an illegal website

filtering measure. In accordance with this measure, Internet service providers

will not be allowed to provide access to an online gaming and gambling

website whose name is on a list of websites that are to be blocked, drawn up

by Loto-Québec. This measure will be applied by the Régie des alcools, des

courses et des jeux, which should have the necessary resources to fulfil its

new responsibilities.

— In addition, Loto-Québec will develop a portal to increase the ability of

Espacejeux, the only legal online gaming site in Québec, to attract players.

Loto-Québec will operate games on this portal offered by private operators. To

become a supplier of a game offered on the portal, operators will have to enter

into an agreement with Loto-Québec, who will become the exclusive operator

of the online game of chance or gambling game in Québec.

— Moreover, in accordance with the recommendations of the working group.

Loto-Québec will inform Quebecers about the legislation governing online

gaming through multimedia campaigns.

The Quebec government defends these measures as follows:

“Illegal websites do not apply the same responsible gaming rules as Espacejeux.

They thus pose a risk to the population, especially young people. Moreover, private

operators who wish to offer games on the Espacejeux portal will have to comply

with Loto-Québec’s high standards regarding responsible gaming measures.

In addition, the measures announced will enable the government to recover

revenues that are escaping it and to fund public services for the benefit of all

Quebecers. These three measures will increase the dividend that Loto-Québec

pays to the government by $13.5 million in 2016-2017 and $27.0 million a year thereafter.”


Let us leave aside the hypocrisy of a government trying to confer a monopoly on itself, on ground that its websites promoting vice are morally superior to the websites of others promoting the same vice. Here we observe the state seeking to erect an architecture of censorship in the name of increased revenue. [When China or Iran tries to do this sort of thing, we cry foul.]

The important thing for governments to understand is that an architecture of censorship is both complicated to establish, expensive for ISPs to try to maintain, possibly ruinously expensive for them, burdensome to an economy in widespread and unforeseen ways, and futile. Censorship adds to the costs of communicating across the Internet, both in terms of increased costs of running an ISP and in legal fees to deal with prosecutions. These must inevitably be passed along to consumers. For smaller ISPs, these additional costs may drive them out of business.

More than this expense and legal risk to ISPs however, such measures drive consumers to evasive measures which are freely available, render law enforcement more difficult as the Internet grows more opaque, and, at the limit, may break the Internet in ways that even the Chinese government does not attempt – and the Chinese know lots about censoring the Internet.

The futility of such measures is perhaps the hardest for governments unfamiliar with the Internet to understand, particularly if their knowledge is at the level of not knowing the difference between an IP address and a website. The technical information that follows is based on information supplied by Geoff Huston, Chief Scientist for APNIC, the regional Internet numbers registry for the Asia-Pacific region, to whom I am indebted and grateful.

The three available methods for blocking access to websites are

  • ·         route filtering,
  • ·         DNS name resolution filtering and
  • ·         traffic interception
  1. a) Route Filtering takes the IP address(es) of the service to the filtered and creates specific routing forwarding rules to treat all packets directed to this address in a manner that prevents the packets reaching their intended destination.

Route filtering adds to the noise in the name resolution system (the DNS) which generates the need for other measures to filter out the same noise. In addition, route filtering depends on a one-to-one relationship between the address and the website which government wants to block. This relationship no longer holds. IP level blocked sites can readily circumvent such IP-level interception mechanisms by shifting their content to other hosting agencies, so that the blocked content is no longer associated with a set of IP addresses. Second, users can avail themselves of virtual private network services that create a false geographic location for the end user so that they can evade local content restrictions. Canadians are becoming familiar with VPNs by reason of their desire to access all of Netflix’ stock of video.

  1. b)     In the simplest form of name filtering a list of proscribed DNS names is circulated to internet Service Providers, and this list is used to configure their user-facing DNS resolvers, so that queries directed to these resolvers for the filtered names result in a false response.

These too are easily circumvented. Users can go to alternative name resolvers, such as those operated by Google (Google’s Public DNS), OpenDNS or Level 3. By replacing the reference to the ISP’s resolver with a reference to one of more of these open resolvers in their devices, the user effectively restores a complete view of the Internet’s name space and bypasses the locally imposed name filter.

The use of more distant resolvers also has negative effects on service times, and the security of data usage, since foreign data may completely escape local rules on data protection. It also results in users becoming more apt to use services that hide their presence from local (national or provincial) jurisdictional policies. From a governmental perspective, the Internet gets darker and more out of control as users flee the rules of local jurisdictions. The Internet makes national boundaries permeable, and the more pressure which is exerted inside a jurisdiction, the more users squeeze out into untraceability.

  1. c)The technique of route redirection can be coupled with traffic interception in order to address some of the shortfalls of IP address filtering. This approach uses some form of routing level interception to direct the traffic to a traffic interceptor which can determine if the URL is part of some blocked list, in which case the connection can be terminated by the agent, or  the proxy can forward the fetch request to the intended destination as a conventional proxy.

This method of interception has been generally more successful than name filtering alone, but can be evaded by far more sophisticated technology that encrypts the user traffic and wraps it so as to obscure the user from their local network.

Your app is increasingly paranoid

Readers of this blog will be aware that some applications are able to tunnel down to obtain IP addresses completely outside the knowledge or detection by other devices on which the app runs or the carriers which carry the traffic (see “Your app is increasingly paranoid”.) One such service recently launched is a mobile application called Google Fi. It wraps the entirety of a conversation in an encrypted tunnel. If an app controls a handover, then the session keeps running as you change IP address, which normally occurs when you go from one cell tower to another. The effect of this is that carriers are prevented from charging an outrageous rate for mobile data for what is supplied by them at the cost of fixed data; the carrier has lost control of the session. Another example is Facebook, which contains its own protocol suite, which means it has its own DNS resolution, and thus can avoid the Apple device on which Facebook may run. The app is cloaked, and the device maker never knows what the app is doing.

The connection between ‘paranoid’ and cloaked applications and government attempts to build an architecture of censorship is this: the arms race between apps makers and device makers, and apps makers and carriers, is continuous. Each is seeking information and revenue from the end user, and each seeks to prevent the taking by any other of information – which can be readily monetized – or money directly.

Back to Quebec

The government of Quebec is also seeking money from the end user by channeling usage into a government gambling website, and preventing access to all rivals. They have no idea of what they are getting into. Many jurisdictions would seek to follow Quebec’s example if it were apparently successful.

Those forces that want to keep the Internet working right must raise the alarm about Quebec’s intentions. Besides Quebec consumers and ISPs, who stands to lose?

  • ·         The trade and commerce carried on over the Internet is threatened by numerous jurisdictions seeking to distort traffic in the name of local monopolies;
  • ·         The federal government is threatened when provinces trench on its jurisdiction over carriers;
  • ·         Police forces are threatened when the Internet goes dark on them, as it will when citizens use VPNs (virtual private networks) to evade restrictive policies.
  • ·         Banking and other normally secure communications would be threatened if the measures required to enforce the ban on gambling sites caused ISPs to have to inspect packets otherwise protected by standard security protocols.

A useful way to understand the technology of the Internet is that every intervention of the type proposed by Quebec drives users to evasive measures. The Internet is porous. It was built to be global and not local. Canadians are already becoming familiar with VPNs as they seek to get around intellectual property protections governing Netflix content; they will not hesitate to evade restrictions of the type sought by Quebec by the same and other methods.

Governments are not immune to futile gestures. Before the Government of Quebec attempts to direct some $27 million of revenue towards itself, which it will almost certainly not capture, it had better examine whether it would not also inflict tens or hundreds of millions of dollars of economic damage to commerce in Quebec in the attempt. 

This foray into Internet censorship needs a more profound and technically informed analysis of costs and benefits. When that analysis will have been concluded, the futility of the proposal will be evident.

Auriez-vous l’obligence, M. Couillard, de bien vouloir reçevoir mes sentiments les plus distingués.

To top