Prevent and Internet filtering policies

Jim Killock made this Freedom of Information request to University of East London

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was successful.

Dear University of East London,

Can you please supply:

(1) your policy or policy guidance for duties under the Counter-Terrorism and Security Act 2015 duties for the various local authorities listed in Schedule 6, known as “Prevent”;

(2) your policy relating to Internet filtering, blocking and prevention of access to material deemed inappropriate;

(3) the name of any providers of Internet filtering and blocking services that you use, or else a statement that you do not block or filter content at all;

(4) a list of agreements, arrangements or Memorandums of Understanding between yourselves and bodies such as the Internet Watch Foundation (IWF), the Counter Terrorism Internet Referral Unit (CTIRU) of the Metropolitan Police Service (MPS), or Police Intellectual Property Crime Unit (PIPCU) of the City of London Police, to receive lists of illegal or illicit content, for instance for the purposes of blocking.

Finally, can you:

(5) tell me if any filtering or blocking service that you use incorporates lists from the IWF, CTIRU or PIPCU, and which lists are incorporated; and

(6) provide to me any clauses within any contract or terms and conditions of service agreed with your filtering and blocking providers that relate to their use of information from the IWF, CTIRU or PIPCU.

Yours faithfully,

Jim Killock

Freedom Info, University of East London

Dear Mr Killock,

 

We acknowledge receipt of your inquiry sent on 8 May, which is receiving
attention.

 

Yours sincerely,

[1][University of East London request email]

University of East London

4-6 University Way

London

E16 2RD

--------------------------------------------------------------------------

From: Jim Killock <[FOI #405470 email]>
Sent: 08 May 2017 22:19
To: Freedom Info
Subject: Freedom of Information request - Prevent and Internet filtering
policies
 
Dear University of East London,

Can you please supply:

(1) your policy or policy guidance for duties under the Counter-Terrorism
and Security Act 2015 duties for the various local authorities listed in
Schedule 6, known as “Prevent”;

(2) your policy relating to Internet filtering, blocking and prevention of
access to material deemed inappropriate;

(3) the name of any providers of Internet filtering and blocking services
that you use, or else a statement that you do not block or filter content
at all;

(4) a list of agreements, arrangements or Memorandums of Understanding
between yourselves and bodies such as the Internet Watch Foundation (IWF),
the Counter Terrorism Internet Referral Unit (CTIRU) of the Metropolitan
Police Service (MPS), or Police Intellectual Property Crime Unit (PIPCU)
of the City of London Police, to receive lists of illegal or illicit
content, for instance for the purposes of blocking.

Finally, can you:

(5) tell me if any filtering or blocking service that you use incorporates
lists from the IWF, CTIRU or PIPCU, and which lists are incorporated; and

(6) provide to me any clauses within any contract or terms and conditions
of service agreed with your filtering and blocking providers that relate
to their use of information from the IWF, CTIRU or PIPCU.

Yours faithfully,

Jim Killock

-------------------------------------------------------------------

Please use this email address for all replies to this request:
[FOI #405470 email]

Is [University of East London request email] the wrong address for Freedom of Information requests to
University of East London? If so, please contact us using this form:
[2]https://www.whatdotheyknow.com/change_re...

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:
[3]https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:
[4]https://www.whatdotheyknow.com/help/ico-...

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

-------------------------------------------------------------------

--------------------------------------------------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit [5]http://www.mimecast.com

--------------------------------------------------------------------------

References

Visible links
1. mailto:[University of East London request email]
2. https://www.whatdotheyknow.com/change_re...
3. https://www.whatdotheyknow.com/help/offi...
4. https://www.whatdotheyknow.com/help/ico-...
5. http://www.mimecast.com/

Freedom Info, University of East London

Dear Mr Killock,

We refer to your inquiry dated 8^th May and set out below our response to
your inquiry.

Yours sincerely,

[1][University of East London request email]

University of East London

4-6 University Way

London

E16 2RD

 

Can you please supply:

Q1) Your policy or policy guidance for duties under the Counter-Terrorism
and Security Act 2015 duties for the various local authorities listed in
Schedule 6, known as “Prevent”.

A1) The University has created and has amended some existing policies in
relation to its obligations under the Prevent duty:-

* Safeguarding of Children and Vulnerable Adults Policy – the policy is
available at:
[2]https://www.uel.ac.uk/Discover/Governanc....

* Policy and Procedure for the Booking of On-Campus Speakers – the
policy is available at:
[3]https://www.uel.ac.uk/Discover/Governanc....

* The University’s information security policies, which mention Prevent
as a specific obligation are accessible under the following link:
[4]https://www.uel.ac.uk/Discover/Governanc...

Q2) Your policy relating to Internet filtering, blocking and prevention of
access to material deemed inappropriate.

A2) Please refer to the University’s Acceptable Use Policy and Guidance,
which deals with monitoring of the University’s IT facilities. The Policy
and Guidance are available on the following web link:

 

[5]https://www.uel.ac.uk/Discover/Governanc...

 

Please also refer to the University’s information security policies, which
are accessible on the links provided in answer to question 1 above.

Q3) The name of any providers of Internet filtering and blocking services
that you use, or else a statement that you do not block or filter content
at all.

A3) We believe that this information is commercially sensitive. We claim
an exemption under section 43 (2) of the Freedom of Information Act 2000:

Commercial interests
(1) Information is exempt information if it constitutes a trade secret.
(2) Information is exempt information if its disclosure under this Act
would, or would be likely to, prejudice the commercial interests of any
person (including the public authority holding it).
(3) The duty to confirm or deny does not arise if, or to the extent that,
compliance with section 1(1)(a) would, or would be likely to, prejudice
the interests mentioned in subsection (2).

Our reason for claiming this exemption is because the information you have
requested would be likely to prejudice our commercial interests. There is
the possibility that our ability to secure new contracts at the best
possible terms, and thus ensure value for money in relation to the
expenditure of public funds, could be compromised by the publication of
data relating to the names of suppliers for our current commercial
contracts. Potential tenderers might consider themselves to be
disadvantaged should we disclose commercially sensitive information to a
party, who, at some future date, might wish to submit a tender in
competition with others to whom such data has not been disclosed.

Q4) A list of agreements, arrangements or Memorandums of Understanding
between yourselves and bodies such as the Internet Watch Foundation (IWF),
the Counter Terrorism Internet Referral Unit (CTIRU) of the Metropolitan
Police Service (MPS), or Police Intellectual Property Crime Unit (PIPCU)
of the City of London Police, to receive lists of illegal or illicit
content, for instance for the purposes of blocking.

A4) We can confirm our web filtering solution incorporates lists from
external organisations. This data can be used in web visit classification
to permit/deny access.

Q5) Tell me if any filtering or blocking service that you use incorporates
lists from the IWF, CTIRU or PIPCU, and which lists are incorporated; and

A5) Our web filtering solution has a category named ‘Internet Watch
Foundation‘, fed from that named source, which we may elect to action as a
block category. Our web filtering solution does not source data from the
CTIRU of the Metropolitan Police or PIPCU as far as we are aware. No
information is received regarding the above, actions are taken when
visiting sites in the categories where access is blocked or denied as per
our applied policies for our web filtering solution.

Q6) Provide to me any clauses within any contract or terms and conditions
of service agreed with your filtering and blocking providers that relate
to their use of information from the IWF, CTIRU or PIPCU.

A6) We believe that this information is commercially sensitive. We claim
an exemption under section 43 (2) of the Freedom of Information Act 2000:

Commercial interests
(1) Information is exempt information if it constitutes a trade secret.
(2) Information is exempt information if its disclosure under this Act
would, or would be likely to, prejudice the commercial interests of any
person (including the public authority holding it).
(3) The duty to confirm or deny does not arise if, or to the extent that,
compliance with section 1(1)(a) would, or would be likely to, prejudice
the interests mentioned in subsection (2).

Our reason for claiming this exemption is that disclosure of this
information could be prejudicial to our commercial interests in relation
to the maintenance of security. Our IT systems are at risk of
cyber-attacks and we have in place appropriate risk mitigation strategies
to ensure that our systems are robust and that we are in a position to
safeguard the integrity of the data contained therein.  We are responsible
under the Data Protection Act 1998 for the safeguarding of the sensitive
personal data of approximately 25,000 individuals. We believe that should
information about the terms and conditions regarding our filtering and
blocking provider and the use of information provided to them, no matter
how general, be placed in the public domain, it could be of use to third
parties in terms of gaining unauthorised entry to the data stored on our
IT databases. 

If you are dissatisfied with the way the University of East London has
handled your request for information, you can request a review of this
decision by writing to:

The Head of Governance and Legal Services

University of East London

4-6 University Way

London

E16 2RD

E-mail: [6][University of East London request email]

 

If the review does not address your concerns, you can exercise a right of
appeal to the Information Commissioner at:

The Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Telephone: 08456 30 60 60 or 01625 54 57 45 Website: [7]www.ico.gov.uk

 

There is no charge for making an appeal.

--------------------------------------------------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit [8]http://www.mimecast.com

--------------------------------------------------------------------------

References

Visible links
1. mailto:[University of East London request email]
2. https://www.uel.ac.uk/Discover/Governanc...
3. https://www.uel.ac.uk/Discover/Governanc...
4. https://www.uel.ac.uk/Discover/Governanc...
5. https://www.uel.ac.uk/Discover/Governanc...
6. mailto:[University of East London request email]
7. http://www.ico.gov.uk/
8. http://www.mimecast.com/

Dear University of East London,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of University of East London's handling of my FOI request 'Prevent and Internet filtering policies'.

In relation to:

(3) the name of any providers of Internet filtering and blocking services that you use, or else a statement that you do not block or filter content at all;

In this question, we are only interested in content filtering. We are not interested in filtering or blocking for security purposes.

If you are not engaging in content filtering or blocking, a statement to say so would be more than adequate for our purposes.

Most Universities have been able to supply their acceptable use policies, and to tell us whether they block or filter content, and what content categories are blocked. A similar survey of libraries has also helped place this information in the public domain for that sector. In this case, 92% of libraries disclosed this information:

See: https://www.slideshare.net/infolit_group...

Some Universities have said they are worried about their own security in some cases. Where they rely on multiple sources of blocking malware, for instance, we do not believe that knowing the source of content and category blocking lists poses a security list. Normally, this should not be a problem.

We are not interested in how malware etc is blocked, so as long as the firewall product is not the only security measure you use, you may be able to judge that your own security is not at risk. Alternatively, you may be able to investigate your firewall product to find the source of the categorisation, which is likely to be separate from the security features.

Furthermore, there is a strong public interest in know what filtering products are being used where, as it is the only way for a website owner to know where their site may be being blocked, and therefore to resolve a problem if the website is being blocked incorrectly.

It should also be information that is in the public domain as to whether you block and filter content, and usually this is disclosed to students and staff, along with information about what is filtered. If this is the case, we doubt that disclosure to us also would pose a further security issue.

Commercial interests, other than your own network security, here should be a minor concern.

In relation to:

(6) provide to me any clauses within any contract or terms and conditions of service agreed with your filtering and blocking providers that relate to their use of information from the IWF, CTIRU or PIPCU.

It should not be a problem to be clear about whether law enforcement bodies are supplying content block lists to Universities, directly or through products. Most Universities have told us that they have no direct arrangements, but where they block, certain lists are incorporated, but not through contractual arrangements.

In relation to questions 5 and 6, we have already established that most products state when they incorporate these lists, but do not do so in contract. It would be helpful if you can confirm this in your case.

Blocking websites does not in itself constitute a law enforcement activity designed to have a serious impact on the prevention or detection of crime, nor a national security activity, in our view. This is firstly because it is not illegal to view websites, nor to provide access to them. In the case of IWF lists, where viewing material is illegal, use of their lists has always been framed as a service to customers, to prevent them from accessing this material inadvertently, rather than a law enforcement activity. The Prevent duty, meanwhile, is framed as an attempt to reduce radicalisation, rather than the commissioning of crime as such. Attempts have been made to ensure that it is not perceived as a “law enforcement” or national security issue, but as a safeguarding approach. As such, secrecy and non-disclosure would in our view be counter-productive.

Blocking is a form of censorship, which in order to be legitimate needs to be transparent and accountable. This is very important in an academic context, where access to information should not normally be restricted, and restrictions should have careful management.

This first stage of transparency and accountability is to know who is blocking what and why; with lists compiled by whom. Mistakes may need correction, and people who are subject to restrictions need to know that they are in place. When these restrictions are in partnership with or directed by law enforcement, this is of course even more important.

Commercial interests are subject to a balance of public versus private interests. In this case, commercial confidentiality would not in our view be a sufficient objection, as knowledge of what is blocked and what lists are incorporated would have no real impact on the companies supplying the products.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/p...

Yours faithfully,

Jim Killock

Freedom Info, University of East London

Dear Mr Killock,

 

We acknowledge receipt of your internal review sent on 16 June, which is
receiving attention.

 

Yours sincerely,

[1][University of East London request email]

University of East London

4-6 University Way

London

E16 2RD

show quoted sections

Please use this email address for all replies to this request:
[FOI #405470 email]

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:
[4]https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:
[5]https://www.whatdotheyknow.com/help/ico-...

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

-------------------------------------------------------------------

--------------------------------------------------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit [6]http://www.mimecast.com

--------------------------------------------------------------------------

References

Visible links
1. mailto:[University of East London request email]
2. https://www.slideshare.net/infolit_group...
3. https://www.whatdotheyknow.com/request/p...
4. https://www.whatdotheyknow.com/help/offi...
5. https://www.whatdotheyknow.com/help/ico-...
6. http://www.mimecast.com/

Freedom Info, University of East London

1 Attachment

Dear Mr Killock,

 

We refer to your e-mail in which you requested an internal review dated 16
June and attach our response.

 

Yours sincerely,

[1][University of East London request email]

University of East London

4-6 University Way

London

E16 2RD

--------------------------------------------------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit [2]http://www.mimecast.com

--------------------------------------------------------------------------

References

Visible links
1. mailto:[University of East London request email]
2. http://www.mimecast.com/

Dear Freedom Info,

Thank you very much that is very helpful.

Yours sincerely,

Jim Killock

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org