Prevent and Internet filtering policies

The request was successful.

Dear Anglia Ruskin University,

Can you please supply:

(1) your policy or policy guidance for duties under the Counter-Terrorism and Security Act 2015 duties for the various local authorities listed in Schedule 6, known as “Prevent”;

(2) your policy relating to Internet filtering, blocking and prevention of access to material deemed inappropriate;

(3) the name of any providers of Internet filtering and blocking services that you use, or else a statement that you do not block or filter content at all;

(4) a list of agreements, arrangements or Memorandums of Understanding between yourselves and bodies such as the Internet Watch Foundation (IWF), the Counter Terrorism Internet Referral Unit (CTIRU) of the Metropolitan Police Service (MPS), or Police Intellectual Property Crime Unit (PIPCU) of the City of London Police, to receive lists of illegal or illicit content, for instance for the purposes of blocking.

Finally, can you:

(5) tell me if any filtering or blocking service that you use incorporates lists from the IWF, CTIRU or PIPCU, and which lists are incorporated; and

(6) provide to me any clauses within any contract or terms and conditions of service agreed with your filtering and blocking providers that relate to their use of information from the IWF, CTIRU or PIPCU.

Yours faithfully,

Jim Killock

Barlow, Jackie, Anglia Ruskin University

2 Attachments

Dear Mr Killock,

Thank you for your request for information under the Freedom of Information Act 2000 (FOIA). I have provided our response below.

(1) This information is held. Please see attached our 'Prevent Policy' and also our 'Freedom of Speech Policy'.

(2) This information is not held.

(3)(4) (5) and (6) - The university holds information relating to your request but is unable to provide details of any internet filtering/blocking services or details of any memoranda of understanding between ourselves and other law enforcement bodies in accordance with s31 (1a) of the FOIA. S31 (1a) applies where complying with the request would prejudice or would be likely to prejudice various law enforcement purposes (listed in the FOA) including preventing crime.

In particular, the release of internet blocking/filtering information would create an extra risk of a denial of service attack against the university which is (a) an offence under the Computer Misuse Act 1990 and (b) would prejudice the prevention or detection of crime. Also, the release of information relating to agreements, arrangements or Memorandums of Understanding between ourselves and law enforcement bodies might prejudice the prevention or detection of crime. The public interest in the university maintaining the exemption outweighs the public interest in disclosure. The university is a large, diverse community of staff and students who have access to its IT systems and websites. Its IT systems are subject to regular phishing security attacks.

If you are not satisfied with our response to your request for information you can contact us to ask for our decision to be reviewed by our Secretary & Clerk.

If you are still not satisfied following this, you can then make an appeal to the Information Commissioner, who is the statutory regulator for Freedom of Information.

The address is: Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Tel: 01625 545700.

Fax: 01625 524 510.

Website: http//www.informationcommissioner.gov.uk

This completes your request.

Yours sincerely,

Jacqueline Barlow MBA, MA, ACIS, ACIB
University Records Manager
Secretary & Clerk's Office
3rd Floor, Tindal Building
Chelmsford Campus
Anglia Ruskin University
Bishop Hall Lane
Chelmsford
CM1 1SQ

Direct line:- 0845 196 4215
Email:- [email address]
Fax:- 01245 495419

show quoted sections

Dear Anglia Ruskin University,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Anglia Ruskin University's handling of my FOI request 'Prevent and Internet filtering policies'.

(3) the name of any providers of Internet filtering and blocking services that you use, or else a statement that you do not block or filter content at all;

If you are only blocking malware and for computer security reasons, it may be that you can confirm to us that you do not engage in general content blocking.

Most Universities have been able to supply their acceptable use policies, and to tell us whether they block or filter content, and what content categories are blocked. A similar survey of libraries has also helped place this information in the public domain for that sector. In this case, 92% of libraries disclosed this information:

See: https://www.slideshare.net/infolit_group...

Some Universities have said they are worried about their own security in some cases. Where they rely on multiple sources of blocking malware, for instance, we do not believe that knowing the source of content and category blocking lists poses a security list. Normally, this should not be a problem.

We are not interested in how malware etc is blocked, so as long as the firewall product is not the only security measure you use, you may be able to judge that your own security is not at risk. Alternatively, you may be able to investigate your firewall product to find the source of the categorisation, which is likely to be separate from the security features.

Furthermore, there is a strong public interest in know what filtering products are being used where, as it is the only way for a website owner to know where their site may be being blocked, and therefore to resolve a problem if the website is being blocked incorrectly.

It should also be information that is in the public domain as to whether you block and filter content, and usually this is disclosed to students and staff, along with information about what is filtered. If this is the case, we doubt that disclosure to us also would pose a further security issue.

In relation to:

(4) a list of agreements, arrangements or Memorandums of Understanding between yourselves and bodies such as the Internet Watch Foundation (IWF), the Counter Terrorism Internet Referral Unit (CTIRU) of the Metropolitan Police Service (MPS), or Police Intellectual Property Crime Unit (PIPCU) of the City of London Police, to receive lists of illegal or illicit content, for instance for the purposes of blocking.

(5) tell me if any filtering or blocking service that you use incorporates lists from the IWF, CTIRU or PIPCU, and which lists are incorporated; and

(6) provide to me any clauses within any contract or terms and conditions of service agreed with your filtering and blocking providers that relate to their use of information from the IWF, CTIRU or PIPCU.

It should not be a problem to be clear about whether law enforcement bodies are supplying content block lists to Universities, directly or through products. Most Universities have told us that they have no direct arrangements, but where they block, certain lists are incorporated, but not through contractual arrangements.

In relation to questions 5 and 6, we have already established that most products state when they incorporate these lists, but do not do so in contract. It would be helpful if you can confirm this in your case.

Blocking websites does not in itself constitute a law enforcement activity designed to have a serious impact on the prevention or detection of crime, nor a national security activity, in our view. This is firstly because it is not illegal to view websites, nor to provide access to them. In the case of IWF lists, where viewing material is illegal, use of their lists has always been framed as a service to customers, to prevent them from accessing this material inadvertently, rather than a law enforcement activity. The Prevent duty, meanwhile, is framed as an attempt to reduce radicalisation, rather than the commissioning of crime as such. Attempts have been made to ensure that it is not perceived as a “law enforcement” or national security issue, but as a safeguarding approach. As such, secrecy and non-disclosure would in our view be counter-productive.

Blocking is a form of censorship, which in order to be legitimate needs to be transparent and accountable. This is very important in an academic context, where access to information should not normally be restricted, and restrictions should have careful management.

This first stage of transparency and accountability is to know who is blocking what and why; with lists compiled by whom. Mistakes may need correction, and people who are subject to restrictions need to know that they are in place. When these restrictions are in partnership with or directed by law enforcement, this is of course even more important.

General blocking agreements that also include the handing over of information to law enforcement agencies may constitute a form of surveillance activity, which may be in some cases justifiable, but in order to be lawful and fully accountable should be introduced through dedicated powers and warrants such as those specified in the Investigatory Powers Act. You would of course not be under an obligation to disclose this through FoI.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/p...

Yours faithfully,

Jim Killock

Barlow, Jackie, Anglia Ruskin University

Message sent for and on behalf of Paul Bogle, Secretary & Clerk

Dear Mr Killock,  

I write further to your email exchanges with Anglia Ruskin University
(“ARU”)’s Records Manager, Jacqueline Barlow, in June 2017, in which you
sought an internal review of ARU’s response of 12 June 2017 (the
“Response”) to your request for information dated 10 May 2017 (the
“Request”) relating to ARU’s policies, agreements and internet filtering
with regard to its Prevent duty.   

Internal review process

In line with ARU’s procedures for responding to requests for information
under the Freedom of Information Act 2000 (“FOIA”), I have undertaken a
review of the Response. 

In undertaking my review, I have considered whether ARU dealt with the
Request in accordance with its obligations under the FOIA, taking into
account all factors relevant to the issue.

In particular, I have considered:

1              The terms of the Request;

2              The information held by ARU within the scope of the Request
(including where appropriate making further enquiries of data custodians);

3              The Response (including disclosure of information requested
to date);

4              ARU’s obligations under the FOIA;

5              The positions of third parties potentially affected by
disclosure; and

6              Any relevant best practice guidance of the Information
Commissioner’s Office (“ICO”) and the Secretary of State for
Constitutional Affairs' “Code of Practice on the discharge of public
authorities' functions under Part I of the Freedom of Information Act
2000”.  

Outcome of the internal review

Summary

Having considered carefully the factors above, for the reasons which
follow, I have concluded that although most aspects of the Response should
properly be maintained, ARU should disclose some information beyond that
enclosed under cover of the Response. Details of this information is
provided below. 

The Request

For the purposes of my review, I will confirm my decision under the
separate headings that you have stated in your email of 16 June 2017.

(3)   “The name of any providers of internet filtering and blocking
services that you use or else a statement that you do not block or filter
content at all”.

In the course of undertaking my review, I have undertaken appropriate
searches and have determined that ARU holds some information under this
heading.  We use the URL filtering capabilities of our Palo Alto firewalls
which obtain their categorisations and content from Webroot. 

 

I can also provide details of our Acceptable Use Policy and our Social
Media Policy.  These can be found at
[1]http://web.anglia.ac.uk/it/policy/it_acc... and at
[2]http://web.anglia.ac.uk/anet/staff/sec_c...

 

 

(4) a list of agreements, arrangements or Memorandums of Understanding
between yourselves and bodies such as the Internet Watch Foundation (IWF),
the Counter Terrorism Internet Referral Unit (CTIRU) of the Metropolitan
Police Service (MPS), or Police Intellectual Property Crime Unit (PIPCU)
of the City of London Police, to receive lists of illegal or illicit
content, for instance for the purposes of blocking.

 

In the course of undertaking my review, I have conducted reasonable
searches and I can confirm that this information is not held.   

 

(5) tell me if any filtering or blocking service that you use incorporates
lists from the IWF, CTIRU or PIPCU, and which lists are incorporated; and

 

I can advise that Webroot (whom Palo Alto firewalls obtain their
categorisations from) are a member of the IWF 

 

(6) provide to me any clauses within any contract or terms and conditions
of service agreed with your filtering and blocking providers that relate
to their use of information from the IWF, CTIRU or PIPCU.

 

In the course of undertaking my review, I have undertaken appropriate
searches and have determined that no information is held by ARU.

Conclusion

This letter concludes ARU’s internal handling of your requests for
information.  If you are not content with the outcome of the internal
review, you have the right to apply directly to the Information
Commissioner for a decision.

The Information Commissioner can be contacted at:

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 

Cheshire

SK9 5AF

Yours sincerely

Paul Bogle

Secretary & Clerk

 

--
http://www.anglia.ac.uk/email-disclaimer

References

Visible links
1. http://web.anglia.ac.uk/it/policy/it_acc...
2. http://web.anglia.ac.uk/anet/staff/sec_c...

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org