At TorDev 2016 it was suggested to OONI that instead of creating criteria for URL risk assessment, perhaps we could consider white-listing and black-listing URLs per country?
Whitelists can include URLs that are commonly accessed and present low risk (e.g. Alexa top 100), while blacklists can include pornography, hate speech, and other objectionable categories.
My main concern with this suggestion is that many URLs might not clearly fall in a "white" or "black" list, or it might not be clear/obvious if they should be white-listed or black-listed. In such cases, would we be creating even more risk for users (if, for example, we have white-listed a URL which is actually quite risky to test)? Furthermore, would this inevitably lead to fewer tests for URLs that are riskier and possibly more interesting to test?
It is an interesting idea, although I think I share some of your concerns - particularly the potential for us to create a false sense of security for testers.
Do you envision that the content categories to be blacklisted would vary per country? For example, all pornographic content would be blacklisted for, say, Saudi Arabia, but that content category would not be blacklisted in Greece? Or would it be the case that we pre-define certain content categories as sensitive (as you mention, pornography, hate speech, etc.) and define them as blacklisted for all testing?
I think the primary difficulty in assessing low risk versus high risk is the difficulty in determining what constitutes risk. In theory, accessing the vast majority of the content on our lists is not strictly illegal, and we have limited knowledge of situations where accessing certain content types would be problematic that we can use to determine what constitutes high risk versus low risk. The only exceptions that immediately pop to mind are child pornography (which we do not include on any lists) or perhaps something like ISIS-related content in certain countries. As a result it strikes me as a highly subjective process and would rely heavily on the judgment of a small number of individuals, which could lead to situations where we falsely label certain content safe.
I'm also concerned that we could be lowering the value of testing (like you say, the Alexa 100 is generally less interesting) while potentially inaccurately portraying the risk, which is in a sense the worst of both worlds.