Website blocking in the European Union: Network interference from the perspective of Open Internet

By establishing an infrastructure for monitoring and blocking networks in accordance with European Union (EU) law on preventive measures against the spread of information, EU member states have also made it easier to block websites and services and monitor information. While relevant studies have documented Internet censorship in non ‐ European countries, as well as the use of such infrastructures for political reasons, this study examines network interference practices such as website blocking against the backdrop of an almost complete lack of EU ‐ related research. Speci ﬁ cally, it performs and demonstrates an analysis for the total of 27 EU countries based on three different sources. They include ﬁ rst, tens of millions of historical network measurements collected in 2020 by Open Observatory of Network Interference volunteers from around the world; second, the publicly available blocking lists used by EU member states; and third, the reports issued by network regulators in each country from May 2020 to April 2021. Our results show that authorities issue multiple types of blocklists. Internet Service Providers limit access to different types and categories of websites and services. Such resources are sometimes blocked for unknown reasons and not included in any of the publicly available blocklists. The study concludes with the hurdles related to network measurements and the nontransparency


Contributions
This study provides three main contributions: The study contributes by conducting a comprehensive analysis of the 27 EU countries, 1 based on three different sources.These include, first, tens of millions of historical network measurements collected in 2020 by volunteers from around the world; second, the publicly available blocking lists used by EU member states; and third, all reports of all blocked websites issued by each country's network regulators.
The analysis of 27 EU countries is based on ten million historical network measurements collected during 2020 by Open Observatory of Network Interference (OONI) volunteers around the world (Open Observatory of Network Interference [OONI], 2020).OONI is an organization that develops software to perform network measurements.OONI also administers the server infrastructure to store these data in a database (see the OONI Backend section), from which data can be retrieved for further analysis, for instance, to identify cases of Internet censorship or to detect surveillance network equipment.Over the years, different types of methodologies have been developed to detect filtering or blocking of network resources, tampering with communication channels, and intentional manipulation of network routes.These types of blocking methodologies can be evaluated with network measurements: data contributed to OONI gathered by anonymous volunteers from each country who use software probes (OONI, 2020).These data depict a rigorous perspective of the actual network filtering or content blocking that occurs in a specific network.Network measurements are challenging to conduct as they are deployed from vantage points that either probes have access to, or are located within the underlying network being measured.
This research also lists and catalogs publicly available blocklists in the EU.The blocklists are used by EU member states to block access to websites or services.In the early 2000s, the EU issued regulations blocking access mainly to online gambling services that were not licensed by all EU member states.Contrary to other services, the EU has constrained online gambling operators to operate in each EU country by paying a licensing fee to each EU member state in which they provide online services.One of the ways to enforce this regulation was to issue website blocklists of the unlicensed gambling websites and oblige ISPs to censor them in their networks.This is one of the first instances of EU-wide website blocking that drove ISPs to create a filtering infrastructure in their networks, frequently with many inconsistencies, over-blocking, and under-blocking websites (Ververis et al., 2015).Lately, the censorship of websites has increased and more categories have been added to the blocklists ranging from streaming websites, subtitles, file sharing, and torrents to tobacco, health, and medicine information resources, as discussed in the Data analysis results section.
Finally, this paper reviews and provides a summary of the reports issued by the National Regulatory Authority (NRA) of each EU member state with information concerning network interference such as website blocking.Other institutions than the NRAs in each country may also regulate networks there.

Structure
The paper is structured as follows.First, after related research is described in the second section.The third section presents some essential foundations of this research, explaining the OONI architecture and network measurements in detail.The fourth section describes our methods for collecting and analyzing the network measurement data used in this study.The fifth section presents the results of our overall data analysis.We discuss current challenges, point out avenues for further research, derive practical implications, summarize our findings, and conclude in, the sixth section.

FOUNDATIONS: OONI ARCHITECTURE AND NETWORK MEASUREMENTS
OONI data are publicly released and provided as an open access data set, available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license (Filastò, 2018).OONI provides the blocking detection methodologies used by its software in the public domain for review, experimentation, and potential improvements by the community.
OONI software is released under a free license (GNU General Public License v3.0) and is publicly available for downloading, running, further distribution, modification, and improvement.Open methodologies build a capable and strong community of researchers, activists, policy advocates, hackers, data scientists, and others interested in researching Internet censorship.Having open methodologies and public access to the source code allows the community and volunteers to contribute to network measurements and make informed decisions about the potential privacy risks associated with the use of OONI software.In addition, such methodologies increase transparency regarding the validity of collected network measurements and allow a better understanding of the technical implementation and technical details of the lower level.A high-level diagram of the OONI infrastructure and software is shown in Figure 1.
The engine is the part of the software that runs the network measurements (nettests).OONI provides probes to perform the nettests.The probe software for mobile or desktop clients is based on different software implementations depending on the platform.Each probe (client) implementation uses a specific software architecture.The applications for mobile devices are developed in Java for Android (probe-android) and Objective-C for iOS (probe-ios).The desktop clients are developed in Go for the command-line interface (probe-cli) and JavaScript for the desktop applications of MacOS, Windows, and Linux (probe-desktop).The legacy implementation (probe-legacy) for the desktop clients (still used despite its legacy status) is being developed in Python.

OONI backend
A typical transaction of an OONI probe to the backend consists of the following steps: (i) the probe requests the available collectors and test helpers from the bouncer; (ii) the probe performs a geolocation lookup to find out its IP address (deduced by default for privacy considerations) and determine the Autonomous System (AS) number, the country code, and the name of the network entity owning the AS; (iii) the probe opens a report for the nettest; (iv) upon completion of the nettest, the probe submits the results to the collector as a JSON file.
Once the results have been submitted, they are sent to the OONI pipeline for archiving and further processing of the network measurements (reports).The pipeline aggregates the data (reports) submitted by the probes (network measurement clients) to the backend.Upon receiving the unprocessed reports, the pipeline performs the following steps: (i) canningcompacts the reports to occupy less disk space and helps to reprocess the reports faster; (ii) autoclaving-sanitizes and normalizes the report data, removing potential personally identified information and fixing inconsistent data formats; (iii) centrifugation-aggregates the important parts of the reports and stores these metadata to a database for further processing.
Powered with data from the metadata database, the Application Programming Interface (API) allows analysis of data collected from OONI probes.This component is based on the Open API specification and is extensively documented.Finally, OONI Explorer (OONI Explorer-Open Data on Internet Censorship Worldwide, 2022) provides a visual representation of all OONI data and allows performing quick queries with various constraints such as (nettest, country, Uniform Resource Locator [URL], and date) in an easy and graphically visual way without the need to download any data or use the API.

OONI methodology
In our research, we analyze network measurement data performed by the Web Connectivity OONI nettest (OONI, 2019).This test measures the reachability and possible blocking of a website given an IP address or a domain name.The test's methodology diagram is illustrated in Figure 2. The Web Connectivity test consists of the following steps: (i) performing an A Domain Name System (DNS) lookup and storing the results of the A records list, (ii) attempting

Criteria and distribution of data
In total, we analyzed almost one million unique network measurements (specifically 999,125) from 888 distinct ASes in 27 countries.The data distribution across networks and countries is not uniform.Some network measurements were submitted by volunteers at random intervals but many were submitted with consistent frequency.Figure 3 represents the distribution percentage of the analyzed network measurements per country.We use the Alpha-2 country code notation as described in the ISO 3166 international standard.Our data analysis criteria were the following: (i) network measurements present in the OONI meta database; (ii) data collected in the date range: 2020-01-01 to 2020-10-20; (iii) data flagged as anomalous (with signs of network interference); (iv) network measurements conducted from networks within the EU; (v) network measurements performed with the Web Connectivity test.

Data collection
To access the OONI data, we set up a PostgreSQL replica of the OONI meta database (Filastò, 2019) and we fetched the latest archived data required for a database cluster (Evdokimov, 2019).It took about 10 days to sync with the master database and required 800 GB of storage capacity to accommodate the OONI meta database.A helper script was used to fetch the OONI S3 bucket data and configure the PostgreSQL server as a replica (in a hot standby configuration).This script fetches the latest archived meta database replica instance using all the available CPUs for decompression.The main requirement of the replica is a system with enough storage capacity and network connectivity to host a PostgreSQL database.A description of the Web Connectivity OONI test methodology is provided in the OONI methodology section, and the test diagram is illustrated in Figure 2.

Data validation
We use the term blockpage to refer to an instance of deliberate blocking.The term has been, and sometimes also still is, used to refer to the error message displayed.From among the many network measurements with signs of network interference, we only included as blockpages those cases of which it could with some certainty be verified that they were neither false positives (for instance due to network connectivity errors) nor blocked due to internal network filtering rules (such as parental controls, antivirus filtering, or firewalls).For this, we derived a set of heuristics from certainly blocked instances and excluded all network measurements unless they satisfied the specified criteria: (i) existence of a blockpage or any indication of an error due to blocking (e.g., HTTP error codes); (ii) existence of DNS records that point to bogus IP addresses (such as 127.0.0.1); (iii) network measurements with correct AS information (i.e., if the probe's AS number is not shared, AS0).

Blockpage heuristics
Network measurements that present signs of network interference (anomalous data) are not always evidence of website blocking.In fact, it is quite common to find anomalies in network measurements due to transient network errors, website misconfigurations, geolocation blocking, or simply software issues and bugs.For this reason, we developed a number of heuristics to identify website blocking by manually looking into the data set, and verifying that is indeed a case of website blocking.We accept that website blocking has occurred when all the criteria set during the data validation process (see the Data validation section) are satisfied.
In addition to the data analysis criteria of Criteria and distribution of data section and the data validation criteria of the Data validation section, there is an additional test that a network measurement must satisfy for us to consider it to be a blockpage.On the validated data set we compare if the DNS A record of the website (IP address) is on the same AS as the one in the probe's network performing the measurement.This helps to detect the blockpages hosted within the same ISP or IP address ranges of the country.This is common and usual practice as it is unlikely that a website is hosted on the same AS as the one where the network measurement has been conducted.

National Regulatory Authorities' monitoring and reporting on Open Internet
As an obligation imposed by art.5(1) of the Open Internet Regulation, the NRAs should annually inform the European Commission about their activities in monitoring and enforcing the Regulation's rules.The reports would serve as summaries for the Commission on the state of affairs in national jurisdictions and would serve to provide a minimum level of transparency and comparability of the implementations across Europe.Among the things expected to this end from the reports are the overall description of the national situation regarding network neutrality, the description of the NRAs' monitoring activities, the number and types of complaints, ISPs' infringements related to the Regulation, and results of surveys, evaluations, and technical measurements implemented by the NRAs.The reports from the NRAs should present any network blocking or network neutrality issue to the European commission based on the Open Internet regulation (Council of the European Union, 2015).We collected, analyzed and summarized all reports issued by each EU member state's NRA from May 2020 to April 2021.Table 1 summarizes each country's reports and refers to any blocking of websites or services mentioned in the annual reports of NRAs.

DATA ANALYSIS RESULTS
In our data analysis, we discovered several blocked websites in each country that were not listed in any public blocklist or mentioned in the annual Open Internet monitoring reports prepared by the NRA.
Our findings show a lack of transparency regarding network blocking in the EU countries.The data demonstrate that, although website blocking is a current activity, regulators have not provided enough evidence on how such blocking is being conducted by the telecommunication operators.This may result in over-or under-blocking websites, or network services being wrongfully blocked, as occurred in past incidents highlighted by some studies (Ververis et al., 2015(Ververis et al., , 2021)).

Detected blockpages
We were able to identify 51 unique blockpages from 18 countries and 47 ASes that present a form of a blockpage or a generic error that is inconsistent with the network measurements of the control probe during the Web Connectivity test.Figure 4 illustrates all blockpages with the blockpage title per country code in the Alpha-2 ISO 3166 notation.Most countries present one or two blockpages while others present as many as seven.Such variation is due to network measurements performed nonuniformly by all countries, as we elaborate further in the Conclusion and further discussion section.Additionally, Figure 5 depicts all the categories of the blocked websites we detected in Figure 4, following the notation: The categories of the websites are extracted by Citizen Lab's URL test lists, the collaborative lists of websites or services curated and reviewed by community members to detect potentially blocked websites across countries (Citizen Lab et al., 2014).The details of the category description and code of each detected blockpage are listed in Table 2.  F I G U R E 5 Blockpages per title and country code (Alpha-2 ISO3166) and blocked website category as depicted in Table 2.The colored bars for each country code and website category illustrate the variety of blockpages found in Open Observatory of Network Interference data.
T A B L E 2 Categories of blocked websites illustrated in Figure 5 based on (Citizen Lab et al., 2014).

Category description Code Description
Anonymization, and circumvention tools ANON Used for anonymization, circumvention, proxy-services, and encryption.Human Rights Issues HUMR Sites dedicated to discussing human rights issues in various forms.Includes women's rights, and rights of minority ethnic groups. LGBT LGBT A range of gay-lesbian-bisexual-transgender queer issues (excluding pornography).
Media sharing MMED Video, audio or photo sharing platforms.
News Media NEWS This category includes major news outlets (BBC, CNN, etc.) as well as regional news outlets, and independent media.

Blocklists
A blocklist is a collection, put together by network regulators, of web addresses which may violate laws or regulations.For the sake of correct terminology and inclusive language, we use the word blocklist, instead of the word blacklist, used by almost all authorities in the EU countries that release such lists.During our research, we were able to find and identify official blocklists issued by 15 countries and one unofficial blocklist that is not issued by a country's authority, but is based on a court order.In total, we detected 23 blocklists with entries of websites from the categories regarding copyright, gambling, health, phishing, and tobacco.We developed a system that downloads, cleans, and assembles the blocklist files into Python Pandas data frames.This eases the data analysis and helps to get reproducible new versions of the blocklists in case of an update.The majority of the blocklists are released in a PDF file format which makes them nonideal for immediate processing.We converted these blocklists with the PyPDF2 and tabula-py Python libraries.We manually inspected the blocklist files and extracted relevant areas that include the blocked entries.Extracting data from PDF files in various languages and character encodings is a cumbersome process, but once the relevant areas of interest are isolated, we can then convert all the blocklists into data frames.The second most used file format, text file, is considerably easier to transform into data frames.Fewer blocklists are in HyperText Markup Language (HTML) and Comma-separated Values (CSV) file format; one is in Excel Workbook (XLSX) and another one in Extensible Markup Language (XML).All of these are simpler to extract into data frames.
We scanned them and thematically categorized the blocklists under the following categories: copyright, IP address based, health (including medical), gambling, phishing, or tobacco-related websites.The results are presented in Table 3 and in Figure 6 and follow the notation: The data for the phishing blocklist of Poland has been omitted from Figure 7 because the additional 14,522 entries would make the Figure look odd.All EU countries publish a gambling blocklist, most publish a copyright blocklist, Italy publishes a blocklist for tobaccorelated websites, Denmark publishes a blocklist for medical-related websites, and Poland a blocklist with website entries related to phishing attacks (not included in Figure 6).Finally, the Netherlands releases an IP-based blocklist as an additional blocklist to their domainname-based blocklist.The other 22 blocklists all contain only domain names (several include subdomains).
Because many countries publish more than one blocklist, we created Figure 7 to illustrate the cumulative number of blocklist entries per country.The data show that Poland has almost 15,000 entries (14,494) without including the phishing blocklist (with 14,522 entries), followed by Cyprus with 14,000 entries (13,789) and Italy with more than 11,000

Category description Code Description
Sex Education XED Includes contraception, abstinence, STDs, healthy sexuality, teen pregnancy, rape prevention, abortion, sexual rights, and sexual health services.
Terrorism, and Militants MILX Sites promoting terrorism, violent militant or separatist movements.
T A B L E 3 Detected blocklists per country.We sent an e-mail query to all gambling authorities, as well as other agencies, for information on restricted websites for the countries for which we were unable to find any official or unofficial publicly available blocklist online.Apart from the ones published by the gambling regulators, countries typically have various blocklists.Due to ethical, legal, and humane considerations, we did not seek blocklists of websites that included or are related to Child Sexual Abuse Material (CSAM).

Blocklist authorities
In this section, we provide an alphabetical list of the national authorities that create blocklists and compel ISPs to block websites or services.Table 3 summarizes our results on the blocklist authorities, listing for each country the responsible entity that issues and publishes a blocklist of websites along with its type, the file format, and the relevant reference.media content deemed illegal according to Belgian legislation.The error message for the blockpage links to a website in the source code of the blockpage that is dysfunctional (https://onlinefairplay.info/) and we were unable to obtain any information from the authority's website (http://belgianentertainment.be/) as it is also inoperative.The Belgian Institute for Postal Services and Telecommunications mentioned in their yearly report that there is no blocking of services or applications (section 5.117) (Belgian Institute for Postal Services and Telecommunications, 2021).The first blocklist entries date back to February 2012, as stated in the official website of the Belgian Gaming Commission (Belgian Gaming Commission, 2021).

Bulgaria
The National Revenue Agency in Bulgaria is responsible for publishing and issuing the gambling blocklist (NRA Gambling Authority blocklist, 2021).According to the blocklist file the first released blocked entry took place in June 2013 (NRA Gambling Authority blocklist, 2021).In its annual report the communications regulation commission mentions that access to websites and content is blocked only in accordance with the national legislative acts (section 1.2) (Communications Regulation Commission [CRC], 2021).

Croatia
The Ministry of Finance Tax Administration is the responsible entity for the release and publication of the gambling blocklist.It is issued as a PDF file and contains the domain names with their subdomains along with the issue date of the blocking order for each entry in the blocklist.According to the blocklist, the first blocked entry appeared at the end of May 2019 (The Republic of Croatia, Ministry of Finance, Tax Administration-Blocklist, 2021).There is no mention of Internet blocking in the country in the annual report issued by the Croatian Regulatory Authority for Network Industries (HAKOM, 2021).

Cyprus
The National Betting Authority of the Republic of Cyprus is responsible for publishing and releasing the gambling blocklist in text file format (Cyprus National Betting Authority, Blocklist, 2021).It was established as an independent authority in 2012 and although the law was issued in 2012, the first public release of the blocklist was issued in February 2013 (Ververis et al., 2017).In the annual report published by the Office of the Commissioner of Electronic Communications and Postal Regulation in Cyprus there is no mention of any Internet blocking taking place (Cyprus Office of the Commissioner of Electronic Communications and Postal Regulation, 2021).

Czech Republic
The Ministry of Finance of the Czech Republic is responsible for issuing and publishing the blocklist of gambling websites in the country.The first blocked entry appeared in July 2017; 15 versions of the blocklist are already published, given the file name prefix (v15) (Zveejovan daje ze Seznamu nepovolench internetovch her k 29.6.202Z,2021).There is no

Denmark
The Telecom Industry Association of Denmark releases a number of blocklists based on Danish court orders.Three different blocklist categories exist: i. the game category contains gambling websites; ii. the health category with medical and health-related websites; and iii. the intellectual property rights category with websites related to copyright infringement.All blocklists are published in the CSV file format, and a PDF file provides the date of each entry added to the blocklist.The Danish Energy Agency sent out a questionnaire to 40 ISPs in Denmark on the grounds of the EU net neutrality regulation.30% of the ISPs stated that they are partly blocking access to the Internet.Specifically, the ISPs mentioned blocking access to CSAM websites with extremist content, or calls for terror.Further, the ISPs mentioned blocking traffic to malicious servers related to COVID-19 crime (section 4.1) (Danish Energy Agency, 2021).

Estonia
The Republic of Estonia's Tax and Customs Board is responsible for issuing and publishing the blocklist of gambling websites in the country.It is distributed as a PDF file and is publicly available to download (Blocked illegal remote gambling sites: Estonian Tax and Customs Board, 2021).The annual report of the Estonian consumer protection and technical regulatory authority fails to mention any Internet blocking in the country (Estonian Consumer Protection and Technical Regulatory Authority, 2021).

France
In France, the National Commission on Informatics and Liberty publishes yearly reports on the administrative blocking of websites.The reports give an overview of the blocked websites related to terrorism and CSAM (Contrôle du blocage administratif des sites: la personnalité qualifiée présente son 5ème rapport d'activité, 2021).They have appointed a person to verify the validity of requests for removal of content and blocking made by the central office for combating information and communication technology crime.However they do not provide details as to which websites have been blocked, but only statistical information on the number of requests to block websites.The latest report covers the period from February to December 2019, and mentions that 18,177 blocking orders were made.Of these, 420 requests were related to blocked websites, 11,874 for content removal, and 5,883 for dereferencing of e-mail addresses (France: Freedom on the Net 2020 Country Report: Freedom House, 2021).Moreover, there is no mention of Internet blocking in France's Electronic Communications, Postal and Print Media Distribution's NRA annual report (Arcep, 2021).

Germany
Clearinghouse Copyright on the Internet is an independent body established by ISPs and rights holders.Its purpose is to review and propose the blocking of websites according to certain criteria and requirements related to copyright infringement.As mentioned on its website, a review board, at the request of the copyright holder, reviews the copyright allegedly infringing website and, if the requirements are met, recommends DNS blocking.They publish the recommendations for blocking domains on their website and the first entry appeared in February 2021 (Empfehlungen Clearingstelle Urheberrecht im Internet, 2023).According to the Federal Network Agency's annual report on net neutrality, there is no national law in Germany requiring ISPs to implement blocking in their networks.An unnamed (in the report) ISP was required to block access to some (unspecified) websites by means of DNS blocking due to a court ruling (section 3.1.2)(Bundesnetzagentur, 2020).

Greece
The annual report of the NRA in Greece (EETT, 2020) mentions that ISPs in the country block websites based on two public blocklists according to the laws related to the protection of intellectual property and blocking of gambling websites (Hellenic Copyright Organization, 2021; Official Webpage Of Hellenic Gaming Commission [Hgc], 2021).Additionally, the report mentions that ISPs block domain names to protect against phishing attacks and block IP addresses to protect their internal network and defend against distributed denial of service attacks.A user who visits one of the websites listed in the blocklist gets redirected (with an HTTP 301 redirect) to the websites of the blocking authorities.The servers of the authorities may potentially collect IP addresses and further information of users trying to access the blocked websites.Previous research observed that ISPs implemented their own blocking pages without redirecting the users to the website of the gambling regulation authority when they try to access a website on the blocklist (Ververis et al., 2015).

Hungary
The Supervisory Authority for Regulated Activities in Hungary is responsible for issuing and releasing a public blocklist for gambling websites (Blokkolt honlapok-Szerencsejáték Felü gyelet, 2021).There is no mention of the blocklist in the annual report published by the national media and communications authority (National Media and Communications Authority, 2021).

Italy
In Italy, we discovered three publicly available blocklists issued by two different entities.The Autonomous Administration of the State Monopoly lists websites related to gambling (Agenzia delle dogane e dei Monopoli, 2021a) and tobacco products (Agenzia delle dogane e dei Monopoli, 2021b).The Authority for Communications responsible for the blocklist of copyright infringement cases (AGCOM, 2023).There is no mention of any blocking in the NRA annual report (AGCOM, 2021).

Latvia
The Lotteries and Gambling Supervisory Inspection is the responsible authority for issuing and publicly releasing a gambling blocklist in Latvia.The first blocked entries appeared in August 2014 (Lotteries and Gambling Supervisory Inspection of Latvia, 2021b).

Lithuania
The Gaming Control Authority under the Ministry of Finance is the responsible authority for issuing the gambling blocklist of websites in Lithuania.The first entries were published in January 2016 (Gambling blocklist, 2021) in a text file format.However, there is no reference to blocking in the annual report (Communications Regulatory Authority of the Republic of Lithuania, 2021) published by the Communications Regulatory Authority of the Republic of Lithuania.

Malta
An e-mail communication from the Malta Gaming Authority (Malta Gaming Authority, 2021) revealed that they do not have the authority to block websites.However, they cooperate with Malta's police force to stop criminal gambling activity.Investigations and prosecutions are then carried out by the police, assisted by the Authority as necessary.Therefore, any repercussions (including website blocking) of illegal activities or services fall under the jurisdiction of the Malta police.The annual report of the Malta Communication Authority mentions an ongoing investigation to block specific IP addresses (undefined in the report), without saying that there was any website blocking (Malta Communications Authority, 2021).

The Netherlands
A blockpage (OONI Explorer-Open Data on Internet Censorship Worldwide: KPN Blockpage, 2020) in OONI network measurements probed on the KPN ISP mentions that the judge for provisional legal protection in Midden-Nederland ruled in January 2018 that The Pirate Bay's website should be blocked on all KPN networks including Telfort, Simyo, and KPN Hotspots.The decision lists several IP addresses, domains and subdomains that ISPs must block.The same blockpage mentions that the judicial decision (Central Netherlands Court, 2021) was also sent to other ISPs.The unofficial blocklist extracted from the blockpage (OONI Explorer-Open Data on Internet Censorship Worldwide: KPN Blockpage, 2020) lists 12 IP addresses (IPv4 and IPv6) and a list of 212 domains and subdomains that are proxies or mirrors of The Pirate Bay website.The Authority for Consumers and Markets released the annual NRA report without providing any information about the blocking of websites or services (Authority for Consumers & Markets, 2021).

Poland
The NRA report of the Office of Electronic Communications (Urząd Komunikacji Elektronicznej, 2020) mentions that ISPs are obliged to block gambling websites.The Polish Ministry of Finance releases the gambling blocklist (Polish Ministry of Finance, 2021), provided as a REST XML service that can be retrieved programmatically and includes the documentation of its specification.Another blocklist (called Warning List) (CERT Polska, 2021) has been created to block websites related to phishing activities.An agreement was made in March 2020 with the Minister of Digital Affairs, the Office of Electronic Communications and National Research Institute, and the four largest mobile network operators, Orange, T-Mobile, P4, and Polkomtel, to block specific websites (UKE przystąpił do porozumienia chroniącego abonentów-Urząd Komunikacji Elektronicznej, 2021).The CERT Polska team is responsible for the maintenance and release of this blocklist.On their website, they have created a form where individuals can report suspicious websites, and each report is manually verified by at least two persons.The blocklist is released in various file formats, updated every 5 min, and the full specification of the API is available on their website (CERT Polska, 2021).

Romania
The Romanian National Gambling Authority has released a gambling blocklist since 2015 (Oficiul National pentru Jocuri de Noroc, 2021).It is available on their website in a text file format.They also provide a helper script (written in the PHP programming language) that replaces the A and NS DNS records of the domain (and the www subdomain) for all the entries found on the blocklist, compatible with the BIND DNS server configuration.According to the annual report (ANCOM, 2021) of the National Authority for Administration and Regulation in Communications, that entity issued 15 blocking orders related to COVID-19 fake news, as well as protection and prevention measures during the state of emergency that ended in May 2020 (The National Authority for Administration and Regulation in Communications [ANCOM], n.d).The gambling blocklist is not mentioned in the report.

Slovakia
The annual report (Slovak Republic Regulatory Authority for Electronic Communications and Postal Services, 2021) published by the Regulatory Authority for Electronic Communications and Postal Services mentions that ISPs block access to applications or services in the event of illegal content as ruled by European or national legislation.Online gambling websites without a Slovak license are blocked, as well as websites that host CSAM.The Slovakian Gambling Regulatory Authority is responsible for issuing and publishing the gambling blocklist, and its first entry appeared in August 2019 (Gambling Regulatory Authority of Slovak Republic, 2021).

CONCLUSION AND FURTHER DISCUSSION
This study sheds light on how website blocking occurs in the European Union.The process of gathering data involved several steps and sources, sometimes not easily available.Some of the data sources were provided after e-mail communication with the regulators.The research identified blockpages and blocklists in jurisdictions across Europe.In our blocklist evaluation study (in the Blocklists section) we detected different types of blocklist publication and distribution methods.
We identified some issues with the reporting of such blocklists.Most regulators and authorities are using PDF files, others publish the blocklists on their websites, and a few release them in a CSV or other file format.All of these approaches are cumbersome and lead to error-prone processes for the ISPs maintaining updated lists of websites and services to block.This may result in over-and under-blocking (Ververis et al., 2015).Besides, most NRAs do not describe in their reports what blocking they do.Only a few authorities publish even limited details on the resources and websites blocked, with no references to the blocklists.Details for each country are provided in the Data analysis results section.A well-designed system can help address a number of these problems related to Internet regulations and blocking of websites and services, albeit the issue is not just technological, but may involve political and legal questions.
We focused on the overlooked trend of EU member states deploying surveillance and network infrastructures to adhere to the EU legislation.We focused on the publication and release of EU blocklists and website blocking in 2020.Based on historical network measurements data by OONI, this paper provides evidence that countries in the EU not only use blocklists as a means of blocking access to websites but also block different types and categories of websites and services that are not included in the publicly available (identified) blocklists.
All countries publish a gambling blocklist, most publish a copyright blocklist, Italy publishes a blocklist for tobacco-related websites, Denmark publishes a blocklist for medical websites, and Poland publishes a blocklist with entries on phishing websites.Finally, the Netherlands publishes IP-based blocklist as an additional blocklist to their domain-namebased blocklist.The other 22 blocklists all list only domain names or URLs.
In terms of the cumulative number of blocklist entries per country, Poland has just over 29,000 entries (including the phishing blocklist), followed by Cyprus with almost 14,000 entries and Italy with more than 11,000 entries.Latvia, Greece, Estonia, and Romania, with between 4000 entries and 1000 entries in blocklists, make up the midfield.The remaining countries have significantly fewer than a thousand entries.
We also analyzed data from the OONI project, a platform for detecting Internet censorship that has been actively developed since 2012.OONI network measurements are carried out on an ad-hoc basis by volunteers.The data submitted still rely on the availability and willingness of people to conduct network measurements, notwithstanding the software's ongoing improvement.Although OONI has collected and released data on network measurements from all countries worldwide, getting longitudinal network measurements is challenging.It is important that quantitative network measurements be carried out from diverse locations even for the same ISPs and ASes.

Regulatory sanctions and restriction to access to online resources
As the literature demonstrates, governments and state actors have used Internet censorship to influence political discourse and favor businesses under their own control (Greengard, 2010).Citizens can also potentially be denied access to services as a result of local regulatory laws, financial reasons, or because their country has fallen under sanctions and prohibits foreign companies from operating within their jurisdiction (Ververis et al., 2019).Some authors suggest that, having been characteristic of repressive regimes, Internet censorship could become almost ubiquitous in both democratic and authoritarian states (Bambauer, 2013).
As example, the EU has imposed a number of sanctions in response to Russia's invasion of Ukraine.In particular, the EU Council adopted Decision 2022/351, imposing new restrictive measures against the Russian state media and their subsidiaries (EU sanctions against Russia following the invasion of Ukraine, 2022).The Council decision does not specify exact websites, domains, or URLs to be blocked, but rather says that: "It shall be prohibited for operators to broadcast or to enable, facilitate or otherwise contribute to broadcast, any content by the legal persons, entities or bodies listed in Annex XV, including through transmission or distribution by any means such as cable, satellite, IP-TV, Internet service providers, Internet video-sharing platforms or applications, whether new or preinstalled" (The Council of the European Union, 2022).Annex XV lists only the names of the entities or bodies, specifically: RT-Russia Today English, RT-Russia Today UK, RT-Russia Today Germany RT-Russia Today France, RT-Russia Today Spanish and Sputnik.
This prohibition forces ISPs to make their own decisions about which websites and services to block, which is a difficult process with many implementation gaps and the risk of under-or over-blocking (Formal Internet Censorship: Copyright blocking injunctions, 2019).The EU council also calls for blocking content distributed via cable, satellite, ISPs, and IP-TV connections on video-sharing websites in addition to the websites owned by these entities.In reality, such extensive service blocking is impractical and results in the excessive overblocking of websites and services (Formal Internet Censorship: Copyright blocking injunctions, 2019; Open Rights Groups, 2012; Ververis et al., 2015).
ISPs in the EU are already employing various blocking techniques to block the websites of rt.com and sputniknews.com.The majority of them make use of their current blocking infrastructure, including the same blocking pages that falsely claim the websites are blocked because of copyright infringement, gambling, or other laws (The latest crazy law, 2022).These are similar to the blocking pages examined in The Detected blockpages section which have nothing to do with the blocking of these websites.The blocking infrastructure requires a significant number of labor hours and hardware infrastructure to be implemented and maintained (The latest crazy law, 2022).For instance, this is the situation with smaller ISPs in the United Kingdom, where new Internet service sanctions in the country require ISPs to block access to the websites and services listed in the sanctions.Failure to do so can result in fines of up to £1,000,000 (Ofcom, 2022; The latest crazy law, 2022).

Limitations
The conclusions of this paper have limitations which may prompt future research, especially regarding other forms of Internet censorship and further methods of network interference that may require a legal and policy analysis from the principles of network neutrality and Open Internet.
Slovenian Regulatory Authority for Electronic Communications and Postal Services, 2021) Spain Blocking of websites by request of the courts only, Sec.3.2 (State Secretariat for Telecommunications, Digital Infrastructures of the Ministry of Economic Affairs, and Digital Transformation, 2021) Sweden None mentioned (Market Regulation Department Swedish Post and Telecom Authority, 2021) F I G U R E 4 Blockpages per title and country code (Alpha-2 ISO3166).

F
I G U R E 6 Number of entries per blocklist and blocklist type: (C) copyright, (G) gambling, (M) health/medical, (IP) IP address based, (P) phishing, (T ) tobacco.POLICY & INTERNET | 15 19442866, 0, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/poi3.367 by Readcube (Labtiva Inc.), Wiley Online Library on [02/12/2023].See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions)on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License Austria Since 2016, the regulatory institution Telekom-Control-Kommission (Telekom Control Kommission [TKK], 2023) has published on their website the national proceedings and decisions regarding net neutrality and the blocking of websites.The first relevant decision was published in 2018.It obliges ISPs to block access to websites due to alleged claims for injunctive relief under the copyright law (Telekom Control Commission, 2023).There is no official blocklist and the blocked websites can be extracted from the PDF files of the decisions.Several ISPs provide a blocklist in their websites (kabelplus GmbH, 2023a, 2023b; LIWEST Netzsperren, 2020; Magenta Redaktion, 2022), although it is unclear if the blocklists are thorough and up to date.The NRA report specifies cases of blocking based on copyright claims, typically implemented via DNS blocking (section 3.4, part II) (Austrian Regulatory Authority for Broadcasting and Telecommunications, 2021).Belgium We detected two different blockpages in Belgium, one for gambling websites (The Gaming Commission-The regulator of the gambling sector in Belgium, 2023) directed by the Belgian Gaming Commission and another from the Belgian Entertainment Association for F I G U R E 7 Total number of blocklist entries (cumulative) per country.
Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/poi3.367 by Readcube (Labtiva Inc.), Wiley Online Library on [02/12/2023].See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions)on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License report of any blocking in the report of the Czech telecommunications authority (Czech Telecommunication Office, 2021).
Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/poi3.367 by Readcube (Labtiva Inc.), Wiley Online Library on [02/12/2023].See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions)on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License We discovered another blocklist published by the National Electronic Mass Media Council of Latvia with entries related to copyright infringement.Both blocklists are released in a text file format (National Electronic Mass Media Council of Latvia, 2021).The annual report published by the Public Utilities Commission didn't report any blocking (The Public Utilities Commission, 2021).