I don't doubt you, but could things have changed recently?

No, it's a question of technology. To implement this kind of filtering it has to be supported on a wide range of routing and switching gear. Traffic doesn't all take a single route through an ISP, hence it doesn't go through a single point you can filter at - you have to distribute the filtering across multiple routers and switches.

Cisco and Juniper between them account for 90% of the router market. Neither have any method for installing encrypted filters so the filtering information *has* to be in plaintext*.

Or is it possible that only one person at each ISP knows the URLs of the blacklist - or is the decoding software automatic? Either way, it doesn't encourage oversight.

No, unless the network has only one engineer. Generally good ISPs engineer networks so that there is no single point of failure - which should include staff as well as kit. You could engineer it so that only a few people knew the full URL list, but any technician with router access would be able to at least see the list of IP addresses filtered.

Knowing a lot of network engineers in the UK I'm quite confident that obvious misuse of the filter list for a non-stated purpose would get leaked very quickly.

That said, I'd still like to see some independent formal verification of the IWF filter list by a reliable third party. However, the law as it stands on child pornography makes it an offence to access a listed URL to check that it was child pornography (assuming it was) and not mere censorship

*It's not quite so simplistic but this isn't a treatise on how to implement transparent partial web proxying on an ISP network.