SCC's SmartFilter Bans Crypto/Privacy Website(s) as Naughty, not Nice?
--- begin forwarded text
Date: Thu, 24 Dec 1998 03:59:49 -0500
To: cryptography@C2.net
From: Vin McLellan
From: privacy@vortex.com [SMTP:privacy@vortex.com] Sent: Sunday, December 20, 1998 4:58 PM To: PRIVACY-Forum-List@vortex.com Subject: PRIVACY Forum Digest V07 #21
PRIVACY Forum Digest Sunday, 20 December 1998 Volume 07 : Issue 21
[...]
Date: Wed, 16 Dec 98 12:25 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Privacy Discussions Classified as a "Criminal Skill"
Greetings. Is discussing privacy in the PRIVACY Forum a criminal skill? According to one widely used commercial web filtering tool, the answer was yes! The controversy over software to block access to particular sites, based on perceived content, has been continuing to rage. Attempts to mandate the use of such software in environments such as libraries and schools have raised a variety of serious concerns. In addition to fairly straightforward freedom of speech issues, another factor revolves around how accurate (or inaccurate) these filtering systems really are.
I've now seen firsthand that errors by a filtering system can indeed be quite serious, an event that seems to certainly validate some of these concerns. But there is something of a silver lining to the story, as we'll see later.
I recently was contacted by someone at a large corporation, who was trying to reach the PRIVACY Forum web site, which is constantly being referenced by individuals and commercial, educational, government, and other sites around the world. This person was upset since whenever they attempted to reach the http://www.vortex.com site and domain that hosts the PRIVACY Forum, their web software blocked them, informing them that the block was in place due to the site being categorized as containing "criminal skills."
As the webmaster for the vortex.com domain, this certainly came as news to me. The message they received didn't give additional information--they didn't even know exactly where it came from. It was apparent though, that the entire organization was probably blocked from reaching the PRIVACY Forum, since the filtering software in question was affecting a main firewall system.
After a number of phone calls and discussions with the system administrator for that organization, the details began to emerge. The company was running a filtering software package from Secure Computing Corporation of San Jose, California. This package received weekly updates of blocked sites in a wide variety of categories, one of which was "criminal skills."
The administrator had no idea what rationale was used for these decisions, they just pulled in the list each week and applied it. He immediately placed vortex.com on a local exception list so that it would no longer be blocked to their users.
I then turned my attention to Secure Computing. After a number of calls, I found myself speaking with Ken Montgomery, director of corporate communications for that firm. He confirmed the information I had already received. The filtering product in question ("SmartFilter") was apparently not being marketed to individuals, rather, it was sold to institutions, corporations, etc. to enforce filtering policies across entire entities. The product covers a wide range of information categories that users of the software can choose to block. He said that the majority of blocked sites were in categories involving pornography, where there was (in his opinion) no question of their not belonging there.
The "criminal skills" category reportedly was broadly defined to cover information that might be "of use" to criminals (e.g. how to build bombs). He had no explanation as to why my domain had been placed in that list, since by no stretch could any materials that are or have ever been there fall into such a categorization. He did discover that the classification of my domain had occurred over a year ago (meaning other sites could have been receiving similar blocking messages for that period of time when trying to access the PRIVACY Forum) and that the parties who had made the original classification were no longer with their firm--so there was no way to ask them for their rationale. (All of their classifications are apparently made by people, not by an automated system.)
However, it seems likely that the mere mentioning of encryption may have been enough to trigger the classification. The administrator at the organization that had originally contacted me about the blocked access, told me that the main reason they included the "criminal skills" category in their site blocking list was to try prevent their users from downloading "unapproved" encryption software. This was a type of information that he believed to be included under the Secure Computing "criminal skills" category (the "logic" being, obviously, that since criminals can use encryption to further their efforts, encryption is a criminal skill). He also admitted that he knew that their users could still easily obtain whatever encryption software they wanted anyway, but he had to enforce the company policy to include that category in their blocking list.
As PRIVACY Forum readers may know, no encryption software is or ever has been distributed from here. The topic of encryption issues does certainly come up from time to time, as would be expected. For the mere *mention* of encryption in a discussion forum to trigger such a negative categorization would seem to suggest the fallacy of blindly trusting such classification efforts.
Mr. Montgomery of Secure Computing initially suggested that it was up to their customers to decide which categories they wanted to use in their own blocking lists -- he also stated that as a company they were opposed to mandatory filtering regulations. I suggested that such determinations by their customers were meaningless if the quality of the entries in those categories could not be trusted and if errors of this severity could so easily be made. I felt that this was particularly true of a category with an obviously derogatory nature such as "criminal skills"--the ramifications of being incorrectly placed into such a category, and then to not even *know* about it for an extended period of time, could be extreme and very serious.
To their credit, my argument apparently triggered a serious discussion within Secure Computing about these issues. I had numerous subsequent e-mail and some additional phone contacts with Mr. Montgomery and others in their firm concerning these matters. First off, they apologized for the miscategorization of vortex.com, and removed it from the "criminal skills" category (it was apparently never listed in any other of their categories).
Secondly, they have agreed with my concerns about the dangers of such miscategorizations occurring without any mechanism being present for sites to learn of such problems or having a way to deal with them. So, they will shortly be announcing a web-based method for sites to interrogate the Secure Computing database to determine which categories (if any) they've been listed under, and will provide a means for sites to complain if they feel that they have been misclassified. They've also suggested that their hope is to provide a rapid turnaround on consideration of such complaints.
While by no means perfect, this is a step forward. I would prefer a more active notification system, where sites would be notified directly when categorizations are made. This would avoid their having to check to see whether or not they've been listed, and needing to keep checking back to watch for any changes or new categorizations. If more filtering software companies adopt the Secure Computing approach, there would be a lot of checking for sites to do if they wanted to stay on top of these matters. Secure Computing feels that such notifications are not practical at this time. However, their move to provide some accountability to their filtering classifications is certainly preferable to the filtering systems which continue to provide no such facilities and operate in a completely closed environment.
So, we make a little progress. The PRIVACY Forum and vortex.com are no longer miscategorized and have been removed from all Secure Computing block lists. Secure Computing was polite and responsive in their communications with me, and will establish the system discussed above in reaction to my concerns. Web filtering of course remains a highly controversial topic with many serious negative aspects, but we see that when it comes to dealing with the complex issues involved, it would be a mistake to assume that all such filters all created equal.
--Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com
[...]
-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.
* Vin McLellan + The Privacy Guild +
participants (1)
-
Robert Hettinga