--- begin forwarded text Date: Thu, 24 Dec 1998 03:59:49 -0500 To: cryptography@C2.net From: Vin McLellan Subject: SCC's SmartFilter Bans Crypto/Privacy Website(s) as Naughty, not Nice? Sender: owner-coderpunks@toad.com This is an amazing story! Security Computing Corporation http://www.scc.com sells a content filter ("SmartFilter") which is used to restrict web access from within corporations and other organizations. Lauren Weinstein, the moderator of the widely respected Privacy Forum, a mailing list and website on the Internet at http://www.vortex.com, recently reported that for over a year (see the attached post) corporate employees at sites which use SCC's SmartFilter have typically been restricted from accessing the Privacy Forum website or archives because the Privacy Forum's occasional discussion of cryptography. These discussions -- no code, all high-level discussions of civil and ethical values, policy, and crypto politics -- were apparently enough to define the Privacy Forum website as a repository of "criminal skill." Some SCC corporate customers, according to Weinstein, had explicitly asked for crypto resource sites on the web to be defined as off-limits. It is still unclear how those requests (one from the corporate site which brought the matter to Weinstein's attention) resulted in SCC staff labelling the Privacy Forum website -- along with, one must presume, many _many_ others -- as a repository of criminal skills. (Other sites which fall into this SmartFilter category include, for example, websites which make available information about what ingredients can be used to make a bomb. Shades of Wassenaar and ITAR.) What is amazing, of course, is that Secure Computing is one of the more sophisticated vendors in computer security. There are a lot of smart people at SCC who will doubtless cringe when they hear this story. It may, in fact, seem hilarious to some of them that SCC's website evaluation staff (and the web filters they use to express and embody their judgements) could categorize a privacy site as "criminal" just because it archives discussions of cryptography and crypto politics. Some of the best of those discussions, for instance, may have involved SCC employees like cryptographer Rick Smith;-) What is _really_ sad is that -- when Weinstein complained that a website categorized as offering "criminal skills" by SCC's SmartFilter staff may, with no recourse, suffer irrepreparable harm -- the best and most daring response SCC could come up with was to promise to set up a website at which organizations and commercial entities could query the SCC database to see how SCC's website evaluators labelled them. (This, of course, presumes these organizations hear about SCC's Smartfilter product.... It also presumes that representatives of those agencies, firms, or organizations feel compelled to inquire to see if SCC's professional moralists labelled them in some similarly eccentric category.) Not exactly clear on the concept, those clever SmartFilter folk. Frankly, not in a million years would anyone outside of the bowels of the Hoover Building consider crypto savvy (or an obsession with privacy) as inherently "criminal." Not yet anyway. I do hope that SCC has sold a few thousand copies of SmartFilter which routinely block corporate employee access to some feisty, litigious, and well-networked civil libertarian groups like the ACLU, EPIC, CDT, or PI as repositories of Criminal Skills. Oh, yes indeed! In fact, if the Privacy Forum was labelled as "criminal" because of an ocassional discussion of crypto, does it make sense that the websites of SDTI/RSA, Entrust, IBM, MS, Netscape, et al, eluded the ban and some similar label? Inquiring Minds wanna to know. The SmartFilter has been awarded "certification" by the International Computer Security Association's testing labs: http://www.icsa.net. The SmartFilter data sheet is at: http://www.securecomputing.com/P_Tool_SF_Docs.html and there is a white paper at: http://www.securecomputing.com/sfwhitep.pdf SCC provides SmartFilter access controls adapted for both Unix and Windows NT, as well as for the Microsoft Proxy Server, the Netscape Proxy Server, several firewalls, the CSM Proxy Server, the NetCache Proxy Server, and the Squid Proxy Server. Feliz Navidad, _Vin ------- original message -----------------

From: privacy@vortex.com [SMTP:privacy@vortex.com] Sent: Sunday, December 20, 1998 4:58 PM To: PRIVACY-Forum-List@vortex.com Subject: PRIVACY Forum Digest V07 #21

PRIVACY Forum Digest Sunday, 20 December 1998 Volume 07 : Issue 21

[...]

Date: Wed, 16 Dec 98 12:25 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Privacy Discussions Classified as a "Criminal Skill"

Greetings. Is discussing privacy in the PRIVACY Forum a criminal skill? According to one widely used commercial web filtering tool, the answer was yes! The controversy over software to block access to particular sites, based on perceived content, has been continuing to rage. Attempts to mandate the use of such software in environments such as libraries and schools have raised a variety of serious concerns. In addition to fairly straightforward freedom of speech issues, another factor revolves around how accurate (or inaccurate) these filtering systems really are.

I've now seen firsthand that errors by a filtering system can indeed be quite serious, an event that seems to certainly validate some of these concerns. But there is something of a silver lining to the story, as we'll see later.

I recently was contacted by someone at a large corporation, who was trying to reach the PRIVACY Forum web site, which is constantly being referenced by individuals and commercial, educational, government, and other sites around the world. This person was upset since whenever they attempted to reach the http://www.vortex.com site and domain that hosts the PRIVACY Forum, their web software blocked them, informing them that the block was in place due to the site being categorized as containing "criminal skills."

As the webmaster for the vortex.com domain, this certainly came as news to me. The message they received didn't give additional information--they didn't even know exactly where it came from. It was apparent though, that the entire organization was probably blocked from reaching the PRIVACY Forum, since the filtering software in question was affecting a main firewall system.

After a number of phone calls and discussions with the system administrator for that organization, the details began to emerge. The company was running a filtering software package from Secure Computing Corporation of San Jose, California. This package received weekly updates of blocked sites in a wide variety of categories, one of which was "criminal skills."

The administrator had no idea what rationale was used for these decisions, they just pulled in the list each week and applied it. He immediately placed vortex.com on a local exception list so that it would no longer be blocked to their users.

I then turned my attention to Secure Computing. After a number of calls, I found myself speaking with Ken Montgomery, director of corporate communications for that firm. He confirmed the information I had already received. The filtering product in question ("SmartFilter") was apparently not being marketed to individuals, rather, it was sold to institutions, corporations, etc. to enforce filtering policies across entire entities. The product covers a wide range of information categories that users of the software can choose to block. He said that the majority of blocked sites were in categories involving pornography, where there was (in his opinion) no question of their not belonging there.

The "criminal skills" category reportedly was broadly defined to cover information that might be "of use" to criminals (e.g. how to build bombs). He had no explanation as to why my domain had been placed in that list, since by no stretch could any materials that are or have ever been there fall into such a categorization. He did discover that the classification of my domain had occurred over a year ago (meaning other sites could have been receiving similar blocking messages for that period of time when trying to access the PRIVACY Forum) and that the parties who had made the original classification were no longer with their firm--so there was no way to ask them for their rationale. (All of their classifications are apparently made by people, not by an automated system.)

However, it seems likely that the mere mentioning of encryption may have been enough to trigger the classification. The administrator at the organization that had originally contacted me about the blocked access, told me that the main reason they included the "criminal skills" category in their site blocking list was to try prevent their users from downloading "unapproved" encryption software. This was a type of information that he believed to be included under the Secure Computing "criminal skills" category (the "logic" being, obviously, that since criminals can use encryption to further their efforts, encryption is a criminal skill). He also admitted that he knew that their users could still easily obtain whatever encryption software they wanted anyway, but he had to enforce the company policy to include that category in their blocking list.

As PRIVACY Forum readers may know, no encryption software is or ever has been distributed from here. The topic of encryption issues does certainly come up from time to time, as would be expected. For the mere *mention* of encryption in a discussion forum to trigger such a negative categorization would seem to suggest the fallacy of blindly trusting such classification efforts.

Mr. Montgomery of Secure Computing initially suggested that it was up to their customers to decide which categories they wanted to use in their own blocking lists -- he also stated that as a company they were opposed to mandatory filtering regulations. I suggested that such determinations by their customers were meaningless if the quality of the entries in those categories could not be trusted and if errors of this severity could so easily be made. I felt that this was particularly true of a category with an obviously derogatory nature such as "criminal skills"--the ramifications of being incorrectly placed into such a category, and then to not even *know* about it for an extended period of time, could be extreme and very serious.

To their credit, my argument apparently triggered a serious discussion within Secure Computing about these issues. I had numerous subsequent e-mail and some additional phone contacts with Mr. Montgomery and others in their firm concerning these matters. First off, they apologized for the miscategorization of vortex.com, and removed it from the "criminal skills" category (it was apparently never listed in any other of their categories).

Secondly, they have agreed with my concerns about the dangers of such miscategorizations occurring without any mechanism being present for sites to learn of such problems or having a way to deal with them. So, they will shortly be announcing a web-based method for sites to interrogate the Secure Computing database to determine which categories (if any) they've been listed under, and will provide a means for sites to complain if they feel that they have been misclassified. They've also suggested that their hope is to provide a rapid turnaround on consideration of such complaints.

While by no means perfect, this is a step forward. I would prefer a more active notification system, where sites would be notified directly when categorizations are made. This would avoid their having to check to see whether or not they've been listed, and needing to keep checking back to watch for any changes or new categorizations. If more filtering software companies adopt the Secure Computing approach, there would be a lot of checking for sites to do if they wanted to stay on top of these matters. Secure Computing feels that such notifications are not practical at this time. However, their move to provide some accountability to their filtering classifications is certainly preferable to the filtering systems which continue to provide no such facilities and operate in a completely closed environment.

So, we make a little progress. The PRIVACY Forum and vortex.com are no longer miscategorized and have been removed from all Secure Computing block lists. Secure Computing was polite and responsive in their communications with me, and will establish the system discussed above in reaction to my concerns. Web filtering of course remains a highly controversial topic with many serious negative aspects, but we see that when it comes to dealing with the complex issues involved, it would be a mistake to assume that all such filters all created equal.

--Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com

[...] ----- "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A Thinking Man's Creed for Crypto _vbm. * Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 --- end forwarded text ----------------- Robert A. Hettinga Philodox Financial Technology Evangelism http://www.philodox.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'