May 27, 2004

Beyond blocking -- U.S. and open source censorship slims the Net

Author: Jay Lyman

Let's say you're a Chinese or Iranian citizen with the good luck to
have access to an Internet connection. If you were interested in finding
out about democracy, grass-roots political organization or privacy by
using that connection, you'd have a tougher time than necessary because of an
Internet filtering service sponsored by U.S. tax dollars.

The U.S. government's International
Broadcasting Bureau
service, using a product from San Diego-based Web filtering
company Anonymizer,
was found to be overblocking search keywords so broadly that it made
inaccessible such worthwhile site as and ("ass"),
("bush"), ("hot"), ("pic"), and ("trans").

A study
by the OpenNet Initiative published earlier this month highlighted the
growing level and sophistication of Internet censorship -- much of which
is assisted by top tech companies and products, including open source
-- as well as flaws in efforts to circumvent it. OpenNet Initiative is
a grant-funded partnership of the Munk Centre for International Studies' Citizen Lab at University of Toronto, the
Berkman Center for Internet and Society at Harvard Law School, and the
Advanced Network Research Group at the Centre for Security in
International Society at Cambridge University. The group, which partners with the Global Internet Policy Initiative and The Hacktivist, has a mission "to investigate
and challenge state filtration and surveillance practices."

Its study also found that foreign Internet users who attempt to get
around their governments' censorship by using the IBB Anonymizer can
expose themselves to their governments' surveillance. So not only is
their anti-censorship Web experience being censored, it may be pointing
them out for possible prosecution or penalty, which in Iran is not likely to be trash detail on a Saturday.

"The service claimed in Persian that Iranians could surf, search, and
read the Internet anonymously, without the fear of being traced by the
government, hackers, or other intruders," said Ronald Deibert,
co-author of the OpenNet Initiative advisory and director of The Citizen Lab at
the University of Toronto. "However, our research showed those claims
to be false. The IBB Anonymizer should either warn Iranians of the risks
outlined in our report or alter the service to make it more secure and

A case of too open

Deibert said most of the filtering technologies used by
Internet-censoring nations rely on keyword filtering systems, whereby the use of
certain names or words in the domain of the URL trigger denial of the
request -- a notoriously untrustworthy system prone to massive

"If you are going to put the effort into doing something, don't do
it halfway," Deibert said. "Do it properly or not at all. We found the
blocking on the IBB Anonymizer service was far from trivial, and
included human rights organizations, commercial services, and even the Web
site of the President of the United States. Given the point being made
about 'freedom of speech' that presumably drives the IBB Anonymizer
initiative, would it not seem more appropriate, indeed more American, to
allow unrestricted access to the entire Web?"

The recent study and advisory by the OpenNet Initiative
indicated that the vast majority of IBB Anonymizer traffic is exposed
to monitoring by Iranian authorities and corresponding local ISPs.

"Iranian users may not be aware that their use of the service may
identify them to Iranian government authorities as citizens wishing to
view forbidden content, or as supportive of the ideas found within that
content," said the report.

Anonymizer: "Much ado about nothing"

Anonymizer President Lance Cottrell called the criticisms "pure
hype" and the report "really much ado about nothing."

"We are working with the IBB to track actual government activity
from the ground in Iran," Cottrell said. "Our solutions are adaptive to
the actual threats. In China, we provide SSL for all connections because
that is what is required. It is not required at this time in Iran
because the Iranian government is not doing that kind of tracking."

Cottrell added that the government and Anonymizer, while capable of
providing better security for IBB users, are in no hurry to escalate
the censorship arms race with foreign governments.

"We are able to respond to content screening with SSL, as well as
many other more sophisticated threats, but we will not deploy them in
advance of a requirement for them," Cottrell said. "If we did so, it would
greatly increase the speed with which Iran would counter us, and make
it much more difficult and expensive to provide the service. It is key
to provide as little information to the Iranian government as possible
to slow the development of their censorship technologies."

As for criticisms on the overblocking of the IBB Anonymizer service,
Cottrell said that there had been no complaints from Iranian users, so
the policy had not been reviewed since the creation of the keyword list
in 2002.

"It is being reviewed by the IBB now," Cottrell said. "The list was
generated based on the most visited adult content sites accessed
through proxies. It has not been edited since it was created because of the
complete lack of negative feedback."

IBB engineer Ken Berman, the manager of the bureau's Internet
anticensorship program, said "soft" has been removed from the banned URL
words, since some folks use the Internet to use, find, buy, sell, and make
software. "Bush" is now gone too. Berman said no politics were
involved, but one can't help but wonder about the reaction from a sitting
president who finds his Internet site is being blocked by the U.S.
government because it's mistakenly considered obscene.

The collateral blocking of political material was not limited to the
country's chief executive. California governor Arnold Schwarzenegger's
site was filtered out too. The
offending keyword: "old."

IBB's Berman said that with an estimated 35 to 40 percent of
Internet proxies used for porn browsing, dirty pictures are a bandwidth hog,
and blocking them is worth the price of collateral overblocking.

"In a program which is supported with taxpayer money, there are
better ways to use that funding and bandwidth," Berman said.

Censorship gains steam and sales

Deibert said although most peoples' Internet
experience begins and ends with what they see on their computer screens, the
Internet architecture of trunk lines, routers, exchange points, and
autonomous systems are increasingly subject to state-imposed filters and

"I think most Internet users around the world would be surprised to
learn what they find were they to 'open the lid' on the Internet and
uncover what is going on beneath the surface," Deibert said.

The researcher also indicated that both transparent filtering and
hidden, subsurface filtering -- the vast majority of it -- are on the

"Five years ago, very few countries practiced Internet content
filtering," he said. "Among those that did, with the exception of perhaps
China, the filtering systems were relatively unsophisticated and simple
to circumvent."

Today, Deibert said, dozens of countries filter the Web at levels
ranging from Internet cafes to ISPs to international gateways and
exchange points. He said that the technologies being used to do the filtering
are becoming more fine-grained in terms of what they block, and more
customizable for the censoring countries that deploy them, whose
governments are the targets of marketing by system producers.

"Major Internet tech companies and router manufacturers used to be
associated with 'wiring the world' and unleashing the Net," Deibert
said. "Today, they are just as likely to be known for shutting it down.
Unfortunately, Internet censorship sells."

Next page: Open source on the list

While the Anonymizer service was criticized, that company is not on
a list
of technology providers that produce software to filter and conduct
surveillance on the Internet. Those providers are taking advantage of the
demand for censorship and monitoring, which is growing across the
globe, according to Deibert.

The list now consists mainly of Internet filtering product makers:
8e6 Technologies, CyberPatrol, eSafe, eTrust SCM, McAfee WebShield,
Sentian, SmartFilter, Smooth Guardian, SurfControl, and
Websense. Also present on the OpenNet Initiative filtering technology
database list are open source products SquidGuard and DansGuardian.

DansGuardian main developer Daniel Barron said he does not get
negative feedback or complaints that the product is censorware.

"Do I get a lot of grief from kids in schools or computer illiterate
people demanding I uninstall my Unix filter from their Windows PCs?
Yes," Barron said. "And I blame the administrators for not communicating
with their users. And, well, kids will be kids. They're probably annoyed
they can't waste time in [class] looking at time-wasting sites."

Barron defended DansGuardian as a tool to maintain free speech by
moving the ability to censor to individuals, such as parents and school
officials, rather than imposing a specific ideal on the whole world.

"Were there no free filters then laws would be made making adult
material illegal, which would deny adults who may choose to look at such
material their basic human rights of choice," Barron said. "If I choose
to look at a Web site detailing birth control, for example, then I
should be allowed to do so in the privacy of my own home, but a child in a
school or someone at work does not have the right to view material that
is inappropriate for the rules of the location and service

Barron downplayed the IBB Anonymizer issue, calling it a case of
poor judgment and an administrator's misconfigured filtering proxy.

"It is a very poor show that those responsible for organizing it did
not realize sooner and I would hope they sorted out the problems pretty
damn sharpish," Barron said. "I am also very disappointed that they are
using simply a URL filter. Years ago when I first started writing
DansGuardian, I realized that just doing URL filtering is completely
rubbish. You can't guess URLs and you can't possibly have a database to cover
even a small portion of the Web."

Barron argued open source filtering is an improvement because it
puts the administrator in charge of the filtering.

"There are no closed lists with ulterior motives, no buttons that
control a black box," Barron said. "Open source filtering with filtering
lists that are easily readable is the only way to be completely sure of
fair filtering."

Duane Wessels, developer of the Squid high-performance proxy caching
server that is used with the SquidGuard filter, said he would not call
Squid a form of filtering or censoring and instead portrayed it as an
anti-censorship tool.

"Squid is much more than that," he said. "Yes, it can be used to
block access to content, but Squid can also be used to bypass local
filters. For example, if your ISP blocks certain sites, you may be able to
use my proxy running elsewhere to still reach them."

Wessels said he and co-contributors rarely receive any grief from
anyone saying Squid is being used to filter Web traffic.

"I've probably received just one or two such messages within the
last eight years of working on Squid," Wessels said, adding that there is
no demand for a censorship application for the proxy. "I don't see a
lot of support from companies that offer filtering products, either
because they are afraid of the openness, or because they don't see Squid
users as a big market opportunity."

Censoring the censorship

OpenNet study co-author Diebert said while open source filtering software could
be a step in the right direction, it is still used by countries to
modify filtering lists to block political and other content that they
decide should be restricted.

"More important than the technology used to do the filtering is the
process by which filtering takes place, and whether it is transparent
or not," Deibert said.

Squid's Wessels, who said it was unfortunate the IBB has taken "such
a simplistic approach to blocking content using URL keywords," added
that open source gives people more options for implementing filters and
frees them to improve existing implementations and add new features.

IBB engineer Berman said that open source software had not been
considered for the IBB anti-censorship service, but added that following
the OpenNet Initiative report, there are now plans to do so.

"We're constantly seeking technical community focus on how filtering
can be improved," Berman said. "Let's get together and focus on
circumvention tools so we can make our circumvention tools even more

Click Here!