[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FW: PRIVACY Forum Digest V07 #21(excerpt)

Snip from the latest Privacy Forum Digest on commercial filtering software
for enterprises, encryption and "criminal skills".


A Navigo Farmer

> -----Original Message-----
> From:	[email protected] [SMTP:[email protected]]
> Sent:	Sunday, December 20, 1998 4:58 PM
> To:	[email protected]
> Subject:	PRIVACY Forum Digest V07 #21
> PRIVACY Forum Digest      Sunday, 20 December 1998      Volume 07 : Issue
> 21
> Date:    Wed, 16 Dec 98 12:25 PST
> From:    [email protected] (Lauren Weinstein; PRIVACY Forum Moderator)
> Subject: Privacy Discussions Classified as a "Criminal Skill"
> Greetings.  Is discussing privacy in the PRIVACY Forum a criminal skill?
> According to one widely used commercial web filtering tool, the answer was
> yes!  The controversy over software to block access to particular sites,
> based on perceived content, has been continuing to rage.  Attempts to
> mandate the use of such software in environments such as libraries and
> schools have raised a variety of serious concerns.  In addition to fairly
> straightforward freedom of speech issues, another factor revolves around
> how accurate (or inaccurate) these filtering systems really are.  
> I've now seen firsthand that errors by a filtering system can indeed be
> quite
> serious, an event that seems to certainly validate some of these concerns.
> But there is something of a silver lining to the story, as we'll see
> later.
> I recently was contacted by someone at a large corporation, who was trying
> to reach the PRIVACY Forum web site, which is constantly being referenced
> by
> individuals and commercial, educational, government, and other sites
> around
> the world.  This person was upset since whenever they attempted to reach
> the http://www.vortex.com site and domain that hosts the PRIVACY Forum,
> their web software blocked them, informing them that the block was in
> place
> due to the site being categorized as containing "criminal skills."  
> As the webmaster for the vortex.com domain, this certainly came as news to
> me.  The message they received didn't give additional information--they
> didn't even know exactly where it came from.  It was apparent though, that
> the entire organization was probably blocked from reaching the PRIVACY
> Forum, since the filtering software in question was affecting a main
> firewall system.
> After a number of phone calls and discussions with the system
> administrator
> for that organization, the details began to emerge.  The company was
> running
> a filtering software package from Secure Computing Corporation of San
> Jose,
> California.  This package received weekly updates of blocked sites in a
> wide
> variety of categories, one of which was "criminal skills."  
> The administrator had no idea what rationale was used for these decisions,
> they just pulled in the list each week and applied it.  He immediately
> placed
> vortex.com on a local exception list so that it would no longer be blocked
> to
> their users.
> I then turned my attention to Secure Computing.  After a number of calls,
> I
> found myself speaking with Ken Montgomery, director of corporate
> communications for that firm.  He confirmed the information I had already
> received.  The filtering product in question ("SmartFilter") was
> apparently
> not being marketed to individuals, rather, it was sold to institutions,
> corporations, etc. to enforce filtering policies across entire entities.
> The product covers a wide range of information categories that users of
> the
> software can choose to block.  He said that the majority of blocked sites
> were in categories involving pornography, where there was (in his opinion)
> no question of their not belonging there.  
> The "criminal skills" category reportedly was broadly defined to cover
> information that might be "of use" to criminals (e.g. how to build bombs).
> He had no explanation as to why my domain had been placed in that list,
> since by no stretch could any materials that are or have ever been
> there fall into such a categorization.  He did discover that the
> classification of my domain had occurred over a year ago (meaning
> other sites could have been receiving similar blocking messages for
> that period of time when trying to access the PRIVACY Forum) and
> that the parties who had made the original classification were no longer
> with their firm--so there was no way to ask them for their rationale.
> (All of their classifications are apparently made by people, not
> by an automated system.)
> However, it seems likely that the mere mentioning of encryption may have
> been enough to trigger the classification.  The administrator at the
> organization that had originally contacted me about the blocked access,
> told
> me that the main reason they included the "criminal skills" category in
> their site blocking list was to try prevent their users from downloading
> "unapproved" encryption software.  This was a type of information that he
> believed to be included under the Secure Computing "criminal skills"
> category (the "logic" being, obviously, that since criminals can use
> encryption to further their efforts, encryption is a criminal skill).  He
> also admitted that he knew that their users could still easily obtain
> whatever encryption software they wanted anyway, but he had to enforce the
> company policy to include that category in their blocking list.
> As PRIVACY Forum readers may know, no encryption software is or ever has
> been distributed from here.  The topic of encryption issues does certainly
> come up from time to time, as would be expected.  For the mere *mention*
> of
> encryption in a discussion forum to trigger such a negative categorization
> would seem to suggest the fallacy of blindly trusting such classification
> efforts.
> Mr. Montgomery of Secure Computing initially suggested that it was up to
> their customers to decide which categories they wanted to use in their own
> blocking lists--he also stated that as a company they were opposed to
> mandatory filtering regulations.  I suggested that such determinations by
> their customers were meaningless if the quality of the entries in those
> categories could not be trusted and if errors of this severity could so
> easily be made.  I felt that this was particularly true of a category with
> an obviously derogatory nature such as "criminal skills"--the
> ramifications
> of being incorrectly placed into such a category, and then to not even
> *know* about it for an extended period of time, could be extreme and very
> serious.
> To their credit, my argument apparently triggered a serious discussion
> within Secure Computing about these issues.  I had numerous subsequent
> e-mail and some additional phone contacts with Mr. Montgomery and others
> in their firm concerning these matters.  First off, they apologized
> for the miscategorization of vortex.com, and removed it from the
> "criminal skills" category (it was apparently never listed in any
> other of their categories).  
> Secondly, they have agreed with my concerns about the dangers of such
> miscategorizations occurring without any mechanism being present for sites
> to learn of such problems or having a way to deal with them.  So, they
> will
> shortly be announcing a web-based method for sites to interrogate the
> Secure
> Computing database to determine which categories (if any) they've been
> listed under, and will provide a means for sites to complain if they feel
> that they have been misclassified.  They've also suggested that their hope
> is to provide a rapid turnaround on consideration of such complaints.
> While by no means perfect, this is a step forward.  I would prefer a more
> active notification system, where sites would be notified directly when
> categorizations are made.  This would avoid their having to 
> check to see whether or not they've been listed, and needing to keep
> checking back to watch for any changes or new categorizations.  If more
> filtering software companies adopt the Secure Computing approach, there
> would be a lot of checking for sites to do if they wanted to stay on
> top of these matters.  Secure Computing feels that such notifications are
> not practical at this time.  However, their move to provide some
> accountability to their filtering classifications is certainly preferable
> to
> the filtering systems which continue to provide no such facilities and
> operate in a completely closed environment.
> So, we make a little progress.  The PRIVACY Forum and vortex.com are no
> longer miscategorized and have been removed from all Secure Computing
> block
> lists.  Secure Computing was polite and responsive in their
> communications with me, and will establish the system discussed above in
> reaction to my concerns.  Web filtering of course remains a highly
> controversial topic with many serious negative aspects, but we see that
> when
> it comes to dealing with the complex issues involved, it would be a
> mistake
> to assume that all such filters all created equal.
> --Lauren--
> Lauren Weinstein
> Moderator, PRIVACY Forum
> http://www.vortex.com