Filtering Facts

Back in January, I wrote about proposals in Japan to require filtering for minors using mobile phones.  Now there is a new proposal in Japan to require ISPs to block child porn sites: 

The ruling parties will introduce legislation for Internet service providers to block access to child pornography sites with major providers in favor of the move, sources said.  A project team of Liberal Democratic Party and New Komeito members will draw up a bill to revise the law prohibiting child pornography after the Golden Week holiday period. It will aim to have the bill passed by the Diet in the current session, the sources said.  If such a revision passes the Diet, it will be the first measure involving the legal blocking of specific Web sites, albeit in the form of a nonbinding guideline. 

This is an ongoing trend that isn’t going away, as it’s hard to defend not filtering child pornography.  This is an ongoing problem with the global Internet when you have certain countries (particularly in Eastern Europe) who are lazy about shutting down sites involved in criminal activity, including child porn.  The interesting question is - where does this lead? 

Google has been doing web filtering for awhile, doing mandatory filtering abroad,  filtering search engine results for inappropriate content and labeling sites containing “badware.”  But U.S. users have always been able to “opt out” of this type of filtering/labeling by either turning off the filtered search or going ahead and clicking on links labeled “badware.”  With today’s announcement  that Google will now sell web filtering to companies in the cloud (via Scan Safe), Google is now in the “mandatory” web filtering business in the U.S.  This from CNET:

Google announced Thursday its Web Security for Enterprise, which is designed to protect corporate Web surfers from viruses, spyware, and malicious Web sites. It also extends the protection to remote workers if needed. In addition to real-time malware protection and URL-filtering, the product also offers reporting and policy enforcement features. It’s basically a re-branded and more affordable version of a product from Postini, a company that Google acquired last year, a Google representative said.  With Web Security, companies have the option of adding protection for off-network employees who may be working in places such as hotels or airports, without requiring them to sign on to their secure corporate network. The product uses technology from ScanSafe and is accessible from the same administration console used for security and compliance services for Google Apps.

ScanSafe’s filtering database, which the company says contains 20 million URLs in 50 categories, is described here.  [Disclaimer -- I work on Microsoft's security products in my day job.]

Norman Oder has covered filtering in libraries for Library Journal since the controversy first began in the mid 1990s.  He likely has written more about the topic than any other journalists, so his thoughts on the subject are interesting. While I don’t agree with Norman’s assessment of the quality of filters, he really nails it pointing out some of the absurdities of how CIPA is actually being implemented by some libraries.  From New York Press:

Start to surf the net at the Brooklyn Public Library, and the screen says: “Please choose filtered or unfiltered access by clicking the appropriate button.” To comply with the Children’s Internet Protection Act (CIPA), the library has installed filtering software “designed,”-um, designed however poorly-to block visual depictions of obscenity and child pornography. But adults can turn the filter off. Since July 1, Brooklyn and the other two city library systems (New York and Queens) have been practicing this crazy-quilt Comstockery. Don’t blame them. If they want federal funds for discount internet access, they gotta censor-or at least pretend to. Blame Congress and the Supreme Court decision that upheld CIPA, albeit with a huge loophole.

The issue of if libraries actually have the ability to administer CIPA in this way has never actually been challenged.  The FCC order implementing CIPA is somewhat vague on the matter, and until someone brings a serious challenge before the FCC and they issue a ruling, it’s unclear.  Not surprisingly, conservative and liberal legal scholars take differing views on this issue.

Matt Villano address the complex topic of filtering in public schools in THE Journal, and I’m quoted:

David Burt, who runs the blog Filtering Facts, which is dedicated to providing the newest information and research about internet filtering, tells the familiar story about students who were searching for information about breast cancer, but were impeded because their search contained the word breast. “When they are turned up to the highest settings, many of these filters actually block good information, too,” says Burt, who works as a product manager at Microsoft. “For teachers who rely on the internet to help with specific lessons, this can become very frustrating, to say the least.”

This isn’t a new trend.  Back when the they did the Kaiser study on filtering and health information, they found that setting filters on too high a level removes a lot of useful information. The problem is that district technology coordinators would “rather be safe than sorry,” so they turn the filters up high. 

Matt also gives a very insightful view of what has happened to the education filtering since CIPA.  In a nutshell, it’s been commoditized.  I don’t know what market share my once-dominant former employer Secure Computing has now, but I’m guessing it’s quite a bit south of 40%: 

BACK IN THE DAYS before the federal Children’s Internet Protection Act came into being in 2000, choosing a K-12 web filter didn’t demand the kind of careful consideration that is needed today. Between a vendor named Secure Computing, which owned nearly 40 percent of the market share, and Websense, most schools could find a filtering product that suited them. Today, however, as demand for K-12 internet filtering has increased and the price for the technology has dropped, the market has been flooded with smaller, more agile vendors that have developed solutions specifically for the primary education market. Some of the most popular vendors include Check Point Software Technologies, 8e6 Technologies, and DeepNines Technologies, which all sell web filtering solutions. Most products cost less than $15,000.  For districts thoroughly pressed for cash, another reliable solution is the open source content filter DansGuardian. While commercial filters grade content against a banned list of sites, DansGuardian engages techniques such as phrase matching, PICS filtering, and URL filtering. The newest entrant to the filtering space is SafeSquid, headquartered in India. The company offers a software-based filter that addresses content review with the same strategy as a standard proxy server. School districts sign up, and all of their web traffic is routed through the SafeSquid server before moving on to the internet.

This from the security vendor Sophos, as reported in InfoWorld: 

Up to 80 percent of Web sites flagged as malicious by anti-virus and search engine indexes are legitimate businesses, according to security experts. Experts said while the security industry is on top of conventional spam and phishing attacks, more effort needs to be put into preventing and eliminating so-called drive-by-downloads. The attacks allow hackers to redirect massive amounts of traffic by inserting malicious iFrames into legitimate Web sites. The hacks are usually invisible to Web site visitors and do not often draw attention from security personnel because they only require a single line of code to be manipulated. A 2007 Sophos survey found that more than 80 percent of Web sites listed as malicious were legitimate organizations that had been compromised by various attacks including iframe injections. 

This is harsh for many small business that depend on search engine traffic for customers.  They get tagged by Google as a malware site and not too many potential customers will visit - or maybe ever go back.  As the article points out, it can very difficult to track down the right webmaster contact: 

“We’ve begun sending email notifications to some of the Web masters of sites that we flag for badware. We don’t have a perfect process for determining a Web master’s e-mail address, so for now we’re sending the notifications to likely Web master aliases for the domain in question,” Harton said. 

When I worked at Secure Computing and N2H2 people would sometimes ask why we didn’t notify webmasters that their site had been blocked, and the answer is that’s a lot more difficult than you would think.

Back in December, 2007 when the Websense acquisition of SurfControl closed, I wondered, “What will become of CyberPatrol?”  becasuse the consumer client product CyberPatrol obviously didn’t fit with the Websense product line.   Now comes the news that a group of security executives associated with the spyware company Pest Patrol will form a new company, PC World reports:

CyberPatrol LLC, a new company founded by former executives of PestPatrol, announced Wednesday that it has acquired the well-known CyberPatrol parental control utility from Websense. “CyberPatrol is committed to developing new and enhanced products that will place children’s online safety firmly in the hands of parents”, said CyberPatrol president and chief executive Bob Bales, in an interview. “Our plan is to provide simple and non-intrusive products that will work for families.”  Thecompany plans to aggressively promote, update and improve the CyberPatrol product, which hadn’t changed appreciably since April of 2005. By August 2008 they will release a re-branded version 7.6 reflecting the new company name and new vision, Bales said. This version will add some functionality and introduce a community resource for parents. CyberPatrol will also be ramping up their research department at this time.

I was at the RSA security trade show last week, but I was too busy with my day job launching the first public beta of Microsoft Forefront Stirling, so I missed this great bake off I could have attended.  I’ve added this test to my table of filter tests here.  The results, as reported by PC World:

The controversial ‘Deep Throat Fight Club’ test of porn filters held at this week’s RSA security show has declared a winner. According to organizers Untangle, the best performer was Fortinet.Fortinet detected 97.7 percent on the main blocking porn test, only a whisker ahead of rivals Watchguard (97.3 percent), Websense (97.0 percent), SonicWall (96.1 percent), and Barracuda (94.0 percent).

The full report inlcuding the entire sample, can be found on Untangle’s blog here.

I was forwarded a copy of this letter from the City Council of Linday, California expressing outrage over the firing of a librarian for reporting child pornography.  The full letter in PDF form is below the fold:

March 12, 2008

Tulare County Board of Supervisors
2800 West Burrel Avenue
Visalia, CA 93291

Honorable Supervisors,

This letter is written to reassert the position of the City Council of the City of Lindsay regarding its dealings with Tulare County Library personnel.  Specifically, the City Council expresses its concern over recent actions by senior management, most notably Mr. Brian Lewis and Ms. Judy Hill. Both Mr. Lewis and Ms. Hill have failed to meet the public trust in their supervisory roles within the County Library system. Their actions have broken and severely damaged the confidence and trust between the City of Lindsay and the Tulare County Library department.

Of foremost concern, the City Council is appalled with the way Mr. Lewis and Ms. Hill have handled the recent events surrounding the arrest of an adult male apprehended viewing child pornography in the Tulare County library located in Lindsay.  Below is a summary of misgivings regarding the incident:

Read the rest of the letter (PDF file)

The Fresno Bee reports:

A Tulare County library worker says she was fired for telling police about a man she saw viewing child pornography on a Lindsay branch computer. Brenda Biesterfeld’s allegations are creating a dustup in Lindsay, where federal law-enforcement agents are joining the investigation following last week’s arrest of Donny Lynn Chrisler for suspicion of possessing child pornography.

Biesterfeld, who had worked for the county for nearly six months, said she called her supervisor and told her what happened. “She told me to write him a note saying this was a first warning, and if he gets a second warning he’d be banned from the library.”

“So then I said, ‘I need to contact the police, right?’ and she said no,” Biesterfeld said. “She said it’s more common than I’d think.”

Those who have followed the issue of child pornography in public libraries will find this incident disturbingly similar to one of the most notorious incidents in “Dangerous Access 2000.”  I obtained this 1999 incident from a FOI request I made to the Sonoma (Cailf.) Public Library:

 Sonoma, California, Public Library, a staff member sent an e-mail message to his supervisor stating:
“There are 3 men on my shift who come in regularly, perhaps daily. One views child porn of nude boys in tubs. . . . These images are clearly visible. . . .What does it mean to have child molester posters up in our staff lounge & yet we make daily Internet appointments for someone to watch kiddy porn in the library on the library comp? Isn’t this crazy?”

But the supervisor responded:
“I don’t like it either, but there is nothing we can do about it. The best thing for staff is to ignore it . . . please use your time in more constructive ways.” [Emp. Added]

Update:

The City of Lindsay is outraged:

In a blistering letter, the Lindsay City Council late today said a supervisor at the Tulare County Library told Lindsay police they had “no business” interfering with a child pornography incident because the library staff was handling it.

Two new filings in the ongoing library filtering case Bradburn v. North Central Library:

03/03/08 Defendant reply in support of motion for Summary  Judgment.
03/03/08 Defendant Supplemental Statement of Facts in Support of Motion for Summary Judgment

 Two weeks ago I provided a batch of new legal motions and filings in preparation as both the library and the ACLU motioned for summary judgments.  Most of the new documents  are on my Bradburn page here.  Again, I didn’t include all the new filing - there were a bunch of routine declarations. But I did upload some deposition transcripts from two ACLU experts - June Pinnell-Stevens and Kenton Oliver.  Both are long time intellectual freedom activists deeply associated with the American Library Association Office of Intellectual Freedom.

–David Burt