22 April, 2009

Who watches the watchers?

"Quis custodiet ipsos custodes?" The question has been asked since more than 2,000 years and translates to "Who will guard the guards?" In developed democracies the risk of abusing military power is rather low; people would not accept it and it's questionable if the army would fire on their own people. The means are more subtle nowadays and an overhauled translation is more appropriate: "Who watches the watchers?"

The threats to democratic states and societies are no longer foreign armies (except maybe for India and Israel and despite Cold War rhetoric during last year's conflict between Russia and Georgia) but terrorism and organized crime. In recent years these have often served as the reason for undermining civil rights, e.g. with the USA PATRIOT Act.

In the latest installment the German government, or more exactly the federal police (Bundeskriminalamt, BKA), signed contracts (German) with major internet service providers to block access to child porn sites; the law is still pending. Nobody reasonable will argue against fighting child pornography, but what is currently being discussed is more than questionable. There are 3 major points of criticism: relevance, effectiveness, appropriateness.

Relevance

A special investigator of Lower Saxony's state police says (German) the internet is used for communication, but commercial distribution happens via classic mail. Only later is the material distributed via P2P or Usenet, for free. So blocking will hardly prevent any production of child pornography, since it does not dry up the cash flow.

Effectiveness

Different techniques are possible: manipulating DNS, filtering by IP or filtering by URL. The first one seems to be the means of choice - and is totally pointless. Scandinavian countries are using DNS manipulation. Minister of Family Affairs Ursula von der Leyen, who is actually pursuing the access blocking, claims 50,000 clicks are prevented (German) in Sweden every day, while the CEO of the Verband der deutschen Internetwirtschaft (German Internet Business Association) eco claims that most "clicks" are caused by search engines (German). Neither statement can be proven, but the Swedish chief inspector against child pornography and child abuse concludes (German):
"Our blocking measures don't help to reduce the production of pornography."

IP filtering can't be bypassed that easily; it takes, for example, a proxy server. More important is the potential collateral damage: many web sites can sit behind one IP address. URL filtering can also be bypassed via a proxy server, but it does not have the side effects of IP filtering. Checking every URL costs enormous resources, though, and is not feasible. Therefore the British use a combined approach of IP and URL filtering in their Cleanfeed system to reduce collateral damage and the necessary resources - which doesn't always work out, as we will see later on.
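The trade-off between these techniques, as an added example that is not part of the original post: a toy model over constructed hostnames and addresses that counts, for each filter type, how many requests are blocked, how many of those were never on the list (collateral damage) and how many URLs had to be inspected. The `hybrid` branch is a simplified stand-in for the combined IP and URL approach described for Cleanfeed.

```python
from collections import namedtuple

# Constructed sample data: hostnames, addresses and paths are placeholders.
HOSTING = {
    "listed.example": "192.0.2.10",     # shares an address with two other sites
    "shared-a.example": "192.0.2.10",
    "shared-b.example": "192.0.2.10",
    "elsewhere.example": "198.51.100.7",
}
BLOCKED_URLS = {("listed.example", "/bad")}   # the only entry on the list
REQUESTS = [
    ("listed.example", "/bad"), ("listed.example", "/about"),
    ("shared-a.example", "/"), ("shared-b.example", "/shop"),
    ("elsewhere.example", "/"), ("elsewhere.example", "/news"),
]

# Coarser lists derived from the URL list, as a DNS or IP filter would need.
BLOCKED_DOMAINS = {domain for domain, _ in BLOCKED_URLS}
BLOCKED_IPS = {HOSTING[domain] for domain in BLOCKED_DOMAINS}

Result = namedtuple("Result", "blocked overblocked url_inspections")

def decide(strategy, domain, path):
    """Return (is_blocked, url_was_inspected) for one request."""
    ip = HOSTING[domain]
    if strategy == "dns":      # whole hostname is blocked
        return domain in BLOCKED_DOMAINS, False
    if strategy == "ip":       # every site on the address is blocked
        return ip in BLOCKED_IPS, False
    if strategy == "url":      # exact match, but every request is inspected
        return (domain, path) in BLOCKED_URLS, True
    if strategy == "hybrid":   # cheap IP match first, URL check only on a hit
        if ip not in BLOCKED_IPS:
            return False, False
        return (domain, path) in BLOCKED_URLS, True
    raise ValueError(f"unknown strategy: {strategy}")

def evaluate(strategy, requests=REQUESTS):
    blocked = overblocked = inspections = 0
    for domain, path in requests:
        is_blocked, inspected = decide(strategy, domain, path)
        inspections += inspected
        if is_blocked:
            blocked += 1
            overblocked += (domain, path) not in BLOCKED_URLS
    return Result(blocked, overblocked, inspections)

if __name__ == "__main__":
    for name in ("dns", "ip", "url", "hybrid"):
        print(f"{name:7}", evaluate(name))
```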

Appropriateness

An expert opinion released (both German) by the Research Services (Wissenschaftliche Dienste) of the German parliament Bundestag states that the blockade imperils the freedom of communication as granted by the German constitution. The Minister of Justice Brigitte Zypries expressed concerns (German) about "major constitutional risks" - her ministry was not involved in the process.

The most critical point is the lack of control. It's the BKA compiling the blocking list, it (obviously) has to be kept secret, and nobody can control what is on the list. And what happens if the objectionable contents are removed? I'm not suggesting that anybody is trying to introduce censorship, since I'm just not a supporter of any conspiracy theory. But the infrastructure for censorship is created and it can be abused in the future with less noble intentions.

To make matters worse, the police are prosecuting people who publish leaked lists. After WikiLeaks released the lists of Australia, Thailand and Denmark, the house of the German domain owner was searched (German) for "distributing child pornographic material". Also the house search of - take a breath - a blogger who linked in his blog to another blog which linked to WikiLeaks with the lists was ruled to be legal (German)! This example also points to another risk of those lists in case they are published: they help to distribute child pornography by providing link collections. To make it clear: In my opinion that's not a justification to prosecute publishers of those lists but a reason to not create them.

Other side-effects

Related to the lack of control is the question of which links get on the list: At the end of last year Britain's Internet Watch Foundation ruled on the cover of the album Virgin Killer by the German band Scorpions:
"As with all child sexual abuse reports received by our hotline analysts, the image was assessed according to the UK Sentencing Guidelines Council. The content was considered to be a potentially illegal indecent image of a child under the age of 18."

The album was released in 1976 (!) and its cover has never been censored in the UK. It also used to be available on Amazon or other sites. After a few days the IWF rescinded the block. During the block British users could not access the page on the album (though they could reach the image by accessing its URL directly) and could not modify any Wikipedia page.

The Australian list (of which it wasn't quite clear whether it is a fake or not) contained a dentist's website after it had been hacked, and artistic photographs by Bill Henson. Australian Communication Minister Stephen Conroy admitted they were added to the blacklist in error. But since people make errors, who is controlling them?

Another critic is CareChild, a society to fight distribution of child pornography and child abuse, which calls the plan of Minister of Family Affairs Ursula von der Leyen "symbolical politics" (German) that promotes the distribution rather than fighting it. To prove their point they performed a test (both German) with 20 domains from the Danish list, 17 hosted in the U.S., 1 in England, 1 in the Netherlands and 1 in South Korea and Portugal (all different providers). Within hours 16 domains were switched off; the other 4 were determined to comply with the law, and the operators could provide the necessary "record keeping documents", i.e. proof of the age of the performers.

Quoting the Chaos Computer Club:
"A statistical analysis of filter lists (German) from Switzerland, Denmark, Finland and Sweden revealed that more than 96% of the servers they banned are located in western countries, particularly the USA, Australia, Canada and the Netherlands. It is quite implausible that these servers and their operators cannot be shut down and prosecuted by means of international cooperation by law enforcement authorities. There is clearly a lack of political will here to establish appropriate priorities and to make the necessary resources available."

Both CareChild and the CCC conclude that the blocking lists might encourage law enforcement agencies to simply put web sites on those lists rather than actually taking action against their operators.

So in my humble opinion the blocking lists are not only questionable in pretty much every respect: when potentially illegal content is getting on those lists and nobody is allowed to control them, they are also dangerous to the fundamentals of democracy with their lack of oversight. Read: Who watches the watchers? As I wrote, I don't suggest anybody wants to introduce censorship. But with this populist acting for the sake of it, the infrastructure for censorship is created. I don't want to rely on Plato's noble lie, but rather not even provide the possibility of misuse.

PS: FoeBuD is starting an unfiltered DNS server (German) at 85.214.73.63.