Slashdot Mirror

Slashdot contributor Bennett Haselton writes: "Internet users in Saudi Arabia, along with most users in the United Arab Emirates, are blocked by their respective government censors from accessing the websites of the Trinity Davison Lutheran Church, Deliverance Tabernacle Ministries in Pittsburgh, the Amitayu Buddhist Society of Taiwan, and GayFaith.org. An attempt to access any of those websites yields an error page like this one. However, the sites are not blocked because they conflict with the religions beliefs of those countries' governments. Rather, they are blocked because Smartfilter -- the American-made blocking program sold by McAfee, and used for state-mandated Internet censorship in those countries -- classifies those sites as "pornography". You can see the screen shots here, here, here and here." Read on for the rest of Bennett's thoughts.

I found these blocked sites by starting with a combination of URL lists and ad hoc spidering, and running as many sites as possible through the Saudi filters to catch the ones that were blocked. Some of the sites were blocked for reasons that were easy to guess -- for example, http://www.bighornbasinsfw.org/, the home page of the Big Horn Basin, Wyoming chapter of Sportsmen for Fish & Wildlife, was almost certainly blocked because of the slang term "nsfw" in their URL. http://www.AgainstPornography.org and http://www.SearchingForMySpermDonorFather.org were presumably blocked because of the presence of the words "porn" and "sperm".

On the other hand, there appears to be no rational reason why the Filipino American Women's Network, the Tuscon Jazz Institute, or the Sacramento Police Activities League would have been blocked by Smartfilter, even by accident. A partial list of the blocked sites that I found is in the blog post I wrote for Citizen Lab, an Internet censorship research center at the University of Toronto.

Articles about sites that are erroneously blocked by Internet censorship software, have a storied history. The first widely read piece was the article "Keys to the Kingdom" written by Brock Meeks and Declan McCullagh in 1996, calling out Cyber Patrol for blocking EnviroLink.org and the University of Newcastle Computer Science Department, and CYBERsitter for blocking the National Organization for Women. I made a minor name for myself and the Peacefire.org site in the late 1990's by writing more pages about sites blocked by other products, including some (like X-Stop and SurfWatch) which no longer exist, and others that are still around, including Smartfilter. I was also one of six people comprising the Censorware Project, a loosely organized group of volunteers that published a few more reports.

By the early 2000's, however, it became clear that anyone whose mind was likely to be changed by information about what kinds of sites were blocked by blocking software, would have changed their mind already (or would, if they came across the research that had already been done up to that point). So the further reports on Internet blocking software errors, by me and other people, slowed to a trickle. I wrote a report in January 2002 on the latest list of sites blocked by Cyber Patrol, a product that most people today have forgotten. In 2006 I worked with the ACLU of Washington to publish a report on sites erroneously blocked by FortiGuard, a program used on computers in some libraries in central Washington, as part of the ACLU's suit to challenge the constitutionality of the program's use on public library terminals. (The Washington State Supreme Court rejected the lawsuit on the grounds that, regardless of what sites were blocked on the computers, it didn't matter because an adult library patron could request for the filter to be turned off.) In 2007 I wrote an article for Slashdot titled "From Bess to Worse" listing some sites that were blocked by an Internet filtering program called Bess (which was later bought out by Smartfilter and discontinued).

Most people's awareness of this debate, if they had heard about it at all, was limited to the perception that "breast cancer sites" and sites about "chicken breast recipes" were sometimes filtered by Internet blocking programs. Or they heard that "Beaver College" actually had to change its name to avoid being censored by web filters. As I tried to explain in a FAQ (written, according to the Wayback Machine, in 1999, but which still broadly holds true today), these examples are true, but they miss the point. These examples make it sound as if blocking software companies are doing the best job they can under the circumstances, and that the errors are unavoidable due to limitations on machine intelligence. In reality, any software algorithm that blocks the American Board of Vocational Experts, the Hopewell United Methodist Church, and the Patriot Guard Riders of Mississippi, as "pornography" (as Smartfilter currently does), is probably not the best algorithm the company could have come up with -- but there's no incentive for them to try harder, because few people will ever look that deep.

And yet, people continue to remember the "breast cancer site" examples. This sounds to me like an example of the narrative fallacy -- people remember that breast cancer sites were blocked, because there's a tidy explanation. There is no tidy explanation for most other examples of blocked sites, so the meme never spreads very far. Conveniently for the blocking companies, the blocked-site errors which make the company look most sloppy (the Kennels at Simpson Creek Farms, the St. Francis Institute of Milwaukee, etc.) are precisely the ones that, due to the narrative fallacy, most people won't remember or hear about.

One company, CYBERsitter, did manage to make a few blocking decisions in the 1990s that were egregious enough that their antics did make the news, and did finally raise some people's awareness that the controversy over private Internet filtering extended beyond "breast cancer sites". After TIME Magazine's website published an article (no longer online) that criticized CYBERsitter's blocking policies, CYBERsitter responded by blocking TIME Magazine's pathfinder.com domain. A few months earlier, CYBERsitter had blacklisted the monthly e-Zine "The Ethical Spectacle, after the Spectacle's founder, Jonathan Wallace, published an article criticizing CYBERsitter for blocking my own Peacefire.org website. And Peacefire.org had been blocked, in turn, because of a page I wrote (now very much out of date) listing some of the sites that CYBERsitter blocked, including the International Gay and Lesbian Human Rights Commission and Mother Jones. (Nowadays, of course, nobody would be surprised that filtering companies block Peacefire.org, since the site publishes ample instructions on how to get around Internet blockers. But at the time, the site's first and only article was the list of sites blocked by CYBERsitter, which is why CYBERsitter received so much criticism for blocking the domain in retaliation.) CYBERsitter also threatened to have Meeks and McCullagh criminally prosecuted for writing "Keys to the Kingdom" and threatened to sue me over the page that I had made.)

The moral, it seems, is that if you want an example of a censored web site to stick in people's minds, it either has to be a forgivable error, or an insane vindictive dick move -- because in either of those cases, people will understand why it happened. The vast swaths of censored websites on the spectrum in between, the ones for which there is no rational explanation for the blocking, go ignored.

These days, though, American and Canadian "censorware" makers have also come under fire for selling censoring software to foreign governments which use them for country-wide censorship. Most of the criticism focuses, naturally, not on the kinds of sites that are accidentally blocked by the blocking software, but on the immorality of these companies enabling statewide foreign censorship in the first place. Netsweeper, Blue Coat, and McAfee have all made the claim that "Once we sell their product to them, we have no control over what they do with it" -- which, as I wrote previously in Slashdot, is nonsense, because for the product to be effective, it has to rely on updates to the blocked-site list, which are provided at regular intervals by the manufacturer. Cut off the updates, and the product will not work, at least not as well.

So the fact that McAfee has classified the Boy Scout Troop 87 of North Andover, the Pan-Iranist Party of Iran, and Reptile Conservation International as "Pornography" is (rightly) overshadowed by the fact that McAfee is selling to government censors in Saudi Arabia and the UAE in the first place. However, as long as the filters are installed, these blocked sites are at least part of the problem for users in those countries, just as much as they are for students or cubicle workers in the U.S. whose network administrators happen to use Smartfilter. And, of course, I sampled only a miniscule fraction of the Web to find these examples of blocked sites, so the true number of stupid blocks affecting Saudi and UAE users is likely to be much larger. For each individual example, you might reasonably ask, "Is it really a big deal if Saudis are blocked from accessing Boy Scout Troop 87 of North Andover?" But it adds up.

Slashdot contributor Bennett Haselton writes: "Internet users in Saudi Arabia, along with most users in the United Arab Emirates, are blocked by their respective government censors from accessing the websites of the Trinity Davison Lutheran Church, Deliverance Tabernacle Ministries in Pittsburgh, the Amitayu Buddhist Society of Taiwan, and GayFaith.org. An attempt to access any of those websites yields an error page like this one. However, the sites are not blocked because they conflict with the religions beliefs of those countries' governments. Rather, they are blocked because Smartfilter -- the American-made blocking program sold by McAfee, and used for state-mandated Internet censorship in those countries -- classifies those sites as "pornography". You can see the screen shots here, here, here and here." Read on for the rest of Bennett's thoughts.

I found these blocked sites by starting with a combination of URL lists and ad hoc spidering, and running as many sites as possible through the Saudi filters to catch the ones that were blocked. Some of the sites were blocked for reasons that were easy to guess -- for example, http://www.bighornbasinsfw.org/, the home page of the Big Horn Basin, Wyoming chapter of Sportsmen for Fish & Wildlife, was almost certainly blocked because of the slang term "nsfw" in their URL. http://www.AgainstPornography.org and http://www.SearchingForMySpermDonorFather.org were presumably blocked because of the presence of the words "porn" and "sperm".

On the other hand, there appears to be no rational reason why the Filipino American Women's Network, the Tuscon Jazz Institute, or the Sacramento Police Activities League would have been blocked by Smartfilter, even by accident. A partial list of the blocked sites that I found is in the blog post I wrote for Citizen Lab, an Internet censorship research center at the University of Toronto.

Articles about sites that are erroneously blocked by Internet censorship software, have a storied history. The first widely read piece was the article "Keys to the Kingdom" written by Brock Meeks and Declan McCullagh in 1996, calling out Cyber Patrol for blocking EnviroLink.org and the University of Newcastle Computer Science Department, and CYBERsitter for blocking the National Organization for Women. I made a minor name for myself and the Peacefire.org site in the late 1990's by writing more pages about sites blocked by other products, including some (like X-Stop and SurfWatch) which no longer exist, and others that are still around, including Smartfilter. I was also one of six people comprising the Censorware Project, a loosely organized group of volunteers that published a few more reports.

By the early 2000's, however, it became clear that anyone whose mind was likely to be changed by information about what kinds of sites were blocked by blocking software, would have changed their mind already (or would, if they came across the research that had already been done up to that point). So the further reports on Internet blocking software errors, by me and other people, slowed to a trickle. I wrote a report in January 2002 on the latest list of sites blocked by Cyber Patrol, a product that most people today have forgotten. In 2006 I worked with the ACLU of Washington to publish a report on sites erroneously blocked by FortiGuard, a program used on computers in some libraries in central Washington, as part of the ACLU's suit to challenge the constitutionality of the program's use on public library terminals. (The Washington State Supreme Court rejected the lawsuit on the grounds that, regardless of what sites were blocked on the computers, it didn't matter because an adult library patron could request for the filter to be turned off.) In 2007 I wrote an article for Slashdot titled "From Bess to Worse" listing some sites that were blocked by an Internet filtering program called Bess (which was later bought out by Smartfilter and discontinued).

Most people's awareness of this debate, if they had heard about it at all, was limited to the perception that "breast cancer sites" and sites about "chicken breast recipes" were sometimes filtered by Internet blocking programs. Or they heard that "Beaver College" actually had to change its name to avoid being censored by web filters. As I tried to explain in a FAQ (written, according to the Wayback Machine, in 1999, but which still broadly holds true today), these examples are true, but they miss the point. These examples make it sound as if blocking software companies are doing the best job they can under the circumstances, and that the errors are unavoidable due to limitations on machine intelligence. In reality, any software algorithm that blocks the American Board of Vocational Experts, the Hopewell United Methodist Church, and the Patriot Guard Riders of Mississippi, as "pornography" (as Smartfilter currently does), is probably not the best algorithm the company could have come up with -- but there's no incentive for them to try harder, because few people will ever look that deep.

And yet, people continue to remember the "breast cancer site" examples. This sounds to me like an example of the narrative fallacy -- people remember that breast cancer sites were blocked, because there's a tidy explanation. There is no tidy explanation for most other examples of blocked sites, so the meme never spreads very far. Conveniently for the blocking companies, the blocked-site errors which make the company look most sloppy (the Kennels at Simpson Creek Farms, the St. Francis Institute of Milwaukee, etc.) are precisely the ones that, due to the narrative fallacy, most people won't remember or hear about.

One company, CYBERsitter, did manage to make a few blocking decisions in the 1990s that were egregious enough that their antics did make the news, and did finally raise some people's awareness that the controversy over private Internet filtering extended beyond "breast cancer sites". After TIME Magazine's website published an article (no longer online) that criticized CYBERsitter's blocking policies, CYBERsitter responded by blocking TIME Magazine's pathfinder.com domain. A few months earlier, CYBERsitter had blacklisted the monthly e-Zine "The Ethical Spectacle, after the Spectacle's founder, Jonathan Wallace, published an article criticizing CYBERsitter for blocking my own Peacefire.org website. And Peacefire.org had been blocked, in turn, because of a page I wrote (now very much out of date) listing some of the sites that CYBERsitter blocked, including the International Gay and Lesbian Human Rights Commission and Mother Jones. (Nowadays, of course, nobody would be surprised that filtering companies block Peacefire.org, since the site publishes ample instructions on how to get around Internet blockers. But at the time, the site's first and only article was the list of sites blocked by CYBERsitter, which is why CYBERsitter received so much criticism for blocking the domain in retaliation.) CYBERsitter also threatened to have Meeks and McCullagh criminally prosecuted for writing "Keys to the Kingdom" and threatened to sue me over the page that I had made.)

The moral, it seems, is that if you want an example of a censored web site to stick in people's minds, it either has to be a forgivable error, or an insane vindictive dick move -- because in either of those cases, people will understand why it happened. The vast swaths of censored websites on the spectrum in between, the ones for which there is no rational explanation for the blocking, go ignored.

These days, though, American and Canadian "censorware" makers have also come under fire for selling censoring software to foreign governments which use them for country-wide censorship. Most of the criticism focuses, naturally, not on the kinds of sites that are accidentally blocked by the blocking software, but on the immorality of these companies enabling statewide foreign censorship in the first place. Netsweeper, Blue Coat, and McAfee have all made the claim that "Once we sell their product to them, we have no control over what they do with it" -- which, as I wrote previously in Slashdot, is nonsense, because for the product to be effective, it has to rely on updates to the blocked-site list, which are provided at regular intervals by the manufacturer. Cut off the updates, and the product will not work, at least not as well.

So the fact that McAfee has classified the Boy Scout Troop 87 of North Andover, the Pan-Iranist Party of Iran, and Reptile Conservation International as "Pornography" is (rightly) overshadowed by the fact that McAfee is selling to government censors in Saudi Arabia and the UAE in the first place. However, as long as the filters are installed, these blocked sites are at least part of the problem for users in those countries, just as much as they are for students or cubicle workers in the U.S. whose network administrators happen to use Smartfilter. And, of course, I sampled only a miniscule fraction of the Web to find these examples of blocked sites, so the true number of stupid blocks affecting Saudi and UAE users is likely to be much larger. For each individual example, you might reasonably ask, "Is it really a big deal if Saudis are blocked from accessing Boy Scout Troop 87 of North Andover?" But it adds up.

The Register has a story today about Belkin routers redirecting their users' network traffic. To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"

MAPS has posted that it will be requiring a subscription fee starting in August. The note hasn't shown up on its PR page yet, but the readers of news.admin.net-abuse.email and SPAM-L are already finding it very interesting. I've included a copy below, along with selected commentary from those two forums. Anyone know more?

Path: ...!newsfeed.stanford.edu!news.isc.org!not-for-mail
From: Margie <margie@mail-abuse.org>
Newsgroups: news.admin.net-abuse.email
Subject: MAPS Subscription Policy Changes
Date: Thu, 12 Jul 2001 16:45:11 -0700
Organization: Internet Software Consortium
Message-ID: <nidsktsnci3cat0blc31qtanprifmek97v@4ax.com>

Effective Midnight 7/31/2001, all non-subscription access to MAPS services will cease. Anyone wishing to transfer or query MAPS data must have a signed contract with MAPS, and have access enabled in our ACL. There are several reasons for this change:

1) The data in the MAPS files belongs to MAPS and is copyrighted. MAPS, RBL, RBL+, DUL and RSS are all service marks of MAPS. MAPS must have the ability to protect its assets from unauthorized use or disclosure by third parties.

2) As MAPS popularity grew, the demand on our resources grew. We have continually upgraded systems, software, and added servers where necessary. The end result is our systems and connectivity are sufficient enough that providers have no incentive to pay for zone transfer subscriptions. When MAPS began to offer paid subscriptions, we believed that allowing access based on the ability to pay would allow the largest percentage of the net to access the services, while permitting MAPS to sustain itself with subscriptions from the large users of the services. What we have found instead is that we are our own worst "competition".

3) The economic conditions in the industry have hit everyone, including MAPS. MAPS' purpose is to stop spam on the internet. That purpose can only be achieved as long as MAPS can maintain itself as a corporation. Like any corporation, that takes income. There is very little debate about the effectiveness of the MAPS lists. This effectiveness saves its users time, bandwidth and other resources as well as giving them an added value to their customers by reducing the amount of spam the customer sees in their inbox. MAPS can simply no longer afford to foot the bill for the bulk of the internet community.

It is not our intent to put the use of the MAPS lists out of reach of the individual or hobby site. We will still offer some reduced fee or free query contracts under limited circumstances.

As usual, please direct requests for contracts to subscription-request@mail-abuse.org, questions and comments to margie@mail-abuse.org and flames to dev/null. ;)

--
Margie Arbon Mail Abuse Prevention System, LLC
Manager, Market and Business Development
margie@mail-abuse.org http://mail-abuse.org

Here are excerpted reader comments from SPAM-L and nanae which I found interesting:

"...people can no longer pass the buck when it comes to effectively blocking unwanted crap; they will have to now assume the responsibility for handling their own E-mail. I actually think that this is going to be a good thing for the long term." (Sam Varshavchik)

"...and so dies MAPS. You've just cut your own throats. The effectiveness of MAPS always depended on the number of users, which is now going to be a fraction of a percentage of what it was before." (John Oliver)

"I was under the impression that MAPS want a big number of subscribers, in order to have some force behind them when they educate and negotiate with spammers. Isn't that the reason big spamhausen like UUNet were not blacklisted, since many subscribers would stop using MAPS's tools because of too much collateral damage? Now MAPS is reducing its customer base. But perhaps we can now get eBay, UUnet and Qwest blacklisted, since only a small number of administrators will use MAPS tools..." (Karl-Henry Martinsson)

"...if the RBL listees think the RBL is a bitch, let them see what happens when they get dropped into who knows how many individual filters that won't get reviewed for removals until Hell freezes over. I think there is some serious potential for us to ALL gain from this move." (Jim Higgins)

"Anyway, now that the MAPS RBL user base has been reduced by at least a factor of 10, the mainsleaze spambags are not going to even CARE about MAPS. ... So the mainsleaze spambags are going to let loose on the remaining 92-96%. ... The way I look at it, Joe Sixpack is now going to see more spam than he's ever seen before. I think that a lot of Joe Sixpacks are going to get seriously pissed, and a fair amount of them are going to explore ways to effectively spamproof their INBOXes. This is a GOOD thing." ("Sam")

My own prediction: in the long run, this has no big effect on spam either way. Two things will reduce the hassle of spam, more legislation, or supplanting SMTP with a non-broken mail protocol. Costs have to be attached to sending mail to strangers, either micropayments or risk of jail. As long as mail's dirt-cheap to send, spam will be vying for our attention, scurrying-around clean-up crews notwithstanding.

Until SMTP is replaced, the great spam fight is a bunch of Libertarians trying to solve the tragedy of the commons. A pay-per-view clique seems like a suboptimal solution to me.

Stephen King is conducting a fiendish experiment. He - not his publisher - is putting the first installment of a novel online today, and then waiting to see how many people will pay a dollar for the download. The second part goes online next month, and then when it comes time to upload the third part, King will only release it if enough people have paid for the first two. This is the first high-profile test of a promising artistic compensation algorithm in the post-copyright world -- and when it fails, don't give up on it.

"The average writer is really more interested in writing than the transaction part of the process."
-- Jack Romanos, President/COO of Simon & Schuster, quoted in NYT

"We're confident that publishers add enough value to the process that authors are still going to want to use them."
-- Carolyn Reidy, CEO of Simon & Schuster, quoted by AP

"My friends, we have a chance to become Big Publishing's worst nightmare."
-- Stephen King

"Looks like the future of publishing to me."
-- Bruce Schneier

We've had a few people submit this news item, describing it as "shareware." It's not. This is shareware with a bite attached, something else entirely. What King is doing is a real-world test of the Street Performer's Protocol.

The SPP is a proposal for artists to make money without retaining any control over their work (since, on the net, copyright is rapidly being rendered irrelevant). Here's the paper by Kelsey and Schneier if you'd like to get all the technical details.

But the bottom line is that Stephen King is never going to have to publish the end of his novel.

Readers aren't going to send in a flood of cash and money orders (!) -- that's a given -- envelopes and addresses are a hassle. Luckily for him, he's brokered a deal with Amazon to accept credit cards, which is pretty sweet considering that most places won't even look at $1 credit card charges -- too much overhead. (My guess would be that Amazon is doing this as a loss leader to get the attention and signups. That won't work forever. Amazon PR didn't return my phone call by press time.)

But the real problem is that King demands that 75% of his readers be honest. That'll never happen.

Kelsey and Schneier's original SPP proposed thoughtfully that authors ask for a flat fee: say, $100,000 for a novel. If the majority of an author's readers never pay, that's fine: as long as the remaining minority is large enough (or rich enough) to collectively make the payment. (If not enough pay, the money stays in escrow and then reverts to its owners.)

King's terms make the question one of relative loyalty, not absolute popularity. He's not offering a transaction with his readers -- he's testing them. And the test is guaranteed to fail.

What he's proposing is a Prisoner's Dilemma played between thousands of people. Because of the large nature of the game, the actual statistical "profit" returned by sending in your dollar is a tiny fraction of the enjoyment you'd get from reading the third installment that King would post. Your payoff matrix looks like:

Novel Released Novel Not Released Cooperate
(pay $1) Get $10 reading enjoyment for $1, profit: $9 $-1 Defect
(pay $0) Get $10 reading enjoyment for free, profit: $10 $0

No matter what happens, you do better by not sending in your dollar. (It's fair to ignore the infinitesimal chance that your single dollar will be the one to hit the 75% mark.)

Of course there are other considerations (can you sleep at night knowing you cheated Stephen King out of a dollar?) but for the most part, people will weigh these options and decide they're not going to pay.

And once you start thinking that you're not going to pay, you realize that many others won't either, and it starts to look even more like throwing money down a drain. Vicious cycle.

The Prisoner's Dilemma is only interesting if the same players play together over and over. What we have here is a "one-shot" game, and in such a game the only rational strategy is to defect. Unfortunately, if everyone behaves rationally, we all merely break even (and the novel never comes out); if only we were a little more irrational we'd all make a profit of nine dollars - or however much King's story was worth to us.

Douglas Hofstadter ran an experiment for Scientific American in June 1983, asking twenty friends to play a similar one-shot Dilemma. Even though Hofstadter's was profit-only, no chance of losing money, and even though participants knew their choices would be reported in a national magazine, his cooperation rate was only 30%.

I predict King's return rate will be something like 15%. Maybe it will go as much as twice as high, thanks to his deal with Amazon to let people use credit cards -- much more convenient.

The disappointing thing is that two months from now he's going to announce that the experiment has failed and then either drop the novel, or keep writing it out of the kindness of his heart. Either way, the press is going to report that this new distribution method is a crock. Which is a shame because it only needs to be done right.

First of all, the percentage thing needs to go. King doesn't write for the satisfaction of knowing that he has honest readers. He writes to make money.

I suspect King is too used to thinking in terms of royalties, hoping for a good-sized slice of those unpredictably large pies he bakes. He might not know which novel will be the runaway best-seller that will make ten times the money he'd hoped for.

My advice to him would be to relax; don't try to look for the gravy train. You're on the internet now, that won't work. Set a price for your time -- an obscenely high price, to be sure, you're one of the world's most popular writers -- and be content with what you get. When contributions hit that number, release the book.

Second, invite readers to contribute as much as they like toward the novel. For some, a dollar; for real fans, ten dollars or more. Let us decide how much it's worth to us.

Third, hold contributions in escrow until the novel is released, and if the limit is not reached by a certain time, give us our money back. As a contributor, this makes my cost negligible, and changes my payoff matrix to, let's say...

Price Reached Price Not Reached Cooperate
(pay $3) Get $10 reading enjoyment for $3, profit: $7 Get my $3 back: $0 Defect
(pay $0) Get $10 reading enjoyment for free, profit: $10 $0

This way, there's no risk; the worst-case scenario is that I lose some time and energy at the mailbox. It's a win-win situation, and I'm much more likely to play.

If Stephen King wants to craft a real nightmare for Big Publishing, that's the plot he needs to use.

(P.S. If you're interested in reading more about the Prisoner's Dilemma, I've assembled a few references -- and thoughts -- at thedilemma.org. See in particular Hofstadter, pp. 740ff., re the one-shot PD.)

(P.P.S. Updated 90 minutes later. I had this link to "the download" up in the top paragraph, but took it out because some people didn't realize it led straight to the pay-me-a-dollar PDF file. Sorry; that's why the link is down here now. If you read it and want to pay your dollar, you can probably figure out to visit stephenking.com, eh?)

Maybe Peacefire's timing is bad. Two courts have recently said that the reverse-engineered DeCSS program is illegal to publish in the United States, and UCITA gets closer every second. Yet Peacefire today released a program that reverse-engineers the encryption on a list of sites blocked by a major censorware product. Maybe T-shirts that say 'X-Stop has a 68% error rate for blocking student homepages' will get classified as munitions next. Bennett Haselton shares his thoughts (below) on corporate crypto.

Bennett Haselton is the founder and head of Peacefire, an activist group to support the free-speech rights of young people. He suggests that you might want to download the X-Stop "smoking gun" evidence (4MB) before the company has a chance to remove it from their server.

The feature below was written by Mr.Haselton.

X-Stop is an Internet censoring program with an encrypted database of 370,000 URL's blocked under various categories: Sex, Drugs, Rock `n' Roll, etc. Their competitors like SurfWatch and Cyber Patrol also do not publish their blocked site lists; the officially given reason is to keep kids from using the lists to find smut on the Internet. This is silly, given how easy it is to find Internet porn without the aid of X-Stop's secret database (although if you still want to, you can download our codebreaker, follow the instructions to get the X-Stop list and decrypt it, and help yourself). But for the next part of our report, after we decoded the URL list, we looked at the first 50 URL's in the .edu domain that were still valid, and found that 34 of them were regular student home pages with nothing offensive (hence the "68% error rate" t-shirt slogan). None of those 34 students who responded to our e-mails could think of why X-Stop would want to block their pages.

X-Stop admits on their Web site that their database is put together by a Web spider called "Mudcrawler" and not by human reviewers, but even for a machine, a 68% error rate is pretty bad. And even though the real reason why these lists are encrypted is obviously to keep competitors from stealing them, this also makes it much harder for third parties to find out what the programs really block. In fact, X-Stop had once claimed that every URL on their list was reviewed by a human before getting blocked, but cyber lawyer Jonathan Wallace called them on it when he published "The X-Stop Files" in 1997, asking why X-Stop blocked several sites like the Quakers home page, the AIDS Quilt, and parts of Jonathan's own e-zine, The Ethical Spectacle. Peacefire also put up a page in 1998 about sites blocked by X-Stop, including an affirmative action site and a blind children's hospital. But these examples were all found through trial and error; today is the first day that the entire list of URL's has been made public. And to determine the 68% figure, it was necessary to have a copy of the entire list, so that the first 50 blocked sites could be used as a random sample.

So far, this is more or less the same story that took place in 1997 with another blocking program, CYBERsitter, right down to Jonathan Wallace posting a page about CYBERsitter and getting his site blocked. First, several people posted articles criticizing CYBERsitter's policies, and slowly CYBERsitter's public image deteriorated as word got out that they were blocking sites which criticized their company (even Time magazine got blocked, and then posted an article about how they found themselves on CYBERsitter's list). Then in April 1997, Peacefire released a program that broke the encryption on CYBERsitter's list of blocked URL's. CYBERsitter sent Peacefire a threatening letter demanding that we take down the program and remove all of our links to CYBERsitter's Web page. Jim Tyre, a volunteer lawyer and future founding member of the Censorware Project, sent CYBERsitter a reply telling them they had no case, and we never heard from them again. But UCITA, the Digital Millennium Copyright Act, and the two court injunctions against the right to post DeCSS, didn't exist in 1997. If we had released the CYBERsitter codebreaker today, would CYBERsitter actually file a lawsuit?

The outcome of the DeCSS court cases could, in fact, determine the rights of a private citizen to embarrass a big software company by reverse engineering their products and catching them in a lie. It's easy to forget the importance of legal protection for reverse engineering, because sometimes public opinion is enough: RealNetworks never sued Richard Smith when he revealed that copies of RealPlayer included a "globally unique identifier" to track user's listening habits, and Microsoft never sued Andrew Schulman when he discovered that Windows 3.1 threw up fake error messages about DR-DOS. These were large companies that would have been crucified if they had tried to sue someone for discovering something that the public thought they had a right to know anyway. But legal protections are still important, because sometimes public opinion isn't enough - when the software company doesn't have much of an online reputation to worry about, or when then they have a reputation but they don't care about it.

The RIAA, with their campaigns against MP3 technology and reverse-engineering SDMI, is an example of an organization that doesn't care about their online image - and why should they, since we all download our music for free anyway. CYBERsitter is another good example - they do care about their reputation, but in 1997 their image was that of a children's guardian angel and an ally in fighting government censorship, almost immune to criticism. It took an enormous amount of bad press - letters from CYBERsitter's CEO threatening ISP's and flaming people in general, and at one point actually mail-bombing a lady who sent them a complaint - before even advocates of blocking software started distancing themselves from the company. Even today, CYBERsitter's public image is fairly rosy, and their campaigns of legal harassment hardly affected their reputation at all. (What had you heard about CYBERsitter before you read this article?) It's hard to imagine Microsoft, for example, filing a similar lawsuit without embarrassing themselves and turning their intended target into a martyr. The real threat to "reverse engineering for the public good" is from medium-sized companies, small enough that not everything they do will get in the news, but still big enough to afford lots of lawyers.

This threat affects not just programmers, but even journalists who get anonymous tip-offs - like Brock Meeks and Declan McCullagh, who were threatened with an FBI investigation by CYBERsitter in 1996, after they published their "Keys to the Kingdom" article about sites that CYBERsitter and other "censorware" programs blocked. The part of the article that got them in so much trouble was this excerpt from CYBERsitter's bad- word file:

[up][the,his,her,your,my][ass,cunt,twat][,hole]
[wild,wet,net,cyber,have,making,having,getting,giving,phone][sex...]
[,up][the,his,her,your,my][butt,cunt,pussy,asshole,rectum,anus]
[,suck,lick][the,his,her,your,my][cock,dong,dick,penis,hard on...]
[gay,queer,bisexual][male,men,boy,group,rights,community,activities...]
[gay,queer,homosexual,lesbian,bisexual][society,culture]
[you][are][,a,an,too,to][stupid,dumb,ugly,fat,idiot,ass,fag,dolt,dummy]

If this now counts as a "trade secret" under the Digital Millennium Copyright Act, then our list of the 50 .edu sites blocked by X-Stop - and the study that found the 68% error rate - could be declared illegal. And under UCITA, CYBERsitter could even claim the enforceability of these excerpts from their license agreement:

Reverse Engineering Prohibited
Unauthorized reverse engineering of the Software, whether for edcucational, fair use, or other reason is expressly forbidden. For the purposes of this license the term "reverse engineering" shall apply to any and all information obtained by such methods as decompiling, decrypting, trial and error, or activity logging.

Non-Disclosure
Unauthorized disclosure of CYBERsitter operational details, hacks, work around methods, blocked sites, and blocked words or phrases are expressly prohibited.

So any CYBERsitter user who even discusses what the program blocks, would be in violation. Not that CYBERsitter would enforce this against everybody, but they probably would have liked to enforce it against Brock and Declan.

At this point, we don't know how X-Stop will respond to our report. But we do know that for all of their bluster, CYBERsitter never actually sued Brock, Declan or Peacefire. Given that CYBERsitter pursued the matter for months (and the fact that Brock and Declan had actual money), if CYBERsitter gave up, it's because they had no case. If the Digital Millennium Copyright Act, UCITA, or the DVD court rulings change that situation, then it will become much harder to criticize blocking software - or any kind of software - except for the user interface and other things that users can "see" without looking under the hood.

Maybe Peacefire's timing is bad. Two courts have recently said that the reverse-engineered DeCSS program is illegal to publish in the United States, and UCITA gets closer every second. Yet Peacefire today released a program that reverse-engineers the encryption on a list of sites blocked by a major censorware product. Maybe T-shirts that say 'X-Stop has a 68% error rate for blocking student homepages' will get classified as munitions next. Bennett Haselton shares his thoughts (below) on corporate crypto.

Bennett Haselton is the founder and head of Peacefire, an activist group to support the free-speech rights of young people. He suggests that you might want to download the X-Stop "smoking gun" evidence (4MB) before the company has a chance to remove it from their server.

The feature below was written by Mr.Haselton.

X-Stop is an Internet censoring program with an encrypted database of 370,000 URL's blocked under various categories: Sex, Drugs, Rock `n' Roll, etc. Their competitors like SurfWatch and Cyber Patrol also do not publish their blocked site lists; the officially given reason is to keep kids from using the lists to find smut on the Internet. This is silly, given how easy it is to find Internet porn without the aid of X-Stop's secret database (although if you still want to, you can download our codebreaker, follow the instructions to get the X-Stop list and decrypt it, and help yourself). But for the next part of our report, after we decoded the URL list, we looked at the first 50 URL's in the .edu domain that were still valid, and found that 34 of them were regular student home pages with nothing offensive (hence the "68% error rate" t-shirt slogan). None of those 34 students who responded to our e-mails could think of why X-Stop would want to block their pages.

X-Stop admits on their Web site that their database is put together by a Web spider called "Mudcrawler" and not by human reviewers, but even for a machine, a 68% error rate is pretty bad. And even though the real reason why these lists are encrypted is obviously to keep competitors from stealing them, this also makes it much harder for third parties to find out what the programs really block. In fact, X-Stop had once claimed that every URL on their list was reviewed by a human before getting blocked, but cyber lawyer Jonathan Wallace called them on it when he published "The X-Stop Files" in 1997, asking why X-Stop blocked several sites like the Quakers home page, the AIDS Quilt, and parts of Jonathan's own e-zine, The Ethical Spectacle. Peacefire also put up a page in 1998 about sites blocked by X-Stop, including an affirmative action site and a blind children's hospital. But these examples were all found through trial and error; today is the first day that the entire list of URL's has been made public. And to determine the 68% figure, it was necessary to have a copy of the entire list, so that the first 50 blocked sites could be used as a random sample.

So far, this is more or less the same story that took place in 1997 with another blocking program, CYBERsitter, right down to Jonathan Wallace posting a page about CYBERsitter and getting his site blocked. First, several people posted articles criticizing CYBERsitter's policies, and slowly CYBERsitter's public image deteriorated as word got out that they were blocking sites which criticized their company (even Time magazine got blocked, and then posted an article about how they found themselves on CYBERsitter's list). Then in April 1997, Peacefire released a program that broke the encryption on CYBERsitter's list of blocked URL's. CYBERsitter sent Peacefire a threatening letter demanding that we take down the program and remove all of our links to CYBERsitter's Web page. Jim Tyre, a volunteer lawyer and future founding member of the Censorware Project, sent CYBERsitter a reply telling them they had no case, and we never heard from them again. But UCITA, the Digital Millennium Copyright Act, and the two court injunctions against the right to post DeCSS, didn't exist in 1997. If we had released the CYBERsitter codebreaker today, would CYBERsitter actually file a lawsuit?

The outcome of the DeCSS court cases could, in fact, determine the rights of a private citizen to embarrass a big software company by reverse engineering their products and catching them in a lie. It's easy to forget the importance of legal protection for reverse engineering, because sometimes public opinion is enough: RealNetworks never sued Richard Smith when he revealed that copies of RealPlayer included a "globally unique identifier" to track user's listening habits, and Microsoft never sued Andrew Schulman when he discovered that Windows 3.1 threw up fake error messages about DR-DOS. These were large companies that would have been crucified if they had tried to sue someone for discovering something that the public thought they had a right to know anyway. But legal protections are still important, because sometimes public opinion isn't enough - when the software company doesn't have much of an online reputation to worry about, or when then they have a reputation but they don't care about it.

The RIAA, with their campaigns against MP3 technology and reverse-engineering SDMI, is an example of an organization that doesn't care about their online image - and why should they, since we all download our music for free anyway. CYBERsitter is another good example - they do care about their reputation, but in 1997 their image was that of a children's guardian angel and an ally in fighting government censorship, almost immune to criticism. It took an enormous amount of bad press - letters from CYBERsitter's CEO threatening ISP's and flaming people in general, and at one point actually mail-bombing a lady who sent them a complaint - before even advocates of blocking software started distancing themselves from the company. Even today, CYBERsitter's public image is fairly rosy, and their campaigns of legal harassment hardly affected their reputation at all. (What had you heard about CYBERsitter before you read this article?) It's hard to imagine Microsoft, for example, filing a similar lawsuit without embarrassing themselves and turning their intended target into a martyr. The real threat to "reverse engineering for the public good" is from medium-sized companies, small enough that not everything they do will get in the news, but still big enough to afford lots of lawyers.

This threat affects not just programmers, but even journalists who get anonymous tip-offs - like Brock Meeks and Declan McCullagh, who were threatened with an FBI investigation by CYBERsitter in 1996, after they published their "Keys to the Kingdom" article about sites that CYBERsitter and other "censorware" programs blocked. The part of the article that got them in so much trouble was this excerpt from CYBERsitter's bad- word file:

[up][the,his,her,your,my][ass,cunt,twat][,hole]
[wild,wet,net,cyber,have,making,having,getting,giving,phone][sex...]
[,up][the,his,her,your,my][butt,cunt,pussy,asshole,rectum,anus]
[,suck,lick][the,his,her,your,my][cock,dong,dick,penis,hard on...]
[gay,queer,bisexual][male,men,boy,group,rights,community,activities...]
[gay,queer,homosexual,lesbian,bisexual][society,culture]
[you][are][,a,an,too,to][stupid,dumb,ugly,fat,idiot,ass,fag,dolt,dummy]

If this now counts as a "trade secret" under the Digital Millennium Copyright Act, then our list of the 50 .edu sites blocked by X-Stop - and the study that found the 68% error rate - could be declared illegal. And under UCITA, CYBERsitter could even claim the enforceability of these excerpts from their license agreement:

Reverse Engineering Prohibited
Unauthorized reverse engineering of the Software, whether for edcucational, fair use, or other reason is expressly forbidden. For the purposes of this license the term "reverse engineering" shall apply to any and all information obtained by such methods as decompiling, decrypting, trial and error, or activity logging.

Non-Disclosure
Unauthorized disclosure of CYBERsitter operational details, hacks, work around methods, blocked sites, and blocked words or phrases are expressly prohibited.

So any CYBERsitter user who even discusses what the program blocks, would be in violation. Not that CYBERsitter would enforce this against everybody, but they probably would have liked to enforce it against Brock and Declan.

At this point, we don't know how X-Stop will respond to our report. But we do know that for all of their bluster, CYBERsitter never actually sued Brock, Declan or Peacefire. Given that CYBERsitter pursued the matter for months (and the fact that Brock and Declan had actual money), if CYBERsitter gave up, it's because they had no case. If the Digital Millennium Copyright Act, UCITA, or the DVD court rulings change that situation, then it will become much harder to criticize blocking software - or any kind of software - except for the user interface and other things that users can "see" without looking under the hood.

I'm halfway through Susan Blackmore's book "The Meme Machine," and it's rekindled my interest in meme dispersal. In a memetic sense, the battle over filters in the Holland library is just one of implanting the right ideas in enough people's minds by the day of the vote. Here's a look at one of the more annoying memes the opposition is using: a lie about the results of my very own organization. Click for more.

Everyone's familiar with the term "meme" by now, so I don't have to explain that it's the unit of idea transmission. The struggle over Internet filters, or any other conflict where ideas, facts, opinions, and outlooks collide, is memetic in nature: it's memetic warfare.

All's fair in war, supposedly, but I'm someone who has been infected by the meme that we should all fight fair, even - especially - in the war of ideas.

Will the "fight fair" meme become popular in the long run? I hope so. But the way I see it, that will only happen if it is more successful at reproducing than its alternative: "fight dirty." In the long run, it doesn't matter what's right, or what's good, or what benefits us humans the most. The memes just spread because they're good at spreading.

In early 1999, my friend (now Slashdot writer) Michael Sims started a long process to obtain some Web logs from the state of Utah. Internet access for schools and libraries across the state was provided by a single network, and all their Web traffic went through proxies that had the same blocking software running. Their Web logs were a gold mine of data, showing both blocked and unblocked accesses. When users were blocked from something, the logs showed what category it was blocked in.

Our group, the Censorware Project, had been looking for a real-world test case of this software. Michael did a tremendous amount of work to file the papers, get permission to get the logs, have them delivered, gather them, and analyze them. He then wrote a brilliant report (the rest of us helped too).

What this let us do was see how blocking software's errors show up in the real world. We had known for years that the software has many mistakes in its blacklists, in every product we'd studied. But we had no data on how that affected users.

When all the data was crunched, two numbers surprised us. First, the amount of material blocked was quite small: about 0.6%. People were interested in things besides pornography on the internet. Who would have thought.

Second, just looking at the wrong blocks that we were able to find, the proportion was quite high: about one block in every 20 was Constitutionally protected material. That's a minimum - the minimum we were able to confirm. All in all, we identified over 5,000 occasions when people were blocked from reading protected material (totalling 300 unique Web sites).

Most measures of blocking software effectiveness focus on how much pornography it blocks. We weren't able to test that because we couldn't look through the 99.4% of unblocked material - over 53million URLs. Just too much data. But we did learn that, in Utah, 5% of the time, when the software said "you can't look at that," it was just plain wrong.

Ninety-five percent accuracy might sound like a nice high figure to base a good meme around. Who could argue with a number like 95%? But consider what this means for the 300 Web sites in question: each of them was blocked from being read by a great many public institutions in the state of Utah.

And the First Amendment protects publishers, not readers: it's freedom of the press, not freedom to read the press. When you're blocked from reading your favorite author, you might be annoyed, but if the censor were taken to court, the injured party would be the author.

This is exactly what we fought against the Communications Decency Act for. Except, in many ways, censorware is worse. If your site is one of the 5% that's wrongly blocked, you won't know it. Our government will stop people from reading what you have to say even if your site is completely innocent (like the Candy Land website), and nobody will bother to notify you. You won't ever know.

At least with the CDA, you'd have gotten a letter from the prosecutor telling you your site was censored - and nobody, but nobody, would ever have been censored for publishing the Bible.

(Yes, the Bible was one of the banned books we found in Utah, along with the Declaration of Independence, the U.S. Constitution, etc. That kind of thing makes good memes.)

Michael put a lot of work into our report, and I even contributed a little, so I'm a little protective of that 5% meme. Which is why it was so jarring to open up a press kit distributed by the Family Research Council, last week, and find our work, cited in black and white, as support for the figure: "one in a million."

That's right, the exact same report which found one bad block in every twenty is now being cited as proving that Web sites are misblocked "one time in a million."

Now that's a good meme. "One in a million" sticks with you. It isn't backed up by any of the facts, but despite that handicap - or perhaps partly because of it - it has thrived.

It was first invented by a fellow named David Burt, who read our report not very carefully, and then decided he was going to do a little numerology of his own.

The first thing he did was ignore all the bad blocks we'd found that he thought were perfectly appropriate. For example, we'd found that the homepage of the band "The Offspring" was wrongly blocked - you may remember their songs from the fall of 1998. "I'm just a sucker with no self-esteem," and so on. (You're humming it now. Catchymeme.)

David Burt decided that The Offspring deserved to be blocked, and to illustrate why, quoted nine words from their Web site:

"These songs have ideas PLUS drugs, sex and ass-kicking"

He also decided it was OK to block BaywatchTV.com, BirthControl.com, the Starr Report, the Yahoo category "Society and Culture: Romance," and Glamour magazine. It was OK to block a page on the NASA Web site about a crackdown on hackers, because it "discusses hacking techniques." Both takedown.com and 2600.com should be blocked, he says, for the same reason. A fellow whose homepage includes a link to a PGP FAQ - no code or binaries - should be blocked for containing "cryptographic software."

Did I mention this man is a librarian?

After trimming out all the fat from our list, he got it down from over 300 sites to just 64. Of course, this was the list of unique sites. If he'd had all our numbers, he would have known that his changes affected our 5% figure by about 0.1% - this because the large majority of blocked sites are blocked few times.

There's some other nonsense he tried, like saying that we were deceitful to ignore blocked banner ads because they were surely all pornographic. In fact, four of the five top blocked ad sites were perfectly ordinary, and counting ads would have made our numbers more impressive, not less.

But his main meme was the number. Armed with his new figure "64", he performed a division by the largest number in our report, which was 54,000,000. Kind of like dividing apples by hydrogen. Of the 54,000,000 URLs, only 29% were page views; only 0.56% of those were blocked; and the previously-mentioned 5% of those were blocked incorrectly. From there he switched from blocks to unique blocks, cutting the actual figure of 5,000 down to his list of 64.

Then, dividing 64 by the original 54,000,000, he got 1 in 1.18... well, for the meme's sake he got one in a million.

Publishing this in April of 1999, David Burt ignored our corrections. Despite our offering all the raw data on CD-ROM, for the cost of the media, he just accused us of lying.

You can't say anything to that, without getting into a yes-you-are no-we're-not. We'd put out two press releases about this already. We told him to order the CD-ROMs and check for himself. Then we moved on.

But his meme began to spread. In June, the company that made the blocking software pulled the same trick, reported the results to Sen. John McCain - and then issued a press release about it. Our group was now cited as supporting their software by proving its accuracy. Since the numbers were so big anyway, they just used the 300 figure and called it an "accuracy rate of 99.9994%."

A group I've never heard of, the American Decency Association, now points to our study and says: "Filters Work!" They source is another group I've never heard of, the Michigan Decency Action Council. Word gets around.

So when I opened up the report "Internet Filtering and Blocking Technology," published by the Family Research Council and distributed at their Holland presentations, I was not surprised when I found the same meme on pages 9 and 14. (I was surprised to see them divide 64 into 54,000,000 and get 6 parts per million. But as long as they've blown the numbers so badly, a little botched division doesn't make any difference.)

I talked to two of the FRC techies about this and tried to explain what was wrong with the numbers. I got some mild interest. Will the FRC correct and reprint this report? Of course not. Admitting that DavidBurt fudges numbers might be a bad tactical move. The concluding two sections of the report have 31 footnotes, 28 of which reference no one but Mr.Burt.

I choose to be an optimist about the marketplace of ideas. I believe that truthful memes will proliferate in the long run, because enough people's brains select for truth.

But in the meantime, it's frustrating when my team takes below-the-belt punches from the guys who don't care about what's true.

I don't expect everyone reading this to share my memeplex on this issue. I know from reading the comments that many Slashdot readers think censorware in libraries is a good thing, and that's fine. In fact, I'll bet many of you are grinding your teeth that I keep using the word "meme" so damn much. That's fine too.

All I ask is that, when your memes start arguing with my memes, you make them fight fair. It's only right.

Our interview guests this week are American Jim Tyre and Australian Irene Graham. Both are long-time, well-known online free speech and anti-censorware activists; links from Monday's call for questions can tell you all about them. Anyway, here are their answers to your questions. They'll tell you everything you ever wanted to know about censorware and why it's not a good thing. There are also a lot of good tips about online and political activism in general contained in their answers; you may want to read this to pick up on those even if censorware and free speech aren't your personal "hot button" issues. (mucho more below)

1) Censorship: problem or symptom?
by Signal 11
I believe censorship is a result of various groups / countries wanting to protect their cultural identity (which includes their social taboos). The second thing I want to put forward is the fact that the internet is a culture-neutral medium - it breaks down the traditional geographical barriers that seperate us from other countries. Witness cultural exchange programs, founded under the premise that communication == exchange of ideas. That generally promotes a "blending effect" (for lack of a better description) between cultures.

My question is simple: in light of this, attacking censorware is only attacking the symptom, not the cause. What solutions do you believe are reasonable for accomodating the concerns of these groups? Going one step further, should they be accomodated?

Jim:
You're correct that censorware is only a symptom there is a reason why, for example, every year librarians and others "celebrate" Banned Books Week but I'm not certain that I agree with the premise that the Internet is a culture-neutral medium, particularly in the context of a censorship discussion.

To some cultures, whether national or here in the U.S., every advance in technology has been a threat. Planes, trains and automobiles have changed many cultures, and so has or will the Internet. In many nations, the Internet itself is a threat, which is why some try to keep it out completely, or to allow it only under highly controlled circumstances. A content-free Internet would be culturally neutral, but an Internet which includes hundreds of sites about The Satanic Verses can hardly be considered neutral to many in Tehran or Islamabad.

In the context of the Internet, any attempt to accommodate a particular group is fraught with danger. (Some) parents were concerned with what their kids might be exposed to, so censorware was developed for home use. But the moralists were not satisfied, so laws like the CDA were enacted. When it was struck down, in part because censorware was touted as a less restrictive alternative, legislators pounced and introduced legislation (still pending) requiring the use of censorware in certain schools and libraries, not just for children, but for adults as well. And of course, as discussed in YRO, there are renewed multinational efforts to revitalize and impose PICS.

History has shown that it is a fundamental mistake to believe that censors can be accommodated. If one wants to preserve a cultural identity, the way to do it is to inculcate the positive values of that identity, not to pretend that other cultures do not exist.

2) What can we do?
by Ex-NT-User
It seems the majority of governments that are instituting censorship legislation are doing this "behind their populations backs". And certainly without majority support of the people they govern over. Mailing/calling our representatives doesn't seem to help much since they just blow us off for special interest groups.

So what can we as individuals do prevent this? What other avenues can we take?

Irene:
I think one of the problems is that many politicians see the people on the Net as being a special interest group, so which special interest group should they listen to? Some politicians, for example, claim that people on the Net don't care about protecting children - you'd think no-one on the Net had kids if you didn't know better.

The problem of changing such perceptions is exacerbated by the tendency of people on the Net to do anything they can by email and not being willing to devote a little time to understanding the political processes involved.

So there's not just a question of what individuals can do, but what they shouldn't do. Here's some examples to explain what I mean from the recent anti-censorship campaign in Australia...

Some people set up email lists to automatically send the same message to all Australian politicians - it sounded like a great idea and heaps of well-intentioned people used these. The problem was, apparently, that many people sent rude, abusive emails. This is not the way to get one's point across and encourages the view that people on the Net are different from "ordinary" people. At the same time, the politicians who were already opposing the Bill received messages abusing them. Unfortunately, this encourages them to say "why bother?" - why shouldn't they support the pro-censorship lobby who quite likely aren't rude and say thank you?

During the campaign here, I rang the offices of my "representatives" who happened to be members of the opposition party just to say thanks for opposing the Bill. The staffers who answered the phone practically fell over themselves thanking me for bothering to call - they were so, so tired of the abusive emails and calls from people who hadn't even bothered to check what their policy was.

At one stage in the campaign here, it was reported that filter rules had been added to the Parliamentary email system, to give politicians the option of filtering anything about the Net censorship Bill into a separate folder. They were receiving too much email, which was interfering, apparently, with their ability to find email on other topics.

Another issue is that computers make it arguably too easy to just copy and paste texts that the cyber-liberties groups issue as suggestions, or that someone else has written. Standard texts are generally given little credence by politicians - they see it as just part of a campaign, too easy, from someone who doesn't care enough to bother writing their own views.

As well, there's the problem that many people don't even know what's going on. They don't read the newspapers regularly, certainly not the IT sections, and in Australia the TV news didn't mention the Bill until -after- the Senate approved it. Talk to people "in the streets" and you're likely to find even though they're not on the Net yet, they comprehend well enough to know the proposed legislation is silly, but hadn't heard about it. The spam problem has also made it quite difficult to get alerts out to a large portion of the Net community - those who don't subscribe to anti-censorshiop news/mail lists but who would be horrified to know what's happening in the halls of Parliaments.

So I think there's probably more don'ts than dos:

• discourage people from bulk emailing politicians,
• Discourage use of standard texts - and spend time writing in your own words,
• write snail mail or send faxes or phone up - in that order - don't email,
• ask for an opportunity to meet to discuss the matter - you've more chance of succeeding with this if your letter makes clear that you can provide useful information and are capable of rational, not emotional, discussion,
• find out what your representatives' views are before you contact them, or ask, or say something like "if you believe .... then....", don't assume what they know or think,
  
• respond to government inquiries, Senate Committee inquiries and the like. Don't leave this just to organisations and don't just write saying basically "I agree with [insert cyber-liberties group name]'s submission". Regrettably, this immediately marks you as just part of a "special interest" group,
• send thank you letters, or call to say thanks, when appropriate,
• talk to people off the Net about the Net - this is really important in terms of offsetting the power of the traditional media and the scare stories they love to distribute,
• write to newspaper/magazine editors etc when you see Net scare stories, and also write to them about why sensible stories are relegated to IT section (this happens in Australia more often than not, where they're mostly only seen by the already converted),
• read up on how to lobby politicians - there are books about this as well as Net resources such as:

Aust: http://www.zeta.org.au/~aldis/lobby.html
USA: http://www.neosoft.com/vtw/cda-lobby.html

Another idea is the "Adopt a Politician" efforts that have been undertaken in some areas. Individuals offer to help a politician learn about a particular Net issue - or the Net in general - before the next round of silly legislation hits their desk. Of course, not all politicians want to learn, but some do.

And:

"Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it is the only thing that ever has." - Margaret Mead.

3) Free speech in other countries
by /
As more countries' citizens get exposed to the internet and to the ideas of unbridled free expression, do you see further local pushes to enshrine free-speech protections in their charters or constitutions? Or do you see technology being harnessed to keep the masses in check as it has or millennia?

Irene:
I'd like to think the former, but I fear the latter's more likely.

Speaking from an Australian perspective, I think mere access to the Net has changed a lot of peoples' views about the supposed merits of censorship. When people see the potential for being jailed for saying something on a mailing list that they can say without fear off-line, what censorship is suddenly looks entirely different. No longer is it something that only applies to film distributors, publishers and the like.

Knowledge that people in other countries aren't subject to the same level of censorship can certainly encourage and bolster opposition to it. We had a case, http://rene.efa.org.au/censor/rabelais.html, in Australia recently where the student editors of a university journal were prosecuted for publishing an article called "The Art of Shoplifting". The judge said something like "nowhere in the world" would they be allowed to publish it. Someone on the Net knew that wasn't correct and drew relevant information to the defence team's attention which helped in their decision to appeal. Although they lost the appeal, a lot of attention was drawn to the case, surprisingly even in the traditional media - it seemed everyone was opposed to the prosecution. Eventually the prosecution dropped the charges. The law's still in place, but maybe the politicians etc who called for the students' scalps so to speak will think twice in future. I think the Net made a difference in this case in several ways - easier access to relevant information and knowledgeable people overseas and as a medium for communicating what was happening.

In short, it's becoming much more difficult for governments to justify their policies by saying "nowhere in the world" etc because ordinary individuals can more easily find out it isn't true. Not only that, they can read about, and discuss, why other countries have different policies and make up their own minds about what's best.

That is, of course, frightening to governments, so there's undoubtedly a severe risk of "technology being harnessed to keep the masses in check as it has for millennia". Many people saying no to censorship is the only thing that's even likely to stop it happening.

The question is, who'll win the race? Censorware developers claiming to have the "perfect" censorware seeking government contracts and/or industry contracts "encouraged" by government? Or increasing numbers of people on the Net getting informed and deciding to make their views known to politicians?

The "Internet industry's" reaction to government demands for censorship can also present problems as we're seeing in Australia right now. Government enacts legislation saying ISPs must block sites on government demand or face large fines. The Internet Industry Association (IIA) comes up with a way around the technical problems for them, that will make their life easier. IIA represents 60 of the some 700 ISPs in Australia but their recently approved Code of Practice for ISPs is now effectively law applicable to all ISPs.

The IIA Code requires that ISPs "provide for use, at a charge determined by the ISP, an Approved Filter" to each customer. So we're going to have users paying for censorware whether they want it or not. The IIA says that some ISPs will provide it for free, but the censorware vendors obviously won't give it to ISPs free. Even if the ISPs don't charge for it separately, they'll include the cost in Net access fees. There's no requirement for ISPs to offer users their choice of censorware, or provide any warnings as to the shortcomings of the filter, yet IIA claims this forced provision of censorware "empowers" the user.

Although users don't have to install or use the censorware, there's several potential censorship problems and I'll mention just one here.

ISPs complain about "clueless" requests for technical help from users. I've no doubt they do get such calls and that they take up a lot of their time. But what will happen when they start getting calls from those people who want to install the censorware (I assume there'll be some) but who have problems doing so? It will be an extremely undesirable outcome of the law if the ISPs incorporate censorware in their registration process/disk so it's automatically installed on a user's computers with the defaults set to block=on. Many people won't want to use censorware and a lot of these programs are very difficult to uninstall. Will ISPs themselves know how to do that, or give any sort of priority to customers trying to get rid of something the government requires the ISPs to provide? Will the censorware block access to the few (if any) web pages around that explain how to remove it? This scenario may not happen, but it's certainly possible some ISPs could do this. As it is, many people don't know the questions they should ask before opening an account with an ISP and this Code seems likely to make the problem worse for unknowledgeable people.

The Australian government has, for the moment anyway, dropped its requirement that ISPs block overseas content at the server level, probably because of a combination of massive public opposition and the industry etc pointing out that it's not "technically and commercially feasible" at present. Some of the censorware vendors tell the government it is and/or soon will be. Government mandated provision of censorware to every Australian Internet user will certainly place a great deal of extra money in the pockets of censorware suppliers - money that may well be used for developing censorware more suitable for installation on ISPs servers or backbones. I don't think the threat of censorship facilitated by technology is over in Australia yet, it may just be on hold. The Code of Practice ISPs have to comply with by law can be changed quite easily.

So, looking at the Australian experience for example, it's difficult to say whether access to the Net will lead to further local pushes to enshrine free-speech protections in law, or whether technology will be harnessed to keep the masses in check. There are numerous governments far more repressive than Australia's and technology being harnessed is obviously more of a threat in countries that don't claim to be democratic. One thing I am sure of is that anyone who promotes the development of censorware as a means of staving of government censorship either has rocks in their head, or doesn't know how repressive some governments can be. If you build tools that facilitate censorship, some governments will use them.

4) A proposal
by dclydew
It is obvious that "censorware" is a fatally flawed tool. Using technical solutions for social issues doesn't work. However, it's also clear that many parents don't want a T-1 full of porn available to their child every Monday through Friday. So I'd like feedback on the following proposal:

In areas where minors have access to public internet services (school/libraries), they would be given an account. This account would be accessible via a smart "library" card. The account is identified by account# only. These account#'s are logged along with sites that are visited by minor. At the request of a parent/gaurdian, a report can be generated so that they can determine if their child is acting within the acceptable boundaries set by the family unit. No one else would be permitted to use this reporting tool. This takes censorship out of the hands of everyone except the people legally responsible for the minor.

I belive that this approach removes all unnecessary layers of argument and leaves us with one question:

Should anyone (parents/gaurdians included) have the right to control what their child sees/hears/views for entertainment/etc. ?

This question obviously has a precedence: Children under 18 are not permitted to purchase pornography, tobacco, etc. However, a parent could permit their child to have such things. Perhaps by purchasing the items for the minor.

Please give me your thoughts....

Jim:
To be honest, my first thought is Orwell's 1984, or perhaps even some of David Brin's writings. You've just made it legal for the government to keep tabs on every Internet site visited by every minor, so long as the minor is using a government machine (public schools and libraries are a part of the government). Those who know me know that I'm not ultra-paranoid about government, but giving this much data to the government frightens me. I recognize that your intent is that the data only be made available to the parent or legal guardian, but can you think of a meaningful guarantee that it can't be misused? As I write this, I can't. (I suppose a script could be written which would automatically encrypt the data only to the parent's PGP public key or similar, but I'm thinking in terms of what would work for the vast majority, not just a fairly small minority.)

Now suppose, hypothetically, that rock-solid guarantees could be made. Where, and how, do you draw the age line? The actual age of majority differs somewhat among the states, but let's assume it is 18. Should a 17 year old be scrutinized as closely as a 9 year old? What if the 9 year old is particularly mature, the 17 year old particularly immature? And by the way, some states grant far more independent rights to minors than do most states or the federal government. For example, in California and Florida, a first trimester pregnant 14 year old has exactly the same right to an abortion as does a first trimester pregnant 30 year old no parental consent or judicial approval is required. (The U.S. Constitution sets minimum standards for individual rights; the states can not drop below the federal minimums, but they can, and some do, recognize more rights as a matter of independent state law.) If a 14 year old California girl has a right to an abortion without parental consent, would you give the parent access to the log of abortion-related web sites the girl has visited?

Then one gets to discrimination based on medium. In most public libraries, an unattended 15 year old can pull any book he or she wants off the shelves and read it cover to cover without the parent ever knowing. Should the rules be different if the text of that same book happens to be on the Internet?

Parents have the right, perhaps even the duty, to raise their children as best they can, to try to instill in them a moral code, whatever that code might be. If the parents choose to home school, that is their right, but if the parents let their children go out into the world, as most do, they do so knowing full well that their children will see/hear/read/do things which the parents will never know about, hoping that the children's upbringing will serve them well. Why should exposure to the Internet be different from everything else to which the minor is exposed?

Incidentally, proposals like yours have been considered and rejected both by pro-censorship types and by anti-censorship types. The pros don't want anyone, and particularly not minors, to have access to certain kinds of information. The antis don't want government assisting restrictive parents. What the so-called silent majority would say is anyone's guess.

5) Rhetoric of anti-censorship
by H3lldr0p
What arguments have you used to try and persuade people that censorware is not an acceptable answer to whatever problem they are currently having with the world at large?

I ask for two reasons. I have been a fan of Bradbury for some time and will always suggest that everybody needs to read _Fahrenheit 451_, but I have also recently read Ken Burke's "Rhetoric of Hitler's 'Battle.'" He argues therein that _Mein Kamf_ should not be censored on the grounds that history might repeat itself if we are unaware of what has gone on before.

Jim:
As a preliminary note, I am not familiar with Burke's work, but absolutely I oppose censoring Mein Kampf, or any other work I find extremely distasteful. And I say this as a Jewish person who had a number of ancestors exterminated in the Holocaust.

What works? One thing I've learned in more than twenty years as a lawyer is that you have to tailor your approach, consistent with that which is verifiably true, to your intended audience, while (hopefully) adding in something new and unexpected. For example, in our early reports, we at The Censorware Project stressed what we sometimes call collateral damage or overblocking -- wrongful bans of innocuous and valuable sites. This emphasis worked fabulously in our early reports, such as our first report on X-Stop in October 1997. Not only did the usual suspects take notice, but groups such as Filtering Facts and Family Friendly Libraries, which previously had specifically endorsed X-Stop, abandoned it like rats fleeing a sinking ship.

But while the point remains as valid today as it was then, more people have heard it before and say, in effect, "tell me something new." So in our most recent report on Bess, done about five months ago, we did exactly that, in part because a major focus of Bess is schools instead of public libraries.

In K-12 schools, you would think that the primary focus would be on blocking hard core sex sites, so we opened some eyes when we reported, based on our tests of real proxies actually in use in a number of schools, that Bess did not block HardCoreSex.com, as well as lots of other porn sites, most of which were not new - and we did not spend a great deal of time searching extensively for unblocked porn sites. In other words, while showing plenty of examples of the usual overblocking, we added in the new (for our reports) element of meaningful underblocking, a more attention-getting point to those who don't care about overblocking, because "It's for the children."

Not coincidentally, our Bess report was released on the day of the IPO of N2H2, Inc., the company which makes Bess. The stock price plummeted on the first day, and continued to do so for a good long while after, though it has since rallied. Whether there was a cause and effect is an exercise I will leave to market analysts and Slashdot readers.

One point which has to be emphasized, particularly if addressing a new product: there is no magic bullet, nor will there be absent a quantum leap in artificial intelligence technology. Each new product, and even each new release of an existing product, comes to the market with an almost teflon-like quality, magically cleansed of the foibles of its predecessors, because so many want to believe that censorware can do what the vendors claim it can do. It isn't so.

6) How much is too much?
by zantispam
I for one dislike censorship in all of it's forms. However, does government demand it?

Let me explain a bit...

Ok, here in the US, we have a right to free speech. Conversely, we have no right to be heard. What this means is that it's theoretically ok for me to say "I think that Clinton is a green donkey!". It also means that no one has to hear what I just said. Whether it be a function of censorship, or just because most people think I'm nuts, my view has not been heard. Nowhere am I guaranteed this right.

The problem with this is that it makes censorchip `legal', in a way. The [insert favorite agency to pick on here] can choose not to grant my right to be heard, and that's (unjustly, IMHO) ok.

My question is: Does government, in any form, require censorship to function? Put another way, do we necessarily have to give up our right to be heard by choosing to live in any type of society? Put a third way, is the right to be heard equal to the right to privacy (unlawful search and siezure).

Jim:
An important distinction needs to be made here, and that is where you want to be heard. If you want me to hear you while I am in my private home, you can't barge into my home, uninvited, in order to make sure that I hear you. Similarly, if a parent chooses to use censorware on their home computer in an attempt to protect or isolate a child, you can't force your Internet speech onto that home computer.

But while "censorship" can be used with a broader meaning, your reference to a favorite agency leads me to believe that you are talking about censorship by the government. If that is the case, then your premise is largely incorrect. There is a substantial body of case law dealing with so-called public forums, and their offshoot, limited public forums. There are exceptions to every rule (I did say that I'm a lawyer, didn't I?), but generally speaking, if the government makes available a public forum, it can not deny your right to be heard based on the content of your speech, so long as the speech itself is not unlawful (shouting "fire" in a crowded theater is the usual example). A public library is not constitutionally required to offer any Internet connections at all, but if it does provide access, it cannot discriminate based on the desirability of the speech, particularly with adult listeners. As a private citizen, I can decide that I only want to "hear" comments on slashdot which are scored 3 or better, but the government cannot decide that for me.

Of course, while I may have a right to have my lawful Internet speech heard in a wired library, this does not mean that I have a right to equal time with cnn.com. If their site gets more views than mine, c'est la vie.

You might be able to tell that I've been struggling a bit with your question, and it just occurred why - you really aren't talking about censorship at all if, at long last, I'm getting the question. In the narrow sense, it is censorship if the government prevents or deters me from speaking or you from hearing me. In a broader sense, it is censorship if any third person (or software imposed by a third person) prevents or deters me from speaking or you from hearing me. But it is not censorship at all, using any common meaning of the word, if I decide, of my own volition, that I simply do not want to hear what you have to say. Contrary to what at least one person has written, censorware opponents do not want to force anyone to read that which they do not want to read. Sorting information, deciding what is important to us, what is not, is something we do constantly, on and off of the Internet.

That is entirely different from someone else, and particularly the government, blocking you from information which you do want to read.

7) censorship, apathy, and the general population
by Requiem
How can we attempt to show the general population that censorship is not a good thing? It seems that people accept the spoonfed excuse of "it's for your own good"; how can we get people to think critically about the situation and come to their own conclusions?

Irene:
I'm not at all sure that people do accept "it's for your own good". In my experience, people in favour of censorship are usually worried about the effect seeing or knowing something will have on _other_ people. They're usually quite confident of their own ability to critically analyse information and decide for themselves whether or not it's a good idea to act on it, and of their own ability to control their own children (usually anyway). It's what other people, or other people's children, will do that worries them.

Try reversing that - saying to such people that _other_ people approve of censorship because they're worried about that person's inability to cope with information and you could have quite an interesting conversation. This won't work with everyone, but it will make some people start to think about their assumptions.

The American Library Association's site contains some useful information about motivations for censorship and tactics.

One thing that can make people start to question the merits of censorship is to make them aware of what's censored. The problem with censorship is most people have no idea - they never see what's censored - so they assume it's really really bad stuff (whatever that is in their view).

The banning of the shoplifting article I mentioned earlier was quite useful in this regard in Australia. Although it was banned in print, someone put it on the Web. A lot of people who read it couldn't believe there were laws that could put people in jail for distributing it - they saw it as intended humour, satire (not the best literary work but all the same). The law was made to look more ridiculous when one of the judges included the whole article in his decision upholding the ban on it. The Court decision, including the article, was published on the Web.

The Net's very helpful in this regard. When, say, a film's banned or cut, one can usually find a detailed review of it, or people overseas talking about in newsgroups or wherever. Governments' claims that banning is necessary to protect society etc. sound very silly when it's known that the film was released uncut in numerous other countries and there's no reports of any harm being caused.

It only takes a few examples of what's banned outright, or cut from films, to make some people start questioning their previous certainty that "government knows best."

With regard to the people who believe studies have proven that viewing something causes violence or whatever, about the only thing you can do is to learn about the research and studies for yourself so you can speak knowledgeably and argue about it if necessary. A section of my web site contains useful information and links in this regard.

8) Legal question.
by Weezul
Frequently censorware seems to target anti-censorship (sites/people) as much as they target porn (this was especially a problem in Australia). What can be done about this?

Are there laws in the U.S. or Australia that would allow people who censor anti-censorship sites to be sued?

Irene:
I don't know of any Australian anti-censorship sites targeted by censorware. If you have details I'd be interested in hearing about it.

In Australia, it's doubtful such sites/people would have much redress other than defamation, and proof of damage would be difficult. Same applies to ordinary user sites. A business blocked by censorware could consider an action for defamation, or deceptive business practices under the Trade Practices Act.

Jim:
Targeting anti-censorship sites is a problem here in the U.S. as well (Irene has answered about Australia). The Censorware Project, Peacefire and The Ethical Spectacle are among many anti-censorship sites which have been banned at various times by the censorware makers. (Interestingly, pro-censorware/censorship sites such as Filtering Facts and The American Family Association have been blacklisted as well.)

There is no specific law which would allow the owner of a blocked anti-censorship site to sue the censorware maker. Censorship, in the legal sense, involves state action, but there is no state action involved in the mere fact that a censorware vendor has added an anti-censorship site to its blacklist. However, there are at least three instances in which the owner of a wrongfully blocked site might be able to sue a censorware vendor or user.

First, if the censorware is being used in a public institution such as a public library, the site owner may well have standing to sue the institution for blocking the constitutionally protected speech at the site. In the Loudoun County, Virginia Public Library lawsuit, the action was commenced by library patrons, but the ACLU intervened on behalf of content providers whose sites were blocked in the library. The Library Board tried to argue that the providers had no standing to intervene, but the Court disagreed.

Second, one needs to look at the blocking category being used to block the site. The ACLU, for example, has been blocked by some vendors under the category "activist" or similar. Certainly I don't condone such blacklisting, but the categorization is factually correct. On the other hand, suppose that the site is miscategorized by the censorware vendor as a porn site instead of an activist one. (If you think that is ludicrous, read a mini-essay I wrote earlier this year.) Some have posited that the censorware vendor might be liable for libel. I would not bring such an action I defend those sued for libel, regardless of whether I agree with their particular speech but I do expect that the owner of some site wrongfully blocked as a porn site will test the waters.

Third, under either federal law or the laws of various states, there may be a claim for consumer fraud or false and misleading advertising if the vendor bans sites under incorrect categories. Most of the vendors have wonderful sounding statements on their sites about how carefully they make their lists and check them twice, but virtually every serious investigation of censorware has shown such statements to be utterly false. In some states, a remedy under this theory may be available only to customers who purchased the censorware in reliance on the false representations, but in other states, such as mine (California), virtually any member of the public could bring such an action.

----------

Next week we have *two* interviews to celebrate the year's end: First, L0pht Heavy Industries, with answers Friday. And in a separate "bonus" interview post Monday we'll be collecting questions for Jon "Maddog" Hall about Linux in the next century; Jon's answers will run Saturday (for obvious symbolic reasons). Enjoy!

Enoch Root was the first to submit a new briefing paper on internet anonymity, published by the libertarian Cato Institute and written by Jonathan Wallace. Wallace cites Supreme Court cases and important historical precedents in favor of anonymity - "Given the importance of anonymity as a component of free speech, the cost of banning anonymous Internet speech would be enormous."

TRUSTe, the steward of the most visible symbol on the internet, is making a tough decision today. Today, it reveals what it intends to do about its client Real Networks. At stake is whatever's left of its credibility. (Update: 11/08 02:55: Real got off on a technicality: "because the transmission of user data ... did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program.")

Unquestionably TRUSTe is the leader in third-party privacy assurance. Its only alternative is BBBOnline, which can boast only 100 members to TRUSTe's 750. But it's having a hard time living up to its motto, "Building a web you can believe in": sometimes it's hard to know what to believe.

TRUSTe's original idea was to allow a website to display one of three icons, indicating whether its privacy policy was good, ok, or bad. There turned out to be problems with this - strangely enough, no site wanted to post an icon saying that their privacy sucked - and the icons looked too similar anyway. So they went with one icon, a "badge" that every member site posts.

All the badge means is that the site has a privacy policy, and that, as far as TRUSTe knows, they haven't violated it.

If you think this is a questionable basis for a consumer advocacy group, you're right. But the real question is how it plays out in practice. Let's take a look at TRUSTe's track record.

Round I: TRUSTe and GeoCities. In June 1998, the FTC announced - to everyone's surprise - that it and GeoCities had come to a settlement regarding violations of consumer privacy.

Everyone was surprised because this was the first anyone had heard of it. Where was TRUSTe?

Caught flat-footed, TRUSTe scrambled for a few days, then made its own announcement. It pointed out that GeoCities had begun the alleged privacy violations before applying to become a member (in April) and being accepted (in May). Therefore, TRUSTe claimed, the violations were technically not under the scope of their investigation.

But turn that around and put it another way - it was able to become a TRUSTe member even while under investigation by the FTC, and TRUSTe said nothing.

It gets worse. The FTC and GeoCities issued conflicting releases about what the settlement actually meant. The FTC said that GeoCities had "misrepresented the purposes for which it was collecting personal identifying information" (including children's). GeoCities denied the charges.

So who was right? We still don't know. Despite this being precisely the issue that TRUSTe was set up to resolve, TRUSTe refused to confirm or deny the FTC's allegations.

In a 1998 open letter, I asked whether TRUSTe's initial review of GeoCities had included any really tough questions such as "are you currently under investigation by the Federal Trade Commission?" No answer. In fact, mention of the GeoCities incident seems to have been removed from TRUSTe's website.

The organization that wanted to make the FTC obsolete was not off to a good start.

Round II: TRUSTe and Microsoft. March 1999. This was the "Global User ID" case. It turned out Microsoft had been embedding a user ID into every document you created with their software. Since they put that ID on file when you registered their software, they have been capable for years of tracking authorship of even supposedly-anonymous documents.

And don't think it's just a theoretical concern. Just weeks later, the Melissa macro virus was unleashed, and its author was tracked down using this same ID. Any technology that can lead the cops to your door is potentially dangerous technology.

TRUSTe announced that this "compromises consumer trust and privacy" (duh), but said that since the Global User ID does not, strictly speaking, involve the Microsoft.com website, it had no jurisdiction. Their conclusion: "TRUSTe has determined that Microsoft.com was in compliance with all TRUSTe principles."

In reality, Microsoft's privacy page (prominently labeled with the TRUSTe seal) also discusses online registration of software products, and notes that the "personal profile" from their software registration appears on the website and is editable from the website. And that page claims that registration is covered by the TRUSTe guidelines. For TRUSTe to claim it's not requires some Clintonesque redefinitions.

CNET's headline was exactly right: "TRUSTe Clears Microsoft on Technicality."

Round III: TRUSTe and Deja News. April 1999. Again TRUSTe is taken by surprise when a computer sleuth discovers that Deja News has been collecting data on email sent by its users. When a reader clicked on an email link in a discussion posting, the destination email address was recorded, along with the presumable topic of discussion, the sender's IP number, and if registered, the sender's personal data.

This is not what one expects when sending private email! And this clearly involved Deja's website, so there was no question of another technicality.

TRUSTe's analysis of this situation was only two paragraphs long; here's all that happened:

"TRUSTe specified certain clarifying language to be included in the privacy statement. Deja News, independent of TRUSTe, then decided to discontinue the practice of tracking IP addresses in conjunction with the mail-to feature."

In fact, the situation was resolved long before TRUSTe even bothered to issue that statement. TRUSTe's suggestion of "clarifying language" had been obviated long before by Deja's indepedent action. See ZDNet's story of May 4th, which hopes that TRUSTe "will likely issue some sort of statement...this week." But TRUSTe stayed silent for four weeks.

Round IV: TRUSTe and Microsoft (again). A wide-open security hole in Microsoft's Hotmail is breached, and for a few hours everyone's inboxes are public domain. (If you don't think this is a serious privacy violation, read the stunning anonymous tale of cracking into an enemy's email, published on Salon.com the next day.)

TRUSTe's response is to call in an independent accounting firm to talk with Hotmail's programmers and security people, look over the source code, and generally try to make sure such a problem won't happen again. This isn't a bad idea - it just wasn't much of anything that Microsoft wouldn't have done on its own. Locking the barn door after the horse is gone doesn't help the people whose privacy has been lost. Microsoft is out of pocket a few bucks for the audit, and gets more than its money's worth by being able to say that TRUSTe still gives them a clean bill of health.

How can all these incidents have passed by without punishment of any kind? It's because of what TRUSTe is actually guaranteeing. Not that any company will actually keep its data private - but that the company is not lying in its privacy assurance.

That's right. You know those privacy promises you never read, the ones that are different on every website and all seem ten pages long? What TRUSTe does is promise you that, if you had read them, you'd know your rights.

If it wanted, a company could have its lawyers dress up "we will spam your email every day and sell your name and address to anyone who asks for them" in legalese, and get a TRUSTe badge on their homepage. Would you know you were being screwed? Not unless you speak fluent lawyer.

Is the FTC such a bogeyman that we really need to sell our privacy so cheap?

When Ralph Nader was pressing the government to impose strict safety standards on the auto industry, Henry Ford II complained that they were "unreasonable, arbitrary and technically unfeasible." After the laws were enacted anyway, a decade later he conceded: "We wouldn't have [these] kinds of safety ... unless there had been a federal law."

Imagine if our only automotive safety regulations were that Detroit must abide by its lawyers' fine print!

The usual argument is that requiring an actual guarantee of privacy would stifle business. The purpose in forming TRUSTe was to keep the internet corporation-friendly, by keeping the government out. TRUSTe was well-intentioned, no question. It was a noble experiment.

But, according to some influential people and groups, it has failed.

Forrester Research studies topics related to the internet and made privacy its concern in its September 1999 report, "Privacy Wake-Up Call." Its conclusions should not be surprising:

"Most privacy policies are a joke." Forrester says corporate privacy policies are legalese set up mostly to protect the corporations.

"Few companies meet key privacy protection principles." About 10%.

"Third-party programs show little traction." Hundreds of TRUSTe licensees don't amount to much on the billion-page net.

And, "third-party privacy firms...like TRUSTe...become more of a privacy advocate for industry rather than for consumers."

(Slashdot has more on this study.)

Even the Electronic Frontier Foundation, after years of straddling the fence on the issue, has finally recognized that self-policing just doesn't work. The EFF is not just the best-recognized internet rights advocacy group; it created TRUSTe.

Yet, in an October letter to the FTC, the EFF laid down its cards:

"Creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. ... We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. ... we think it is time to move away from a strict self-regulation approach to protecting privacy online."

The latest nail in the coffin came on November 1, when EFF Program Director Stanton McCandlish laid out the facts on the fight-censorship mailing list:

"Our stance has basically been that industry self-reg would be worth trying, but might or might not be enough. We did the 'proof of concept' ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure..."

(McCandlish's personal opinion is even more scathing. Follow the link to read it.)

You wouldn't know this if you read the TRUSTe website. Their homepage proudly tells you about the six-month-old Georgetown study, but makes no mention of the Forrester Research report. It tells you that the FTC supports self-regulation (based on Georgetown), but won't tell you that its own parent, the EFF, thinks the ride is over.

If TRUSTe is a consumer rights and advocacy group, why are they only feeding us the feel-good stories? Aren't consumer groups supposed to be the ones that dig up dirt and tell us about potential problems?

The money trail leads to the answer. TRUSTe isn't a consumer advocacy group. TRUSTe doesn't get its money from consumers. Its money comes from corporate sponsors, and nobody wants to bite the hand that feeds them. Besides, those corporations want the message to be one of constant calm. Concerned customers are not good for sales.

Remember the GeoCities FTC findings that TRUSTe wouldn't comment on? GeoCities had just done an IPO and millions of dollars were at stake. GeoCities' sister corporation Engage Technologies (they are both subsidiaries of CMG Industries) was a Contributing Corporate Sponsor of TRUSTe. That conflict of interest was never mentioned.

(GeoCities has since been purchased by Yahoo.)

Remember the Microsoft incidents that TRUSTe waffled on? Microsoft is not just a member, but also a Premier Corporate Sponsor of TRUSTe. That conflict of interest totals $100,000 per year.

Round V. By now you've guessed that this is leading up to the current furor over Real Networks. Real is a TRUSTe member. Do I need to mention that it's also a Contributing Corporate Sponsor?

TRUSTe said that it would render judgement on Real Networks by the end of last week. Now it's saying today.

And it's making noises like they're actually going to do something this time:

"We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC... I guarantee that the damage to the reputation of the first company that we do that to will be big."

For its own sake, it had better. We're talking about a company whose product is a Trojan Horse that secretly scans your hard drive for valuable personal data. If TRUSTe doesn't unload with both barrels, its credibility will be negative zero.

Anything TRUSTe does may have a negligable effect in any case. Corporations only understand the bottom line, and RealNetworks stock shot up 25% in the five days following the privacy debacle. With the company's market cap $1.9 billion higher than it was a week ago, how much are they really going to care about some nonprofit gnat?

We can hope. Real.com today unveiled its new website, a music portal, which investors will be watching carefully. Also happening today is a conference held by the FTC and Commerce Department for data-profilers to announce what they're going to do to protect privacy. So if TRUSTe were trying to maximize the effect of their announcement, today would be the day they'd pick. It could be that the gnat will have a nasty bite that surprises everyone.

Still - you can dress an organization up in not-for-profit clothes, but that doesn't change that it's beholden to its revenue stream. TRUSTe says we can trust them to be objective, on the theory that their revenue stream will dry up if they don't do right by consumers. So far, there doesn't seem to be much truth to that. They haven't been doing us right, but their number of contributors and members just keeps growing.

I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.

So far, all we've learned is what fails.

- Jamie McCarthy