Slashdot Mirror


Symantec Tries to Censor Criticism

KnobDicker writes "Wired News reports Symantec is pressuring the ISP that hosts the Peacefire anti-censorware organization." Peacefire's founder, Bennett Haselton, wrote a decryptor for Symantec's software's blacklist and posted just that. His tests found that 76% of its .edu blocks were incorrect and that the software violates its privacy policy. Symantec's response? Threaten a lawsuit. But Peacefire isn't backing down. More below...

Let's first get the facts straight. Peacefire has not posted copyrighted material. It has posted code to decrypt I-Gear's encrypted blacklist. This is exactly like the DeCSS case, except the goal is criticizing a product instead of space-shifting movies.

The criticism here is that 76% of the .edu-domain blocks are wrong. This is a huge number. This suggests that, for every time the product blocks you from offensive material at an .edu Web site, there are three other times it blocked you from perfectly ordinary material.

While there are some people (like Bruce Taylor of the National Law Center for Children and Families) who would like to deny it, nobody's making this stuff up. Censorware really does suck. In fact, Peacefire did the same thing to X-Stop, another blocking package, two weeks earlier, and found a 68% .edu error rate. (But its maker hasn't threatened to sue. Yet.)

So what did Peacefire learn about I-Gear? A description of a milking machine system written in Spanish - blocked. Tricks for a flight sim game - blocked. A page entirely in Latin - blocked. Volumes 4 and 6 of "Decline and Fall of the Roman Empire" - blocked (but you can still read Volumes 1, 2, 3, and 5, go figure).

Furthermore, Peacefire revealed that Symantec is apparently violating its privacy policy by sending information to its servers without telling the user. Your Windows-registered "real name" and "company name" secretly get sent back to Symantec.

You may recall Haselton's Slashdot story "Keep it Legal to Embarrass Big Companies," from two weeks ago. He wondered if these kinds of pressure tactics would be the response to his efforts. It's already started.

The legal issue appears to be whether Symantec's End-User License Agreement (EULA) can contain a clause prohibiting reverse-engineering - and whether that clause can be enforced. UCITA will be the thousand-pound gorilla here, providing real legal muscle behind onerous EULAs. Fortunately, the current legal situation is more iffy, and cnet's story talks about that a little.

Symantec wants to distribute I-Gear only on the condition that nobody looks under the hood or says anything bad about it. And UCITA would back that up - by sending people like Haselton to jail for revealing products' flaws.

And then there's the question of why Symantec is using lousy crypto in the first place. As KnobDicker concludes: "Rather than being thankful that Haselton has conducted testing and work that they should have done themselves in the first place (for *free*), Symantec is crying in their beer and threatening to break out the lawyers to quash the bad press. Chalk up another one for the Open Source model's system of thorough peer review instead of development in a proprietary vacuum."

11 of 328 comments

  1. Give a little, get a lot by alighieri · · Score: 5

    I urge everyone who supports anti-censorship causes like this one to go to the PeaceFire site and buy a t-shirt and give a donation. The last time PeaceFire was featured in an article a number of people bought shirts, but nobody made a donation. Bennett is not making money off the t-shirt sales. Giving a little, even just $US5-10 would be helpful, and would bring the price of the t-shirt up to what you'd normally see.

    ----------

    --
    "And I thought 'Reverend Billy ...', you know, which is good 'cause when I think 'Reverend Debra
    1. Re:Give a little, get a lot by Weezul · · Score: 5

      Yes, we should all contribute to peacefire.org (and the ACLU, and the EFF), but do not forget that there is activism we can do on the coding side too. Examples:

      (1) We need to get as many people as possible to link to peacefire.org and censorware.org. Actually, we need an XML blocked site of the day list which people can display on their web pages (a la a slashbox). Banned book lists are very effective in raising awareness of printed media censorship, but only when everyone displays the banned book list. Plus, this convinces members of special interest groups that their sites are being blocked.

      If we could really get a campaign going to link to peacefire and mirror peacefire's info on banned sites and instructions for disabling the software.

      (2) We need a Perl/CGI module to identify any blocking software that the person viewing your page is using. This allows your page to react differently depending upon whether its viewer is using censorware or not. This could have a variety of interesting effects including:

      (a) People putting up pages which turned into pornography when viewed via censorware. This would be funny as shit; and lots of people doing this would mean that the chances of accidentally viewing porn would go way up when you install censorware.

      (b) Technically, pedophiles could use these types of CGIs to identify children browsing the internet, so censorware could be accused of *possibly* attracting pedophiles to kids! More realistically advertisers would use the script to make advertisements which exploited children more effectively and further endangered privacy.

      (3) We need ActiveX controls which disable censorware! I know peacefire has instructions on disabling censorware, but an ActiveX control would be simple and lots more people would put it on their web pages.

      There are a lot of other purely code / web projects which need people to work on them (like finding flaws in censorware).. these above projects are just the most obnoxious.. so they seem like fun to discuss.

      --
      The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  2. Fair Use by 348 · · Score: 5
    The DMCA does permit cracking devices to conduct encryption research for the purpose of interoperability and to test computer security systems. Fair Use. This is what Haselton has done, plain and simple. Reverse engineering is addressed in the DMCA for certain areas. Haselton was fully within the realm of information security validation.

    Remember when Sony filed suit against Connectix for essentially the same thing? End result was Sony lost because the court of appeals stated that Connectix was in compliance with the DMCA and that this use of reverse engineering is protected under fair use.

    --

    More race stuff in one place,
    than any one place on the net.

    1. Re:Fair Use by Kaa · · Score: 5

      The DMCA does permit cracking devices to conduct encryption research for the purpose of interoperability and to test computer security systems.

      True. So far so good.

      Fair Use. This is what Haselton has done, plain and simple.

      That's not a question of fair use. It is explicitly permitted to sue people under DMCA even if there was no copyright infringement whatsoever. Yep, that's one of the beauties of DMCA: the act of breaking protection is the offense in itself, regardless of the rights that you might have with regard to the protected copyrighted material.

      So fair use doesn't fly here.

      Reverse engineering is addressed in the DMCA for certain areas. Haselton was fully within the realm of information security validation.

      See, the problem is that judges (with some notable exceptions) are not stupid. They can understand why Haselton broke the encryption just as well as we all do. There is no interoperability issue (interoperability with what??) and the "testing security" defence looks *very* shaky to me.

      I'm getting tired of pointing out that DMCA does, really really does criminalize standard actions that we all take for granted. It's not the case of some judge "not getting it", it's the case of a very bad law that must be repealed or at the very least castrated.

      Remember when Sony filed suit against Connectix for essentially the same thing?

      Not the same thing. Connectix did the full-blown clean-room reverse engineering thing and they were able to show and document that the room was "really clean". That's why they won. Besides what Connectix was doing was a straight interoperability example.

      You've been warned: until something is done about DMCA we are going to see uglier and uglier applications of it.

      Kaa

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
  3. Honestly, no surprises... by Count Spatula · · Score: 5

    At least, I'm not surprised. Symantec has lots of money and lawyers, and they are the average petulant company, pissed that someone isn't playing exactly by their rules.

    Some of you may recall that Solid Oak Software has threatened Peacefire in the past. Hell, Solid Oak has even mail-bombed detractors and has recompiled their CYBERSitter software to generate a fake error message if it finds peacefire.org in your browser cache on install. Don't be surprised if Symantec does equally vile things to their consumers. After all, censorship is vile business. Certainly, there is no reason for this attack on Peacefire other than to "get even" for questioning their "moral" authority.

    The only thing we can hope for is that this will result in a win for Peacefire. Otherwise, get ready for Big Brother in full effect...

    --
    -- Count Spatula: The Culinary Vampire "...because my cooking sucks."
  4. How about doing it right then?? by whoop · · Score: 5

    One large argument I see from many of you is that censor proxies have too many valid sites blocked. Well, how about taking the Open Source/distributed.net approach? I know there are some for squid. How about a system where each morning/once a week/whatever a group of moderators are sent URLs to check up on. They do so, trying to determine if it's some directory, or the whole domain that gets listed. If there is porn (a set of standards would have to be established), they report back and it's added to the blacklist. I know I would be willing to take a few minutes every once in a while to do so. You could have a whole system of checks on the web site, if someone doesn't agree with a blacklisting, it's sent to two or three moderators and if they don't agree it's removed. If someone finds a new porn page, they can submit it and it's added to the queue. If there were hundreds of moderators, like Debian does with its packs, each individual has only a small workload.

    Then every week or so the HQ web site puts out a new blacklist. We can have all kinds of easy update utils to help those not squid-knowledgeable, and some folks could make a Windows application to do it for those folks as well. Heck, if the existing censorware's methods are decrypted like this one, we could write utils to encrypt it again and drop it in to their directory.

    I'm not going into whether you like blacklists or not, so let's keep these to ways of doing it correctly, since these other programs don't seem to do it very well. Using an open source list, and appropriate means of rectifying errors, we can do it properly.

  5. Re:Why edu? by Kevin T. · · Score: 5

    There is no implication that a similar number of .com sites are blocked. The only way to determine that is to do what Peacefire did with .coms.

    The reasons .edu is a good target for Peacefire are:
    1) k12.edu sites often have pages made for group projects by kids under 18, the ones who are supposedly being protected.
    2) These same kids will probably end up looking at university sites (or the Smithsonian, if their project is on George Lucas's use of mythology...blah) for those same projects. Doing a report on Diocletian? Go to that Calvin College site and grep (or "find" in Netscape) for his name. Unless, that is, the pages are blocked.
    3) The signal/noise ratio on .edu sites must be relatively good-- .com has too many sites, and too many lousy/ trivial sites, to be a good test subject. Sure, there are lots of pointless student homepages, but most students don't have time to completely fill up their 5 MB with pictures of their friends. Moreso, .edus must have very strict rules governing what students can put up-- most student-run porn sites on a Uni server will go down really quickly. Finally, .edu sites tend to be well-indexed by search engines, including their own internal engines (meta-crawlers get a lot of .edu hits).
    4) If you are out to Prove Something, like Peacefire, Greek and Roman histories/ literature translated into English SGML are valuable statistics-boosters. I haven't gotten to Vol. IV of Gibbon yet, but I would venture that any good translations of Sophocles's plays have frequent use of words like "bitch." Despite this, who's going to argue that high schoolers shouldn't read Sophocles? (Thomas Bowdler would, but he's dead.) It's very convincing to point a figure at the percentage of .edu blocked.

    Remember that, at least according to the Al Gore types, the Big Use for the Internet is .edu. That's what Internet 2 is supposed to be-- returning the bandwidth to .edu and .gov. So, it seems reasonable to plant the battle flag on .edu

    --Kevin T.

  6. More proof that censorware does not work by Tassach · · Score: 5
    Given the highly dynamic nature of the web, it's impossible to assemble a definitive list of offensive sites. Keyword blocking will never work, given the fact that many words have multiple meanings. Even the most advanced AI cannot make the kind of intelligent value judgements that are required. Blocking lists will never work, period. The only software system that could possibly achieve the goal of keeping kids from seeing things you don't want them to see is to develop a list of approved web sites, and only allow access to those sites. Of course, this destroys virtually all the useful value of the web; and such a system would be totally unacceptable for adults. Censorware is nothing more than snake oil; sold to the fearful and paranoid who don't know any better.

    Even if you had 95% accuracy (which is far, far better than anything on the market actually achieves), there would still be an unacceptable number of unblocked sites and mistakenly blocked sites. Let's assume there are 10,000,000 web sites; under a given rating system, 1,000,000 are blockable, and 9,000,000 are permissible. With 95% accuracy you would have 50,000 sites that should be blocked that are not, and 450,000 sites blocked that shouldn't be.

    What really makes me scratch my head is why adult-oriented sites provide links to the various censorware sites. Webmasters, particularly adult webmasters, should be the LAST people on the planet to lend legitimacy to these snake-oil salesmen and wanna-be thought police.

    The internet is an amazing resource. Like the real world, cyberspace has much to offer; some of it appropriate for children, some of it not. Parents need to be educated that they need to supervise their children in cyberspace just as much as they do in meatspace. If people spent half as much money and effort promoting parent education as they did promoting ineffectual censorware, they might actually achieve their stated goal of protecting the children. Unfortunately, for most of these people "protecting the children" is a merely convenient cover for their real agenda of forcing their religious beliefs down everyone else's throats.
    "The axiom 'An honest man has nothing to fear from the police'

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  7. An offtopic anecdote re: cum by Savage Henry Matisse · · Score: 5
    My girlfriend was in a Women's Studies program at a major midwestern University for a few semesters. She recalls one lecture when a prof-- a fairly well-known feminist theorist who'd done a lot of work on porn-- stopped mid-lecture to relate this anecdote. She (the feminist prof) had been lecturing on "facial cum shots" in porn videos and photography, talking about what the act of ejaculating on a woman signified. Apparently (and this highlights one of those "academia in a vacuum" sort of problems) she'd researched this sort of material for years, always referring to them as cum shots (pronounced "koom," Latin for "with"). She had a classical education (including Latin and Greek) and couldn't for the life of her figure out why the Adult Entertainment Industry (not usually a bastion of the classically educated) chose to give such images a latinate name. And what did they mean by "cum"? A "with" shot? With what? Ejaculate, she assumed, but the name was still something of a mystery. It was years later, midway through delivering a speech at a symposium, when she had the sudden revelation that this cum was pronounced come not koom and had nothing to do with Latin prepositions.

    (I know, it's miles off-topic, but still a good story.)

    --
    Much Love,
    "S"HM
    *****
    (I refuse to spellcheck out of contempt for your belief system)
  8. Re:Come on... by Quintin Stone · · Score: 5
    You were welcome to conduct your own analysis of Symantec's blocked site list. Peacefire made their software freely available and posted a link to the URL database on Symantec's server... until Symantec rendered their link useless. Kind of makes it hard for anyone to counter Peacefire's numbers, and it was Symantec's decision to do so.

    Maybe they do have something to hide?

    Did you read Peacefire's site? According to them:

    We found that portions of the Web sites of the American Civil Liberties Union (ACLU.org), the Electronic Frontier Foundation (EFF.org), the Center for Democracy and Technology (CDT.org), the Electronic Privacy Information Center (EPIC.org), and the Censorware Project (Censorware.org) were blocked by I-Gear in its "pornography" category. On the other hand, none of the major pro-censorship groups (enough.org, frc.org, afa.net, fotf.org, etc.) had portions of their Web sites blocked.

    And the pro-censorship response?

    "I don't trust that Peacefire is telling the truth," Taylor said. "It's all part of the cyberpunk revolution. They don't like the government telling them that they don't have free access to the Internet. It's like 'Lord of the Flies,' and they think they have the conch."

    Oh, God, what an idiot. There are so many things wrong with that statement, I don't know where to begin!

    --

    "Prejudice is wrong; you should hate everyone the same."

  9. St. Augustine is apparently smut!!! by Lucretius · · Score: 5

    OK, now I'm really beginning to wonder. One of the pages that was censored was 75k of Latin (at least according to the description). Well, being a Latin major I was intrigued and decided to check this out. It turns out that this is part of the Confessions of St. Augustine, perhaps one of the most famous theologians in Christianity!!! The rest of the corpus is located in the same directory, but apparently not blocked either, but I still find it quite humorous that Symantec thinks St. Augustine to be worthy of censorship. Must be Calvinists and Lutherans, only plausible explanation. :-)