[Infowarrior] - ISPs pressed to become child porn cops
Richard Forno
rforno at infowarrior.org
Fri Oct 17 01:41:15 UTC 2008
http://www.msnbc.msn.com/id/27198621/
New law, new monitoring technology raise concerns about privacy
By Bill Dedman and Bob Sullivan
msnbc
updated 4:40 p.m. ET, Thurs., Oct. 16, 2008
ISPs pressed to become child porn cops
New technologies and changes in U.S. law are adding to pressures to
turn Internet service providers into cops examining all Internet
traffic for child pornography.
One new tool, being marketed in the U.S. by an Australian company,
offers to check every file passing through an Internet provider's
network — every image, every movie, every document attached to an e-
mail or found in a Web search — to see if it matches a list of illegal
images.
The company caught the attention of New York's attorney general, who
has been pressing Internet companies to block child porn. He forwarded
the proposal to one of those companies, AOL, for discussion by an
industry task force that is looking for ways to fight child porn. A
copy of the company's proposal was also obtained by msnbc.com.
Privacy advocates are raising objections to such tools, saying that
monitoring all traffic would be an unconstitutional invasion. They say
companies can't start watching every customer's activity, and blocking
files thought to be illegal, even when the goal is as noble as
protecting children.
But such monitoring just became easier with a law approved unanimously
by the Congress and signed on Monday by President Bush. A section of
that law written by Republican presidential candidate Sen. John McCain
gives Internet service providers access to lists of child porn files,
which previously had been closely held by law enforcement agencies and
the National Center for Missing and Exploited Children. Although the
law says it doesn't require any monitoring, it doesn't forbid it
either. And the law ratchets up the pressure, making it a felony for
ISPs to fail to report any "actual knowledge" of child pornography.
That actual knowledge could be handed to the Internet companies by
technologies like the one proposed by the Australian company,
Brilliant Digital Entertainment Ltd. Known as CopyRouter, the software
would let ISPs compare computer files — movies, photographs and
documents — against those lists. Banned files would be blocked, and
the requestor would receive a substitute file provided by law
enforcement, such as a warning message: "The material you have
attempted to access has been identified as child pornography." The
attempt to send or receive the file could then be reported to law
enforcement, along with the Internet Protocol address of the requestor.
The CopyRouter relies on a controversial new technology called "deep
packet inspection," which allows Internet companies to analyze in real
time the river of data flowing through their networks. The pipeline
would know what was passing through it. You can read more about this
technology in Bob Sullivan's Red Tape Chronicles.
Child porn foes give proposal to AOL
A PowerPoint slide show from Brilliant Digital Entertainment
describing the technology was passed on to AOL last month by two
powerful forces in the fight against child porn: the office of New
York Attorney General Andrew M. Cuomo, who has been calling out ISPs
that won't agree to block sites with illegal images, and Ernest E.
Allen, the president and CEO of the National Center for Missing and
Exploited Children, a nonprofit given by Congress a central role in
the fight.
When msnbc.com inquired about the proposal, both Cuomo's office and
Allen said they were not promoting the technology, merely passing it
along to a committee of Internet service providers and software
companies as part of "brainstorming" on new technologies to detect
illegal images.
One of the leading experts on electronic privacy in the U.S. says the
proposal would clearly run afoul of the U.S. Constitution, essentially
setting up a wiretap without obtaining permission from a judge.
"This would be plainly illegal in the United States, whether or not a
governmental official imposed this on an ISP or the ISP did this
voluntarily," John Morris of the Center for Democracy and Technology
said after viewing Brilliant Digital's slide show. "If I were the
general counsel of an ISP, I wouldn't touch this with a 10-foot pole."
A spokesman for Brilliant Digital Entertainment disputed that, saying
the technology would be "non-invasive," would not compromise privacy,
would be legal in the U.S. and elsewhere, and most important, would
curtail the global proliferation of child pornography.
"I don't think it takes many voices before the Internet industry
separates out those who are prepared to build a business on the
trafficking of child sexual exploitation," said Michael Speck,
Brilliant Digital's commercial manager in charge of law enforcement
products. "If boxes started turning up with Pablo Escobar's special-
delivery cocaine inside, they'd stop it, they'd do something about it."
How it would work
Here's how CopyRouter would work, according to the company's slide show:
# A law enforcement agency would make available a list of files known
to contain child pornography. Such files are commonly discovered in
law enforcement raids, in undercover operations and in Internet
searches that start with certain keywords (such as "pre-teens hard
core"). Police officers have looked at those files, making a judgment
that the children are clearly under age and that the files are illegal
in their jurisdiction, before adding them to the list. Each digital
file has a unique digital signature, called a hash value, that can be
recognized no matter what the file is named, and without having to
open the file again. The company calls this list of hash values its
Global File Registry.
# Whenever an Internet user searched the Web, attached a file to an e-
mail or examined a menu of files using file-sharing software on a peer-
to-peer network, the software would compare the hash values of those
files against the file registry. It wouldn't be "reading" the content
of the files — it couldn't tell a love note from a recipe — but it
would determine whether a file is digitally identical to one on the
child-porn list.
# If there were no match, the file would be provided to the user who
requested it. But if there were a match, transmission of the file
would be blocked. The users would instead receive another image or
movie or document, containing only a warning screen. The makers of
CopyRouter claim that it can even be used to defeat encryption and
compression of files in the Internet's Wild West: the peer-to-peer
file-sharing tools such as Gnutella and BitTorrent. Many people use
those file-sharing systems for legal traffic, such as independent
artists distributing their music, or software developers sharing open-
source code. But others use them for illegal traffic in copyrighted
music and movies. They also are popular for distributing adult
pornography, which is legal, and child pornography, which is not.
Can software fool encryption schemes?
Encrypted files on the peer-to-peer network could not be decrypted by
CopyRouter, but the company claims it can fool the sender's computer
into believing that the recipient was requesting an unencrypted and
uncompressed file. The slide show calls this "special handling." This
is done by changing the underlying protocol settings that establish
how the sender and recipient exchange the file. This trickery, unknown
to either the sender or recipient, would make it possible for
CopyRouter to see the underlying files, calculate a hash value and
compare the files to the list of illegal files, Brilliant Digital says.
A photo of the company's first test machine can be found online, in
the online photos of the company's systems architect, Norberto "Beto"
Meijome, author of the PowerPoint presentation. Meijome's portfolio
of online photos on Flickr includes photos of his Cisco SCE router on
the day he unpacked and installed it, Sept. 11, 2007. He labels the
SCE router "the new toy."
Brilliant Digital Entertainment has a complicated past. Its
subsidiary, Altnet, made news in 2002, when its software shipped with
the Kazaa file swapping software, then heir to Napster’s throne as the
favored way for file swappers to illicitly trade music. Altnet's
program was designed to use unused bandwidth and processing power of
Kazaa users for such uses as paid advertising and promotions for
commercial products. The company claimed that this activity only
occurred if the customer allowed it, but some antivirus firms labeled
the software as spyware. Later, Altnet was sued by the recording
industry for its role in helping spread the popularity of Kazaa.
After settling a lawsuit with the music industry, Brilliant Digital
decided to approach file sharing from a new direction, selling
products designed to help copyright holders protect their intellectual
property. It now describes itself as a "significant online provider of
licensed film and music content."
Seeking allies to move the new product to market
Now the company wants to expand into a new product line: fighting
child porn.
"We have been working on it for some time," Speck said in a telephone
interview from Australia.
"We've been in negotiations with ISPs and law enforcement agencies and
content owners." Speck said he previously led the anti-piracy
organization of the Australian sound recording industry.
Now he's lining up meetings in the U.S. next month with Internet
providers and the National Center for Missing and Exploited Children.
In advance of his trip to the U.S., Speck spoke with the staff of
Andrew Cuomo, whose New York attorney general's office has been
pressuring Internet service providers to fight child porn. In June,
Cuomo announced he was investigating ISPs, using a modern version of
the public stocks to encourage cooperation. He set up a Web site
listing Internet providers around the nation that made the changes he
demanded, as well as "ISPs that have failed to make the same
commitment to stop child porn." Cuomo, who was recently cited by
McCain as one Democrat he would like to appoint to federal office, has
urged Internet service providers to block access to child porn news
groups and "purge their servers of child porn Web sites."
Speck had a conference call in September with Cuomo's staff, which he
said gave him a blunt description of the legal and privacy landscape
in the U.S.
"We'd be grateful for any assistance in getting this to the relevant
ISPs and law enforcement agencies, and making any adjustments
necessary," Speck said, recounting the conversation with Cuomo's
staff. "It was made very clear that, for this to be a viable law
enforcement tool, this would have to operate within the legislative
framework within the country."
After talking with Speck, Cuomo's office passed the proposal on to
John D. Ryan, AOL's senior vice president, deputy general counsel and
head of its public safety and criminal investigations unit. Ryan
received the slide show on Sept. 18, the day before attorneys from
Cuomo's office arrived at AOL's headquarters in Virginia to discuss
new technologies to fight child porn. Both Cuomo's office and AOL said
that the CopyRouter was not discussed explicitly during what was
described as a brainstorming session.
‘We have nothing to do with this technology’
"We have not pressured anyone to use this technology," said a Cuomo
spokesman, Matthew Glazer. "We have nothing to do with this technology."
At the same time, AOL's Ryan received a copy of the slide show from
the National Center for Missing and Exploited Children. Known as
NCMEC, this private nonprofit organization has an increasing role in
the law enforcement effort against child porn, and receives more than
$35 million in taxpayer funds each year. NCMEC and Cuomo's office have
worked together this year on the child-porn fight, holding a joint
press conference to announce Cuomo's Web site.
Ryan also has close ties to NCMEC, serving as a member of the board of
directors and as leader of its industry Technology Coalition on child
porn. Members of that group also include Yahoo, Microsoft, Google and
others. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
AOL officials said they did not feel pressured by Cuomo or NCMEC to
adopt any particular technology, adding that the company has a long
history of fighting child porn on its own initiative. "The
relationship with the attorney general is positive and partnering,"
Ryan said.
AOL's has a system of its own
AOL officials told msnbc.com that they already examine some files for
child porn, block access to those files, and provide evidence to law
enforcement. That system (called image detection filtering protocol)
apparently is based on the same general principle as CopyRouter,
comparing the hash values of files to a known list. But there are
significant differences between the two approaches.
AOL checks files uploaded as attachments to e-mail against a list of
files that AOL has identified as child porn. If the file matches one
on its list, the sender is led to believe that the file has been sent,
but it has not. AOL's methods have been shared with other Internet
service providers.
But AOL officials said a device like the CopyRouter would be more
extensive and more efficient for two reasons: AOL checks only e-mail
attachments, not Web searches or other Internet traffic, and its home-
grown list of banned files is much shorter than the lists compiled by
law enforcement and NCMEC.
"The library of hash values that AOL has, has been derived over time,
completely in house from reports from users and files we've stumbled
upon," said Christopher G. Bubb, an AOL assistant general counsel in
the public safety and criminal investigations unit. "So it's not a
government list. Courts have likened it to citizen provided
information."
Government role would be problematic
That distinction is important. Internet service providers could be
considered agents of law enforcement if they began comparing files to
a list provided by the police and intercepting traffic by substituting
a legal file for an illegal one. The Fourth Amendment to the U.S.
Constitution forbids unreasonable search and seizure by the
government. Courts have held that Internet service providers are
within their rights to examine the traffic that flows through their
pipeline — as they must do, for example, to combat spam — because the
scrutiny is being done by a company, not the government.
Although they said they could not pass judgment on software proposed
by any vendor, the AOL officials suggested that Brilliant Digital's
proposal might not work in the U.S., at least not without Congress
providing ISPs more legal cover.
""Keep in mind that this is developed in a totally different cultural
and legal regime. The Australian legal system is quite different from
an American legal system," said Ryan, the AOL executive. "It would
raise concerns. ... Would we be deemed an agent of the government?"
‘Not an intelligence-gathering tool’
Speck, the Brilliant Digital official, argued that CopyRouter would
not put ISPs in a law enforcement role because the list of banned
files would be managed by the law enforcement agency, not handed over
to the private companies. CopyRouter would consult that list, but at
arm's length from the companies.
"The responsibility is shifted to law enforcement," Speck said. "We've
delivered to Internet service providers something they've called
for. ... This is not an intelligence-gathering tool. This is not for
developing a list of users. This is an extension of what routers
already do."
But wouldn't the Internet service provider know which traffic
CopyRouter had blocked, and which user had sent or attempted to
download it? No, Speck said, because his company's product would be a
neutral middleman, not sharing information with the ISP or law
enforcement.
"All hashes are provided to Global File Registry, which manages a
secure data base and communications channel between law enforcement
agencies and the ISP such that the illicit file hashes targeted by law
enforcement remain private and secure to the relevant law enforcement
agency," he said in an e-mail after the interview. "There is no
personal (sender/receiver) information identified, and privacy is
maintained."
The company's slide show, however, does describe information on users
being passed directly to law enforcement. Any files that matched the
child porn list would be reported to a "law enforcement data
collector," along with IP addresses identifying the user's computer.
The slide show says, "Any hits here will generate a 'red' report,
which will be routed to the police collector server ONLY. These
reports contain full IP information."
Although Brilliant Digital says no law enforcement agency has signed
on to the CopyRouter plan, that hasn't kept the company from including
a familiar blue seal in its slide show. At each point when a law
enforcement computer is depicted, it bears a mark that closely
resembles the FBI logo. Only when the logo is magnified can one see
that it says "Friendly Bus Investigator" rather than "Federal Bureau
of Investigation." The FBI hasn't signed on to the plan, Speck said,
and the logo was not meant to imply any endorsement.
The FBI met a hailstorm of criticism in 2000 when the existence of its
Carnivore project was revealed. The packet-sniffing technology was
used to monitor and log traffic when installed at an Internet service
provider. The FBI by 2005 had stopped using the technology, in favor
of commercial tools.
New law may take law enforcement out of the loop
Under the new U.S. law, a system like CopyRouter might not require
involvement of law enforcement. The McCain portion of the new child-
porn law allows such a system to be set up by the Internet service
providers, because it gives them access to those lists of illegal files.
The key player in that transfer is the National Center for Missing and
Exploited Children. Although it's a nonprofit organization, NCMEC has
increasingly taken on law enforcement roles, with Congress requiring
that complaints of child pornography be sent to its CyberTipline.
Since 1998, NCMEC says, it has received more than 300,000 reports from
ISPs. And it gives them a daily list of Internet addresses that appear
to host child porn, so the companies can choose to block those Web
pages.
The new law authorizes NCMEC to go further, handing to Internet
service providers the list of files judged to be child porn. Law
enforcement agencies give those hash values to NCMEC, which will be
allowed (but not required) to give them to the ISPs. That cooperation
would allow the ISPs to use CopyRouter or their own home-grown
solutions, without including cops in the loop directly.
That provision was part of the SAFE Act, a bill introduced by Sen.
McCain and Democratic Sen. Chuck Schumer of New York. A McCain aide
called the bill a "NCMEC wish list." The SAFE Act also made it a
felony for ISPs to fail to report child porn, if they discover it,
with penalties up to $300,000 for each instance.
McCain's bill got caught in a tug-of-war with a broader bill written
by another player in the presidential election, Sen. Joe Biden, the
Democratic vice presidential candidate. Biden's solution leaned more
toward law enforcement, giving more money to the Justice Department
and state Internet Crimes Against Children task forces, which
investigate child pornography.
With NCMEC lined up behind McCain's bill, and other child protection
activists (and Oprah Winfrey) pushing for Biden's bill, Congress
finally passed them both: McCain bill was folded into the Biden bill,
which passed the House and Senate without objection. Republicans were
able to cut the spending in the Biden bill, down to $300 million.
With the new law in place, NCMEC has a plan for ISPs to use their new
access to the hash values.
"We believe that there needs to be more proactive, voluntary methods
to identify illegal child pornography content that bring it to their
attention," said Allen, the NCMEC president. "We are working with
leading ISPs to do that."
He said NCMEC's Hash Sharing System would share with Internet service
providers information on only the " worst of the worst" images of
child pornography. An image must depict a pre-pubescent child who has
been identified by law enforcement. And it must depict one of the
following: "oral, vaginal or anal penetration and/or sexual contact
involving a child whether it be genital, digital, or a foreign object;
an animal involved in some form of sexual behavior with a child; or
lewd or lascivious exhibition of the genitalia or anus. "
"Through this project, NCMEC is also working with the members of the
Technology Coalition to test existing software and develop new
technologies that will enable ISPs to identify apparent child
pornography images by hash value and block them," Allen wrote in an e-
mail.
Some ISPs willing to police copyright law
The idea of turning Internet service providers into cops has been
opposed and embraced by different ISPs in a different realm —
copyright protection. The recording and movie industries have pressed
ISPs to monitor their customers to detect traffic copyright
violations. AT&T has said it hopes to monitor for pirated content, and
has been in discussions with content companies, including NBC
Universal (co-owner of msnbc.com), which has pushed for such
filtering. Microsoft (the other co-owner of msnbc.com) has said it
opposes filtering by ISPs.
ISPs also have run into public and government opposition just for
slowing down, not blocking, some Internet traffic. The Federal
Communications Commission ruled in August, on a 3-2 vote, that
Comcast's limiting of BitTorrent traffic was illegal. Comcast said it
was merely trying to keep the flood of peer-to-peer file sharing from
slowing down the Internet for everyone else. As for CopyRouter, the
company's manager said it would not slow down Internet traffic
noticeably, because it's not inspecting the contents of files, merely
comparing their hash values to a list, which can be done quickly.
Privacy advocates have already raised objections to deep-packet
inspection. Earlier this year, a California company named NebuAd
proposed a service that would observe Web surfers’ Internet habits
through machines installed at ISPs, then inject context-sensitive
advertising into the Web sites the consumers visited. It called the
system "Behavioral Targeting." Public outcry and rumblings of an
investigation from Congress led firms considering the technology to
pull out.
Morris, of the Center for Democracy and Technology, said Brilliant
Digital's plan constitutes an illegal wiretap, and would run afoul of
the Electronic Communications Privacy Act. No firm can listen in on
private communications unless it is instructed to do so by a law
enforcement official with a proper court order, he said.
‘Enormous First Amendment problems’
Even then, no government agency — even a law enforcement agency or
state attorney general's office — could impose a requirement to stop
all files on a blacklist, or otherwise create a list of forbidden
content, Morris said. Such a list would not pass constitutional muster.
"You can't declare speech, or images, illegal without judicial
proceedings," Morris said. "... That creates enormous First Amendment
problems. You can't have an agency or outside firm acting as judge and
jury on these images."
Also, blocking images before they were delivered would constitute a
prior restraint of communication, Morris said, violating the First
Amendment right of free speech.
Other methods used to combat child porn — logging IP addresses of
frequent senders and investigating them, by using a subpoena to force
ISPs to reveal the name, and then knocking on the user's door — raise
no such constitutional issues, Morris said. He compared that to a law
enforcement official overhearing illegal speech in a public place and
prosecuting a speaker. Brilliant Digital's scheme, he said, is more
like picking up a telephone and listening in on private conversations.
"As horrible as child pornography is, and it is horrible, you still
have to follow the Constitution," Morris said.
At NCMEC, Allen said the privacy interests are being heard. "We have
been very sensitive to legitimate free speech and privacy-related
concerns. That is one of the reasons we are focusing exclusively on
pre-pubescent children and the most egregious images. That does not
suggest that child pornography images involving 13-year-old children
are acceptable or less serious, however, traditional law enforcement
investigation and prosecution efforts are being used for those
situations."
A different approach
Another child protection group has a different approach. The National
Association to Protect Children, which advised Sen. Biden on his bill,
said that blocking of files by Internet service providers could easily
be seen by the public as "overreaching," making it harder to get
public support for efforts of law enforcement. What's needed, said the
group's executive director, Grier Weeks, is for cops to investigate
the leads they already have.
"The Department of Justice and all 50 attorneys general are sitting on
a mountain of evidence leading straight to the doors of child
pornography traffickers," Weeks said. "We could rescue hundreds of
thousands of child sexual assault victims tomorrow in America, without
raising any constitutional issues whatsoever. But government simply
won't spend the money to protect these children. Instead of arrests by
the Federal Bureau of Investigation, the child exploitation industry
now faces Internet pop-ups from the Friendly Bus Investigators. That
was always the fundamental difference between the Biden bill and the
McCain bill. Biden wanted to fund cops to rescue children. McCain
wanted to outsource the job."
Sen. McCain's general counsel, Lee C. Dunn, said that he's happy that
both the law enforcement and technology approaches became law, that
his focus was on protecting children. She said the new law does not
require any Internet provider to monitor traffic.
"They have the responsibility and their right to manage the network as
they wish," Dunn said. "If AOL wants to monitor their network for
child porn, some customers may go to them, because they'll keep them
from getting this stuff showing up in their e-mail. Other companies
may choose not to, and other people may prefer that. We're not
dictating to them that they monitor their network."
Brilliant Digital Entertainment is betting that most internet
companies will choose to monitor their customers. Michael Speck said
his company's product pitches have been well received by law
enforcement agencies, government officials and Internet service
providers.
"I don't think there's anyone in the Internet space," Speck said, "who
doesn't think fighting child sexual exploitation is good business."
© 2008 msnbc.com
URL: http://www.msnbc.msn.com/id/27198621/
More information about the Infowarrior
mailing list