SCC's SmartFilter Bans Crypto/Privacy Website(s) as Naughty, not Nice?


Vin McLellan (vin@shore.net)
Thu, 24 Dec 1998 03:59:49 -0500


        This is an amazing story! Security Computing Corporation
<http://www.scc.com> sells a content filter ("SmartFilter") which is used
to restrict web access from within corporations and other organizations.

        Lauren Weinstein, the moderator of the widely respected Privacy
Forum, a mailing list and website on the Internet at
<http://www.vortex.com>, recently reported that for over a year (see the
attached post) corporate employees at sites which use SCC's SmartFilter
have typically been restricted from accessing the Privacy Forum website or
archives because of the Privacy Forum's occasional discussion of cryptography.

        These discussions -- no code, all high-level discussions of civil
and ethical values, policy, and crypto politics -- were apparently enough
to define the Privacy Forum website as a repository of "criminal skill."

        Some SCC corporate customers, according to Weinstein, had
explicitly asked for crypto resource sites on the web to be defined as
off-limits. It is still unclear how those requests (one from the corporate
site which brought the matter to Weinstein's attention) resulted in SCC
staff labelling the Privacy Forum website -- along with, one must presume,
many _many_ others -- as a repository of criminal skills. (Other sites
which fall into this SmartFilter category include, for example, websites
which make available information about what ingredients can be used to make
a bomb. Shades of Wassenaar and ITAR.)

        What is amazing, of course, is that Secure Computing is one of the
more sophisticated vendors in computer security. There are a lot of smart
people at SCC who will doubtless cringe when they hear this story.

        It may, in fact, seem hilarious to some of them that SCC's website
evaluation staff (and the web filters they use to express and embody their
judgements) could categorize a privacy site as "criminal" just because it
archives discussions of cryptography and crypto politics. Some of the best
of those discussions, for instance, may have involved SCC employees like
cryptographer Rick Smith;-)

        What is _really_ sad is that -- when Weinstein complained that a
website categorized as offering "criminal skills" by SCC's SmartFilter
staff may, with no recourse, suffer irreparable harm -- the best and
most daring response SCC could come up with was to promise to set up a
website at which organizations and commercial entities could query the SCC
database to see how SCC's website evaluators labelled them.

        (This, of course, presumes these organizations hear about SCC's
SmartFilter product.... It also presumes that representatives of those
agencies, firms, or organizations feel compelled to inquire to see if SCC's
professional moralists labelled them in some similarly eccentric category.)

        Not exactly clear on the concept, those clever SmartFilter folk.

        Frankly, not in a million years would anyone outside of the bowels
of the Hoover Building consider crypto savvy (or an obsession with privacy)
as inherently "criminal." Not yet anyway.

        I do hope that SCC has sold a few thousand copies of SmartFilter
which routinely block corporate employee access to some feisty, litigious,
and well-networked civil libertarian groups like the ACLU, EPIC, CDT, or PI
as repositories of Criminal Skills. Oh, yes indeed!

        In fact, if the Privacy Forum was labelled as "criminal" because of
an occasional discussion of crypto, does it make sense that the websites of
SDTI/RSA, Entrust, IBM, MS, Netscape, et al, eluded the ban and some
similar label? Inquiring Minds wanna know.

        The SmartFilter has been awarded "certification" by the
International Computer Security Association's testing labs:
<http://www.icsa.net>. The SmartFilter data sheet is at:
http://www.securecomputing.com/P_Tool_SF_Docs.html and there is a white
paper at: http://www.securecomputing.com/sfwhitep.pdf
SCC provides SmartFilter access controls adapted for both Unix and Windows
NT, as well as for the Microsoft Proxy Server, the Netscape Proxy Server,
several firewalls, the CSM Proxy Server, the NetCache Proxy Server, and the
Squid Proxy Server.

        Feliz Navidad,

                _Vin

------- original message -----------------

> From: privacy@vortex.com [SMTP:privacy@vortex.com]
> Sent: Sunday, December 20, 1998 4:58 PM
> To: PRIVACY-Forum-List@vortex.com
> Subject: PRIVACY Forum Digest V07 #21
>
> PRIVACY Forum Digest Sunday, 20 December 1998 Volume 07 : Issue 21
>
[...]
>
> Date: Wed, 16 Dec 98 12:25 PST
> From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
> Subject: Privacy Discussions Classified as a "Criminal Skill"
>
> Greetings. Is discussing privacy in the PRIVACY Forum a criminal skill?
> According to one widely used commercial web filtering tool, the answer was
> yes! The controversy over software to block access to particular sites,
> based on perceived content, has been continuing to rage. Attempts to
> mandate the use of such software in environments such as libraries and
> schools have raised a variety of serious concerns. In addition to fairly
> straightforward freedom of speech issues, another factor revolves around
> how accurate (or inaccurate) these filtering systems really are.
>
> I've now seen firsthand that errors by a filtering system can indeed be quite
> serious, an event that seems to certainly validate some of these concerns.
> But there is something of a silver lining to the story, as we'll see
> later.
>
> I recently was contacted by someone at a large corporation, who was trying
> to reach the PRIVACY Forum web site, which is constantly being referenced by
> individuals and commercial, educational, government, and other sites around
> the world. This person was upset since whenever they attempted to reach
> the http://www.vortex.com site and domain that hosts the PRIVACY Forum,
> their web software blocked them, informing them that the block was in place
> due to the site being categorized as containing "criminal skills."
>
> As the webmaster for the vortex.com domain, this certainly came as news to
> me. The message they received didn't give additional information--they
> didn't even know exactly where it came from. It was apparent though, that
> the entire organization was probably blocked from reaching the PRIVACY
> Forum, since the filtering software in question was affecting a main
> firewall system.
>
> After a number of phone calls and discussions with the system administrator
> for that organization, the details began to emerge. The company was running
> a filtering software package from Secure Computing Corporation of San Jose,
> California. This package received weekly updates of blocked sites in a wide
> variety of categories, one of which was "criminal skills."
>
> The administrator had no idea what rationale was used for these decisions,
> they just pulled in the list each week and applied it. He immediately placed
> vortex.com on a local exception list so that it would no longer be blocked to
> their users.
>
> I then turned my attention to Secure Computing. After a number of calls, I
> found myself speaking with Ken Montgomery, director of corporate
> communications for that firm. He confirmed the information I had already
> received. The filtering product in question ("SmartFilter") was apparently
> not being marketed to individuals, rather, it was sold to institutions,
> corporations, etc. to enforce filtering policies across entire entities.
> The product covers a wide range of information categories that users of the
> software can choose to block. He said that the majority of blocked sites
> were in categories involving pornography, where there was (in his opinion)
> no question of their not belonging there.
>
> The "criminal skills" category reportedly was broadly defined to cover
> information that might be "of use" to criminals (e.g. how to build bombs).
> He had no explanation as to why my domain had been placed in that list,
> since by no stretch could any materials that are or have ever been
> there fall into such a categorization. He did discover that the
> classification of my domain had occurred over a year ago (meaning
> other sites could have been receiving similar blocking messages for
> that period of time when trying to access the PRIVACY Forum) and
> that the parties who had made the original classification were no longer
> with their firm--so there was no way to ask them for their rationale.
> (All of their classifications are apparently made by people, not
> by an automated system.)
>
> However, it seems likely that the mere mentioning of encryption may have
> been enough to trigger the classification. The administrator at the
> organization that had originally contacted me about the blocked access, told
> me that the main reason they included the "criminal skills" category in
> their site blocking list was to try to prevent their users from downloading
> "unapproved" encryption software. This was a type of information that he
> believed to be included under the Secure Computing "criminal skills"
> category (the "logic" being, obviously, that since criminals can use
> encryption to further their efforts, encryption is a criminal skill). He
> also admitted that he knew that their users could still easily obtain
> whatever encryption software they wanted anyway, but he had to enforce the
> company policy to include that category in their blocking list.
>
> As PRIVACY Forum readers may know, no encryption software is or ever has
> been distributed from here. The topic of encryption issues does certainly
> come up from time to time, as would be expected. For the mere *mention* of
> encryption in a discussion forum to trigger such a negative categorization
> would seem to suggest the fallacy of blindly trusting such classification
> efforts.
>
> Mr. Montgomery of Secure Computing initially suggested that it was up to
> their customers to decide which categories they wanted to use in their own
> blocking lists -- he also stated that as a company they were opposed to
> mandatory filtering regulations. I suggested that such determinations by
> their customers were meaningless if the quality of the entries in those
> categories could not be trusted and if errors of this severity could so
> easily be made. I felt that this was particularly true of a category with
> an obviously derogatory nature such as "criminal skills"--the ramifications
> of being incorrectly placed into such a category, and then to not even
> *know* about it for an extended period of time, could be extreme and very
> serious.
>
> To their credit, my argument apparently triggered a serious discussion
> within Secure Computing about these issues. I had numerous subsequent
> e-mail and some additional phone contacts with Mr. Montgomery and others
> in their firm concerning these matters. First off, they apologized
> for the miscategorization of vortex.com, and removed it from the
> "criminal skills" category (it was apparently never listed in any
> other of their categories).
>
> Secondly, they have agreed with my concerns about the dangers of such
> miscategorizations occurring without any mechanism being present for sites
> to learn of such problems or having a way to deal with them. So, they will
> shortly be announcing a web-based method for sites to interrogate the Secure
> Computing database to determine which categories (if any) they've been
> listed under, and will provide a means for sites to complain if they feel
> that they have been misclassified. They've also suggested that their hope
> is to provide a rapid turnaround on consideration of such complaints.
>
> While by no means perfect, this is a step forward. I would prefer a more
> active notification system, where sites would be notified directly when
> categorizations are made. This would avoid their having to
> check to see whether or not they've been listed, and needing to keep
> checking back to watch for any changes or new categorizations. If more
> filtering software companies adopt the Secure Computing approach, there
> would be a lot of checking for sites to do if they wanted to stay on
> top of these matters. Secure Computing feels that such notifications are
> not practical at this time. However, their move to provide some
> accountability to their filtering classifications is certainly preferable to
> the filtering systems which continue to provide no such facilities and
> operate in a completely closed environment.
>
> So, we make a little progress. The PRIVACY Forum and vortex.com are no
> longer miscategorized and have been removed from all Secure Computing block
> lists. Secure Computing was polite and responsive in their
> communications with me, and will establish the system discussed above in
> reaction to my concerns. Web filtering of course remains a highly
> controversial topic with many serious negative aspects, but we see that when
> it comes to dealing with the complex issues involved, it would be a mistake
> to assume that all such filters are created equal.
>
> --Lauren--
> Lauren Weinstein
> Moderator, PRIVACY Forum
> http://www.vortex.com
>
[...]

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.

 * Vin McLellan + The Privacy Guild + <vin@shore.net> *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:38