Monday, December 15, 2008

IWF v Wikipedia and the Rest of the World (except OUT-LAW)

Ever late to the party, still-bronchitic Pangloss would just like to make a few points about the Great Wikipedia Cleanfeed Debacle, if only for her own aide memoire, as she's still re-writing her porn chapter, and so she can say I told you so before it moves completely off the national radar.

In brief: IWF, allegedly little known (though much written about by Pangloss) non elected, industry based censorship quango, were told about dubiously legal naked picture of pre pubescent child on ancient record sleeve; IWF, after usual behind closed doors consideration, added image to "Cleanfeed" (as it's wrongly known) blocklist of child sexual abuse images distributed to almost every UK ISP; image found on page on Wikipedia, a high traffic site, m'lud, so more cumbersome than usual to block; (some) UK ISPs implemented IWF block requirement by funnelling their entire subscriber traffic to Wikipedia through two proxy servers, making only 2 IP addresses visible ; Wikipedia's systems interpreted this as a vandalism attack and closed down write access from UK servers; meanwhile most UK ISPs except , notably, Demon, configured their servers to return 404 error (site not found) when UK surfers searched for this page, rather than the more honest 403 (site prohibited); Demon however truthfully announced that the site had been bl0cked by the IWF as they believed it to be child porn.

Internet predictably plunged into maelstrom of geek horror at censorship of t'net; image reposted on every virtual frat dorm door; IWF reconsiders ban; and for confused reasons not apparently wholly to do with the law ("in light of the length of time the image has existed and its wide availability"), rescinds ban. Everyone happy, sort of, except OUT-Law, who stick to original guns and back IWF original ban.

Pangloss has no yearning for freedom of access to child porn and no dislike for the IWF, who are individually and collectively a most worthy and unselfish set of individuals, but she has long felt worried about the existence of Cleanfeed ever since the government effectively forced every ISP of any size in the UK to install it as proactive upstream filtering, back in late 2007, by threatening that otherwise legislation would be introduced to impose this.

Why is the IWF blocklist worrying? Not because banning access to child porn is in itself wrong - indeed since possession is a crime, preventing possession of child sexual images is arguably doing those seeking it a favour , as well as prtecting the public - but because the mechanism of censorship here employed is non transparent, covert, undemocratic, non judicial and non accountable. I argued this in a SCRIPT-ed editorial at the original time of government backed imposition of Cleanfeed, and have been glad to see this quoted in a few places lately.

I am also glad this particular incident has arisen, because it exemplifies rather beautifully some of the reasons why, although stopping child porn is a Very Good`Thing, this is not, yet, quite the right way to do it. (I am not concerned here with the isue of incompatibility between Wikipedia's defences and the IWF tactics.)

Non-transparent: it is the essence of accountable censorship in a democracy that we know that something has been censored and why, even if we are, correctly and according to law, not allowed to see it. In this incident, only Demon provided that information (and apparently against their own best legal advice!) Why did no other ISP supply this information?

One problem suggested is that if an ISP says "You cannot see this because it is child porn" and it turns out not to be in law, then an action for libel might fall against the ISP. However this can be easily avoided by wording such as Demon indeed used ("we aren't showing you it because the IWF said it might be unlawful"). As`an even more belt and braces excuse, even draconian English libel law clearly allows for public interest privilege, ie, that sometimes there is a duty to say what you believe to be true for the benefit of the public, even though there may be legal dubiety as to its truth. That would surely apply to a warning that a user could not access an image because it was believed to be child pornography.

As a first step, the IWF must (as ORG has also suggested) issue guidelines to UK ISPs that there must be 403 transparency in cases like this in the future, not 404 obfuscation.

Non-judicial: the IWF has often said, when criticised in the past, that it does not need to be a court, nor composed of lawyers and/or judges to do its job, while its scope is restricted to simple images of child sexual abuse. With child porn, they say, "an elephant is an elephant". Yet the case in point clearly stood at the edge of legal certainty. And this case did not even concern less well defined legal areas the IWF purports to review, such as hate speech (added to its remit relatively recently, and unlilaterally.)

Non-accountable: the IWF`applied their own appeals procedure to the decision, after media pressure, and reversed it. Effectively they changed their mind. This is not how true courts and tribunals work, where an appeal must be heard by a seperate body with an account of what factors lead to a different legal decision. The IWF may have truely reconsidered their opinion as to the law (although their own press release rather speaks against this), but they may equally well have simply bent to public pressure, or practical enforcement problems. For those who truly want an objective system which responsibly cracks down on child porn, this is surely unacceptable. Justice is a system, not an arbitrary private discretion.

Combining the two factors above, we come to a simple conclusion that the IWF to meet basic principles of due process and retain respect and public confidence must consist of judges, or at least be chaired by, a judge.

It is simply historical accident that this is not the case already. The IWF was set up in haste in the early days of the Internet, not as a government agency or tribunal, but as a protective self-regulatory watchdog body, whose aim was to to protect the ISP industry from being prosecuted as distributors of child porn.

In the years since, the IWF has done a great deal to up its"pro bono" profile, eg added members from children's charities, released statistics and minutes, trained its members (though exactly how is not clear); but it remains fundamentally a self appointed quango of non judicial, and non elected membership. This is simply not the right way to deal with as important a decision as the one it makes, which simultaneously label sites as criminal suppliers of child porn, users as criminal possessors, and restricts public freedom of expression.

Having the IWF chaired by a judge would also enable it to resist popular or media - or governmental - pressure to remove - or add - an item to the blocklist. Here we come to the most worrying part of this whole affair; the fact that IWF censorship is covert. Court based, conventional justice is public; proceeding are public, reports are available. With the IWF, however, not only are the decisions taken behind closed doors, arguably understandable in the light of the sensitivity of the matter under concrn, but so is the implementation.

The IWF blocklist is encrypted; arguably so that when it is sent to ISPs, the number of people who can actually read it is minimised. Again, many would agree with this as an aim - a comprehensive list of illegal child porn sites and images (effectively a user's guide to finding child porn) would certainly be worth a great deal to some people, and would not be in the public interest to releease.

But the consequent opacity of the blacklist and the lack of any public vetting of it or access to it, means that in theory almost anything could be added to the list without almost anyone in the country knowing. (And this could be done by the ISP, as well as by the government pressurising the IWF.)

As I wrote in 2007, it is widely rumoured that the IWF has already come under some governmental pressure to add sites containing pro-terrorist images, notably videos of hostage executions. These images may be unpleasant but they are not AFAIK illegal to view. Have we done right to construct a system which provides for secret nationwide blocking of any kind of unwanted online content?

Again I would suggest the presence of a judge as chair of the IWF should restrain these fears, and restore national confidence. As OUT-LAW noted we DO certainly already have censorship in the UK and yes, it is sometimes a good thing; but I want the kind of censorship we already have : acountable, publicised, judicial censorship. Struan says "The government trusts it[the IWF] to do this job." Well, I don't. I trust judges, as any good law student should. Censors should be independent, not just of the state, but of other interest groups, such as the industry itself, and yes, the child protection sector. There is no good reason other than cost (which is not a good reason) why the Internet alone of media should be subject to non judicial yet government imposed censorship.

Finally, what this incident has also revealed is the strangeness of a system where illegal material is successfully and swiftly removed in the UK primarily by means of notice and takedown (the IWF boast, quite rightly, that in their few years of existence they have managed to almost wholly remove child porn from UK servers) but where we apparently make no effort to procure take down abroad, before blocking, even from well known and responsible sites like Wikipedia. (And yes, Wikipedia refused to take down this time - but that does not mean they always would, or that all other sites would act in the same way.)

As Richard Clayton has pointed out in the past, international co-operation now means that foreign phishing sites can usually be taken down in hours , not days; why can we not achieve this for foreign servers hosting child porn? There may be legal dificulties outstanding here I am not aware of, but it seems obvious that more take down means less need for blocking, means less oportunity for covert censorship - unless that is the aim..?

I hope these concerns will be taken forward, perhaps as one of the research projects sponsored by the Safer Internet Programme mentioned below?

Gowers Rides Again

Stunning polemic by Andrew Gowers, author of the eponymous report, in the FT today. Disses term extension of sound recording copyright, and the "moral case" for it, as the lobby-driven, celebrity-star-struck tosh it is, but also says much much more. Bravo.

"First, to music companies: you have moved beyond trying to close the internet down as a distribution channel, but you have still not done enough to exploit the swirl of creative and commercial opportunities unleashed by the world of social networks and web 2.0. Please focus on innovation, not on trying to eke more rent from the successes of yesteryear.

Second, to policymakers: many of you are debating how government can support business in these challenging times, and that is fine. But you would do well to pick the targets for assistance and the instruments you use with care. Get it wrong, and you will end up looking silly and out of touch like Mr Burnham."

Cyber(in)security roundup

Producing the Macafee VCR makes you more than normally aware that every vendor and their (robo)dog , plus apparently most NGOs, produces a report on some aspect of online spam, crime, fraud etc in that vital run up period to Christmas when apparently our minds are focused on fun, festivity and, er, fraud:

My esteeemed co-author Blogzilla helpfully summarises a few from the US and international organisations:

"Securing Cyberspace for the 44th Presidency — the Center for Strategic and International Studies argues that President Obama should create a comprehensive national security strategy for cyberspace, echoing many of [the Macafee] recommendations.

Financial Aspects of Network Security: Malware and Spam — the International Telecommunications Union develops a framework for assessing the financial impact of malware.

The OECD calls for a global partnership against malware, and a move from reactive responses to proactive threat reduction and mitigation."

But there's also been some more local offerings:

The Garlik UK Cybercrime Report 2008 - which, like our report, top-lines the credit crunch and its effect on cyberfraud. Despite the name the figures appear to relate to 2007. For the UK, it is claimed,we have seen
  • Overall cybercrime has risen by 9% from 2006
  • Online financial fraud is up by 24%
  • Online card fraud is up 45%
  • 84,700 cases of online identity fraud
  • 40% of all identity frauds are facilitated online
  • "More than two million victims suffered abusive or threatening emails, false or offensive accusations posted on websites and blackmail perpetrated over the internet, up from 1,944,000 in 2006." Much of this apparently tookplace on social network sites. Pangloss is curious where they got this figure - must go print out the whole report.
ENISA, the EU's security agency, also produced in early December a rather underlooked report ENISA - Photo Sharing, Wikis, Social Networks –Web 2.0 and Malware 2.0.
This has an interesting analysis of risks primarily to *systems* from the hard technical viewpoint, as opposed to the emphasis most the other reports place on risks to *users* (though of course the two are connected.) The risks of cross - scripting exploits in multi-origin environments like SNSs are highlighted, along with typically weak control of authentication and access privileges. The policy recommendation to governments are interesting:

"Policy incentives for secure development practices such as certification-lite, reporting exemptionsand the funding of pilot actions. These incentives are needed to address the large number of, eg,cross-site scripting vulnerabilities caused largely by poor development practice.
• Address/investigate Web 2.0 provider concerns about conflicts between demands for content
intervention and pressure to maintain ‘mere conduit’ or ‘common carrier’ (US) status. This is
considered a very important problem by Web 2.0 providers because of the strong user-generated
content component.
• Encourage public and intergovernmental discussion on policy towards behavioural
marketing (eg, by the Article 29 Working Party)."

Perhaps unsurprisingly in light of all this, the EU has just announced (9/12/08) its plans to continue funding its Safer Internet Programme to the tune of 55 million Euros:

"The EU will have a new Safer Internet Programme as of 1 January 2009 (to 2013) . ..While 75% of children (aged between 6 and 17 years) are already online and 50% of 10-year-olds have a mobile phone, a new Eurobarometer survey published today shows that 60% of European parents are worried that their child might become a victim of online grooming (when an adult befriends a child with the intention of committing sexual abuse) and 54% that their children could be bullied online.. The new Safer Internet Programme will fight grooming and bullying by making online software and mobile technologies more sophisticated and secure."

The money is to go to:

  • Ensure awareness of children, parents and teachers, and support contact points that are providing them with advice on how to stay safe online.
  • Provide the public with national contact points for reporting illegal and harmful content and conduct, in particular on child sexual abuse material and grooming.
  • Foster self-regulatory initiatives in this field and stimulate the involvement of children in creating a safer online environment.
  • Establish a knowledge base on the use of new technologies and related risks by bringing together researchers engaged in online child safety at European level.
So more media literacy, more research, more IWF style hotlines, but no apparent endorsement of the ISP or mobile coms sectors being required to impose mandatory "upstream" filtering: either of the IWF-lead UK Cleanfeed inititiative or the disputed new Ozzy variety. Interesting..

Friday, December 12, 2008

Macafee Virtual Criminology Report 2008, and Predictions for 2009 in the IT Law World

Pangloss is back in town (well, Edinburgh) after her jaunts to Israel and London, which culminated in a brief and rather bronchitic appearance on the Today programme talking about cybercrime - the germ (contracted in Israel) was clearly genetically engineered by Mossad to take out the EC's top legal brains. Er, well, or something like that:)

The 2008 Macafee Virtual Criminology Report, which I was plugging on the aforesaid Today prog, is now available free online in a variety of languages, edited by myself and Dr Ian Brown of the OII, with this year an even wider selection of contributing international experts we interviewed - read and comment here should you wish!

Our top level findings this year included:

- the credit crunch will inspire greater investment in cybercrime by criminal gangs etc, especially in the financial phishing area where the confusion of mergers and bankruptcies in the financial sector has left the consumer confused and vulnerable
- difficult financial prioritising may also leave both the conmercial and public sectors vulnerable to further security and personal data breaches, and compliance action must take this into account
- local individuals may be pulled into international phishing as "money mules"; new e-payments and virtual world payments systems are also likely to be utlised to launder the profits of cybercrime
- cyber terrorism continues to be an issue, with more attacks from alleged sources in China and Russia, especially against the likes of Georgia in 2008
- however some excperts also suspect misdirection and obfuscation as to where the true sources of both cybercrime and cyberterrorists attacks are; it is easy to direct Internet traffic via "scapegoat" countries and some cybercrime overlords may be much more local than we think.
- creating "cybercops" is a tough job for nation states, especially in the non Western countries and we may need to look at the creation of a NATO-style transnational "standing cyber-police".

Meanwhile Pangloss was also one of a number of practitioners and academics asked to contribute ideas to the SCL's round up of predictions for what the IT law field may see happening in 2009. The results make interesting if relatively consistent reading (credit crunch will reduce IT and law spending, more out sourcing, more clampdowns on personal data breaches , more powers for ICO, more copyright maximalism by rightsholders, more attempted IP infringement by the bored/unemployed) which probably means something entirely different wil happen instead..

Israel was a remarkable experience, which I hope to write more about at some point. It is quite something for a privacy scholar, even of the non-fundamentalist variety, to see in action a society which so clearly thinks in the majority, that in its unique case, security simply demands substantial inroads into what we would see here as basic personal autonomy and privacy standards. As my niece, studying in Tel Aviv, put it; "It makes me feel safe".

There is a norm of having bags searched on entry to most public places; cars and travellers can be stopped for no reason; security alerts closing public transport and roads down are commonplace. On the other hand Tel Aviv is extremely Western and secular (it reminded me of a cross between LA and Barcelona) and the privacy and technology lawyers at Tel Aviv University who hosted me are as involved as any at Berkeley and Harvard in promoting human rights standards, anti racism, and running pro bono clinics etc. As I visited they had just been involved in condemning e-voting in Tel Aviv local elections which did not meet democratic standards, and they are helping Israel to apply for privacy "adequacy" certification under the EC Data Protection Directive. It was a fascinating time and I hope to go back and discover more in the not too distant future. Thanks to Michael Birnhack and Assaf Jacob especially for inviting me!