thoughts and observations of a privacy, security and internet researcher and activist

Wednesday, June 17, 2009

The Dawning of Internet Censorship in Germany

This post was written by Markus Beckedahl and published first at Netzpolitik.org. The Creative Commons license for it is CC-BY-NC, as the other posts here. RB

Germany is on the verge of censoring its Internet: The government – a grand coalition between the German social democrats and conservative party – seems united in its decision: On Thursday the parliament is to vote on the erection of an internet censorship architecture.

The Minister for Family Affairs Ursula von der Leyen kicked off and led the discussions within the German Federal Government to block Internet sites in order to fight child pornography. The general idea is to build a censorship architecture enabling the government to block content containing child pornography. The Federal Office of Criminal Investigation (BKA) is to administer the lists of sites to be blocked and the internet providers are obliged to erect the secret censorship architecture for the government.

A strong and still growing network opposing these ideas quickly formed within the German internet community. The protest has not been limited to hackers and digital activists but is rather a mainstreamed effort widely supported by bloggers and Twitter users. The hashtag used by the protesters is #zensursula – a German mash-up of the Minister's name and the word censorship, equivalent to #censursula.

As part of the public’s protest an official e-Petition directed at the German parliament was launched. Within three days 50,000 persons signed the petition – the number required for the petition titled „No indexing and blocking of Internet sites“ to be heard by the parliament. The running time of an e-Petition in Germany is 6 weeks – within this time over 130,000 people signed, making this e-Petition the most signed and most successful ever.

During the past weeks, protests became more and more creative – countless blogs and Twitter users followed and commented on the discussions within governments and opposing arguments. Many mainstream media picked up on this and reported about the protest taking place on-line. A working group on censorship was founded and the protest coordinated with a wiki, mailing lists, chats and of course employing Twitter and blogs. One website „Zeichnemit.de“ created a landing page explaining the complicated petitioning system and making signing the petition easier and more accessible for non net-experts.

Over 500 people attended the government's official press conference on the planned internet censorship – a number of whom used this occasion to demonstrate and voice their concerns. In fact, demonstrators began attending some of Minister von der Leyen's public appearances, carrying banners and signs to raise attention to the stifling of information freedom in Germany.


The net community did not only oppose the government's plans, but also made constructive suggestions how to deal with the problem of child pornography without introducing a censorship architecture and circumscribing constitutional freedoms. The working group on censorship demonstrated the alternatives for instance by actually removing over 60 websites containing child pornographic content in 12 hours, simply by emailing the international providers who then removed this content from the net. The sites were identified through the black lists of other countries documented on Wikileaks. This demonstration underlines the protesters' main arguments: instead of effectively investing time and efforts to have illegal content removed from the internet, the German government is choosing censorship and blocking – an easy and dangerous way out. The greatest fear of the protesters is that once in place, the infrastructure will be used to censor other forms of unwanted content, not only child pornography. German politicians already seem to be lining up with their wish-list of content to be censored in future – the suggestions ranging from gambling sites, Islamist web pages, first person shooters, and the music industry cheering up with the thought of finally banning Pirate Bay and p2p.

You can find a detailed link list of the zensursula debate here (in German).
Thanks to Geraldine de Bastion for the translation.

Tuesday, June 16, 2009

UK introducing "Three Strikes and Your Traffic will be Censored"

The UK government just produced a comprehensive "Digital Britain" report that lays out its strategy to improve broadband connectivity. While there has been significant media coverage of the proposed levy of 50 pence a month to fund better broadband rollout in rural areas, the really interesting part is the copyright enforcement ideas. The Hermes Project reports:
The government will give powers to Ofcom to put in place a system for repeat offenders that is known as "write and sue", and they will also work with the ISPs on technical measures against the problem - which is an eminently sensible response given the lack of scaleable technical solutions for such incredibly complex requirements - which is naturally not something that the people at the BPI agree with.

As the "write and sue" name suggests, ISPs will be required to work with Ofcom under the terms of a Code of Practice to write to those infringing copyright, followed by a court process of the release of identity information and civil action if users do not desist. The interesting part is the technical measures that may happen if this is still not effective. From the report:
"The Government will also provide for backstop powers for Ofcom to place additional conditions on ISPs aimed at reducing or preventing online copyright infringement by the application of various technical measures. In order to provide greater certainty for the development of commercial agreements, the Government proposes to specify in the legislation what these further measures might be; namely:

* Blocking (Site, IP, URL)
* Protocol blocking
* Port blocking
* Bandwidth capping (capping the speed of a subscriber’s Internet connection and/or capping the volume of data traffic which a subscriber can access);
* Bandwidth shaping (limiting the speed of a subscriber’s access to selected protocols/services and/or capping the volume of data to selected protocols/services);
* Content identification and filtering – or a combination of these measures."
And that's where things start to get incredibly complex and costly - although no doubt there are plenty of DPI vendors who won't complain if the need to undertake these measures is enshrined in law.
This is where the interests of ISPs (saving bandwidth) and the content industry (filtering copyrighted content and punishing file-sharers) finally align. The Deep Packet Inspection (DPI) industry will love this.

I am not a lawyer, but I guess there will be serious problems with the EU's e-Privacy directive and the human right to telecommunications privacy in the EDHR. The EU commission has already opened an infringement procedure against the UK because of their weak position on Phorm.

Thursday, May 28, 2009

German Debate about Child Porn "Filters": Delete - don't Censor!

In Germany, we are approaching the show-down in a heavy political battle around how to fight "child pornography" (correct: documentation of child sexual abuse) on the internet. The government, led by family affairs minister Ursula von der Leyen, is proposing a filtering system based on DNS poisoning. The Federal Criminal Police (BKA) would maintain the block list and send it to the ISPs once a day. Domains on the list would then be redirected to a "STOPP" website instead of the original IP address. The list of course would be secret (as long as it does not end up on Wikileaks like many such lists from other countries before), no judicial oversight is planned, and people visiting a site on the block list (Rickrolling and tinyURL, anyone?) would have to fear criminal investigations, because the law enforcement agencies would get access to IP addresses ending up at the "STOPP" site.
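An added illustration, not code from the original post or from any ISP or BKA system: a small Python model of the DNS-redirect scheme described above. It shows what the "STOPP" server can log, which unrelated pages a domain-level entry takes down, and how comparing answers with an unfiltered resolver exposes the redirect. All domains, addresses, visits and the exact-match list lookup are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Everything below is constructed for illustration: .example domains and
# RFC 5737 documentation addresses. The real list format is not public.
STOP_IP = "203.0.113.99"                           # stand-in for the "STOPP" server
BLOCKLIST = {"hosting.example", "forum.example"}   # the list holds domains, not URLs
CONTROL_DNS = {                                    # answers from an unfiltered resolver
    "hosting.example": "192.0.2.10",
    "forum.example": "192.0.2.11",
    "news.example": "192.0.2.20",
}


def isp_resolve(domain):
    """Filtering resolver as the post describes it: listed names get STOP_IP."""
    return STOP_IP if domain in BLOCKLIST else CONTROL_DNS[domain]


def fetch(client_ip, url, stop_log):
    """Resolve via the ISP and 'connect'. The STOPP server can record the
    source address and the Host header, but not why the request was made."""
    host = urlsplit(url).hostname
    if isp_resolve(host) == STOP_IP:
        stop_log.append((client_ip, host))
        return "STOPP"
    return "origin"


def overblocked(urls, listed_urls):
    """URLs made unreachable although they were not the reason for the listing."""
    return [u for u in urls
            if u not in listed_urls and isp_resolve(urlsplit(u).hostname) == STOP_IP]


def redirect_sinks(domains, min_domains=2):
    """Measurement heuristic: an address that replaces the control answer for
    several unrelated domains is very likely a block page."""
    sinks = defaultdict(list)
    for d in sorted(domains):
        answer = isp_resolve(d)
        if answer != CONTROL_DNS[d]:
            sinks[answer].append(d)
    return {ip: ds for ip, ds in sinks.items() if len(ds) >= min_domains}


# Constructed data: the URLs that caused the listing, and four visits given as
# (client address, URL, how the user got there).
LISTED = {"http://hosting.example/~user17/listed.html",
          "http://forum.example/thread/7"}
VISITS = [
    ("198.51.100.1", "http://hosting.example/~user17/listed.html", "typed the URL"),
    ("198.51.100.2", "http://hosting.example/~knitting/", "bookmark, unrelated site"),
    ("198.51.100.3", "http://forum.example/thread/42", "shortened link in a chat"),
    ("198.51.100.4", "http://news.example/today", "typed the URL"),
]


def run_scenario():
    """Replay the visits and return what the STOPP server ends up holding."""
    stop_log = []
    for client, url, _how in VISITS:   # _how never reaches the server
        fetch(client, url, stop_log)
    return stop_log


if __name__ == "__main__":
    print("STOPP log:  ", run_scenario())
    print("overblocked:", overblocked([u for _, u, _ in VISITS], LISTED))
    print("sinks:      ", redirect_sinks(CONTROL_DNS))
```

Three of the four constructed clients land in the log with nothing to tell the deliberate visit from the bookmark or the shortened link.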

The plan has met heavy opposition from the already politicized German internet community. An online petition to the German parliament to not adopt this law today broke the barrier of 100,000 signatures. A parliament hearing yesterday showed massive problems with the current draft. The crucial question in the next two weeks, before the parliament ends its session and everybody is heading towards the election campaign, will be if the Social Democrats, who are ruling together with the Conservatives, will understand that it does not make sense to adopt a quick and dirty law around such a serious topic.

The German blogosphere and twitterverse are furiously analyzing the factual errors in data presented by the government to support their proposal, discussing the constitutional problems, and pointing to the massive overblocking on leaked lists from other countries. They are organizing most of the core work in the "Working Group against Internet Blocking and Censorship" (Arbeitskreis gegen Internetsperren und Zensur / AK Zensur), which is more or less modeled after the successful Working Group against Data Retention (AK Vorrat).

But interestingly, a lot of things are also happening in an extremely decentralized way, only glued together by hashtags on Twitter and similar microblogging services. The most popular hashtag is "#zensursula", which is a play on words with the German word for censorship (Zensur) and the minister's first name (Ursula). Last Saturday, there were public readings of the German constitution and many other protests on the streets in around 30 German cities, all triggered just by a blog post and a tweet.

I'll speak about these methods of "activism 2.0", among other things, next week at the "Computers Freedom and Privacy" conference in Washington DC.

Now, a member of AK Zensur has run an interesting experiment and shown that it is not even necessary to block sites, because you can easily take them down completely. Stefan Graunke was kind enough to produce an English version of the press release:

Delete, don’t block: It works!

This is the English version of a German press release on ak-zensur.de

Within 12 hours, 60 child pornography sites were removed from the internet

In the ongoing German dispute over the appropriate action against documented child abuse on the Internet (child pornography), the supporters of a mere blocking solution argued that it is often not or only with considerable effort possible to remove the illegal content or to get hold of its originator.

Alvar Freude of the Working Group against Internet blocking and censorship (AK Zensur) put this argument to the test. He analyzed the various European blocking lists via automatic procedures and wrote to each provider on whose servers child pornography was located according to lists. He received an impressive response: Within 12 hours after sending the first e-mail 60 websites were already deleted.

Further results and insights:

  • The first reactions respectively deletions followed after a few minutes and came among others from the USA, Holland, Denmark, Russia and Germany.
  • Three of the deleted websites were located on servers in Germany.
  • A total of 348 providers in 46 different countries were contacted automatically and informed of 1943 allegedly illegal websites. A previous individual analysis of the web sites content has not been made. (It is completely illegal in Germany to look at child pornographic content.)
  • 250 providers have responded to the request, but they mostly found legal content. Samples that were taken afterwards confirmed the legal content.
  • Ten providers indicated that a total of 61 cases of illegal content had been removed. With a simple e-mail you can achieve a lot.
  • The examination through the providers showed that the vast majority of websites, including some from Germany, appeared to have no child pornographic content, some do not contain any objectionable material at all – therefore the websites were blocked in error. In Finland several domestic websites were blocked, that contain a critical examination of the blocking issue.
  • The providers have not been informed that some of their hosted websites were put on the blocking lists.
  • When made aware of this fact, the providers are more than willing to cooperate and remove illegal content as soon as possible.
  • A certain part of the illegal material was located on ‘hacked’ websites, i.e. sites that were exploited through security holes to spread external material. Here too the providers were very grateful for the supplied information.

The process to shut down websites with child pornographic content does not take longer than the transmission of a blocking list. This shows the absurdity of the reasoning behind simple blocking – there is no rational reason to just block criminal content and leave it on the Internet, still accessible for everyone who uses minimal effort to circumvent the block.

What was possible for a citizens’ initiative, such as the Working Group against Internet blocking and censorship, should be even easier for the German government and law enforcement agencies and their results should by far exceed the results of AK Zensur.

Delete, don’t block – the motto of AK Zensur – is possible!

Released by: Working Group against Internet blocking and censorship (AK Zensur)
Web: http://ak-zensur.de/ (in German)

Press Contact:
Alvar Freude
presse@ak-zensur.de
+49 179 13 46 47 1

About the Working Group against Internet blocking and censorship (AK Zensur):

The Working Group on Internet blocking and censorship (AK Zensur) speaks out against the Federal Government’s planned Internet blocking and promotes an effective fight against child abuse instead of ineffective symbolic politics that only promotes ‘looking the other way’, does not help the victims and establishes an infrastructure that restricts basic public rights. AK Zensur coordinates the work of Internet blocking opponents, but also appreciates the many activities that are happening decentralized in the on- and offline world.

The members of AK Zensur are amongst others: Chaos Computer Club (CCC), FoeBuD, Association for Information Technology and Society (FITUG), Forum of Computer Scientists for Peace and Social Responsibility (FIfF), Victims Of Abuse Against Internet Blocks (MOGIS), netzpolitik.org, the online platform ODEM.org, Trotz Allem e.V. and numerous individuals.

Monday, April 20, 2009

Privacy International Position on Behavioural Targeted Advertising

A lot of folks have been waiting for this. PI has been working with Google and other online marketers recently to enhance their privacy understanding and practices. But they never openly spoke about the dangers of Deep Packet Inspection and related tracking technologies. In my research paper, I took this as one reason for the fact that UK-based Phorm is still alive, while NebuAd and related US-based companies are more or less out of business, after American net advocacy groups heavily criticised the monitoring of customer traffic by ISPs.

But finally, PI has issued a statement on behavioural advertising, and Alexander Hanff from nodpi.org is even joining their team.

Online Behavioural Targeted Advertising – Privacy International’s position

Privacy International believes that online behavioural targeting for online commercial advertising using the technology of Deep Packet Inspection (DPI) is a dangerous and potentially unlawful technique that is fraught with unethical practice. This industry extends across multiple models and strategies including the use of Deep Packet Inspection, Flash Cookies, Tracking Cookies and other emerging technologies.

We believe that, particularly in the long term, the threat arising from these technologies is of such gravity that commercial organisations must not be permitted to adopt Opt-Out solutions. Without care, industry will within three years adopt a default opt-out platform upon which can be built a limitless spectrum of intrusive technologies. Governments need to legislate in a way that protects the rights of the general public. From any ethical standpoint such interception of web traffic must be conditional on the basis of explicit and informed consent.

We are concerned that almost all the major online commercial players worldwide are moving in this direction. This is not a model that will be limited to issues such as Deep Packet Inspection that has raised concerns in the UK. With Cloud Computing, 3g and 4g Mobile technologies and Public Wifi Networks the issue extends into all markets involved in data communications and increasingly voice communications due to the global take up of Voice Over IP. It is critical that we set the bar now, whilst these technologies are still developing, in order to prepare for the future.

There is an urgent need for the EU and US Congress to recognise that the entire online economy is shifting its business models in the direction of communications interception, almost always at the expense of privacy rights. Seismic shifts are occurring in the online advertising market, and these shifts are polarising on both sides of an economic fault line. Furthermore, globally governments must create and fund initiatives that engage all stakeholders. Care must be made to educate people with regards to what privacy is and why privacy is so important to quality of life. Whereas the commercial sector need to behave ethically and responsibly, society as a whole need to take more responsibility and care with the way they share their personal data. For this to happen education has to play a key role.

Legal protections with regard to these technologies must be enforced. Where organisations can be shown to have acted unlawfully action must be taken. The lack of action against BT Group in the UK with regard to covert trials of Deep Packet Inspection must never be repeated. Corporations that act unlawfully must be prosecuted. (...)

Tuesday, April 07, 2009

Essay Collection on Deep Packet Inspection

The Privacy Commissioner of Canada has just published a nice collection of essays on deep packet inspection (French version). I am one of the authors; among the others are e.g. Roger Clarke, Richard Clayton, Susan Crawford, Danielle Citron, and Paul Ohm.

The website dpi.priv.gc.ca they set up for this also presents an opportunity for readers to comment, excerpt and even vote on essays that "interest or frustrate" them. A print version of the essays in the form of a small book is expected to be ready by the end of April.

Friday, March 20, 2009

Deep Packet Inspection: Reading List and Call for Papers

When I started my research project about the governance of Deep Packet Inspection (DPI) almost a year ago, there was basically no social-scientific or even political science literature about it. Some political reporting about it was done by specialized online sources like Ars Technica (hat tip to Nate Anderson for covering the issue so well and early), but all the academic literature on DPI was from some geeks publishing in computer engineering journals. Don't get me wrong, I love geeks, but sometimes they just get lost in the amazing technology options and forget about the political implications.

Times seem to change, and part of the reason for this is a more general awareness of this new technology and its powers. So, for all of you who want to understand more of the DPI debate, and who would be curious to find out how bandwidth management, ad injection, government surveillance, and internet censorship belong together and still often get different rules and regulations, here is a little reading list, in chronological order:
  • Christopher Parsons has published a working paper as early as 2008 for the New Transparency Project overseen by surveillance studies guru David Lyon. The paper is called "Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials". Parsons argues that DPI equipment "should be identified as surveillance technologies that can potentially be incredibly invasive". He argues that ISPs "implicitly ‘teach’ their customers norms about what are ‘inappropriate’ data transfer programs, and the appropriate levels of ISP manipulation of customer data traffic."
  • Paul Ohm of the University of Colorado Law School was the first to make the link between the network neutrality debate and the unavoidable privacy invasions that come with any traffic discrimination approach: "The Rise and Fall of Invasive ISP Surveillance". A lengthy, but recommended legal paper that is a good read even for non-lawyers like me.
  • Ben Wagner presented a paper titled "Modifying the Data Stream: Deep Packet Inspection and Internet Censorship" at the 3rd Annual Symposium of the Global Internet Governance Academic Network last December.
  • Joseph Noel, a stock market analyst, has recently published an interesting analysis of the still emerging market for DPI gear. He is guessing that the FCC's decision last year is slowly making clearer where the rules for network management are going, and that this will break the "Traffic Management Deployment Logjam". His recommendations: Cisco Systems - Hold; Procera Networks – Strong Buy; SandVine Corp. - Buy; Allot Communications - Hold. I wonder about all the other DPI vendors, but I also wonder if he knows that the FCC's decision is still being challenged at the U.S. Court of Appeals (DC Circuit).
  • My own paper I presented at the International Studies Association's 50th Annual Convention in February is now available in an updated version: "Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection". I go through different use-cases and a few countries and try to explain the variation in DPI governance with the strategic actor setting shaped by each use case as well as with the institutional framework in which the governance debates took place. I also try to lay the groundwork for a "technology-aware policy analysis"-approach to internet governance studies (yes, feedback is welcome!).
  • Chris Riley and Ben Scott of Free Press, not really an academic institution but a lobbying think tank, just published a nice paper about the impact of DPI on Net Neutrality and ISPs' revenue considerations: "Deep Packet Inspection: The end of the internet as we know it?". A good provocative piece that points out potential "winners and losers" in the traffic management arms race (but hell - why did they steal my title?).
  • Nate Anderson again has already written a good summary of the Riley/Scott paper and put it into perspective: "This is the way the Internet ends: not with a bang, but DPI".
Of course, there is a lot more literature around on Net Neutrality, Internet Privacy and other related issues. But the fact that so few researchers have yet even mentioned Deep Packet Inspection or even systematically addressed it is also a sign that many of them are not really aware of the underlying technology trends here.

I would love to see more social-scientific, legal, and philosophical studies on DPI, e.g.
  • from a governmediality or "code is law" perspective, analyzing how the injection of DPI in our technology-mediated environment shapes the way we as Internet users can behave and which choices we have;
  • from a discourse-analytical perspective, tracing the discursive frames and public perceptions around DPI;
  • from a governance perspective, explaining the variations in DPI governance and regulation from perspectives other than the "interaction-oriented policy analysis"-approach I used for my paper - hey, what about regulatory capture, agenda-setting, new modes of government, or plain old economic pressure?
  • with empirical data from beyond the U.S. or the English-speaking Western world (Wagner tries this, but the sources from China are limited so far);
  • with quantitative data on DPI usage by different ISPs in different countries, linking it with the regulatory and market environment and showing statistically significant links;
  • from a human rights perspective, making clear the possible conflicts of DPI with freedom of speech, freedom of assembly and freedom from intrusion (a.k.a. privacy) online;
  • edited to add: from a legal perspective, analysing the regulations for DPI and related technologies in different countries;
  • edited to add: [fill in your favourite social sciences / humanities / legal and related perspective here].
So, here is my pledge: If I get enough feedback and ideas for possible papers in these or other interesting directions, I promise to you that I will take the task of organizing a workshop or a conference where we can all meet and discuss wildly. How does this sound?

Monday, February 23, 2009

Trusted Traveller or Trusted Bar-Crawler?

The Wired national security blog "Danger Room" was celebrating its 2nd birthday on the weekend with a party at a bar in Washington DC. I was going there with a few friends and colleagues, and we had our share of fun. Unfortunately, one of my Canadian friends had trouble getting in: The bouncer would not accept his "trusted traveller" card, which is issued by the U.S. Government's Department of Homeland Security. It was only after we convinced him that a national security party is the worst place to prevent someone with a DHS-issued ID from entering that my friend finally could join us. My friend clearly looks older than 21, needless to say.

Except for the fun we made of this afterwards, as a thought-experiment this was an interesting experience in identity and risk management. You could say that the bouncer's calculus seemed to be: Not everybody who is a certified non-terrorist is also a reliable and nice company at a bar. This is a clear and sensible separation of roles. But on the other hand: Why should a random 21-year-old with a state-issued driving license be a more reliable beer drinker?

Of course, the main problems were: The bouncer had not even heard of this trusted traveller program before, and he just checked the IDs of anybody who wanted to enter, no matter how clearly he looked over 21. This is what annoys me most, I guess: That people only follow dumb procedures without any idea of common sense. That certainly will not bring greater overall security, it will just cover the bouncer's ass.