Tuesday, December 24, 2013

Blocking of Material on the Internet

This article had been lost in Hyperspace for some time now, so i decided to revive it. As the current discussion about the porn filters in the UK shows, centralized approaches to blocking content don't work. This here is my way of saying "Told you so". Though many technologies have changed in those years and many of those site mentioned ceased to exist, the basic mechanisms and therefor the problems of central censorship are still the same. -- Martin Seeger, 24th December 2013

Blocking Material on the Internet

A systematic analysis of the "censorship debate"

Kristian Köhntopp
Marit Hansen
Martin Seeger

Kiel, 14 May 1997


Like any other communication medium, the Internet is used also for the dissemination of radical right-wing information, child pornography, etc. Such misuse has recently led to calls for state intervention to enforce centralized blocking of certain materials.

The authors take the view that such action would be inappropriate. All technological approaches for implementing such blocking have so far failed, and it can be assumed that, with the Internet structure being what it is, future approaches will fail as well. Secondly, blocking will always affect material that is not intended to be blocked. The more effective the blocking action, the more serious the undesired side effects.

Decentralized blocking approaches would enable users to filter content themselves. If rating of content is performed by private organizations therating mechanism could be used to promote questionable interests. To avoid the risk of misuse, it is absolutely necessary that all rating criteria and all ratings are disclosed.

State regulation of any kind will increase costs. The effort to rate Internet material is expected to involve high payroll costs. But even today the cost of communication is substantially higher in Germany than in competing countries like the United States. Regulation would hence be a competitive disadvantage.

What is the objective of blocking?

Before discussing the technical means of blocking material accessible on the Internet and the prospects of achieving such blocking, it is necessary to identify the goals to be achieved by blocking. Potential goals include: 

  • Law enforcement: preventing the subjects of a national or regional legal system from accessing or publishing material which is illegal as measured by the criteria of such legal system, even if the place of publication is outside the jurisdiction of the legal system concerned. Using technical means to render such offences impossible would be the perfect solution.
  • Prohibiting the provision of indecent material: Various parts of the US Communication Decency Act (CDA) tried to establish an even stricter rule: the Act prohibited the provision, via data networks, of material which is indecent, obscene or in some other way offensive as measured by contemporary moral standards (for "free speech" see for instance The Electronic Frontier Foundation (EFF).
  • Protection of minors: Access by minors (children and adolescents) to harmful material is to be prevented while adults would continue to be able to access the complete range of material offered on the Internet.
  • Rating: All users of the Net would continue to be free to choose the material they wish to receive, but a rating mechanism would be established enabling consumers to indicate their own preferences ("no sexual material" /"a lot of sexual material", /"no violent material" /"blood and splatter", "politically left-wing"/ "politically right-wing material", "content that is in conformity with the moral standards of the Catholic Church" /"correct in accordance with Muslim moral standards"); consequently consumers only receive that portion of Internet material which passes the filter chosen by them.
  • Non-regulation: Every user would have free access to all information offered. Even the existence of rating criteria applied by third parties is considered detrimental, and the establishment of a rating infrastructure is not encouraged or even discouraged..

Which services are discussed in this paper?

"Material provided on the Internet" is understood to mean content accessible through a number of services which use completely different technologies and many of which have separate administrative structures. The only common feature of all these services is the data transmission protocol TCP/IP, which serves as a joint basis.
There are at least two services to be distinguished:
  • WWW, World Wide Web: The World Wide Web is the graphically most appealing service of the Internet. This service is rendered by a network of servers which, on request, furnish the user with "pages" containing the requested material by delivering them to the browser of the user's computer. As a rule, access to these pages is provided by means of the HyperText Transport Protocol (HTTP). For this protocol no identification or authentication of the user and the provider is necessary; the data transmitted are plaintext and not tamperproof.
  • An optional modification of HTTP communicates requests and replies by using the encryption technique called Secure Socket Layer (SSL). At least providers using this system have to inform the person making the request of their identity. Furthermore the SSL system prevents monitoring of the plaintext of the communication (third parties cannot find out what requests were made and what the subject matter of the pages provided is) and ensures that the material concerned cannot be falsified undetected by third parties during transmission.

    The pages provided contain formatting instructions in the HyperText Markup Language (HTML) and, if requested, further visual, sound or video data. Small servers often can provide the pages requested only as a pre-produced database supplied unchanged from their hard disks. Big servers, by contrast, frequently produce the requested pages on an individual basis, i.e. depending on the user's identity, his or her Net address, the national language preferred (can be configured in the browser), the type of browser employed by the user, the exact time of request or other programmable criteria. This means that two successive requests of the same page will not always result in identical replies.

    If pages from the database are produced dynamically, the data of the Web server may be subject to constant change as a result of the updates of the database. This is what happens for instance in the case of catalogue systems for online commerce (price and product updates, changed inventory affecting delivery, etc.), news agencies connected to press release and ticker services and in the case of Web inventories and search engines which generate a full-text index for pages and permit searches by subjects.

    In general the Web database is highly dynamic: new versions of pages can be produced and marketed at very low cost. The electronic nature of the medium and its centralized data storage (no distributed copies of a page have to be updated) are clear advantages for producing a very large number of copies.
  • USENET news: USENET is a distributed system of newsgroups. It is a partially interconnected network of servers, each of which stores a selection of articles ready to be supplied on request. As a rule, the articles are filed in accordance with thematically arranged newsgroups and time of receipt. Users can establish a link to the most favourably located server and request articles selected by news group and date of receipt.
  • Users can follow up on any article read or can post their own articles to the server. The server will then inform its neighboring servers that it has a new article available and, where appropriate, will feed this article to its neighboring servers. These, in turn, will communicate the article to their neighboring servers, etc. (flood fill algorithm of USENET). Within a few hours' time there are hundreds or thousands of copies of this article available throughout the world. The cross-linking of servers is highly redundant; interruptions on the server routes usually have no or only local effects on the availability or transport speed of the articles.

    To gain space, the longest held articles are deleted after a certain period of time, which is determined by the configuration of the individual server and by the space needed. As a rule, it does not exceed a period of two weeks. Some news archives, however, store news group discussions for several years and make this database accessible via ample search capabilities (e.g. Dejanews, AltaVista in the news mode).

    As every user reading such articles can reply to any of these articles directly and without any pre-editing or post-editing, the results are unmoderated public discussions about a wide range of topics. A large part of these news group discussions are conducted globally. Hence the participants in newsgroup discussions come from all over the world and group membership is constantly changing.

    Communication between user and server as well as communication among servers are usually not encrypted and take place without identification or authentification of the users or authors of articles. Falsifying the address of the sender or the path of an article is very easy and even common practice with some newsgroups. There are converters from e-mail to USENET news as well as anonymous and pseudonymous servers which use cryptographic methods, some of them very effective, to try to conceal the sender's identity and location within the Net. Some news servers allow any user or author access without requiring authentication (open servers): it is up to the authors to decide whether or not they wish to disclose their identity in the article provided.

    It is the operator of a server who decides which newsgroups can be accessed via its server. There are some lists of "official" newsgroups, but usually they are neither complete nor binding for anyone. Names or headings of newsgroups have the nature of recommendations only. Off-topic postings or spam make up a fixed percentage of all articles.
The IRC service (Internet Relay Chat) and e-mail (private electronic mail and semi-public mailing lists as discussion forums) could also be discussed in this paper. However, to make this analysis compact, we do not wish to discuss them here, since they are not at the centre of public debate. A discussion would lead to similar results as in the case of the World Wide Web and USENET news. There are other services most of which are of less importance for public communication (telnet) or the discussion of which would not reveal any new aspects (ftp, see http).

How can the material to be blocked be identified?

In order to block material reliably it is necessary first to identify such material in some way. The resolution of such identification may vary.
An individual computer can be identified on the basis of IP addresses. However, the identified computer usually performs a large number of services for several providers. Some Web servers of IP providers feed the material of thousands of information content providers into the Net under one single IP address; computers of small providers in some cases offer all the provider's services under one single IP number. The blocking of IP numbers consequently affects not only the material to be blocked but also a large amount of material and services that were not intended to be blocked.
By expending more cost and effort, it is possible to identify service-specific characteristics of individual units of the material provided. In the World Wide Web, a page is characterized by its "name" (its Universal Resource Locator - URL), while the USENET news uses message ID of an individual news item or the name of a news group as means of identification. For newly emerging services it is necessary to devise new service-specific methods for identifying individual units.
The amount of data to be identified and rated is huge: In May 1996, 30 million Web pages were stored in the full-text database of the Altavista search engine; in April 1997 the amount of data recorded exceeded 72 gigabyte for some 5.4 million articles (statistics supplied by Eunet Deutschland GmbH taken from de.admin.lists of 1 May 1997).
There is still the problem of isolating the material to be blocked from all other material. There are two completely different ways to do this:
  • automatic rating of material by looking for formal characteristics such as whether the text contains certain key words,
  • manual rating of material by providers or third parties using a set of criteria (rating).
Automatic rating of material by using key words is a complete failure when applied to components containing no text (audio files, images or animations). Several online services (Prodigy, AOL) tried to have discussions rated in chat rooms similar to the IRC service by using certain key words, but the results have been hardly satisfactory. One result was that normal discussions on certain topics were no longer possible: blocking of the word "suck" made it difficult to exchange views and experience concerning vacuum-cleaners in a housekeeping news group; blocking of the word "breast" was a handicap in discussions on breast cancer and cooking recipes ("chicken breast"); and the pages fed into the Web by Mrs Cindy Tittle Moore (tittle@netcom.com) were blocked by the Cybersitter program on account of her name.
Another result of blocking was that the group whose material was blocked simply changed its vocabulary so that blocking had only negligible effects on the group's material. There are other automatic rating methods, but they are unable, too, to recognize the meaning of the material to be rated. Knowledge of these formal blocking criteria enables newsgroups to re-formulate their information without changing its meaning so as to avoid the words that would "trigger" blocking. The Cybersitter program designed to protect children is able, for example, to cut from the Web pages those passages containing words rated offensive. Ingenious formulation of a statement will ensure that its meaning is reversed when the statement is viewed under control of the Cybersitter filter program (information and example by Bennett Haselton on the mailing list fight-censorship@vorlon.mit.edu, message ID: <01IAZF6R8I0I8XKGCV@ctrvax.vanderbilt.edu>).
Procedures and standards for the rating of material by providers or third parties have already been developed for the World Wide Web, with PICS currently being the leading system (Platform for Internet Content Selection). With PICS it is possible to install rating criteria of any definition and any desired resolution. URLs can be rated by the information content providers themselves or by third parties. Common rating criteria include violence, sex or indecent language, with rating systems ranging from digital 0 to 1 scales to systems with very fine ratings. The PICS ratings can be evaluated either by the user's client program (currently supported by the Microsoft Internet Explorer) or on routers while the material is being transferred to the user (this procedure is not being used as yet).
The main problem with manual rating of content is coping with the large number of new or modified pages generated. The operator of the news server www.msnbc.com (a joint venture by NBC and Microsoft) has discontinued the rating of its content by means of the RSACi rating system supported by Microsoft, because the rating of individual contributions was too costly and laborious and PICS rating of all material offered by the server would have prevented minors to access the server (see exchange of letters between Irene Graham, Michael Sims, Stephen Balkam (RSAC rating supervision) and Danielle Bachelder (MSNBC system operation) quoted in <3339dd1a.500215@mail.thehub.com.au> and <199703191314.IAA03203@arutam.inch.com> on the same mailing list).
Another difficulty is that a Web page may differ depending on the characteristics of its request so that rating by means of the PICS system would cause problems. Precisely the pages making use of the interactive component of the Internet could, due to their dynamic generation, remain unrated and would hence no longer be displayed by browsers and search engines of appropriate configuration.
The rating of material by using the PICS system is currently performed by private organizations. The possibilities of raising objections to a certain rating are limited: It is difficult for a netizen to demand correct rating, in particular if the rating organization is located abroad. This difficulty is similar to that encountered by prosecutors trying to punish providers of illegal content originating in a foreign country, but it is completely different in terms of availability of resources and burden of proof. In case of incorrect rating, content providers have to prove that their material is not illegal and they have to overcome the difficulty of asserting their claims outside their own country. Compared with prosecutors, providers of Web pages are on average less well trained and have fewer resources at their disposal.
Rating organizations make their judgements in accordance with the values and cultural criteria common in their own countries. The adoption of foreign ratings for German users therefore causes problems. But since there is no German access software, it is very common to support only foreign rating systems (in particular US systems).
Most rating organizations do not disclose their rating criteria or are very reluctant to do so. Some of them do not even inform content providers about the rating of the material they provided. Complete inventories of all ratings awarded are usually kept secret because it is argued that these lists might be used as catalogues of trash and obscene material. In the case of programs which receive ratings of the Web pages produced by third parties not through online means but have the ratings included as a database installed on the local hard disk, this list is always encrypted and, more often than not, outdated. This means that the users of such software are not aware of the material which they are prevented from accessing.
Meanwhile there are (illegally) decrypted versions of the blocking lists of all producers of rating programs with a static blocking list supplied as a database. An evaluation of blockings has shown that all producers act in line with clear political attitudes or out of personal enmity. Content frequently censored included material provided by women's organizations, information provided on abortion as well as content provided by gay and lesbian groups. It is also common to include in the blocking lists those Web pages which contain criticisms of the producer of the blocking program, disclose the blocking list or oppose any rating. The producers of the Cybersitter program have even adopted a practice which means that people having installed the Cybersitter program can no longer access those pages which mention the names of critics of the Cybersitter program.

How can blocking be achieved?

Blocking can be effected at different levels of Internet communication:
In order to be able to communicate with each other, the two partners communicating need some physical link such as a dedicated line, a telephone line or a radio relay link. One way of blocking such a link, which is normally not practicable, would be to prevent physical communication from taking place, for instance by barring a telephone line or making certain telephone numbers inaccessible, by disconnecting a dedicated line or by inserting a jamming transmitter into a radio relay link. As a result, the victim of blocking is usually deprived of all its means of telecommunication.
Communication within the Internet usually does not use a homogeneous physical link but a link consisting of various elements of different technologies. At the connection points between these elements, there is a router that transfers IP packets from one element to the next. For this process, the operations of the router are controlled by the adresses in the individual IP packets and by its routing tables. The routing tables indicate the direction into which the router has to transmit the packets labeled with a certain destination. The typical service of a provider is selling international connectivity via one or more leased lines to locations abroad for dial-up customers (private customers) or customers with a leased line (business customers). The service provider is not aware of the type of services used by the customer or the requested data.
Blocking can be achieved by interfering with the routing tables of the routers. It is easy, for instance, to discard all packet bound for certain destinations when they arrive at the router ("grounding the route"). This is done by grounding the route. In this way entire computers are made inaccessible: when the DFN-Verein (DFN = Deutsches Forschungsnetz - German Research Network Association) blocked the computer named www.xs4all.nl, the Web pages of more than 6,000 information content providers could no longer be obtained, no mail could be fed into the computer www.xs4all.nl, and all other communication between the DFN-Verein and the computer was interrupted.
In accordance with the TCP/IP protocol, a service is usually selected by indicating a TCP port number. By using this port number, a more selective blocking of a service would be possible. If being given the appropriate configuration, some routers are, for instance, able to prevent TCP traffic for port 80 (HTTP) from reaching a certain destination while permitting traffic on port 25 (mail) destined for the same address.
By using a proxy or other firewall software which have access to the higher levels of the network structure, selective blocking at the level of individual pages or news items can be achieved. For this purpose, however, the firewall software has to be adapted to each service concerned (WWW, news, mail, IRC, etc.). As a rule, the operation of such systems is very cumbersome and costly, because, for the clients using them, they have to simulate full rendering of all services used by the client. It is very difficult to scale up these systems when the number of clients increases. Nevertheless they are being employed by several totalitarian governments, which hope to make it difficult for undesired material to enter their countries: In China, Singapore and the Gulf countries all communication with abroad has to pass through government-operated firewalls.
The blocking of IP addresses and the use of firewalls can, under certain conditions, be combined to reduce the workload of the firewall computer. Rather than grounding the route to a computer that is to be blocked, all routes to the computer to be blocked are directed to a firewall which monitors the services provided by the computer to be blocked. For this combined approach, which has to be adapted to each type of service to be blocked and simulated, technically complex and costly configurations and maintenance are required. First of all there must be a central connection point between the German network to be monitored and the rest of the world. In addition, this technique is a typical "man-in-the-middle" attack: it will fail in the case of highly encrypted communication which is not vulnerable to such attacks.
The adverse effect of filtering mechanisms on computer performance increases as the resolution of blockings is raised and the list of the information sources to be blocked is extended. Systems such as PICS cannot be established efficiently at central points of the network but can only function as decentralized systems.
All blocking procedures discussed so far involve third-party computers to be inserted between the provider of the information to be blocked and the user. The blocking of material either at the information provider's end or at the user's end are also conceivable; this would, however, require cooperation of the provider or the user.
Blocking at the provider's end would mean that the provider does not offer the material to be blocked to anyone or that he offers it to certain persons only. Even if providers are ready to cooperate, offering material only to selected persons will be possible only if providers can reliably identify the user of a piece of information and have decision tables which are flawless and watertight from a legal point of view, enabling them to automatically decide which material to deliver to whom. Today there is not even a rudimentary identification mechanism which would achieve that goal, and no such mechanism is expected to be developed and produced in the foreseeable future. It is impossible in particular to infer the sender's identity or physical residence from the IP address and the computer name: German customers of US online services are identified on the Net as residents of the United States. Almost the same is true of staff members of multinational companies.
Blocking at the user's end would mean that the material offered would have to be rated by using well-defined criteria (e.g. by those of the PICS system) and that users themselves configurate their software in such a way that pages given certain ratings can no longer be requested and received. Cooperation by the provider would be desirable, but is not necessary since rating can be carried out by servers of third parties.

How can blocking be evaded?

For users, the blocking of material is an operating problem. They will try to restore full working power, which means they will try to overcome blocking. Their efforts will be the greater, the more they feel hampered as a result of the blocking.
If the physical communication link is interrupted through blocking, the only solution will be to use a different means of communication: if, for example, a jamming transmitter interrupts the radio relay link, it is still possible to use the telephone network and if a telephone line is barred, a radio relay link will be used..
If certain IP addresses are blocked, there are several possibilities for the user to solve the problem: all of them are aimed at completely avoiding the blocking router (see Ulf Möller: "Internet-Zensur: Routingsperren umgehen"):
  • The user changes his Internet provider; if necessary, he becomes a customer of a provider located abroad. He establishes a telephone connection or a dedicated line to this provider and handles all his communication via this non-blocking provider. He no longer uses the blocking router of the local provider, and consequently blocking no longer bars his way to obtaining the information desired.

    This change of provider in case of blockings takes place automatically if the user is a staff member of a (multinational) company with its own Intranet, which is linked to the Internet at several locations (abroad).
  • The user becomes a customer of a second, non-blocking Internet provider, if necessary a foreign provider. The user establishes a TCP/IP connection to this provider and has his applications handled by the distant computer, if necessary a computer located abroad.

    There are now a number of providers offering such services as a routine matter. The services provided range from individual services (e-mail boxes, e.g. pobox.com, Web services, e.g. geocities.com etc.) to complete exile log-ins (e.g.c2.org.acm.org.xs4all.nl).

    The blocking router of the local provider does not register any communication with the blocked address but only communication with the distant provider. Access to the blocked addresses is effected via the distant provider, that is from behind the blocking router. The blocking caused by the router ceases to have effect.
  • The user becomes a customer of a second, non-blocking Internet provider, if necessary a provider located abroad. The user establishes a mobile IP connection to this provider. This means that his IP packet are packed into other IP packet, are sent to the second Internet provider, are unpacked there and are fed into the Net. If desired, communication with the second provider can be encrypted.

    In Linux the following two commands have to be given for this procedure:
    1. Activating of the tunl0 interface to the distant provider myriad.ml.org
      > ifconfig tunl0 (your.ip.address) pointopoint myriad.ml.org
    2. Establishing a route to www.xs4all.nl via tunl0
      > route add www.xs4all.nl tunl0

      To an observer, the user appears to be a normal customer of the second IP provider. The blocking router of the local provider only registers a connection to the distant, second provider. Hence blocking is without effect: Mobile IP is a routine service for IP providers serving business customers.
The content provider of the information blocked can assist the user by trying himself to evade blocking. When the computer www.xs4all.nl was blocked, the blocked content provider changed the Internet address of his computer every other quarter of an hour. As a result, blockings of individual addresses had no effect; entire parts of networks had to be blocked now, which meant that blocking became even more unspecific, and another side effect was that even more content providers were blocked although they had nothing to do with the target to be blocked.
While the methods for evading blockings that have been discussed above can be applied to any service blocked, the following methods can be used for specific services:


  1. Automatically changing the address of the page on a server is an approach similar to that of modifying the IP number of a server computer. The automatic blocking of individual pages would thus be evaded, and again the entire computer would have to be blocked. Such general blocking could again be overcome by applying the methods for evading complete blocking.
  2. If there is a search engine for a service which can search all pages of the server material by using certain terms, then an individual page can be obtained virtually under any address, namely by using the terms which help to find a text in the database of the search engine. In this case blocking would have to prevent access to the search engine, too.
  3. The indirect access approach discussed in connection with the mobile IP method can, if modified, be used also for the WWW. By using a distant Web server providing access on behalf of third parties (proxy server), it is possible to request the page desired in an indirect way. Since proxy servers having an intermediate storage are a common tool used to speed up delivery, it is usually easy to find such a third server. The recent censorhip debate has led to the setting-up in Germany and abroad of proxy servers explicitly for evading blockings (there is a proxy server at MIT, for instance, for Chinese nationals wishing to avoid censorship in their own country).
  4. If communication is encrypted (for example by using the SSL support incorporated in all common browsers), a secure channel between the server and the user is created in which real-time understanding is not possible and falsification is not easy. Third parties are not able to identify the pages requested nor the information they contain.


  1. Numerous copies of articles posted to the USENET news are available on thousands of servers all over the world. Calls to cancel articles are meanwhile ignored by many of these servers since there have again and again been fake cancellation calls made by saboteurs. The large archives for USENET news (DejaNews and AltaVista) never make any cancellations. By sending a request to an archive, it is usually possible to get access to less recent texts and those which cannot be obtained locally. Like Web pages that can be located by means of search engines (see above), articles can be requested and found not only by indicating their message ID, but also by checking for any key word contained in the article.
  2. During an investigation conducted by prosecutors in Bavaria, Compuserve was called upon to no longer provide access to some newsgroups since the articles from these newsgroups had been found to mostly contain material which is considered illegal in Germany. Users who wish to access and read the articles of these groups now request them directly from other, non-blocking news servers. Also the authors of articles for poorly disseminated newsgroups increasingly tend to post their articles also to other groups that are well disseminated but deal with a completely different topic. For example, when the server www.xs4all.nl was blocked because it had offered the prohibited journal "Radikal, Ausgabe 154", the complete volume of "Radikal" was posted to the newsgroups "de.soc.zensur" (discussion on censorship and monitoring of content) and "de.org.politik.spd" (news group of the virtual local association of the SPD).
  3. Since new newsgroups can be established automatically, poorly disseminated groups are often re-established under new names or notorious newsgroups offer their services under aliases. This is illustrated by the following example: after a German university decided that groups whose name contained the word "sex" should no longer be offered, a group previously called de.talk.sex (a news group on sexuality) has been made available under the alias name de.talk.verkehr for several years.

Other effects of blocking attempts

Any blocking can be overcome by replicating the information blocked. Each copy of the information replicated has to be blocked separately. As a result, the undesired side effects of blocking are multiplied until the costs of blocking exceed its benefit. When www.xs4all.nl was blocked because it had offered the banned volume "Radikal 154", 40 copies of the information blocked appeared within a very short time. However, the pages of the 6,000 content providers which had unintendedly been blocked, too, because of technical reasons were not replicated. Blocking was counterproductive: instead of preventing dissemination, the blocking led to the replication of the blocked information. At the same time many content providers suffered losses as a result of the unintended side effects.
By means of the USENET news network, information can automatically be replicated thousandfold with a minimum effort. That is why the Web pages of the Radikal journal were disseminated in the news after the xs4all had been blocked (the Web pages of the other 6,000 customers of xs4all were not fed into the news).
Because of the protocol design, all communication using the TCP/IP protocol is an individual end-to-end communication between two partners. Even an observer monitoring a piece of information cannot find out whether the information requested is of a private nature (it is possible and - for many users also - necessary to read their private mail through WWW) or whether it is of a public nature. Private as well as public information can even appear together on a Web page. It is doubtful whether monitoring of such communication by unspecific interception (without a judicial decision having been sought) is legal, even if such monitoring is performed by a robot responding to keywords or ratings.
Disclosure of any and all blockings effected is absolutely necessary not only in order to supervise those awarding the ratings, but also in the interest of smooth technical operation of the network. If a huge number of computers or individual pages is blocked, neither the individual operator of a computer nor the individual user will know whether there is a technical defect that can be eliminated or whether some content has been blocked. Reliable error analysis by the operators of networks or individual computers is thus made totally impossible: from the fact that there is some operational problem no reliable conclusion can be drawn as to what action should be taken to solve the problem. On the other hand, blocking lists, if published, of course tend to be misused as catalogues of sexually explicit or violent materials. Blocking could thus be turned into a kind of "quality label". Moreover, disclosed blockings can be overcome automatically by means of programs modified for the purpose.

Modification of the Internet

It is obvious from the above that blocking of material on the Internet with its present characteristics can only be implemented at inacceptable costs and side effects. These findings lead on to the question of how the Internet would have to be modified to permit effective blocking of certain materials.
In principle, firewall systems (employed by companies to protect their network from unauthorized entry from the Internet) provide a suitable approach to achieve effective blocking. The philosophy of allowing through only those data which are explicitly allowed to cross the barrier helps to enforce certain guidelines or codes of conduct.
Similarly, a code of conduct would have to be established for the use of the Internet services, and adherence of users to this code be enforced. This can be ensured by employing the firewall technology as a barrier between users and the Internet or by using proprietary protocols. Some essential requirements of such a code would be: subscribers can only use the network if they identify themselves; services, protocols and data formats have to be authorized before they can be used; the use of cryptographic techniques is prohibited and all activities have to be logged. These rules would ensure that users cannot evade blockings by changing their identity, the protocol or by disguising data.
If we leave aside the question whether such a code of conduct would be compatible with a democracy based on the rule of law, there are still economic and technical reasons against enforcing this kind of guidelines. A network functioning in accordance with such rules would be under centralized control and could be not adapted to changing requirements without spending a tremendous amount of time and money. Pressured by their commercial users, all online services have given up this concept. The administrative overhead of such a solution at the national level would be enormous. Also, any restriction with regard to cryptographic techniques would prejudice the use of the Internet for transmitting sensitive information.
Altogether such a type of Internet could be disastrous for a country's competitiveness. Communication is an economic resource by no means less important than human capital or the transportation infrastructure. On the other hand, China's example has shown that even such a type of Internet would prevent the dissemination of unwanted material only to a limited extent because counter-measures have been devised for any of the measures mentioned above.


Centralized, selective blocking of material on the Internet without side effects cannot be implemented; it would be evaded by users, if necessary, and it would entail high costs (confer Heimo Ponnath: "Pornographie im Internet? Dichtung und Wahrheit (Pornography on the Internet? Facts and fiction)", inside online 2/3 1996). As a result of the operation of global data networks, changes take place with regard to government tasks in the information society. This has been described by Alexander Roßnagel in "Globale Datennetze: Ohnmacht des Staates - Selbstschutz der B=FCrger (Global data networks: Powerless government - self-protection by citizens)", ZRP 1977, Heft 1, 26-30). The "feeling of powerlessness" in our globalized world need not, however, lead governments to surrender in the face of the newly emerging dangers; modern information technologies provide numerous possibilities for citizens to protect themselves. Hence governments should accept the obligation to establish structures "which enable their citizens to safeguard their interests in today's world of networks on their own."
Decentralized control and filtering by users themselves provide a suitable approach for solving the problem. If this approach is to be successful, the ratings awarded by third parties (using the PICS system, for instance) and the rating criteria used must be made transparent. Exemplary filter configurations can be proposed by a large number of interest groups; but users must be in a position to design their own individual configurations or adapt other configurations to their own needs.
Universal rating by a system such as PICS involves more time effort and additional costs. Therefore, a number of providers will not offer universal rating. The rating organizations bear great responsibility because any preliminary rating will influence the opinions of potential users and because deliberately or unintentionally false ratings may cause great damage. For ensuring the protection of minors on the Internet, the approach of labelling material suitable for children by providers on a voluntary basis and displaying such material by means of special "child browsers" similar to the TV children's channel would be by far cheaper and less controversial (see "The Net Labeling Delusion: Protection or Oppression").
Experience in the United States has shown that organizations use the rating tool for pursuing their own political goals while pretending to aim at the protection of minors or to maintain decency standards. However, private organizations must not become responsible for defining moral, ethical and social values. The risk of ratings being misused for other purposes can be reduced by disclosing the rating criteria used as well as all ratings.


We are indebted to Hannes Federrath and Andreas Pfitzmann of Dresden Technical University for numerous suggestions and discussions that helped us to write this paper.

The authors

Kristian Köhntopp is a graduated computer scientist (Diplominformatiker) and worked as a free-lance consultant for heterogeneous data networks and computer security and nowadays works as Senior Scalability Engineer for Booking.com.
Marit Hansen is a graduated computer scientist (Diplominformatikerin) She works for the Privacy Commissioner for the state of Schleswig-Holstein and is responsible for new media and information technologies as well as technology assessment.
Martin Seeger is a graduated computer scientist (Diplominformatiker) and one founder of the NetUSE AG, a company dealing with Internet and Intranet technology and the security of heterogeneous computer networks.

Sunday, December 22, 2013

Review: Supervolcano Series by Harry Turtledove

Harry Turtledove is considered a specialist for alternative timeline novels. But usually his narrative splits away from what really happened much earlier. In this book series it all starts in 2011 when the Yellowstone supervolcano breaks out once again and ruins more than just a few days.

The stories follows loosely the extended Ferguson family: father (a disgruntled cop in LA), mother (freshly divorced, falling for her yoga instructor), two sons (band singer and long term college student), daughter  (professional malcontent) and her ex-boyfriend (academic of unpractical science). 

With a starting title like "Eruption" and the authors reputation for fast paced action, you would expect the supervolcano to blast it all spectacularly to pieces. But you get served with a slow-motion-landslide burying the struggling victims. Instead of lava bombs, the characters rather get hit by a falling economy instead. This does not improve the fun upon reading.

While a death spiral of U.S.A. in the aftermath of the gigantic disaster may sound interesting, the sluggish tempo takes a heavy toll on the reader as well. While i think this to be an intentional choice by the author to offer an alternative to a cataclysmic end of the world scenario, i would say he has overdone it in this books. The gems, the surprising insights i got in heaps from a lot of his other novels, they were rather rare finds in the three books. A 3:1 compression would greatly improve this series.

I would recommend this books only to his die-hard fans. If you are among them, you can start here on Amazon.

Tuesday, December 17, 2013

Murder on Fleet Street - Sherlock and the case of the dead Mr. Newspaper

The scenery is somewhat antiquated, the furniture went out of style dozens of years ago, the lamp still has an old fashioned light bulb and the large desk features a typewriter. Half on the desk, covered with a white sheet, lies a body, slumped forward in his chair. In the background one can heard the fading sound of offset printing machines. Footsteps are approaching outside, two people seem to be arguing.

Watson: "I don't understand it why we are here. The case is already solved!"

Sherlock: "Is it, my dear Watson?"

Two men are entering the room.

Watson: "Of course it is. That young pretty thing, this Ms. Internet, has been caught close to the victim and been found in possession of the readers of the deceased. Surely those readers are the motive."

Sherlock: "An our Ms. Internet took them away by force?"

Watson: "Not really, the victim has accused his future murderer of luring them away by unfair competition. Mr. Newspaper has been preparing legal action against the culprit and was therefor killed before he could bring the charges forward."

Sherlock: "I am impressed, with two sentences we have changed it from a holdup murder to a cover-up crime. If we continue at this speed, we will have cleared the suspect in record time."

Watson: "Who else should have done it? Nobody was that close to the victim that he or she could have done it." 

Sherlock: "Did you have a look at the corpse?"

Watson: "Not yet, but what should it show me?"

Sherlock: "Please do me the favor."

Watson walks over to the chair and lifts the sheet and begins to retch. He turns away, breathing heavily, struggling to regain control. "My god!"

Sherlock: "It's not you who will talk to that particular respondent but him. Now tell me, what did you notice?"

Watson: "He is totally bloated. I knew Mr. Newspaper when i was young. He was always a slim and trim guy, a fine appearance and always clean. He seems to have changed."

Sherlock: "Has changed or been changed?"

Watson: "What?"

Sherlock: "I am disappointed. You should have looked more closely."

Watson controls himself, breathes two or three times and lifts the sheets again. This time he manages to keep himself steady and takes a longer look. Than he raises his eyebrows in surprise. "It is not just Mr. Newspaper here. It is also his pet, i think 'Advertisement' he called it. In fact it seems to be more Advertisement than poor Mr. Newspaper here."

Sherlock: "Very good. You knew them both?"

Watson: "I have never seen Mr. Newspaper without his pet. But it was small, adoring him, chasing after him wherever he went. But this, this is like a strangling vine."

Watson picks his handkerchief and holds it before his nose..

Sherlock: "What are you smelling?"

Watson: "The corpse of course"

Sherlock: "This is why i usually omit your title, since you are disgracing it by forgetting even the most basic facts you learned. He is just one hour dead, the room is rather cool, so how can you smell him yet already?"

Watson, now visibly shaken, this time energetically lifts the sheets and starts sniffing at the corpse. "The foul smell comes from the Advertisement. This is why...."

Sherlock: "Why what?"

Watson: "Some of the former readers i talked to mentioned something i discarded in the past. They mentioned that the pet was starting emitting such smells when Mr. Newspaper was granting them too much attention instead of it."

Sherlock: "Very good, Watson, you are starting to approaching the truth. What was the effect on the readers you talked to?"

Watson (now clearly picking up speed) "They withdrew. They turned in flocks to the new star. They mentioned that Ms. Internet also had pets, but you could always block the away, when or if you wanted her all for yourself."

Sherlock: "So, the readers where turning away in droves. He became more and more alone. What did Mr. Newspaper do?"

Watson: "Of  course, he turned his attention more and more towards his pet which in turn became his pest. I heard this happened to some of his friends as well, they devoted all of their attention to it."

Sherlock: "So?"

Watson: "The Advertisement grew and grew, feeding on him till it strangled him, poor Mr. Newspaper. Thank god it is dead too."

Sherlock sounding dubiously: "Let us hope there are not more of them."

Watson: "I am impressed, in just five minutes you solved another case."

Sherlock: "No, i googled it on the way here with my iPhone."

Friday, December 6, 2013

Gadget: Nest Protect

Smoke detectors have been an annoyance to me since from the first time we met. They go off without warning (i had dozens of false alarms already) and they tend to run out off battery typically at 2 a.m. in the morning. In later case, they give off that "click" sound every ten minutes which you (sleep deprived) can't locate. That entices you to disable all of them. On the other hand, they are cheap life savers. Well, the Nest fixes the cheap price but maintains a lot of the existing problems.

The Nest Protect smoke and carbon monoxide detector does not really fix the problems mentioned above but takes care of the "cheap" attribute. It combines a more stylish approach together with WIFI, an easy user interface and voice output. Steve Jobs lessons have clearly fallen onto some fertile ground. Also a nice touch (without touching) has been disabling the alarm by waving you hand close to the Nest Protect. But this very useful feature has been removed lately.

The setup is done through a mobile phone (Android or iPhone required). This is a very easy procedure, it only took a short time till the setup WLAN became visible. After that, everything went as smooth as in the demo video.

You need to setup an account with Nest Labs. Beyond voice and alarm output, the Nest Protect only talks to its home base by IP. There is no documented API or local interface. The information in the cloud is accessible by Web UI or the app on the mobile phone (see screenshot to the left). The actions you can take through the app or the Web UI are limited. You can only specify the location and configure minor options (like enabling a nightlight if someone moves in the dark close to the Nest). Really important features like disabling a Nest are missing.

I usually fix Smoke Detectors with Magnetolink. My mechanical skills are nothing to write home about (Screw you, you screws!), so i prefer to glue things. The Nest Protect is significantly heavier (372g for the battery version) than the usual smoke detector. So i will need someone capable operating a drill machine successfully four  times in a row to create a safer connection to the ceiling. With a price tag of 129 US$ (without shipping an import tariffs in Germany) it is a bit too valuable to conduct gravity tests.

It is at this time not officially available in Germany, but Borderlinx helps you to work around that. Therefor it is no surprise that the output language can only be set to English or Spanish yet. Furthermore the wired versions currently only supports 110V. Since only few people will take the effort to extend their power lines to every Smoke Detector, the later will not really matter. The battery version takes six Energizer Ultimate Lithium AA batteries to operate which accounts for a significant part of the weight. I cannot tell anything about the battery lifetime yet, i will update this blog article once i have run through the first battery set.

One of the theoretical strengths of the device is a pre-alarm stage where the device notifies you that the levels of Smoke or Carbon Monoxide are closing on the threshold. This may save you from some embarrassing panic action. Also it differentiates between both alarms. Also it has ways to signal its status through a colored LED ring. In reality the Smoke detector cooks off with a false alarm as spontaneous as its 5$ counterpart and is even more bothersome to disable.

Another issue i have with the Nest Protect is the lack of any kind of API. I can live with the lack of a local interface (though i would prefer one), no API will keep me from purchasing more of them for the time being. Perhaps Nest Labs believes that it is my ultimate goal to use 20 different apps to monitor everything in my house. Well, it surely isn't. I want the information integrated into a central monitoring even if it takes a rather complicated way (e.g. like with the Twine).


The device does a lot of things right:
  • WIFI integration
  • Status information even when away from home
  • Pre-Alarm stage (in theory)
  • Style
  • Easy network setup
And it is clearly a technological step up from the typical smoke detector.


But as clearly, it is not perfect yet:
  • Lack of API
  • High weight
  • No way to disable a false alarm (see below)
Especially the first bullet point is a no-go in a cloud based device where such interface should be a cheap feature to add. Until now there is only a vague promise of a developer program for the next year.