Blocking Material on the Internet
A systematic analysis of the "censorship debate"Kristian Köhntopp
Kiel, 14 May 1997
Like any other communication medium, the Internet is used also for the dissemination of radical right-wing information, child pornography, etc. Such misuse has recently led to calls for state intervention to enforce centralized blocking of certain materials.
The authors take the view that such action would be inappropriate. All technological approaches for implementing such blocking have so far failed, and it can be assumed that, with the Internet structure being what it is, future approaches will fail as well. Secondly, blocking will always affect material that is not intended to be blocked. The more effective the blocking action, the more serious the undesired side effects.
Decentralized blocking approaches would enable users to filter content themselves. If rating of content is performed by private organizations therating mechanism could be used to promote questionable interests. To avoid the risk of misuse, it is absolutely necessary that all rating criteria and all ratings are disclosed.
State regulation of any kind will increase costs. The effort to rate Internet material is expected to involve high payroll costs. But even today the cost of communication is substantially higher in Germany than in competing countries like the United States. Regulation would hence be a competitive disadvantage.
What is the objective of blocking?
- Law enforcement: preventing the subjects of a national or regional legal system from accessing or publishing material which is illegal as measured by the criteria of such legal system, even if the place of publication is outside the jurisdiction of the legal system concerned. Using technical means to render such offences impossible would be the perfect solution.
- Prohibiting the provision of indecent material: Various parts of the US Communication Decency Act (CDA) tried to establish an even stricter rule: the Act prohibited the provision, via data networks, of material which is indecent, obscene or in some other way offensive as measured by contemporary moral standards (for "free speech" see for instance The Electronic Frontier Foundation (EFF).
- Protection of minors: Access by minors (children and adolescents) to harmful material is to be prevented while adults would continue to be able to access the complete range of material offered on the Internet.
- Rating: All users of the Net would continue to be free to choose the material they wish to receive, but a rating mechanism would be established enabling consumers to indicate their own preferences ("no sexual material" /"a lot of sexual material", /"no violent material" /"blood and splatter", "politically left-wing"/ "politically right-wing material", "content that is in conformity with the moral standards of the Catholic Church" /"correct in accordance with Muslim moral standards"); consequently consumers only receive that portion of Internet material which passes the filter chosen by them.
- Non-regulation: Every user would have free access to all information offered. Even the existence of rating criteria applied by third parties is considered detrimental, and the establishment of a rating infrastructure is not encouraged or even discouraged..
Which services are discussed in this paper?
There are at least two services to be distinguished:
- WWW, World Wide Web: The World Wide Web is the graphically most appealing service of the Internet. This service is rendered by a network of servers which, on request, furnish the user with "pages" containing the requested material by delivering them to the browser of the user's computer. As a rule, access to these pages is provided by means of the HyperText Transport Protocol (HTTP). For this protocol no identification or authentication of the user and the provider is necessary; the data transmitted are plaintext and not tamperproof.
- An optional modification of HTTP communicates requests and replies by using the encryption technique called Secure Socket Layer (SSL). At least providers using this system have to inform the person making the request of their identity. Furthermore the SSL system prevents monitoring of the plaintext of the communication (third parties cannot find out what requests were made and what the subject matter of the pages provided is) and ensures that the material concerned cannot be falsified undetected by third parties during transmission.
The pages provided contain formatting instructions in the HyperText Markup Language (HTML) and, if requested, further visual, sound or video data. Small servers often can provide the pages requested only as a pre-produced database supplied unchanged from their hard disks. Big servers, by contrast, frequently produce the requested pages on an individual basis, i.e. depending on the user's identity, his or her Net address, the national language preferred (can be configured in the browser), the type of browser employed by the user, the exact time of request or other programmable criteria. This means that two successive requests of the same page will not always result in identical replies.
If pages from the database are produced dynamically, the data of the Web server may be subject to constant change as a result of the updates of the database. This is what happens for instance in the case of catalogue systems for online commerce (price and product updates, changed inventory affecting delivery, etc.), news agencies connected to press release and ticker services and in the case of Web inventories and search engines which generate a full-text index for pages and permit searches by subjects.
In general the Web database is highly dynamic: new versions of pages can be produced and marketed at very low cost. The electronic nature of the medium and its centralized data storage (no distributed copies of a page have to be updated) are clear advantages for producing a very large number of copies.
- USENET news: USENET is a distributed system of newsgroups. It is a partially interconnected network of servers, each of which stores a selection of articles ready to be supplied on request. As a rule, the articles are filed in accordance with thematically arranged newsgroups and time of receipt. Users can establish a link to the most favourably located server and request articles selected by news group and date of receipt.
- Users can follow up on any article read or can post their own articles to the server. The server will then inform its neighboring servers that it has a new article available and, where appropriate, will feed this article to its neighboring servers. These, in turn, will communicate the article to their neighboring servers, etc. (flood fill algorithm of USENET). Within a few hours' time there are hundreds or thousands of copies of this article available throughout the world. The cross-linking of servers is highly redundant; interruptions on the server routes usually have no or only local effects on the availability or transport speed of the articles.
To gain space, the longest held articles are deleted after a certain period of time, which is determined by the configuration of the individual server and by the space needed. As a rule, it does not exceed a period of two weeks. Some news archives, however, store news group discussions for several years and make this database accessible via ample search capabilities (e.g. Dejanews, AltaVista in the news mode).
As every user reading such articles can reply to any of these articles directly and without any pre-editing or post-editing, the results are unmoderated public discussions about a wide range of topics. A large part of these news group discussions are conducted globally. Hence the participants in newsgroup discussions come from all over the world and group membership is constantly changing.
Communication between user and server as well as communication among servers are usually not encrypted and take place without identification or authentification of the users or authors of articles. Falsifying the address of the sender or the path of an article is very easy and even common practice with some newsgroups. There are converters from e-mail to USENET news as well as anonymous and pseudonymous servers which use cryptographic methods, some of them very effective, to try to conceal the sender's identity and location within the Net. Some news servers allow any user or author access without requiring authentication (open servers): it is up to the authors to decide whether or not they wish to disclose their identity in the article provided.
It is the operator of a server who decides which newsgroups can be accessed via its server. There are some lists of "official" newsgroups, but usually they are neither complete nor binding for anyone. Names or headings of newsgroups have the nature of recommendations only. Off-topic postings or spam make up a fixed percentage of all articles.
How can the material to be blocked be identified?
An individual computer can be identified on the basis of IP addresses. However, the identified computer usually performs a large number of services for several providers. Some Web servers of IP providers feed the material of thousands of information content providers into the Net under one single IP address; computers of small providers in some cases offer all the provider's services under one single IP number. The blocking of IP numbers consequently affects not only the material to be blocked but also a large amount of material and services that were not intended to be blocked.
By expending more cost and effort, it is possible to identify service-specific characteristics of individual units of the material provided. In the World Wide Web, a page is characterized by its "name" (its Universal Resource Locator - URL), while the USENET news uses message ID of an individual news item or the name of a news group as means of identification. For newly emerging services it is necessary to devise new service-specific methods for identifying individual units.
The amount of data to be identified and rated is huge: In May 1996, 30 million Web pages were stored in the full-text database of the Altavista search engine; in April 1997 the amount of data recorded exceeded 72 gigabyte for some 5.4 million articles (statistics supplied by Eunet Deutschland GmbH taken from de.admin.lists of 1 May 1997).
There is still the problem of isolating the material to be blocked from all other material. There are two completely different ways to do this:
- automatic rating of material by looking for formal characteristics such as whether the text contains certain key words,
- manual rating of material by providers or third parties using a set of criteria (rating).
Another result of blocking was that the group whose material was blocked simply changed its vocabulary so that blocking had only negligible effects on the group's material. There are other automatic rating methods, but they are unable, too, to recognize the meaning of the material to be rated. Knowledge of these formal blocking criteria enables newsgroups to re-formulate their information without changing its meaning so as to avoid the words that would "trigger" blocking. The Cybersitter program designed to protect children is able, for example, to cut from the Web pages those passages containing words rated offensive. Ingenious formulation of a statement will ensure that its meaning is reversed when the statement is viewed under control of the Cybersitter filter program (information and example by Bennett Haselton on the mailing list email@example.com, message ID: <01IAZF6R8I0I8XKGCV@ctrvax.vanderbilt.edu>).
Procedures and standards for the rating of material by providers or third parties have already been developed for the World Wide Web, with PICS currently being the leading system (Platform for Internet Content Selection). With PICS it is possible to install rating criteria of any definition and any desired resolution. URLs can be rated by the information content providers themselves or by third parties. Common rating criteria include violence, sex or indecent language, with rating systems ranging from digital 0 to 1 scales to systems with very fine ratings. The PICS ratings can be evaluated either by the user's client program (currently supported by the Microsoft Internet Explorer) or on routers while the material is being transferred to the user (this procedure is not being used as yet).
The main problem with manual rating of content is coping with the large number of new or modified pages generated. The operator of the news server www.msnbc.com (a joint venture by NBC and Microsoft) has discontinued the rating of its content by means of the RSACi rating system supported by Microsoft, because the rating of individual contributions was too costly and laborious and PICS rating of all material offered by the server would have prevented minors to access the server (see exchange of letters between Irene Graham, Michael Sims, Stephen Balkam (RSAC rating supervision) and Danielle Bachelder (MSNBC system operation) quoted in <firstname.lastname@example.org> and <199703191314.IAA03203@arutam.inch.com> on the same mailing list).
Another difficulty is that a Web page may differ depending on the characteristics of its request so that rating by means of the PICS system would cause problems. Precisely the pages making use of the interactive component of the Internet could, due to their dynamic generation, remain unrated and would hence no longer be displayed by browsers and search engines of appropriate configuration.
The rating of material by using the PICS system is currently performed by private organizations. The possibilities of raising objections to a certain rating are limited: It is difficult for a netizen to demand correct rating, in particular if the rating organization is located abroad. This difficulty is similar to that encountered by prosecutors trying to punish providers of illegal content originating in a foreign country, but it is completely different in terms of availability of resources and burden of proof. In case of incorrect rating, content providers have to prove that their material is not illegal and they have to overcome the difficulty of asserting their claims outside their own country. Compared with prosecutors, providers of Web pages are on average less well trained and have fewer resources at their disposal.
Rating organizations make their judgements in accordance with the values and cultural criteria common in their own countries. The adoption of foreign ratings for German users therefore causes problems. But since there is no German access software, it is very common to support only foreign rating systems (in particular US systems).
Most rating organizations do not disclose their rating criteria or are very reluctant to do so. Some of them do not even inform content providers about the rating of the material they provided. Complete inventories of all ratings awarded are usually kept secret because it is argued that these lists might be used as catalogues of trash and obscene material. In the case of programs which receive ratings of the Web pages produced by third parties not through online means but have the ratings included as a database installed on the local hard disk, this list is always encrypted and, more often than not, outdated. This means that the users of such software are not aware of the material which they are prevented from accessing.
Meanwhile there are (illegally) decrypted versions of the blocking lists of all producers of rating programs with a static blocking list supplied as a database. An evaluation of blockings has shown that all producers act in line with clear political attitudes or out of personal enmity. Content frequently censored included material provided by women's organizations, information provided on abortion as well as content provided by gay and lesbian groups. It is also common to include in the blocking lists those Web pages which contain criticisms of the producer of the blocking program, disclose the blocking list or oppose any rating. The producers of the Cybersitter program have even adopted a practice which means that people having installed the Cybersitter program can no longer access those pages which mention the names of critics of the Cybersitter program.
How can blocking be achieved?
In order to be able to communicate with each other, the two partners communicating need some physical link such as a dedicated line, a telephone line or a radio relay link. One way of blocking such a link, which is normally not practicable, would be to prevent physical communication from taking place, for instance by barring a telephone line or making certain telephone numbers inaccessible, by disconnecting a dedicated line or by inserting a jamming transmitter into a radio relay link. As a result, the victim of blocking is usually deprived of all its means of telecommunication.
Communication within the Internet usually does not use a homogeneous physical link but a link consisting of various elements of different technologies. At the connection points between these elements, there is a router that transfers IP packets from one element to the next. For this process, the operations of the router are controlled by the adresses in the individual IP packets and by its routing tables. The routing tables indicate the direction into which the router has to transmit the packets labeled with a certain destination. The typical service of a provider is selling international connectivity via one or more leased lines to locations abroad for dial-up customers (private customers) or customers with a leased line (business customers). The service provider is not aware of the type of services used by the customer or the requested data.
Blocking can be achieved by interfering with the routing tables of the routers. It is easy, for instance, to discard all packet bound for certain destinations when they arrive at the router ("grounding the route"). This is done by grounding the route. In this way entire computers are made inaccessible: when the DFN-Verein (DFN = Deutsches Forschungsnetz - German Research Network Association) blocked the computer named www.xs4all.nl, the Web pages of more than 6,000 information content providers could no longer be obtained, no mail could be fed into the computer www.xs4all.nl, and all other communication between the DFN-Verein and the computer was interrupted.
In accordance with the TCP/IP protocol, a service is usually selected by indicating a TCP port number. By using this port number, a more selective blocking of a service would be possible. If being given the appropriate configuration, some routers are, for instance, able to prevent TCP traffic for port 80 (HTTP) from reaching a certain destination while permitting traffic on port 25 (mail) destined for the same address.
By using a proxy or other firewall software which have access to the higher levels of the network structure, selective blocking at the level of individual pages or news items can be achieved. For this purpose, however, the firewall software has to be adapted to each service concerned (WWW, news, mail, IRC, etc.). As a rule, the operation of such systems is very cumbersome and costly, because, for the clients using them, they have to simulate full rendering of all services used by the client. It is very difficult to scale up these systems when the number of clients increases. Nevertheless they are being employed by several totalitarian governments, which hope to make it difficult for undesired material to enter their countries: In China, Singapore and the Gulf countries all communication with abroad has to pass through government-operated firewalls.
The blocking of IP addresses and the use of firewalls can, under certain conditions, be combined to reduce the workload of the firewall computer. Rather than grounding the route to a computer that is to be blocked, all routes to the computer to be blocked are directed to a firewall which monitors the services provided by the computer to be blocked. For this combined approach, which has to be adapted to each type of service to be blocked and simulated, technically complex and costly configurations and maintenance are required. First of all there must be a central connection point between the German network to be monitored and the rest of the world. In addition, this technique is a typical "man-in-the-middle" attack: it will fail in the case of highly encrypted communication which is not vulnerable to such attacks.
The adverse effect of filtering mechanisms on computer performance increases as the resolution of blockings is raised and the list of the information sources to be blocked is extended. Systems such as PICS cannot be established efficiently at central points of the network but can only function as decentralized systems.
All blocking procedures discussed so far involve third-party computers to be inserted between the provider of the information to be blocked and the user. The blocking of material either at the information provider's end or at the user's end are also conceivable; this would, however, require cooperation of the provider or the user.
Blocking at the provider's end would mean that the provider does not offer the material to be blocked to anyone or that he offers it to certain persons only. Even if providers are ready to cooperate, offering material only to selected persons will be possible only if providers can reliably identify the user of a piece of information and have decision tables which are flawless and watertight from a legal point of view, enabling them to automatically decide which material to deliver to whom. Today there is not even a rudimentary identification mechanism which would achieve that goal, and no such mechanism is expected to be developed and produced in the foreseeable future. It is impossible in particular to infer the sender's identity or physical residence from the IP address and the computer name: German customers of US online services are identified on the Net as residents of the United States. Almost the same is true of staff members of multinational companies.
Blocking at the user's end would mean that the material offered would have to be rated by using well-defined criteria (e.g. by those of the PICS system) and that users themselves configurate their software in such a way that pages given certain ratings can no longer be requested and received. Cooperation by the provider would be desirable, but is not necessary since rating can be carried out by servers of third parties.
How can blocking be evaded?
If the physical communication link is interrupted through blocking, the only solution will be to use a different means of communication: if, for example, a jamming transmitter interrupts the radio relay link, it is still possible to use the telephone network and if a telephone line is barred, a radio relay link will be used..
If certain IP addresses are blocked, there are several possibilities for the user to solve the problem: all of them are aimed at completely avoiding the blocking router (see Ulf Möller: "Internet-Zensur: Routingsperren umgehen"):
- The user changes his Internet provider; if necessary, he becomes a customer of a provider located abroad. He establishes a telephone connection or a dedicated line to this provider and handles all his communication via this non-blocking provider. He no longer uses the blocking router of the local provider, and consequently blocking no longer bars his way to obtaining the information desired.
This change of provider in case of blockings takes place automatically if the user is a staff member of a (multinational) company with its own Intranet, which is linked to the Internet at several locations (abroad).
- The user becomes a customer of a second, non-blocking Internet provider, if necessary a foreign provider. The user establishes a TCP/IP connection to this provider and has his applications handled by the distant computer, if necessary a computer located abroad.
There are now a number of providers offering such services as a routine matter. The services provided range from individual services (e-mail boxes, e.g. pobox.com, Web services, e.g. geocities.com etc.) to complete exile log-ins (e.g.c2.org.acm.org.xs4all.nl).
The blocking router of the local provider does not register any communication with the blocked address but only communication with the distant provider. Access to the blocked addresses is effected via the distant provider, that is from behind the blocking router. The blocking caused by the router ceases to have effect.
- The user becomes a customer of a second, non-blocking Internet provider, if necessary a provider located abroad. The user establishes a mobile IP connection to this provider. This means that his IP packet are packed into other IP packet, are sent to the second Internet provider, are unpacked there and are fed into the Net. If desired, communication with the second provider can be encrypted.
In Linux the following two commands have to be given for this procedure:
- Activating of the tunl0 interface to the distant provider myriad.ml.org
> ifconfig tunl0 (your.ip.address) pointopoint myriad.ml.org
- Establishing a route to www.xs4all.nl via tunl0
> route add www.xs4all.nl tunl0
To an observer, the user appears to be a normal customer of the second IP provider. The blocking router of the local provider only registers a connection to the distant, second provider. Hence blocking is without effect: Mobile IP is a routine service for IP providers serving business customers.
- Activating of the tunl0 interface to the distant provider myriad.ml.org
While the methods for evading blockings that have been discussed above can be applied to any service blocked, the following methods can be used for specific services:
- Automatically changing the address of the page on a server is an approach similar to that of modifying the IP number of a server computer. The automatic blocking of individual pages would thus be evaded, and again the entire computer would have to be blocked. Such general blocking could again be overcome by applying the methods for evading complete blocking.
- If there is a search engine for a service which can search all pages of the server material by using certain terms, then an individual page can be obtained virtually under any address, namely by using the terms which help to find a text in the database of the search engine. In this case blocking would have to prevent access to the search engine, too.
- The indirect access approach discussed in connection with the mobile IP method can, if modified, be used also for the WWW. By using a distant Web server providing access on behalf of third parties (proxy server), it is possible to request the page desired in an indirect way. Since proxy servers having an intermediate storage are a common tool used to speed up delivery, it is usually easy to find such a third server. The recent censorhip debate has led to the setting-up in Germany and abroad of proxy servers explicitly for evading blockings (there is a proxy server at MIT, for instance, for Chinese nationals wishing to avoid censorship in their own country).
- If communication is encrypted (for example by using the SSL support incorporated in all common browsers), a secure channel between the server and the user is created in which real-time understanding is not possible and falsification is not easy. Third parties are not able to identify the pages requested nor the information they contain.
- Numerous copies of articles posted to the USENET news are available on thousands of servers all over the world. Calls to cancel articles are meanwhile ignored by many of these servers since there have again and again been fake cancellation calls made by saboteurs. The large archives for USENET news (DejaNews and AltaVista) never make any cancellations. By sending a request to an archive, it is usually possible to get access to less recent texts and those which cannot be obtained locally. Like Web pages that can be located by means of search engines (see above), articles can be requested and found not only by indicating their message ID, but also by checking for any key word contained in the article.
- During an investigation conducted by prosecutors in Bavaria, Compuserve was called upon to no longer provide access to some newsgroups since the articles from these newsgroups had been found to mostly contain material which is considered illegal in Germany. Users who wish to access and read the articles of these groups now request them directly from other, non-blocking news servers. Also the authors of articles for poorly disseminated newsgroups increasingly tend to post their articles also to other groups that are well disseminated but deal with a completely different topic. For example, when the server www.xs4all.nl was blocked because it had offered the prohibited journal "Radikal, Ausgabe 154", the complete volume of "Radikal" was posted to the newsgroups "de.soc.zensur" (discussion on censorship and monitoring of content) and "de.org.politik.spd" (news group of the virtual local association of the SPD).
- Since new newsgroups can be established automatically, poorly disseminated groups are often re-established under new names or notorious newsgroups offer their services under aliases. This is illustrated by the following example: after a German university decided that groups whose name contained the word "sex" should no longer be offered, a group previously called de.talk.sex (a news group on sexuality) has been made available under the alias name de.talk.verkehr for several years.
Other effects of blocking attempts
By means of the USENET news network, information can automatically be replicated thousandfold with a minimum effort. That is why the Web pages of the Radikal journal were disseminated in the news after the xs4all had been blocked (the Web pages of the other 6,000 customers of xs4all were not fed into the news).
Because of the protocol design, all communication using the TCP/IP protocol is an individual end-to-end communication between two partners. Even an observer monitoring a piece of information cannot find out whether the information requested is of a private nature (it is possible and - for many users also - necessary to read their private mail through WWW) or whether it is of a public nature. Private as well as public information can even appear together on a Web page. It is doubtful whether monitoring of such communication by unspecific interception (without a judicial decision having been sought) is legal, even if such monitoring is performed by a robot responding to keywords or ratings.
Disclosure of any and all blockings effected is absolutely necessary not only in order to supervise those awarding the ratings, but also in the interest of smooth technical operation of the network. If a huge number of computers or individual pages is blocked, neither the individual operator of a computer nor the individual user will know whether there is a technical defect that can be eliminated or whether some content has been blocked. Reliable error analysis by the operators of networks or individual computers is thus made totally impossible: from the fact that there is some operational problem no reliable conclusion can be drawn as to what action should be taken to solve the problem. On the other hand, blocking lists, if published, of course tend to be misused as catalogues of sexually explicit or violent materials. Blocking could thus be turned into a kind of "quality label". Moreover, disclosed blockings can be overcome automatically by means of programs modified for the purpose.
Modification of the Internet
In principle, firewall systems (employed by companies to protect their network from unauthorized entry from the Internet) provide a suitable approach to achieve effective blocking. The philosophy of allowing through only those data which are explicitly allowed to cross the barrier helps to enforce certain guidelines or codes of conduct.
Similarly, a code of conduct would have to be established for the use of the Internet services, and adherence of users to this code be enforced. This can be ensured by employing the firewall technology as a barrier between users and the Internet or by using proprietary protocols. Some essential requirements of such a code would be: subscribers can only use the network if they identify themselves; services, protocols and data formats have to be authorized before they can be used; the use of cryptographic techniques is prohibited and all activities have to be logged. These rules would ensure that users cannot evade blockings by changing their identity, the protocol or by disguising data.
If we leave aside the question whether such a code of conduct would be compatible with a democracy based on the rule of law, there are still economic and technical reasons against enforcing this kind of guidelines. A network functioning in accordance with such rules would be under centralized control and could be not adapted to changing requirements without spending a tremendous amount of time and money. Pressured by their commercial users, all online services have given up this concept. The administrative overhead of such a solution at the national level would be enormous. Also, any restriction with regard to cryptographic techniques would prejudice the use of the Internet for transmitting sensitive information.
Altogether such a type of Internet could be disastrous for a country's competitiveness. Communication is an economic resource by no means less important than human capital or the transportation infrastructure. On the other hand, China's example has shown that even such a type of Internet would prevent the dissemination of unwanted material only to a limited extent because counter-measures have been devised for any of the measures mentioned above.
Decentralized control and filtering by users themselves provide a suitable approach for solving the problem. If this approach is to be successful, the ratings awarded by third parties (using the PICS system, for instance) and the rating criteria used must be made transparent. Exemplary filter configurations can be proposed by a large number of interest groups; but users must be in a position to design their own individual configurations or adapt other configurations to their own needs.
Universal rating by a system such as PICS involves more time effort and additional costs. Therefore, a number of providers will not offer universal rating. The rating organizations bear great responsibility because any preliminary rating will influence the opinions of potential users and because deliberately or unintentionally false ratings may cause great damage. For ensuring the protection of minors on the Internet, the approach of labelling material suitable for children by providers on a voluntary basis and displaying such material by means of special "child browsers" similar to the TV children's channel would be by far cheaper and less controversial (see "The Net Labeling Delusion: Protection or Oppression").
Experience in the United States has shown that organizations use the rating tool for pursuing their own political goals while pretending to aim at the protection of minors or to maintain decency standards. However, private organizations must not become responsible for defining moral, ethical and social values. The risk of ratings being misused for other purposes can be reduced by disclosing the rating criteria used as well as all ratings.
We are indebted to Hannes Federrath and Andreas Pfitzmann of Dresden Technical University for numerous suggestions and discussions that helped us to write this paper.
Marit Hansen is a graduated computer scientist (Diplominformatikerin) She works for the Privacy Commissioner for the state of Schleswig-Holstein and is responsible for new media and information technologies as well as technology assessment.
Martin Seeger is a graduated computer scientist (Diplominformatiker) and one founder of the NetUSE AG, a company dealing with Internet and Intranet technology and the security of heterogeneous computer networks.