ISPs are pressed to become child porn cops

‘Not an intelligence-gathering tool’
Speck, the Brilliant Digital official, argued that CopyRouter would not put ISPs in a law enforcement role because the list of banned files would be managed by the law enforcement agency, not handed over to the private companies. CopyRouter would consult that list, but at arm's length from the companies.

"The responsibility is shifted to law enforcement," Speck said. "We've delivered to Internet service providers something they've called for. ... This is not an intelligence-gathering tool. This is not for developing a list of users. This is an extension of what routers already do."

But wouldn't the Internet service provider know which traffic CopyRouter had blocked, and which user had sent or attempted to download it? No, Speck said, because his company's product would be a neutral middleman, not sharing information with the ISP or law enforcement.

"All hashes are provided to Global File Registry, which manages a secure data base and communications channel between law enforcement agencies and the ISP such that the illicit file hashes targeted by law enforcement remain private and secure to the relevant law enforcement agency," he said in an e-mail after the interview. "There is no personal (sender/receiver) information identified, and privacy is maintained."

The company's slide show, however, does describe information on users being passed directly to law enforcement. Any files that matched the child porn list would be reported to a "law enforcement data collector," along with IP addresses identifying the user's computer. The slide show says, "Any hits here will generate a 'red' report, which will be routed to the police collector server ONLY. These reports contain full IP information."

Click for related content Live vote: Do you want the Net watched for child porn? Red Tape Chronicles: The trouble with 'deep packet inspection' Discuss this article on Newsvine Feedback: Send an e-mail to Bill Dedman and Bob Sullivan

Although Brilliant Digital says no law enforcement agency has signed on to the CopyRouter plan, that hasn't kept the company from including a familiar blue seal in its slide show. At each point when a law enforcement computer is depicted, it bears a mark that closely resembles the FBI logo. Only when the logo is magnified can one see that it says "Friendly Bus Investigator" rather than "Federal Bureau of Investigation." The FBI hasn't signed on to the plan, Speck said, and the logo was not meant to imply any endorsement.

The FBI met a hailstorm of criticism in 2000 when the existence of its Carnivore project was revealed. The packet-sniffing technology was used to monitor and log traffic when installed at an Internet service provider. The FBI by 2005 had stopped using the technology, in favor of commercial tools.

New law may take law enforcement out of the loop
Under the new U.S. law, a system like CopyRouter might not require involvement of law enforcement. The McCain portion of the new child-porn law allows such a system to be set up by the Internet service providers, because it gives them access to those lists of illegal files.

The key player in that transfer is the National Center for Missing and Exploited Children. Although it's a nonprofit organization, NCMEC has increasingly taken on law enforcement roles, with Congress requiring that complaints of child pornography be sent to its CyberTipline. Since 1998, NCMEC says, it has received more than 300,000 reports from ISPs. And it gives them a daily list of Internet addresses that appear to host child porn, so the companies can choose to block those Web pages.

The new law authorizes NCMEC to go further, handing to Internet service providers the list of files judged to be child porn. Law enforcement agencies give those hash values to NCMEC, which will be allowed (but not required) to give them to the ISPs. That cooperation would allow the ISPs to use CopyRouter or their own home-grown solutions, without including cops in the loop directly.

That provision was part of the SAFE Act, a bill introduced by Sen. McCain and Democratic Sen. Chuck Schumer of New York. A McCain aide called the bill a "NCMEC wish list." The SAFE Act also made it a felony for ISPs to fail to report child porn, if they discover it, with penalties up to $300,000 for each instance.

Steve Pope / Getty Images file Republican presidential candidate Sen. John McCain wrote the section of law allowing the list of child porn files to be given to internet providers.

McCain's bill got caught in a tug-of-war with a broader bill written by another player in the presidential election, Sen. Joe Biden, the Democratic vice presidential candidate. Biden's solution leaned more toward law enforcement, giving more money to the Justice Department and state Internet Crimes Against Children task forces, which investigate child pornography.

With NCMEC lined up behind McCain's bill, and other child protection activists (and Oprah Winfrey) pushing for Biden's bill, Congress finally passed them both: McCain bill was folded into the Biden bill, which passed the House and Senate without objection. Republicans were able to cut the spending in the Biden bill, down to $300 million.

With the new law in place, NCMEC has a plan for ISPs to use their new access to the hash values.

"We believe that there needs to be more proactive, voluntary methods to identify illegal child pornography content that bring it to their attention," said Allen, the NCMEC president. "We are working with leading ISPs to do that."

He said NCMEC's Hash Sharing System would share with Internet service providers information on only the " worst of the worst" images of child pornography. An image must depict a pre-pubescent child who has been identified by law enforcement. And it must depict  one of the following: "oral, vaginal or anal penetration and/or sexual contact involving a child whether it be genital, digital, or a foreign object; an animal involved in some form of sexual behavior with a child; or lewd or lascivious exhibition of the genitalia or anus. "

"Through this project, NCMEC is also working with the members of the Technology Coalition to test existing software and develop new technologies that will enable ISPs to identify apparent child pornography images by hash value and block them," Allen wrote in an e-mail.

Some ISPs willing to police copyright law
The idea of turning Internet service providers into cops has been opposed and embraced by different ISPs in a different realm — copyright protection. The recording and movie industries have pressed ISPs to monitor their customers to detect traffic copyright violations. AT&T has said it hopes to monitor for pirated content, and has been in discussions with content companies, including NBC Universal (co-owner of msnbc.com), which has pushed for such filtering. Microsoft (the other co-owner of msnbc.com) has said it opposes filtering by ISPs.

ISPs also have run into public and government opposition just for slowing down, not blocking, some Internet traffic. The Federal Communications Commission ruled in August, on a 3-2 vote, that Comcast's limiting of BitTorrent traffic was illegal. Comcast said it was merely trying to keep the flood of peer-to-peer file sharing from slowing down the Internet for everyone else. As for CopyRouter, the company's manager said it would not slow down Internet traffic noticeably, because it's not inspecting the contents of files, merely comparing their hash values to a list, which can be done quickly.

Privacy advocates have already raised objections to deep-packet inspection. Earlier this year, a California company named NebuAd proposed a service that would observe Web surfers’ Internet habits through machines installed at ISPs, then inject context-sensitive advertising into the Web sites the consumers visited. It called the system "Behavioral Targeting." Public outcry and rumblings of an investigation from Congress led firms considering the technology to pull out.

Morris, of the Center for Democracy and Technology, said Brilliant Digital's plan constitutes an illegal wiretap, and would run afoul of the Electronic Communications Privacy Act. No firm can listen in on private communications unless it is instructed to do so by a law enforcement official with a proper court order, he said.

MORE FROM SECURITY

Security Section Front

Facebook hit by ‘Control Your Info’ intruder Twitter phishing ploy goes for ‘Direct Messages’ Red Tape: Your chance to spy on Google Hacking ring caught in $9 million fraud Tagged.com settles with states in invite fight Framed for child porn — by a PC virus In China, battles over a new wall Spain: Internet-related child porn on the rise Google providing better view of personal data EU agrees on new Internet user rights Security Section Front   Add Security headlines to your news reader: