Filtering, free speech and combatting child abuse images

A Pennsylvania state law that required ISP to block access (from Pennsylvania) to web sites suspected of hosting child pornography violates the First Amendment according to the Federal District Court in Philadelphia. The ruling details the process, both legal and technical, that lead to the blocking of 1.5 million legitimate websites while trying to block access to approximately 400 websites suspected of containing child abuse images. ISP’s used IP filtering and/or DNS spoofing to block access to domain names and IP addresses. URL filtering, which would avoid much of the overblocking, was deemed to be too expensive and difficult for ISP to implement on a large scale. Due to procedural design each ISP was not required to block access to all 400 suspect sites, rather only reported sites accessed through the specific ISP. There was a lack of continuing review of the blocked content to see if the offending material had been removed. The blocking also affected Internet users outside of Pennsylvania and, in some cases, the USA. The ruling also indicates that the measures used to block access can be circumvented.

Suspect websites (sometimes URL’s, at other times IP addresses and/or domain names) were identified by agents of the Child Sexual Exploitation Unit (CSEU) and/or reports from citizens and block notices were sent by the Pennsylvania Attorney General’s Office (OAG) to “the ISP through whose service the agent or the citizen complainant had accessed the site”. It does not appear that all ISP’s were required to block the websites identified as possibly containing child abuse images.

Starting in late April 2002, when an agent or citizen complainant identified a suspected child pornography web site and Agent Guzy reviewed the site and concluded that it displayed child pornography, as defined by 18 Pa. Cons. Stat. § 6312, an agent sent a document titled “Informal Notice of Child Pornography” to the ISP through whose service the agent or the citizen complainant had accessed the site. Each Notice identified the URL (or URLs) of the site(s) to which the Notice was directed.

Based on the evidence compiled by Mr. Clark, the total number of innocent web sites blocked by the Informal Notices discussed in this section is approximately 1,190,000. This number does not include the “upwards of 500,000” web sites hosted by Terra.

The OAG also sent the offending website addresses to National Center for Missing And Exploited Children but not to other ISP’s. Also, “[i]n no instance did the OAG agents inform the owner of targeted web site(s) that her site was being targeted” although in one case the own of a nudist site was contacted and the offending contact was promptly removed. In fact, in most cases where hosting services were contacted (by the OAG or by the ISP that received the block order) the offending content was removed.

The OAG contacted the web host in more than 70 cases involving Web Hosting Services. All such contacts resulted in removal of the designated child pornography from the Web Hosting Service.

When filtering was implemented ISP used IP filtering or DNS spoofing or a combination of the two. When IP filtering is implemented requests to the specified IP address are blocked. This is the easiest and most effective blocking mechanism, most ISP have this capacity in place already and use it fight spam and viruses, but this will block all content on the target IP address. This results in overblocking especially in cases where the IP address is used for virtual hosting and hundreds of unrelated domains are blocked because they share the same IP address. DNS spoofing refers to the modification of entries in DNS servers so that specific domain names do not resolve to their proper IP address. Since users do not have to use their ISP’s DNS servers, and many don’t, this is not a completely effective blocking method. Also, if the user knows the IP address that the domain resolves to, DNS spoofing can be circumvented. The ISP’s all indicated that it would be prohibitively expensive to implement URL filtering, a filtering system in which only specific URLs would be blocked, thus avoiding the overblocking problem.

(I’m surprised that no experts from Saudi Arabia, which has an advanced nation-wide filtering system in place were called to testify concerning the cost and efficiency of large scale filtering systems, or representatives of filtering technology companies for that matter).

However, all these methods can be circumvented using proxy servers and anonymous communications systems.

After blocking a website ISP’s continued to block the website without further review.

In practice – consistent with the Act – the OAG did not undertake any later review to determine whether the content of a blocked URL had changed. The OAG conducted a review 30 days after the block was reported to verify that the URL was still blocked; such review did not cover the content of the blocked site.

In addition to the 45 web sites that no longer exist, on December 1, 2003, 100 of the web sites tested by Mr. Clark resolved to a different IP address than the IP addresses that were blocked by AOL and Comcast in response to the Informal Notices.

It appears that only WorldCom “instituted a process to track the IP addresses of the sites it blocked in response to the court order so that it could change the block if the IP addresses of the targeted URLs were changed”, the IP addresses did change on at least 2 occasions. WorldCom still blocked the original IP address as well.

Expired domains remained blocked even when they were acquired by others and the content changed:

A wholly unrelated web publisher can acquire a domain name without any idea that the domain name is blocked by an ISP. For example, the URL was blocked by AOL in response to Informal Notice 4391. In January of 2004, the domain name was made available for registration. CDT purchased and registered the domain name and created a web site located at the As demonstrated at trial, the web site now describes the actions taken by defendant pursuant to the Act and the instant litigation.

ISP’s were also unable to restrict the blocking to Pennsylvania:

The blocking actions taken by AOL to comply with the Informal Notices were applied to AOL’s entire global network and thus halted communications that took place entirely outside of Pennsylvania (and the U.S.).

The court order issued to WorldCom under the Act resulted in obstruction of communications on WorldCom’s entire North American network. This blocking affects all WorldCom customers in the United States and Canada and some WorldCom customers located overseas.

The protection of children and the elimination of child abuse images is am extremely important concern. But actions taken to fight the production and dissemination of child abuse images should be effective and not impinge of the free speech rights of others. It appears that from the outset this law was not effective, not even all the ISP’s were blocking the same suspect websites. There was no follow up process to determine if the offending content had been removed. The filtering systems that were implemented can be easily circumvented. It only affected web sites, not p2p file sharing systems and all other mechanisms where child abuse images are distributed. There was considerable overblocking.

While not an option in all circumstances, the fact that the OAG had a 100% success ratio when contacting web hosting companies to have child abuse images removed – without impinging on the free speech rights of others – indicates that an increased effort in this area would have a significant impact in fighting child pornography. The ISP’s and webhosting companies involved with this case were more than willing to help fight the proliferation of child abuse images. It seems to me that a greater effort to consult with (free) web hosting operators and ISP’s worldwide along with the development of technologies to make it easier for them to track and eliminate child abuse images from their networks and help prosecute people who post such images is in order.

Post a comment.