Making waves for safe surfing software

A pair of code-crackers have exposed the flaws in so-called 'censorware' filtering programs
Click to follow

Let's play spot the connection: 11,000 words written in Latin; a description in Spanish of a milking machine; volumes four and six (but not one, two, three or five) of Gibbon's The Decline and Fall of the Roman Empire. Also, Carnegie Mellon University's quilting club, and its ultimate frisbee, volleyball and robotics clubs.

Got it? Obvious, of course - they're all about smut, filth, violence and drugs culture.

Well, that's how it looks to two pieces of Internet filtering software: I-Gear, published by Symantec, and CyberPatrol, now owned by the United States toy giant Mattel. You may think it's not good software design to block innocuous pages, though if you have a long memory you may recall exactly this problem being highlighted in 1996, when two American journalists, Declan McCullagh and Brock Meeks, got their hands on the decrypted lists for a number of filtering (or "censorware", as opponents call them) programs.

Lots of Internet service providers offer "safe surfing" programs, often for free. The trouble, though, is that they are utter pigs in a poke: you, the "administrator", can't review what sites they block and which they allow. But you do know this: filtering software faces an impossible task. Amidst the vastness of the Web, some person (for the process cannot be automated) has to identify the sites which contain illegal/sexual/drugs/alcohol/intolerant/racist material (singly or in combination) and categorise them accurately. You don't have to do much maths to realise that, with hundreds of million of pages already out there, and thousands more appearing every day, it would take a staff of thousands of people working flat-out to review and categorise every page already there, not including the ones which change and the new ones that pop up.

However, filtering software companies never admit their mistakes. Partly, they achieve that by keeping their list of blocked sites hidden from users - and hence from people who might otherwise get angry (and sue) over being wrongly blocked. And when those errors are exposed, the companies' reaction is uniform -they reach for their lawyers to shut off the criticism, rather than improving their own systems.

That has been demonstrated again with two elegant cracks of those encrypted lists earlier this month. First, Bennett Haselton's Peacefire group (, for years a constant thorn in the filtering companies' side, produced a code-breaker program that lets you look at the 470,000 sites blocked by I-Gear on 3 March. They immediately found a 76 per cent error rate in .edu (American university) sites blocked under the category of "pornography".

Then on 11 March, two youth Internet activists, Eddy Jansson and Matthew Skala (living in Sweden and Canada respectively), published some code called "cphack" which can decrypt the "CyberNOT" list of 80,000 sites that CyberPatrol blocks from its claimed 10 million users.

I-Gear promptly faxed Peacefire's service provider, demanding that they remove Peacefire's link to I-Gear's blocked site list (which actually sits on Symantec's server). They also demanded that Peacefire should remove its code-breaking program -which Haselton refused to do.

Mattel, meanwhile, got a court order forcing Jansson and Skala to remove their site from the Net, and stop distributing information about how to decode the list. Perhaps not a smart move: within hours, mirror sites with the code and the data were popping up all over the Net. Mattel simply ramped up its lawyers, who began bulk-e-mailing anybody with even a link to the "cphack" code - including McCullagh (who disdainfully commented "a subpoena sent via e-mail [isn't] usually viewed as proper ... at least where I come from"). In response, Mattel sent him a paper subpoena, by registered mail.

But Mattel is still on a hiding to nothing, since he only linked to the code, rather than carrying it. And many of the other people it has e-mailed are outside the US, which has led some of them - including Jansson and Skala - to question what authority the first injunction carries. More mirrors are popping up daily: William Geiger III, an American programmer, has created an extensive list (plus the original) at - which will anonymise your access, so that if you mirror the data on creating cphack, he would be unable to identify you, even when injuncted.

Once again the genie is whirling out of the bottle, leaving the companies involved looking foolish. CyberPatrol could clean up its list by unblocking all those innocent pages. But it won't. It still prevents users seeing the entire corporate site of Golden West Companies, for example.

McCullagh said he was "pleasantly unsurprised by [CyberPatrol's] zaniness, idiocy and sheer lunacy. Incompetence and prudishness are still alive and well in the censorware industry!"

The only pity is how healthy that industry seems to be.