Tool To Allow ISPs To Scan Every File You Transmit 370
timdogg writes "Brilliant Digital Entertainment, an Australian software company, has grabbed the attention of the NY attorney general's office with a tool they have designed that can scan every file that passes between an ISP and its customers. The tool can 'check every file passing through an Internet provider's network — every image, every movie, every document attached to an e-mail or found in a Web search — to see if it matches a list of illegal images.' As with the removal of the alt.binary newgroups, this is being promoted under the guise of preventing child porn. The privacy implications of this tool are staggering."
Re:Probably just for P2P (Score:2, Insightful)
On the flip side, having this would in place could potentially make you liable for the material your customers are transmitting. So much for common carrier status. If I were an ISP I'd be fighting this thing tooth and nail.
Huh? (Score:5, Insightful)
"The tool can 'check every file passing through an Internet provider's network -- every image, every movie, every document attached to an e-mail or found in a Web search -- to see if it matches a list of illegal images.' "
How exactly is this going to be accomplished? The equipment cost must be staggering and would consume allot of power. Way to conserve electricity, I thought we were trying to reduce the amount of power the Internet consumes. Does also this remove the common carrier status of ISP's?
I hope this never comes to fruition.
Re:Probably just for P2P (Score:5, Insightful)
This will cause huge latency issues and cost beaucoup bandwidth.
A soft touch with this would yield far better results depending on your intent. I would imagine an ISP that is sick and tired of certain traffics could utilize a system like this to start taking a closer look. Catch a few token users and then you have a excuse to throttle/monitor/block at will. I mean think of the children! What worries me is that with so many computers doing the bidding of people other than their owners, who knows what kind of traffic is being exchanged. Seems like an easy way for law enforcement to take a closer look at an individual... I've come across very questionable images via Google from rather inane, yet obscure, search queries. You could be one Russian rickroll away from the authorities and those around you having some nasty suspicions in their head.
One question (Score:5, Insightful)
So what happens when... (Score:2, Insightful)
So what happens when the malware guys decide to have their malware fire off images that are on this list of banned files/images?
Suppose that their 'smart' and have the image embeded in the malware (or otherwise obscured). the malware sits there for a while and infects as many systems as possible... then the SPAM event happens. With this crap... I mean "wonderful, keep-our-kids-safe" software kicks in and drags even more of the internet down, who's gonna pick up the tab?
I know... have the **AA morons... I mean overlord masters, sign an iron-clad agreement to pick up that tab and I'll gladly get infected. :|
Except... I don't really feel like being arrested for having been infected by perverted malware. :(
You know, it really makes me wonder... (Score:5, Insightful)
Easily gotten around (Score:4, Insightful)
Time to make a utility that puts a file into an encrypted 7Zip archive, with the password stored in some reversable encryption method (encrypt the password with all zeroes as a key 1 million to 2 million times), so it would take x CPU seconds on some hardware to decrypt it.
This would allow files to still go across the net without requiring passwords or keys, but prevent utilities like this from just passively obtaining traffic, just due to the CPU cycles involved.
Of course, just stuffing a password in the comments field works too, but with a decent text parser, it can be extracted.
Its just more of the same cat and mouse game. The real crooks will not be affected while Joe ISP User will lose his privacy even more.
Re:Huh? (Score:2, Insightful)
Does also this remove the common carrier status of ISP's?
That's a myth. They don't have it.
Re:Probably just for P2P (Score:3, Insightful)
Comment removed (Score:3, Insightful)
Re:Probably just for P2P (Score:2, Insightful)
"Each digital file has a unique digital signature, called a hash value, that can be recognized no matter what the file is named, and without having to open the file again. The company calls this list of hash values its Global File Registry."
Wait a second. Hash value? I sure hope the law enforcement people have been told about hash collisions [wikipedia.org]! I know it's unlikely in a large binary file like images or videos, but, taking one example, md5 hash collisions and ways to find them do exist, and it's inevitable that this fact about hashes could be put to some pretty nefarious uses (e.g., poisoning traffic with legal files that happen to yield the same hash as illegal ones).
And then, of course, there's encryption or other techniques which could be used to obfuscate traffic to the point it wouldn't work.
Quite apart from the awful possibility of a tool that would monitor traffic for all images and other files, I'm not even sure it would work as intended to catch the bad guys. Once they know it exists it would be easy for them to avoid. Sounds like a big waste of money.
Ways to abuse/defeat this... (Score:4, Insightful)
They're claiming they'll man-in-the-middle p2p users to disable encryption. Major problems there.
They're using a hash for the images/movies. Alter the image tags, or change a pixel, you've beat it. The more they ignore diffs, the more false positives they'll get.
There's my five seconds of thought on the efficacy/ethics of this. If you manage to solve all those problems, come back and I'll give it another five seconds. See you in ten years.
But hey, once it's in place they can use it for the *AA! Which is really what this is about, more free handouts to obsolete business models.
This is Fantastic (Score:4, Insightful)
A better use for this technology... (Score:4, Insightful)
One answer (Score:4, Insightful)
Can it decrypt SSL/SSH in real time?
According to the article they use man-in-the-middle attacks. This is probably quite easy if the server is using self-signed certs.
Child porn is perfect for framing people (Score:5, Insightful)
The problem with all the hysteria around child pornography is that it's too easy to frame someone. A little research, five minutes alone with your computer, and an anonymous phone call are all someone needs to ruin your life and reputation.
Let me be perfectly clear: Even if you're completely innocent, this is a serious threat to you. If someone decides to frame you, you won't be able to prove your innocence, and it won't matter even if you can. That's unacceptable. Yes, child porn is bad, but a society where anyone can anonymously destroy anyone else is much, much worse.
Re:Probably just for P2P (Score:4, Insightful)
If my ISP told my opponent what porn i watch, they'd be sued. To the GROUND.
Re:Probably just for P2P (Score:5, Insightful)
Re:Probably just for P2P (Score:5, Insightful)
The makers of CopyRouter claim that it can even be used to defeat encryption and compression of files in the Internet's Wild West: the peer-to-peer file-sharing tools such as Gnutella and BitTorrent.
What are they going to do? Detect and Man in the Middle [wikipedia.org] every single connection attempt that goes through their router? The file sharing tools will simply upgrade to stronger encryption, such as AES [wikipedia.org], and harden the connection handshaking against MITM attacks (perhaps by introducing public key infrastructure with well known key server(s)). It was my understanding that the present crop of file sharing tools provide obfuscation (ROT13 and the like) and not real encryption to set the bar just high enough to prevent packet inspection. However, it would not be difficult to implement stronger encryption methods (if they haven't done so already), should that prove necessary. In fact, the CopyRouter folks are at a distinct disadvantage in any encryption arms race since MITM and other cryptanalysis techniques are much more computationally expensive than the encryption itself AND the users outnumber the routers by thousands or even tens of thousands to one. The NSA might more credibly claim to be able to do this, but they have acres of underground super computers consuming as much electrical power as a small country, so I am very skeptical when anyone claims to be able to "defeat encryption" and doubly so when a private company mentions it as a bullet point in their power point presentation. It is more likely that this is a private company trying to sell a pig in a poke to ISPs and governments who don't inspect the merchandise to carefully or don't know any better.
Re:Probably just for P2P (Score:5, Insightful)
Yet, for all your noise and handwaving - you fail to establish that an ISP isn't a common carrier.
Re:Probably just for P2P (Score:5, Insightful)
But if all they are doing is comparing hash files, couldn't you just as easily change the resolution of the file, or insert a couple different bits around to change the file slightly, which ends up with a completely different hash?
Big Daddy knows best (Score:5, Insightful)
You know what? In a dozen years of actively surfing porn, I've never encountered kiddie porn in the wild. This great big threat to all mankind so severe that we all need to put woolly pullovers over all our electronic gear and filter all telecommunications is simply and plainly crap. It's a ruse.
There are some people who want to control everyone else. They want to control what you see, what you hear, and as much as is humanly possible, what you think. They want to monitor us all (but not themselves, of course) and make us all cookie-cutter little clones who all think the same harmless little thoughts and are all scared of their authority.
F * U * C * K them.
Anyone telling you this sort of "protection" is necessary is deluded or a liar. Either way, such people should be ignored or in extreme cases, put somewhere they cannot bring harm to others.
Re:Probably just for P2P (Score:5, Insightful)
But if all they are doing is comparing hash files, couldn't you just as easily change the resolution of the file, or insert a couple different bits around to change the file slightly, which ends up with a completely different hash?
Yup. That, along with good encryption, means the bad guys get around this easily, while innocent bystanders are caught up by hash collisions.
Re:Probably just for P2P (Score:2, Insightful)
My ISP is AT&T.
They're not a common carrier?
I agree with you though, that Net Neutrality is the answer to this puzzle. Without it, the Internet will be a pale shadow of what it once was, and what it could be.
Re:Probably just for P2P (Score:3, Insightful)
So now it's our responsibility to make sure our ISP doesn't get "sick and tired" of our traffic? And we're supposed to give up the privacy of our transmitted data to insure that our ISPs are happy?
Interesting, I was just thinking about how seldom I see anything remotely offensive in my regular use of Google Images. Of course, I seldom go to the 20th page of search results.
This might be more of an issue for Google to refine its search engine rather than us letting our ISPs examine our every packet at will.
Re:Probably just for P2P (Score:5, Insightful)
Best way to get anyone to get rid of something is to make them hate it. All my email blocked today? You bastards! Turn that thing off.
Re:Probably just for P2P (Score:5, Insightful)
Your ISP doesn't care about your stroke material.
This is all about P2P, the RIAA and collecting data for government and marketing purposes. Don't kid yourself that your ISP is so broken up about the possibility of sketchy porn traveling their network.
Just today I read an article quoting telecom execs about how SKYPE and other VOIP applications are going to make us less safe from terrorists. It's about profit and control, nothing more nothing less.
Re:Probably just for P2P (Score:4, Insightful)
absolutely. U.S. ISPs continue to justify overselling while complaining about "power users" using too much bandwidth and overloading their network.
when will they realize that packet shaping and other intrusive network filtering/monitoring technologies such as this generate more overhead and are a waste of resources. instead of trying to manipulate/control subscribers, they should be upping bandwidth supply to meet the growing demand. then perhaps the U.S. wouldn't be left in the dust both in terms of average broadband speeds as well as cost of broadband.
you don't employ mandatory property searches to combat child pornography. not only would it be ineffectual, but even if it did it still wouldn't be worth the encroachment of our civil liberties. frankly, idiots who use the banner of fighting child pornography to pass stupid laws to destroy our democratic freedoms or strip away the rights of individuals are a much greater threat to society than someone who just downloads child pornography. those are the real sociopaths IMO.
if you want to protect children, give them free access to health care. give them free access to high education. create outreach programs to at-risk youth. employ social workers at school to watch for warning signs of abuse and provide counseling services at school for victimized children. narrow the disparity in education between the rich and poor so that poor children have equal opportunity to succeed in life.
you don't protect children by creating a fascist society around them.
Re:Probably just for P2P (Score:5, Insightful)
That's not hostile, much. As is common in our corporatocracy, here's a company that starts from the assumption that their customers are their enemy. So now we're going to pay our ISPs to "fool" our computers. Some "customer service" huh?
No thank you.
How about this: We pay you, and you give us bandwidth and stay the fuck out of our business. If we're using too much bandwidth, then spell it out in our contract and charge us more, so we can choose to give our business to someone else.
Comment removed (Score:3, Insightful)
Re:Probably just for P2P (Score:4, Insightful)
If you think that this has anything to do with combating child pornography, then you are seriously naive.
Re:Probably just for P2P (Score:2, Insightful)
Re:Probably just for P2P (Score:3, Insightful)
Yes, but his basic point is still valid. The DMCA only provides a shield against claims of copyright infringement. This isn't the issue here at all.
Once the justice system recognizes some kind of legal obligation for the ISPs to scan the files passing through their pipes for child porn it is only a matter of time until some mother of an abused child sues the ISP for failing to properly monitor it's customers on the theory this would have prevented the abuse of her child.
Now you might respond that any law placing such a requirement on the ISPs might immunize them against any such lawsuit provided they implemented the required monitoring. Perhaps, but as a practical matter that will bring little comfort to the ISPs.
I mean even if the mother of an abused child doesn't have a legal leg to stand on once the public starts to think of ISPs as being responsible for child-porn monitoring just the bad PR alone from this kind of lawsuit poses a serious threat to the company. Moreover, when talking about child porn and child molestation you can't discount the total irrational fervor that comes over people.
I mean if you were an ISP would you really want to bet that some crusading attorney general wouldn't go over every last nitpicking detail of the monitoring safe harbor in the hope of crucifying the company that (perhaps in the name of protecting privacy) wasn't aggressive enough in their monitoring. And even if some kind of safe harbor works the first time congress and the states would rush to change the law to prevent 'negligent' companies from getting off the hook.
------
Don't get me wrong, this isn't a guarantee something like this won't happen. Sure, your local neighborhood ISP might not like the idea but this doesn't mean it's in the interest of AT&T or Verizon to risk being seeing as insufficiently outraged about child porn.
The last page (4) of the article reveals the truth (Score:5, Insightful)
"...Internet service providers could easily be seen by the public as "overreaching," making it harder to get public support for efforts of law enforcement. What's needed, said the group's executive director, Grier Weeks, is for cops to investigate the leads they already have..."
and
"The Department of Justice and all 50 attorneys general are sitting on a mountain of evidence leading straight to the doors of child pornography traffickers," Weeks said. "We could rescue hundreds of thousands of child sexual assault victims tomorrow in America, without raising any constitutional issues whatsoever. But government simply won't spend the money to protect these children. Instead of arrests by the Federal Bureau of Investigation, the child exploitation industry now faces Internet pop-ups from the Friendly Bus Investigators. That was always the fundamental difference between the Biden bill and the McCain bill. Biden wanted to fund cops to rescue children. McCain wanted to outsource the job."
This my friends is about the money! The U.S. Government and Brilliant Digital (ironic business name!) both know this won't work. Brilliant Digital see this as a market to exploit and make millions of dollars. The U.S. Government get a "cheap" way of "dealing" with child pornography and a perception from the general public as "something being done".
I'm sure the Government know about Brilliant Digital's dubious past but the percieved "benefits" are too good to miss.
It's a win-win for both parties!
I have children myself and I find developments like this horrifying.
Someone does not become a paedophile by looking at images on the internet, it's deeper and more complex then this - blocking content will not cure the problem or reduce related crimes in any way.
The last quoted paragraph sends chills down my spine and really makes me angry.
Children can be rescued if the funding is available but a company like Brilliant Digital will recieve the funding instead and the problem is never solved - people are made richer instead.
I really mean Think of the children
Forget privacy - how about hiding the truth? (Score:1, Insightful)
Imagine a net where we wouldn't know Saddam had no weapons of mass destruction.
Imagine a net where we wouldn't know the three WTC centre buildings were taken down by demolition.
Imagine a net where we wouldn't know of Israel's ethnic cleansing of palestine.
Imagine a net where we wouldn't know that the accusations made against Iran are bogus.
Imagine a net where we wouldn't know of the Coup in Venezuala sponsored by the CIA.
Imagine a net where we wouldn't know about Abu Ghraib.
Imagine a net where we wouldn't know about Extraordinary rendition, torture and murder of innocents.
Imagine a net where we wouldn't know about warrantless wiretapping and domestic spying.
Imagine a net where we wouldn't know about the USS Liberty.
Child pornography is NOT the focus of implementing these systems - it is putting into place the mechanisms that will allow some future government to clamp down on information of their crimes and those of their allies and take another small step towards the totalitarian state.
Re:Probably just for P2P (Score:3, Insightful)
No problem the next step will be just to make encryption illegal.