The Wall Street Journal published an article Monday listing the Western-made Internet censoring programs used by several Middle Eastern governments, in countries that filter what their citizens can access on the Web. Like a similar 2011 report from the OpenNet Initiative, hopefully this listing will shine a spotlight on the problem, and make it easier for human rights groups to call for these companies to stop aiding censorious governments.
However, I wish that the article had quoted someone giving a rebuttal to the several companies which claimed, "Once the customer buys the product, we have no control over it," as stated variously Netsweeper, Blue Coat, and McAfee (which makes Smartfilter). For a product that relies on continuous updates provided by the software company, this claim, of course, is nonsense. Unfortunately, the claim seems to go unchallenged so often, that there's a risk that it will start to affect policy -- people may believe that we can't regulate how American censorware is used by repressive countries, so we shouldn't even try.
Some background: When a customer buys a standard network filtering program like Websense, SmartFilter, or Blue Coat, the product comes with a built-in list of websites to be blocked by the software. (The customer can select or de-select categories of sites to be blocked, like "pornography" or "gambling".) The purchase of the software typically comes with a year or two of free updates to the blocked-site list. The software vendors employs a combination of human reviewers and (more often) automated crawlers to scour the Web looking for new sites that fall into their categories, and add these sites to their database. Customers who are within their subscription period can download periodic updates to this blocked-site list. After a customer's initial free subscription period runs out, they can opt to continue purchasing updates to the database. If they don't, then the product will continue to work, but the blocked-site list will be frozen (except for any new sites that the customer finds on their own and adds manually to their own blocked-site list).
Once the blocked-site list is frozen, the filtering product becomes ineffective against any user making a serious effort to get around it. This is because there are many mailing lists like mine that mail out new proxy sites every week (a proxy site is a site which contains a form that allows the user to access third-party Web sites indirectly, usually to circumvent Internet blocking). And as long as the user can access at least one unblocked proxy site, they can access any other blocked site by going through the proxy. So when a censorious regime stops updating their blocked-site list, the product becomes ineffective almost immediately. (For that, I suppose, the blocking companies should be grateful to us proxy site makers, since we make it necessary for their customers to keep renewing their blocked-site subscriptions year after year.)
So, even if one were to accept the (highly dubious) claim that the software vendors didn't realize what was going on when a foreign government approached them to buy their software, once they realize that their software is being used to violate the rights of the country's people, they can easily stop providing updates to that customer. This can be done by either (a) blocking the IP addresses that the customer uses to download the updates, or (b) blocking any further updates using that customer's license key. (Each installation of a blocking program like Websense comes with a license key unique to that customer, and the program has to submit the license key to the download server in order to download the latest update to the blocked-site list. If the customer's subscription runs out or gets cancelled, no more updates.)
This is roughly the situation that exists in Iran. The Iranian government claims to use McAfee's Smartfilter to filter Internet access for their citizens, despite McAfee's claim that they don't sell to Iran because of the embargo. But the evidence suggests that while Iran may have once acquired Smartfilter along with a copy of their filter list that was current at the time, they're not getting regular updates to the blocked-site list. From corresponding with Iranians and testing the filter through a server located inside Iran, I've found that most of the proxy sites we mail out never get blocked at all in Iran, even as they eventually get blocked in countries like Bahrain and Kuwait that are using Smartfilter with a subscription to the blocked-site database. The proxy sites we mail out that do get blocked in Iran are usually blocked a few days later than they are in Bahrain and Kuwait. This suggests that the Iranian censors are finding and blocking new proxy sites by ad hoc methods, and that they're not as effective at it as American censorware companies. So the Iranian situation proves two points: that Western blocking companies really can prevent a foreign government from using their products (well, duh), and that this restriction actually works, in the sense of making the country's filter less effective.
So when a McAfee spokesman told the WSJ reporters, "You can add additional websites to the block list; obviously what an individual customer would do with a product once they acquire it is beyond our control," that's true only in the most literal sense. Yes, Bahrain can add human rights web pages to their list of sites blocked by Smartfilter, and McAfee can't stop them, but the effectiveness of this block depends on the Bahrani censors using Smartfilter to block new proxy sites as well, which McAfee continues to aid them in doing, as a matter of choice.
Websense, incidentally, announced in 2009 -- in response to an earlier ONI report describing how their software was used to censor Internet access in Yemen -- that they would stop providing censoring software to the Yemeni government. But ONI's current report claims that the Yemeni government continued to use Websense into 2011, and Websense declined to comment. Maybe the Yemeni government was using Websense with a "frozen blocked-site list" -- but the ONI report includes at least one instance where a site that was un-blocked by Websense (the opennet.net domain itself!) became un-blocked in Yemen shortly afterwards. So maybe Websense just lied about canceling the Yemenis' license.
Could some censorious country like Yemen continue using the Websense filter -- with a continuously updated blocked-site list -- even after Websense truly tried to cut them off? Possibly, but it would probably be more trouble than it's worth. Yemen would have to set up a shell company outside of their own borders, with an overseas bank account, in order to purchase the software. Then after Yemen had installed Websense on their servers, they would have to download the updates indirectly by going through an anonymizing proxy set up in some other country as well. And if Websense ever found out which of their customers was a shell company used by the Yemeni government, they could cut off that customer's license, and the Yemeni censors would have to start all over again. It's probably safe to say that most Middle Eastern countries wouldn't find this worth the trouble. (After all, Iran could do everything I've just described, but apparently they haven't; they still seem to be using Smartfilter with an outdated copy of the blocked-site list, and adding new proxy sites to their blacklist manually.)
So far, proposals to ban American censorware companies from selling to foreign governments have not gotten off the ground -- and now with several Middle Eastern countries using or looking at Netsweeper, we'd have to get Canada on board as well. But at the very least, let's start calling out censorware companies on the canard that "We just sell the software and have no way of controlling who uses it." The companies know that foreign governments are using it to censor their own people, and they can cut them off as customers any time they want to; they just don't.