Who is reading your email?

[As ever, you can read this on the BBC News website]

Every time you send an email it passes through a series of computers on its way to the intended destination. Most of them are owned and managed by internet service providers, although if you use webmail from Yahoo!, Google or Microsoft then it may take a different route.

But whoever provides your email, the chances are they are having a look at every message you send or receive.

At the moment their reasons are mostly benign since they are looking for spam, viruses and other nasty stuff that we wouldn’t want anyway.

Google Mail users have got used to the fact that their emails are being read by a machine looking for context-sensitive ads to put on the same page, and most of us have encountered a company that reads all incoming email looking for rude or inappropriate words, even if it sometimes appears absurd.

I used to edit an arts email newsletter, and one issue was rejected by several recipients because it had an article on the ‘ars electronica’ prize, but even with its flaws this helpful scanning is something that has obvious benefits.

And my ISP helpfully lets me choose whether to have them look for spam or let it all through for me to deal with.

But if a plan being put forward by five US-based net companies goes ahead the same approach could be used to look for emailed images of child abuse, material that is still sometimes called ‘child pornography’.

And the consequences for all net users could be more serious than just losing the odd legitimate message to the spam filters.
AOL, Yahoo!, Microsoft, EarthLink and United Online have joined with the US National Center for Missing & Exploited Children to create what they call a ‘Technology Coalition’ to look for new ways to safeguard children.

Their first initiative is a plan to create a database of the images of child abuse they find and process each to create a ‘digital fingerprint’.

They will then look at email attachments and images traded over peer to peer networks, swapped on messaging services or posted on websites to try to spot illegal images.

However they haven’t yet said what will happen if they find one.

I rather hope they won’t simply call the cops, since with millions of images of all types being sent over the net every day the chances of some false positives, when an entirely innocent drawing of a tree happens to generate the same code as an image of abuse, must be quite high.

But the lack of detail is typical of this sort of proposal.

The real goal, as so often with big initiatives from large companies around areas of public concern, is designed to show that ‘something is being done’ and to tell government – in this case the US Attorney General Alberto Gonzales – that the situation is under control and no new laws or regulations are needed.

The scheme may actually work, especially since recent research from Binghamton University in New York indicates that every digital camera has a different ‘signature’ that can be used to identify which pictures it took. Looking for photos taken with known abusers’ cameras might pay dividends.

However the initial funding for the new coalition is only one million dollars, or roughly four cents for each of AOL’s twenty-five million customers, so the suspicion has to remain that this is an attempt to get friendly headlines rather than really make a difference.

Yet it may be enough to deter the sort of government interference in their business that ISPs in the UK seem to be about to experience, since while the Senate likes to talk about how it will regulate the industry they rarely get round to passing any actual laws.

Over here things tend to take a different course.

Just last week the British Board of Film Censorship expressed an interest in taking web content under its wing, and Vernon Coaker, a Parliamentary Under-Secretary, Home Office told MPs that the government expected that ‘by the end of 2007, all ISPs offering broadband internet connectivity to the UK general public [will] put in place technical measures that prevent their customers accessing websites containing illegal images of child abuse identified by the IWF’.

The clear implication is that if they don’t do it voluntarily then the law will be changed to force them to do so.

The list of websites to which he referred is drawn up by the self-proclaimed guardians of Internet morality, the Internet Watch Foundation. The IWF, which has no statutory authority and no real legal powers, provides a hotline for people to report images of child abuse and works with the police to get sites hosting such abhorrent content removed.

Not content with this role, it also provides ISPs with a list of sites and web pages it has not managed to remove but which it considers unacceptable or illegal under current law.

The ISPs then stop their customers from viewing the sites concerned, although generally they don’t actually tell you that the material concerned is banned because it is considered illegal, they just return a ‘page not found’ error.

Both schemes, one for tracking images as they are exchanged and the other for stopping web users from accessing pages that contain banned material, offer the illusion of effectiveness while doing nothing to deal with the real problem of adult paedophiles using the network to help them abuse children.

It is clear that most of the trade in these appalling images happens on restricted servers, and most of the files are carefully encrypted or obfuscated before they are sent over the public network.

The real danger with media-friendly announcements of new Internet Coalitions or self-congratulatory annual reports on the number of reports of abusive images made to the authorities is that it encourages a belief that the situation is somehow under control, when it so clearly is not.

The tension between our freedom to use the network and the need to safeguard children is a driving issue for the internet’s development, and we need to think far more deeply about it than we have managed to do so far. There is no simple answer, and if we settle for one then we will neither protect children nor safeguard our liberties.

Bill’s Links

Press release

BBC on the new coalition
Wired news coverage
Signatures of digital cameras
Home Office policy

This entry was posted in billblog. Bookmark the permalink.

6 Responses to Who is reading your email?

  1. barryd says:

    Oh what utter tosh. I must object to

    “since with millions of images of all types being sent over the net every day, the chances of some false positives, when an entirely innocent drawing of a tree happens to generate the same code as an image of abuse, must be quite high”

    For someone who purports to being an expert you are very found of hyperbole.

    Admittedly MD5 has collisions, even SHA1 has collisions however when comparing actual files, as opposed to the brute force conditions used to produce the breaks the actual chance of a naturally occurring collision is extremely minimal. Then of course there’s SHA-128,-256 and 512, reducing the chance further. And these are common fingerprinting techniques.

    Simply by changing a single bit in the image the fingerprint would change, lo, it’s all useless. But I guess that’s not as emotive as the nonsense about a picture of a tree.

  2. Secret Admirer says:

    You are a big idiot who doesn’t know shit from a tree. I have been developing all of my young adult life and truly your comment about MD5 hashing is completely taken out of context.

    Therefor, you are a complete and utter idiot.

  3. The popularity of the internet has been fueled by its unrestricted freedom. I believe that regardless of any restrictions we put inplace, (bad) people will always circumvent our technological barriers. Therefore scanning mail for known images or textual phrases will only work for a limited time before as you say everything is encrypted. As we know encryption of messages brings with it its own problems for the state (proposed 90 day detention limit).

    An independant body to keep tags on illegal sites is a good step. Forcing ISPs in our country to adhere to making them unavailable is probably also a good step. Protecting our children is very important. We put dirty mags on the top shelf in newsagents. Doing the same on the internet should also be a priority i.e. via a .xxx domain which can be restricted by responsible parents via software.

  4. Pingback: Security and Privacy News Info

  5. VIMI says:

    Not to mention how easy to trace an email.
    Tracing Email
    Though the idea of Lennie Briscoe of designating domains rather than trying to control or censor the whole network (an idea of a lazy mind and quite counter productive if not achievable)is the right way. Its some sort of zoning. Any adult sites outside that zone should be arbitrarily shut down in combination of parents awareness and self education.

  6. Pingback: Channel 9

Leave a Reply

Your email address will not be published. Required fields are marked *