Al Live: Filtering: The Man in the Middle

THE MAN IN THE MIDDLE: E-RATE, FILTERING, AND CYBER-SECURITY. Office for Intellectual Freedom, American Library Association. Sept. 15, 2016

Upload: alatechsource

Post on 07-Jan-2017


Page 1: Al Live: Filtering: The Man in the Middle

THE MAN IN THE MIDDLE
E-RATE, FILTERING, AND CYBER-SECURITY

Office for Intellectual Freedom
American Library Association

Sept. 15, 2016

Page 2: Al Live: Filtering: The Man in the Middle

The issue

• New money!
• ALA’s history with filtering
• Cybersecurity issues
• The FCC
• Questions

Page 3: Al Live: Filtering: The Man in the Middle

The panelists

• Bob Bocher, Fellow, ALA's Office for Information Technology Policy
• Doug Archer, Peace Studies and Global Affairs librarian at University of Notre Dame’s Hesburgh Libraries
• Michael Robinson, Chair of the ALA's Intellectual Freedom Privacy Subcommittee and Head of Systems at the Consortium Library at the University of Alaska Anchorage's Consortium Library
• Deborah Caldwell-Stone, Deputy Director of the ALA’s Office for Intellectual Freedom
• Moderator: Jamie LaRue, Director, ALA’s Office for Intellectual Freedom

Page 4: Al Live: Filtering: The Man in the Middle

Bob Bocher

• Fellow, ALA Office for Information Technology Policy
• Wisconsin State Library E-rate and Broadband Support Team

Page 5: Al Live: Filtering: The Man in the Middle

E-rate and Filtering: An Overview

• E-rate provides discounts of 20-90% on:
  – Telecommunication services (Category 1)
  – Internet access (Category 1)
  – Internal connections (Category 2)
• Filtering mandated by CIPA applies to:
  – Internet access
  – Internal connections
  – But not telecommunications

Page 6: Al Live: Filtering: The Man in the Middle

Impact of 2014 FCC E-rate Reforms

• Focus on broadband
  – 62% of libraries had <10Mbps
  – 41% of libraries had insufficient broadband
  – POTS discounts phased-out
• Increase funding from $2.4 to $3.9 billion
  – Ensures all applications are funded
    • Past fund limits meant no internal connections were funded

High-speed broadband is critical for 21st century libraries. With it patrons can participate in the digital world. --FCC E-rate Order

It is in the national interest to increase funding for library broadband capacity. -- ALA comments to FCC

Page 7: Al Live: Filtering: The Man in the Middle

E-rate Reforms And Filtering

• Lost: POTS discounts
• Gained: Sufficient funding
• Result: Some libraries may review use of filters
• OITP working with SLD, FCC
  – Review CIPA requirements
    • Focus on ways to disable filter
  – CIPA summary in July 21 SLD News Brief

FCC rules when to disable the filter would likely be overbroad and imprecise, potentially chilling speech. We leave this to the local library. --FCC CIPA regulations, April 2001.

Page 8: Al Live: Filtering: The Man in the Middle

Doug Archer

• Peace Studies and Global Affairs librarian at University of Notre Dame’s Hesburgh Libraries

Page 9: Al Live: Filtering: The Man in the Middle

ALA & Filters -- THEN

• ALA opposed filters in libraries because they
  – Over blocked constitutionally protected speech
  – Under blocked their stated target
• ALA opposed CIPA
  – Facial challenge: unconstitutional on its face
  – SCOTUS: constitutional if unblocking possible
    • Only required blocking of images (plus a policy)
    • Only if one wanted federal funds

Page 10: Al Live: Filtering: The Man in the Middle

ALA & Filters -- NOW

• ALA still “cannot” recommend filters
  – Filters continue to over and under block
  – See: Batch, Kristen R. Fencing Out Knowledge. ALA OITP & OIF, Policy Brief No. 5, June 2014
• ALA supports libraries that don’t filter
• ALA understands that some libraries feel that they must filter
  – For local considerations (e.g., local politics)
  – For the money (e.g., need it to have any access)

Page 11: Al Live: Filtering: The Man in the Middle

Minimizing the Negatives

• If a library feels that it must use filters, ALA recommends that it:
  – Do its best to minimize the impact of filters by
    • Selecting the most flexible filter possible
    • Maintaining as much local control as possible
    • Using the lowest settings possible
  – That is, block as little as possible consistent with CIPA
  – Do not be tempted to block “offensive” content just because it’s easy to do

Page 12: Al Live: Filtering: The Man in the Middle

Michael Robinson

• Chair of the ALA's Intellectual Freedom Privacy Subcommittee and
• Head of Systems at the Consortium Library at the University of Alaska Anchorage's Consortium Library

Page 13: Al Live: Filtering: The Man in the Middle

The Man in the Middle

[Diagram. Unfiltered: Browser ↔ Website. Filtered: Browser ↔ Filter ↔ Website.]

Page 14: Al Live: Filtering: The Man in the Middle

Techniques for Content Filtering

• Block or allow based on domain name or URL
  – i.e. blacklists or whitelists
• Block or allow protocols / ports
  – http, https, ftp, ssh, proxies, streaming, etc
• Inspect content of web page to block or allow
  – Keywords, phrases, or patterns in content
  – Types of embedded content (media, scripts, etc)
  – Source of embedded content (e.g. YouTube)
  – Metadata of embedded content (e.g. jpg name)

Page 15: Al Live: Filtering: The Man in the Middle

HTTPS

• Encrypts communication between browser and website
• Contents of the web page are encrypted
• Domain name is unencrypted
• But rest of URL path is encrypted, i.e. what specific section, page or file is requested

https://somewebsite.com/

Page 16: Al Live: Filtering: The Man in the Middle

HTTPS

[Diagram. Unfiltered: Browser ↔ Website. Filtered: Browser ↔ Filter ↔ Website. Labels: Encrypted Content; Encrypted Content & URLs.]

Page 17: Al Live: Filtering: The Man in the Middle

HTTPS & Content Filtering

• Block or allow based on domain name or URL
  – i.e. blacklists or whitelists
• Block or allow protocols / ports
  – http, https, ftp, ssh, proxies, streaming, etc
• Inspect content of web page to block or allow
  – Keywords, phrases, or patterns in content
  – Types of embedded content (media, scripts, etc)
  – Source of embedded content (e.g. YouTube)
  – Metadata of embedded content (e.g. jpg name)

Page 18: Al Live: Filtering: The Man in the Middle

HTTPS Decryption

[Diagram. Unfiltered: Browser ↔ Website. Filtered: Browser ↔ Filter ↔ Website. Labels: Encrypted; Encrypted Content; Encrypted.]

Page 19: Al Live: Filtering: The Man in the Middle

HTTPS Decryption

• Filter presents certificates pretending to be requested HTTPS website
• Activities on supposedly secure websites can now be monitored, inspected and logged
  – Financial, commercial, legal, medical, educational
  – Usernames, passwords, account numbers, PII
• Technically qualifies as a Man-in-the-Middle Attack although that is not the intent

Page 20: Al Live: Filtering: The Man in the Middle

Movement to Encrypt the Web

• Recent study: 50% of Web encrypted
• Presents challenges to content filtering
  – HTTPS “breaks” filtering
  – But decryption compromises privacy & security
• Optics are bad for libraries
  – Is filtering only on domain name good enough?
  – If decryption is enabled, what does user notification look like?

“We can see and record all your activities on secure websites but promise we won’t do anything bad”

Page 21: Al Live: Filtering: The Man in the Middle

Deborah Caldwell-Stone

• Deputy Director of the ALA’s Office for Intellectual Freedom

Page 22: Al Live: Filtering: The Man in the Middle

What CIPA Requires

• Adults: the filter must be set to block visual images that are obscene or child pornography.
• Minors: the filter must be set to block visual images that are obscene, child pornography or harmful to minors.

Page 23: Al Live: Filtering: The Man in the Middle

What CIPA Does NOT Require

Blocking access to narratives or other text-based material.

Blocking access to controversial viewpoints or subjects.

Blocking access to social media sites or search tools.

Tracking or monitoring users' web surfing habits.

Page 24: Al Live: Filtering: The Man in the Middle

Defining Illegal Speech

Two categories of speech receive no First Amendment protection:

• Obscenity
• Child pornography

A third category of protected speech for adults is unprotected for persons under 17

• "harmful to minors" or "obscene as to minors"

Page 25: Al Live: Filtering: The Man in the Middle

The Federal Communications Commission is responsible for implementing and enforcing the provisions of CIPA.

• The FCC has given libraries wide latitude on how to implement CIPA's requirements.

• Enforcement is a civil, administrative matter – not a criminal proceeding.

Page 26: Al Live: Filtering: The Man in the Middle

“Maximum Flexibility”

• "We have attempted to craft our rules in the most practical way possible, while providing libraries with maximum flexibility. We conclude that local authorities are best situated to choose the technology measures and Internet safety policies most appropriate for their communities.”

• Allows libraries that must filter opportunities to innovate within the boundaries of the CIPA statute

Page 27: Al Live: Filtering: The Man in the Middle

Panelist comments?

Page 28: Al Live: Filtering: The Man in the Middle

Audience questions

Page 29: Al Live: Filtering: The Man in the Middle

Summary

• E-rate changes may give some libraries incentive to review the filtering issue

• Money is good.
• Values are forever.

Page 30: Al Live: Filtering: The Man in the Middle

Resources

• SLD CIPA Information -- and -- July 21, 2016 CIPA News Brief
  – http://www.usac.org/sl/applicants/step05/cipa.aspx
  – http://www.universalservice.org/sl/tools/news-briefs/preview.aspx?id=709
• State E-rate Coordinators for Libraries
  – http://www.ala.org/advocacy/e-rate-state-coordinators
• Batch, Kristen R. Fencing Out Knowledge: Impacts of the Children's Internet Protection Act 10 Years Later. Policy Brief No. 5, June 2014. ALA Office for Information Technology Policy and ALA Office for Intellectual Freedom.
  – http://connect.ala.org/files/cipa_report.pdf
• Filters and Filtering
  – http://www.ala.org/advocacy/intfreedom/filtering
• Internet Filtering: An Interpretation of the Library Bill of Rights – Adopted June 30, 2015, by the ALA Council.
  – http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/internet-filtering
• This slide deck and related resources: <hyperlink here>

Page 31: Al Live: Filtering: The Man in the Middle

QUESTIONS?