FilterGate, or Knowing What We're Walling In or Walling Out
by Art Wolinsky, Southern Regional High School • Manahawkin, New Jersey
MultiMedia Schools • May/June 2001 
Recently, I decided to take a closer look at the technologies and the blocking strategies used by filtering companies, a task I warmed to for reasons you'll see very soon below. As I did so, it appeared to me that the public has a picture of filtering that is much like the picture of the elephant in the parable of the Elephant and the Blind Men, in which six blind men were asked to describe an elephant. The first one felt its side and said an elephant was like a wall. One felt the leg and said it was like a tree. Another touched the tusk and said it was like a spear, and so on. They were all partly right, but no one had the full picture.

Elephants, Blind Men, and Internet Filtering
Our view of filtering is much like the blind men's view of the elephant. This is, of course, not because we are blind. (We can sometimes seem to be a bit myopic on this issue, however. See "Putting Things in Perspective: Taking a Trip to the Zoo" on page 24.) Rather, it's because parts of the issue are being hidden from us. We each have a personal view of filtering that is incomplete. It's is partly right and partly wrong. The problem with filtering is that it's what we don't know that can hurt us.

The ACLU and the ALA are challenging the Children's Online Protection Act (CIPA) and its filtering mandate (see "The Children's Online Protection Act, Filtering, and Legal Challenges" on page 26), but from what I've learned in my look at filtering technologies, it's clear to me that even if the ACLU and the ALA suits succeed, these groups will have only treated the symptom rather than the cause of the problem. The way filters function results in erroneously blocked sites. Defeating the law on constitutional grounds would not change filtering practices. Filtering companies might not get the windfall created by CIPA, but neither would the companies be required to change their technologies, and it would be business as usual.

However, a possible private sector class-action lawsuit being considered against one or more filtering companies is not aimed at the legislation. If implemented, it would send ripples throughout the filtering industry and have significant impact on filtering decisions already made or yet to be made. I have been conducting investigations relating to this issue and lawsuit, so let me tell you a little more about it.

I Thought It Would Be Easy
In early November last year, the day after I agreed to write an article on filtering for MultiMedia Schools, I received an e-mail that asked me what OII, the non-profit Web site [] I am involved in, was doing to get itself blocked by a certain filtering company. I didn't have the slightest idea why we would be blocked. I created the Web site and knew all of the content. There was nothing objectionable. This was obviously fodder for my article ... and incentive for my investigations.

Now I'm no novice when it comes to filtering. I've been working with national and international organizations on online safety and privacy issues for 2 years and thought I knew all the arguments about filtering. I thought it would be simple to resolve. All I would have to do is call the company in question, let them know we were being blocked in error, and that would remedy the situation. I was wrong.

I was told they would look into it and get back to me about the situation. To my amazement, I was told that there was no way of getting our site unblocked.

FilterGate: Donning the Trench Coat
I put on my Columbo trench coat, checked my Woodward and Bernstein decoder ring, and got down to work. I had agreed to write the article on filtering and I was involved in the filtering debate at the national level. I participated in discussions that would be reported back to Congress. This gave me a little more leverage when I began calling people about my organization's situation.

After numerous phone calls to the company and some muscle flexing to get through the multiple layers of customer assistance, I was able to get a more detailed explanation. I was told that our Web site was hosted on a computer that housed a significant number of adult sites, and that the ISP used technology called Round Robin DNS that made it impossible for the filtering company to block individual sites on the computer. As a result, the company had to make a decision either not to block the adult sites or to block all the sites hosted on this ISP's server. That made a sense in an Orwellian way, but if I punished an entire school because of a few misbehaving students I would probably be out of a job.

After talking with system engineers and other experts, I found out that Round Robin DNS has been around since before the Internet was popular. They told me that this technology shouldn't pose a major problem to filtering companies. It appeared that the representatives of the company that was blocking the OII site were not up on their technology, or that they were still trying to treat me like a mushroom by keeping me in the dark and covering me with fertilizer.

If the technology wasn't new and the filter shouldn't have a problem with it, what was the real problem? More digging revealed that it stems from something called IP-Independent Virtual Hosting.

How Filtering Technology Works or Doesn't Work
Most filters can be configured to block all kinds of things like e-mail, chats, newsgroups, IRC, and more. However, I will focus on Web filtering, because it is the primary and most problematic consideration for schools and libraries in regard to CIPA.

When it comes to blocking Web sites, everyone wants to know what sites are on a company's blocked list. Since almost all lists are encrypted, this can be difficult to determine. However, with access to firewall logs, some technical background, an understanding of ISP technologies, and a little creative thinking, it isn't difficult to get a clearer picture of what is happening.

We know every filter misses adult sites simply because of the sheer volume of existing sites and the number of new sites popping up daily. Filtering critics point this out, and filtering companies readily admit this.

We are also familiar with the argument that some companies have blocked sites inappropriately based on political or religious agendas. Unfortunately, there are very few companies that will confirm this kind of information, and, as mentioned, encrypted lists make it difficult to see how pervasive the practice is.

So What's the New News?
But as it turns out, the number of such blockages is insignificant, when compared to the number of other sites that are blocked by a lesser-known practice.

I suspect that many filtering companies want to keep your eyes on the sites blocked for political or religious reasons. This is because the filtering technology of some companies has not kept pace with the evolution of Internet technologies, and so the number of sites being inappropriately blocked has increased tremendously in the past 2 to 3 years. It is difficult to determine how dramatic this increase is, but I wouldn't be surprised to see a nearly exponential growth curve.

If we take a step back from this filtering elephant and focus on how a blocked-sites list is compiled rather than what is on the list, we get a much different picture.

A Web site can be blocked by URL, by IP number, or different combinations of the two methods. The URL is the name you type into a browser. The IP number is the numerical representation of what you typed. People type URLs that are translated into IP numbers that computers use. The method chosen by a filtering company makes a big difference.

URL and IP Blocking
Blocking by Web site URL might seem the most effective technique if done properly. For example, a filter might block or sexsite. However, it is time consuming and expensive for a company to maintain such a list. It also creates a huge list that can be a problem to update.

To avoid huge lists, a single IP number can be used to block hundreds of sites. For example, a server that houses hundreds of adult sites can be blocked by a single IP number (or four, if Round Robin DNS is used).

This is fine if only adult sites are on the server. However, if other legitimate sites are on the server, these are also blocked. This is one of the major reasons sites have been blocked erroneously and is one of the major criticisms of filters. The practice is not new or unknown. What is new and mostly unknown to the lay public is that with the rise in popularity of IP-Independent Virtual Hosting—a technology that enables ISPs to have hundreds or thousands of Web sites represented to the outside world through a single IP number—the problem of inappropriately blocked sites has been growing like a cancer, and the magnitude of the problem has apparently been undetected by watch dog groups.

Neither Method Works Alone
Blocking by URL alone doesn't work, nor does blocking by IP alone. URL-only blocking results in huge lists that could be made shorter by using IP numbers of adult servers. Also, anyone with a little knowledge can get around IP blocking instantly. IP-only blocking often blocks sites in error.

I don't know that any filtering company uses one method to the exclusion of the other, but the extent to which companies rely on one over the other—and whether or not the companies take virtual hosting into consideration—strongly influences the number of sites blocked in error.

I have examined firewall logs that record blocked sites, and I have used other creative techniques to peek at what is happening inside the filter that is blocking the OII site. I presented my thoughts to a representative of the filtering company in question, and to my surprise the reply I got was, "I can't find anything wrong with your logic."

I estimate that on our ISP's server there are at least 10 sites blocked inappropriately for every site blocked appropriately. I wouldn't be the least bit surprised to find that the ratio was actually much higher.

I believe all filtering companies use IP blocking of some type. But if IP-Independent Virtual Hosting is taken into account, the number of sites blocked in error is significantly lower than for companies that don't take it into account or make a serious attempt to avoid blocking innocent companies.

Why Haven't We Seen the Whole Elephant?
This question has been bothering me for 3 months, but I realized that our focus on the law and the perpetuation of myths has taken our attention off the new technologies that were compounding the problem. Companies that weren't taking virtual hosting into consideration would certainly be content to have people think sites were being blocked because of a stray word or a political agenda. These were old arguments that diverted attention from the real reason sites are being blocked in error.

To make matters worse, some filtering companies confounded things very nicely by providing misleading information on their Web sites. A statement like "Professional researchers compile these lists and organize the sites into categories" may ease the mind of Web site visitors, but this one presented a little problem when I asked which one of the company's professional researchers determined there were sex acts and nudity at the OII site.

Checking via the Web with a filtering company to see whether a site is blocked can also confound the issue. In our case, if you type in or the URL of any of thousands of other sites on the cluster of servers accessed through the four IP numbers of our ISP, the company's search tool will tell you that they are not on the blocked list. Though technically correct, this is deceptive, because if you type in any of the four IP numbers, it will tell you that those IP numbers are on the list. People don't use IP numbers, computer do. When was the last time you typed to visit CNN?

Will Things Change?
CIPA increased public awareness and should have some impact. The challenges to the legislation will make it clear that filters have to do a better job. There are also newer technologies and startup companies that hold promise for more effective solutions, including ones that put the filter override into the hands of students. The Internet Content Rating Association [] hopes to provide an alternative to filtering. However, it is too early for any of these technologies to make a difference today.

Many filtering companies have been around for a long time, and some of their methods have not evolved with the Internet. I pointed this out to a top executive in the company blocking OII. I also pointed out that I was talking to a high-tech law firm about possible legal action.

Legal challenges to filtering issues are not unusual, but during the course of one of my conversations with the law firm, there was a plot twist that rivaled anything that Hollywood could concoct. The attorneys asked me to take a look at their newly designed Web site and critique it. After I hung up, I tried to visit the site ... and called them back to explain that I couldn't critique the site because it was being blocked. That comment got the rapt attention of the law firm and the filtering company.

Some time later, I received a message from the filtering company indicating that they recognize that they must change some of the things they were doing to keep pace with the industry. Their product support division was working on a solution they hoped to report to me before this article was submitted.

On the day before deadline, I received a call from the vice president of the company. She acknowledged that there was a problem with the 4.0 client version of the software and some versions of firewall software (OEM versions) that companies licensed from them. She stressed that other solutions sold under their name do not have this problem. To address the problem the company is issuing 5.0 software that takes IP-independent hosting into account and contacting its OEM licensees concerning the issue. It will be up to each licensee to determine whether or not to switch technologies.

If nothing else, this reaffirmed my long-standing opinion that the Internet is a powerful tool for social, political, and economic change. One person can make a difference, not by acting in a solitary manner, but by using the power of the network to gather resources, raise awareness, and tap into the vast amount of talent and support available for important issues.

More Questions Than Answers
So, having read this story, now you ask me which filter you should select? The answer to that question would take another whole issue of MMS. Do you filter at the machine level? Do you place the filter on a server at the school? Do you filter through your ISP or at the district level? If you must filter, can you configure the filter to block only what is required by law? What about being able to filter differently for different groups of students? The answers depend on you, your hardware, your philosophy, and all of the other factors that make your district or school unique. What is clear is that there will be significant changes in the filtering industry in the not-too-distant future. Rushing to filter is not the solution to anything.

There are two key points you should address regardless of your situation. Before you make a filtering decision, or even if you have a filter in place, ask the filtering company how it handles IP-Independent Virtual Hosting and how it deals with Round Robin DNS. Understanding that a single IP can represent thousands of sites should make it relatively easy to determine whether you are getting a straight answer or the mushroom treatment.

But perhaps the first and most important question we have to ask is why must we filter? The ones making the decision must understand the problem and the solution. Instead of looking at the problem through the eyes of alarmists or those who stand to profit from filtering legislation, decision-makers need to open their eyes. They need to step back from the elephant and look at the problem and the solution in terms of those who are faced with it and have to deal with it on a day-to-day basis. Media specialists, students, and teachers are the ones who face the problem and are the ones who hold the solution.
Putting Things in Perspective: 
Taking a Trip to the Zoo
The situation of bringing your students online is not unlike that of a teacher who brings children on a field trip to the zoo. Consider this: When you choose to take small children to the zoo, you first make sure that it is an appropriate place for them. You have probably been there or know people who have been there. While you are there, you keep close watch on them and make sure they don't wander off. You have given them lessons about talking to strangers, and you have taught them what to do if one approaches them.

Yes, it is possible for them to see animals engaged in sex acts. Is there any strategy that will prevent that scene from unfolding in front of their eyes? Should we blindfold them and allow them to look only when the teacher says it's OK? I don't think so, but there certainly is a strategy for dealing with the situation. It is called education!

Using the Internet with small children is no different. You plan their travels. You don't let them wander off aimlessly, and you educate them to the fact that there are things they should be careful about.

The fear that children will accidentally access pornography is something that has been perpetuated by the media and exploited by those who stand to profit from that paranoia. It can happen. But that possibility must be put in proper perspective in order to make intelligent decisions.

Start with the assumption that you should never allow small children to use search engines unless you are teaching them search skills. In that case you should be using child-friendly search engines. You should be choosing the Web sites your students are going to visit, and you should provide them with the links. Given this sort of direction, what do you think the chances are that they will end up at an inappropriate site? Think of your own experience on the Internet. When you were researching school-related topics, how many inappropriate Web sites did you accidentally stumble upon as you were exploring a quality Web site? Not many, if my own considerable experience is any guide. And you are probably spending much more time online than your students will while with you.

Take them to safe places, give them engaging activities while there, teach them what to do if they get lost, and watch them to try to keep them from getting lost. Cyberspace should not be any more scary than a trip to the zoo, and filtering should be no more necessary than requiring children to wear blindfolds when visiting the zoo and looking only when they are told to do so.

— AW
The Children's Internet Protection Act, Filtering, and Legal Challenges
In order for schools and libraries to receive E-Rate funding, the Children's Internet Protection Act (CIPA) requires them to establish Internet safety policies and to provide filtering to prevent children from accessing pornography. But don't go out and spend good money on filters just yet.

As of this writing, the FCC was still seeking comment about how to implement rules. Right now, any school seeking E-Rate funding for 2001-2002 would have to certify, when filing a Form 486, that it is in compliance with CIPA. Under the law, schools can get a waiver the first funding year of the new requirement if they are in the process of fulfilling the requirements. Under the law, the FCC is supposed to have issued its final regulations by April 20, when the law is to go into effect. After you read this article, get online for the latest updates. For more details on the CIPA and what you should be doing (or not doing), check the ALA CIPA Web site [].

Another reason not to rush is that there will be legal challenges to the law. Some challenges will be aimed at its constitutionality, others may focus on the fact that there are no filters on the market that can do only what the law requires, and others may be directed at individual filtering companies based on practices I have been investigating.

The biggest challenges to the law will probably be those of the ALA and the ACLU, with the ACLU filing a suit as early as mid-March. By the time this article appears, there may already be a ruling by a lower court. However, you can be sure that if is it possible to appeal, either side will take it to the Supreme Court.

— AW

Art Wolinsky is a Technology Infusion Consultant for the Manahawkin, New Jersey, school district. Communications to the author may be addressed to him at Southern Regional HS, 600 N. Main St., Manahawkin, NJ 08050; phone: 609/597-9481, ext. 337; fax: 609/978-5357;

[Information Today Inc.]
Information Today Home Page
[MultiMedia Schools]
Home Page
[Current Issue]
Current Issue
[Current Issue]

Copyright © 2001, Information Today Inc. All rights reserved.