Tonnerre Lombard

FFII’s coordinator for Switzerland

« New «OSS Jam» with a lecture from my part
An attempt at forbidding «hacker tools» in Switzerland »

German petition against Internet censorship attracts attention

A petition against Internet censorship launched on the petition web site of the German parliament has recently gained a lot of attention, and consequently, a lot of signatures.

The subject of the petition is a proposal of the German federal police, which aims to introduce an infrastructure using which the government can block arbitrary sites on the infrastructure of all ISPs in Germany. The basic idea is that if cases of child pornography or similar are brought to the attention of the federal police, the sites are added to a blacklist. This blacklist is then distributed to all ISPs in Germany, which consequently have to redirect the users to a server of the federal government using DNS spoofing. This server will then record the IP address of the person visiting the site as a suspected consumer of pornographic material involving minors.

Ineffective measures

The Chaos Computer Club, as well as a lot of other organizations and computer magazines such as c’t, have already protested against the proposal, calling it ineffective — which is indeed the case. Any potential consumer of child pornography can simply configure their own  name server or set one of a server hosted by a friend or not located in Germany, thus escaping the measure. Also, the whole material remains on the Internet, for everybody not living in Germany to see. In order to stop the abuse of the children in question, the only effective measure would be to ask the content provider, which means the company providing hosting or housing to the web site owner, to take down the web site. Experience shows that in the vast majority of cases, this happens immediately.

Moreover, the proposal will simply not work, for a very simple reason. What the German government wants to impose here is simple basic DNS spoofing, just like the DNS spoofing attack presented by Dan Kaminsky. Since susceptibility to DNS spoofing is a serious security issue, measures have been proposed and built into major DNS servers and clients now. The principle, nowadays known as DNSSEC, is a simple public key infrastructure by the means of which every DNS zone owner (i.e. every person hosting host name records for a domain) signs their zone digitally using a so-called zone key. The public part of this key is then published to a special, cryptographically secured, service which can then subsequently be queried for such keys. If the presence of the DNS Security extension is detected on a domain, the client host will then request the public key and verify the signature of the queried data.

Since there is no way the federal police could forge such a signature, the modified DNS data would be noticed immediately and cause an error to be displayed to the user. But not only will this ruin the use case of finding people visiting child pornography sites, it will also potentially affect other data in the same zone, thus having a serious effect on the end user experience.

Creating terrorists

Another case which could be brought against these measures is that they enable an arbitrary attacker to generate terrorists. The procedure is very easy to implement, hard to notice and can be used by any random home page owner. The only thing one needs to do is to include a small iframe or image on one’s home page which leads to a server on the child pornography block list. This will get every visitor of the web site onto the list of suspected consumers of child pornographic material.

If this appears too offensive, it is possible to have a server side include or CGI script which only includes the iframe or image every once in a while. This will make the mechanism very hard to detect.

Another method would be to include an URL to the site in a banner exchange facility. This would mark a small fraction of the visitors of every web site which is a member of the banner exchange as a suspected consumer of child pornographic material.

As a summary, the mechanisms are very easy to overcome and carry a massive inherent potential for abuse. (The government could for example block the web sites of political activists, automatically, and nobody would be able to tell.) The fact that the governmental agencies threatened to sue everybody who receives, owns or publishes a copy of the list does not really help to establish the trust that this list will not be abused for somebody’s agenda.

References

If you want to help fighting this, here are some links:

This entry was posted on Wednesday, May 6th, 2009 at 10:08 pm and is filed under Censorship, Net Neutrality, Referendum. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 Responses to “German petition against Internet censorship attracts attention”

  1. jcom Says:
    May 8th, 2009 at 1:27 am

    Actually we’re more than 50.000 subscribers :)
    But hopefully it won’t stop and go on, the more the better. First of all there’s a certain amount of fake entries which must be filled with valid subscriptions.
    The other aspect is that it’s better to have more subscribers so it’s harder for the politicians to ignore it…
    All fingers crossed :)

  2. jcom Says:
    May 16th, 2009 at 7:20 pm

    Update:

    For the statistic freaks:
    http://sejmwatch.info/petition-internet-zensur.html

    As you can see we’ve breached the 83k mark. The German politicians, mainly Ursula von der Leyen (http://en.wikipedia.org/wiki/Ursula_von_der_Leyen) and Karl-Theodor zu Guttenberg (http://en.wikipedia.org/wiki/Karl-Theodor_zu_Guttenberg) are heavily shooting against the activists and supporters of the petition. In tv-interviews Guttenberg said:
    “Es macht mich schon sehr betroffen, wenn pauschal der Eindruck entstehen sollte, dass es Menschen gibt, die sich gegen die Sperrung von kinderpornographischen Inhalten sträuben.”
    “It shocks me if the the overall impression comes up that there are people who are resisting the blocking of childpornographical material”.

    The supporters (which are cleary for an effective fight against childporn) are very upset because he implies that we don’t want to fight against childporn. The sad thing is that the parts of the population which are not really into this topic believe this which makes it very hard to find new supporters.

    The politicians have upset also abuse victims which have founded MOGIS (http://mogis.wordpress.com/), MissbrauchsOpfer Gegen InternetSperren, which is a association of former abuse victims against internet blockades.

    So, there are lot more information, but unfortunately all in German :(

    Cheers Jcom

  3. M.A. Says:
    June 3rd, 2009 at 7:33 am

    Hey everyone,
    I just want to point out (or try to with my bad English) that EVERYONE in the whole world is allowed to support this petition, because german constitution grands everyone to write petitions to the german parliament (or any other public institution of germany). This right has the totality of a human right in germany (some might say, because we are a nation of complainers ;-)) - Even childern may.
    If you can read German, in this thread of the discussion site of the online-petition, you can read exactly the laws that grand you these rights:

    https://epetitionen.bundestag.de/index.php?topic=1564.0

    (starts with a discussion to fill out the registration correctly - later that foreigners are allowed to sign the petition also)

    So - why should foreigners sign a petition - THIS petetion - in germany:

    1.) Even if you are a visitor in Germany, you have the right (again granted by german constitution) to get information by every (legal) public source you like - without censoring. Of course child porn illegal. But the mechanisms to block this content can easily exended to every content - and there are no general control mechanisms - the BKA (german FBI) decides by itself which sites should be blocked - the perfect mechanism for censoring.

    2.) If you are in germany, and let’s say, go to an internet cáfe or use the connection of your hotel - and you reach a blocked website with bad luck, your IP is stored by the BKA. And the BKA has then officially thinks you are searching for cild porn - and because you are using internet not from home - there is the danger that it is not possible to find you the very next day. It might be not nice, if the police awaits you in the lobby of your hotel - only because some spambot or cyber-worm “helps” you to find illegal sites.

    3.) The lists of blocked sites are secret. If you are not using a german provider, you will never know if YOUR homepage, blog, commercial website, ect. is blocked.

    4.) This is an infrastructure for censoring - and we all know, if its installed, it will be used and extended. Do anyone in the world wants to have the germany Nation to be uninformed, wrong informed, censored? - AGAIN. History shows - we can do this quite effective and with uncontrolable consequences.

    sign the e-petition to show, that even foreigners don’t want Germany to be censored again.

    1.) make an account on the petition portal of the german parliament:
    https://epetitionen.bundestag.de/index.php?action=register

    email (repeat email), password (repeat password)

    And then your name and adress:
    Frau/Mann = Mrs./Mr.
    Name = sirname
    Vorname = first name
    organisation = institution, company… (optional)
    Titel = academic title if any (optional)
    Straße und Hausnummer = street and house number
    Postleitzahl = postual code/zip code
    Wohnort = place of residence/city
    Land = country
    Bundesland = federal state of germany/foreign countries - choose the last one (AUSLAND) if you are not living in germany
    Telefonnummer = telefon-number (optional)

    then activate option “Ich bin einverstanden” - which says, you are ok with the privacy-policy of the portal.

    At last prove, not to be a bot with:
    “Visuelle Verifizierung” - type in the letters you see in the picture on the bottom of the site,

    Then push “Registrien”-Button.

    Your username is generated automatically: “NutzerXXX” - XXX is a number.

    2.) sign in with the username and your password.

    3.) Sign the e-petition:
    You find the right one at:
    https://epetitionen.bundestag.de/index.php?action=petition;sa=details;petition=3860

    click on: “Petition mitzeichnen” - sign petition
    Its in the field “Anzahl Mitzeichnungen” (number of signings) - the forth blue box.

    Congratulations: You have signed a e-petition to the german parliament - against censoring the internet.

    greetings,
    M.A.

  4. sergey_shepelev Says:
    December 25th, 2009 at 6:02 pm

    I want to quote your post in my blog. It can?
    And you et an account on Twitter?

  5. tonnerre Says:
    January 8th, 2010 at 1:40 am

    Hi Sergey,

    You can quote every post in my blog if you retain enough of the context for people to understand it.
    I don’t have an account on Twitter, but you can find me on identi.ca.

    Regards,
    Tonnerre

Leave a Reply