1.
THE MAN IN THE MIDDLE
E-RATE, FILTERING, AND CYBER-SECURITY
Office for Intellectual Freedom
American Library Association
Sept. 15, 2016
2.
The issue
• New money!
• ALA’s history with filtering
• Cybersecurity issues
• The FCC
• Questions
3.
The panelists
• Bob Bocher, Fellow, ALA's Office for Information
Technology Policy
• Doug Archer, Peace Studies and Global Affairs librarian
at University of Notre Dame’s Hesburgh Libraries
• Michael Robinson, Chair of the ALA's Intellectual
Freedom Privacy Subcommittee and Head of Systems at the
University of Alaska Anchorage's Consortium Library
• Deborah Caldwell-Stone, Deputy Director of
the ALA’s Office for Intellectual Freedom
• Moderator: Jamie LaRue, Director, ALA’s Office
for Intellectual Freedom
4.
Bob Bocher
• Fellow, ALA Office for Information
Technology Policy
• Wisconsin State Library E-rate and
Broadband Support Team
5.
E-rate and Filtering: An Overview
• E-rate provides discounts of 20-90% on:
– Telecommunication services (Category 1)
– Internet access (Category 1)
– Internal connections (Category 2)
• Filtering mandated by CIPA applies to:
– Internet access
– Internal connections
– But not telecommunications
6.
Impact of 2014 FCC E-rate Reforms
• Focus on broadband
– 62% of libraries had <10Mbps
– 41% of libraries had insufficient
broadband
– POTS discounts phased-out
• Increase funding from $2.4 to $3.9 billion
– Ensures all applications are funded
• Past fund limits meant no internal
connections were funded
High-speed broadband is
critical for 21st century
libraries. With it patrons
can participate in the digital
world. --FCC E-rate Order
It is in the national interest
to increase funding for
library broadband capacity.
-- ALA comments to FCC
7.
E-rate Reforms And Filtering
• Lost: POTS discounts
• Gained: Sufficient funding
• Result: Some libraries may review
use of filters
• OITP working with SLD, FCC
– Review CIPA requirements
• Focus on ways to disable filter
– CIPA summary in July 21 SLD
News Brief
FCC rules when to disable the
filter would likely be overbroad
and imprecise, potentially
chilling speech. We leave this
to the local library. --FCC CIPA
regulations, April 2001.
8.
Doug Archer
• Peace Studies and Global Affairs
librarian at University of Notre Dame’s
Hesburgh Libraries
9.
ALA & Filters -- THEN
• ALA opposed filters in libraries because they
– Overblocked constitutionally protected speech
– Underblocked their stated target
• ALA opposed CIPA
– Facial challenge: unconstitutional on its face
– SCOTUS: constitutional if unblocking possible
• Only required blocking of images (plus a policy)
• Only if one wanted federal funds
10.
ALA & Filters -- NOW
• ALA still “cannot” recommend filters
– Filters continue to overblock and underblock
– See: Batch, Kristen R. Fencing Out Knowledge.
ALA OITP & OIF, Policy Brief No. 5, June 2014
• ALA supports libraries that don’t filter
• ALA understands that some libraries feel that
they must filter
– For local considerations (e.g., local politics)
– For the money (e.g., need it to have any access)
11.
Minimizing the Negatives
• If a library feels that it must use filters,
ALA recommends that it:
– Do its best to minimize the impact of filters by
• Selecting the most flexible filter possible
• Maintaining as much local control as possible
• Using the lowest settings possible
– That is, block as little as possible consistent with
CIPA
– Do not be tempted to block “offensive” content
just because it’s easy to do
12.
Michael Robinson
• Chair of the ALA's Intellectual Freedom
Privacy Subcommittee and
• Head of Systems at the University of Alaska
Anchorage's Consortium Library
13.
The Man in the Middle
[Diagram: Unfiltered: Browser <-> Website. Filtered: Browser <-> Filter <-> Website.]
Techniques for Content Filtering
• Block or allow based on domain name or URL
– i.e. blacklists or whitelists
• Block or allow protocols / ports
– http, https, ftp, ssh, proxies, streaming, etc
• Inspect content of web page to block or allow
– Keywords, phrases, or patterns in content
– Types of embedded content (media, scripts, etc)
– Source of embedded content (e.g. YouTube)
– Metadata of embedded content (e.g. jpg name)
15.
HTTPS
• Encrypts communication between browser
and website
• Contents of the web page are encrypted
• Domain name is unencrypted
• But rest of URL path is encrypted, i.e. what
specific section, page or file is requested
https://somewebsite.com/
17.
HTTPS & Content Filtering
• Block or allow based on domain name or URL
– i.e. blacklists or whitelists
• Block or allow protocols / ports
– http, https, ftp, ssh, proxies, streaming, etc
• Inspect content of web page to block or allow
– Keywords, phrases, or patterns in content
– Types of embedded content (media, scripts, etc)
– Source of embedded content (e.g. YouTube)
– Metadata of embedded content (e.g. jpg name)
19.
HTTPS Decryption
• Filter presents certificates pretending to be
requested HTTPS website
• Activities on supposedly secure websites can
now be monitored, inspected and logged
– Financial, commercial, legal, medical, educational
– Usernames, passwords, account numbers, PII
• Technically qualifies as a Man-in-the-Middle
Attack although that is not the intent
20.
Movement to Encrypt the Web
• Recent study: 50% of Web encrypted
• Presents challenges to content filtering
– HTTPS “breaks” filtering
– But decryption compromises privacy & security
• Optics are bad for libraries
– Is filtering only on domain name good enough?
– If decryption is enabled, what does user
notification look like?
“We can see and record all your activities on secure
websites but promise we won’t do anything bad”
21.
Deborah Caldwell-Stone
• Deputy Director of the ALA’s Office for
Intellectual Freedom
22.
What CIPA Requires
• Adults: the filter must be set to
block visual images that are
obscene or child
pornography.
• Minors: the filter must be set to
block visual images that are
obscene, child pornography
or harmful to minors.
23.
What CIPA Does NOT Require
• Blocking access to narratives or other text-based material.
• Blocking access to controversial viewpoints or
subjects.
• Blocking access to social media sites or search
tools.
• Tracking or monitoring users' web surfing habits.
24.
Defining Illegal Speech
Two categories of speech receive no
First Amendment protection:
• Obscenity
• Child pornography
A third category of protected speech
for adults is unprotected for persons
under 17
• "harmful to minors" or "obscene as to
minors"
25.
The Federal Communications Commission is
responsible for implementing and enforcing
the provisions of CIPA.
• The FCC has given libraries wide
latitude on how to implement CIPA's
requirements.
• Enforcement is a civil, administrative
matter – not a criminal proceeding.
26.
“Maximum Flexibility”
• "We have attempted to craft our rules in the most
practical way possible, while providing libraries
with maximum flexibility. We conclude that local
authorities are best situated to choose the
technology measures and Internet safety policies
most appropriate for their communities.”
• Allows libraries that must filter opportunities to
innovate within the boundaries of the CIPA statute
29.
Summary
• E-rate changes may give some libraries
incentive to review the filtering issue
• Money is good.
• Values are forever.
30.
Resources
• SLD CIPA Information --and -- July 21, 2016 CIPA News Brief
– http://www.usac.org/sl/applicants/step05/cipa.aspx
– http://www.universalservice.org/sl/tools/news-briefs/preview.aspx?id=709
• State E-rate Coordinators for Libraries
– http://www.ala.org/advocacy/e-rate-state-coordinators
• Batch, Kristen R. Fencing Out Knowledge: Impacts of the Children's Internet Protection Act 10
Years Later. Policy Brief No. 5, June 2014. ALA Office for Information Technology Policy and ALA
Office for Intellectual Freedom.
– http://connect.ala.org/files/cipa_report.pdf
• Filters and Filtering
– http://www.ala.org/advocacy/intfreedom/filtering
• Internet Filtering: An Interpretation of the Library Bill of Rights
– Adopted June 30, 2015, by the ALA Council.
– http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/internet-filtering
• This slide deck and related resources:
<hyperlink here>