Facing Facts About Internet Filtering

With the growth of the Internet, it's time to accept filtering as a fact of life.

Over 1,200 categories of Internet content can be blocked, including streaming media and games. Blocking works through a network appliance stationed at an Internet gateway. Based on a set of business rules that an organization can define at will, the appliance blocks Internet content or mail that is considered objectionable, and it compiles a report on content that was blocked.

We all know about parental content controls for children's use of the Internet and television, but Internet content filtering is far more pervasive than that. It is widely used by companies, schools, and governments -- and its use appears to be increasing.

“Most companies internally try to establish an Internet 'accepted use' policy, which they communicate to employees,” says Eric Lundbohm, VP of marketing at filtering provider 8e6. “Within this, there are some Internet activities or Websites that can clearly be classified as 'bad,' but there are also many gray areas where companies choose to let employees have flexibility. For example, if an employee needs to send an email home, or if he takes a couple of minutes to place an order at amazon.com, these activities are convenient, and they probably save employee time away from work."

This “give and take” process is maturing with widespread Internet use on the job. Meanwhile, it provides intrigue for HR and IT managers who work on Internet policy.

For example, what about the employee who visits a sexually explicit Website at work that he does not personally find offensive, but which an employee passing by him does? Does the situation leave the company open for a sexual harassment lawsuit? What if multiple employees download songs or visit YouTube to the point where overall corporate network performance degrades?

Equally challenging are the legal responsibilities that U.S. K-12 schools must uphold. “Schools are required to filter Internet content,” says Lundbohm. “Commonly, this includes content from pornographic and ethnic hate Websites. Other Websites that schools filter include those that encourage cheating by offering to sell term papers.”

Internet-savvy students have succeeded in giving the slip to some filters by using anonymous proxy Websites that hide their identities and allow them to surf the Web without being detected. “Increasingly, schools are hiring kid hackers and are learning everything from the kids to improve their filtering policies,” says Lundbohm. “We have also evolved our tools to where we can block anonymous proxies by detecting and blocking their protocols."

In the United States, there are strict rules about sexual content that includes or targets people under the age of 18. Internet content filtering is generally done to block “undesirable” Websites from general access.

The U.S. is not alone. In China, people are prohibited from “undesirable” Websites, and police can interrogate ISPs about the identities of their subscribers.

In North Korea, the Internet does not even exist. There are no ISPs and no servers to relay domestic email.

In contrast, there are those who advocate that the Internet should be entirely unfettered from censorship and filtering, and that limiting Internet use is a violation of constitutional rights.

"As we move more of our communications into social networks, how are we limiting ourselves if we can't see alternative points of view, if we can't see the things that offend us?" asked Fred Stutzman, a University of North Carolina researcher who tracks online communities. (See News.yahoo.com/s/ap/20080706/ap_on_hi_te/tec_disappearing_freedoms.)

But as Lee Tien, senior staff attorney for the Electronic Frontier Foundation recently shared with me, “The Internet is not free.” There are still limits that need to be placed on it to ensure that its activities are not entirely lawless.

The real question about filtering is, not whether to use it or not, but "What's next?"

“We are moving into a phase where there are blended threats that organizations want to filter out," says Jeff Lake, VP of federal operations for Fortinet, a filtering supplier. “When spam first became an issue, you would filter on words to stop nuisance emails. Now there are more multifaceted threats. Email comes in and the user clicks on a link and is taken to a phishing or a spam site. Even a Trojan can be downloaded.”

Lake says the industry has moved away from pure content filtering to more blended threat detection that works on the overall reputations of senders: “Based upon the emails sent, the Websites trafficked, and the IP addresses themselves, we assemble a database of profiles and begin to establish an entire picture of what these malicious sources are so they can be filtered."

“In the future, we also will continue to see more issues related to Web 2.0 technology and blogs,” says 8e6’s Lundbohm. “There may be some pressures on sites that use blogs to control content for 'good' and 'bad.' "

Regardless of how filtering evolves, two things are clear: First, organizations need to customize their filtering to their own particular circumstances -- and they need to have policies that articulate to their constituents why the policies exist.

Second, they should ensure that their filtering processes conform to accepted laws, regulations, and practices.

“From a filtering perspective, it comes down to understanding transactions in a blended fashion, and then applying appropriate security guidelines for filtering, whether they are HIPAA, Gramm Leach Bliley, PCI, or something else,“ says Fortinet’s Lake. “The industry is focusing more on the avoidance of data and information leakage than it is on strictly 'bad' content.”

— Mary E. Shacklett, President of Transworld Data