A Reactionary Rant by The Famous Brett Watson, 20-Mar-2001.
It came to my attention via an article in The Register that John Gilmore, one of the founders of the EFF, has had his email server blocked on the grounds that it was available as an open relay. Assuming that The Register has its facts straight (well, SecurityFocus.com actually, since that is the original source), the facts of the matter significant to this particular rant are as follows.
The main purpose and scope of this rant is to examine the issues here, with particular emphasis on whether this is "censorship" or not, and what the implications are for each particular point of view. I'm explicitly not discussing whether spam is a nuisance — I basically assume that it is, and I don't think John Gilmore disagrees on this point. I'm also not discussing what can be done about spam in general: the issue at hand is whether or not anti-spam measures are censorship; whether or not an anti-spam stance conflicts with free speech.
John would have us believe that Verio's blocking of his mail is censorship. What is censorship anyway? There is no one strict definition, but let's have a look at a couple of dictionary definitions as a starting point. The Macquarie Concise Dictionary has the following to say on the matter of censors and censorship.
- censor
- noun 1. an official who examines books, plays, news reports, films, radio programs, etc., for the purpose of suppressing parts deemed objectionable on moral, political, military, or other grounds. 2. any person who supervises the manners or morality of others. 3. an adverse critic; a faultfinder.
- --verb (t) 4. to examine and act upon as a censor does. [Latin]
- --censorial, adjective
- --censorship, noun
John is an American, not an Australian, so I'd better include at least one definition from an American dictionary here. I choose the eminently useful Merriam-Webster OnLine for this purpose.
- Main Entry: cen·sor·ship
- Pronunciation: 'sen(t)-s&r-"ship
- Function: noun
- Date: circa 1591
- 1 a : the institution, system, or practice of censoring b : the actions or practices of censors; especially : censorial control exercised repressively
- 2 : the office, power, or term of a Roman censor
- 3 : exclusion from consciousness by the psychic censor
- Main Entry: 1cen·sor
- Pronunciation: 'sen(t)-s&r
- Function: noun
- Etymology: Latin, from censEre to give as one's opinion, assess; perhaps akin to Sanskrit samsati he praises
- Date: 1531
- 1 : one of two magistrates of early Rome acting as census takers, assessors, and inspectors of morals and conduct
- 2 : one who supervises conduct and morals: as a : an official who examines materials (as publications or films) for objectionable matter b : an official (as in time of war) who reads communications (as letters) and deletes material considered sensitive or harmful
- 3 : a hypothetical psychic agency that represses unacceptable notions before they reach consciousness
- - cen·so·ri·al /sen-'sOr-E-&l, -'sor-/ adjective
- Main Entry: 2censor
- Function: transitive verb
- Inflected Form(s): cen·sored; cen·sor·ing /'sen(t)-s&-ri[ng], 'sen(t)s-ri[ng]/
- Date: 1882
- : to examine in order to suppress or delete anything considered objectionable
Quite a lot of verbiage there, no? Not that I can call the kettle black, I suppose. Still, taking a guess at what John means by "censorship", I'd say that we came closest to the mark with Merriam-Webster's definition of "censor" in its verb form: "to examine in order to suppress or delete anything considered objectionable". Let me extract a couple of quotes from John's page to demonstrate what I'm talking about here — it allows me to be specific, and the content of the page might change at some later time. I quote from the version that existed at time [2000/03/19 1:38 +1100].
"I'm pushing back by publicizing the problem, and meanwhile allowing their censorship to take effect. If you ever want to get an email from me again, it's time to speak up about this!"
"If you send me email, don't expect an email reply. Include some contact information for an uncensored medium, where the providers are common carriers, take no notice of the content of messages, and don't put arbitrary restrictions on what their customers are permitted to communicate."
"If what I am doing is not illegal, then get the hell out of my way, so I can exercise my right of free expression -- to send ordinary person-to-person email to my friends and other correspondents."
—John Gilmore, "Verio is censoring John Gilmore's email under pressure from anti-spammers." (selected quotes)
The most immediate and important thing to recognise about what John is calling "censorship" here is that it's not about offensive content. When a movie is censored, for example, it is done on the basis of the content of the movie: violence, nudity, depictions of sexual acts, and so on are the typical grounds on which a movie might be censored (refer Merriam-Webster's definition of "censor" in the noun form, item 2). Verio hasn't so much censored John's email as unconditionally blocked it; and the block wasn't put in place because of the content of the mail.
I emphasise, this is not, and never has been, about the content of the email. Spam is offensive not because of its content, but because of the means in which it is distributed. Anything offensive in the actual content of a spam email is just adding insult to the injury.
I submit that "censorship" is the wrong word to be using here, or at least that John is using the word in a sense not defined by either the Macquarie or Merriam-Webster. We came close with "to examine in order to suppress or delete anything considered objectionable", but the fact of the matter is that no examination is going on here. Sure there's suppression or deletion, but it's unconditional, not based on an examination of the content.
My counsel in the matter is this: use "censorship" to describe suppression or deletion which is based on the content of the message. That kind of discrimination is important to recognise: it's not necessarily wrong to censor, but it should be very heavily scrutinised, particularly when someone claims that the censorship exists to "protect" someone or something. Other forms of censorship are routinely practiced and considered a good thing, such as when a moderator censors someone for straying off topic. The question of suppression or deletion on the basis of factors other than content, however, should be treated as a separate issue to the maximum possible extent.
If the block is not about content, then what is it about? This can best be understood by taking another of John's statements and considering the consequences.
"Ultimately, they should be a pipe. They shouldn't care what content goes through. For them to say, well, we'll send your IP packets....except when you send this particular type of IP packet, it takes them out of the realm of a common carrier," says Gilmore. "That puts the entire Internet in jeopardy."
—Kevin Poulsen (quoting John Gilmore), "Verio gags EFF founder over spam"
Much as ISPs would like (I expect) to be "common carriers", they aren't. A telephone company is a common carrier, as is the postal service. The "common carrier" status means that they are indemnified with regards to the way people use their services. If someone commits a fraud, say, using the telephone service, the telecommunications provider is not liable for that fraud. I am not an expert in this area of law, but that's the general principle as I understand it. Of course ISPs want to be like common carriers and not take any responsibility for the actions of their users, but the Internet is not quite like a telephone system, and the "common carrier" thing has not borne out in theory or in practice.
The reality of the matter is much more subtle and nuanced than Gilmore would have us believe. In days of yore there were no specific regulations covering the Internet and ISPs, and in those days they claimed the status of "common carriers" — or at least tried to do so. These days, there are specific laws in specific juristdictions which cover the behaviour of ISPs and what they are liable for. It's now relatively common for ISPs to be liable for the copyright infringements of their users if the ISP has been notified of the infringement and fails to act. Whether or not this is a good thing is beside the point for the moment: the point is that most places now have laws which mean that ISPs are definitely not "common carriers".
But regardless of the law in any particular place, the whole notion of "common carrierhood" never really worked in its purest sense in the first place. John thinks that ISPs should be a pipe — utterly unconcerned about what goes through that pipe. What if I have a bigger Internet connection than he: unlikely, but assume it to be so for the moment. I decide that I don't like him, and mount a denial-of-service attack against his network by the simple process of opening a big pipe to his computer and pouring junk down it. He can firewall me, refusing to accept any packets from my network, but generally speaking one's firewall is on the local end of the Internet connection, so the packets only get discarded after they've done their damage. If John is to live up to his statement above, then he can't legitimately complain to anyone about this attack on his network. After all, the ISP is just providing the pipe — they can't be held responsible for the actions of their users.
Is it censorship for an ISP to kick someone off for mounting a denial of service attack? Is it censorship to terminate their access for hijacking the services of other machines? Is it censorship to firewall someone because you aren't happy with the way they are accessing your network? Is it censorship for Gilmore himself to shut down spammers when he detects them using his network, as he claims he does?
Yet this is exactly the kind of attitude that most large ISPs tried to take in days of yore. They wanted to be common carriers, mostly because they wanted to be able to bill people for using the network and not suffer any of the overhead of taking responsibility for the actions of their users. Alas for the ISPs (and fortunately for everyone else) a remarkably pure form of democracy has spontaneously arisen on the Internet and determined that ISPs will be held accountable. This "emergent democracy" is one of the truly amazing things about the Internet at large: it's anarchic in the sense that nobody has absolute control over it, but it's also self-organising and self-policing to a large extent. The anti-spam movement is probably the best example of this.
The way that it happened, as I understand it, is this. As the Internet went from being a friendly place full of people with an aptitude for technology to a medium for the masses, the scam-artists came along for the ride. The scam artists saw an absolute gold mine opportunity to play the numbers game. Imagine you could attempt to scam a million people out of, say, twenty dollars each. Imagine that you could do this at almost no cost. Even if you were only successful in scamming 0.1% of all those people, you'd wind up collecting twenty thousand dollars! Ethical behaviour be damned: that kind of opportunity is too good for many people to pass up, and so the spammer was born. They collected as many email addresses from as many locations as they could, and started sending out millions of junk emails for dubious pyramid schemes and other questionable things.
As it happens, one of the prime sources for email addresses in the early days of spamming was the database of network administration contacts usually referred to as the "whois" database. If you ask this database "whois nutters.org", for example, you'll get my email address and my telephone number and my postal address. If you have a problem with my network, I want you to be able to contact me about it! And so the systems administrators and network engineers were the first and hardest-hit of all by the spam phenomenon. This had a surprisingly uniform effect: it pissed them all off mightily, and made them very hostile to the notion of spamming. After much communal grumbling about it and various attempts to filter out spam (a kind of arms race against the spammers), the idea of the Realtime Blackhole List was born. That eventually grew into the Mail Abuse Prevention System.
The mail abuse prevention system is simply a collection of lists, categorising various mail hosts across the Internet. In itself, the only "power" the organisation has is that people trust it to accurately categorise mail hosts. What people do with this categorisation information is entirely up to them. In practice what people actually do is refuse mail from hosts which are listed as potentially open to abuse for one reason or another. This usage is so widespread (thanks to the annoyed systems administrators mentioned in the previous paragraph) that being listed in one of these systems is something like an Internet blackout.
This is more or less the point of the matter. ISPs have tried to say "not our problem" or "common carrier", but the Internet at large has decreed that ISPs will be hostile to spammers or be listed in the RBL. This is a grass-roots movement that has stood up to such large players as the Microsoft Network. If Verio did not take the action against John Gilmore that it did, it may well have been listed in the RBL, and that would have resulted in far greater negative implications than the block they placed on his own connection. "Verio is filtering me because they were pressured by a pressure group, and they don't have enough intelligence to stand up against that pressure," says John, but the truth is that Verio has the intelligence to know when it's up against insurmountable odds. It's pressure alright, and I'm one tiny piece of that pressure because I subscribe to the RBL.
The key words here are responsibility and accountability. We don't have the sharp distinction between service providers and users that we do in the telophony and postal services worlds. Even the average ignorant end-user is providing his own piece of the network when he connects to the Internet: a computer which is every bit as capable of being a server as every other computer on the network. When I allow others to use my network infrastructure, I must be willing to accept some level of responsibility for their actions; accountability for what I allow others to do with my network resources. Clearly it's unfair to expect me to have complete control over them, but it's not unreasonable to expect me to act to whatever extent I can when I'm notified of issues. John Gilmore wants us to put up with the occasional spate of network abuse from his computers on the grounds that its all in a good cause.
"If one user connects to my machine from an unknown address and sends a message, my machine forwards it on. It's happy to. That could be John Perry Barlow sending e-mail from Africa to his girlfriend."
—Kevin Poulsen (quoting John Gilmore), "Verio gags EFF founder over spam"
That's all very well, John, but by allowing people to use your network infrastructure you are agreeing to take responsibility for their actions. You claim, "I am not a spammer, and have never sent any spam," but you have enabled spammers to send spam using your resources, and the buck stops with you. You want to be an indemnified "common carrier" with regards to your own mail relay service, but you aren't, and no amount of huffing and puffing about free speech and censorship will change that.
This isn't really just a matter of my opinion versus John Gilmore's, either. (If it were that, my money would be on him.) The actual practice of the Internet today is that a very substantial percentage of networks are RBL subscribers, essentially demanding, "be accountable for your customers or we will firewall you." Verio has little choice but to cooperate with this requirement or it will lose its ability to communicate with a large portion of the Internet — they aren't just doing this to be politically correct (for some value of "politically correct"). The Internet exists because networks have agreed to interconnect using a shared set of protocols. It so happens these days that most of the networks also demand a certain protocol with regards to end user behaviour — the end users must not abuse or facilitate the abuse of the network. Failing to follow this protocol can be nearly as deadly for your connectivity as failing to abide by the RFCs.
It used to be the case that you could trust just about everybody on the Internet to use network resources in a reasonable and responsible manner, but those days are history. These days if you want to open up your network resources to other people, be prepared to take the consequences of their actions.
John also mentions his "right of free expression", and that highlights a particular problem, even if we grant that such a right exists. The right of free expression that he demands involves the usage of a large number of private networks. Sending an email to me, for example, unavoidably involves the use of my network and my computing resources. Those resources are mine, and nobody else has any right to them. I happen to make them generally available because it is in my interest to do so: I like to communicate with other people about my ideas. I do my level best to fight spam at every opportunity because I consider spam to be an abuse of my network resources. Spammers might have a right to express their ideas, but they do not have any right to do so with my network resources unless I grant them permission. I am an anti-spammer, and I am not pro-censorship, nor am I infringing on anyone's rights: I am merely defending my property from abuse.
You have a right to free expression within the bounds of your own property. Your government may also grant you (or recognise a right to) free expression on public property. But you have no right to use my property in your exercise of free expression unless I grant you that right.
Finally, John would have us believe that anti-spam measures are futile, and should therefore be dropped.
"It reminds me of the X-ray machines they have in airports and the security checks they put people through," says Gilmore. "It doesn't actually solve the problem, it just infringes on the rights of the innocent."
—Kevin Poulsen (quoting John Gilmore), "Verio gags EFF founder over spam"
It's true that anti-spam measures have not been completely effective. I still get spam regularly, and I am obliged to continue my fight against spam as a result of this. The price of freedom is, as it always was, eternal vigilance. Spammers are playing the numbers game, and combatting spam will not be a definite win or lose for either side. X-ray machines at airports may not prevent determined hijackers from taking over a plane, but it makes planes a lot safer. How secure would you feel when flying if any idiot were able to carry on their gun? How would you feel knowing that some substantial percentage of your fellow passengers were armed? It only takes one idiot to threaten someone else with a gun to put the entire plane in danger. Similarly, anti-spam measures make spamming more costly and raise the bar on who can send spam. My goal is not to eliminate spam, although that would be very nice, but to simply make it as costly, inconvenient, and ineffective as possible for spammers to go about their odious work.
Any measure for stopping spam should have as its first goal "Allow and assist every non-spam message to reach its recipients." No current anti-spam policy I know of, including Verio's, SpamCop's, or MAPS's, even views this as a desirable goal, let alone implements it.
—John Gilmore, "Verio is censoring John Gilmore's email under pressure from anti-spammers."
It's truly a shame that any legitimate mail gets blocked by anti-spam measures, but as someone who runs a mail host that subscribes to the various mail-abuse prevention lists, I can say that it's far easier for me to chase up the odd legitimate mail that gets blocked rather than deal with all the spam. Blockage of legitimate mail usually results from some other service provider having a badly configured mail server, and this allows me to assist them by alerting them to the problem. When another mail server is fixed, everyone wins.
Those of us involved in the RBL project have spent most of our professional careers trying to improve open network connectivity. It is therefore with very mixed feelings that we deliberately seek to make any part of the network inaccessible to us or to make ourselves inaccessible to it. Desperate times call for desperate measures.
Our ultimate goal, however, is not to stop connectivity but rather to stop spam from being sent to hosts we pay for or over links we pay for. Anyone who wants to work with us toward that goal does not belong on the MAPS RBL. This document will help you categorize yourself and help you identify yourself to us.
—Paul Vixie and Nick Nicholas, "MAPS RBL Candidacy"
Perhaps John Gilmore would only be happy with anti-spam measures if they could be guaranteed never to interfere with any legitimate mail. I think that's unrealistic, if not outright impossible. Even assuming that there were no such thing as an anti-spam measure, the mere presence of spam may result in annoyed end-users accidentally deleting something that looks like spam but is actually legitimate email. Spam itself interferes with legitimate email whether we attempt to block it or not; the best that we can do is make our targeting of spam as directed as possible. If we do not combat spam, then there will be more of it, and mail may well get lost as a result of not combatting spam. If John has any suggestions as to how spam might be more accurately targeted, I'm sure the folks at MAPS are interested to hear about them.
In the meantime, I have a suggestion for John Gilmore: either be prepared to accept responsibility for the way people abuse your network, or secure it. There are dozens of ways to do the latter, but my preferred method is using SSH tunneling. Configure your mail server so that it will only relay mail from machines on your network, then provide your friends like John Perry Barlow with an account on one of your computers that they can access via SSH. They then forward the mail over the SSH link. I do this all the time, and it's quite convenient and secure. I can potentially forward mail via my own mail server from anywhere in the world without running an open relay for spammers to abuse.
John's bleating about "freedom of speech" looks a whole lot less persuasive when you know that there are easy options available which allow legitimate use and prevent abuse. Is he defending his right to free speech, or his desire to be a lazy systems administrator?
Author: The Famous Brett Watson