When US-made 'censorware' ends up in iron fists
Despite Burma's record of repression, it's probably legal for American companies to sell Internet filters there, export lawyers say. But is it ethical?
Oakland, Calif. — During Burma's short-lived uprising late last month, young dissidents risked their lives to smuggle news of their peaceful protest to the outside world. They may have been up against Internet censorship software designed in America, if a connection found to exist in 2005 still holds.
Moreover, if a US firm wanted to sell Internet filters to Burma (Myanmar) today, despite several layers of economic sanctions against the government there, it would probably be legal to do so, say export lawyers.
Absence of federal regulation has allowed so-called censorware of at least four California companies to end up in the hands of foreign governments shown to block citizens' access to political, religious, and other websites.
Events in Burma provide new fodder for a censorware debate that had focused, until now, on China. Some experts note that repressive regimes might never have allowed Internet access at all if not for the filters, which tech-savvy citizens can overcome. But critics say US companies are breaking American values by abetting such censorship.
"Where the best and the brightest of Silicon Valley had been wiring the world, they are now, in these cases, doing the opposite," says Ronald Deibert, an investigator for the OpenNet Initiative (ONI), a collaboration of Harvard, Oxford, and Cambridge universities and the University of Toronto.
ONI researchers are conducting tests that have so far found censorship in 24 of 40 countries. Testing involves local users in each country trying to access various websites. Certain patterns and failure messages emerge, indicating which filtering system a country uses.
The software companies involved sell this technology primarily to private companies in the US and abroad. Companies use these tools to keep employees from accessing pornography sites and websites infected with viruses.
Repressive governments also turn to these American systems, not only to filter out porn and viruses, but also to block political, religious, and other websites.
ONI testing in 2005 indicated that Burma censored the Internet using software made by Fortinet, a Sunnyvale, Calif., company. The firm, says ONI, responded by saying it doesn't sell software directly to end-users. ONI challenges Fortinet's claim, pointing to a 2004 article, reachable online, by the official New Light of Myanmar newspaper. The story covers a ceremony bringing together Burma's prime minister and Benjamin Teh, described as "an official representative of Fortinet."
"Given Mr. Teh's participation, it seems unlikely that Fortinet did not know of the sale of its software to Burma," notes the ONI report.
Fortinet did not respond to two e-mail and at least five phone messages to three company officials over the course of last week.
Other ONI research revealed that Iranian Internet service providers (ISPs) have used filtering software of two other California firms: Websense Inc. and Secure Computing Corp.
A Websense spokeswoman denies the firm has sold software to Iran, which would be illegal. A published study by Nart Villeneuve at the University of Toronto found that from 2004 to 2005 the Iranian ISP ParsOnline used Websense's product. By 2006, the ISP had dropped Websense, he said in an e-mail.
The company's website advertises Websense's ability to categorize, and therefore filter, websites in categories such as "advocacy groups" and "religion" – specifying, among others, Christian Science. However, the Websense spokeswoman said, in an e-mail, its contracts forbid customers from using the technology to censor Internet content without permission from both the affected consumers and Websense's "express prior written approval."
Secure Computing has said publicly in the past that the Iranians may have obtained an illegal copy of its software. A company executive, Atri Chatterjee, says the software, called SmartFilter, would still function without frequent database updates from Secure Computing, though at a degraded capacity. Such updates could also be obtained illicitly, he says.
ONI also found in 2005 that Tunisia, Saudi Arabia, and United Arab Emirates, countries with Internet censorship, use SmartFilter. The company wouldn't confirm or deny.
"We are a US organization that adheres to US rules. We only do business with organizations and countries we are approved to do business with," says Mr. Chatterjee.
That position is echoed by Blue Coat Systems Inc., whose sales materials have boasted that Internet access across Saudi Arabia is "monitored and controlled" by its technology.
US export rules focus mainly on national-security criteria, says Clif Burns, a partner at Powell Goldstein LLP in Washington and editor of exportlawblog.com. "It may well be the case that something doesn't have a [security] impact on the US but is otherwise improper or not good citizenship to export," says Mr. Burns.
The only cases where censorware cannot be sold, he says, involve certain forms of encryption or countries under broad US trade sanctions. In the case of Burma, sanctions probably don't outlaw a sale, he says, because the sanctions mostly prohibit imports from Burma, not exports of US goods to it.
Moves are afoot in Washington to take a harder line against censorware exports. High-profile congressional hearings last year examined the roles of Yahoo!, Google, Microsoft, and Cisco in helping China censor the Internet. Rep. Christopher Smith (R) of New Jersey has introduced the Global Online Freedom Act, a bill that would, among other things, study the feasibility of restricting censorware exports.
There is some debate over whether such filtering software merits real concern. In Burma, the regime ultimately decided to shut off the country's Internet access after it appeared unable to selectively filter out antigovernment communication.
As of on Sept. 28, the main Burmese ISP completely severed its connection to the outside world, and only occasionally reconnected starting last week, says Steve Gibbard, a researcher at the Packet Clearing House, a nonprofit research institute focused on Internet security and stability. The shutdown did not appear to be the work of a software filter, but "a matter of unplugging a cable or flipping a power switch," says Mr. Gibbard.
The filtering software, in fact, may have given the Burmese regime enough of a false sense of security to allow Internet access in the first place, some suggest.
"Without [Internet filtering tools], there wouldn't have been access to begin with because [citizens] wouldn't have been trusted with it," says Bill Woodcock, also with the Packet Clearing House. Nor does pressure for censorship always come from the top, he adds. "In much of the world, the Internet is seen as this horrible sewer that is bringing things in that the government [feels popular pressure] to stop."
Internet-censorship tools can be defeated with the use of proxy servers. But many people living under repressive government are not going to hear about, or dare to try, methods to get around Internet fire walls, say experts.
"Some people say [censorware] is ineffective because dissidents can get around it," says Seth Finkelstein, a programmer and anticensorship activist. "I say political control doesn't have to be 100 percent to be effective. Controlling the ability of the vast majority of the population to see outside information is still very effective for the goals of the totalitarian regime."