July 14th, 2014 - kyledrake

Germany has a federal censorship agency called BPjM. The BPjM maintains a "secret" list of about 3000 URLs that is distributed to search engines (including Google, Bing and Yahoo) and router manufacturers to block web sites in Germany. The blocking filters for the search engines are mandatory; you can't turn them off. To keep the list "secret", it is published and distributed in the form of MD5 or SHA1 hashes as the "BPJM-Modul".

An anti-censorship activist, concerned citizen and security researcher has proved that the hashes are very easily reversible, and published the disclosure, including a plain-text list of the censored sites on a Neocities page. Now the German government is pressuring Neocities to take the site down, and is claiming we were breaking German (and possibly US) law by hosting a copy of the list of sites that they distribute.

The censorship list is published quarterly in the magazine "BPjM-aktuell" which can be read in any major library in Germany. Though hashed, this list is essentially public information, because it's published by the German government in a way that is trivially easy to brute force to reveal the web sites (SHA1 is weak, MD5 has been broken for over ten years, and lists of web sites to compare against these hashes are plentiful). Anyone with a basic understanding of cryptography and a few hours could have easily derived this list.

Sites on this list are alleged to contain illegal content in Germany according to the BPjM. As far as I understand (I have not viewed any of the sites for legal liability reasons), this can include such things as pornography they deem objectionable, and references to Nazi information (I'm not even going there).

One of the sites blocked is an article on bible.org about spanking misbehaving children according to the Christian bible (As I've been told... again, I have not visited any of the sites). Personally, I'm completely opposed to corporal punishment (for both moral and scientific reasons). But why is an opinion article on spanking worthy to be included in a country-wide censorship list? How exactly do you contest questionable entries in secret government censorship lists? Where's the due process here?

There is apparently no legal way to challenge the list. It is decided by fiat in secret by a German government agency, and there is little or zero recourse for those falsely condemned. The author of the disclosure documents that attempts to audit this list and challenge the sites on it via the legal process have failed:

In 2011, "porno lawyer" Marko Dörre requested access to the list in order to do his work. This was denied two years later in a court decision, stating publication of the list could harm public safety. The court further justifies its decision by stating that there are agreements with the 27 companies which have access to the hashed blacklist in place to ensure the list stays secret. This method could be considered safe as there is no unauthorized use of the module data known since its creation in 2005.

This leak proves that the BPjM-Modul is not a secure way to distribute a secret Internet censorship list. It is not difficult at all to extract the list from different sources and calculate the cleartext URLs of the hashes. It proves as well that secret Internet censorship lists are of bad quality, with many outdated and absurd entries harming legitimate businesses.

I agree.

As far as I see it right now, the BPjM leak is a responsible and justified disclosure to highlight the glaring security problems with the German government censorship system. But much more importantly than that, it highlights the chilling implications of allowing an unelected, anti-judicial government censorship agency to publish an arbitrary, secret blacklist with no public inspection or due process of law for those who have been falsely accused. Neocities does remove sites due to content from time to time, but the context here is different. As I understand it right now, this is fundamentally about disclosing insecure, unfair, and unaccountable government censorship on the web. That seems like a legitimate use of Neocities to me.

But hosting the site puts me in a very dangerous situation. If I remove the site, I am curtailing discussion on the problems with internet censorship. If I leave the site up, it means that Neocities may get banned in Germany, using the same censorship list. The German censorship list would then, in essence, be used to prevent discussion on the problems with the censorship list, which is something I find to be thoroughly abusive. It's also possible that hosting this list (even as plain-text) violates United States law, as the German censorship agency suggests.

I was able to discuss this (informally) with EFF staff attorneys on Monday (I hope you're a member of the EFF, this is why they're important), and unfortunately, the legal implications of hosting the plain-text list are currently uncertain. I'm pretty worried about that, obviously.

Both for the protection of Neocities, and for the protection of myself, I have (per the discloser's own suggestion and the EFF's informal opinion) requested that the discloser remove the list of sites for the moment, until I can get some legal clarity on the situation. Disclosure of the vulnerability, however, will remain intact, and the discloser's rights to use Neocities will not be curtailed unless I am forced by US law to remove them. If I receive legal clarity that it is legal to publish the list in the United States, I will inform the discloser, and they will be free to add the list back to the site, if they choose to.

Despite the legal considerations here, I strongly believe that legally mandated censorship of the internet is wrong. It's the wrong solution to the problem of objectionable content. It's the wrong way to prevent these sites from being viewed (this is textbook "Streisand Effect"). It's the wrong way to protect internet free speech from over-zealous parentalism masquerading shamelessly as protection. It's something I would expect from an autocratic police state, not from a developed, prosperous, democratic, freedom-loving nation like modern Germany. You don't get rid of history by blacklisting people from viewing it, you don't convince people that Nazis are bad by, literally, stooping to their level and censoring (okay, I went there). And, as this leak clearly proves, it doesn't work anyways.

As far as I can tell, Germany is planning to block Neocities on this very same censorship list unless we remove this site completely, proving that this internet blacklist is being abused to censor democratic political debate. If you find that concerning, citizens of Germany, it's time to stand up against internet censorship and demand reform of this obviously broken censorship system, before you stop having a country that looks like a prosperous, peaceful, tolerant democracy and ends up looking more like, you know, *INSERT CENSORED CONTENT HERE*.

Donations to help us deal with this and get legal representation would be really, really helpful right about now.
