Sandwich Meat, or How Not To Protect Kids From Porn

Talking with parents of young children about the Internet quickly raises the topic of adult content on-line, and how anxious / desperate parents are to keep their kids from seeing it (either accidentally or on purpose).

At a conference (see Bill’s post) at Michigan State (run by the indefatigable, immensely connected Peter Yu), I came across a proposal to help Internet users avoid porn. Intrigued, after years spent working with the ONI on filtering issues, I gave the Web site (at cp80.org) a read. The purported solution incorporates both legal and technical elements. My analysis: it’s not only a terrible idea, but it won’t work on either front. I’ll go through the problem statement, the technological proposal, and the legal proposal, then give my own thoughts.

Problem Statement

CP80 starts with some rather overwrought facts about Internet porn. The site’s front page claims that there are 400 million pornographic Web pages and that, if printed and stacked, they’d be over 15 miles high. (How does this compare to Web pages about kittens and other cute things? Or sports trivia? And how would one store a 15-mile high stack of porn under one’s bed? Just thinking.) The site also rolls out a parade of horribles that viewing harder-core porn leads people to minimize rape, be less likely to have a family or hold a job, become more likely to lose their job (sure, if you view it at work!), etc. (The supporting material hasn’t been peer-reviewed, or even published, based on my inspection.) It also claims that businesses lose money from having to install filters and firewalls (um, ever heard of viruses?), lost bandwidth, reputational harm from firing someone for viewing porn (a key factor for most consumer decisions), and so forth. The cites here are to a Websense study – after all, a filtering software vendor will have an objective take on the problem! – and to a consulting group in Atlanta.

The assessment suffers from two flaws (in addition to a dearth of documentation). First, it doesn’t measure risks from Internet porn relative to other potential problems. Sharks are dangerous, but pigs cause more deaths per year. Second, it doesn’t address causation versus correlation. Does viewing porn make you more likely to lose your job, or are workers who are less successful (poor work ethic or other loser habits) more likely to watch dirty stuff on their screens? These two issues are important because they drive how much we should worry about this problem relative to others (legal and technological effort are both limited quantities), and because they determine what it is we should do (focus on porn vs. improving job skills).

Technological Proposal

The technological proposal put forth by CP80 suffers from a problem common to lawyers and the technologically unsophisticated: reasoning by analogy. CP80 wants to categorize Web content into channels, as with cable television. The major failing is that it compares HTTP over port 80 to a single cable television channel. This is ludicrous from a technical perspective, and misleading from a policy one. A better analogy – though still flawed – is spectrum. TV broadcasts travel over the same part of the electromagnetic spectrum, but we don’t think that CBS, the Playboy Channel, and PBS are the same. Moreover, CP80 makes the mistake of treating “well known” ports (such as 80 for HTTP, 25 for SMTP, and 53 for DNS) as mandatory port numbers. There’s nothing to prevent you and I from coming up with our own software that exchanges information using these ports; other applications on the Net may get confused, but if our computers agree on how to handle traffic on those ports, we’re set. This works much less well for TV – in part because of legal controls over broadcasting.

CP80’s solution is, essentially, a mandatory family-friendly Internet, over what it calls “Community Ports.” There would be a new port for sanitized HTTP content, and another port for any HTTP content. Sending non-sanitized content to the family-friendly port would be illegal. Thus, claims CP80, “a child using a Community Port [Family-Friendly] Internet connection attempting to access pornographic content… whether deliberately or inadvertently, would not be able to access the mature content.” Oh, really? How about port redirection? Proxy servers? Anonymizers? P2P? Kids are incredibly tech-savvy, especially when motivated. The popularity of file sharing demonstrates that.
CP80 also believes that consumers should be able to request ISPs to block traffic from all IP addresses in countries that don’t implement this type of legislation. That’s going to cut off a lot of the Net.

Legal Proposal

The legal solution is equally dicey. It would be unlawful to publish knowingly obscene material (which may be constitutionally proscribed, so no problems there) or content “inappropriate for minors” to the Community Port (paragraph B). If consumers find such content on the Community Port, they can notify a federal agency, which verifies whether the content is unlawful; if so, it issues a compliance order demanding that the material be removed from the Community Port, and can also issue a “Right to Sue” letter allowing the complainant to sue the content provider (paras. C-D). ISPs would have to track which IP addresses they issued, and to whom (para. G). Anyone with a wireless network would have to enable password protection (good-bye, Open Wireless Access) (para. H). The term “inappropriate for minors” means material that

  • is designed to appeal to, or is designed to pander to, the prurient interest, or describes or depicts Sexually Explicit Conduct;
  • depicts, describes, or represents, in a manner patently offensive with respect to Minors, an actual or simulated sexual act or sexual contact, an actual or simulated normal or perverted sexual act, or a lewd exhibition of the genitals or post-pubescent female breast;
  • and taken as a whole, lacks serious literary, artistic, political, or scientific value for Minors. (para. J)

Note that the definition, oddly, looks at what an adult would consider inappropriate. Well, it looks like Lego Sex is out on the Community Ports.

My Take

I think the scheme has constitutional and practical infirmities. First, it’s a content-based regulation of speech, so it gets strict scrutiny. So, one needs a compelling government purpose and narrowly tailored means. Assume for the moment the purpose is compelling (arguable). Are the means narrowly tailored? Is there a more limited option? Yes, there are several. First, client-side filtering – install NetNanny or a competitor. Second, require sites with content that’s inappropriate for minors to protect material with a password. (This in itself probably wouldn’t survive scrutiny, but I think it’s less broad than shunting all such content off into a single “channel.” See the Child Online Protection Act, Section 231(c), then look at ACLU v. Gonzales and the government’s failed attempt on remand.) Note that there is the threat of criminal prosecution here (para. E), which is likely to make a reviewing court apply scrutiny with particular rigor. Finally, the administrative agency makes a determination of whether the content is lawful (para. D). Arguably this is acceptable in the television context – the FCC can impose fines for showing Janet Jackson’s breast on network TV. However, the FCC’s regulation seems to depend on spectrum scarcity after Red Lion – and scarcity for all practical purposes doesn’t exist on the Net. (Reno v. ACLU, and the decisions on COPA, make this clear.)

Overall, the goal of protecting kids from Internet porn is laudable. But instead of proposing an approach that’s both unconstitutional and technologically moronic, how about using the market? Places like Singapore have family-friendly ISPs – for a few bucks a month, you can buy a “filtered tap” that excludes porn and such. A smarter proposal would have the government offer tax breaks to companies that offer such services or to consumers who use them, without trying to turn the Net into cable TV. (As Bill notes, the kids.us domain seems to show that the market for this type of service is limited – or maybe the adults in the household want to make sure they retain access to naughty stuff.) Or the government could just subsidize the purchase of filtering software for home consumers

This proposal demonstrates the Law of Sandwiches: no matter how thin you slice it, it’s still baloney.

14 Responses to “Sandwich Meat, or How Not To Protect Kids From Porn”

  1. [...] Derek Bambaur at Harvard Law School has written one of the best examinations of CP80 I have seen yet. His summary that the market should decide is what I’ve been saying since HB260. [...]

  2. [...] Derek Bambauer at Harvard Law School has written one of the best examinations of CP80 I have seen yet. His summary that the market should decide is what I’ve been saying since HB260. [...]

  3. Why CP80 Won’t Work…

    There’s been a lot in the news about the recent CP80 initiative, and sides have been pretty polarized. I wanted to formulate and write down my stance so I can use it as a reference.
    In short, I think it won’t, and shouldn’t work.
    CP80…

  4. The technical and legal arguments you present seem sound to me, and they (especially the pragmatics resulting from them) are my main reason for not jumping on the CP80 bandwagon. But to pooh-pooh the research on the negative consequences of pornography on human interactions is to be intentionally ignorant of a large body of research. Maybe CP80′s site doesn’t give much hard info, but it’s out there.

    There is both correlational and experimental research going back at least three decades, demonstrating pretty clearly that pornography is bad for us. It strongly influences the way we think about women (and for child porn, about children), leading to objectifying them sexually and mentally rationalizing sexual exploitation and violence. It contributes to sexual violence in society. Even “soft” porn. And this is not, overall, research done by special-interest groups with an axe to grind. Look it up. It’s pretty solid.

    Of course, not everyone who watches porn is sexually coercive, but that’s no argument. Not everyone who smokes gets lung cancer, either. That doesn’t mean smoking is good for you, or even neutral.

    CP80 probably won’t do much to solve our porn problem. But that’s not because it’s not a problem.

  5. Darrin, thanks – this is a good point. I’ve no expertise in the cognitive effects of pornography. In part, though, this is my point – if an organization such as CP80 wants to make some rather strong claims regarding the need for technical and legal regulation, I think it’s incumbent upon them to support their contentions about porn’s ill effects with, at least, a few footnotes or citations. If you have any suggested references, I’d be glad to read them and, if they’re publicly available, will link to them from the blog post.

    Part of my worry about efforts like CP80 is that they are likely to have very large unintended consequences, both for the Internet and for our access to information. Porn is the thin edge of the wedge – there is considerable research (which I view as methodologically suspect, but that’s somewhat beside the point) showing harm from watching violent material. Slippery slopes…

  6. [...] Bambauer at the INFO/LAW blog concludes against the CP80 Initiative, which proposes a means of regulating internet pornography.  This is what [...]

  7. I am a firm believer in the first amendment and I do not want to see it weakened by laws which would add a chilling effect to it. The law already has the Miller test for obscenity and that should be enough–except for one thing–The Miller Test is clearly not being enforced!

    Hard core pornography, which would clearly be deemed obscene by the Miller test is widely rampant on the internet. Presently, local, state, and federal govenments seem impotent to do any significant thing about it. The harm that could come to society, and especially children, should be of concern to everyone. The old line that “parents should watch their children” isn’t going to solve this problem

    If our government won’t enforce the laws against “non protected” speech like hard core pornography, then I suspect we are going to see any number of work arounds like CP80 until something effective is done.

    CP80 May not be ideal, but the social fallout from pornography could be worse. Personally, I would like to see existing laws enforced; then maybe we wouldn’t need any more.

  8. David, this is an interesting point. I believe that the Justice Department has stepped up its prosecution of obscenity – if memory serves, this was a heightened priority under former Attorney General John Ashcroft, and has received attention under AG Alberto Gonzales as well. And some US attorneys are taking this up as well:

    http://www.nytimes.com/2007/09/28/us/28obscene.html

    I have my own issues with client-side filtering (NetNanny and its ilk), but this approach looks like the best compromise at the moment. There will always be some obscene material that is beyond the reach of US enforcement (e.g., that hosted overseas) or that isn’t deemed problematic enough when allocating scarce prosecutorial resources.

    CP80 remains a terrible idea for all the reasons I put forth in the post…

  9. The answer always has been to make the tools available so those who want to filter can and those who dont are not burdened. We will always have different jurisdictions and varying community standards that judge different content and its importance differently and there is no way we can offer a one-size-fits all internet which is going to be satisfactory to everybody. The online adult industry has taken it upon itself to embrace labeling (RTA and the older ICRA standards), so anyone who wants to filter their experience can using any freely or commercially available software. To try to legislate a pre-free-speach but “safe and clean” internet is ludicris.

  10. You claim to be knowledgable. Offer to help the Cp80 Foundation if you think their plan needs some “tweaking” I think it is the best idea out there at the moment and deserves some serious scrutiny and positive support. If great minds would work together to form viable solutions instead of distantly picking apart all possible flaws we would get much further in solving this and many other problems.

    I disagree with your assessments. I think their proposed laws (state and federal) will make a big positive difference.

  11. The technical problems inherent in the CP80 proposal aren’t resolved by “tweaking” – the fundamental model is flawed. Simply put, things don’t work that way.

    As someone who is a senior technology executive for a Fortune 250 firm’s governance, risk and compliance organization, inappropriate content is an issue we deal with as well. In our case, we prohibit this type of content for different reasons – e.g. safe workplace, preventing sexual harassment issues, reducing the frequency of inappropriate use of company resources, lowering the likelihood of the introduction of malware which highly correlates with inappropriate content sites, etc.

    Having previously worked directly with the firewall team (in an organization with over 200 firewalls domestically alone), and working with traffic environments where a single firewall can have as many as 100 million logged session events (web hit, email transfer, etc.) daily, there is a bit more to how TCP/IP works than something as simplistic and unfortunately technically incorrect as the CP80 proposal.

    TCP/IP and ports-specific behavior simply don’t work the way the CP80 people would hope or expect. This is not the best idea out there, nor is it one that can be modified to work. The foundational assumptions are wrong, and the Internet doesn’t function in the manner those proposing this approach would hope. It’s unfortunate that someone didn’t guide them earlier on to direct them to a cause that wasn’t so technically silly – in a sense, they’re doing the equivalent of a movie actor pretending to conduct an orchestra, while instead flailing their arms around like a angered bear swatting at bees.

    As a parent of two school-age children, I share the concern about inappropriate content. My wife and I both have accidentally hit “the wrong sites” when searching for sites with our kids – Barbie happens to be a high risk keyword for instance. Messing with the plumbing when there is no meaningful relationship nor viable method of creating one given the architecture of TCP/IP isn’t the solution. I’d actually encourage consideration of PKI to support a content rating model and expand definitions to include assessment categories (e.g. type of site, maturity rating of site, whether site has been verified by an accredited third party to be consistent with this rating, etc.). Directory service architectures underlying PKI may have the capacity to provide for content extension and quite possibly work has been done in this space.

    In this event, https and the PKI exchange can serve as a method of securely communicating the attributes of the respective website, and browser development (or even firewall rules) can be pursued to limit non-https traffic. As http really needs to be retired due to other issues (e.g. coffee shop use where http is really a poor idea due to too many vulnerabilities from exposed data), a child-safe content initiative that embraced this model might find other advocates to attain sufficient momentum.

    Per CP80′s “port channel” model – either drop it and move onto something viable for the benefit of the kids, or get stuck in the mud chasing something that just won’t work.

  12. Hi Flyoversam – this is a great post – thanks for it. I agree completely that CP80 simply doesn’t understand the underlying technical architecture of the Internet. Ports, just to take one example, are a *voluntary* convention. If you and I decide to write a program that ships data back and forth to port 25 (SMTP) or 80 (HTTP), we can do so – there’s absolutely nothing in the Net’s architecture that prevents this. Now, if we try to have our app interact with other servers, they’re going to get very confused, but that’s our problem. (Lotus Notes, for example, has the ability to use port 80 as a pass-through to traverse firewalls that refuse to open 1352.) The idea of mandating legally that traffic pass to a given TCP port is unworkable, and a bad idea technically to boot. (There’s a larger story here about the problems of lawyers regulating highly dynamic technologies, but that’s a different conversation.)

    Do you find Google’s SafeSearch feature helpful in screening out inappropriate search results?

    Back when Larry Lessig first wrote his book Code and Other Laws of Cyberspace, PICS looked like it would do exactly what you propose: allow us to tag content with metadata that would alleviate some of these problems. But it’s essentially dead on the vine. I’m with you that a more widely adopted PKI system would solve all sorts of problems – spam not least – but I am very pessimistic that this will happen.

    Protecting kids on-line is tough. My own tentative view is that client-side filtering may be the best answer, but it’s an imperfect one.

    It’s also not clear to me that CP80 is a kid-focused proposal. I think it’s tied to a more general disapproval / concern about porn, and that opens up a different set of policy and legal concerns.

  13. Very interesting article

  14. Love the logic here and your suggestions. And you’re right, it’s completely backwards…but I see the people behind these sites as two steps ahead. No matter what family friendly ISPs put in place or anything else of the sort, they’ll find ways around these things. Very tough issue to figure out how best to deal with regardless.