IP: Follow-up to UK scanning PCs for Net porn

[Dave Farber <farber () cis upenn edu>]

My personal advice is to remove all confidential corporate information and personal information prior to arriving in 
the UK . A 32 meg flash chip holds a lot and is easily pocketed. As to the confidentiality of the info they scan, I 
know a bridge for sale.


Dave


: Tue, 25 Aug 1998 18:44:19 -0400
From: "K. N. Cukier" <100736.3602 () compuserve com>
Subject: Follow-up to UK scanning PCs for Net porn
Sender: "K. N. Cukier" <100736.3602 () compuserve com>
To: "farber () cis upenn edu" <farber () cis upenn edu>




Dave,


Here's a quick update on the issue of UK customs scanning PCs for Internet
porn, which you sent to the IP list two weeks ago. It wraps up some of the
new information that has been uncovered.


Cheers,


Kenn


______________


I.
Many newspapers did stories on the incident, and were able to get comments
from Her Majesty's Customs and Excise office (as well as compelled it to
release a statement on their practices). The office confirmed the policy,
but refused to explain how the scans are technically carried out, since
that could compromise the effectiveness. However, contradictions emerge in
the customs office's comments published in news reports and their own media
statement: 


1. Are travelers randomly searched, or only if they fit a profile or
customs is tipped off in advance?:
* "All travelers entering the country should be prepared to have their
equipment scanned." spokesman at UK Customs and Excise office. (The Daily
Telegraph)
*  "If we have had some intelligence in advance that suggests the owner of
a computer may be carrying suspicious material, that's when we are likely
to want to search a computer. ... But on a day-to-day basis we will not
check computers." UK customs spokesperson. (Press Association, UK)
* "We're targeting people who fit particular profiles." UK customs
official. (BBC Online)
* "According to a Customs spokesperson, seizures are a regular occurrence
although 'we don't do things randomly. We work on intelligence received,'
she claimed." (VNU)


2. Do the scans happen systematically or rarely?:
* "Just as Customs regularly intercept and examine baggage, items of mail,
courier despatched material, and consignments of freight which might
contain indecent or obscene material or other prohibited items we also
examine the content of computer files." (HM Customs & Excise office)
* "We do not search computers as a matter of policy... usually only if we
think there is some reason to." UK customs spokesperson. (Press
Association, UK)
* "There's a variety of software we can use and we've been using CD-Rom
readers for some time to check disks for pornography." UK customs
spokesperson. (BBC Online)


3. Have the border searches yielded illegal pornographic material?:
*  "But we're daily seizing images from pedophiles." Mark Thompson, British
Customs and Excise office. (The New York Times) [NOTE: It is not clear if
it refers to electrically-stored images, or hard copies--KNC.]
* "The spokesman said a number of paedophiles who had downloaded images
from the Internet and stored them on their hard disk had been apprehended
through Customs work. But he could not cite any cases of this happening at
border inspections. He said discoveries were made mainly by intercepting
mail." (BBC Online) [NOTE: is it not clear if it refers to e-mail or the
post--KNC.]
* "Officers may examine laptop computers because experience has shown that
these are being used to smuggle appalling paedophile images. (HM Customs &
Excise office)


4. The admissibility of evidence and protections of privacy are unclear:
* "Still, the scanning technology promises to exact a penalty from some
computer users who get snagged by it: Customs officials may confiscate a
computer containing pornographic images. "We would probably put forward a
legal case to retain the computer," Thompson said." (New York Times)
* "So far as we are concerned, there is little difference between an
encrypted file and a locked suitcase." UK customs spokesman. People
refusing to open encrypted text will be subject to a court order; the
penalty for refusing the order is contempt of court, which can result in
imprisonment. (Daily Telegraph)
* Travelers need not be concerned about the privacy of business or personal
documents,  the spokeswoman said, because the service "has a duty of
confidentiality. The  information goes no further". (VNU Newswire)
* "These "scans" are done in the presence of the passenger. ... [T]echnical
staff are available to assist where necessary." (HM Customs & Excise
office)


Sources:
* BBC Online August 13, 1998; by Chris Nuttall.
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_150000/150465.stm>
* The Daily Telegraph, 20 Aug 1998; by Simon Davies.
<http://www.telegraph.co.uk>
* HM Customs & Excise office (public statement), August 1998
<http://www.open.gov.uk/customs/discscan.htm>
* The New York Times, 15 August 1998; by Peter Wayner.
<http://www.nytimes.com/library/tech/98/08/cyber/articles/15border.html>
* Press Association, UK, 17 August 1998; by Giles Turnbull.
<http://www2.crosswinds.net/london/~gilest/cukier.html>
* VNU Newswire, August 1998; by Graham Lea. VNU Business Publications Ltd.
London UK.




II.
New questions remain unanswered:
* What if Customs accidentally unleash a computer virus on a traveler's
machine during a search? Can the traveler sue for damages?
* If a traveler refused to submit to a PC scan search, is the person simply
not allowed to enter the country, or could the UK authorities demand a
search of computer files nevertheless?
* How does the scan work? "Her Majesty's Customs and Excise Press Office
[said in an interview with Bentley] their scanning involves booting from a
"one-time" floppy which does the scanning and which they then discard.  ...
[I]f there is nothing inserted into the scanned notebook but a single
floppy, then their scope for copying data off the notebook is very
limited." (Source: Pete Bentley <pete () sorted org>, correspondence with KNC;
posted in different form on "ukcrypto" mailing list.)




III.
As for the IP posting itself, it has had an interesting lifespan, and
serves as a terrific example of the Internet's power to inform and
contribute to setting the political agenda.


The IP post's diaspora was fast and broad, much aided by Declan McCullagh's
popular Politech list. Within hours, my mailbox was teeming with messages
from people extending their support, and sharing their indignation. One FCC
official called the incident "amazing"; a vice president at a large US
backbone ISP likened it to Monty Python; a world-renowned cryptographer
commiserated on the excesses of government snooping....


Britain's newspaper The Independent "reprinted" the essay (17 August 1998),
citing the original "publication" as the IP list, in what may be the first
time the traditional media has shovelwared online media...!  Many
newspapers and online media sites reported the incident. And the IP post
has even been translated into Spanish
<http://www.zonezero.com/magazine/articles/kcukier/searched.html> .




IV.
In Richard Solomon's message, which you posted over the weekend, he argued:
"this is a pure excuse for industrial espionage." I disagree with Richard,
actually, though respectfully defer to him as an expert in his field. I
think there is a great and real danger that scanning laptops could *become*
a smokescreen for industrial espionage, but I suspect the reason UK customs
authorities peruse this policy today has less to do with nefarious
interests and more to do with stupidity. 


The e-mail of Vin McLellan of The Privacy Guild, on how executive's laptops
have been targeted in the past, is unsettling. Clearly, the UK will be
forced to re-examine its policy as soon as they demand a scan not of a
harried reporter's computer, but of a senior French executive, who says
those immortal, firecracker words: "Please call my embassy before you
proceed." (Actually, I giggle when I think of what British business
executives would do if China had a similar customs scanning policy under
the pretext of Internet porn!)


For policy makers, they see the matter in the same perspective as classic
paper-bound regulations: And if you've implemented a bad policy, you can
change it. What policy makers don't understand -- but the geeks do -- is
that in terms of technology, there's a far larger burden: Once you've
deployed the infrastructure for this sort of thing, it's extremely
difficult to turn back. 


The message: Don't build short-sighted, silly policy into the
infrastructure. Do we really want a world where our private thoughts -- as
expressed by the Web sites we visit, our e-mail records, our date book and
address book -- can be readily submitted to a scanner, under whatever
pretext, whenever we cross a border? Hey, maybe we do -- but if that's the
case, I'm certain we ought have a transparent and frank public policy
debate on the effectiveness versus the potential social consequences of
such as policy, not fiat that question to a lone customs guard at
Checkpoint Doom.




V.
While the experience underscored the fragility of privacy and ease of
government surveillance in the digital age, I also believe it demonstrates
why our society is healthy and the political-governing process works quite
well. I have been able to speak out publicly about the incident without
fear of either France or the UK government requesting my address from my
ISP to arrest me. Days after the incident, I was in Kuala Lumpur talking
with an official at MIMOS, Malaysia's government-backed networking center,
which revealed the identities of three Internet users to the Mahathir
government who arrested them for "rumor mongering" over e-mail. By
comparison, I feel I was treated as if a member of the Royal Family. Of
course, it is precisely because I believe these freedoms are worth
protecting that I raise questions about the UK policy.




VI.
British (pundit) sentiment is divided on the matter. A couple of days after
my experience at Waterloo station, ironically, the director of the British
Board of Film Classification, James Ferman, who oversees and censors UK
films, announced his retirement and spoke to the press about Britain's
pornography policy. 


Ferman is quoted as saying:
* "As we enter a new millennium, we must find a solution to the problem of
pornography, which will not go away. The law has been applied by police and
magistrates in too strict a manner to allow the material the customers
want." (The Independent, 16 August 1998).
* "A little of what people want is OK as long as  it's on the harmless end
of the spectrum." (Sunday Times, 16 August 1998).
* "We are left with a flourishing black market which mixes pornography with
obscenity." (The Independent, 16 August 1998).


The Sunday papers:
* "[T]he scale of the Net is such that any attempt by British police to
pursue produces and consumers of hard pornography would be futile. [...]
Thanks to technology and the market, the hard and the obscene are here to
stay." (Bryan Appleyard in the Sunday Times, 16 August 1998, speaking out
*against* pornography in society.)
* "[T]he Internet and satellite television in the 1990s ... have also
by-passed almost every legal obstacle, avoiding any form of import
control...." (Tobias Jones, in The Independent, 16 August 1998).




VII.
Since the essay, many people have sent me information on Britain's customs
laws:


* "Section 42 of the Customs and Consolidation Act 1876 prohibits the
importation into the UK of indecent or obscene prints, paintings,
photographs, books, lithographic cards or other engravings, or any other
indecent or obscene articles. ... Following Derrick v. Commissioners of
Customs and Excise  it is clear that any kind of computer disk will be
covered by the Act. But as far as the electronic transmission of computer
data is concerned, HM Customs and Excise stated to the Home Affairs
Committee that: 'Computer pornography transmitted into this country from
overseas via telephone lines, etc., is not within the scope of the import
prohibition since such transmission does not constitute an importation of
goods or articles'." (Source: Akdeniz, Yaman <lawya () leeds ac uk>, "Computer
Pornography: A Comparative Study of the US  and UK Obscenity Laws and Child
Pornography Laws in Relation to the Internet," [1996] International Review
of Law, Computers and Technology 10 (2), 235-261.)


* Customs and Excise Management Act 1979; section 14 (1): "without
prejudice to any other provision of the Customs and Excise Act 1979, where
anything has become liable to forfeiture under the Customs and Excise Acts:
(a) any ship, aircraft, vehicle, animal, container, (including any article
of passengers' baggage) or any thing whatsoever which has been used for the
carriage, handling, deposit or concealment of the thing so liable to
concealment, either at a time when it was so liable or for the purposes for
the commission of the offence for which it later became so liable, and  (b)
any other thing mixed, packed or found with the thing so liable to
forfeiture shall also be liable to forfeiture." (Source: Law Report,  The
Independent,  4 Nov. 1997 by  Kate O'Hanlon, Barrister. Sent to me by A.R.
in Brussels.) 




VIII.
Two things I would have done differently had I known that the message would
get the attention it did: Re-read it before sending it (after writing it at
3am, atop a 15 hour fight!) to correct all the spelling errors. Also,
chastise one last group that sort of gets off scot-free: The complicity of
politicians who incite, then exploit, citizens' fears of new technology to
curry electoral favor by masquerading as tough on Net porn. 




Thanks for passing this (verbose screed) along to the list,


Kenn