An activist published Germany's "secret" internet censorship list on Neocities. Now the German government is threatening Neocities with... censorship.
Image: Wikimedia Commons
Since 2005, the German government has been keeping a secret list of websites that it requires be censored from search engines and blocked by router manufacturers. The agency tasked with producing the quarterly list, BPjM (Bundesprüfstelle für jugendgefährdende Medien, or Federal Department for Media Harmful to Young Persons), is run by unelected officials, and largely free from public scrutiny.
In response to BPjM's secretive powers, an anti-censorship activist, security researcher, and self-described "concerned citizen" decrypted the agency's secret list and published it on Neocities, a 21st century reincarnation of the free web hosting platform site Geocities. Now the German government is threatening to, yes, censor Neocities if it doesn't keep the list off its web hosting service.
After consulting with the activist (who wishes to remain anonymous), Neocities creator Kyle Drake decided to temporarily remove the list of nearly 3,000 URLs while exploring his legal options. But already, as so often happens with censored content, the list multiplied across the internet.
Drake notified the Neocities community of his move on The Neocities blog.
"The censorship list is published quarterly in the magazine 'BPjM-aktuell' which can be read in any major library in Germany," wrote Drake. "Though hashed, this list is essentially public information, because it's published by the German government in a way that is trivially easy to brute force to reveal the web sites."
As Drake explained it, anyone with a basic understanding of cryptography and a few spare hours could have easily cracked the censorship list, which is distributed to search engines and router manufacturers in and outside of Germany. As the leaker told Drake, they were able to take one of the routers, and simply "suck the list out by logging into the machine and copying the file."
In addition to blocking search engines like Google, Yahoo, and Bing, the BPjM-Modul can censor internet content at the router level. As Drake told me, whenever a user accesses a web site, the router intercepts the domain, uses MD5 or SHA1 to compute the hash of the site, and then blocks the content if the site matches the hash on BPjM censorship list.
After publishing the Neocities blog, Drake spoke to me about the activist's leak and how it made him aware of both BPjM's existence and the historical revisionism that lies at the heart of Germany's internet censorship complex.
"That's why I went public with this information: to prevent [Germany] from silently banning Neocities without anybody knowing about it."
"I was aware of Nazi content being illegal in Germany, the stupidest of which was when they banned the game Castle Wolfenstein," Drake said. "So, I remember getting a laugh out of that because the game doesn't exactly glorify Nazis. But I didn't know that they were also censoring results on search engines and routers."
"Now that Neocities is being threatened by them in a very abstract way, I can sympathize with the many sites that have likely been unfairly targeted by them," he added.
When Drake received the letter, he realized that there wasn't an explicit legal threat. The letter, written by Birgit Braml, Head of Division Protection of Minors in the Media (part of the Joint Management Office of the German Media Authorities), is rather polite. In it, Braml asks Drake to remove the activist's list, which included plaintext links to around 3700 sites, including such unsavory places as child pornography hubs, to fulfill Neocities' goal of allowing people to "harness the creativity, beauty, and power of creating your own web site."
"They haven't said what they're going to do, but I'm sure their intention is to block the site," Drake said. "I'm not sure if they're going to block just the leak site, or the entire neocities.org domain. If they block the domain, they block everybody on Neocities (now over 22,700 sites), just because of this one site."
Drake stressed that Neocities monitors site content, and hasn't yet seen a single site with illicit content, like child pornography. For that reason, he finds Braml's argument confusing, and he doesn't expect the arbitration process to be fair.
"That's why I went public with this information, to prevent them from silently banning Neocities without anybody knowing about it," he said. "I would have rather dealt with this silently, but I had to shine a light on it for our own protection. It really highlights the problems with the current system, and the need for reforms to protect legitimate sites and businesses."
Drake, who lives in Portland, Oregon, noted that Neocities operates under United States law. Based on the little official and informal legal advice he's received, Drake thinks it's "probably legal" to host the list in the US.
"[P]roviding a translated list of plaintext sites that (allegedly) link to child pornography for reasons of political activism against unaccountable censorship may be illegal," he said. "There's no precedent for it in the United States, so it's something of an unanswered question. I don't think it's worth going to court to find out, because it's not really the core of this discussion. And we can't afford a lawyer anyways. Neocities is being funded by donors, we don't have that kind of money."
Neocities' Kyle Drake "slinging cyberpunk in Shanghai, China." Image: Kyle Drake
However, nobody knows for sure since the discussion of child porn on the internet, in his words, "turns free speech protections into minefield very quickly." Which is why Neocities took down the plaintext links.
"Since then, of course, the list has spread to pretty much every site except Neocities, because that's what the internet does when you try to censor information," said Drake.
Drake believes that with Germany's censorship move against Neocities, the crusade to protect children becomes a "bully pulpit to shut everybody up and silence criticism."
"Now we can prove that they're abusing this list by censoring sites that have nothing to do with protecting children," he said. "That needs to be looked into, and there needs to be, at a bare minimum, public discussions [about] the flaws within this system."
And Drake and the activist leaker said the system's flaws extend beyond the issue of censorship. Neither the MD5 or SHA1 hashes are the latest and greatest in crypto. Describing them as "one-way cryptographic hash functions" mainly used to store passwords on websites, Drake said that MD5 has been broken for years, while SHA1 is currently very weak.
With MD5, a user can take a bit of text, run it through the hash function, which will return a series of unrecognizable characters, guaranteed to be the same every time a user feeds in the same test. It's not easily reversible without knowing the input text. For example, with MD5, "google.com" looks like "1d5920f4b44b27a802bd77c4f0536f5a." Ideally, a user should not be able to take the hash string and figure out that "google.com" was the input, which is exactly what the activist did with the BPjM-Modul list.
"[T]he list of possible hashes is just a list of every web site in existence," Drake said. "So, you can brute force MD5, and SHA1 is also pretty easy to brute force with modern hardware. Failing that, if you have some things to try for the input, you can compare that to the hashes and see which things match, and then you know what's on the list. The leaker basically just utilized one of these methods to derive the list."
As the leaker explained to Drake, there is no legal recourse in Germany to challenge the censorship list. Lawyers have attempted to obtain a list of the censored sites, but Drake said the courts have told them that they can't see the contents. Why? The official line is that disclosure would allow people to get a concentrated list of the illegal sites they're trying to prevent people from seeing.
"As we can see, all it's done is made the problem worse," Drake said, fully aware of the irony in the Germany government's stated position. And the country has pulled what would otherwise be anti-censorship companies into this Orwellian black hole. Drake said that he has been told Google, Bing, and Yahoo cooperate with the German government, as do many router manufacturers.
"I'm sure many other search engines have agreed to block the sites from showing up in search engines," Drake said. "For search engines like Google, I'm sure it was more of a business decision. If they didn't agree to do this, they could have been banned from Germany, and that was a risk they weren't willing to take. I wish they had, because they have the resources to fight legal battles like this, and I unfortunately don't."
"Censoring your history (or pornography, or anything) doesn't prevent people from viewing it if they want to. The only way to stop illegal content is to go after the people making it, because the only way to stop information from flowing on the internet is to ban the internet itself."
Drake now finds himself in a censorship Catch-22. If he doesn't return the censorship list to Neocities, he effectively censors the security researcher. And if he doesn't comply, he might find Neocities added to the German government's censorship list. It's a surreal quandary worthy of a Franz Kafka short story, and Drake is trying to find his way out of it.
As much as child pornography and Nazism disgust Blake, he thinks censorship is the wrong approach to tackling the problems.
"I'm a passionate person, and I get pretty angry reading about how disgusting and insane the Nazis were," he said. "I think the best way to prevent them from getting power again isn't to stoop to their level and censor their opinions. The best way is to let people read their garbage ideas, listen to their garbage music (neo-nazi punk is the worst music I have ever heard in my life), and realize how much they suck."
"When thought is free, the best ideas win. Neo Nazis don't have the best ideas, so they lose," Drake added.
Whether one believes Germany's stated intentions or not, it results in something close to historical revisionism. Not with the blocking of online child pornography, but the erasure of anything that hints at Nazism or fascism more generally.
"The more I learn about this, the more I believe that historical revisionism may be the real issue here," Drake said. "This is revisionism by omission, with child pornography being used as a bully-pulpit to shut people up and prevent debate on what gets added to the censorship list. China does exactly the same thing when they filter results for the Tienanmen Square massacre or Falun Gong. They want people to forget about it, or at least be pressured into not viewing it."
Despite the Neocities censorship battle, Drake finds encouragement in the internet's ability to circumvent censored content. He agrees with the EFF co-founder John Gilmore's thought that the internet interprets censorship as damage and routes around it.
"Censoring your history (or pornography, or anything) doesn't prevent people from viewing it if they want to," Drake said. "The only way to stop illegal content is to go after the people making it, because the only way to stop information from flowing on the internet is to ban the internet itself. Even increasing the amount of censorship doesn't work, because people find ways around it."
"Because of that, I fear that all Germany is ultimately doing is legitimizing extremists like the neo-Nazis by censoring their content," Drake said. "Sure, the Nazis censored content, but so does the Democratic Germany. They'll ask, 'What's the difference?' And I can't answer that question."