Computerworld
Print Article
Close Window

Symantec: List of Blocked Sites Breaks Copyright Laws

Group decrypts lists to blocked sites, posts them and charges company with privacy violations

Ann Harrison
 

March 20, 2000 (Computerworld)

Symantec Corp. is pressuring a Massachusetts Internet service provider to remove links to a list of Web sites blocked by Symantec's I-Gear Internet filtering product and to a program that decrypts the list. Symantec charges that the information is protected by copyright laws and trade secret laws.
Peacefire, the group that posted the links on its Web site, contends that the links reveal a tool with a high error rate that also violates users' privacy.
Symantec's effort to yank the links reflects a strategy some companies are using either to prevent the distribution of information they consider damaging or to ban software created by reverse-engineering of their products.
Peacefire.org, a Seattle-based organization, posted the link that listed 470,000 sites blocked by the I-Gear product. The link to the I-Gear list is included in a report that provides another link to a code-breaker program called igdecode that decrypts the list.
According to Bennett Haselton, a freelance programmer in Seattle who maintains the Peacefire site, the group also found that the I-Gear installer retrieves the user's "real name" and "company name" from Windows registration information on the user's computer and sends that information back to Symantec without notifying the user -- apparently in violation of the privacy policy on Symantec's Web site.
I-Gear is used in New York public schools to filter out pornographic or offensive sites. But Haselton said the decrypted list reveals a 76% error rate for .edu pages that aren't pornographic.
Symantec Vice President and General Counsel Arthur F. Courville fired off a letter to Peacefire's Internet service provider, Media3 Technologies LLC in Pembroke, Mass., demanding that it remove the links to the I-Gear blocked-sites list on Symantec's server and to the code-breaker program.
In his March 1 letter to Media3, Courville stated that the I-Gear filtering list is copyrighted by the company and contains trade secrets owned by Symantec. Courville added that the list of barred sites was gained with a key number from a licensed copy of I-Gear, which violates Symantec's copyrights and trade secret rights as well as the I-Gear license.
"To publish that list to the world is not permitted in the license agreement," said Courville.
"(Haselton) posted a copy of, or a part of, our product for free distribution and I don't think there is any context where he could claim that is not a copyright infringement," he added.
Haselton emphasized that Peacefire didn't break into Symantec's server to decode the list. Instead, the organization reverse-engineered I-Gear's protection scheme -- a maneuver that consisted of swapping the first few bits at the beginning and end of the list of blocked sites. He said he installed I-Gear and then used a network capture tool to see what bytes it sent out when it updated the blocked site list by downloading the latest version from the Symantec server.
Civil libertarians say that reverse engineering is supported by fair use provisions of the copyright laws. In February, Sony Corporation of America brought an intellectual property case against Connectix Corp. in San Mateo, Calif., charging that Connectix was illegally reverse-engineering Sony's copyrighted material to make a rival product that allowed Sony PlayStation games to run on Apple Computer Inc.'s Macintosh operating system.
The U.S. 9th Circuit Court of Appeals ruled that Connectix's actions were protected as fair use.
The 1998 Digital Millennium Copyright Act outlaws technologies that can defeat copyright protection devices, but permits reverse engineering for encryption, interoperability and computer security research.
To find the error rate on the cross section of I-Gear's blocked-sites list, Haselton said the entire list had to be decrypted. He said it's a good example of why reverse engineering and code-breaking should be legal.
"He did something improper before he even got to the reverse engineering stage," countered Courville. "I think reverse engineering is an important issue in the industry and I am watching what is happening in the courts, but I don't think it's relevant."
Peacefire said it hasn't removed the link to the Symantec server. But Haselton said the link contains a serial number that has to be verified before the list can be downloaded, and Symantec has deactivated that serial number to stop the link from working.
Media3 has yet to take action on the complaint.
As for the alleged privacy violation, Courville said that when Symantec acquired the I-Gear product last year, the company wasn't aware that user information was being collected by Windows NT versions of the software. While Courville said the Symantec privacy policy applies only to the material on its Web site, not its software, he said the company will remove this feature of the product.