I work for a government agency, a federal one. In the course of my work, and for admittedly personal reasons, I encounter a great number of different sites via news articles and Google Reader. Like so many others at federal agencies, I am often stopped dead in my tracks as I encounter the dreaded web filter (in my case, WebSense; I don’t know and don’t care how many other companies provide this “service.”) It’s dreaded because 1) you never know when it’s going to strike and 2) the categories under which some sites fit (legitimately or not) might trip someone’s radar, assuming anyone is watching. I won’t go into the actual efficacy of web filters, nor the intent behind them, as I’ve already covered these well enough. Suffice it to say that I think their intent is misguided and their efficacy is questionable. No, today I want to talk about a particular aspect of their efficacy, which is how well or evenly they are applied, and how robust the categorizations are.
I guess I should note, in case you haven’t surmised already, that I run into these filters A LOT. I am almost never surprised when I run into them. More than half the time the blocked URLs are masked by URL shorteners that lead to YouTube, Vimeo, or some other video site. The rest of the time they are either miscategorized or unevenly applied. This article would have been much shorter if the agency in question hadn’t suddenly turned on another bone-headed feature: quota time. So now I am greeted with warnings that the site falls into a certain category (usually Blogs and Personal), but I can click a button to start using quota time. What actually surprises me, and I will expand on this below, is which sites AREN’T automatically blocked, and how easy it is to work around the filters (thus undermining their efficacy).
First, some evidence.
WebSense has miscategorized the personal blog of journalist Alyssa Rosenberg as a “sex site.” This was an example that actually surprised me, because it was incredibly unexpected, but also because such a category should, if organizational processes are configured correctly, generally alert someone. Nobody wants to generate that kind of alert, because it can attract unwanted attention and uncomfortable questions. What also surprises me is that it has not been corrected.
Next up, WebSense has also miscategorized the Free Range Kids site as a “streaming media” site, despite the fact that there is no trace of streaming media anywhere on it. No archived podcasts, embedded videos, or hosted audio/video content appear anywhere on the site that I could find, making this categorization a complete mystery.
Yet another site, Rational Moms, is categorized by WebSense as “Web and Email Spam,” which is just as baffling as the others in this list. I have no idea what information on a site qualifies it as spam, but it clearly is not. Because it’s categorized this way (instead of, say, “blogs/personal,” which it is), it is ALWAYS blocked.
One other site I couldn’t help but mention is blackbag, a treasure trove of information of interest to serious security professionals, in the form of articles and demonstrations of weaknesses in locks, encryption, and the RF spectrum. Underscoring the fine line between security awareness and unethical behavior, WebSense has categorized this as “potentially unsafe/illegal,” which is another category that probably trips someone’s radar. Score two for me, I guess.
And finally, let’s take a look at what kinds of things WebSense categorizes as “blogs/personal,” which are technically allowed, but only if I want to use some allotted “quota time.” Almost any site on a WordPress domain (wordpress.com) or a Blogspot domain (blogspot.com) falls under this category, though it’s not evenly applied. For instance, the official Google blogs (on the blogspot domain) are all accessible, but the toolbars at the top are not. WordPress and Blogspot blogs hosted ELSEWHERE (i.e., with different domain names) do not suffer from this.
The Rub: Unequal Application
Because of unequal application of categorization rules, WebSense completely fails as an effective means of preventing access to all but the most well-known sites. If the goal is malware prevention, or preventing access to porn sites, illegal activities, and the like, then we have to assume that WebSense is aware of phishing sites, malware hosts, porn sites, and illegal activities in pretty much real time. That’s not a reachable goal. If the goal is to prevent people from accidentally disclosing sensitive information (à la social networks), then the particular policy fails when some networks are blocked and some aren’t. And if the goal (likely) is to prevent people from wasting time by blocking access to known time-wasters, then the policy also fails because of unequal application. If a policy and the programs that support it consistently fail, then the answer is not to strengthen the program (which will still fail). The answer is to revise the policy.
One final thing that really makes my blood boil in this case is that even if something is clearly miscategorized, WebSense does not have any appeal mechanism available to the general public. It rules this space by fiat, meaning it can arbitrarily censor information based on either accidental categorizations or by actual intent. While these cases are most likely accidental, where such accidents can happen, ill intent is also enabled. Whether a public entity’s use of such a product constitutes any violation of free speech is not for me to decide, but it certainly would be if the government used it to keep private citizens from accessing parts of the Web.
I am calling for the complete abolition by IT departments of tools like this. They annoy users, treat people like children, and at best provide a false sense of security and control.
Surely there's a bit of humor in the fact that I'm getting a fair amount of traffic from one of the sites I mentioned in the article... many months after I published it. So I guess welcome to those of you who wandered over from blackbag.nl.