The following text is copyright 2004 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Simple solutions are often wrong
By Scott Bradner
One of the longest-running problems with the Internet is the assumption by too many people that it is simpler to control than it is. This problem manifests itself in many ways, but it shows up most reliably when lawmakers try to write laws covering the Internet. Almost always the laws they write are atheistic with regard to the way the Internet works. The laws demand that someone do something that cannot actually be done, or that can only be done by significantly changing the network itself or by impacting far more people than the law is intended to impact. An example of the latter was the subject of a U.S. Federal District Court decision on September 10th. In this case, as it has been in a number of other cases, the court seems far more willing to think than are lawmakers.
In 2002, Pennsylvania adopted the Internet Child Pornography Act. This Act required that ISPs "remove or disable access to child pornography items residing on or accessible through its service in a manner accessible to persons located within this Commonwealth within five business days" of when the ISP was notified by the Pennsylvania Attorney General. To the Pennsylvania lawmakers this must have sounded like an easy thing for an ISP to do, but that is not the case.
That requirement might not be all that hard to meet for child porn residing on the ISP's own servers because the ISP could just remove the bad content. Things get much harder if the content is somewhere outside of the ISP's reach. The only thing the Pennsylvania Attorney General provided the ISP was an IP address or a URL. The law required that the ISP ensure that its customers could not access the bad content. The ISP needed to do this based on the IP addresses or URL, but the ISP had to take into account the actual capabilities of its equipment and operations.
At first glance it might seem that an ISP could easily meet the law's requirements by blocking access to the IP address, either by filtering the address or by tweaking its routing tables, and by blocking the URL by tweaking its name servers. It is true that these techniques will do the job, but they have significant side effects, since many web sites can share the same IP address or base domain name. Blocking access to a single IP address can block as many as half a million web sites. In fact, during the time that this law was in effect the Attorney General asked ISPs to block access to about 400 sites based on the claim that child porn was present. This resulted in the ISPs blocking access to as many as 1.6 million innocent web sites. This side effect did not seem to bother the Attorney General.
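The side effect described above can be measured before a block is deployed. The following is an added example, not part of the original column: it takes a constructed hostname-to-IP table (the host names, addresses and the audit function are all hypothetical) and lists the innocent sites that an IP filter or a base-domain DNS block would take down along with the named URL.

```python
from urllib.parse import urlsplit

# Constructed sample data: hostname -> IP, as a passive-DNS lookup might report.
# Names use the reserved .test TLD and addresses the RFC 5737 documentation range.
HOSTING = {
    "bad.example-host.test": "192.0.2.10",
    "bakery.example-host.test": "192.0.2.10",   # same IP, same base domain
    "school.example-host.test": "192.0.2.20",   # same base domain, other IP
    "clinic.other.test": "192.0.2.10",          # same IP, unrelated domain
    "news.elsewhere.test": "192.0.2.77",        # unrelated
}

def base_domain(host):
    # Assumption: the registrable domain is the last two labels. A real
    # audit needs the Public Suffix List for this step.
    return ".".join(host.split(".")[-2:])

def audit(order_urls, hosting=HOSTING):
    """For a list of URLs named in block orders, return the non-target hosts
    that each coarse blocking method would also make unreachable."""
    targets = {urlsplit(u).hostname for u in order_urls}
    unknown = sorted(t for t in targets if t not in hosting)
    if unknown:
        raise KeyError(f"no hosting data for: {unknown}")
    blocked_ips = {hosting[t] for t in targets}
    blocked_bases = {base_domain(t) for t in targets}
    # Address filter or null route: everything on the same IP disappears.
    ip_hit = {h for h, ip in hosting.items() if ip in blocked_ips}
    # Name-server change at the base domain: every host under it disappears.
    dns_hit = {h for h in hosting if base_domain(h) in blocked_bases}
    return {
        "ip_filter": sorted(ip_hit - targets),
        "dns_base_domain": sorted(dns_hit - targets),
    }

if __name__ == "__main__":
    report = audit(["http://bad.example-host.test/page.html"])
    for method, hosts in report.items():
        print(f"{method}: {len(hosts)} collateral host(s): {hosts}")
```
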
The Pennsylvania Attorney General was sued over the less than limited impact of the blocking and other issues. A U.S. federal court has just ruled that the Act violates the U.S. Constitution for a number of reasons including the wholesale blocking of innocent web sites. The court's decision is very clearly written and carefully reasoned, descriptors that cannot be applied to the Act itself. (http://www.cdt.org/speech/pennwebblock/20040910memorandum.pdf)
Child porn is very bad stuff. Child porn itself is, and deserves to be, illegal everywhere. But that does not mean that lawmakers should disregard technical reality when trying to control it. The Pennsylvania Act did nothing to actually limit child porn -- instead it hurt innocent bystanders and again demonstrated that lawmakers frequently think it's more important to do something than to do something useful.
disclaimer: I do not know if Harvard's JFK School of Government has a class in technical reality, I hope so. In any case the above is my own view.