 Also, a warm welcome to Alvar Freude, who is now going to talk to us about internet filters, gone wrong, in particular, infotended filters. And it's about youth threats against media competency. Welcome to this translation. Hello. Good morning, everyone. Ah, we're actually ahead of time. Something I never managed to do. I'm normally one that's late. I'll tell you a bit about the horror youth protection software. I'll rush through things a bit, but we'll have a few minutes for questions. So these are the topics I'm going to talk about. And at the end, there's going to be something about the illegal data collection by German Telecom. So if you watch TV, everything is very simple, right? There's the crime program at eight, monsters at 10, and semi-nude people at 11 p.m. And well, what about the internet? Looks the same, doesn't it? Rectangular box. And do they still have the crime program at eight, monsters at 11, semi-nude monsters at 10, and semi-nude at 11, or is it simple, right? But the fact that there's a difference, disturbed not just us, but also those that sell pictures of semi-nude people, which meant that there was a state treaty, interstate treaty between the German federal states on the protection of minors in the media. And that included filter programs. And those that include filter, those that support filter programs, those websites can actually show these images at lunchtime, too, which didn't quite work. As a reason in 2010, there was the establishment that there was a new reform of that interstate treaty on youth protection, which was to support filter programs more and set up basically a world community for children where they can play and all those even monsters stay out. Very typical gated community, therefore, which leads us to the motto of this year's Congress. So that was the wish of the professional youth protectors, well, senior people mostly that have little idea of how things are in practice. But unfortunately, that's how things go. And the whole thing didn't, doesn't quite work, is not quite working. One of those protected surf rooms is called Ask Fin, it's a supposedly child-friendly search engine, which has a whitelist, which is then published to filter programs. And this whitelist has as little as 10,000 domains roughly, not as visible normally, but there are ways and means to find these. So if you remove all the duplicates without www, you have about 5,000 domains that are actually allowed, and that's what 6 to 12-year-olds are supposed to be able to access. Everything else on a typical filter program is all blocked, which is kind of ridiculous, of course, if you assume that you have 30,000 schools, primary schools, 15,000. So most children will not even be able to visit their own primary schools' website. There is not a single newspaper, only a newspaper museum included, well, leave out the state broadcast, the Kinder Canal, the Children's Channel. So allegedly, these data are updated regularly, daily it even says, but if you look at the timestamp in the XML file that contains all these URLs, then the last one was from 2013. If that's true or not, we will leave open, but that's what the timestamp says. So I accessed this file in June this year, and I accessed it a few days ago, mid-December, there was no change. So 2013 seems to be right. Here's a small selection of the websites. Some of them actually are quite suitable for children. But there are a few things where you really wonder, how does a skin cream website get in there? There it is. So how does that, does that get in there? And a few more things where you ask yourself, the Swedish website is included. So there are some things where you really wonder, oh, there is a, there is a for-pay which type of course, of course there are no free ones for that, you have to send children to those that have to be paid for. Sounds like, seems like an internal work on this, of course, all the websites of the members of the interstate commission on the protection of youth and the media is in there. So this isn't quite working. The internet is much too large, much too fast and much too interesting. So any kind of editorial team that perhaps tries to register all this won't work and without any updates, it won't work either and many sites interesting for children aren't in there. I asked around my daughter that, who's going to be nine this next year, the most website she uses would be blocked. There is one popular program called the mouse program, not a computer mouse by the way. So that's included, but there's a lot missing and of course YouTube is blocked. So as a six to 12 year old, you would not be able to access that. The telecom filter was so clever that until recently all HTTPS pages, each and every HTTPS page in the world was blocked. The default setting was now changed. So when I tried this, this December HTTPS was allowed and that would at least get you to some websites Wikipedia, for example, was not included earlier, which they had recommended. So things happen. Interesting ones. So because all these things don't seem to work and no editorial team is able to travel through the whole internet, there is another idea, genius idea since 1997. Well, let's do some labeling. This works in the cinema with games. So you can do this online, just tell every website operator to labor their website for the ages that it's supposed to be good for. This is in the law in the old and the new law or the interstate treaty, not too many changes in the new one. I'm going to talk about that in 2010. There was a lot more reworking in the last reform, but self labeling is in the law and you are all supposed to self label or at least those that running that run a website at a large scale. Who of you runs a website or operates one professionally and who of you has self labeling? There's no hand and before that there was about a third, oh, one hand is showing up. Yeah. Okay. One, two. YouTube actually has self age labeling, which is why the telecom filter blocks it even for 16 year old because the XML that's being shown has 18. Uploading in particular is actually uploading would be a different domain, wouldn't it? That should work and embedding with the no cookie website should actually work because it's another domain again. So what you need to do is embed them on a different website with a no cookie version and that should work. I haven't tested it. So the YouTube problem hasn't really been solved this way. And this short example already shows us that self labeling doesn't really work at all. It's quite an effort to do. It costs. It ignores real time communication. How are you supposed to label a chat? It could change by any second or this video transmission right now I could now start showing semi-nude pictures that would be at least rated 18 or in the US and 16 or 12 here. So you see that there are lots of problems and attempts at self labeling have been there since the mid 90s. There was something called PIX from the World Wide Web Consortium that was an attempt that failed. Internet Content Rating Association developed a system that failed. There are still websites that carry that label but ICRA is defunct the domain is actually in the hands of some domain grabber now. So the consortium had a second attempt called powder which also didn't quite have a success. So the principle of self rating in itself well it is extremely hard to do to label that content how are you supposed to label Wikipedia for example. You could say well okay the whole Wikipedia 18 because somewhere in there there could be some article about sexual practices practices is that what you want. So that's not what you want that can't be it. So the way these people imagine these things to be is just not working. And I did actually do a practice test as well. I tested four and a half million domains asking myself myself how many of those would have a label according to the German Interstate Treaty on Youth Media Protection. And well of those four and a half thousand there was about one thousand six hundred that were rated it's about zero point zero point three six percent. Okay that was worldwide where you could object including some Chinese or whatever. So let's take all the German ones again it's just zero point two two percent. What about Tudon's pages? Tudon's pages should have an interest of labeling themselves saying from six from zero ages but again more than nine thousand and zero point six eight percent had a label. So again we see it is not working. And for the hackers among us a little insert here to actually go through these websites I had to access a certain file on all these websites to see if it was there and immediately there were several abuse complaints from some banks in Hong Kong and things like that because I had the audacity to access this file. Fortunately my provider isn't very sensitive about these things. So you simply access an XML file which gives a 404 response but you get also a response an abuse response and that's what the filter calls as well. So if a child with a filter was to access this Hong Kong bank well if the provider would then contact the parents they would be quite surprised what was going on. So probably that bank would not be accessed by children but the whole thing can be done in reverse to how many people actually use a state verified youth protection program. So that's what you can try to do if you run a web server look for accesses to that XML file. I did that on my website and asked a few other people that run large websites. This is all in the area of vanishing these small numbers about 0.00 something percent. I had three zeros after the comma two with one page. So I can say hyzer online who gave me those numbers efficiently that was 15 accesses with about 650,000 visits per day. So if you calculate the percentage is even lower. If you want to see it as a percentage okay hyzer online is a specific case but there is 10 million in the line above. That is a very common website. I can't name it. It's a website that is used by completely normal families and the rate again 10 million visits 450 for that XML file and some others from the top 10 websites in Germany numbers very similar again. I'll try to get some numbers some official ones that I can quote from the operators. If you run a website yourself that is kind of large. Please tell me you don't have to name the website but you can. There is an article on my blog that tells you how to contact me and how to get those statistics. So why does no one use that? The programs are terrible. You can see that they are just an emergency plug for the porn industry. Because the porn industry even before 11 p.m. would like to show some semi-nude women and it's an alibi, a fig leaf which you could say is not that bad. It doesn't really concern us but we have the problem with self-labelling and self-labelling is a problem that goes further. I did just recently, I did show a moment ago that the law says that someone who runs a website at large scale or commercially is supposed to self-label, self-rate. The lawyers in this room will then know what should means in a legal sense. It means have to with exceptions. If you are not one of these exceptions you have to label those pages even if they are not a threat to minors. So the question then is if someone is going to enforce this and when but that's what is the state of things right now and we have to be alert. So that's the face my daughter's face if she would have to face a filter. Well I think she would just call me stupid but well I don't know. So what is the solution if as a lawmaker you see the filters are not being used? That's what they know as well. They are not stupid of course. If no one is using those filters and the websites are not labeled what do you need to do well you have to see that as many people as possible introduce self-labeling and make sure filters are spread further so the best way to do is the UK way enforce filters oblige people perhaps not the way that Germany tried with web-blocking but enforce filtering which default installation in routers or operating systems so everyone has them so the Interstate Commission for Youth Protection in the media that deals with implementing that Interstate Treaty has been calling for this for a long time the federal states are saying no for now but who knows how long this will stay the same if usage is as stays as slow as it is if does any one of you have children up to 12 years let's say and does any of you is anyone of you using a state verified filter program one okay right I will I will get your complaints later on I suppose and everyone's working fine right there was a response which I couldn't couldn't hear well uninstalled would be my suggestion but I heard another suggestion from a maker of such a fit program well you shouldn't choose the actual age of your child in the settings go one or two further above so if you set from 18 that means that all only those things on an index by a federal authority for certain media would be blocked so enforcing filters would be what things would be what how things would progress and if you look at the judgment on web blocking that is being called for by the copyrights lobby that has been rejected for now but the door has been opened and we will see how things go and it's not looking good so let's move to another area we're actually the same area now telecom the German telecom there are four officially approved filters by the Commission and three of those are essentially the same they're all made by the same company who gives them to a non-profit organization and they themselves have have two offerings like one of them hot hardware one of them software based and the telecom has its own product it's based on a software that belongs to IBM in the meantime some of you might have heard of it everyone's free to use it on Windows and it does great things like at each startup it does sense this request and we can see that each time the system starts each time the system starts the MAC address is sent that's the globally unique hardware address of your network card that means that an IBM server belongs to IBM and it each time you start your program it doesn't only get your private IP address but also your MAC address of the MAC address of your network card without asking the the program doesn't ask for permission it's not down in the terms of contract or the privacy policy or anywhere else is this is obviously against law and program should be taken off the market immediately because it's illegal in according to German law because it's sending personal data without asking to a server in another country but not only that without permission it also sends well the the other one this one is manually encrypted with the proprietary protocol and they send data to a telecom server over HTTP for almost all websites that you try to access not not entirely clear when you look at what actually being accessed but probably just about all of them it sends the current URL and because the data is encrypted with some block cipher in CBC mode no not in CBC mode so it repeats every 16 bytes like it does with a 128 bit key well it's some some encryption method that I have managed to crack yet and well you should be just need to get some debugging tools if there's somebody in the room who knows about Windows debugging then we can I'd love to have a look at what's actually being sent here but I managed to find out that it changes with each URL it gets longer the longer your URL is and if you have the same letters in a URL the block is going to repeat so it's very likely it's essentially sure that this code in coded block contains the URL that your child is accessing so the telecom gets in gets the entire surf protocol of your children without asking and without a possibility to change this for the other for the other options you can actually you can at least change them at setup in a competing program and I'm having second thought about this because it's not anybody's business really what my daughter is doing online if she had this kind of filter installed and if we had windows at home of course so you can see that these programs only exist for Windows but the new law is supposed to change all of this because the hurdles are being lowered but well the details that we don't really have time for I think the the central point is that it's easy to to bash these companies who make these filters I mean they only do it to to be able to show naked ladies online before 11 o'clock that's a reason behind these filters so the the actual the actual perpetrator is politics but the problem is that it's state politics in Germany so all 16 federal states of Germany have to sign a common contract and then it has to go through has to be ratified by the state parliaments and it's connected to the German public service child broadcaster and the likelihood that the state parliaments are going to say no it's pretty unlikely because all of them want to have the child broadcaster and well this state the state treaty yeah it's just something attached to to that so it's a massive problem on a political scale and I and some other people tried to get these programs to at least have a high privacy threshold but the states rejected that and now we can see why so the filter companies apparently did some lobbying and said no programs aren't going to work anymore so this is about politics and I'm certain that it has to be discussed on a federal level and not on a state level because 16 federal states on a global medium it doesn't work and if we were discussed on a federal scale would have more transparency would have more opportunities to change because on on a federal scale it's easier to change things when you don't have to consult 16 states and of course well it's not a problem for a large company like YouTube to label it stuff but who knows if they're not you know if they're not working on on algorithms to to label individual videos instead of labeling their entire website for 18 year olds but small bloggers can't do that and you can always say yeah it's not you know he doesn't have to worry because he doesn't have any any dangerous dangerous contents but that's not true because as soon as you target as you as soon as you have contents that are not appropriate for under 16 year olds you're in trouble and that can happen very quickly so this is down to lawmakers to actually start doing something we need discussion we need a debate we can't just say yeah no we're not we won't do anything but filters don't solve the problem another large topic is the convergence of media online and offline kind of melt together but they're doing it wrong I mean a book that you can buy in a shop or that as a publisher you can sell in a shop needs age labeling online even though it doesn't do in a physical shop if it were full over 16 year olds it has to have a labeling has have an age label if it's targeted at over 16 year olds but they this is silly I mean nobody can explain this to you there's nobody can explain to me what the higher what what the increased danger it would be here and why an e-book should have a label but not a printed one so things that have already been labelled and and opt-in labels they're okay labels that particularly label child friendly content which would give them higher priority so and the real risk should be looked at which is not that 10 year old goes through some weird website well one in 10,000 cases there might be but the child would get there somehow anyway people the pupils will show each other films at in the schoolyard so communications risks are the ones that really exist and and filters will never be able to address those media competency is the answer that area has to be supported and enlarged and parents that really really want to install a filter should be able to do that I'm not going to bash anyone if they if they do well whether they I'm going to disagree with them is another matter but those that want to can do it and they have a choice they're not just a few state verified or acknowledged ones there are a few others too so no one is keeping you from from installing those but the state should not enforce this that was a quick run through any any questions I have four minutes so three questions also okay now it's working I have a question from the other side I'm a teacher and I keep battling with these filter systems at school and the problem of course is making pornography accessible is a crime which is as a school and the provider that's a school provider have to install them so what options do you see for that well I'm not sure about having to do that people always say that you have to do that but there's no judgment on this there's no I remember a case at our schools and some people at a slide show had a porn pornographic image that's that's something that can happen when students want to want to have fun and these things could happen today as well I think it's important that schools ensure that the teacher can see all the monitors all the computer screens but I wouldn't install a filter in a school I don't think there's a legal basis for this and I think it's simply something that some people you know don't understand the the legal grounds for this I I understand that this happens but it's not the solution there is a question about about regulations for open source my daughter is able to install a YouTube unlock a plug-in that exists in the 10,000th version my father is able to to read user ratings but there are many parents that would be interested to rate themselves I don't think there's a chance yeah you could do that but I don't think there's a chance to create a rating system that completes the the the needs of those the reasonable people have would have I think it's more important that the parents tell their children and they they teach their children how to use the internet and that the computer is in a common area where where children can be supervised and yes we need filters for families who don't look after their children that's what everyone says I mean most people aren't going to say that out loud but there are people who live under under bad conditions but you're not going to get to get them to install filters you can only force them to do it but that's something that's quickly you know quickly undone so yes it could be done it's going to be difficult to get get these open source filters approved has the telecom said anything about the fact that they collect all these data this is not data they need IPs from a local network on max I haven't asked him yet I have to admit it's simply because I was working on these slides until five minutes before my talk yeah he has I helped him