from the let's-keep-it-quiet-by-making-it-even-more-public dept
A few weeks ago, an anonymous internet user was able to acquire and subsequently extract a website blacklist used by Germany's Federal Department of Media Harmful to Young Children (Bundesprüfstelle für jugendgefährdende Medien [BPjM]). This un-hashed list was posted to the user's Neocities blog, along with some analysis of the blacklist's contents and a rundown on the minimal protective efforts used for the list.
The actual blacklist is much more extensive than what's published here. In fact, as is noted in the post, a majority of the list is publicly viewable.
The censorship list ("index") is split into various sublists:
Sublist A: Works that are harmful to young people
Sublist B: Works whose distribution is prohibited under the Strafgesetzbuch (German Criminal Code) (in the opinion of the BPjM)
Sublist E: Entries prior to April 1, 2003
Sublist C: All indexed virtual works harmful to young people whose distribution is prohibited under Article 4 of the Jugendmedienschutz-Staatsvertrag
Sublist D: All indexed virtual works, which potentially have content whose distribution is prohibited under the Strafgesetzbuch.
The sublists A, B and E contain about 3000 movies, 400 games, 900 printed works and 400 audio recordings. These sublists are published quarterly in the magazine "BPjM-aktuell", which can be read in any major library in Germany.
Sublists C and D are what's been withheld from the public, even as these URLs are distributed once a month to software and hardware companies. As of the time of the posting, there were more than 3,000 URLs on the blacklist.
The leaker spotted some unusual things in the list of banned URLs. To begin with, it appears that there's very little effort being made to keep the blacklist current.
On only about 50-60% of the domains on the list the questionable content is still accessible: About 10% of the domains are not registered at all, another 10% are parked domains, and about 20% don't provide any content at all (either no DNS A record, no webserver on port 80 or a redirect to another domain).
Beyond that, the government body building the list seems to be suffering from technical ineptitude, resulting in supposedly blocked sites not being blocked at all.
The domain "homo.com" offers a wildcard domain which echoes anything that is entered as a subdomain on the website, e.g. visiting "Fritz.homo.com" results in a webpage "Haha, Fritz is gay!". On the BPjM list there is an entry irgend.ein.name.homo.com – the German "Irgend ein Name" stands for "any name". Contrary to the belief of the BPjM public servants this doesn't work as a wildcard – just this specific domain will be blocked…
several URLs with a wrong trailing slash:
A URL path with a trailing slash means that the part before the slash is a directory and not a file. The examples above are filenames. The entries on the list with the trailing slash are invalid and return a 404 file not found error. The correct URLs without the trailing slashes won't match the hash and are not blocked. Explanation here...
As is inevitable when entities pursue bulk website blocking, non-offending content is part of the collateral damage.
[T]he complete sell list of leading online music database Discogs. Probably at one point in time there was a listing of a music album which is forbidden in Germany – this was enough to block access to the "eBay of music" for years...
[A]ccording to archive.org the domain facegoo.com has not been a porn website for at least 3 years. Now it is the website of an iPhone App for fun picture manipulation. The startup has no chance to be listed in German search engine results at all...
This is on top of strange and very arbitrary blockages, like a listing for the videogame Dead Island at amazon.co.uk and a few offending YouTube accounts whose account pages are blocked, but not the offending videos themselves.
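The two matching mistakes quoted above, the literal irgend.ein.name entry and the trailing-slash entries, both come down to exact-match lookup of hashed URLs. The following is an added example, not code from the article or from the leaked analysis; the SHA-256 hash, the "host/path" canonical form, the suffix-and-prefix expansion and the .example names are all assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

def h(text):
    # Assumption: unsalted SHA-256 over "host/path"; the article does not say
    # which hash or canonical form the real list uses.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def split_url(url):
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"

def exact_blocked(url, hashed):
    """One hash per literal URL: the behaviour the quoted analysis describes."""
    host, path = split_url(url)
    return h(host + path) in hashed

def candidates(url):
    """Host suffixes x path prefixes, each also tried with a trailing slash."""
    host, path = split_url(url)
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    segs = [s for s in path.split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) for i in range(1, len(segs) + 1)]
    for hst in hosts:
        for p in paths:
            yield hst + p
            if not p.endswith("/"):
                yield hst + p + "/"

def expanded_blocked(url, hashed):
    """Lookup that tolerates a stray slash and honours parent-domain entries."""
    return any(h(c) in hashed for c in candidates(url))

# Constructed entries on reserved .example names, mirroring the two mistakes.
AS_PUBLISHED = {h("any.name.wild.example/"), h("files.example/doc/page.html/")}
CORRECTED = {h("wild.example/"), h("files.example/doc/page.html")}

if __name__ == "__main__":
    for url in ("fritz.wild.example/", "files.example/doc/page.html"):
        print(url, exact_blocked(url, AS_PUBLISHED),
              expanded_blocked(url, AS_PUBLISHED),
              expanded_blocked(url, CORRECTED))
```

Expansion cuts both ways: once parent entries are honoured, an entry for a site root covers every page beneath it, which is how a single listing can take a whole site out of reach.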
Beyond that, the list covers a wide variety of offensive-to-the-German-government (and in some cases, offensive to nearly everyone) content, including "normal porn, animal porn, child/teen porn, violence, suicide, nazi or anorexia." Notably, the Wikipedia page quoted in this post points out that BPjM is an anomaly in the "free" world.
Germany is the only western democracy with an organization like the BPjM... The rationales for earlier decisions to add works to the index are, in retrospect, incomprehensible reactions to moral panics.
With its secret list exposed, the German government has gone after Neocities in a belated attempt to keep its no-longer-secret list secret. Neocities has complied, but not without protest.
An anti-censorship activist, concerned citizen and security researcher has proved that the hashes are very easily reversible, and published the disclosure, including a plain-text list of the censored sites on a Neocities page. Now the German government is pressuring Neocities to take the site down, and are claiming we were breaking German (and possibly US) law by hosting a copy of the list of sites that they distribute.
The letter from KJM (Commission for the Protection of Minors in the Media) makes some rather odd statements.
Two lists (containing URLs) were published on one of your blogs, namely https://bpjmleak.neocities.org/. The list of URLs contains child sexual abuse material (CSAM), animal pornography, nazi propaganda, minors in poses involving unnatural sexual emphasis and content inciting hatred, just to name a few. All of the URLs are illegal under German law. Since CSAM is also illegal under US law, we are of the opinion that this site violates the laws applying to your service and also violates your terms of conditions.
More properly stated, the websites contain the offensive material, not the URLs themselves. And, as was pointed out by the person researching the list, much of what's in the list is out of date (i.e., the URL no longer contains the illegal content, domain is expired, etc.) or is ineptly targeted (typos, invalid URLs, etc.), which means the list isn't nearly as useful as the government believes.
And, if the statement about violating two countries' laws wasn't (theoretically) frightening enough, KJM goes on to claim that posting this content violates Neocities' own mission statement. (No. Really.)
The KJM sees that neocities values anonymity and states to be uncensored. But the KJM thinks that https://bpjmleak.neocities.org/ is not what your service is intentionally for as your website states: “But our goal is clear: to enable you to harness the creativity, beauty, and power of creating your own web site. To rebuild the web we lost to monotony, and make it fun again.”
The statement is truly wondrous in its inanity, approaching the level of non sequitur. At no point does the mission statement encourage the stripping of anonymity or encourage censorship. Neocities is a platform for website construction, something KJM believes is somehow contrary to sticking up for its users and their content. Leave it to a government agency to craft one of the emptiest paragraphs to ever grace an official takedown request.
The biggest issue is the list itself, the one the government wants to keep out of the hands of the public, as Neocities points out.
There is apparently no legal way to challenge the list. It is decided by fiat in secret by a German government agency, and there is little or zero recourse for those falsely condemned.
By keeping it secret -- ostensibly to prevent the public from accessing illegal content -- website owners are kept in the dark about the German government's censorious efforts. This sort of power is dangerous without accountability. The list is outdated and composed carelessly. Sites like Discogs are blocked off while true offenders remain uncensored because the "for the children" agency can't be bothered to ensure its slash marks are properly used or that the URL is free of typos.
Neocities has discussed this unofficially with the EFF but, as the post notes, the legal implications of this leaked list are still very murky. As a precaution the list has been removed. (It survives, for now, at the Internet Archive.) And, if given notification that the posting of the list does not violate US law, the BPjM blacklist will be reposted. Either way, Neocities states that it will not punish the end user in any way and that his/her access to the site will remain intact.
The ultimate stupidity of this debacle is the fact that the German government thinks it can undo what's been done. By acting in this fashion, it's only drawn more attention to the list it wants to remain a secret. Worse, it's drawn more attention to the blog post highlighting the many failures of the list itself. It's one thing to want to prevent access to clearly illegal material. It's quite another to slap together a list composed of dead sites, mistyped URLs and a variety of bizarre blockings based on "incomprehensible reactions to moral panics."