Akamai caught in Net filtering cross fire

Akamai fends off criticism from both sides of the content filtering debate, vowing to seal a back door that lets people use its servers to get around filtering software.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
3 min read
Networking firm Akamai has been dragged into the censorware debate, thanks to a hole affecting Web site blocking software that exploits the company's data delivery system.

Many consumers and businesses use filters to prevent children and employees from accessing certain sites, such as those with sexual content. But under the workaround, such sites are accessible by tacking the location onto the end of another address.

For example, someone surfing the Web with filtering software installed could access "sex.com" by typing: http://a1.g.akamaitech.net/6/6/6/6/sex.com/.

Akamai, which uses a network of computers to store Internet content closer to consumers to speed delivery, acknowledged today that the technique is effective. But the company said the responsibility for fixing the problem lies with filtering software companies and not Akamai.

"We don't commit to filtering," said George Kurian, Akamai's vice president of product management. "The filtering companies need to fix it."

Technology glitches have been an ongoing setback for Web filtering companies that promise to make the freewheeling Internet safe for children by blocking access to content they deem inappropriate. Censorware has touched off a fiery policy debate over mandatory pornography filters for library and other public computers available to children and has drawn sharp criticism for blocking both more and less than it advertises.

The Akamai back door is only the latest example of content filtering workarounds. One recent example afflicted America Online, allowing teenagers to bypass parental filters by adding a "." at the end of a blocked URL.

But the Akamai bug could raise new and potentially far-reaching questions about the filtering responsibilities of Internet infrastructure companies. Censorware technologies are mostly voluntary, but they may soon become mandatory in some cases.

In the latest effort to legislate Web filters, the Senate in June was asked to consider a bill that would require schools and libraries that benefit from federal subsidies to install some form of blocking or filtering technology to restrict children's access to pornography and other obscene material.

Kurian said he would not speculate about how far Congress might eventually go in pushing network infrastructure companies to create filter-friendly services. He said there are many ways this might be accomplished, such as installing filter features in the Web browser or at the level of Internet service providers.

But he said Akamai is not in the filtering business and does not want to be in that business.

Filtering company N2H2, which sells the "Bess" filtering software, said it had urged Akamai to plug the filtering hole identified with its network, with little result.

"We have talked to Akamai about this and have not gotten a response," said Kevin Fink, chief technology officer at N2H2. "We discovered this quite some time ago, but I don't think they did anything about it."

Akamai said it publishes guidelines to help filtering companies create effective tools for its service.

Fink said N2H2 had devised its own fix to the problem. That patch would detect Web addresses included in Akamai URLs and filter based on those nested addresses. It will ship with the next version of Bess.

Meanwhile, anti-content filtering see story: Raising the ire of filtering
firmsactivist Bennett Haselton, who described the filter-evasion method on his Peacefire.org site, said it provided access to sites blacklisted by filters including Bess and JSB Software Technologies' SurfWatch.

"The way Akamai software works, their software doesn't do any checking about what page you're trying to load," Haselton said. "I think it's surprising that this didn't come up before now, because it was always there and not that hard to figure out how to do."

Haselton said the method sometimes requires additional tricks. Because some filtering software checks the text of a Web address for forbidden sites and content, the back door sometimes requires the use of numerical instead of alphanumeric Web addresses. For example, instead of entering "playboy.com," an obvious red flag for filtering software, one would enter the numerical address ""

Fink said N2H2's patch would filter nested numerical URLs as well.

Other filtering companies vowed to ensure their services screen for Akamai URLs.

"Although it is a challenge to keep up with hackers who attempt to undermine filtering software, the result in the long run is a better product," SurfControl vice president Kelly Haggerty said in a statement. "We will investigate this and other hacking claims as they arise."