As per Relevance of the word recipient, we have this rfc below:
Network Working Group S.
Request for Comments: 2057 Harvard
Category: Informational November 1996
Source Directed Access Control on the
Status of this
This memo provides information for the Internet community. This
does not specify an Internet standard of any kind. Distribution
this memo is unlimited
1.
This memo was developed from a deposition that I submitted as part
a challenge to the Communications Decency Act of 1996, part of
Telecommunications Reform Act of 1996. The Telecommunications
Act is a U.S. federal law substantially changing the
structure in the United States in the telecommunications arena.
Communications Decency Act (CDA) part of this law has as its aim
desire to protect minors from some of the material carried
telecommunications networks. In particular the law requires that
sender of potentially offensive material take "effective action"
ensure that it is not presented to minors. A number of people
requested that I publish the deposition as an informational RFC
some of the information in it may be useful where descriptions of
way the Internet and its applications work could help clear
confusion in the technical feasibility of proposed content
regulations
2. Control and oversight over the
No organization or entity operates or controls the Internet.
Internet consists of tens of thousands of local networks
millions of computers, owned by governments, public institutions
non-profit organizations, and private companies around the world
These local networks are linked together by thousands of
service providers which interconnect at dozens of points
the world. None of these entities, however, controls the Internet
each entity only controls its own computers and computer networks
and the links allowed into those computers and computer networks
Although no organizations control the Internet, a limited number
organizations are responsible for the development of
and operational standards and protocols used on the Internet.
standards and protocols are what allow the millions of different (
sometimes incompatible) computers worldwide to communicate with
Bradner Informational [Page 1]
RFC 2057 Source Directed Access Control November 1996
other. These standards and protocols are not imposed on any
or computer network, but any computer or computer network must
at least some of the standards and protocols to be able
communicate with other computers over the Internet
The most significant of the organizations involved in defining
standards include the Internet Society (ISOC), the
Architecture Board (IAB), Internet Engineering Steering Group (IESG),
and the Internet Engineering Task Force (IETF). The
summary outlines the relationship of these four organizations
The Internet Society (ISOC) is a professional society that
concerned with the growth and evolution of the worldwide Internet
with the way in which the Internet is and can be used, and with
social, political, and technical issues which arise as a result.
ISOC Trustees are responsible for approving appointments to the
from among the nominees submitted by the IETF nominating
and ratifying the IETF Standards Process
The Internet Architecture Board (IAB) is a technical advisory
of the ISOC. It is chartered to provide oversight of
architecture of the Internet and its protocols, and to serve, in
context of the Internet standards process, as a body to which
decisions of the IESG may be appealed. The IAB is responsible
approving appointments to the IESG from among the nominees
by the IETF nominations committee and advising the IESG on
approval of Working Group charters
The Internet Engineering Steering Group (IESG) is responsible
technical management of IETF activities and the Internet
process. As a part of the ISOC, it administers the process
to the rules and procedures which have been ratified by the
Trustees. The IESG is directly responsible for the
associated with entry into and movement along the Internet "
track," including final approval of specifications as
Standards
The Internet Engineering Task Force (IETF) is a self-organized
of people who make technical and other contributions to
engineering and evolution of the Internet and its technologies.
is the principal body engaged in the development of new
standard specifications. The IETF is divided into eight
areas. They are: Applications, Internet, IP: Next Generation
Network Management, Operational Requirements, Routing, Security
Transport and User Services. Each area has one or two
directors. These area directors, along with the IETF/IESG Chair
form the IESG
Bradner Informational [Page 2]
RFC 2057 Source Directed Access Control November 1996
In addition to these organizations, there are a variety of
formal and informal groups that develop standards and
about specialized or emerging areas of the Internet. For example
the World Wide Web Consortium has developed agreements and
for the Web
None of these organizations controls, governs, runs, or pays for
Internet. None of these organizations controls the
content available on the Internet. None of these organizations
the power or authority to require content providers to alter, screen
or restrict access to content on the Internet other than content
they themselves create
Beyond the standards setting process, the only Internet
that are centralized are the allocation of numeric addresses
networks and the registration of "domain names." Three
around the world share responsibility for ensuring that each
and computer on the Internet has a unique 32-bit numeric "IP"
(such as 123.32.22.132), and for ensuring that all "domain names
(such as "harvard.edu") are unique. InterNIC allocates IP
for the Americas, and has counterparts in Europe and Asia.
allocates large blocks of IP addresses to major Internet providers
who in turn allocate smaller blocks to smaller Internet
(who in turn allocate even smaller blocks to other providers or
users). InterNIC does not, however, reliably receive information
who receives each numeric IP address, and thus cannot provide
central database of computer addresses. In addition, a
number of computers access the Internet indirectly through
translating devices such as application "firewalls". With
devices the IP address used by a computer on the "inside" of
firewall is translated to another IP address for transmission
the Internet. The IP address used over the Internet can
dynamically assigned from a pool of available IP addresses at
time that a communication is initiated. In this case the
addresses used inside the firewall is not required to be
unique and the IP addresses used over the Internet do not
identify a specific computer. Neither the InterNIC nor
counterparts in Europe and Asia control the substantive
available on the Internet, nor do they have the power or authority
require content providers to alter, screen, or restrict access
content on the Internet
Bradner Informational [Page 3]
RFC 2057 Source Directed Access Control November 1996
3. Characteristics of Internet
There are a wide variety of methods of communications over
Internet, including electronic mail, mail exploders such as listserv
USENET newsgroups, Internet Relay Chat, gopher, FTP, and the
Wide Web. With each of these forms of communication, the speaker
little or no way to control or verify who receives the communication
As detailed below, for each of these methods of communications, it
either impossible or very difficult for the speaker to
access to his or her communications "by requiring use of a
credit card, debit account, adult access code, or adult
identification number." Similarly, for each of these methods
communication, there are no feasible actions that I know of that
speaker can take that would be reasonably effective to "restrict
prevent access by minors" to the speaker's communications
With each of these methods of communications, it is
technologically impossible or practically infeasible for the
to ensure that the speech is not "available" to a minor. For most
these methods--mail exploders such as listserv, USENET newsgroups
Internet Relay Chat, gopher, FTP, and the World Wide Web--there
technological obstacles to a speaker knowing about or
access by minors to a communication. Yet even for the basic point
to-point communication of electronic mail, there are practical
informational obstacles to a speaker ensuring that minors do not
access to a communication that might be considered "indecent"
"patently offensive" in some communities
3.1 Point-to-Point
3.1.1 Electronic Mail
Of all of the primary methods of communication on the Internet,
is the highest likelihood that the sender of electronic mail
personally know the intended recipient (and know the
recipient's true e-mail address), and thus the sender (i.e.,
speaker or content provider) may be able to transmit
"indecent" or "patently offensive" content with relatively
concern that the speech might be "available" to minors
There is significantly greater risk for the e-mail speaker who
not know the intended recipient. As a hypothetical example, if
AIDS information organization receives from an unknown individual
request for information via electronic mail, the organization has
practical or effective way to verify the identity or age of the e
mail requester
Bradner Informational [Page 4]
RFC 2057 Source Directed Access Control November 1996
An electronic mail address provides no authoritative
about the addressee. Addresses are often chosen by the
themselves, and may or may not be based on the addressees'
names. For millions of people with e-mail addresses, no
information is available over the Internet. Where information
available (via, for example, inquiry tools such as "finger"), it
usually provided by the addressee, and thus may not be
(especially in a case of a minor seeking to obtain information
government has restricted to adults).
There exists no universal or even extensive "white pages" listing
e-mail addresses and corresponding names or telephone numbers.
the rapidly expanding and global nature of the Internet, any
as such a listing likely will be incomplete (and likely will
contain information about the age of the e-mail addressee). Nor
there any systematic, practical, and efficient method to obtain
identity of an e-mail address holder from the organization
institution operating the addressee's computer system
Moreover, it is relatively simple for someone to create an e-
"alias" to send and receive mail under a different name. Thus,
given e-mail address may not even be the true e-mail address of
recipient. On some systems, for example, an individual seeking
protect his or her anonymity could easily create a temporary e-
address for the sole purpose of requesting information from an
information resource. In addition, there exist "anonymous remailers
which replace the original e-mail address on messages with a
chosen new one. The remailer keeps a record of the
between the original and the replacement name so that return
will get forwarded to the right person. These remailers are
frequently for discussion or support groups on sensitive
controversial topics such as AIDS
Thus, there is no reasonably effective method by which one can
information from existing online information sources about an e-
address sufficient to ensure that a given address is used by an
and not a minor
Absent the ability to comply with the Communications Decency
based on information from existing online information sources, an e
mail speaker's only recourse is to interrogate the intended e-
recipient in an attempt to verify that the intended recipient is
adult. Such verification inherently and unavoidably imposes
burden of an entirely separate exchange of communications prior
sending the e-mail itself, and is likely to be unreliable if
recipient intends to deceive the speaker
Bradner Informational [Page 5]
RFC 2057 Source Directed Access Control November 1996
This separate preliminary communication is required because
electronic mail, there is a complete electronic and
"disconnect" between the sender and recipient. Electronic mail
be routed through numerous computers between the sender and
recipient, and the recipient may not "log in" to retrieve mail
days or even weeks after the sender sent the mail. Thus, at no
in time is there any direct or even indirect electronic
between sender and recipient that would allow the sender
interrogate the recipient prior to sending an e-mail. Thus
unavoidably, the Communications Decency Act requires that the
incur the administrative (and in some cases financial) cost of
entirely separate exchange of communications between sender
recipient prior to the sender having sufficient information to
that the recipient is an adult. Even if the sender were
establish that an e-mail addressee is not a minor, the sender
not be sure that the addressee was not sharing their computer
with someone else, as is frequently done, who is a minor
If an e-mail is part of a commercial transaction of sufficient
to justify the time and expense of obtaining payment via credit
from the e-mail addressee, an e-mail sender may be able to
the credit card or debit account options set out in
Communications Decency Act. At this time, however, one cannot
a credit or debit transaction over the Internet, and thus an e-
speaker would have to incur the expense of verifying the
via telephone or separate computer connection to the correct
entity. Because of current concerns about data security on
Internet, such an e-mail credit card transaction would likely
require that the intended e-mail recipient transmit the credit
information to the e-mail sender via telephone or the postal service
Similarly, utilizing the "adult access code" or "adult
identification number" options set out in the statute would at
time require the creation and maintenance of a database of
codes. While such a database would not be an
technological problem, it would require a significant amount of
clerical time to create and maintain the information. As with
credit or debit transactions, an adult code database would
likely require that information be transmitted by telephone or
mail
Moreover, such an adult access code would likely be very
at screening access by minors. For the adult access code concept
work at all, any such code would have to be transmitted over
Internet, and thus would be vulnerable to interception
disclosure. Any sort of "information based" code--that is, a
that consists of letters and numbers transmitted in a message--
be duplicated and circulated to other users on the Internet. It
Bradner Informational [Page 6]
RFC 2057 Source Directed Access Control November 1996
highly likely that valid adult access codes would themselves
widely distributed on the Internet, allowing industrious minors
obtain a valid code and thus obtain access the material sought to
protected
A somewhat more effective alternative to this type of "
based" access code would be to link such a code to the unique 32-
numeric "IP" addresses of networks and computers on the Internet
Under this approach, "adult" information would only be transmitted
the particular computer with the "approved" IP address. For tens
millions of Internet users, however, IP addresses for a given
session are dynamically assigned at the time of the access, and
users will almost certainly utilize different IP addresses
succeeding sessions. For example, users of the major online
such as America Online (AOL) are only allocated a temporary
address at the time they link to the service, and the AOL user
not retain that IP address in later sessions. Also, as
above, the use of "firewalls" can dynamically alter the apparent
address of computers accessing the Internet. Thus, any sort of
address-based screening system would exclude tens of millions
potential recipients, and thus would not be a viable
option
At bottom, short of incurring the time and expense of obtaining
charging the e-mail recipient's credit card, there are no
effective methods by which an e-mail sender can verify the
or age of an intended e-mail recipient even in a one-to-
communication to a degree of confidence sufficient to
compliance with the Communications Decency Act (and avoid the Act'
criminal sanction).
3.2 Point-to-Multipoint
The difficulties described above for point-to-point
are magnified many times over for point-to-multipoint communications
In addition, for almost all major types of point-to-
communications on the Internet, there is a technological
that makes it impossible or virtually impossible for the speaker
control who receives his or her speech. For these types
communications over the Internet, reasonably effective
with the Communications Decency Act is impossible
3.2.1 Mail
Essentially an extension of electronic mail allowing someone
communicate with many people by sending a single e-mail, "
exploders" are an important means by which the Internet user
exchange ideas and information on particular topics with
Bradner Informational [Page 7]
RFC 2057 Source Directed Access Control November 1996
interested in the topic. "Mail exploders" is a generic term
programs such as "listserv" and "Majordomo." These programs
receive electronic mail messages from individual users,
automatically retransmit the message to all other users who
asked to receive postings on the particular list. In addition
listserv and Majordomo, many e-mail retrieval programs contain
option to receive messages and automatically forward the messages
other recipients on a local mailing list
Mail exploder programs are relatively simple to establish.
leading programs such as listserv and Majordomo are available
free, and once set up can generally run unattended. There is
practical way to measure how many mailing lists have been
worldwide, but there are certainly tens of thousands of such
lists on a wide range of topics
With the leading mail exploder programs, users typically can add
remove their names from the mailing list automatically, with
direct human involvement. To subscribe to a mailing list, a
transmits an e-mail to the automated list program. For example,
subscribe to the "Cyber-Rights" mailing list (relating to
and other legal issues on the Internet) one sends e-mail addressed
"listserv@cpsr.org" and includes as the first line of the body of
message the words "subscribe cyber-rights name" (inserting a person'
name in the appropriate place). In this example, the
program operated on the cpsr.org computer would automatically add
new subscriber's e-mail address to the mailing list. The
inserted is under the control of the person subscribing, and thus
not be the actual name of the subscriber
A speaker can post to a mailing list by transmitting an e-
message to a particular address for the mailing list. For example
to post a message to the "Cyber-Rights" mailing list, one sends
message in an e-mail addressed to "cyber-rights@cpsr.org".
mailing lists are "moderated," and messages are forwarded to a
moderator who, in turn, forwards messages that moderator approves
to the whole list. Many mailing lists, however, are unmoderated
postings directed to the appropriate mail exploder programs
automatically distributed to all users on the mailing list.
of the time required to review proposed postings and the large
of people posting messages, most mailing lists are not moderated
Bradner Informational [Page 8]
RFC 2057 Source Directed Access Control November 1996
An individual speaker posting to a mail exploder mailing list
control who has subscribed to the particular list. In many cases
the poster cannot even find out the e-mail address of who
subscribed to the list. A speaker posting a message to a list
has no way to screen or control who receives the message. Even
the mailing list is "moderated," an individual posting to the
still cannot control who receives the posting
Moreover, the difficulty in knowing (and the impossibility
controlling) who will receive a posting to a mailing list
compounded by the fact that it is possible that mail exploder
can themselves be entered as a subscriber to a mailing list. Thus
one of the "subscribers" to a mailing list may in fact be
mail exploder program that re-explodes any messages transmitted
the first mailing list. Thus, a message sent to the first
list may end up being distributed to many entirely separate
lists as well
Based on the current operations and standards of the Internet,
would be impossible for someone posting to a listserv to
recipients to ensure the recipients were over 17 years of age.
of not speaking at all, I know of no actions available to a
today that would be reasonably effective at preventing minors
having access to messages posted to mail exploder programs
Requiring such screening for any messages that might be "indecent"
"patently offensive" to a minor would have the effect of banning
messages from this type of mailing list program
Even if one could obtain a listing of the e-mail addresses that
subscribed to a mailing list, one would then be faced with the
obstacles described above that face a point-to-point e-mail sender
Instead of obtaining a credit card or adult access code from a
intended recipient, however, a posted to a mailing list may have
obtain such codes from a thousand potential recipients, including
mailing list subscribers who may have only subscribed moments
the poster wants to post a message. As noted above, complying
the Communications Decency Act for a single e-mail would be
difficult. Complying with the Act for a single mailing list
with any reasonable level of effectiveness is impossible
3.2.2 USENET Newsgroups
One of the most popular forms of communication on the Internet is
USENET newsgroup. USENET newsgroups are similar in objective to
exploder mailing lists--to be able to communicate easily with
who share an interest in a particular topic--but messages
conveyed across the Internet in a very different manner
Bradner Informational [Page 9]
RFC 2057 Source Directed Access Control November 1996
USENET newsgroups are distributed message databases that
discussions and exchanges on particular topics. USENET
are disseminated using ad hoc, peer-to-peer connections
200,000 or more computers (called USENET "servers") around the world
There are newsgroups on more than twenty thousand different subjects
Collectively, almost 100,000 new messages (or "articles") are
to newsgroups each day. Some newsgroups are "moderated" but
are open access
For unmoderated newsgroups, when an individual user with access to
USENET server posts a message to a newsgroup, the message
automatically forwarded to adjacent USENET servers that
access to the newsgroup, and it is then propagated to the
adjacent to those servers, etc. The messages are temporarily
on each receiving server, where they are available for review
response by individual users. The messages are automatically
periodically purged from each system after a configurable amount
time to make room for new messages. Responses to messages--like
original messages--are automatically distributed to all
computers receiving the newsgroup. The dissemination of messages
USENET servers around the world is an automated process that does
require direct human intervention or review
An individual who posts a message to a newsgroup has no ability
monitor or control who reads the posted message. When an
posts a message, she transmits it to a particular newsgroup
on her local USENET server. The local service then
routes the message to other servers (or in some cases to
moderator), which in turn allow the users of those servers to
the message. The poster has no control over the handling of
message by the USENET servers worldwide that receive newsgroups
Each individual server is configured by its local manager
determine which newsgroups it will accept. There is no mechanism
permit distribution based on characteristics of the
messages within a newsgroup
The impossibility of the speaker controlling the message
is made even more clear by the fact that new computers and
networks can join the USENET news distribution system at any time
To obtain newsgroups, the operator of a new computer or
network need only reach agreement with a neighboring computer
already receives the newsgroups. Speakers around the world do
learn that the new computer had joined the distribution system
Thus, just as a speaker cannot know or control who receives
message, the speaker does not even know how many or which
might receive a given newsgroup
Bradner Informational [Page 10]
RFC 2057 Source Directed Access Control November 1996
For moderated newsgroups, all messages to the newsgroup are
to an individual who can screen them for relevance to the
under discussion. The screening process, however, does not
the ability of the original speaker to control who receives a
message. A newsgroup moderator has as little control as the
speaker over who receives a message posted to the newsgroup
Based on the current operations and standards of the Internet,
would be impossible for someone posting to a USENET newsgroup
screen recipients to ensure that the recipients were over 17 years
age. Short of not speaking at all, I know of no actions available
a speaker today that would be reasonably effective at
minors from having access to USENET newsgroup messages.
such screening for any messages that might be "indecent" or "
offensive" to a minor would have the effect of banning such
from USENET newsgroups
A speaker also has no means by which he or she could
listeners to provide a credit card, debit account, adult access code
or adult personal identification number. Each individual
server controls access to the newsgroups on that server, and
speaker has no ability to force a server operator to take
particular action. The message is out of the speaker's hands
the moment the message is posted
Moreover, even if one hypothesized a system under which a
server would withhold access to a message until the speaker
a credit card, debit account, adult access code, or adult
identification number from the listener, there would be no
way for the speaker to receive such a number. Because a listener
retrieve a message from a newsgroup days after the speaker posted
message, such a hypothetical system would require the speaker
to remain at his or her computer 24 hours a day for as many as
days after posting the message, or to finance, develop, and
an automated system to receive and validate access numbers. All
this effort would be required for the speaker to post even a
potentially "patently offensive" message to a single newsgroup
Moreover, even if such a hypothetical system did exist and a
were willing to remain available 24 hours a day (or operate a
automated system) in order to receive access numbers, not
computers that receive USENET newsgroups could reasonably
such access numbers. Some computers that receive newsgroups do
only by a once-a-day telephone connection to another
server. Some of these computers do not have any other type
Internet connection, and indeed some computers that receive
newsgroups do not even utilize the TCP/IP communications
that is required for direct or real time communications on
Bradner Informational [Page 11]
RFC 2057 Source Directed Access Control November 1996
Internet. These computers would have no means by which a
listener's access code could be communicated back to a speaker
It is my opinion that if this hypothetical access system ever
created, it would be so burdensome as to effectively ban from
newsgroups messages that might be "indecent" or "patently offensive."
Moreover, the communications standards and protocols that would
such a hypothetical access system have not as of today
developed, and no Internet standards setting body of which I am
is currently developing such standards and protocols. Specifically
such a hypothetical access system is not part of the "
generation" Internet Protocol that I helped to develop
3.2.3 Internet Relay Chat
Another method of communication on the Internet is called "
Relay Chat" (or IRC). IRC allows for real time communication
two or more Internet users. IRC is analogous to a telephone
line, using a computer and keyboard rather than a telephone.
IRC, however, at anyone time there are thousands of different
lines available, in which collectively tens of thousands of users
engaging in discussions, debates, and conversations on a huge
of subjects. Moreover, an individual can create a new party line
discuss a different topic at any time. While many discussions on
are little more than social conversations between the participants
there are often conversations on important issues and topics
Although I have not personally operated an IRC server in my career,
am familiar enough with the operations of IRC servers to be able
identify the obstacles that a speaker would encounter attempting
identify other participants and to verify that those
were not minors
There exists a network of dozens of IRC servers across the world.
speak through IRC, a speaker connects to one of these servers
selects the topic the speaker wishes to "join." Within a
topic (once a speaker joins a topic), all speakers on that topic
see and read everything that everyone else transmits. As a
matter, there is no way for each person who joins a discussion
interrogate all other participants (sometimes dozens of participants
as to their identity and age. Because people join or drop out
discussions on a rolling basis, the discussion line would
overwhelmed with messages attempting to verify the identity of
participants
Also as a practical matter, there is no way that an
speaker or an individual IRC server operator could enforce an "
only" rule for a selection of the discussion topics. Dozens of
servers are interconnected globally so that people across the
Bradner Informational [Page 12]
RFC 2057 Source Directed Access Control November 1996
can talk to each other. Thus, a speaker connected to an IRC
in the United States can speak directly to a listener in Asia
Europe. There is no practical way that a speaker in the
States can be reasonably certain that a given IRC discussion is
fact "adults only."
Nor can a speaker, prior to or at the time of joining an
discussion, ascertain with any confidence the identity of the
participants in the discussion. Individual participants in an
conversation are able to participate anonymously by using
pseudonym. A new speaking joining the conversation can see a list
pseudonyms of other participants, but has no possibly way
determining the real identify (or even the real e-mail address)
the individuals behind each pseudonym
Based on the current operations and standards of the Internet,
would be impossible for someone participating in a IRC discussion
screen recipients with a level of certainty needed to ensure
recipients were over 17 years of age. Short of not speaking at all
I know of no actions available to a speaker today that would
reasonably effective at preventing minors from having access
speech in an IRC discussion. Requiring such screening of
by the speakers for any IRC discussions that might be "indecent"
"patently offensive" to a minor would have the effect of banning
discussions
4.0 Information Retrival
With FTP (or File Transfer Protocol), gopher, and the World Wide Web
the Internet is a vast resource for information made available
users around the world. All three methods (FTP, gopher, and the Web
are specifically geared toward allowing thousands or millions
users worldwide to access content on the Internet, and none
specifically designed to limit access based on criteria such as
age of the Internet user. Currently much of this information
offered for free access
4.1 Anonymous
"Anonymous FTP" is a basic method by which a content provider
make content available to users on the Internet. FTP is a
that allows the efficient and error free transfer of files from
computer to another. To make content available via FTP, a
provider establishes an "Anonymous FTP server" capable of
FTP requests from remote users. This approach is called "anonymous
because when a remote user connects to an FTP server, the remote
enters the word "anonymous" in response to the server's request for
user name. By convention, the remote user is requested to enter
Bradner Informational [Page 13]
RFC 2057 Source Directed Access Control November 1996
or her e-mail address when prompted for a "password." The user
then given access to a restricted portion of the server disk and
the files in that area. Even though the user may have entered
e-mail address in response to the password prompt, there is
effective validation or screening is possible using the FTP
software that is currently available. Using currently available
software, a content provider has no way to screen access
"anonymous" users that may be minors. Even if a content
could determine the age of a particular remote user, the
available FTP software cannot be set to limit the user's access
non-"adult" file areas
FTP server software can allow non-"anonymous" users to access the
server, and in that mode can require the users to have
passwords that are verified against a pre-existing list of passwords
There are two major problems, however, that prevent this type
non-"anonymous" FTP access from being used to allow broad access
information over the Internet (as anonymous FTP can allow). First
with current server software each non-"anonymous" FTP user must
given an account on the server computer, creating a
administrative burden and resource drain. If more than a
number of users want access to the FTP system, the requirement
separate accounts would quickly overwhelm the capacity of the
to manage the accounts--the FTP server software was not designed
manage thousands or millions of different user/password combinations
Second, under existing FTP server software, each of these named
would have complete access to the server file system, not
restricted area like the anonymous FTP function supports. This
create a significant security problem. For these two reasons, as
practical matter FTP cannot be used to give broad access to
except via the anonymous FTP option (which, as noted above, does
allow for screening or blocking of minors).
As discussed below with regard to the World Wide Web, even if
re-designed the currently available FTP server software to allow
screening of minors, the administrative burden of such
would in many cases overwhelm the resources of the content provider
Bradner Informational [Page 14]
RFC 2057 Source Directed Access Control November 1996
Based on the current operations and standards of the Internet, it
not possible or practically feasible for someone operating
anonymous FTP file server to screen recipients with a level
certainty needed to ensure the recipients were over 17 years of age
Short of not operating an anonymous FTP server at all, I know of
actions available to a content provider today that would
reasonably effective at preventing minors from having access
"adult" files on the FTP server. Requiring such screening
anonymous FTP server operators to prevent minors from accessing
files that might be "indecent" or "patently offensive" to a
would have the effect of banning such anonymous FTP access
4.2 Gopher
The gopher program is similar to FTP in that it allows for
transfer of files from one computer to another, but it is also
precursor to the World Wide Web in that it allows a user
seamlessly jump from one gopher file server to another in order
locate the desired information. The development of gopher and
linking of gopher servers around the worlds dramatically improved
ability of Internet users to locate information across the Internet
Although in many ways an improvement over FTP, gopher is simpler
FTP in that users need not enter any username or password to
access to files stored on the gopher server. Under
available gopher server software, a content provider has no built-
ability to screen users. Thus a content provider could not
minors from retrieving "adult" files
As discussed below with regard to the World Wide Web, even if
gopher server software allowed the screening of minors,
administrative burden of such screening would in many cases
the resources of the content provider
Based on the current operations and standards of the Internet, it
not possible for someone operating a gopher file server to
recipients with a level of certainty needed to ensure the
were over 17 years of age. Short of not operating a gopher server
all, I know of no actions available to a content provider today
would be reasonably effective at preventing minors from having
to "adult" files on a gopher server. Requiring such screening
users by gopher server operators to prevent minors from
files that might be "indecent" or "patently offensive" to a
would have the effect of banning gopher servers wherever there is
such material
Bradner Informational [Page 15]
RFC 2057 Source Directed Access Control November 1996
4.3 World Wide Web (WWW).
Fast becoming the most well known method of communicating on
Internet, the "World Wide Web" offers users the easy ability
locate and view a vast array of content on the Internet. The
uses a "hypertext" formatting language called hypertext
language (HTML), and Web "browsers" can display HTML
containing text, images, and sound. Any HTML document can
links to other types of information or resources anywhere in
world, so that while viewing an HTML document that, for example
describes resources available on the Internet, an individual
"click" using a computer mouse on the description of the resource
be immediately connected to the resource itself. Such "hyperlinks
allow information to be accessed and organized in very flexible ways
and allow individuals to locate and efficiently view
information even if the information is stored on numerous
all around the world
Unlike with USENET newsgroups, mail exploders, FTP, and gopher,
operator of a World Wide Web server does have some ability
interrogate a user of a Web site on the server, and thus has
ability to screen out users. An HTML document can include a fill-in
the-blank "form" to request information from a visitor to a Web site
and this information can be transmitted back to the Web server.
information received can then be processed by a computer
(usually a "Common Gateway Interface," or "CGI," script), and
on the results of that computer program the Web server could grant
deny access to a particular Web page. Thus, it is possible for
(but not all, as discussed below) World Wide Web sites to be
to "screen" visitors to ensure that they are adults
The primary barrier to such screening is the administrative burden
creating and maintaining the screening system. For an individual
site to create a software system capable of screening thousands
visitors a day, determining (to the extent possible) whether
visitor is an adult or a minor, and maintaining a database to
subsequent access to the Web site would require a significant on
going effort. Moreover, as discussed above with regard to
mail, the task of actually establishing a Web visitor's identity
"verifying" a credit card would require a significant investment
administrative and clerical time. As there is no effective method
establish identity over the Internet, nor is there currently a
to verify credit card numbers over the Internet (and given
current cost of credit card verifications done by other means),
type of identification process is only practical for a
entity that is charging for access to the Web information
Bradner Informational [Page 16]
RFC 2057 Source Directed Access Control November 1996
Beyond the major administrative burden that would be required for
Web site host to comply with the Communications Decency Act,
are two additional problems presented by the Act. First, many
publishers cannot utilize computer programs such as CGI scripts
process input from a Web visitor. For example, I have been
that the major online services such as America Online and
do not allow their customers to run CGI scripts or other
that could be a significant drain on the online services'
as well as a potential security risk. Thus, for this category of
publisher, the Communications Decency Act works as a ban on
arguably "indecent" or "patently offensive" speech. It is
for this category of Web publisher to control access to their
sites
Moreover, even for Web publishers who can use CGI scripts to
access, the existence of Web page caching on the Internet can
such screening ineffective. "Caching" refers to a method to speed
access to Internet resources. Caching is often used at one or
ends of, for example, a transatlantic or transpacific cable
carries Internet communications. An example of caching might
when a Internet user in Europe requests access to a World Wide
page located in the United States. The request travels
transatlantic cable to the United States, and the Web page
transmitted back across the ocean to Europe (and ultimately to
user who requested access). But, the operator of the
cable will place the Web page in a storage "cache" located on
European side of the cable. Then, if a second Internet user
Europe requests the same Web page, the operator of the
cable will intercept the request and provide the page from
"cache" (thereby reducing traffic on the transatlantic cable).
type of caching typically occurs without the awareness of
requesting user. Moreover, in this scenario, the original
provider is not even aware that the second user requested the
page--and the original content provider has no opportunity to
the access by the second user. Nevertheless, the original
provider risks prosecution if the content is "adult" content and
second requester is a minor. The use of caching web servers
rapidly increasing within the United States (mostly to help
the all too rapid growth in Internet traffic), and thus can
entirely domestic communications. For example, a growing number
universities use caching web servers to reduce the usage of the
to their Internet service provider. In light of this type
caching, efforts to screen access to Web pages can only at best
partially effective
Bradner Informational [Page 17]
RFC 2057 Source Directed Access Control November 1996
In light of the existence of Web page caching on the Internet,
would be extremely difficult if not impossible to for
operating a World Wide Web server to ensure that no minors
"adult" content
Moreover, for those Web page publishers who lack access to
scripts, there is no possible way for them to screen recipients
ensure that all recipients are over 17 years of age. For
content providers, short of not supporting World Wide Web access
their materials, I know of no actions available to them that would
reasonably effective at preventing minors from having access
"adult" files on a World Wide Web server. Requiring such
by these Web publishers to prevent minors from accessing files
might be "indecent" or "patently offensive" to a minor would have
effect of banning their speech on the World Wide Web
The Web page caching described above contributes to the difficulty
determining with specificity the number of visitors to a
Web site. Some Web servers can count how many different Web clients
some of which could be caching Web servers, requested access to a
site. Some Web servers can also count how many "hits"--or
file accesses--were made on a particular Web site (a single access
a Web page that contains a images or graphic icons would likely
registered as more than one "hit"). With caching, the actual
of users that retrieved information that originated on a
Web server is likely to be greater than the number of "hits"
for the server
5.0 Client-end
As detailed above, for many important methods of communication on
Internet, the senders--the content providers--have no ability
ensure that their messages are only available to adults. It is
not possible for a Internet service provider or large
provider of access to the Internet (such as a university) to
out all or even most content that could be deemed "indecent"
"patently offensive" (to the extent those terms can be understood
all). A large institution could at least theoretically screen
portion of the communications over the Internet, scanning for
for "indecent" words, but not pictures. Such a screening
capable of screening a high volume of Internet traffic at the
of its entry into the institution would require an investment
computing resources of as much as one million dollars per
Internet information conduit. In addition it would be quit
to configure such a system to only control the content for
users that are under-age recipients, since in many cases
information would be going to a server within the university
many users, under-age and not, would have access to it
Bradner Informational [Page 18]
RFC 2057 Source Directed Access Control November 1996
Based on my experience and knowledge of the Internet, I believe
the most effective way to monitor, screen, or control the full
of information transmitted over the Internet to block
content is at the client end--that is, by using software installed
the individual user's computer. Such software could block
forms of incoming transmissions by using content descriptive tags
the messages, or could use content ratings developed by third
to select what can and cannot be retrieved for display on a user'
computer
6.0 Tagging
I am informed that the government in this action may advocate the
of special tags or flags in electronic mail messages,
newsgroup postings, and World Wide Web HTML documents to
"adult" material. To my knowledge, no Internet access software
World Wide Web browsers are currently configurable to block
with such tags. Thus, the headers and flags the government
advocate is currently an ineffective means to ensure the blocking
access by minors to "adult" material. Even in a predictable
where there are defined standards for such tags and there
readably available browsers that are configurable to make use
those tags, a content provider--e.g., a listserv or Newsgroup
or a Web page author--will have little power to ensure that
client software used to receive the postings was in all
properly configured to recognize these tags and to block access
the posting when required. Thus I feel that the tagging that may
proposed by the government would in fact not be "effective"
ensuring that the poster's speech would not be "available to a
under 18 years of age," as the Communications Decency Act requires
Although I strongly support both voluntary self-rating and third
party rating (as described in the preceding paragraph), I do not
that the use of tags of this type would satisfy the speaker'
obligation to take effective actions to ensure that "
offensive" material would not be "available" to minors. Furthermore
since it is impossible to embed such flags or headers in many of
documents currently made available by anonymous FTP, gopher and
World Wide Web without rendering the files useless (
programs for example), any government proposal to require the use
tags to indicate "adult" material would not allow the continued
of those methods of communication for speech that might be
"indecent" or "patently offensive."
With the exception of electronic mail and e-mail exploders all of
methods of Internet communications discussed above require
affirmative action by the listener before the communication
place. A listener must take specific action to
communications from USENET newsgroups, Internet Relay Chat, gopher
Bradner Informational [Page 19]
RFC 2057 Source Directed Access Control November 1996
FTP, and the World Wide Web. In general this is also true for e-
exploders except in the case where a third party subscribes the
to the exploder list. These communications over the Internet do
"invade" a person's home or appear on a person's computer
unbidden. Instead, a person must almost always take
affirmative steps to receive information over the Internet
7.0
I owe a great deal of thanks to John Morris of Jenner and Block,
of the law firms involved in the CDA challenge. Without
extensive help this document would not exist, or if it did, it
be even more scattered
8.0 Security
To be actually able to do the type of content access control that
CDA envisions would require a secure Internet infrastructure
with secure ways to determine the minor status of
reciepiants around the world. Developing such a system is outside
the scope of this document
9.0 Author's
Scott
Harvard
1350 Mass Ave
Cambridge MA 02138
Phone: +1 617 495 3864
EMail: sob@harvard.
Bradner Informational [Page 20]
if you see any problems within the linking, don't worry be happy,
this is version 0.1 of the Relevance System and you gotta expect some crappy subroutines sometimes,
just be content we did not write this in Java, which would have made this "bigger and better" HAHAHHA.
RFC documents can be found at I.E.T.F.
Relevance System Copyright © 2002 Spectrum WorldResearch
other technical nosh by ServerMasters Corporation
collaboration of BobX
