BESS's Secret LOOPHOLE (censorware vs. privacy & anonymity)

An anticensorware investigation by Seth Finkelstein

(original version August 2001, revised and updated, November 2002)

Abstract: This report examines a secret category in N2H2's censorware , a product often sold under the name BESS, The Internet Retriever . This category turns out to be for sites which must be uniformly prohibited, because they constitute a LOOPHOLE in the necessary control of censorware. The category contains sites which provide services of anonymity, privacy, language translation, humorous text transformations, even web page feature testing, and more.


N2H2 is an Internet infrastructure company that delivers industry-leading content management, categorization and value-added services that empower choice - promoting safety, productivity, privacy and a positive Web experience while promoting bandwidth efficiency.

-- "N2H2 Solutions" page, August 14 2001 (emphasis in original)

N2H2 is a maker of censorware, i.e. software which is designed and optimized for use by an authority to prevent another person from sending or receiving information. Their product (sometimes called BESS) is server-based. That is, the blacklist is kept on a remote machine, and all requests to read anything on the web have to first go through that machine (or similar) for approval. The server is a kind of choke-point, or censor in the military sense of the term (checking communications for forbidden content, then approving or denying based on commands from on high).

While many people think that censorware blacklists only deal with SEX, that's never been the case. They're like potato chips. There's a package of a few dozen, and almost nobody takes just one. For example, N2H2's category list defines many categories. There's the usual suspects, Sex and Drugs and Rock-And-Roll, err, Recreation / Entertainment, and so on. But this blacklist laundry-list is promoted, per above, as choice.

BESS's LOOPHOLE secret, or Censorware Is About Control

Wife: ... What does he want?

Number 2: What some of us want ultimately: to escape.

-- The Prisoner

The most interesting category of BESS turns out to be one which isn't mentioned in the documentation or PR. In particular, N2H2 has a category called LOOPHOLE which is, to put it politely, undocumented. This is nowhere to be seen in their public discussion of what can be banned. However, its existence can be discovered by looking at the category list inside binaries associated with N2H2's server. There is also a corresponding code LH which appears in log files of a N2H2 server.

The LOOPHOLE category can be verified by using N2H2's single-site blacklist checking form . Just test it with an anonymizer or privacy site, e.g. , using their web form, or an equivalent URL such as The result should come back as, for example:

The Site:
is categorized by N2H2 as:
Loop Hole Sites

But one will have a hard time discovering the meaning of this mysterious description from N2H2.

So what's in a LOOPHOLE? This turns out to be N2H2's way of handling a standard problem of censorware. For censorware to perform its intended task (the control of information) there must never be any escape from that control. Thus it must ban any site which has the effect of allowing a person to receive information outside of the tracking of the censorware program. So sites which provide privacy, anonymity, and even language translation, must be banned. This is an absolutely necessary feature of censorware which deserves more emphasis in the discussion (previously this has been discussed in earlier reports such as SmartFilter's Greatest Evils - censorware & privacy/anonymity ).

It should be stressed again that these bans are considered a feature, a necessary and integral part of the functioning of censorware. The LOOPHOLE category cannot be de-activated. Once more, you cannot choose not to use it. Indeed, from the point of view of the imperatives of control, what authority would allow a subject such an escape?

This is critical because too much of the discussion about censorware takes place in terms of the misnomer "filtering". That conjures up an image of removing evil, yucky, even toxic material, while leaving a purified result. The constant chant of "porn, pornography, harmful to minors, obscenity, child porn, pr0n, porno, PORN ..." often keeps issues framed in these terms. People sometimes gets the idea that censorware is intended to remove evil sites. No. It is designed to control what people are permitted to read. That is a very different problem. It implies that even if there was a perfect blacklist for sex or other prohibited material, censorware would still need to ban anonymity, privacy, language translation sites and more. Because all these sites, no matter how functional and useful they may be, have the capability to allow a reader to view any other site.

BESS followed the pattern above exactly, blacklisting as a LOOPHOLE sites such as (just for example, not exhaustive):

Anonymity and Privacy

Sites which offer privacy and anonymity are intrinsic enemies of censorware. Their very existence is dedicated to providing the ability to read material without leaving records or allowing observation by a third party who wishes to forbid it. There is no differentiation possible as to whether that third party is invoking the authority of a parent, an employer, or a government. These are social distinctions. The technical problem concerns escaping the control of authority (or not).

Any of these sites would render censorware useless. So they must all be banned.

After this report was first published, N2H2 in fact revamped their web site (around August 16 2001), adding a page which discusses the implications of SafeWeb . They now state outright that
"N2H2 tags http:// and as 'LOOPHOLE' sites."
and explicitly note how
"The entire connection is encrypted making it nearly impossible to monitor." (and so must be forbidden).

There's a nice page of resources at (or ), a list which N2H2 of course bans as a LOOPHOLE

But many people consider anonymity/privacy somehow disreputable anyway. However, the following sites are less subject to such marginalization.

Language Translation Sites

Think about it. A language translation site reads in a web page, and returns a transformed copy of that web page. Any web page. Generally, you can ask to translate anything. And translating English documents from Chinese to English tends to work very well. That's too dangerous to be permitted. So, for example, BESS blacklists

Also prohibited are Google's translation script and Babelfish's translation script .

HTML language-checking sites

The same principle applies, with a vengeance, to sites which let someone check that a web page is compatible with various web standards, and to view the page as it would appear with or without certain web features. The key aspect is to realize that this is allowing someone to escape, to read a page which might be forbidden. In its twisted way, N2H2 is correct. BESS must ban something as innocuous as these pages. Because they count as security holes against control.

Online image-editing site

If HTML page-checking must be banned, imagine how much more threatening is . That's a site which provides for "... your own free everything online image editor! Upload or call images from anywhere on the web and edit them freely with the dozens of tools ...". Note the phrase from anywhere on the web. That makes it a LOOPHOLE

Making Sure

... Obie said he was going to put us in the cell. Said, "Kid, I'm going to put you in the cell, I want your wallet and your belt." And I said, "Obie, I can understand you wanting my wallet so I don't have any money to spend in the cell, but what do you want my belt for?" And he said, "Kid, we don't want any hangings." I said, "Obie, did you think I was going to hang myself for littering?" Obie said he was making sure, and friends Obie was, cause he took out the toilet seat so I couldn't hit myself over the head and drown, and he took out the toilet paper so I couldn't bend the bars roll out the - roll the toilet paper out the window, slide down the roll and have an escape. Obie was making sure, ...

--- part of the song Alice's Restaurant , by Arlo Guthrie

But hanging yourself with a belt is possible, that's why the belt has to be contraband. And even the toilet paper, so the prisoner can't also commit suicide using it. Someone who is absolutely "making sure" has to take it away. It's actually possible for a prisoner to commit suicide with toilet paper. That's happened. Not by sliding down the roll, but by a man having "stuffed wet toilet paper up his nose and down his throat." Let us not discuss the toilet seat.

Some of the things BESS calls a LOOPHOLE have exactly that flavor. N2H2's Obie is making sure. And silly as it sounds, from the point of view of trying to leave the prisoner no conceivable way to harm themselves (that is, harm themselves by reading forbidden sites), they have to blacklist the equivalent of toilet paper.

Perhaps the best example is The Dialectizer (note - requires accepting cookies for some reason). This is a site which displays pages in Pig Latin, or Elmer Fudd style, or other dialects. In effect, it's a language translation site, though a humorous one. But, as a kind of language translation site, it lets a person read other material. So it has to be banned.


Amusingly, I noticed that one banned directory , from the old Censorware Project website, had not existed for many months, because of what happened to . But Obie, err, BESS, was making sure.

A Legal Argument!

The Supreme Court has consistently held that anonymous and pseudonymous speech is protected by the First Amendment.

-- Nameless in Cyberspace: Anonymity on the Internet , by Jonathan Wallace

Once more, it is a common misconception that censorware is to "filter" rather than control. But none of the sites listed above is in the least sexual. They are not "harmful to minors", "obscene", or anything to do with "child pornography". Their sole and only reason for being blacklisted by N2H2 is that they could potentially be used to escape from the blinder-box imposed by the BESS censorware.

There is no way censorware makers can claim this is an error, to be fixed in the next release. It cannot be blamed on an errant employee, someone to be fired or conveniently no longer employed there. It is an intrinsic necessity flowing from the needs of enforcing the ban on forbidden material.

In the context where the authority which controls the subject is a parent or an employer, this is of course a legal right of absolute control. But although I am not a lawyer, I suggest that in the case of US government-mandated censorware laws (e.g. "CIPA" ), it would not be Constitutional in the United States to mandate the blacklisting of sites providing anonymity and privacy and language translation and more.

More concretely, it is one thing for the US government to argue that obscenity or child pornography is not protected by the First Amendment, and so can be banned or similar. That argument may not work en masse because of, perhaps, "prior restraint" grounds. (i.e., roughly, material is presumed innocent until judged guilty). But the legal logic is understandable. However, it is vastly more expansive to argue, for example, that a citizen in a public library must be prohibited from using a language translation site, because of the potential for that site to be used as an escape-route from the blacklist of banned sites. That is taking prior restraint issues to a level which is orders of magnitude more extreme.

This evidence and architectural argument, has found favor with expert-witness testimony, and ultimately a three-judge panel which has struck down the "CIPA" law. To wit:

Expert witness report citation

From the Edelman Expert Report for Multnomah County Public Library et al., vs. United States of America :

Expert Report of Benjamin Edelman (October 15 2001)

"In addition, a variety of services on the Internet provide proxy servers, translation servers, and other methods by which a user might retrieve Internet content via a third party rather than directly from the content provider. The use of such devices may stem from an interest in privacy, since proxy servers can prevent web server operators from gathering a variety of facts about a web user. Proxy servers may also provide other helpful services, such as translation of web content into other languages, addition of links to sources of related content elsewhere on the web, removal of unwanted or potentially- hazardous software code otherwise present in some web pages, or removal of advertisements. However, such servers also provide a possible means of circumventing the restrictions of popular blocking programs. Thus, it has been documented that blocking programs seek to prevent access to these proxy servers even when such blocking is not requested by the administrator of a blocking program and even when such sites are not within the specific descriptions of categories requested for blocking. 27 My testing found multiple examples of blocking of these sites, including translation service and privacy service"

27 "BESS's Secret LOOPHOLE." <>

Expert Rebuttal Report of Benjamin Edelman (November 30, 2001)

"Similarly at least one of the programs tested blocked each of privacy service, the web-based translation service, and online dictionary These sites (and the other web-based services referenced in Appendices A and B to my first report) all offer a large amount of valuable content, and research of others indicates that many other similar web-based services are also restricted by blocking software. 10"

10 "BESS's Secret LOOPHOLE." <>

Court Ruling

Direct from the CIPA decision:

"Another technique that filtering companies use in order to deal with a structural feature of the Internet is blocking the root level URLs of so-called "loophole" Web sites. These are Web sites that provide access to a particular Web page, but display in the user's browser a URL that is different from the URL with which the particular page is usually associated. Because of this feature, they provide a "loophole" that can be used to get around filtering software, i.e., they display a URL that is different from the one that appears on the filtering company's control list. "Loophole" Web sites include caches of Web pages that have been removed from their original location, "anonymizer" sites, and translation sites.
Some sites on the Web serve as a proxy or intermediary between a user and another Web page. When using a proxy server, a user does not access the page from its original URL, but rather from the URL of the proxy server. One type of proxy service is an "anonymizer." Users may access Web sites indirectly via an anonymizer when they do not want the Web site they are visiting to be able to determine the IP address from which they are accessing the site, or to leave "cookies" on their browser.(8) Some proxy servers can be used to attempt to translate Web page content from one language to another. Rather than directly accessing the original Web page in its original language, users can instead indirectly access the page via a proxy server offering translation features.

As noted above, filtering companies often block loophole sites, such as caches, anonymizers, and translation sites. The practice of blocking loophole sites necessarily results in a significant amount of overblocking, because the vast majority of the pages that are cached, for example, do not contain content that would match a filtering company's category definitions. Filters that do not block these loophole sites, however, may enable users to access any URL on the Web via the loophole site, thus resulting in substantial underblocking."


We are paid for our suspicions by finding what we suspected.

--- Thoreau

Censorware is not about "filtering". BESS's secret LOOPHOLE underlines that censorware is about control, and applying whatever technical means are necessary to enforce that control. This should be more widely understood as part of the intrinsic nature of censorware.

Note: Oh, the irony. Over the last year, there have been several articles about circumvention systems receiving funding from US government agencies, to aid escapes from The Great Firewall Of China. For example:

See also: The Pre-Slipped Slope - censorware vs the Wayback Machine web archive

Mail comments to: Seth Finkelstein <>

For future information:   subscribe    to   Seth Finkelstein's Infothought list    or read the    Infothought blog

(if you subscribed a few months ago, please resubscribe due to a crash)

See more of Seth Finkelstein 's Censorware Investigations