Blue Coat Products Enable Web Censorship in Syria

It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third parties who are willing to act as middlemen:

"Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries," [Blue Coat spokesman Steve] Schick told the Bureau. "In addition, we do not allow any of our resellers, regardless of their location in the world, to sell to an embargoed country, such as Syria."

However, Schick did not rule out the possibility that the equipment could have been bought via a third party re-seller, noting that Blue Coat equipment can be found on websites like eBay.

Bet you anything that the Syrian Blue Coat products are registered, and that they receive all the normal code and filter updates.

EDITED TO ADD (11/14): The Wall Street Journal confirms it:

The appliances do have Blue Coat service and support contracts. The company says it has now cut off contracts for the devices.

Posted on October 24, 2011 at 1:39 PM • 26 Comments

Comments

tim • October 24, 2011 2:00 PM

There are dozens of web content filtering products out there so I'm not sure what the point of the article is. That it's made by a US company? Would the article's tone be different if it was made by a German company? Or the fact that a web content filtering product is used at all? I would be shocked if one wasn't used. And one doesn't need all the "normal code and filter updates" to actually use the systems. My guess is that many of these types of "customers" maintain a comprehensive list of sites they want to block on their own.

Brian Raaen • October 24, 2011 2:10 PM

I really doubt that they even block Syrian IPs from downloading the updates. I know it can be evaded, but I'd bet they don't even try that. They probably rely on the fact that the operator clicked the "I'm not evil" checkbox.

CP Constantine • October 24, 2011 2:12 PM

I find this just to be a 'bleeds, it leads' story.

If syria had implemented their Great Firewall using linux and squid, would we be chest-beating over a story titled "linux enables web filtering in Syria" ?

However, if they haven't taken steps to prevent updates and service to those systems, yeah, they're crossing the line on lack of due diligence to regs here.

Frankly, I'm not much of a fan of bluecoat, but I'm in their defence here that it's likely beyond their control. It's the internet, and I'm sure they could surreptitiously acquire filter updates (and of course, they're definitely managing their own) without Bluecoat being able to directly ID their systems (sneakernet still works very well, even in the 21st century).

Scott • October 24, 2011 2:21 PM

@tim, the point of the post seems clear:

Blue Coat products are used to enable censorship in Syria. While Blue Coat does not sell directly to Syria, there is one more step Blue Coat could take to reduce the usefulness of their products being used by Syria: don't allow Syria to register these products or revive code-updates.

A better question is what is the point of your post?

Brett O • October 24, 2011 2:47 PM

On the note "registered, and that they receive all the normal code and filter updates."
Is that a problem and is it illegal? I'd have to double check the regulations, but Blue Coat would probably not be in violation for providing updates - which arguably aren't selling to banned states. They might be legally required to provide updates (I don't have a copy of BC's Terms and Licences), within some limits. I mean, if you have their product, doesn't that mean you get the updates?

Bruce Schneier • October 24, 2011 3:31 PM

"On the note 'registered, and that they receive all the normal code and filter updates.' Is that a problem and is it illegal? I'd have to double check the regulations, but Blue Coat would probably not be in violation for providing updates - which arguably aren't selling to banned states."

I'm sure it's not illegal. But it does seem like a problem to me. How does it make sense for a company to not be able to sell a product to certain countries, but be able to maintain them if those products somehow get sold to those countries.

NobodySpecial • October 24, 2011 3:31 PM

The OFAC bans "doing business with" - the US's definition of "doing business with" can be pretty broad when they feel like it.

John Hardin • October 24, 2011 3:46 PM

@scott: "...don't allow Syria to register these products or revive {sic} code-updates."

Better yet, if receiving an update request from a Syrian IP block, download an update that will disable/destroy the software.

Mark • October 24, 2011 4:30 PM

As for receiving code and filter updates, if they are, I'd think that at best, it is a situation of adhering to the letter of the law/regs while evading the spirit. At worst, of course, it's against the law/regs.

James Sutherland • October 24, 2011 5:09 PM

"there is one more step Blue Coat could take to reduce the usefulness of their products being used by Syria: don't allow Syria to register these products or revive code-updates."

From the article, there's no indication the Syrian kit IS registered or being updated - nor much of a reason the Syrians would do so: registered or not, they are hardly likely to receive direct customer support from Blue Coat if they asked for it, and filter updates probably wouldn't make much sense either: Blue Coat's commercial filters are probably intended to block very different types of site than Syria would want to block - and would Syria trust outsourced American filtering lists rather than using their own?

If I were running the Syrian setup ... I'd probably use Squid on *nix anyway, but failing that, I'd get something like Blue Coat hardware on eBay and make very sure it DOESN'T phone home in any way - otherwise, what's to stop a future update shutting it down permanently, or indeed helping acronym-people sending the next Stuxnet my way?

Dirk Praet • October 24, 2011 5:19 PM

My image of the average corporate or government spokesman is that of a clean-cut idiot in a three-piece suit who has undergone media training and is telling whatever it is his master is paying him for without having a clue what's really going on.

Picture yourself the Bhopal PR-man being interviewed in front of an exploding chemical plant, an orange cloud in the background, hazmat teams in bio suits running for cover, then making a statement to the Fox News reporter that there is absolutely no danger for public health and that the situation is totally under control. The role was taken to new and unseen heights by one Muhammad Saeed al-Sahhaf, the former Iraqi Minister of Information, during the 2nd invasion of the country in 2003. Most of us remember him as Comical Ali.

That said, there are indeed US and international laws restricting export of certain technologies to certain countries, but it is downright ridiculous to assume that any commercial company specialising in filtering and surveillance equipment will not at least try to bend or circumvent the rules. After all, that's their core business and if they don't sell, someone else will.

And Bluecoat is really not alone. Cisco and Nortel have equally been taking quite some flak for their role in the great firewall of China. To put it simply: 99% of corporations don't give a rat's *ss about regulations or ethical considerations. These are business inhibitors and therefore appropriately addressed by secrecy or any loophole the legal team can come up with.

kurtisj • October 24, 2011 6:54 PM

hah, how many times do you think any of their registration info has been reviewed by a US export office? a big fat zero.

that sort of stuff is nothing but an HR training checkbox in the US.

Scott • October 24, 2011 6:58 PM

@Dirk_Praet: "After all, that's their core business and if they don't sell, someone else will."

With that kind of thinking anything can be justified in the name of making a sale... anything.

maelorin • October 24, 2011 9:42 PM

it is not unlikely that these products are sitting on servers 'owned' by, say, sanfu.com - a trading company registered in the bahamas - using ip addresses issued from the bahamas, france, luxembourg.

there is no absolute connection between ip address and geography.

there is no requirement for syria's filters to be located in syria (though they probably are). traffic could go into syria, then out to filters, then back in to their domestic subnet. not to mention, the machines could be configured to *say* they're in bolivia, or israel.

bluecoat are right insofar as they have no absolute way of preventing syria from acquiring or using their software. they also have limited means to control distribution: they can use contract law, but once in the possession of another party, the trail can quickly become convoluted.

this is not to say they *shouldn't* try; just that the practical realities are that it's not impossible to disguise the location of the use of the software.

and they may not have to try.

"do not sell" is different from "do not support" in the world of regulatese (the land where legalese is spoken by bureaucrats, and has its own dialects). if governments want to ensure a thing, they ought be *doing* something about it *themselves*; but that gets costly, and politically awkward - so they make up stories to tell us at bedtime. [laws are mere scratchings on paper unless *someone* does *something* to make them *mean* something.]

making something illegal is different from being able to demonstrate (legally) that that something has happened, or that that something exists. and even if it has happened, and does exist, pinning down who is at fault is yet another matter.

the whole house of cards of compliance regulation is built upon trust: trust that compliance will follow the rule; that the rule says what was meant; that the regulator can hold parties to the rule; that the rule is valid; and so on.

but mostly, trust that compliance regulation leads to the intended outcomes, and that only bad eggs will find a way around the rule - that non-compliance is not the norm because that would be wrong, and we don't do wrong things ...

kurtisj • October 24, 2011 11:07 PM

Btw, bruce, the issue is exporting technology. If they knowingly have registered users that they are delivering updates to in export restricted regions, they are breaking the law. The issue here is exporting, and I believe that delivering updates is considered exporting technology.

Clive Robinson • October 25, 2011 1:17 AM

@ Bruce,

"How does it make sense for a company to not be able to sell a product to certain countries, but be able to maintain them if those products somehow get sold to those countries."

You have raised two thorny issues as one.

The first is "What is a 'product'?"

The second is "The doctrine of the first sale".

The first thing you have to remember is "to think in physical terms" because that is what the law has been mainly about even when talking about IP.

Take for instance a car or any other everyday physical object, on examination it is not a single item but many component items that are put together. Some are custom parts (body shell) and some are standard parts (nuts bolts etc) and many of the custom parts will be made of standard sub parts. And whilst some parts may be custom (specialised engine) the chances are they will be designed to have standard "interfaces" so that they can be replaced at a later date with a different custom part.

So at what point do you draw the line as to it being a car, a collection of custom sub assemblies, or collection of standard parts in a custom configuration?

That is, what differentiates a car from its parts?

For instance is a "kit of bits" a car before or after it is built?

We have had this issue in Europe for quite a few years in the electronics industry for various reasons, the simplest being safety. Before a product "goes on the European Market" (i.e. offered for sale) it has to have passed various safety tests, one of which is the "BSI finger test" to ensure the equipment is not going to electrocute people in use. However a distinction between "finished items" that had to have been tested as safe and "replacement" or "component" parts that either did not or could not pass the tests was made.

Then along came the PC with its replaceable I/O cards, to muck things up...

The legislation is and always will be a mess no matter how you try to address it when it comes to products and their parts that are also products in their own right, even case law usually makes absolutely no sense from the technical perspective, which is why people will always skate on the edge to get away with it.

Then there is the thorny issue of the "First Sale Doctrine": as an author you have legal control on the IP in your books via copyright law but you have no legal control on the physical print impression (paper book) past its first sale.

So although you (or your various representatives) might for various reasons say "Not for sale in Europe" you will find it almost impossible to enforce. That is I can buy a copy of your book in the US bring it to Europe and then sell it to another individual. Provided I acknowledge the "first sale" in some way when selling the book, that is as "second hand", "nearly new" etc you have little or no recourse.

This "first sale doctrine" on software with End User Licences has recently come into question because the software is not sold but licensed,

https://freedom-to-tinker.com/blog/abridy/digital-death-copyrights-first-sale-doctrine

Tim#3 • October 25, 2011 4:33 AM

If the manufacturer wanted to be seen to be acting responsibly surely they would be trying to confirm that their product is in use then take it down through whatever means is available. Maybe they could even publish details of backdoors & other ways of circumventing the filters. As it stands they seem to be adopting a very odd attitude indeed.

Mike B • October 25, 2011 7:10 AM

Having Syrian government network systems registered and receiving updates from a US based supplier is a good thing in the same way having US government network systems registered and receiving updates from a Chinese based supplier is a bad thing.

Hopefully if Blue Coat gets the call they'll know whose team they are playing for.

NobodySpecial • October 25, 2011 7:34 AM

Of course if BlueCoat was doing something really wrong - like selling to a foreign online gaming company then the government would do something about it.

Matthew Skala • October 25, 2011 8:04 AM

As long as the US Government is allowed to mandate Web filtering against its own citizens - which it does, with the excuse that the victims are underage and therefore don't have REAL rights - there's no point worrying about exported US filtering technology elsewhere. Put your own house in order first, guys.

Tom • October 29, 2011 1:07 PM

Blocking source IP's from Syria to get updates would be practically useless. You could just proxy the IP's (a bit of irony there: proxies using proxies to bypass enforcement). Or just download some updates offline and apply them manually.

Ask the question another way - does Microsoft block updates from any countries? McAfee? Trend Micro? Etc.
