Join Now!

Blocked Site of the Day

Blocking Software Reports

BESS
Cyber Patrol
WebSENSE
Net Nanny
SmartFilter
X-Stop / 8e6
I-Gear
CYBERsitter

About Peacefire
Join Peacefire
Blocking Software FAQ
Contact
Press information

All contents
©1996-2010 Peacefire

webmaster@
peacefire.org

HomeAbout PeacefireCensorwareContact

IGDecode: I-Gear list codebreaker

We decrypted the list of sites blocked by I-Gear and discovered that, of the first 50 sites blocked in the .edu domain, 38 out of 50 were obviously blocked in error, for an error rate of 74%. (Click here for an analysis of the first 50 .edu sites on the list.)

We also found that:

  • When you install I-Gear, it retrieves your real name and your company name from your hard drive, and uploads this information to Symantec after installing. (Not your "real name" that you enter while installing I-Gear -- the actual name used to register your copy of Windows NT.) Symantec's privacy policy claims that none of their products do this. More details below.
  • Even the descriptions of I-Gear's blocking categories include pages that are obviously legal for students under the First Amendment. For example, the description of the "Sex/Nudity" category says, "Includes sites featuring nudity that is artistic in nature or intended to be artistic, including photograph galleries, paintings that may be displayed in museums, and other readily identifiable art forms." More details below.

How to get I-Gear's list

Click here to download the encrypted list of blocked sites from I-Gear's server. (The download is 13 megabytes.)
(Note: I-Gear has de-activated this link. At this point, the only way to get a copy of I-Gear's list is to download and install I-Gear from http://www.urlabs.com. Before you install I-Gear, please be aware that the I-Gear installation program retrieves your "real name" and "company name" from Windows registration information on your computer, and uploads this information to Symantec -- more below.)

Click here to download igdecode.exe, the I-Gear list codebreaker. The syntax for using the codebreaker is: 

igdecode <filename>
This prints the decrypted list. Since the decrypted list is still 14 megabytes, it would make more sense to redirect the output to a text file: 
igdecode <filename> > output.txt

Privacy concerns

When you install I-Gear, it prompts you for information such as your real name and the company where you work. However, when this information is uploaded to Symantec, it also uploads the "real name" and "company name" that your copy of Windows is registered to -- i.e. what is listed if you look under the "General" tab of the "System" applet in Control Panel.

A Peacefire volunteer discovered that when I-Gear was installed on his Windows NT Server machine, it first contacted demand.urlabs.com and sent the following request: 


GET /ding2/cgi-bin/ding2.cgi?action=getlicense&firstname=xxxxx
&lastname=xxxxx&phone=xxxxx&shortkey=xxxxx&tain
t=51222111111111125688&fax=xxxxx&email=xxxxx&organization=xxxxx
&address1=xxxxx&address2=&city=xxxxx&state=xxxxx
&zip=xxxxx&country=xxxxx&vendor=&reqip=&sysinfo=Wes%20Mills%3aWyver
n%20Productions%20Group HTTP/1.0

(Here "xxxxx" represents personal data that was used to register this particular copy of I-Gear, which we have deleted. The highlighted information -- "Wes Mills, Wyvern Productions Group" -- was scanned in form Windows by I-Gear, and uploaded to Symantec at the same time. "51222111111111125688" was the computer's Windows NT Server product ID number; this was a legal copy of Windows NT that was used, even though "1111111111" is a generic Windows NT serial number. When this data is sent, URLabs's server sends back an activation key that is used as a "password" to download future copies of the blocked-site list.)

Symantec's privacy policy states:

The choice of how much personally identifiable information you disclose to Symantec is completely at your discretion.

I-Gear was manufactured by URLabs before URLabs was bought out by Symantec; even though Symantec's privacy policy now applies to products sold by URLabs, it is possible that at the time of the buyout, URLabs did not inform Symantec of their practice of collecting personal data about I-Gear users without consent.

Overbroad categories

I-Gear's Web site does not include descriptions of the program's blocking categories, but they are given in a file manual.pdf which can be downloaded with the software. Since the PDF file is more than 2 megabytes, we have copied the descriptions of two of the "sex" categories below:

Sex/Acts
Sites depicting or implying sex acts, including pictures of masturbation not categorized under sexual education. Also includes sites selling sexual or adult products.
http://www.cyberos.com
http://persiankitty.com

Sex/Nudity
Sites featuring pictures of exposed breasts or genitalia that do not include or imply sex acts. Includes sites featuring nudity that is artistic in nature or intended to be artistic, including photograph galleries, paintings that may be displayed in museums, and other readily identifiable art forms. Includes nudist and naturist sites that contain pictures of nude individuals.
http://www.artcreate.com/photo/body/
http://www.bareboating.com/

Obviously any attempt to ban the display of "photograph galleries, paintings that may be displayed in museums, and other readily identifiable art forms" to minors would be challenged in court under most circumstances.