RE: Intelligent Rating Systems

   Date: Mon, 26 Jun 1995 18:08:03 -0700
   From: immedia@netwest.com (Ken Meyering)

   At 08:05 PM 6/26/95 -0400, bede@scotty.mitre.org wrote:

   >In this scheme, the HTTP client might receive a header like this:
   >
   >    Content-Rating: MPAA "PG13+AC+AL"
   >
   >The client might also *send* a header like this as part of a
   >negotiation, as is now the case with "Accept:" headers.  In the case
   >of a server, though, the server is claiming that the "MPAA" rated the
   >attached document "PG13+AC+AL".  The client is free to verify this
   >claim, possibly by using a "content-rating" protocol.

   How would this scheme handle the following URL?  (Pardon my honesty.)

      http://www.penthousemag.com/magazine/p06jun/06pet06.jpg


OK, I'll take a stab at it.  Let's say my client is configured to
ask explicitly for

      Content-Rating: MPAA "PG13+AC+AL"

Now, has ".../06pet06.jpg" been rated by the MPAA?  Let's assume it
has, and that it's been rated "R".  The server shouldn't deliver the
JPEG to my client.  I'm thinking of the client-supplied rating as a
threshold value.  In this case, anything rated "worse" than "PG13+AC+AL"
by MPAA gets filtered out.  What "worse" means really boils down to a
local policy decision, and my client software and other access control
tools should be able to enforce this decision with a high (but not
necessarily bulletproof) level of assurance.

Similarly, if someone other than MPAA has rated ".../06pet06.jpg", the
server shouldn't deliver, because my client specifically asked for
MPAA ratings.  Maybe my syntax should be extended to allow for "*"
placeholders, although I'm not sure that makes any sense.  This might
also indicate a need for some way to translate between different
rating schemes, but that's a different topic.

Assume the server delivers ".../06pet06.jpg" with an appropriate
rating.  My client now has the option of checking with the MPAA online
source for verification.  In this case, I'd say we might want to
require an exact match with the server's rating before putting the
image onscreen, since a rating mismatch might also indicate an image
mismatch, but this is a policy you'd want to be able to configure into
the client.

Let's assume my client says nothing up front, and the server delivers
".../06pet06.jpg" with the same "PG13+AC+AL" header.  Now it's up to
the client and/or the local rating mechanism to figure out whether to
display the image.  I might try to check with the MPAA to verify
Penthouse's rating before deciding what to do, or I might just assume
Penthouse is telling the truth and apply a configured policy threshold
to their rating.  The publisher is not short of reasons for being
reasonably honest about ratings.

Let's assume the MPAA isn't online and I haven't got anything more
than the publisher's word about the rating.  They could lie to me, but
Penthouse is taking a pointless risk by doing so.  At the very
least, I might configure my local rating vector (which includes
filtering at the local router) to categorically exclude client access
to anything mentioning "www.penthousemag.com" [198.80.37.97].  I
suppose I could also phone/write the local newspaper, an ambitious
congressman or two, Senator Exon or a Liberal counterpart, the local
Christian Coalition bunch, generally raise a fuss and try to portray
Penthouse as a slimeball purveyor of online smut to innocent children.
Shock/shame tactics like these have been used very successfully
against adult magazines in stores like 7-11, and more recently against
cable TV companies, and the news media are amazingly quick to jump on
The-Internet-versus-our-kids horror stories these days.

If my client resides at an elementary school, I don't imagine I'd
want to allow access to "www.penthousemag.com" in the first place.
The easiest way to handle this is to just filter out access to the IP
address for that particular host.  Most Internet access providers
will do this for me, if I can't figure out how to do it myself.
www.playboy.com would be in the same boat, as would other "adult"
publishers in this context.  IP addresses can be terms in what I've
called the local "content-rating vector".  Not all access control
needs to be handled explicitly in the WWW client, and there are other
tools better suited for this anyway.

If my client is configured for a specific rating threshold and the
server doesn't rate the image, I have to decide whether the absence of
a rating is significant.  I think the decision for or against depends
on the circumstances.  The technical capability to support this kind
of policy decision is something which is needed from the client.



- Bede McCall   <bede@mitre.org>

  The MITRE Corporation            Tel: (617) 271-2839
  Bedford, Massachusetts           FAX: (617) 271-2423

Received on Monday, 26 June 1995 23:34:23 UTC
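
The client-side decision described in the message above can be sketched as follows. This is an added example, not code from the thread or from any real HTTP implementation. "Content-Rating" is the header proposed in the thread; the level ordering, the treatment of "+XX" suffixes as opaque flags, and the names decide, exceeds, blocked_hosts and allow_unrated are assumptions standing in for local policy.

```python
import re

# Assumed local ordering of base levels; the thread leaves "worse" to local policy.
LEVELS = ["G", "PG", "PG13", "R", "NC17"]
HEADER_RE = re.compile(r'^Content-Rating:\s*(\S+)\s+"([^"]+)"\s*$', re.I)

def parse_rating(header):
    """Return (rater, level, flags) for a proposed Content-Rating line, else None."""
    m = HEADER_RE.match(header.strip()) if header else None
    if not m:
        return None
    level, *flags = m.group(2).upper().split("+")
    if level not in LEVELS:
        return None
    return m.group(1).upper(), level, frozenset(flags)

def exceeds(rating, threshold):
    """Assumed policy: a higher level is worse; at the same level, extra flags are worse."""
    (_, level, flags), (_, t_level, t_flags) = rating, threshold
    if level != t_level:
        return LEVELS.index(level) > LEVELS.index(t_level)
    return not flags <= t_flags

def decide(host, header, threshold_header, blocked_hosts=(),
           allow_unrated=False, verified_header=None):
    """Apply the local rating policy to one response and return the decision."""
    # Host exclusion is one term of the local "content-rating vector".
    if host.lower() in blocked_hosts:
        return "block: host excluded"
    threshold = parse_rating(threshold_header)
    if threshold is None:
        raise ValueError("unparseable threshold")
    rating = parse_rating(header)
    # A missing or malformed rating is a policy decision, not an error.
    if rating is None:
        return "allow: unrated" if allow_unrated else "block: unrated"
    # The client asked for one rater; ratings from anyone else do not count.
    if rating[0] != threshold[0]:
        return "block: rater mismatch"
    # Optional check against the rater's own answer; exact match required.
    if verified_header is not None and parse_rating(verified_header) != rating:
        return "block: verification mismatch"
    if exceeds(rating, threshold):
        return "block: exceeds threshold"
    return "allow"

if __name__ == "__main__":
    T = 'Content-Rating: MPAA "PG13+AC+AL"'   # constructed sample inputs below
    print(decide("site.example", 'Content-Rating: MPAA "R"', T))
    print(decide("site.example", None, T, allow_unrated=False))
```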