Is the Stop Online Piracy Act Bad for America?
Two new bills being considered in Congress are designed to crack down on Web-based music and video piracy by enforcing American copyright laws overseas. Yet each bill could derail efforts to make the Internet more secure, according to experts, and might even break the global network by forcing drastic changes in the way users connect to websites.
The Senate bill, the PROTECT IP Act (“Prevent Real Online Threats to Economic Creativity and Theft of Intellectual Property”), was introduced on May 12 by Sen. Patrick Leahy, D-Vt. It cleared the Senate Judiciary Committee, but was then placed on indefinite hold by Sen. Ron Wyden, D-Ore.
The House's bill is called the Stop Online Piracy Act, or SOPA. Also known as the E-Parasite Act, it was introduced on Oct. 26 by Reps. Lamar Smith, R-Texas, and Howard Berman, D-Calif. Rep. Zoe Lofgren, D-Calif., whose district includes part of Silicon Valley, has spoken out in opposition to it, as have Rep. Darrell Issa, R-Calif., and presidential candidate Rep. Michele Bachmann, R-Minn.
[On Monday (Nov. 15), nine Internet-based companies, including AOL, eBay, Facebook, Google, Mozilla, Twitter and Yahoo, sent a letter to Congress expressing their concerns about the two bills.]
The House Judiciary Committee plans to hold a hearing on the SOPA bill Tuesday (Nov. 16).
SOPA and PROTECT IP are targeted at overseas websites that host pirated files of movies, music and TV shows (such as the Pirate Bay or MegaUpload), or stream video of sports matches or other live international events across national boundaries. (Broadcast rights to sports events are sold on a country-by-country basis.)
The yearly revenue lost to U.S. companies is estimated at $200 billion, according to a report commissioned by the U.S. Chamber of Commerce, which has come out strongly in favor of the SOPA and PROTECT IP bills.
Because such overseas sites are out of reach of U.S. law, each bill would force American payment providers, such as MasterCard or Visa, to stop processing transactions involving sites that were found by a court to be infringing copyrights — in effect, cutting off their money. (A similar tactic was used against Wikileaks a year ago.)
From a technical point of view, the most worrisome provision of the SOPA and PROTECT IP bills is that both allow federal courts to order Internet service providers (ISPs), such as Time Warner Cable or Verizon, and search engines, such as Google or Yahoo, to block websites that have been determined to infringe upon copyrights and trademarks belonging to the American entertainment industry.
The ISPs would have to block such sites by “filtering” their own Domain Name System (DNS) servers. Normally, DNS servers match the Web addresses humans know — such as www.securitynewsdaily.com — with the Internet Protocol network addresses that computers use, such as 18.104.22.168.
But the SOPA and PROTECT IP bills would change that system. As a result, if a U.S.-based user were to type in a Web address pointing to an infringing site, the ISP’s DNS server would be forbidden from giving the correct Internet Protocol address to the user’s browser.
Instead, the ISP would have to either re-route the user’s browser to a notice of copyright infringement, or return a standard “404” error indicating that the site could not be found.
In the latter case, the ISP would have been forced to “lie” about the existence of the domain name — a breach of network protocol that could have effects reaching across the global Internet.
The effect of the bills on search engines would be slightly different. Google, for example, would filter out infringing sites from its results, which is technically simple but a disservice to the customer, who expects to be able to find anything he wants. Like the ISPs, search engines would be forced to “lie” and state that existing sites don't exist.
“It’s basically saying that if a court orders it, companies [such as Google] would have to remove the link from appearing in search engines,” said Michael Masnick, who writes the TechDirt technology blog and is the founder of Floor64, a Sunnyvale, Calif., company that builds collaboration technologies.
Masnick has been a strong opponent of the Senate's PROTECT IP Act.
Sacrificing security for royalties
Security experts object to the fact that the SOPA and PROTECT IP DNS filtering provisions butt up against a new security protocol, called Secure DNS or DNSSEC, that is being rolled out by Internet service providers and some countries (such as Brazil and Sweden) in their top-level domains.
Secure DNS helps users avoid bogus or criminal-controlled websites that gather traffic via DNS “cache poisoning,” or hijacking of DNS search results. (Such a cybercriminal scheme was recently uncovered in Brazil.)
Under Secure DNS, when a user types in a Web address, the DNS server that gives the user's browser the target site's IP address also sends bits of data that authenticate the IP address as genuine.
Paul Vixie, chairman and chief scientist at the Internet Systems Consortium in Redwood City, Calif., said that the PROTECT IP bill’s DNS-filtering requirements would defeat the mechanism of Secure DNS. (The same requirements are in the House's SOPA bill.)
“Secure DNS can tell you when you're being lied to, but it can't tell if those lies are due to a law like PROTECT IP or due to criminal interference,” Vixie said. “If you know you're being lied to, but you don't know whether it's a lawful lie, then what should you do? It turns out that PROTECT IP would make Secure DNS useless.”
(Vixie was co-author of a whitepaper published in May that spelled out the technical concerns of legally mandated DNS filtering, available here as a PDF.)
If Secure DNS were to be rendered ineffective, bad actors who would want to set up a site that spoofed, for example, the official Bank of America site could continue to do so. Essentially, filtering DNS servers would make the Internet less safe.
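Vixie's point, as an added illustration that is not from the article or the whitepaper: a validating resolver reaches the same verdict for a court-ordered rewrite and for a forged answer. Toy textbook RSA stands in for DNSSEC's real signature algorithms, and the domain name, addresses and function names are all constructed.

```python
import hashlib

# Toy textbook-RSA zone key (constructed; stands in for a real DNSSEC key pair).
P, Q = 2**89 - 1, 2**61 - 1          # two Mersenne primes
N, E = P * Q, 65537                  # public key, published by the zone
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, held only by the zone owner

def digest(name: str, ip: str) -> int:
    """Hash the (name, address) pair that the signature covers."""
    data = f"{name}|A|{ip}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def zone_sign(name: str, ip: str) -> int:
    """Zone owner signs its genuine record (the role a DNSSEC signature plays)."""
    return pow(digest(name, ip), D, N)

def validate(name: str, ip: str, sig) -> str:
    """Validating resolver: it holds only the zone's public key (N, E)."""
    if sig is None:
        return "BOGUS"               # a signed zone must supply a signature
    return "SECURE" if pow(sig, E, N) == digest(name, ip) else "BOGUS"

NAME = "media.example"               # hypothetical signed domain
REAL_IP = "192.0.2.10"               # constructed address (documentation range)
REAL_SIG = zone_sign(NAME, REAL_IP)

# Three answers a user's resolver might receive (all constructed).
ANSWERS = {
    "genuine":        (REAL_IP, REAL_SIG),
    "court_filtered": ("198.51.100.1", None),      # ISP points to a notice page
    "cache_poisoned": ("203.0.113.66", REAL_SIG),  # forger reuses the old signature
}

def classify_all() -> dict:
    """Return the validator's verdict for each answer."""
    return {label: validate(NAME, ip, sig) for label, (ip, sig) in ANSWERS.items()}

if __name__ == "__main__":
    for label, status in classify_all().items():
        print(f"{label:15} -> {status}")
```

The validator has no field that records why an answer failed: the filtering ISP cannot produce the zone's signature any more than the forger can, so both land in the same bucket.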
If SOPA or PROTECT IP were to become law, Vixie said, sites such as the Pirate Bay, which really are dedicated to hosting illegally copied content, could simply set up an alternative set of domain name servers.
Even ordinary users would find it trivial to get around blockages involving the traditional DNS system. They could directly type in the IP addresses of sites they wanted to reach, for example, or use proxy servers to pretend they were not in the U.S. and hence not subject to the new laws. Or they could use OpenDNS, a well-regarded alternative to the traditional DNS system that has been in existence for years. (The SOPA bill's language is so broad that it might effectively outlaw such services.)
Much more seriously, filtering DNS listings could also fragment the Internet. The Internet Protocol depends on each participating device — and there are billions of them — to play by the same rules and to have identical information about all the other devices on the global network.
But if PROTECT IP or SOPA became law, DNS servers based in the U.S. would have to list a different set of network addresses from their foreign counterparts. They would in effect “see” a different Internet from what their foreign counterparts see.
In a way, this has already happened in China, Iran and other countries where users are blocked from sites the government doesn’t like, and the national network is effectively partitioned off from the global Internet with only a few carefully monitored connections in or out.
But the U.S. is the very heart of the Internet. The U.S. government created the system, the U.S. has the largest number of nodes and gateways of any nation, and billions of connections from foreign countries to other foreign countries cross through U.S.-based routers, gateways and relays.
If PROTECT IP or SOPA were to be implemented, it would effectively cut out the middle of the entire Internet.
David Sohn, senior policy counsel at the Center for Democracy and Technology in Washington, D.C., explained that part of the problem with the SOPA bill is that its definitions are simply too broad.
For example, the bill says that intermediaries — for instance, hosting providers unaware of what their clients are up to — can be defined as “dedicated to facilitating” the distribution of counterfeit goods or services. That would classify them as infringing upon U.S. intellectual property and subject to court-ordered blockage and filtering.
But blocking a hosting provider would also block all the other sites hosted by that provider, not just those offering bootleg TV shows. Such a shotgun-blast approach temporarily blocked 84,000 small websites earlier this year after the U.S. government targeted a single site thought to be harboring child pornography.
In fact, some argue that the SOPA bill would allow the courts to cut off funding to any company that is thought to be helping copyright infringement in any way. For example, the Mozilla Foundation, which distributes the Firefox browser, could be deemed hostile due to its refusal to disable add-ons that get around DNS blockages.
“The House bill definition could apply to a wide range of sites,” Sohn said.
Broad support, thin opposition
Both the SOPA and PROTECT IP bills have garnered strong bipartisan support in Congress. Outside support comes from organizations involved in the American entertainment industry, including the Motion Picture Association of America, the Recording Industry Association of America, the Screen Actors Guild and the American Federation of Television and Radio Artists.
In a rare show of management-worker unity, the International Brotherhood of Teamsters and the AFL-CIO have joined the pro-business U.S. Chamber of Commerce in backing the bills.
Opposing the bills are Google, Yahoo, eBay, the Consumer Electronics Association and the Electronic Frontier Foundation. (Yahoo left the U.S. Chamber of Commerce last month, and Google and the Consumer Electronics Association are reportedly considering leaving.)
Google especially has much to lose, since SOPA reduces the scope of the “safe harbor” clause in the 1998 Digital Millennium Copyright Act (DMCA), the clause that lets copyrighted material stay up on YouTube until a copyright holder asks that it be taken down.
Also speaking out against SOPA and PROTECT IP, rather surprisingly, was teen-pop superstar Justin Bieber.
But the lines are not neatly divided between Hollywood and Silicon Valley. Christine Jones, general counsel at domain registrar GoDaddy, wrote a guest opinion piece on the political-news website Politico last month expressing support for SOPA. (It's behind a paywall on Politico, but Jones has reposted it on her blog.)
Jones told SecurityNewsDaily that concerns that a site like GoDaddy might get shut down as a facilitator of online piracy if the SOPA or PROTECT IP bills become law are overblown.
“Disney doesn’t care about your little website,” Jones said. “They care about sites that are wholesale infringers.”
Jones said the point of SOPA and PROTECT IP is to address what entertainment companies see as weaknesses in the DMCA, which currently covers copyright infringement and intellectual property on the Internet. She said the problem is that the DMCA doesn’t do much to stop a foreign site such as the Pirate Bay, which is based in Sweden.
SOPA, if it becomes law, will cover more than movies or music. Jones said it will also provide some method of redress for manufacturers who might have counterfeit products shipped into the U.S. and ordered online.
She noted that under both bills, a judge has to sign off on any injunction to shut down a site, and a private actor can’t unilaterally shut one down.
“It gives the Department of Justice the ability to go offshore,” Jones said.
She added that GoDaddy, for its part, takes down sites that are infringing on copyrights when requested to do so, and that under the proposed law, a site owner can challenge the injunction.
“The bad guys aren’t going to do that,” Jones said.