Title: "Remember, to a liberal, anyone who makes money in an endeavor frowned upon by liberals is 'greedy' and any person who express
Better known as the "Stop Online Free Speech Act":

From the Eric S. Raymond blog Armed and Dangerous: http://esr.ibiblio.org/?p=4009

SOPA and the oblivious

A government that is big enough to give you everything you want is big enough to take everything away from you – including your Internet freedom.

That’s the thought that keeps running through my head as I contemplate the full-scale panic going on right now about SOPA, the “Stop Internet Piracy Act”.

It’s a bad bill, all right. It’s a terrible bill – awful from start to finish, idiotic to the core, corruptly pandering to a powerful special-interest group at the cost of everyone else’s liberty.

But I can’t help noticing that a lot of the righteous panic about it is being ginned up by people who were cheerfully on board for the last seventeen or so government power grabs – cap and trade, campaign finance “reform”, the incandescent lightbulb ban, Obamacare, you name it – and I have to wonder…

Don’t these people ever learn? Anything? Do they even listen to themselves?

It’s bizarre and entertaining to hear people who yesterday were all about allegedly benign and intelligent government interventions suddenly discovering that in practice, what they get is stupid and vicious legislation that has been captured by a venal and evil interest group.

Yeah, no shit? How…how do they avoid noticing that in reality it’s like this all the time?

The depressing part is how safe a bet it is that they’ll go back to being oblivious the moment their direct interests aren’t threatened. They’ll cheer for the next tax hike, the next round of environmental feel-goodism, the next political “fix” for the next transient market failure – and never notice that by doing so they’re creating the political conditions in which malignant growths like SOPAs inevitably flourish.

So here’s a clue: the only way to keep your freedom – on the Internet or anywhere else – is to defend everyone else’s freedom as well, by keeping your government tiny and starved and rigidly constrained in what it can do. Otherwise, the future you’re begging for is SOPAs without end.


The Volokh Conspiracy: http://volokh.com/2011/12/14/sopa-rope-a-dope/

SOPA-Rope-a-dope

Critics of the Stop Online Piracy Act (H.R. 3261) have had an impact.  A manager’s amendment has been offered by Lamar Smith, R-TX, the Judiciary Committee chairman.  I was critical of the first version.  Here’s my take on the new version.

This version contains several provisions aimed at the security concerns raised about the first version.  The new bill insists that it is imposing no technology mandate and that it should not be construed to impair the security of the domain name system or the network of an ISP that receives an order. And it whittles away at the original requirement that ISPs must “block and redirect” visitors to pirate sites. Now, the ISPs are only obliged to block those efforts, not to redirect the subscribers to an alternative site that warns against piracy. ISPs also get a safe harbor that allows them some assurance that they don’t have to redesign their networks to carry out the blocking.

Unfortunately, the new version would still do great damage to Internet security, mainly by putting obstacles in the way of DNSSEC, a protocol designed to limit certain kinds of Internet crime. Today, it’s not uncommon for crooks to take over Internet connections in hotels, coffee shops and airports — and then to direct users to fake websites.  Users sent to a fake banking site are prompted to enter account and password data, which is used to loot the account. DNSSEC prevents such attacks by giving each website a signed credential that must be shown to the browser by the domain name system server before the connection can be completed.

That’s a great idea, but crooks will predictably try to override it.  Their best bet is to claim that the website doesn’t have a signed credential – a claim that will be plausible at least during the transition to DNSSEC.  What should a browser do if a website says it doesn’t have a signed credential yet?  The site might be telling the truth, or it might be a fake site backed by a DNS server that’s been tampered with.  To find out, the browser needs to ask a second DNS server, and if that server doesn’t give an answer, a third and a fourth server until it gets an answer. That’s the only way to keep criminals from blocking the real DNS credentials and offering their own.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA’s scheme for blocking pirate sites.  SOPA envisions the AG telling ISPs to block the address of www.piracy.com.  So the browsers get no information about www.piracy.com from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address.  Eventually, it will find a server in, say, Canada.  Free from the Attorney General’s jurisdiction, the server will provide a signed address for piracy.com, and the browser will take its user to the authenticated site.

That’s what the browser should do if it’s dealing with a hijacked DNS server.  But browser code can’t tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG’s point of view, the browser’s efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.

The latest version of SOPA will feed that view.  It allows the AG to sue “any entity that knowingly and willfully provides …a product … designed by such entity or by another in concert with such entity for the circumvention or bypassing of” the AG’s blocking orders.

It’s hard to escape the conclusion that this provision is aimed squarely at the browser companies. Browsers implementing DNSSEC will have to circumvent and bypass criminal blocking, and in the process, they will also circumvent and bypass SOPA orders. The new bill allows the AG to sue the browsers if he decides he cares more about enforcing his blocking orders than about the security risks faced by Internet users. Indeed, the opaque language about “another in concert with such entity” makes perfect sense in the context of browser extensions.  It allows the AG to sue not just browsers but also add-ons with this feature.

OK, that’s the law.  Now imagine you are Microsoft, or Google, or Apple, or Mozilla.  The DNSSEC guys come to you and ask you to implement DNSSEC.  It won’t increase your revenue, they admit, but it will make the Internet much safer for your users.  You want to be a good internet citizen, so you think maybe you should devote some precious code-writing resources to the cause.  But first you ask your lawyers whether they foresee any problems.

“Well, yes,” they’d have to say. “If you add code to the browser that implements DNSSEC, you’ll have to add code that circumvents criminal hijackings of the DNS system.  And that code can be declared illegal by the Attorney General pretty much whenever he likes.  You can litigate about it, of course, but if you lose, the AG can shut down all shipments of your browser until it’s been revised to the satisfaction of his staff and their advisers in Hollywood.”

Faced with that advice, would you implement DNSSEC?

Neither would I.

In fact, I wouldn’t even allow the DNSSEC guys to write an extension that implemented their protocol. And so, by poising a sword of Damocles over the browser companies, SOPA will kill DNSSEC.

Let’s hope that the opposition to SOPA hasn’t punched itself out against the first version of the bill, because this version is badly in need of a knockout punch.


--

"Remember, to a liberal, anyone who makes money in an endeavor frowned upon by liberals is 'greedy' and any person who expresses an idea contrary to basic liberal dogma is preaching 'hate.'  How shallow these people are."—Neal Boortz

 

--
Centroids: The Center of the Radical Centrist Community <[email protected]>
Google Group: http://groups.google.com/group/RadicalCentrism
Radical Centrism website and blog: http://RadicalCentrism.org
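
An added example, not part of the original message or of either quoted post: a small offline simulation of the fallback behaviour the Volokh Conspiracy post describes, where a validating client keeps asking further DNS servers until it gets a signed answer. The HMAC "signature", the resolver functions, and the names and addresses are all constructed assumptions standing in for real DNSSEC validation.

```python
import hashlib
import hmac

# Constructed values. HMAC stands in for DNSSEC's public-key signatures
# (RRSIG records checked up a chain of trust) so this runs offline.
ZONE_KEY = b"constructed-zone-key"
NAME, REAL, FAKE = "www.example.test", "192.0.2.10", "203.0.113.66"

def sign(name, addr, key=ZONE_KEY):
    return hmac.new(key, f"{name}|{addr}".encode(), hashlib.sha256).hexdigest()

def validated(name, answer):
    """True only when the answer carries a signature that verifies."""
    if not answer or not answer.get("sig"):
        return False
    return hmac.compare_digest(answer["sig"], sign(name, answer["addr"]))

def resolve(name, resolvers):
    """Try resolvers in order; accept the first validated answer.
    Returns (address or None, [(resolver label, outcome), ...])."""
    trail = []
    for label, lookup in resolvers:
        answer = lookup(name)
        if answer is None:
            trail.append((label, "no answer"))
        elif not validated(name, answer):
            trail.append((label, "rejected"))
        else:
            trail.append((label, "validated"))
            return answer["addr"], trail
    return None, trail

# Hypothetical resolver behaviours (all constructed for this example).
def honest(name):      # returns the real, signed address
    return {"addr": REAL, "sig": sign(name, REAL)}
def silent(name):      # withholds the record: blocking order or attacker
    return None
def unsigned(name):    # claims the site has no signed credential yet
    return {"addr": FAKE, "sig": None}
def forged(name):      # signs the fake address with the wrong key
    return {"addr": FAKE, "sig": sign(name, FAKE, b"attacker-key")}

def outcomes_only(first_hop):
    """Outcome sequence the client observes for a given first resolver."""
    addr, trail = resolve(NAME, [("local", first_hop), ("second", honest)])
    return addr, [outcome for _, outcome in trail]

if __name__ == "__main__":
    for hop in (silent, unsigned, forged, honest):
        print(hop.__name__, outcomes_only(hop))
```

A withheld record produces the same observation whether it comes from a blocking order or from a hijacker, which is the post's point that the client code cannot tell the two apart.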
