#NerdsUnite: A Nerd's Eye View on #SOPA
<editorsnote> Nerds meet my buddy Jason. He's super passionate about SOPA and the implications it could have for us in the digiworld. Here are his thoughts on all the hooey pooey. I only have one more thing left to say ... HIT IT JASON!!! </editorsnote>
#TalkNerdyToMeLover's Jason Allen King
There's much discussion and public outrage in the IT community about the potential implications of SOPA (Stop Online Piracy Act) and how it will affect the Internet. Many people have acted surprised when I state that I'm not 'that worried about it' and I want to explain why you shouldn't be either. -- Even if it passes, implementation will be a nightmare, and it will fail to actually be enforced.
* DNS stands for domain name service. SOPA's enforcement relies heavily on DNS, specifically on blocking domain names from resolving when a site is 'suspected' of offering pirated material.
First, as a background:
At the age of 19 (12 years ago), I successfully raised over $250,000 to fund a startup based around DNS services, and later had that startup accepted into a prestigious UMSL/WASH.U sponsored technology incubator.
By 23, I was solely responsible for contracting the migration of the Government of Pakistan's entire website infrastructure (military, judicial, financial, and all other government websites, both public and private) to the US. I designed the routing, security, content filtering, server hosting, and intrusion detection framework in which their systems were deployed. I worked closely with the FBI and several other government agencies in issues regarding content publication and security.
By 25 I had acquired nearly 20 information technology, network design and network and information security certifications.
By 28 I had secured several multi-million dollar acquisition offers for DNS based software that I had written.
At 31 (now), I'm running the continued development of several software projects as well as managing several hundred website hosting clients that altogether use nearly 47,000 IP addresses and approximately 9,700 domain names.
While I am not an expert in Internet Law, I do consider myself an expert in DNS management, and it is here, in my understanding of how SOPA is enforced via DNS manipulation, that I am going to discuss the bill's implications.
Point 1 - Does more harm than good.
Essentially, the bill is so incredibly ignorant, that no matter how good the intentions, once it becomes law, enforcement of the law will become such a bureaucratic nightmare and face such extreme resistance that it will practically be neutered from day one.
SOPA basically requires a website hosting provider to block access to a website if some small agency deems it could 'possibly be providing copyright infringing material'. I say possibly because they will have the authority to issue the cease and desist order before any defense can be made, and the order can essentially be issued on the whim of someone with an axe to grind. It’s that bad.
Simply, it provides the power to the government to block Youtube.com, in its entirety, by forcing YouTube’s ISP to stop the Youtube.com domain from resolving simply because a single user posted a copy of Metallica's Enter Sandman (or any other copyrighted material). YouTube already has a great method of dealing with copyright infringement.
Their user agreement states it's a violation of their terms to do so. They have an entire staff dedicated to dealing with possible violations as soon as they are notified.
This bill sets a bad precedent. There is absolutely no way that YouTube is going to honor a cease and desist of that order. This law will force YouTube’s hand to either move its data overseas, or simply thumb their nose at the law, and pay the consequences. What kind of revenue would YouTube lose by being completely blacked out for a day?
Who owns YouTube? Google. Google has already stood before Congress and explained how ignorant the bill is, in some cases stating how the incredibly ambiguous language has left their legal department unable to interpret it. So, for large companies, such as Google, YouTube, Amazon.com, etc. it's most likely that they simply won't obey the law, and will instead fight it out in court, as the potential loss in revenue that could be caused by unjust court orders will be more damaging to their bottom line than any court fight.
From day one, SOPA will most likely have little or no effect on the largest, public distributors of content. Enforcement will simply be refused as the largest companies could actually die if they succumb to it. This is exactly why they will fight. YouTube probably has thousands of copyright infringing uploads each day, so YouTube would be at risk of shutdown every single day it operates. If they were successfully shut down one day and get back online the next, they could again be shut down the following day! They simply have way too much volume to abide by this law.
Where this law could be particularly damaging is in how it's applied to the small guy. Take, for example, a small local online classifieds site. Completely innocent in nature, yet a member decides to start using it to provide access to copyrighted material (selling illegally copied DVDs, for example). Rather than follow normal, existing methods to deal with it (like contacting the manager of the site), the entire site could be taken offline without notice to the site owner. This opens up a can of worms, as 1. It’s possible there wasn't any violation of law on the part of the site owner. 2. It could disrupt existing service agreements the site owner has with its members to provide a certain level of uptime. Here you have an innocent content provider being damaged to a degree that may be worse than the actual supposed crime.
As I'll discuss in point 2 below, the technical implications of enforcement could potentially disrupt more than a website's availability: email and other DNS-based services could be affected as well.
A small business owner like this doesn't have a legal team to fight the US government in court, and they may simply be forced to shut down in the face of all the implications surrounding providing member published content in the age of "SOPA".
So here we have a bill that won't really affect the largest providers publishing illegal content en masse, yet could systematically ruin small businesses that were essentially innocent, all while driving many legit businesses, big and small, overseas to avoid being impacted by the bill. -- Google has already threatened to move massive amounts of their infrastructure to Europe if this passes. Nice! Keep in mind, in spite of all of this, it might not actually stop any of the true pirates!
Point 2 - Enforcement will be a nightmare.
There's a site called thePirateBay.org that provides torrent tracking (a form of file sharing). The site itself isn't doing anything illegal, but its members can post links to software and other files which may be illegal. When their government tried to take them down, they (PirateBay) initiated a cat and mouse game which they essentially won. The website is still available and running as strong as ever.
The technical implications, in regards to enforcement, will more than likely do nothing to affect 'actual pirates of software and copyrighted material' as demonstrated by PirateBay's ability to circumvent the law. All this law is going to do is force into the limelight all of the ways content can be shuffled around, and how the court orders to take down the content can be gamed. While large, public companies like Amazon.com and Google will more than likely thumb their nose at the law and fight it out in court, underground/pirate sites will be much sneakier and make it incredibly expensive and annoying to chase them down, especially with the ease with which domain names can be shuffled around, and content moved to foreign locations.
Again, I can promise you that this bill will affect everyone except the actual pirates. To get into the technical details (which may be a boring topic to some) I'm going to discuss one major part of the bill that is ambiguous at best.
A) SERVICE PROVIDERS.
(i) IN GENERAL. A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name's Internet Protocol address.
This is getting back to how DNS works, and why this is going to create a nightmare in regards to enforcement. If the US Gov wants the site to be blocked, and the domain to be prevented from resolving, do they contact the webhost of the site? Or the registrar of the domain name?
Website Host - Actually provides the content, and assigns an IP address to the website.
Registrar - Controls the domain name, as well as the records that dictate which IP address the domain name points to.
These two bodies can operate completely independently of each other.
If contacting the registrar, they basically need to update the A record to point somewhere else, or nullify the domain completely. The A record is the part of the domain name’s configuration that points the domain to a specific website. This would require updating the DNS to point the domain to a different website/IP. Removing the domain config file completely (nullifying) does more than just take the site down; it could affect any other services built around that domain, such as email. There is more than just one record in a domain configuration. There is also an MX record, which dictates where email is delivered. Just this implies a potential cascading effect in regards to disruption of business, in ways that could do more damage to legit/innocent companies than the actual copyright infringement itself does. Basically, it's like bringing a nuke to a knife fight.
This law would essentially allow/force Amazon.com to be blocked, and the entire company's email system to go down, simply because one of their retailers is selling copyrighted material that they aren't authorized to sell. Do you think Amazon.com is going to stand for that? More than likely, they will simply ignore the order and deal with the offending retailer the way they always do, by removing the listing and revoking their membership. The other option is to let the site go down and let their email fail. (Can you imagine if all of Amazon.com’s users couldn’t even email Amazon.com or contact them online? Their phone system would break.)
This is part of what makes the bill so damn silly. There are already perfectly fine methods of dealing with this; they just have to be pursued. So if they (the government) don't want to be thugs and disrupt email and potentially affect the lives of thousands of employees, they would need to have the domain pointed somewhere else by updating the A record. This can't really have any immediate effect unless the domain already has a short TTL. TTL is time to live. Local ISPs cache the domain’s entire record for the length of time the TTL dictates. If it's 24 hours (the norm), the registrar can't actually fully block the site until all non-authoritative DNS servers are updated. So, let’s say Amazon.com’s DNS configuration gets updated and now the domain points to nowhere. If the TTL is 24 hours, your ISP’s DNS servers won’t even check for an update to the record for about 24 hours.
The entire point of the legislation is to block a site immediately, and updating a DNS record doesn’t do that, at all. So rather than contacting Amazon.com directly and pointing out a clear violation of copyright law, and allowing Amazon.com to follow their normal procedures and administratively and immediately remove the single violation from their site, the Gov could instead take action to take the entire site offline, something that might take a day! Contacting Amazon directly could result in the infringing item being removed in 15 minutes! In short, not only does this bill complicate things, put innocent businesses at risk, and impinge on the First Amendment, it in no way provides any better method of dealing with the problem!
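The A record, MX record and TTL caching behaviour described above, as a small model added here (it is not the author's code). The domain example-shop.test, the addresses (documentation ranges) and the class names are constructed for illustration, and negative caching is not modeled.

```python
"""Toy model of an ISP caching resolver in front of an authoritative zone."""
TTL = 86400  # 24 hours, the TTL the article treats as the norm
NAME = "example-shop.test"  # constructed domain, not from the article


class Authoritative:
    """The zone as published: {(name, rtype): (value, ttl)}."""
    def __init__(self, records):
        self.records = dict(records)

    def query(self, name, rtype):
        return self.records.get((name, rtype))  # None = does not resolve


class CachingResolver:
    """Reuses a cached answer until its TTL expires, then asks upstream."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def resolve(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        if hit and now < hit[1]:
            return hit[0]  # still fresh: upstream is not consulted
        answer = self.upstream.query(name, rtype)
        if answer is None:
            self.cache.pop((name, rtype), None)
            return None
        value, ttl = answer
        self.cache[(name, rtype)] = (value, now + ttl)
        return value


def simulate():
    zone = Authoritative({(NAME, "A"): ("192.0.2.10", TTL),
                          (NAME, "MX"): ("mail." + NAME, TTL)})
    isp, seen = CachingResolver(zone), {}
    seen["a_0h"] = isp.resolve(NAME, "A", now=0)    # fills the ISP cache
    seen["mx_0h"] = isp.resolve(NAME, "MX", now=0)
    zone.records[(NAME, "A")] = ("198.51.100.1", TTL)  # A record repointed
    seen["a_1h"] = isp.resolve(NAME, "A", now=3600)    # cache still answers
    seen["a_25h"] = isp.resolve(NAME, "A", now=90000)  # TTL expired, refetched
    zone.records.clear()  # whole zone removed ("nullified")
    seen["mx_26h"] = isp.resolve(NAME, "MX", now=93600)  # mail routing gone
    seen["a_26h"] = isp.resolve(NAME, "A", now=93600)    # cached from 25h
    return seen


if __name__ == "__main__":
    for step, answer in simulate().items():
        print(step, answer)
```

The `a_1h` and `a_26h` results show that a change at the authoritative side is invisible to cached resolvers until the TTL runs out, while `mx_26h` shows mail delivery failing once the whole zone is removed.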
This entirely new, stupid method to stop online piracy could easily be subverted, content provider willing, by registering new domain names that point to the site before the domain TTL expires and/or already having an existing array of domains registered 'just in case'. Then they can continue providing the content by sending emails to users stating they need to visit a different URL if they want to get continued access to the content. If the court order lists the site by domain, boom -- make them go back and get another court order for the new domain. Rinse, repeat.
Will large corporations follow this method? Unlikely, as the biggest corporations will most likely thumb their noses at the court order and deal with the infringement the way they normally do.
But black-market/private sites may do whatever it takes to subvert this law. Just look at the history of PirateBay’s successful attempts at subverting the law. This leads back to the IP address. Web servers (computers that host and publish websites) actually listen on an IP address, so by simply disabling the IP you could block access immediately. This would require going to the actual hosting provider, not the registrar. Here, the hosting provider could just null route the IP (make the IP point to nothing), and access is immediately blocked. However, all this legislation discusses domain names. What if the domain is handled by an American registrar, but hosted by a foreign provider? Or what if the registrar is foreign and the host is domestic?
This will be an enforcement nightmare, and once US government agencies actually have to chase what could potentially be a white rabbit, they are going to want to take another look at existing procedures, such as the one taken with Wikileaks: cutting off their funding/revenue channels (PayPal and MasterCard both cut them off, and Wikileaks' money dried up quickly). If this new legislation were used against Wikileaks, it wouldn't have had much effect, because they would have just played the cat and mouse game by moving URLs and changing IP addresses.
Finally, since I’m not an expert in the legal ramifications of this law, just the technical enforcement ramifications, I’m going to provide a link to a scathing Stanford Law Review on the legal aspects of this bill, and how it essentially ‘breaks the internet’. It too considers the technical aspect, but also deals with First Amendment issues. http://www.stanfordlawreview.org/online/dont-break-internet