NetCoalition - Advocacy Materials

Published on December 2016

400 North Capitol Street NW, Suite 585 Washington, D.C. 20001 Phone: 202-624-1460 | Fax: 202-393-5218 www.netcoalition.com | [email protected]

REFERENCE MATERIALS ON THE PROTECT IP ACT

• FOLDER CONTENTS •
o About NetCoalition
o NetCoalition Analysis of H.R. 3261 (“Stop Online Piracy Act”)
o About the “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011” (“PROTECT IP Act”)
o Internet Engineers’ Letter Urging Amendment to the PROTECT IP Act (October 12, 2011)
o Internet Engineers’ Letter in Opposition to DNS Filtering Legislation (October 12, 2011)
o Center for Democracy & Technology Letter in response to the MPAA concerning the PROTECT IP Act (September 23, 2011)
o Entrepreneurs’ Opposition Letter on the PROTECT IP Act (September 8, 2011)
o Congressional Budget Office Estimate of the PROTECT IP Act (August 16, 2011)
o Legal Experts’ Opposition Letter on the PROTECT IP Act (July 5, 2011)
o Venture Capitalists’ Opposition Letter on the PROTECT IP Act (June 23, 2011)
o Public Interest Opposition Letter on the PROTECT IP Act (May 25, 2011)
o Net Coalition Opposition Letter on the private right of action provisions included in S.968, the PROTECT IP Act (May 25, 2011)
o NetCoalition Testimony Before the Senate Judiciary Committee Hearing on “Targeting Websites Dedicated to Stealing American Intellectual Property” (February 16, 2011)
o Public Interest Letter on COICA (September 27, 2010)
o White Paper on “Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill” (May 2011)

NetCoalition represents leading global Internet and technology companies, including Google, Yahoo!, Amazon.com, eBay, IAC, Bloomberg LP, Expedia and Wikipedia, providing a platform from which members can engage legislators, through active dialogue, on public policy that raises important and fundamental issues involving NetCoalition’s primary agenda. At the core of our values, NetCoalition seeks to preserve the vitality of the Internet that exists today – an open and consumer-oriented competitive environment – which inspires global innovation and trade. We support strong and meaningful initiatives to protect intellectual property – which are, for many companies, among their most valuable assets – and enforce these voluntarily and vigorously.

NetCoalition’s primary agenda includes –

● Promoting a balanced copyright, trademark and data-protection framework in the United States and internationally.
● Preserving a legal regime for Internet companies that inspires innovation and supports the existence of consumer-oriented applications and services free from laws and regulations that impose undue liability on companies that host, locate and provide access to content on the Internet.
● Enforcing consumer-protection policies that facilitate well-informed decisions by consumers regarding accessibility of personal information on the Internet.

Markham C. Erickson serves as Executive Director and General Counsel to the coalition. He is a founding partner of Holch & Erickson LLP, where he represents clients before federal regulatory agencies, courts, and the United States Congress. His practice typically involves engagement on complex issues relating to the Internet, new technologies, and nascent industries. He also has an active practice in Native American law and policy.

The Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (“PROTECT IP Act”)
A Bill of Unintended Consequences

On May 18, 2011, the Senate Judiciary Committee reported out the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (“PROTECT IP ACT”). This legislation, similar to last year’s Combating Online Infringement and Copyrights Act (“COICA”), gives the U.S. government authority to address copyright infringement and the sale of counterfeit merchandise on the Internet. These “rogue” website legislative initiatives are intended to target foreign websites dedicated almost exclusively to illegal copyright and trademark infringement activities.

While NetCoalition supports the goal of the legislation, the PROTECT IP Act will ultimately put American innovators and investors at a serious disadvantage in the global economy. This legislation would likely set an international precedent inspiring international engagement in protectionism and censorship activities, which conflict with the United States’ agenda for a collaborative global Internet marketplace that supports healthy, consumer-oriented competition and economic growth.

Most notably, the PROTECT IP Act enables rights holders to obtain orders to block access to online services by intermediary third parties – with limited oversight and due process. This private right of action provision imposes significant burdens on legitimate online commerce services. The scope of orders and cost of litigation will be significant, even for companies acting in good faith to address illegal copyright-infringing activities. Creating a private litigation regime ignores the voluntary, proactive processes implemented by Internet service providers, advertisers, credit card companies, payment processors, search engines, domain name registrars and registries to combat online piracy.

The members of NetCoalition have the most robust and responsive “notice-and-take down” processes in the world. And no stakeholder asserts NetCoalition members are engaging in illegal activity. As such, it is highly extraordinary that Congress would even consider subjecting payment processors and Internet and technology companies to a private right of action.

Rightsholders claim that a private right of action is needed because the Department of Justice cannot effectively enforce copyright and trademark laws. Should this be the case, discussions among legislators and stakeholders ought to focus on alleviating this issue. Shifting the burden and costs of enforcing copyright and trademark laws to lawful intermediary service providers is not a sensible solution.

NetCoalition remains committed that no entity should make money from sites dedicated to copyright-infringing activities. Consequently, assigning enforcement responsibilities to payment processors, advertising companies and sponsored link providers delivered by search engines – provided there are appropriate safeguards from new, undue liabilities and a prohibition on “tech mandates” – is a sensible solution. A similar approach was approved by Congress in the Unlawful Internet Gambling Prohibition Act, which precludes payment processors from interacting with unlawful overseas gambling operations. We urge Congress to consider this precedent while moving forward on the PROTECT IP Act.

Internet Engineers' Letter Urging Amendment of the PROTECT-IP Act
October 12, 2011
To Members of the United States Senate:

We urge the modification of S. 968, the PROTECT-IP Act of 2011, to remove the provision requiring that domestic Internet service providers filter their Domain Name Service (“DNS”) results to protect brand and copyright owners against online infringement. We are engineers who have spent our careers working in and with the Internet's domain name system at a nuts-and-bolts level. We have developed or collaborated on key technical standards that are fundamental to the functioning of the Internet. We are recognized as leading experts in this particular field of technology. Ordinarily we do not get involved in legislative debates, but we believe that our background leaves us ideally situated to offer a full and realistic evaluation of the likely consequences of certain provisions of S. 968. We recognize and strongly support the rights of brand and copyright owners and we believe that S. 968's provisions curtailing the use of domestic advertising and payment networks by infringing web sites are well considered and will prove effective. However, the filtration of DNS results required by S. 968 would prove both costly and ineffective, and would have serious negative side effects.
PROTECT-IP's Proposed DNS Filtering Is Not Technically Feasible

As drafted, S. 968 calls for DNS editing that is not technically feasible, and incompatible with Internet DNS security extensions (also known as DNSSEC or Secure DNS). These security features have been under development for more than fifteen years with heavy investment by both US industry and US Government, and are now being deployed globally. ICANN has signed the DNS root zone, the U.S. Government has signed .EDU, .GOV and .MIL, large generic top level domains including dot-COM, dot-NET, and dot-ORG are signed, and almost 80 of countries have signed their top-level domains [1]. We stand now on the threshold of the next era in Internet security infrastructure, in which new and more secure applications from e-shopping to e-banking can rely on Secure DNS as their foundation for online identity. If not amended to remove the DNS filtering provision, S. 968 would demand that ISPs choose between deploying Secure DNS and ignoring court-ordered DNS filtering, or forgoing Secure DNS in order to comply with the law. Recent letters [2] and online posts [3,4] by proponents of S. 968 have misstated key facts about DNS and Secure DNS. A white paper [5] by the authors of this letter provides a comprehensive technical critique of the DNS provisions of S. 968, endorsed by the editorial boards of prominent national newspapers [6,7].
PROTECT-IP's Proposed DNS Filtering Would Be Ineffective

Even assuming that domestic ISPs make the high initial and ongoing investment in name server filtering required by S. 968, ISPs cannot force their customers to use their name servers. Any user can avoid such filtering by using another name server, possibly located off-shore and not subject to US law. These off-shore name servers will be capable of redirecting web traffic to malicious sites including fake banks and search engines. By moving information-rich DNS lookup data offshore, users would create risk for the whole US information economy, not just for themselves. And the effort and expertise required to change a user's DNS settings is trivial, often reduced to “one click” or even completely automated.

PROTECT-IP's DNS Filtering Would Bring Negative Side Effects

Proponents of the DNS provisions of S. 968 assert that this proposed legislation would have no impact on Internet infrastructure. The facts about Secure DNS say otherwise. Secure DNS means being able to verify the integrity and source of DNS data, e.g., allowing a user to know whether it has reached their bank or an impostor site. DNS filtering asks DNS servers to “lie” by providing incorrect responses. If Secure DNS is deployed, a user's DNS client will know when it is being lied to. But it won't know whether the lie is the result of court-ordered DNS filtering or criminal interference with the user's DNS lookup. The inability to distinguish legitimate DNS diversions from malicious ones will make it impossible to use DNSSEC as a platform to build robust security protections.

Any comparison of S. 968's DNS provisions to current filtering technologies such as parental controls or spam or malware blocking is inapt. These technologies are wanted by, and indeed installed and operated by, the end users themselves. When provided by ISPs, users do not complain or change their name servers because they are happy with the filtering. It should also be noted that when ISPs deploy Secure DNS, they will no longer be able to use the current filtering technologies. As described above, DNS filtering and Secure DNS are mutually incompatible.

Requiring ISPs to deploy DNS filtering is futile and dangerous. The mere threat of S.968's filtering provision has resulted in the marketing in this country of fast, easy and zero-cost tools to change users' name servers. Just as we predicted in our white paper, there are now numerous evasive DNS services which promise to evade any mandated DNS blocking [8,9,10]. Annually, there are 58 billion page visits to sites dedicated to infringing activities which represents an enormous level of demand. To satisfy that demand, users will change their name servers.
PROTECT-IP's DNS Provisions Should Be Dropped

As stated, S. 968's goals are laudable, and its provisions regarding domestic advertising and payment networks are reasonable. However, no good and much harm can come from the DNS provision of S. 968 as currently written, and we urge that this provision be dropped when the bill is considered by the full Senate.

Signed,

Steve Crocker, Ph.D. – co-creator of the original ARPANET protocols; former Internet Engineering Task Force (IETF) security area director, former Internet Architecture Board member, former Internet Society board member; member of ICANN security and stability advisory committee.

David Dagon, Ph.D. – author of numerous peer-reviewed studies of Secure DNS; co-founder of Internet security company providing DNS-based defense technologies; inventor of proposed anti-poisoning technology for DNS.

Dan Kaminsky – noted security researcher best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS); of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative.

Danny McPherson – Chief Security Officer, Verisign, Inc.; member FCC CSRIC; appointed member Internet Architecture Board; author of numerous security and engineering studies, Internet RFCs, and several books; member of ICANN security and stability advisory committee.

Paul Vixie, Ph.D. – founder of Internet Systems Consortium (ISC), operator of “F” root DNS name server, publisher of BIND DNS software system; IETF DNS protocol contributor; member of ARIN Board of Trustees; member of ICANN security and stability advisory committee.

[1] DNSSEC Deployment Project, http://www.dnssec-deployment.org/
[2] IFTA, et al, “To the Members of the United States Senate”, http://www.mpaa.org/resources/f63d5736-4e36-49fb-a452586b23d24b04.pdf
[3] George Ou, “DNS Filtering is Essential to the Internet”, http://www.hightechforum.org/dns-filtering-is-essential-to-the-internet/
[4] Michael O'Leary, “PROTECT-IP Letter from Law Professors Didn't Do its Homework”, http://blog.mpaa.org/BlogOS/post/2011/07/07/PROTECT-IP-Letter-from-Law-Professors-Did-Not-Do-its-Homework.aspx
[5] Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson, and Paul Vixie, “Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT-IP Act”, http://www.shinkuro.com/PROTECT%20IP%20Technical%20Whitepaper%20Final.pdf
[6] The Los Angeles Times, “Policing the Internet”, http://www.latimes.com/news/opinion/opinionla/la-ed-protectip20110607,0,2415749.story
[7] The New York Times, “Internet Piracy and How to Stop It”, http://www.nytimes.com/2011/06/09/opinion/09thu1.html
[8] Domain Incite, “Pirates set up domain seizure workaround”, http://domainincite.com/pirates-set-up-domain-seizure-workaround/
[9] Telecomix DNS, http://dns.telecomix.org/
[10] Dot-P2P, http://dot-p2p.org/
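The validation behavior the letter describes, as an added Go example that is not part of the letter or of the signers' white paper: a validating client rejects a rewritten answer, and its verdict is the same whoever did the rewriting. Assumptions: an Ed25519 key stands in for a signed zone, the client holds the zone key directly as its trust anchor (no chain of trust from the root), and the name bank.example and all addresses are constructed documentation values.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// RRset is a simplified DNS answer: one owner name, one record type, one value.
type RRset struct {
	Name, Type, RData string
}

// Response is what the validating client receives from its recursive resolver.
type Response struct {
	Answer RRset
	RRSIG  []byte // signature made by the zone; empty if it was stripped
}

// Status is the validator's verdict on a response.
type Status string

const (
	Secure Status = "secure" // data is exactly what the zone signed
	Bogus  Status = "bogus"  // data was altered or its signature is missing
)

// canonical is the byte string the zone signs. Simplified: real DNSSEC signs
// the wire-format RRset together with RRSIG metadata.
func canonical(rr RRset) []byte {
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + rr.RData)
}

// DemoZone builds a constructed signed zone and returns the trust anchor
// (the zone's public key) and the genuine signed answer for bank.example.
func DemoZone() (ed25519.PublicKey, Response) {
	seed := make([]byte, ed25519.SeedSize) // fixed constructed seed: repeatable demo key
	priv := ed25519.NewKeyFromSeed(seed)
	rr := RRset{Name: "bank.example", Type: "A", RData: "192.0.2.10"}
	resp := Response{Answer: rr, RRSIG: ed25519.Sign(priv, canonical(rr))}
	return priv.Public().(ed25519.PublicKey), resp
}

// Rewrite models any party between the zone and the client that replaces the
// answer. It does not hold the zone's private key, so it can only forward the
// old signature or strip it; it cannot produce a valid new one.
func Rewrite(r Response, newRData string, stripSig bool) Response {
	out := Response{Answer: r.Answer, RRSIG: r.RRSIG}
	out.Answer.RData = newRData
	if stripSig {
		out.RRSIG = nil
	}
	return out
}

// Validate is the client-side check. The zone is known to be signed (a trust
// anchor exists), so a missing signature is as unacceptable as a bad one.
// Note what is absent from the inputs: nothing identifies who changed the data.
func Validate(anchor ed25519.PublicKey, r Response) Status {
	if len(r.RRSIG) == 0 {
		return Bogus
	}
	if !ed25519.Verify(anchor, canonical(r.Answer), r.RRSIG) {
		return Bogus
	}
	return Secure
}

func main() {
	anchor, genuine := DemoZone()
	cases := []struct {
		label string
		resp  Response
	}{
		{"genuine answer from the zone", genuine},
		{"resolver filter, signature forwarded", Rewrite(genuine, "203.0.113.10", false)},
		{"resolver filter, signature stripped", Rewrite(genuine, "203.0.113.10", true)},
		{"on-path forgery, signature forwarded", Rewrite(genuine, "198.51.100.66", false)},
	}
	for _, c := range cases {
		fmt.Printf("%-38s -> %s (%s)\n", c.label, Validate(anchor, c.resp), c.resp.Answer.RData)
	}
}
```

Every rewritten case yields the same `bogus` verdict, so an application built on the validator has no signal to separate a mandated diversion from a forged one.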

Internet Engineers' Letter in Opposition To DNS Filtering Legislation
October 12, 2011

The Honorable Lamar Smith
Chairman
Committee on the Judiciary
U.S. House of Representatives
Washington, D.C. 20515

The Honorable John Conyers, Jr.
Ranking Member
Committee on the Judiciary
U.S. House of Representatives
Washington, D.C. 20515

Dear Chairman Smith and Ranking Member Conyers:

As you consider introducing legislation similar to S. 968, the PROTECT-IP Act of 2011, we urge you not to include any provision requiring domestic Internet service providers to filter their Domain Name Service (“DNS”) results to protect brand and copyright owners against online infringement.

We are engineers who have spent our careers working in and with the Internet's domain name system at a nuts-and-bolts level. We have developed or collaborated on key technical standards that are fundamental to the functioning of the Internet. We are recognized as leading experts in this particular field of technology. Ordinarily we do not get involved in legislative debates, but we believe that our background leaves us ideally situated to offer a full and realistic evaluation of the likely consequences of certain provisions of S. 968.

We recognize and strongly support the rights of brand and copyright owners and we believe that S. 968's provisions curtailing the use of domestic advertising and payment networks by infringing web sites are well considered and will prove effective. However, the filtration of DNS results required by S. 968 would prove both costly and ineffective, and would have serious negative side effects.

PROTECT-IP's Proposed DNS Filtering Is Not Technically Feasible

As drafted, S. 968 calls for DNS editing that is not technically feasible, and incompatible with Internet DNS security extensions (also known as DNSSEC or Secure DNS). These security features have been under development for more than fifteen years with heavy investment by both US industry and US Government, and are now being deployed globally. ICANN has signed the DNS root zone, the U.S. Government has signed .EDU, .GOV and .MIL, large generic top level domains including dot-COM, dot-NET, and dot-ORG are signed, and almost 80 of countries have signed their top-level domains [1]. We stand now on the threshold of the next era in Internet security infrastructure, in which new and more secure applications from e-shopping to e-banking can rely on Secure DNS as their foundation for online identity. If not amended to remove the DNS filtering provision, S. 968 would demand that ISPs choose between deploying Secure DNS and ignoring court-ordered DNS filtering, or forgoing Secure DNS in order to comply with the law. Recent letters [2] and online posts [3,4] by proponents of S. 968 have misstated key facts about DNS and Secure DNS. A white paper [5] by the authors of this letter provides a comprehensive technical critique of the DNS provisions of S. 968, endorsed by the editorial boards of prominent national newspapers [6,7].

PROTECT-IP's Proposed DNS Filtering Would Be Ineffective

Even assuming that domestic ISPs make the high initial and ongoing investment in name server filtering required by S. 968, ISPs cannot force their customers to use their name servers. Any user can avoid such filtering by using another name server, possibly located off-shore and not subject to US law. These off-shore name servers will be capable of redirecting web traffic to malicious sites including fake banks and search engines. By moving information-rich DNS lookup data offshore, users would create risk for the whole US information economy, not just for themselves. And the effort and expertise required to change a user's DNS settings is trivial, often reduced to “one click” or even completely automated.
PROTECT-IP's DNS Filtering Would Bring Negative Side Effects

Proponents of the DNS provisions of S. 968 assert that this proposed legislation would have no impact on Internet infrastructure. The facts about Secure DNS say otherwise. Secure DNS means being able to verify the integrity and source of DNS data, e.g., allowing a user to know whether it has reached their bank or an impostor site. DNS filtering asks DNS servers to “lie” by providing incorrect responses. If Secure DNS is deployed, a user's DNS client will know when it is being lied to. But it won't know whether the lie is the result of court-ordered DNS filtering or criminal interference with the user's DNS lookup. The inability to distinguish legitimate DNS diversions from malicious ones will make it impossible to use DNSSEC as a platform to build robust security protections.

Any comparison of S. 968's DNS provisions to current filtering technologies such as parental controls or spam or malware blocking is inapt. These technologies are wanted by, and indeed installed and operated by, the end users themselves. When provided by ISPs, users do not complain or change their name servers because they are happy with the filtering. It should also be noted that when ISPs deploy Secure DNS, they will no longer be able to use the current filtering technologies. As described above, DNS filtering and Secure DNS are mutually incompatible.

Requiring ISPs to deploy DNS filtering is futile and dangerous. The mere threat of S.968's filtering provision has resulted in the marketing in this country of fast, easy and zero-cost tools to change users' name servers. Just as we predicted in our white paper, there are now numerous evasive DNS services which promise to evade any mandated DNS blocking [8,9,10]. Annually, there are 58 billion page visits to sites dedicated to infringing activities which represents an enormous level of demand. To satisfy that demand, users will change their name servers.
PROTECT-IP's DNS Provisions Should Be Dropped

As stated, S. 968's goals are laudable, and its provisions regarding domestic advertising and payment networks are reasonable. However, no good and much harm can come from the DNS provision of S. 968 as currently written, and we urge that this provision not be included in any similar legislation that may be introduced by the House Judiciary Committee.

Signed,

Steve Crocker, Ph.D.
David Dagon, Ph.D.
Dan Kaminsky
Danny McPherson
Paul Vixie, Ph.D.

cc:

The Honorable Robert Goodlatte
Chairman
Intellectual Property, Competition, and the Internet Subcommittee
Committee on the Judiciary
U.S. House of Representatives
Washington, D.C. 20515

The Honorable Melvin Watt
Ranking Member
Intellectual Property, Competition, and the Internet Subcommittee
Committee on the Judiciary
U.S. House of Representatives
Washington, D.C. 20515

Author biographies:

Steve Crocker, Ph.D. – co-creator of the original ARPANET protocols; former Internet Engineering Task Force (IETF) security area director, former Internet Architecture Board member, former Internet Society board member; member of ICANN security and stability advisory committee.

David Dagon, Ph.D. – author of numerous peer-reviewed studies of Secure DNS; co-founder of Internet security company providing DNS-based defense technologies; inventor of proposed anti-poisoning technology for DNS.

Dan Kaminsky – noted security researcher best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS); of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative.

Danny McPherson – Chief Security Officer, Verisign, Inc.; member FCC CSRIC; appointed member Internet Architecture Board; author of numerous security and engineering studies, Internet RFCs, and several books; member of ICANN security and stability advisory committee.

Paul Vixie, Ph.D. – founder of Internet Systems Consortium (ISC), operator of “F” root DNS name server, publisher of BIND DNS software system; IETF DNS protocol contributor; member of ARIN Board of Trustees; member of ICANN security and stability advisory committee.

[1] DNSSEC Deployment Project, http://www.dnssec-deployment.org/
[2] IFTA, et al, “To the Members of the United States Senate”, http://www.mpaa.org/resources/f63d5736-4e36-49fb-a452586b23d24b04.pdf
[3] George Ou, “DNS Filtering is Essential to the Internet”, http://www.hightechforum.org/dns-filtering-is-essential-to-the-internet/
[4] Michael O'Leary, “PROTECT-IP Letter from Law Professors Didn't Do its Homework”, http://blog.mpaa.org/BlogOS/post/2011/07/07/PROTECT-IP-Letter-from-Law-Professors-Did-Not-Do-its-Homework.aspx
[5] Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson, and Paul Vixie, “Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT-IP Act”, http://www.shinkuro.com/PROTECT%20IP%20Technical%20Whitepaper%20Final.pdf
[6] The Los Angeles Times, “Policing the Internet”, http://www.latimes.com/news/opinion/opinionla/la-ed-protectip20110607,0,2415749.story
[7] The New York Times, “Internet Piracy and How to Stop It”, http://www.nytimes.com/2011/06/09/opinion/09thu1.html
[8] Domain Incite, “Pirates set up domain seizure workaround”, http://domainincite.com/pirates-set-up-domain-seizure-workaround/
[9] Telecomix DNS, http://dns.telecomix.org/
[10] Dot-P2P, http://dot-p2p.org/

September 23, 2011

TO MEMBERS OF THE UNITED STATES SENATE:

We are writing in response to the September 20, 2011 letter by the Motion Picture Association of America (MPAA) and a number of its allies concerning S. 968, the PROTECT IP Act. There is no substantial disagreement with the bill’s goal of combating the online infringement of copyrights and trademarks; that is a valid and important aim. But some of the specific provisions of S. 968 are far more controversial and would do far more damage than MPAA’s letter suggests. We would like to respond in particular to the following points.

§ MPAA’s letter says that the bill’s tactic of requiring ISPs to block domain-name lookup requests is already in use today to fight spam and malware, and can be employed without endangering the emerging security technology known as DNSSEC. But the principal author of the preeminent domain-name blocking technology says that the approach can’t work for copyright infringement; it is an approach that only works when the users want to be protected.[1] Even more important, Internet engineers with unassailable domain name system expertise have warned that S. 968 could stop DNSSEC – a crucial effort to improve Internet security, over 15 years in the making – dead in its tracks.[2] The Internet Society likewise states that domain-name filtering will impede DNSSEC and decrease global security.[3] There is no basis for the MPAA’s breezy dismissal of the serious technical and security problems with portions of S. 968.

§ MPAA’s letter cites Ofcom, the United Kingdom’s independent communications regulator, as concluding that domain-name blocking could deter casual and unintentional infringers. But the same Ofcom report found that blocking domain names is “incompatible” with DNSSEC, and that therefore “a replacement for DNS blocking would be required within the next three years.”[4] Tellingly, the U.K. government responded to the Ofcom report by deciding not to move ahead with site-blocking regulations that had been proposed.[5]

§ MPAA’s letter cites a favorable editorial by the Washington Post. But other major newspapers have urged caution. The Los Angeles Times observed that, despite its laudable goals, the bill’s “details are problematic” – in large part because it “could undermine efforts to build a more reliable and fraud-resistant domain name system.”[6] The New York Times likewise called some of the bill’s remedies “problematic,” especially the domain-name blocking, and concluded that S. 968 “shouldn’t pass as is.”[7]

§ MPAA’s letter quotes a constitutional scholar who believes the bill does not pose First Amendment concerns. But 108 law professors have signed a letter expressing the view that the bill has “grave constitutional infirmities” because it would suppress speech at blocked domain names before a final determination of illegality.[8] Under prior restraint jurisprudence, the government cannot restrict access to expressive material based on a finding that the material is probably illegal; rather, government must first determine that the material actually is illegal.

§ MPAA’s letter says that S. 968 will safeguard American jobs. But over 50 of the country’s most prominent venture capitalists have warned that S. 968 will “stifle investment in Internet services, throttle innovation, and hurt American competitiveness.”[9] Technology trade associations have cautioned that portions of the bill “will undoubtedly inhibit innovation and economic growth.”[10] Payment systems and technology companies have serious concerns regarding the impact of the bill’s private right of action.[11] Parts of S. 968 threaten more jobs than they would safeguard.

We believe it would be possible to craft an effective bill that would combat online infringement without the major collateral damage that S. 968 threatens to cause. In particular, there is general consensus that a “follow the money” approach – cutting off the revenue sources for foreign infringement websites – has real promise. A study earlier this year found that blocking the money flow is the best way to achieve a real reduction in spam,[12] and we believe that the same is true with respect to infringement. Unfortunately, S. 968 goes far beyond the money-focused approach to include highly controversial provisions that would ultimately do significant harm in exchange for what would likely be a negligible and fleeting impact on infringement. S. 968 in its current form should not pass.

Thank you for your careful consideration of the concerns raised by S. 968. We stand ready to work with the Senate to craft a bill that can achieve the goal of reducing online infringement without so much collateral damage.

Sincerely,

/s/ Leslie Harris
President and CEO

/s/ David M. Sohn
Senior Policy Counsel

[1] Paul Vixie, “Alignment of Interests in DNS Blocking,” Jul 23, 2011, http://www.circleid.com/posts/20110723_alignment_of_interests_in_dns_blocking/.
[2] Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson, and Paul Vixie, Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill, May 2011, http://www.shinkuro.com/PROTECT%20IP%20Technical%20Whitepaper%20Final.pdf.
[3] Internet Society Perspectives on Domain Name System (DNS) Filtering, Sept. 15, 2011, http://www.isoc.org/internet/issues/docs/dns-filtering_20110915.pdf.
[4] Ofcom, “Site Blocking” to reduce online copyright infringement, Aug. 3, 2011, http://stakeholders.ofcom.org.uk/binaries/internet/site-blocking.pdf, p. 43.
[5] See U.K. Department for Culture, Media and Sport, Next steps for implementation of the Digital Economy Act, Aug. 2011, http://www.culture.gov.uk/images/publications/Next-steps-for-implementation-of-the-Digital-EconomyAct.pdf; Mike Sweeney, “Government scraps plan to block illegal filesharing websites,” The Guardian, Aug. 3, 2011, http://www.guardian.co.uk/technology/2011/aug/03/government-scraps-filesharing-sites-block.
[6] “Policing the Internet,” L.A. Times, June 7, 2011, http://articles.latimes.com/2011/jun/07/opinion/la-ed-protectip20110607.
[7] “Internet Piracy and How to Stop It,” N.Y. Times, June 8, 2011, http://www.nytimes.com/2011/06/09/opinion/09thu1.html?_r=1.
[8] Professors’ Letter in Opposition to “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011,” July 5, 2011, http://www.scribd.com/doc/59241037/PROTECT-IP-Letter-Final.
[9] Letter to Members of the U.S. Congress, June 23, 2011, https://docs.google.com/document/d/14CkX3zDyAxShrqUqEkewtUCjvvFdciIbKjC18_eUHkg/edit?hl=en_US&authkey=CNHr3I4L&ndplr=1&pli=1.
[10] Letter of CCIA, CEA, and NetCoalition to Sens. Leahy and Grassley, May 25, 2011, http://cdt.org/files/Tech_Assn_Letter_re_PIPA_5-25-11.pdf.
[11] Letter to Sens. Leahy and Grassley, May 25, 2011, http://cdt.org/files/NC-Letter_on_PRA_on_Protect_IP_Act-4.pdf.
[12] See John Markoff, “Study Sees Way To Win Spam Fight,” N.Y. Times, May 19, 2011, http://www.nytimes.com/2011/05/20/technology/20spam.html.

To Members of the United States Congress:

The undersigned are 160 entrepreneurs, founders, CEOs and executives who have been involved in 349 technology start-ups, and who have created over 65,000 jobs directly through our companies and hundreds of thousands, if not millions, more through the technologies we invented, funded, brought to market and made mainstream. We write today urging you to reject S.968, the PROTECT IP Act, also known as “PIPA.”

We appreciate the stated purpose of the bill, but we fear that if PIPA is allowed to become law in its present form, it will hurt economic growth and chill innovation in legitimate services that help people create, communicate, and make money online.

It is a truism that small businesses create significant economic growth and jobs, but it is more accurate to say that new businesses, including tech start-ups, are most important.[1] The Internet is a key engine of today’s economy,[2] and much of its economic contribution is attributable to companies that did not even exist 10 or even 5 years ago. The Internet has also created new opportunities for artists and other content creators -- today, there is more content being created by more people on more platforms (including some of our businesses) than ever before.

We are not opposed to copyright or the bill’s intent, but we do not think this bill will actually fulfill copyright’s purpose of encouraging innovation and creativity. While the bill will create uncertainty for many legitimate businesses and in turn undermine innovation and creativity on those services, the dedicated pirates who use and operate “rogue” sites will simply migrate to platforms that conceal their activities.

Our concerns include the following:

• The notion of sites “dedicated to infringing activities” is vague and ripe for abuse, particularly when combined with a private right of action for rightsholders: Legitimate sites with legitimate uses can also in many cases be used for piracy. Historically, overzealous rightsholders have tried to stop many legitimate technologies that disrupted their existing business models and facilitated some unauthorized activity. The following technologies were condemned at one point or another - the gramophone (record player), the player piano, radio, television, the photocopier, cable TV, the VCR, the DVR, the mp3 player and video hosting platforms. Even though these technologies obviously survived, many individual businesses like DVR-maker ReplayTV and video platform Veoh were not so fortunate - those companies went bankrupt due to litigation costs, and sold their remaining assets to foreign companies.

PIPA provides a new weapon against legitimate businesses and “rogue” sites alike, and the concern in this context is not merely historical or theoretical. Recent press reports noted that advertising giant WPP’s GroupM subsidiary had put together a list of 2,000 sites that were declared to be “supporting piracy,” on which none of its advertising would be allowed to appear. That list - which was put together with suggestions from GroupM clients - includes Vibe.com, the online version of the famed Vibe Magazine, founded by Quincy Jones, and a leading publication for the hip hop and R&B community. It also included the Internet Archive’s Wayback Machine, which preserves copies of Web pages in order to fill a similar function as libraries. When a famous magazine and a library get lumped in with “rogue pirate sites” in this way, it’s not hard to see how an overzealous copyright holder might seek to shut legitimate businesses down through PIPA.

• The bill would create significant burdens for smaller tech companies: One of the key reasons why startups and innovative small businesses became the success stories we know of today was protection from misguided lawsuits under the safe harbors of Section 512 of the Digital Millennium Copyright Act (DMCA). By properly putting the legal liability on the actual actors of infringement rather than third-parties, Congress wisely ensured that service providers, such as many of the companies represented in this letter, could flourish.

PIPA would put new burdens and possible liability on independent third parties, including payment processors, advertising firms, information location tools and others. The definitions here are incredibly vague, and many companies signed below could fall under the broad definitions of “information location tools,” meaning costly changes to their infrastructure, including how we remain in compliance with blocking orders on an ever-changing Internet. Separately, including a private right of action means that any rightsholder can tie up a service provider in costly legal action, even if it eventually turns out to not be valid. Given the broad definitions used above for sites “supporting piracy,” it’s not difficult to predict that plenty of legitimate startups may end up having to spend time, money and resources to deal with such actions. These burdens will be particularly intense for small businesses who can’t easily afford the legal fees, infrastructure costs or staff required to remain in compliance with broadly worded laws in a rapidly changing ecosystem. Legitimate services already do their part by following the notice-and-takedown system of the DMCA. While we take these types of legal responsibilities seriously and already take on costs to do so, that’s no reason to pile on additional regulations.

• Breaking DNS will harm our ability to build new, safe, and secure services. As detailed in a recent whitepaper by some of the foremost experts in Internet architecture and security, PIPA will fragment parts of key Internet infrastructure, and disrupt key security tools in use today.[3] Interfering in the basic technological underpinnings of the Internet that we all rely on today would be a huge anchor on innovation in many of our companies.

As Web entrepreneurs and Web users, we want to ensure that artists and great creative content can thrive online. But this isn’t the right way to address the underlying issue. Introducing this new regulatory weapon into the piracy arms race won’t stop the arms race, but it will ensure there will be more collateral damage along the way. There are certainly challenges to succeeding as a content creator online, but the opportunities are far greater than the challenges, and the best way to address the latter is to create more of the former. In other words, innovation in the form of more content tools, platforms and services is the right way to address piracy -- while also creating new jobs and fueling economic growth. Entrepreneurs like us can help do that; PIPA can’t.

Sincerely,
(In alphabetical order by name, followed by companies either founded or where one was in a job-creating executive role)

Jonathan Abrams: Nuzzel, Founders Den, Socializr, Friendster, HotLinks
Asheesh Advani: Covestor, Virgin Money USA, CircleLending
David Albert: Hackruiter
Will Aldrich: SurveyMonkey, TripIt, Yahoo
Courtland Allen: Syphir, Tyrant
Lloyd Armbrust: OwnLocal.com
Jean Aw: NOTCOT Inc.
Joshua Baer: Capital Factory, OtherInbox, UnsubCentral, SKYLIST
Andy Baio: Upcoming, Kickstarter
Edward Baker: Friend.ly
David Barrett: Expensify
Jonathan Baudanza: beatlab.com, Rupture
Katia Beauchamp: Birchbox
Idan Beck: Incident Technologies
Matthew Bellows: Yesware Inc., WGR Media
David Berger: XL Marketing, Caridian Marketing Labs
Nicholas Bergson-Shilcock: Hackruiter
Ted Blackman: Course Zero Automation, Motion Arcade
Matthew Blumberg: MovieFone, ReturnPath
Nic Borg: Edmodo
Bruce Bower: Plastic Jungle, Blackhawk Network, Reactrix, Soliloquy Learning, ZapMe! Corporation, YES! Entertainment
Josh Buckley: MinoMonsters
John Buckman: Lyris, Magnatune, BookMooch
Justin Cannon: Lingt Language, EveryArt
Teck Chia: OpenAppMkt, Omigosh LLC, Gabbly.com
Michael Clouser: iLoding, Market Diligence, CEO Research, New Era Strategies
Zach Coelius: Triggit, Votes For Students, Coelius Enterprises
John Collison: Stripe
Ben Congleton: Olark, Nethernet
Dave Copps: PureDiscovery, Engenium
Jon Crawford: Storenvy
Dennis Crowley: Foursquare, Dodgeball
Angus Davis: Swipely, Tellme
Eric DeMenthon: PadMapper.com
Steve DeWald: Proper Suit, Data Marketplace, Maggwire
Chad Dickerson: Etsy
Suhail Doshi: Mixpanel
Natalie Downe: Lanyrd Inc.
Nick Ducoff: Infochimps
Derek Dukes: *Stealth Startup*, Dipity, Yahoo!
Jennifer Dulski: The Dealmap
Rod Ebrahimi: ReadyForZero, DirectHost
Chas Edwards: Luminate, Digg, Federated Media, MySimon
Dale Emmons: Vidmakr
David Federlein: Fowlsound Productions, Soapbox Coffee, Inc.
Mark Fletcher: ONElist, Bloglines
Andrew Fong: Kirkland North
Tom Frangione: Simply Continuous, Telphia
Brian Frank: Live Colony
Ken Fromm: Vivid Studios, Loomia, Iron.io
Nasser Gaemi: BigDates, ASAM International
Matt Galligan: SimpleGeo, SocialThing
Zachary Garbow: Funeral Innovations
Jud Gardner: Comprehend Systems
David Gibbs: High Speed Access Corp, Darwin Networks, Nomad Innovations
Christopher Golda: BackType
Eyal Goldwerger: TargetSpot, XMPie, WhenU, GoCargo
Jude Gomila: Heyzap
Jeremy Gordon: Department of Behavior and Logic, Secret Level, MagicArts
Steve Greenwood: drop.io
James Gross: Percolate, Federated Media
Sean Grove: Bushido, Inc.
Anupam Gupta: Mixpo
Mike Hagan: LifeShield, Verticalnet, Nutrisystem
Tony Haile: Chartbeat, Chi.mp
Jared Hansen: Breezy
Scott Heiferman: Meetup, Fotolog
Jack Herbeck Jr.: Elroynet, Blu Zone
Eva Ho: Factual, Navigating Cancer, Applied Semantics
Reid Hoffman: LinkedIn, Paypal, Socialnet, Investor in many more, including Facebook, Zynga & GroupOn
Jason Huggins: Blu Zone
Ben Ifeld: Macer Media
Joichi Ito: Neoteny, Digital Garage, Investor in many more including Twitter, Flickr, Kickstarter, Six Apart, Technorati and over 20 other US companies
Jason Jacobs: FitnessKeeper
Daniel James: Three Rings Design
David Jilk: Standing Cloud, eCortex, Xaffire
Noah Kagan: Appsumo, GetGambit
Bill Kallman: Scayl, Varolii
Jon Karl: iovation, ieLogic
Michael Karnjanaprakorn: Skillshare
Bryan Kennedy: Sincerely.com, AppNinjas, Xobni, Pairwise
Derek Kerton: Kerton Group, Telecom Council of Silicon Valley
Drew Kese: Ecount, Orocast
David Kidder: Clickable, SmartRay Network, THINK New Ideas, Net-X
Eric Koger: ModCloth
Kitty Kolding: elicit, House Party, Jupiter
Pete Koomen: Optimizely, CarrotSticks
Brian Krausz: GazeHawk
Amit Kumar: Socialscope
Ryan Lackey: HavenCo, Blue Iraq, Cryptoseal
Jeff Lawson: Twilio, Nine Star, Stubhub, Versity
Peter Lehrman: AxialMarket, Gerson Lehrman Group
Michael Levit: Bluelight.com, Redbooth, Spigot, Founders Den
Michael Lewis: Stellar Semiconductor, Cryptic Studios
Thede Loder: Boxbe, Leverage Information Systems
Marissa Louie: Ness Computing, HeroEX, AD-Village
Eric Marcoullier: OneTrueFan, Gnip, MyBlogLog, IGN
Michael Masnick: Floor64
Jordan Mendelson: SeatMe, Heavy Electrons, SNOCAP, Web Services Inc
Dwight Merriman: DoubleClick, BusinessInsider, Gilt Groupe, 10gen
Scott Milliken: MixRank.com
Michael Montano: BackType
Dave Morgan: Simulmedia, TACODA, Real Media
Zac Morris: Caffeinated Mind Inc.
Rick Morrison: Comprehend Systems
Amy Muller: GetSatisfaction, Rubyred Labs
Darren Nix: Silver Financial
Jeff Nolan: GetSatisfaction, NewsGator, Teqlo, Investor in many more
Craig Ogg: ThisNext, Stamps.com, TrueCar
Alexis Ohanian: Breadpig, Hipmunk, Reddit
Casey Oppenheim: Disconnect, Oppenheim Law
Tim O’Reilly: O'Reilly Media, Safari Books Online, Collabnet, Investor in many more
Michael Ossareh: Heysan
Gagan Palrecha: Chirply, Zattoo, Sennari
Scott Petry: Authentic8, Postini
Mark Pincus: Zynga, Tribe Networks, SupportSoft, FreeLoader
Chris Poole: 4chan, Canvas
Jon Pospischil: PowerSportsStore, AppMentor, FoodTrux, Custora
Jeff Powers: Occipital
Jeff Pulver: 140Conf, Pulver.com, Vonage, Free World Dialup, VON Coalition, Vivox
Scott Rafer: Omniar, Lookery, MyBlogLog, Feedster, Fresher, Fotonation, Torque Systems
John Ramey: BuyAds.com, isocket, Maven Ventures, Lythargic Media, electronicfood.com
Vikas Reddy: Occipital
Michael Robertson: DAR.fm, mp3tunes.com, Gizmo5, Linspire, mp3.com
Ian Rogers: TopSpin, MediaCode, FISTFULAYEN, NullSoft/AOL, Yahoo! Music
Avner Ronen: Boxee, Odigo
Zack Rosen: ChapterThree, MissionBicycle, GetPantheon
Oliver Roup: VigLink
Slava Rubin: IndieGoGo
David Rusenko: Weebly
Arram Sabeti: ZeroCater
Peter Schmidt: Midnight Networks, NorthStar Internetworking, Burning Blue Aviation, New England Free Skies Association, Lifting Mind, Analog Devices, Teradyne, Ipanema Technologies, Linear Air
Geoff Schmidt: Tuneprint, MixApp, Honeycomb Guide
Sam Shank: HotelTonight, DealBase, SideStep, TravelPost
Upendra Shardanand: Daylife, The Accelerator Group, Firefly Network
Emmett Shear: Justin.tv
Pete Sheinbaum: LinkSmart, DailyCandy, Alexblake.com, Shop.Eonline.com
Chris Shipley: Guidewire Group
Adi Sideman: Oddcast, Ksolo Karaoke, TargetSpot, YouNow
Chris Sims: Agile Learning Labs
Dan Siroker: Optimizely, CarrotSticks
Rich Skrenta: Blekko, Topix, NewHoo
Bostjan Spetic: Zemanta
Joel Spolsky: StackExchange, Fog Creek Software
Josh Stansfied: Incident Technologies
Mike Tatum: Whiskey Media, Listen.com/Rhapsody, CNET
Brad Templeton: ClariNet Communications, Looking Glass Software, Caller App Inc.
Jack Templin: Lockify, ARC eConsultancy
Craig Tumblison: Bitcove
Khoi Vinh: Lascaux, NYTimes.com, Behavior Design
Joseph Walla: HelloFax
Brian Walsh: Castfire, Three Deep
David Weekly: PBWorks
Jack Welde: Smartling, eMusic, RunTime Technologies, Trio Development
Evan Williams: Blogger, Twitter, Obvious
Holmes Wilson: Worcester LLC, Participatory Culture Foundation
Pierre-R Wolff: DataWorks, E-coSearch, AdPassage, Impulse! Buy Network, Kinecta, Impermium, First Virtual Holdings, Revere Data, Tribe Networks
Dennis Yang: Infochimps, Floor64, CNET, mySimon
Chris Yeh: PBWorks, Ustream, Symphoniq
Kevin Zettler: Bushido, Inc.

CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
August 16, 2011

S. 968
Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011
As reported by the Senate Committee on the Judiciary on May 26, 2011

SUMMARY

S. 968 would authorize the Attorney General to commence legal actions against individuals who operate or register an Internet site dedicated to activities infringing on copyrights of others. In situations where the individual cannot be located, the Attorney General could proceed against the domain name. The bill also would provide immunity from liability for Internet advertising services and financial transaction providers that take preventative measures against copyright-infringing Internet sites.

Based on information from the Department of Justice (DOJ), CBO estimates that implementing S. 968 would cost $47 million over the 2012-2016 period, assuming appropriation of the necessary funds. Pay-as-you-go procedures do not apply to this legislation because it would not affect direct spending or revenues.

S. 968 contains no intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would not affect the budgets of state, local, or tribal governments.

S. 968 contains private-sector mandates as defined in UMRA. The bill would impose new requirements on companies such as Internet service providers, credit card companies, online advertisers, and search engines that engage in activities related to Internet sites that infringe on the copyrights of others. The bill also would eliminate an existing right to seek compensation for damages caused by companies that voluntarily block access to or stop doing business with Internet sites suspected of infringing on copyrights. Because the costs of the mandates would depend on future judicial proceedings, CBO cannot determine whether the aggregate cost of the mandates would exceed the annual threshold established in UMRA ($142 million in 2011, adjusted annually for inflation).

ESTIMATED COST TO THE FEDERAL GOVERNMENT

The estimated budgetary impact of S. 968 is shown in the following table. The costs of this legislation fall within budget function 750 (administration of justice).

By Fiscal Year, in Millions of Dollars

                                  2012   2013   2014   2015   2016   2012-2016
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level        9      7     10     11     11          48
Estimated Outlays                    7      8     10     11     11          47

BASIS OF ESTIMATE

For this estimate, CBO assumes that S. 968 will be enacted near the end of fiscal year 2011, that the necessary amounts will be provided for each year, and that spending will follow historical patterns for similar activities.

Based on information provided by DOJ, CBO estimates that implementing S. 968 would cost $47 million over the 2012-2016 period. DOJ anticipates that it would need to hire 22 special agents and 26 support staff to execute its new investigative responsibilities under the bill. Once fully phased in, CBO estimates the costs of the additional employees under the bill would reach about $10 million annually, including salaries, benefits, training, equipment, and support costs. For this estimate, we assume the investigative positions would be fully staffed by 2014 and that future spending would be adjusted for anticipated inflation.

PAY-AS-YOU-GO CONSIDERATIONS: None.

ESTIMATED IMPACT ON STATE, LOCAL, AND TRIBAL GOVERNMENTS

S. 968 contains no intergovernmental mandates as defined in UMRA and would not affect the budgets of state, local, or tribal governments.

ESTIMATED IMPACT ON THE PRIVATE SECTOR

S. 968 contains private-sector mandates as defined in UMRA by imposing new requirements on companies that engage in certain activities related to Internet sites that infringe on the copyrights of others and by eliminating an existing right of action against entities that voluntarily cease interactions with Internet sites suspected of infringing on copyrights. Because the costs of the mandates would depend on future judicial proceedings, CBO cannot determine whether the aggregate cost of the mandates would exceed the annual threshold established in UMRA ($142 million in 2011, adjusted annually for inflation).

By authorizing DOJ to take legal action against Internet service providers, credit card companies, online advertisers, and search engines that engage in activities that infringe on the copyrights of others, the bill would impose a mandate. The companies identified in a DOJ legal action would be required either to block access to the Internet site or stop doing business with the site. The bill also would allow copyright holders to take legal action to prohibit credit card companies and online advertisers from doing business with Internet sites that infringe on copyrights. Because of uncertainty about how often and against whom the Department of Justice or copyright holders would use the authority to prohibit the actions outlined in the bill, CBO cannot determine the cost of the mandate to the private sector.

By providing liability protection to companies that voluntarily take preventative measures to block access to or stop doing business with Internet sites that they believe are engaging in copyright-infringing activities, the bill would impose an additional private-sector mandate. Under current law, Internet sites have a right to seek compensation if they are harmed by such measures taken by a company. The cost of this mandate would equal the net value of the forgone awards and settlements in such claims. CBO has no basis for estimating the number of claims that would be filed in the future in the absence of this legislation or the level of potential damage awards in such cases, if any.

ESTIMATE PREPARED BY:
Federal Costs: Martin von Gnechten
Impact on State, Local, and Tribal Governments: Melissa Merrell
Impact on the Private Sector: Samuel Wice and Patrice Gordon

ESTIMATE APPROVED BY:
Peter H. Fontaine
Assistant Director for Budget Analysis

Professors’ Letter in Opposition to “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011” (PROTECT-IP Act of 2011, S. 968)

July 5, 2011

To Members of the United States Congress:

The undersigned are 108 professors from 31 states, the District of Columbia, and Puerto Rico who teach and write about intellectual property, Internet law, innovation, and the First Amendment. We strongly urge the members of Congress to reject the PROTECT-IP Act (the “Act”). Although the problems the Act attempts to address – online copyright and trademark infringement – are serious ones presenting new and difficult enforcement challenges, the approach taken in the Act has grave constitutional infirmities, potentially dangerous consequences for the stability and security of the Internet's addressing system, and will undermine United States foreign policy and strong support of free expression on the Internet around the world.

The Act would allow the government to break the Internet addressing system. It requires Internet service providers, and operators of Internet name servers, to refuse to recognize Internet domains that a court considers “dedicated to infringing activities.” But rather than wait until a Web site is actually judged infringing before imposing the equivalent of an Internet death penalty, the Act would allow courts to order any Internet service provider to stop recognizing the site even on a temporary restraining order or preliminary injunction issued the same day the complaint is filed. Courts could issue such an order even if the owner of that domain name was never given notice that a case against it had been filed at all.

The Act goes still further. It requires credit card providers, advertisers, and search engines to refuse to deal with the owners of such sites. For example, search engines are required to “(i) remove or disable access to the Internet site associated with the domain name set forth in the court order; or (ii) not serve a hypertext link to such Internet site.” In the case of credit card companies and advertisers, they must stop doing business not only with sites the government has chosen to sue but any site that a private copyright or trademark owner claims is predominantly infringing. Giving this enormous new power not just to the government but to any copyright and trademark owner would not only disrupt the operations of the allegedly infringing web site without a final judgment of wrongdoing, but would make it extraordinarily difficult for advertisers and credit card companies to do business on the Internet.

Remarkably, the bill applies to domain names outside the United States, even if they are registered not in the .com but, say, the .uk or .fr domains. It even applies to sites that have no connection with the United States at all, so long as they allegedly “harm holders” of US intellectual property rights.

The proposed Act has three major problems that require its rejection:

1. Suppressing speech without notice and a proper hearing: The Supreme Court has made it abundantly clear that governmental action to suppress speech taken prior to “a prompt final judicial decision . . . in an adversary proceeding” that the speech is unlawful is a presumptively unconstitutional “prior restraint,”[1] the
[1] Freedman v. Maryland, 380 U.S. 51, 58-60 (U.S. 1965) (statute requiring theater owner to receive a license before exhibiting allegedly obscene film was unconstitutional because the statute did not “assure a prompt final judicial decision” that the film was obscene); see also Bantam Books v. Sullivan, 372 U.S. 58 (1962) (State Commission’s letters suggesting removal of books already in circulation is a “prior administrative restraint” and unconstitutional because

“most serious and the least tolerable infringement on First Amendment rights,”[2] permissible only in the narrowest range of circumstances. The Constitution “require[s] a court, before material is completely removed from circulation, . . . to make a final determination that material is [unlawful] after an adversary hearing.”[3]

The Act fails this Constitutional test. It authorizes courts to take websites “out of circulation” – to make them unreachable by and invisible to Internet users in the United States and abroad -- immediately upon application by the Attorney General after an ex parte hearing. No provision is made for any review of a judge’s ex parte determination, let alone for a “prompt and final judicial determination, after an adversary proceeding,” that the website in question contains unlawful material. This falls far short of what the Constitution requires before speech can be eliminated from public circulation.[4]

there was no procedure for “an almost immediate judicial determination of the validity of the restraint”); Fort Wayne Books, Inc. v. Indiana, 489 U.S. 46, 51-63 (1989) (procedure allowing courts to order pre-trial seizure of allegedly obscene films based upon a finding of probable cause was an unconstitutional prior restraint; publications “may not be taken out of circulation completely until there has been a determination of [unlawful speech] after an adversary hearing.”). See also Center For Democracy & Technology v. Pappert, 337 F. Supp. 2d 606, 651 (E.D. Pa. 2004) (statute blocking access to particular domain names and IP addresses an unconstitutional prior restraint).

[2] Nebraska Press Ass'n v. Stuart, 427 U.S. 539, 559 (1976).

[3] CDT v. Pappert, 337 F.Supp.2d, at 657 (emphasis added).
[4] The Act would also suppress vast amounts of protected speech containing no infringing content whatsoever, and is unconstitutional on that ground as well. The current architecture of the Internet permits large numbers of independent individual websites to operate under a single domain name by the use of unique sub-domains; indeed, many web hosting services operate hundreds or thousands of websites under a single domain name (e.g., www.aol.com, www.terra.es, www.blogspot.com). By requiring suppression of all subdomains associated with a single offending domain name, the Act “burns down the house to roast the pig,” ACLU v. Reno, 521 U.S. 844, 882 (1997), failing the fundamental requirement imposed by the First Amendment that it implement the “least restrictive means of advancing a compelling state interest.” ACLU v. Ashcroft, 322 F.3d 240, 251 (3d Cir. 2003) (quoting Sable Commun. v. FCC, 492 U.S. at 126 (emphasis added)); cf. O’Brien, 391 U.S. at 377 (even the lower “intermediate scrutiny” standard requires that any “incidental restriction on First Amendment freedoms . . . be no greater than is essential to the furtherance of that interest”); see also CDT v Pappert, 337 F.Supp.2d, at 649 (domain name blocking [“DNS filtering”] resulted in unconstitutional “overblocking” of protected speech whenever “the method is used to block a web site on an online community or a Web Hosting Service, or a web host that hosts web sites as sub-pages under a single domain name,” and noting that one service provider “blocked hundreds of thousands of web sites unrelated to” the targeted unlawful conduct); see also id., at 640 (statute resulted in blocking fewer than 400 websites containing unlawful child pornography but in excess of one million websites without any unlawful material).

2. Breaking the Internet’s infrastructure: If the government uses the power to demand that individual Internet service providers make individual, country-specific decisions about who can find what on the Internet, the interconnection principle at the very heart of the Internet is at risk. The Internet’s Domain Name System (“DNS”) is a foundational building block upon which the Internet has been built and on which its continued functioning critically depends. The Act will have potentially catastrophic consequences for the stability and security of the DNS. By authorizing courts to order the removal or replacement of database entries from domain name servers and domain name registries, the Act undermines the principle of domain name universality – that all domain name servers, wherever they may be located on the network, will return the same answer when queried with respect to the Internet address of any specific domain name – on which countless numbers of Internet applications, at present, are based. Even more troubling, the Act will critically subvert efforts currently underway – and strongly supported by the U.S. government – to build more robust security protections into the DNS protocols; in the words of a number of leading technology experts, several of whom have been intimately involved in the creation and continued evolution of the DNS for decades:

The DNS is central to the operation, usability, and scalability of the Internet; almost every other protocol relies on DNS resolution to operate correctly. It is among a handful of protocols that are the core upon which the Internet is built. . . . Mandated DNS filtering [as authorized by the Act] would be minimally effective and would present technical challenges that could frustrate important security initiatives. Additionally, it would promote development of techniques and software that circumvent use of the DNS. These actions would threaten the DNS’s ability to provide universal naming, a primary source of the Internet’s value as a single, unified, global communications network. . . . PROTECT IP’s DNS filtering will be evaded through trivial and often automated changes through easily accessible and installed software plugins. Given this strong potential for evasion, the long-term benefits of using mandated DNS filtering to combat infringement seem modest at best.[5]

Moreover, the practical effect of the Act would be to kill innovation by new technology companies in the media space. Anyone who starts such a company is at risk of having their source of customers and revenue – indeed, their website itself -- disappear at a moment’s notice. The Act’s draconian obligations foisted on Internet service providers, financial services firms, advertisers, and search engines, which will have to consult an ever-growing list of prohibited sites they are not allowed to connect to or do business with, will further hamper the Internet’s operations and effectiveness.

3. Undermining United States’ leadership in supporting and defending free speech and the free exchange of information on the Internet: The Act represents a retreat from the United States’ strong support of freedom of expression and the free exchange of information and ideas on the Internet. At a time when many foreign governments have dramatically stepped up their efforts to censor Internet communications,[6] the Act would incorporate into U.S. law – for

[5] Crocker, et al., “Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill,” available at http://domainincite.com/docs/PROTECT-IP-Technical-WhitepaperFinal.pdf. The authors describe in detail how implementation of the Act’s mandatory DNS filtering scheme will conflict with and undermine development of the “DNS Security Extensions,” a “critical set of security updates” for the DNS under development (with the strong support of both the U.S. government and private industry) since the mid-1990s.

[6] Secretary of State Clinton, in her “Remarks on Internet Freedom” delivered earlier this year, put it this way:

the first time – a principle more closely associated with those repressive regimes: a right to insist on the removal of content from the global Internet, regardless of where it may have originated or be located, in service of the exigencies of domestic law. China, for example, has (justly) been criticized for blocking free access to the Internet with its Great Firewall. But even China doesn't demand that search engines outside China refuse to index or link to other Web sites outside China. The Act does just that.

The United States has been the world’s leader, not just in word but in deed, in codifying these principles of speech and exchange of information. Requiring Internet service providers, website operators, search engine providers, credit card companies and other financial intermediaries, and Internet advertisers to block access to websites because of their content would constitute a dramatic retreat from the United States’ long-standing policy, implemented in section 230 of the Communications Decency Act, section 512 of the Copyright Act, and elsewhere, of allowing Internet intermediaries to focus on empowering communications by and among users, free from the need to monitor, supervise, or play any other gatekeeping or policing role with respect to those communications. These laws represent the hallmark of United States leadership in defending speech and their

In the last year, we’ve seen a spike in threats to the free flow of information. China, Tunisia, and Uzbekistan have stepped up their censorship of the internet. In Vietnam, access to popular social networking sites has suddenly disappeared. And last Friday in Egypt, 30 bloggers and activists were detained. . . . As I speak to you today, government censors somewhere are working furiously to erase my words from the records of history. But history itself has already condemned these tactics.
 
[T]he new iconic infrastructure of our age is the Internet. Instead of division, it stands for connection. But even as networks spread to nations around the globe, virtual walls are cropping up in place of visible walls. . . . Some countries have erected electronic barriers that prevent their people from accessing portions of the world’s networks. They’ve expunged words, names, and phrases from search engine results. They have violated the privacy of citizens who engage in nonviolent political speech. . . . With the spread of these restrictive practices, a new information curtain is descending across much of the world.


 

protections are significantly responsible for making the Internet into the revolutionary communications medium that it is today. They reflect a policy that has not only helped make the United States the world leader in a wide range of Internet-related industries, but it has also enabled the Internet’s uniquely decentralized structure to serve as a global platform for innovation, speech, collaboration, civic engagement, and economic growth. The Act would undermine that leadership and dramatically diminish the Internet’s capability to be a functioning communications medium.

In conclusion, passage of the Act will compromise our ability to defend the principle of the single global Internet – the Internet that looks the same to, and allows free and unfettered communication between, users located in Boston and Bucharest, free of locally-imposed censorship regimes. As such, it may represent the biggest threat to the Internet in its history.

While copyright infringement on the Internet is a very real problem, copyright owners already have an ample array of tools at their disposal to deal with the problem. We shouldn’t add the power to break the Internet to that list.

Signed,7

Professor John R. Allison, McCombs School of Business, University of Texas at Austin
Professor Brook K. Baker, Northeastern University School of Law
Professor Derek E. Bambauer, Brooklyn Law School
Professor Margreth Barrett, Hastings College of Law, University of California-San Francisco
Professor Mark Bartholomew, University at Buffalo Law School
Professor Ann M. Bartow, Pace Law School
Professor Marsha Baum, University of New Mexico School of Law
Professor Yochai Benkler, Harvard Law School
Professor Oren Bracha, University of Texas School of Law
Professor Annemarie Bridy, University of Idaho College of Law
Professor Dan L. Burk, University of California-Irvine School of Law
Professor Irene Calboli, Marquette University School of Law
Professor Adam Candeub, Michigan State University College of Law
Professor Michael Carrier, Rutgers Law School – Camden
Professor Michael W. Carroll, Washington College of Law, American University
Professor Brian W. Carver, School of Information, University of California-Berkeley
Professor Anupam Chander, University of California-Davis School of Law
Professor Andrew Chin, University of North Carolina School of Law
Professor Ralph D. Clifford, University of Massachusetts School of Law
Professor Julie E. Cohen, Georgetown University Law Center
Professor G. Marcus Cole, Stanford Law School
Professor Kevin Collins, Washington University-St. Louis School of Law
Professor Danielle M. Conway, University of Hawai’i Richardson School of Law
Professor Dennis S. Corgill, St. Thomas University School of Law
Professor Christopher A. Cotropia, University of Richmond School of Law
Professor Thomas Cotter, University of Minnesota School of Law
Professor Julie Cromer Young, Thomas Jefferson School of Law
Professor Ben Depoorter, Hastings College of Law, University of California – San Francisco
Professor Eric B. Easton, University of Baltimore School of Law
Anthony Falzone, Director, Fair Use Project, Stanford Law School
Professor Nita Farahany, Vanderbilt Law School
Professor Thomas G. Field, Jr., University of New Hampshire School of Law
Professor Sean Flynn, Washington College of Law, American University
Professor Brett M. Frischmann, Cardozo Law School, Yeshiva University
Professor Jeanne C. Fromer, Fordham Law School
Professor William T. Gallagher, Golden Gate University School of Law
Professor Laura N. Gasaway, University of North Carolina School of Law
Professor Deborah Gerhardt, University of North Carolina School of Law
Professor Llew Gibbons, University of Toledo College of Law
Professor Eric Goldman, Santa Clara University School of Law
Professor Marc Greenberg, Golden Gate University School of Law
Professor James Grimmelman, New York Law School
Professor Leah Chan Grinvald, St. Louis University School of Law
Professor Richard Gruner, John Marshall Law School
Professor Bronwyn H. Hall, Haas School of Business, University of California at Berkeley
Professor Robert A. Heverly, Albany Law School, Union University
Professor Laura A. Heymann, Marshall-Wythe School of Law, College of William & Mary
Professor Herbert Hovenkamp, University of Iowa College of Law
Professor Dan Hunter, New York Law School
Professor David R. Johnson, New York Law School
Professor Faye E. Jones, Florida State University College of Law
Professor Amy Kapczynski, University of California-Berkeley Law School
Professor Dennis S. Karjala, Arizona State University College of Law
Professor Anne Klinefelter, University of North Carolina College of Law
Professor Mary LaFrance, William Boyd Law School, University of Nevada – Las Vegas
Professor Amy L. Landers, McGeorge Law School, University of the Pacific
Professor Mark Lemley, Stanford Law School
Professor Lawrence Lessig, Harvard Law School
Professor David S. Levine, Elon University School of Law
Professor Yvette Joy Liebesman, St. Louis University School of Law
Professor Lydia Pallas Loren, Lewis & Clark Law School
Professor Michael J. Madison, University of Pittsburgh School of Law
Professor Gregory P. Magarian, Washington University-St. Louis School of Law
Professor Phil Malone, Harvard Law School
Professor Christian E. Mammen, Hastings College of Law, University of California-San Francisco
Professor Jonathan Masur, University of Chicago Law School
Professor Andrea Matwyshyn, Wharton School of Business, University of Pennsylvania
Professor J. Thomas McCarthy, University of San Francisco School of Law
Professor William McGeveran, University of Minnesota Law School
Professor Stephen McJohn, Suffolk University Law School
Professor Mark P. McKenna, Notre Dame Law School
Professor Hiram Melendez-Juarbe, University of Puerto Rico School of Law
Professor Viva Moffat, University of Denver College of Law
Professor Ira Nathenson, St. Thomas University School of Law
Professor Tyler T. Ochoa, Santa Clara University School of Law
Professor David S. Olson, Boston College Law School
Professor Barak Y. Orbach, University of Arizona College of Law
Professor Kristen Osenga, University of Richmond School of Law
Professor Aaron Perzanowski, Wayne State University Law School
Malla Pollack, Co-author, Callman on Trademarks, Unfair Competition, and Monopolies
Professor David G. Post, Temple University School of Law
Professor Connie Davis Powell, Baylor University School of Law
Professor Margaret Jane Radin, University of Michigan Law School
Professor Glenn Reynolds, University of Tennessee Law School
Professor David A. Rice, Roger Williams University School of Law
Professor Neil Richards, Washington University-St. Louis School of Law
Professor Michael Risch, Villanova Law School
Professor Betsy Rosenblatt, Whittier Law School
Professor Matthew Sag, Loyola University-Chicago School of Law
Professor Pamela Samuelson, University of California-Berkeley Law School
Professor Sharon K. Sandeen, Hamline University School of Law
Professor Jason M. Schultz, UC Berkeley Law School
Professor Jeremy Sheff, St. John’s University School of Law
Professor Jessica Silbey, Suffolk University Law School
Professor Brenda M. Simon, Thomas Jefferson School of Law
Professor David E. Sorkin, John Marshall Law School
Professor Christopher Jon Sprigman, University of Virginia School of Law
Professor Katherine J. Strandburg, NYU Law School
Professor Madhavi Sunder, University of California-Davis School of Law
Professor Rebecca Tushnet, Georgetown University Law Center
Professor Deborah Tussey, Oklahoma City University School of Law
Professor Barbara van Schewick, Stanford Law School
Professor Eugene Volokh, UCLA School of Law
Professor Sarah K. Wiant, William & Mary Law School
Professor Darryl C. Wilson, Stetson University College of Law
Professor Jane K. Winn, University of Washington School of Law
Professor Peter K. Yu, Drake University Law School
Professor Tim Zick, William & Mary Law School

7 All institutions are listed for identification purposes only.

Thursday, June 23, 2011

Members of the U.S. Congress,

We write to express our concern with S. 968, the PROTECT IP Act (“PIPA”). As investors in technology companies, we agree with the goal of fostering a thriving digital content market online. Unfortunately, the current bill will not only fail to achieve that goal, it will stifle investment in Internet services, throttle innovation, and hurt American competitiveness.

Online innovation has flourished, in part, because the Digital Millennium Copyright Act (DMCA), though flawed, created clear, defined safe harbors for online intermediaries. The DMCA creates legal certainty and predictability for online services -- so long as they meet the conditions of the safe harbors, including an appropriate notice-and-takedown policy, they have no liability for the acts of their users. At the same time, the DMCA gives rights-holders a way to take down specific infringing content, and it is working well.

We appreciate PIPA’s goal of combating sites truly dedicated to infringing activity, but it would undermine the delicate balance of the DMCA and threaten legitimate innovation. The bill is ripe for abuse, as it allows rights-holders to require third-parties to block access to and take away revenue sources for online services, with limited oversight and due process. In particular:

1. By requiring “information location tools” -- potentially encompassing any “director[ies], index[es], reference[s], pointer[s], or hypertext link[s]” -- to remove access to entire domains, the bill puts burdens on countless Internet services.
2. By requiring access to sites to be blocked by Domain Name System providers, it endangers the security and integrity of the Internet.
3. The bill’s private right of action will no doubt be used by many rights-holders in ways that create significant burdens on legitimate online commerce services. The scope of orders and cost of litigation could be significant, even for companies acting in good faith. Rights-holders have stated their interest in this private right of action because they worry that the Department of Justice will not have enough resources to initiate actions against all of the infringing sites. Yet, why should costs be shifted to innocent Internet entrepreneurs, most of whom have budgets smaller than the Department of Justice’s?

While we understand PIPA was originally intended to deal with “rogue” foreign sites, we think PIPA will ultimately put American innovators and investors at a clear disadvantage in the global economy. For one, services dedicated to infringement will simply make their sites easy to find and access in other ways, and determined users who want to find blocked content will simply shift to services outside the reach of U.S. law, in turn giving a leg up to foreign search engines, DNS providers, social networks, and others. Second, PIPA creates a dangerous precedent and a convenient excuse for countries to engage in protectionism and censorship against U.S. services. These countries will point to PIPA as precedent for taking action against U.S. technology and Internet companies.

The entire set of issues surrounding copyright in an increasingly digital world are extremely complex, and there are no simple solutions. These challenges are best addressed by imagining, inventing, and financing new models and new services that will allow creative activities to thrive in the digital world. There is a new model for financing, distributing, and profiting from copyrighted material and it is working -- just look at services like iTunes, Netflix, Pandora, Kickstarter, and more. Pirate web sites will always exist, but if rights holders make it easy to get their works through innovative Internet models, they can and will have bright futures.

Congress should not chill investment and reduce incentives to work on private sector solutions. Instead, we encourage Congress to focus on making it easier to license works and bring new, innovative services to market.
Sincerely,

Marc Andreessen, Andreessen Horowitz
Brady Bohrmann, Avalon Ventures
John Borthwick, Betaworks
Mike Brown, Jr., AOL Ventures
Brad Burnham, Union Square Ventures
Jeffrey Bussgang, Flybridge Capital Partners
John Buttrick, Union Square Ventures
Randy Castleman, Court Square Ventures
Tony Conrad, True Ventures
Ron Conway, SV Angel
Chris Dixon, Founder Collective
Bill Draper, Draper Richards
Esther Dyson, EDventure Holdings
Roger Ehrenberg, IA Ventures
Brad Feld, Foundry Group
Peter Fenton, Benchmark Capital
Ron Fisher, Softbank Capital
Chris Fralic, First Round Capital
David Frankel, Founder Collective
Ric Fulop, North Bridge
Brad Gillespie, IA Ventures
Allen "Pete" Grum, Rand Capital
Chip Hazard, Flybridge Capital Partners
Rick Heitzmann, FirstMark Capital
Eric Hippeau, Lerer Ventures
Reid Hoffman, Greylock Partners
Ben Horowitz, Andreessen Horowitz
Mark Jacobsen, OATV
Amish Jani, First Mark Capital
Brian Kempner, First Mark Capital
Vinod Khosla, Khosla Ventures
Josh Kopelman, First Round Capital
David Lee, SV Angel
Lawrence Lenihan, FirstMark Capital
Kenneth Lerer, Lerer Ventures
Jordan Levy, Softbank Capital
Jason Mendelson, Foundry Group
R. Ann Miura-Ko, Floodgate
Howard Morgan, First Round Capital
John O'Farrell, Andreessen Horowitz
Tim O'Reilly, OATV
David Pakman, Venrock
Eric Paley, Founder Collective
Alan Patricof, Greycroft Partners
Danny Rimer, Index Ventures
Neil Rimer, Index Ventures
Bryce Roberts, OATV
Bijan Sabet, Spark Capital
David Sze, Greylock Partners
Andrew Weissman, Betaworks
Albert Wenger, Union Square Ventures
Eric Wiesen, RRE Ventures
Fred Wilson, Union Square Ventures

May 25, 2011

The Honorable Patrick Leahy
Chairman
Committee on the Judiciary
224 Dirksen Senate Office Building
Washington, DC 20510

The Honorable Chuck Grassley
Ranking Member
Committee on the Judiciary
224 Dirksen Senate Office Building
Washington, DC 20510

Re: S. 968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011

Dear Chairman Leahy and Ranking Member Grassley:

Although the undersigned entities harbor no sympathy for websites whose primary purpose is to sell illegal products online, we cannot support S. 968, the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011, in its current form. The legislation has been improved over its predecessor with the removal of provisions targeting domain name registries and registrars, and with the narrowing of certain definitions to avoid some of the overbreadth issues inherent in the Combating Online Infringement and Counterfeits Act. We appreciate your work on these matters.

Nonetheless, certain provisions within S. 968 continue to threaten the stability, freedom, and economic potential of the Internet. The new legislation maintains the provision to direct Internet Service Providers (ISPs) and others to interfere with Domain Name System (DNS) lookup services by tampering with their DNS responses. We continue to believe that such a provision would be ineffective and runs contrary to the US government’s commitment to advancing a single, global Internet. Its inclusion risks setting a precedent for other countries, even democratic ones, to use DNS mechanisms to enforce a range of domestic policies, erecting barriers on the global medium of the Internet. Non-democratic regimes could seize on the precedent to justify measures that would hinder online freedom of expression and association. In addition, circumventing DNS blocking risks substantial collateral damage by making domestic networks and users more vulnerable to cybersecurity attacks, and would increase opportunities for identity theft as users migrate to offshore DNS providers not subject to S. 968. It is critical that the Committee, before endorsing such a change to U.S. law, explore whether DNS blocking would likely result in a sufficient decrease in for-profit Internet piracy to justify taking such risks.

Furthermore, the new inclusion of “information location tools” (also referred to as the “search engine” portion of the bill) has expanded the legislation’s reach. The term “information location tools” appears to encompass “director[ies], index[es], reference[s], pointer[s], or hypertext link[s].” With this provision in place, S. 968 makes nearly every actor on the Internet potentially subject to enforcement orders under the bill, raising new policy questions regarding government interference with online activity and speech.

We continue to urge the Committee to proceed cautiously given the concerns of the undersigned and we look forward to working with you and your colleagues in a constructive manner on improving S. 968.

Sincerely,

American Association of Law Libraries
Association of College and Research Libraries
American Library Association
Association of Research Libraries
Center for Democracy and Technology
Demand Progress
EDUCAUSE
Electronic Frontier Foundation
Human Rights Watch
Rebecca MacKinnon, Bernard Schwartz Senior Fellow, New America Foundation
Public Knowledge
Reporters sans frontières / Reporters Without Borders
Special Libraries Association

May 25, 2011

The Honorable Patrick J. Leahy
Chairman
United States Senate Committee on the Judiciary
437 Russell Senate Building
Washington, DC 20510

The Honorable Chuck Grassley
Ranking Member
United States Senate Committee on the Judiciary
135 Hart Senate Office Building
Washington, DC 20510

Dear Chairman Leahy and Ranking Member Grassley:

The undersigned below support the goals of S. 968, the PROTECT IP Act, to enforce intellectual property rights effectively by addressing rampant infringement by web sites designed and operated to promote and profit from illegal activities. While we each share that goal, and each continue to have concerns with various specific provisions in the legislation, our purpose in this letter is to express in clear terms our serious concerns with the private right of action provisions included in S. 968. The private right of action should be removed from the legislation.

Under the current version of the PROTECT IP Act, an owner of a copyright or trademark could bring an action against a domain name associated with a website dedicated to infringing activity. It is reasonable to expect that a very large number of such actions will be brought, and in many cases, especially with non-U.S. domain names, the domain name owner will not respond to the complaint. It is very likely in such cases with only one party present that courts will enter default judgments and declare that the targeted websites are dedicated to infringing activity. The IP owner will then be able to ask the court to issue an order directed at two categories of service providers. First, a payment system could be required to stop processing transactions between the website and U.S. customers. Second, an advertising network could be directed to stop placing ads on the website.

We believe that the currently proposed private litigation-based process will, however unintentionally, become a one-sided litigation machine with rights owners mass-producing virtually identical cases against foreign domain names for the purpose of obtaining orders to serve on U.S. payment and advertising companies. Not only do we believe that this will be a significant driver of new litigation in federal courts, and will result in an endless stream of court orders imposing duties on U.S.-based companies, but we also believe that this litigation-based regime will significantly reduce the incentive that rights owners have to participate in a cooperative manner in the processes created by payment and advertising companies to address illegal activities by third parties. We are confident that upon further review you will not support creating a private litigation regime that appears so open to abuse and which will undermine the prospects for private sector cooperation.

Along with the fact that the private right of action regime will likely lead to a new litigation industry aimed at obtaining court orders related to websites whose owners will not appear in U.S. courts, we also believe that the regime will lead to private actions against US payment and advertising companies. It is likely that the operators of websites that are the target of court decisions and therefore the court orders aimed at payment and advertising companies will respond by attempting to circumvent the “blocks” imposed by payment systems and advertising networks. S. 968 authorizes the IP owner to bring private enforcement action against the payment and advertising service providers to compel compliance with an order, and the service provider could find itself enmeshed in litigation based on the actions of the suspected infringers of which it has no knowledge.

To prevail in an enforcement action against a service provider, the IP owner would have to demonstrate that the service provider knowingly and willfully failed to comply with an order. The IP owner could argue that the service provider knew that its blocks could be circumvented, and thus that its failure to monitor the site and respond on its own to each act of circumvention constituted a violation of the order. Regardless of the validity of this argument, the cost of litigation, including discovery about the service provider’s operations and its awareness of the activities of the website at issue, might be sufficient to force the service providers to settle the claim on terms very favorable to the IP owner. Several law firms representing IP owners such as publishers of pornography have learned how to “game” the copyright system, and the private right of action under S. 968 provides them with an additional weapon.

Moreover, even if most IP owners do not use the threat of enforcement actions to extort payments from service providers, the IP owners can employ such actions to shift the burden of monitoring websites subject to orders to the service providers. Given the large number of IP owners and infringing websites, and the relatively small number of major payment systems and advertising networks, the service providers’ monitoring costs could be significant.

Last year's version of this legislation allowed only an action by the Attorney General. S. 968, by contrast, allows both an AG action and a private action. To prevent the abuses described above while still accomplishing the bill’s legitimate objectives, the private right of action should be removed, leaving the AG action.

Respectfully,

American Express Company
Consumer Electronics Association
Discover
Visa
PayPal
NetCoalition
Yahoo!
eBay
Google

cc: Senate Judiciary Committee Members

Testimony of NetCoalition Before the United States Senate Committee on the Judiciary Hearing on “Targeting Websites Dedicated to Stealing American Intellectual Property” February 16, 2011 226 Dirksen Senate Office Building Washington, DC 20510

The members of NetCoalition1 share Chairman Leahy’s concern over websites that are dedicated to stealing American intellectual property. We support the objective of combating offshore counterfeiting and online infringement, and we understand the frustration over the challenges of targeting websites that reside beyond the borders of the United States. We pledge to work with Chairman Leahy and other members of the Committee on the Judiciary to address these concerns.

However, combating foreign sites that are engaging in activity that is unlawful in the United States is complicated and challenging. Such an effort raises legal, political, and technological concerns.

During the last Congress, on November 18, 2010, the Committee on the Judiciary approved S. 3804, the Combating Online Infringement and Counterfeits Act (“COICA”). The legislation had 19 cosponsors and was approved by the Committee 19-0. The Committee had not conducted a legislative hearing on H.R. 3804, and there was a considerable amount of concern with the legislation, including concerns that were raised by NetCoalition.2 At the time, Chairman Leahy pledged to work with concerned parties to address these concerns, even as the bill was being approved by the Committee.

1 NetCoalition serves as a public policy voice to leading Internet and technology companies, including Amazon.com, Bloomberg LP, eBay, Google, IAC, Yahoo!, and Wikipedia.

2 See Exhibit 1 (September 27, 2010 Letter from NetCoalition and others and November 15, 2010 Letter from NetCoalition)


Senator Feinstein noted that the Committee needed “to be careful to try to avoid unintended consequences on legitimate businesses.” She further noted that 90 engineers and others involved in developing the architecture and standards for the operation of the Internet were opposed to the bill and particularly concerned about the domain name remedy.3 She also noted that the Committee ought to explore whether the model adopted in the Unlawful Internet Gambling Enforcement Act, which imposes obligations on payment systems, would be a preferable model to use in combating offshore websites. Senator Coburn indicated that certain Internet service providers, search engines, Federal agencies in charged of intellectual property, and other interested parties had outstanding concerns over some provisions in the legislation. He noted the need for further discussion of those issues. Given the concerns raised with S. 3804, we appreciate that Chairman Leahy is holding a hearing to address some of the issues that were raised with S. 3804. We also appreciate the pledge by Committee counsel to work with NetCoalition and other stakeholders to address our concerns before a new version of legislation is introduced. In anticipation of a productive conversation about how to craft legislation in this area, we believe it would be helpful for the Committee to understand the concerns that were raised with S. 3804 in the 111th Congress. The following summarizes those concerns. Concerns with S. 3804, the “Combating Online Infringement and Counterfeits Act.” The sponsors of COICA intend to address the problem of foreign websites that are otherwise beyond the reach of the U.S. legal process and are dedicated to nothing but making infringing content available to U.S. users, essentially “the worst of the worst” foreign-based sites with no legitimate content whatsoever. 
Unfortunately, the scope of the proposed bill goes far beyond the stated intent of the sponsors and it continues to raise significant legal, political, and technological concerns. Technological Concerns. The bill’s primary, technical means of enforcement—requiring ISPs to manually interfere with the Domain Name Service (“DNS”) that connects a website name to the actual website—will not effectively prevent users from accessing the website in question and do nothing to remove the underlying infringing content.4 A DNS provider, which today is normally the user’s Internet access provider (e.g., Verizon, Comcast, AT&T, corporate enterprise server) serves as a “phone book” that connects the commercial domain name of a website (e.g., www.site_in_question.com) to See Exhibit 2. See Exhibit 3 (Dan Kaminsky, “DNS Filtering and S. 3804, ‘Countering Online Infringement and Counterfeiting Act.’”
3 4

the Internet Protocol number of the actual site (e.g., 123.456.789.123). The site’s Internet Protocol number may have an almost unlimited number of names that correspond to the site. The bill would require the DNS provider to “de-list” the domain name with the corresponding number for the site through a manual intervention into the directory. (This is similar to crossing out an entry in the virtual Internet phone book. The IP address is not disconnected, it merely becomes “unlisted.”) This DNS “spoiling” procedure required by the bill is not effective for the following reasons. 1. The user can simply type the numeric IP address into the browser. 2. Operators of the websites in question can easily offer alternative, offshore DNS servers that will allow users to end-run the DNS spoiling and thwart the effectiveness of the bill. 3. Individual users seeking to access a website in question can easily change a single setting on their computers to avoid their ISP’s DNS servers and instead connect to an offshore or little-known DNS provider. There are over one million DNS providers that make their servers available to Internet users. 4. Operators of websites in question can easily provide its users with a browser plugin that ensures the user can reach the site no matter what the user’s ISP is doing to block access to the site. The DNS blocking requirement and these easy “work-arounds” have the potential to create a tremendous amount of collateral harm to the Internet ecosystem. The following are some of the harms. 1. Increased risk of identity theft, spyware, malware, and other malicious activities. If a user accesses a non-U.S. DNS provider (especially one run by the website in question), this user is at increased risk for spyware and malware. Once the user’s computer is infected, the user likely will infect other computers. Moreover, the user will likely rely on that rogue DNS service for all other Internet activity, thereby affecting e-commerce more broadly. 
There would be no guarantee, for example, that the DNS provider would direct the user to the real online shopping or other desired site.
2. A shift away from U.S. DNS providers diminishes the ability of network managers and cyber-security experts to monitor the overall activity of the network and protect U.S. Internet users from cyber-attacks.
3. If the offshore DNS provider so desires, it can orchestrate a denial of service attack on U.S. Internet sites, using the computers of its increased U.S. audience.
4. With the strong support of the U.S. government, major U.S. DNS providers have spent a decade working to implement “DNS Security Extensions” (“DNSSEC”), which ensure that responses to DNS lookups are cryptographically signed by the authoritative nameserver. This, in turn, ensures that the DNS lookup cannot be manipulated to direct a user to a site that will expose the user to identity theft and malware. In other words, these new security extensions will make sure that the “www.cnn.com” site that is displayed on a user’s computer is truly CNN. COICA upends this decade’s worth of work to secure the Internet. In fact, for major U.S. DNS providers that have implemented DNSSEC, it is not clear that they can even technically comply with the requirements of the bill.
5. Manipulation of the DNS lookups is a technique used by certain governments around the world to deny users access to content deemed lawful in the United States (e.g., political speech). Legislating the same technical solution in the U.S. (arguably for content that is lawful in the foreign jurisdiction) will invite retaliation against U.S. Internet companies and lead to geographical balkanization of the Internet.
6. DNS blocking will result in over-blocking of lawful content and other communications such as e-mail. A DNS provider has the ability to control only the second-level domain (i.e., the name immediately to the left of the dot in .com). A DNS provider cannot block subdomains, which are widely used today by most corporations, universities and popular websites. A site that qualifies as infringing under the bill may be part of a larger, lawful domain – but the order will require blocking of the entire domain, including traffic associated with that domain such as email. For example, an order to block access to www.site-in-question.com would result in blocking access to www.blog.site-in-question.com or www.email.site-in-question.com.
7. The Internet was developed to operate efficiently and with multiple redundancies in order to withstand a nuclear attack. This architecture not only makes DNS spoiling technically questionable, but such blocking also interjects an incredible amount of inefficiency into the infrastructure, slowing down the Internet experience for all users.

Legal Concerns. The scope and application of the legislation is significantly broader than its intended purpose and includes new and confusing definitions that are inconsistent with existing copyright law.
1. Contrary to the stated intent of the sponsors, the bill unnecessarily applies to U.S. domestic websites.
Under the bill, law enforcement can serve a court order on the registrar or registry for a domestic site. The registrar or registry shall “suspend operation of, and may lock, the domain name.”
a. U.S. law enforcement already has jurisdiction over domestic sites that infringe copyright law. This bill creates an overlapping and inconsistent remedy to law enforcement’s existing powers. Indeed, U.S. law enforcement has recently seized a significant number of “.com” and other sites hosted by U.S. registrars or registries, calling into question the need for further legislative authority.
b. Because of the overbroad definitions in the bill, law enforcement (or a registrar or registry utilizing the bill’s “vigilante” provision) could take down a major Internet company’s domain for unlawful content on a subdomain. For example, infringing material on a subdomain, e.g., illegalmaterial.usergroup.majorinternetcompany.com, could result in the entire domain of www.majorinternetcompany.com being blocked.

2. The bill would create a new cause of action against a site “dedicated to infringing activities.” The definition of “dedicated to infringing activities” arguably would implicate major U.S. social media platforms, video sharing sites, e-commerce sites, third-party retail sites, grey-market sales sites, and countless sites that are overwhelmingly lawful and integral to the U.S. economy. There are two ways a site can be “dedicated to infringing activities.”
a. A site is “dedicated to infringing activities” if it is “subject to civil forfeiture” under 18 U.S.C. § 2323. A website is subject to civil forfeiture if it is used to sell infringing products with a total retail value of $1,000. This definition sweeps in most open online retailers and open web platforms.
b. A site also would be “dedicated to infringing activities” if— the site is primarily designed, or has no demonstrable commercially significant purpose or use other than, or is marketed by its operator (I) to offer goods or services in violation of title 17, United States Code, or that enable or facilitate a violation of title 17, United States Code, including but not limited to offering or providing access in a manner not authorized by the copyright owner or otherwise by operation of law, copies or phonorecords of, or public performances or displays of works protected by Title 17, in complete or substantially complete form, by any means, including by means of download, streaming, or other transmission, provision of a link or aggregated links to other sites or Internet resources for obtaining access to such copies, phonorecords, performances, displays, goods or services; or (II) to sell or offer to sell or distribute or otherwise promote goods, services, or materials bearing a counterfeit mark, as that term is defined in section 34(d) of the Lanham Act (15 U.S.C. 1116(d); and… when taken together, such activities are the central activities of the Internet site or sites accessed through a specific domain name.
i. This definition invents a new secondary liability concept, i.e., “enable or facilitate,” and for the first time codifies secondary liability. Today, copyright secondary liability is a judge-made, common law concept. Making U.S. Internet companies liable for “enabling” or “facilitating” third parties that engage in illegal activity runs contrary to 13 years of well-settled federal policy under the Digital Millennium Copyright Act. This legislation should not be used to re-write the DMCA.
ii. The definition applies even if the Internet company has no knowledge of the illegal activity or no intent to foster illegal activity: The site is “primarily designed…to offer goods and services… that enable or facilitate a violation of title 17….” A wide range of legitimate products such as personal computers and mobile smartphones “enable or facilitate” a violation of title 17. Accordingly, a site that is designed to sell personal computers or smartphones would fall within this definition. This concept is contrary to well-settled law under the Copyright Act.
iii. Through its focus on commercial purposes, the definition injects considerable confusion by discounting the well-established Sony Betamax standard that enabled the sale of equipment capable of substantial non-infringing uses -- whether commercial or not -- and thereby ushered in a home video market that revitalized the entertainment industry.
iv. The definition creates a new trademark liability arguably inconsistent with existing law.
v. The phrase “sites accessed through a specific domain name” is unclear.

3. The bill’s requirement that a financial transaction provider take “reasonable measures, as expeditiously as reasonable, to prevent or prohibit its service from completing payment transactions between its U.S. customers and the site, and to prevent the use of its trademarks” does not include a technical feasibility qualification, which is included in the DNS obligations, and needs to be tightened in other ways. 4. The bill would require a service that provides advertisements to Internet sites “take reasonable measures, as expeditiously as reasonable, to prevent its network from providing advertisements to an Internet site associated with such domain name.” Some concerns with this provision include:

a. The online advertising ecosystem is broad and includes many different intermediaries and business models. It is unclear to what parts of the advertising ecosystem this applies and whether exchanges that aggregate advertising space could even comply.
b. It is unclear what “associated with such domain name” means or to what it is meant to apply. Arguably, an advertiser could be required to cease providing ads to a major ISP’s site because the ISP provides access to the unlawful website.
c. The provision does not include a technical feasibility qualification, which is included in the DNS obligations.

5. The bill includes a “vigilante” provision that provides complete immunity for registrars and registries, financial transaction providers, and advertising services to take voluntary action against an Internet site if the entity “reasonably believes the Internet site is dedicated to infringing activities.”
a. Under this vigilante provision, there is no government involvement in determining which sites meet the standard. Nor is there any due process or remedy for a site that is mistakenly targeted or purposely targeted for competitive reasons. For example, Viacom recently lost its $1 billion lawsuit against YouTube. Under this provision, however, Viacom could approach Verisign with evidence that YouTube is “dedicated to infringing activities” and Verisign’s lawyers could remove YouTube.com without any legal recourse for YouTube.

6. Under the bill, the IP Enforcement Coordinator must post a list of domain names affected by court orders on a publicly available Internet site. The mere publication of the list may result in constructive knowledge for other Internet intermediaries for purposes of secondary liability, or “red flag” knowledge that disqualifies a service provider from safe harbors under the DMCA. So the list may be used as evidence in copyright lawsuits against any online intermediary, whether or not that entity received a court order under the bill. The bill should be clarified to provide that neither the IPEC list nor any other action could be admitted as evidence establishing knowledge or intent in copyright infringement actions against service providers.

Policy Concerns. 1. Jurisdiction. The bill would authorize a U.S. court to exercise jurisdiction over a foreign-registered domain name by virtue of the fact that U.S. citizens can access the site. It is far from clear that the due process clause of the Constitution allows a U.S. court to exercise jurisdiction in this manner. Moreover, this approach would set a dangerous precedent for foreign countries to attempt to control content on U.S. websites. Several years ago, a French court found Yahoo! liable for hosting auctions of Nazi-era materials that were viewable in France. Similarly, an Australian court exercised jurisdiction over Barron’s for alleged defamation in an article posted on a U.S. website. And, a French court held eBay liable for the sale of legitimate luxury goods that were being sold lawfully in the United States but violated France’s authorized distributor laws. The issue of jurisdiction for Internet-based activities is extraordinarily complex. Until now, Congress has let the courts take the lead on how to apply traditional principles of jurisdiction to the Internet environment. Congress should carefully consider the implications of this aggressive assertion of jurisdiction on U.S. websites that are viewable overseas. 2. Extraterritoriality. In addition to authorizing U.S. courts to exercise jurisdiction over foreign activity, the bill would create extraterritorial remedies. A financial transaction provider would be required to notify foreign website operators that they may not use the financial transaction provider’s trademarks. Similarly, an advertising service would be required to stop placing ads on foreign websites. This would be the case even if a U.S. user no longer can access the site or purchase infringing material from it. Again, this could be a troubling precedent that could be exploited by other countries against U.S. businesses. 3. Due Process. 
Under COICA, once a court issues an injunction against the domain name of a website dedicated to infringing activity, the Department of Justice can serve the order on the operators of domain name services, financial transaction providers, and advertising networks. COICA, therefore, allows the Department of Justice to impose obligations on these entities without first giving them an opportunity to be heard in court. In other words, the operators of websites dedicated to infringing activity receive more procedural protections than these innocent service providers.
4. Uncompensated Government Takings of Service. Unlike most other law enforcement tools that mandate that communications intermediaries provide services to the Federal Government, COICA contains no reimbursement for costs. The Communications Assistance to Law Enforcement Act, the Electronic Communications Privacy Act (18 U.S.C. § 2706), and the FISA Amendments of 2008 all provide for reimbursement, generally at the prevailing rate for the service provided. COICA requires intermediaries to provide services for free to the government, however, without any compensation or cost reimbursement.
5. Endorsing the Tools of Government Censorship. Undoubtedly, this legislation’s endorsement of the very tools of censorship that have been used by regimes around the globe to disrupt political speech will be highlighted as justification for those regimes’ continued efforts to censor speech. In addition, the U.S. government’s disruption of global Internet governance issues will result in increased public pressure for an international governance body such as the United Nations to assume control over Internet governance.

Conclusion. For the foregoing reasons, we hope that the Committee will proceed thoughtfully and carefully as it crafts legislation to address offshore, illegal Websites. We look forward to working with each member of the Committee as it considers this issue. We appreciate the opportunity to provide testimony on this matter. Please do not hesitate to contact us if you or your staff have any questions or concerns.

September 27, 2010

Chairman Patrick J. Leahy
United States Senate
433 Russell Senate Office Building
Washington, DC 20510

Ranking Member Jeff Sessions
United States Senate
335 Russell Senate Office Building
Washington, DC 20510

Re: S. 3804, Combating Online Infringement and Counterfeits Act (COICA) Dear Chairman Leahy and Ranking Member Sessions: Although the undersigned entities support the objectives of S. 3804, the “Combating Online Infringement and Counterfeits Act” (COICA), the bill raises numerous legal, political, and technical issues. If left unresolved, these issues could harm consumers, educational institutions, innovative technologies, economic growth and global Internet freedom. These complicated issues require careful deliberation that we fear cannot be accomplished in the waning days of this session. The bill enables the Justice Department to bring in rem actions against domestic and foreign domain names of websites dedicated to infringing activities, and, with respect to foreign sites, to obtain judicial orders mandating that Internet services, operators of domain name servers, financial transaction providers, and ad networks discontinue service to the designated sites. In addition, subsection (j) authorizes the Justice Department to maintain a public blacklist of websites that the Department determines “upon information and reasonable belief” to be dedicated to infringing activities. Internet-related services will be encouraged to discontinue service to these websites. Given the fundamental due process values of our nation and the potential for other countries to enact similar mechanisms to retaliate against U.S. companies abroad, Congress must carefully consider whether it wishes to authorize Justice Department officials to blacklist websites in a manner subject to little process and limited judicial review. Without judicial oversight, these blacklists could reach the websites of political candidates and advocacy groups. 
Numerous political campaigns have received copyright cease-and-desist letters or infringement notices, including candidates very recently in this cycle from both parties.1 The potential for blacklisting for “facilitating” infringement, as so broadly defined in this bill, can undermine U.S. secondary liability law as established in Sony v. Universal, and ignores the culpable intent requirement of MGM v. Grokster. For example, would the listing of a website on the blacklist constitute constructive knowledge for contributory infringement purposes, if a service provider did not discontinue providing service to a website after it was listed? More generally, the new definitions and requirements also raise serious questions about the effect of this bill on existing copyright exceptions, limitations and defenses upon which a significant sector of the U.S. economy relies.
1 Nevada GOP Candidate Faces Copyright Lawsuit, Wash. Post, Sept. 4, 2010; Mo. Democratic nominee for US Senate keeps TV ad despite copyright lawsuit by Fox News Network, Wash. Examiner, Sept. 16, 2010.

The proposed in rem proceeding also raises a host of issues that necessitate thorough review. It is unclear who may be compelled by such orders, and what obligations can be imposed. The definition regarding which services must comply with in rem orders is both broad and vague. Will COICA apply to (a) all ISPs? (b) The root zone server operated by the Internet Corporation for Assigned Names and Numbers (ICANN)? (c) The “authoritative” root zone server operated by Verisign under contract with NTIA? Would a webhost or search engine have to remove all links to designated sites? Such mandates may be unmanageable, and could have a deleterious effect upon the fight to keep Internet governance out of the bureaucracy of international organizations.

It is further unclear what consequences will result from the functionally extraterritorial application of U.S. intellectual property laws. Congress must consider the precedent this bill would set for countries less protective of citizens’ rights of free expression. COICA’s blacklist may be used to justify foreign blacklists of websites that criticize governments or royalty, or that contain other “unlawful” or “subversive” speech. Just this year, the Secretary of State declared that Internet freedom is nothing less than freedom of assembly online.2 At this time in our campaign to ensure Internet freedom abroad, it is imprudent to endow U.S. law enforcement officials with an unsupervised right to determine who may assemble and who may not.

In sum, COICA – which was introduced only last week – raises a host of global entanglements and serious questions that need to be evaluated thoroughly and carefully. To do so, we believe a hearing on S. 3804, with testimony from impacted industries and user constituencies, should be held before any major legislative action is taken.
We look forward to working with you to address these questions, and to ensure that intellectual property laws can be enforced while preserving free speech, due process, and the stability, freedom, and economic potential of the Internet.

Respectfully submitted,

American Association of Law Libraries (AALL)
American Library Association (ALA)
Association of College and Research Libraries (ACRL)
Association of Research Libraries (ARL)
Center for Democracy and Technology (CDT)
Computer and Communications Industry Association (CCIA)
Consumer Electronics Association (CEA)
Electronic Frontier Foundation (EFF)
Home Recording Rights Coalition (HRRC)
NetCoalition
Public Knowledge

Cc: Senate Judiciary Committee Chairman and Ranking Member, House Judiciary Committee

2 Hillary Clinton, Remarks on Internet Freedom, Newseum, Jan. 21, 2010, available at http://www.state.gov/secretary/rm/2010/01/135519.htm

Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill
May 2011

Authors:

Steve Crocker, Shinkuro, Inc.
David Dagon, Georgia Tech
Dan Kaminsky, DKH
Danny McPherson, Verisign, Inc.
Paul Vixie, Internet Systems Consortium

Affiliations provided for identification only
Brief biographies of authors available below

EXECUTIVE SUMMARY
This paper describes technical problems raised by the DNS filtering requirements in S. 978, the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (“PROTECT IP Act”). Its authors come from the technical, operational, academic, and research communities. We are leading domain name system (DNS) designers, operators, and researchers, who have created numerous “RFCs” (technical design documents) for DNS, published many peer-reviewed academic studies relating to architecture and security of the DNS, and operate important DNS infrastructure on the Internet.

The authors of this paper take no issue with strong enforcement of intellectual property rights generally. The DNS filtering requirements in the PROTECT IP Act, however, raise serious technical concerns, including:
• The U.S. Government and private industry have identified Internet security and stability as a key part of a wider cyber security strategy, and if implemented, the DNS related provisions of PROTECT IP would weaken this important commitment.
• DNS filters would be evaded easily, and would likely prove ineffective at reducing online infringement. Further, widespread circumvention would threaten the security and stability of the global DNS.
• The DNS provisions would undermine the universality of domain names, which has been one of the key enablers of the innovation, economic growth, and improvements in communications and information access unleashed by the global Internet.
• Migration away from ISP-provided DNS servers would harm efforts that rely on DNS data to detect and mitigate security threats and improve network performance.
• Dependencies within the DNS would pose significant risk of collateral damage, with filtering of one domain potentially affecting users’ ability to reach non-infringing Internet content.
• The site redirection envisioned in Section 3(d)(II)(A)(ii) is inconsistent with security extensions to the DNS that are known as DNSSEC. The U.S. Government and private industry have identified DNSSEC as a key part of a wider cyber security strategy, and many private, military, and governmental networks have invested in DNSSEC technologies.
• If implemented, this section of the PROTECT IP Act would weaken this important effort to improve Internet security. It would enshrine and institutionalize the very network manipulation that DNSSEC must fight in order to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks.

We believe the goals of PROTECT IP are important, and can be accomplished without reducing DNS security and stability through strategies such as the non-DNS remedies contained in PROTECT IP and international cooperation.

I. Introduction
The recently introduced PROTECT IP Act of 2011,1 the successor to last year’s COICA legislation,2 includes a range of proposed new enforcement mechanisms to combat the online infringement of intellectual property. Of keen interest to the community of engineers working on issues related to the domain-name system (DNS) is the DNS filtering provision that would require ISPs and other operators of “non-authoritative DNS servers” to take steps to filter and redirect requests for domains found by courts to point to sites that are dedicated to infringement. This paper seeks to explain a set of technical concerns with mandated DNS filtering and to urge lawmakers to reconsider enacting such a mandate into law. Combating online infringement of intellectual property is without question an important objective. The authors of this paper take no issue with the lawful removal of infringing content from Internet hosts with due process. But while we support the goals of the bill, we believe that the use of mandated DNS filtering to combat online infringement raises serious technical and security concerns. Mandated DNS filtering would be minimally effective and would present technical challenges that could frustrate important security initiatives. Additionally, it would promote development of techniques and software that circumvent use of the DNS. These actions would threaten the DNS’s ability to provide universal naming, a primary source of the Internet’s value as a single, unified, global communications network.

II. DNS Background
The domain-name system, or DNS, is a system that makes the Internet more accessible to humans. When computers on the Internet communicate with each other, they use a series of numbers called “IP addresses” (such as 156.33.195.33) to direct their messages to the correct recipient. These numbers, however, are hard to remember, so the DNS system allows humans to use easier-to-remember words (such as “senate.gov”) to access websites or send e-mail. Such names resolve to the proper IP numbers through the use of domain name servers. These servers are set up in a distributed fashion, often globally, such that resolution of names connected to IP addresses may pass through many servers during Internet data flow.3 To make the DNS faster and less expensive to operate, over ten million so-called “recursive servers” exist as accelerators of convenience, to store and retransmit DNS data to nearby users. The PROTECT IP Act proposes legal remedies for infringement that would affect the operators of these “recursive servers,” which are the type of DNS servers used by the computers of end users to resolve DNS names in order to access content on the Internet.4

The DNS is central to the operation, usability, and scalability of the Internet; almost every other protocol relies on DNS resolution to operate correctly. It is among a handful of protocols that are the core upon which the Internet is built. Readers interested in finding out more about the DNS are directed to Paul Vixie’s article, “DNS Complexity.”5 See also Appendix A for a pictorial view of the DNS and DNS filtering.

The DNS is a crucial element of Internet communication in part because it allows for “universal naming” of Internet resources. Domain names have in almost all cases been universal, such that a given domain name means the same thing, and is uniformly accessible, no matter from which network or country it is looked up or from which type of device it is accessed. This universality is assumed by many Internet applications. The domain name given to an Internet device or service is frequently stored and reused, or forwarded to other Internet devices that may not be customers of the same service provider or residents in the same country. For example, web URLs are frequently sent inside electronic mail messages where they are expected to mean the same thing (i.e., to reach the same content) to the recipient of the e-mail that they meant to the sender. Universality of domain names has been one of the key enablers of the innovation, economic growth, and improvements in communications and information access unleashed by the global Internet.

The importance of universal naming is underscored in the U.S. International Strategy for Cyberspace: “The United States supports an Internet with end-to-end interoperability, which allows people worldwide to connect to knowledge, ideas, and one another through technology that meets their needs.”6 Mandated DNS filtering by nameservers threatens universal naming by requiring that some nameservers return different results than others for certain domains. While this type of mandated DNS manipulation is reportedly used in some Middle Eastern countries and in the so-called Great Firewall of China, the mandated DNS filtering proposed by PROTECT IP would be unprecedented in the United States and poses some serious concerns as described below.

1 Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011, S. 968, 112th Congress
2 Combatting Online Infringements and Counterfeits Act, S. 3480, 111th Congress
3 See P. Mockapetris, RFC 1034, “Domain Names – Concepts and Facilities,” Internet Engineering Task Force, November 1987, http://www.ietf.org/rfc/rfc1034.txt.

4 The other type of DNS server is termed “authoritative.” These systems are the DNS servers that are usually under control of the content provider, and that provide the “authoritative” answer as to where on the Internet a given website or service is located. Essentially, “recursive” servers are the DNS servers that help users locate where things are on the Internet, and “authoritative” servers are the DNS servers that are the sources of the answers to those queries. Because the focus of the PROTECT IP Act is on recursive DNS servers (and not authoritative servers), the terms “server,” and “DNS server,” and “resolver” in the remainder of this paper shall mean recursive servers that help users locate content and services on the Internet.
5 Paul Vixie, “DNS Complexity,” ACM Queue 5, no. 3, April 2007.
6 United States Office of the President, International Strategy for Cyberspace, May 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf, at page 8.

III. Technical Challenges Raised By Mandatory DNS Filtering

A. DNS Filtering in Tension with DNSSEC
PROTECT IP would empower the Department of Justice, with a court order, to require operators of DNS servers to take steps to filter resolution of queries for certain names. Further, the bill directs the Attorney General to develop a textual notice to which users who attempt to navigate to these names will be redirected.7 Redirecting users to a resource that does not match what they requested, however, is incompatible with end-to-end implementations of DNS Security Extensions (DNSSEC), a critical set of security updates. Implementing both end-to-end DNSSEC and PROTECT IP redirection orders simply would not work. Moreover, any filtering by nameservers, even without redirection, will pose security challenges, as there will be no mechanism to distinguish court-ordered lookup failure from temporary system failure, or even from failure caused by attackers or hostile networks. Security problems with the DNS were identified over twenty years ago, and the DNSSEC approach to correcting vulnerabilities has been under development since the mid-1990s.8 In short, DNSSEC allows for DNS records to be cryptographically signed, thereby providing a secure authentication of Internet assets. When implemented end-to-end between authoritative nameservers and requesting applications, DNSSEC prevents man-in-the-middle attacks on DNS queries by allowing for provable authenticity of DNS records and provable inauthenticity of forged data. This secure authentication is critical for combatting the distribution of malware and other problematic Internet behavior. Authentication flaws, including in the DNS, expose personal information, credit card data, e-mails, documents, stock data, and other sensitive information, and represent one of the primary techniques by which hackers break into and harm American assets. DNSSEC has been promoted and supported by the highest levels of the U.S. government. 
Development and rollout has involved a major bipartisan political effort, undertaken at great expense as a public/private partnership dating back to the Clinton administration. President George W. Bush included securing the DNS among national cybersecurity priorities as early as 2003.9 When the root zone trust anchor was published just under a year ago, enabling use of DNSSEC within the global DNS, the Obama administration hailed it as a “major milestone for Internet security.”10 The security of the Internet and the success of DNSSEC have been, and remain, a vital policy goal of the United States.11

7 Section 3(d)(2)(A)(ii), “Text of Notice.”

8 See http://www.dnssec.net.

9 United States Office of the President, The National Strategy to Secure Cyberspace, February 2003, http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf

10 Andrew McLaughlin, “A Major Milestone for Internet Security,” The White House blog, July 22, 2010, http://www.whitehouse.gov/blog/2010/07/22/a-major-milestone-internet-security.

11 See United States Office of the President, National Strategy for Trusted Identities in Cyberspace, April 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf; see also United States Office of the President, International Strategy for Cyberspace, May 2011, supra, note 6, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

The fundamental architectural concept behind DNSSEC is that any information associated with a name must verifiably come from the owner of that name. For example, DNSSEC is designed to ensure that if a user requests the mail server for the U.S. Senate, the response is actually the legitimate server to communicate with to send e-mail to addresses within the senate.gov domain. The power of DNSSEC is that it provides a widely deployed and well managed infrastructure that allows only the Senate IT staff to manipulate the authoritative senate.gov nameserver, while only the House of Representative’s IT staff can manipulate the authoritative house.gov nameserver. By mandating redirection, PROTECT IP would require and legitimize the very behavior DNSSEC is designed to detect and suppress. Replacing responses with pointers to other resources, as PROTECT IP would require, is fundamentally incompatible with end-to-end DNSSEC. Quite simply, a DNSSEC-enabled browser or other application cannot accept an unsigned response; doing so would defeat the purpose of secure DNS. Consistent with DNSSEC, the nameserver charged with retrieving responses to a user’s DNSSEC queries cannot sign any alternate response in any manner that would enable it to validate a query. Although DNSSEC-enabled applications are not yet in widespread use, the need for such applications has been a key factor driving DNSSEC’s development. Today, applications and services that require security (e.g. online banking) rely on other forms of authentication to work around a potentially insecure DNS, but a secure DNS would be more effective and efficient. End-to-end deployment of DNSSEC is required to better secure the sensitive applications we have today and allow for new sensitive applications. A legal mandate to operate DNS servers in a manner inconsistent with end-to-end DNSSEC would therefore interfere with the rollout of this critical security technology and stifle this emerging platform for innovation. 
Even DNS filtering that did not contemplate redirection would pose security challenges. The only possible DNSSEC-compliant response to a query for a domain that has been ordered to be filtered is for the lookup to fail. It cannot provide a false response pointing to another resource or indicate that the domain does not exist. From an operational standpoint, a resolution failure from a nameserver subject to a court order and from a hacked nameserver would be indistinguishable. Users running secure applications have a need to distinguish between policy-based failures and failures caused, for example, by the presence of an attack or a hostile network, or else downgrade attacks would likely be prolific.12 DNSSEC is being implemented to allow systems to demand verification of what they get from the DNS. PROTECT IP would not only require DNS responses that cannot deliver such proof, but it would enshrine and institutionalize the very network manipulation DNSSEC must fight in order to prevent cyberattacks and other miscreant behavior on the global Internet.

12 If two or more levels of security exist in a system, an attacker will have the ability to force a “downgrade” move from a more secure system function or capability to a less secure function by making it appear as though some party in the transaction doesn’t support the higher level of security. Forcing failure of DNSSEC requests is one way to effect this exploit, if the attacked system will then accept forged insecure DNS responses. To prevent downgrade attempts, systems must be able to distinguish between legitimate failure and malicious failure.
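The validation argument above and the downgrade concern in note 12 can be traced in a small model, added here as an illustration and not taken from the white paper. It assumes an HMAC under a per-zone key as a stand-in for DNSSEC's public-key signatures; the zone key, addresses and the four resolution paths are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed data. Real DNSSEC uses public-key RRSIG/DNSKEY records and a
# chain of trust from the root; here an HMAC under a per-zone key stands in
# for the signature so the model runs on the standard library alone.
ZONE_KEYS = {"example.com.": b"constructed-zone-signing-key"}
REAL_IP, NOTICE_IP, FORGED_IP = "192.0.2.10", "198.51.100.1", "203.0.113.66"
QNAME = "www.example.com."


@dataclass
class Response:
    name: str
    rdata: str
    sig: Optional[str] = None  # None models an answer that carries no signature


def zone_of(name: str) -> Optional[str]:
    """Signed zone covering `name`, or None when no chain of trust applies."""
    for zone in ZONE_KEYS:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def sign(zone: str, name: str, rdata: str) -> str:
    """Signature over (name, type A, rdata); only the zone owner can make one."""
    msg = f"{name}|A|{rdata}".encode()
    return hmac.new(ZONE_KEYS[zone], msg, hashlib.sha256).hexdigest()


def classify(qname: str, resp: Optional[Response]) -> str:
    """Validation state of an answer as seen by a validating application."""
    if resp is None:
        return "no-answer"
    zone = zone_of(qname)
    if zone is None:
        return "insecure"  # unsigned zone: nothing to check against
    if resp.sig is None or resp.name != qname:
        return "bogus"     # signed zone, but the answer carries no valid proof
    good = hmac.compare_digest(sign(zone, resp.name, resp.rdata), resp.sig)
    return "secure" if good else "bogus"


# Four resolution paths; each takes (qname, dnssec) and returns an answer or None.
def honest_path(qname, dnssec):
    zone = zone_of(qname)
    return Response(qname, REAL_IP, sign(zone, qname, REAL_IP) if zone else None)


def redirecting_filter(qname, dnssec):
    # The filtering resolver does not hold the zone key, so its notice is unsigned.
    return Response(qname, NOTICE_IP)


def dropping_filter(qname, dnssec):
    return None  # court-ordered lookup failure


def hostile_network(qname, dnssec):
    # Note 12: the validated lookup is made to fail, the unvalidated retry is answered.
    return None if dnssec else Response(qname, FORGED_IP)


Path = Callable[[str, bool], Optional[Response]]


def strict_resolve(qname: str, path: Path) -> Optional[str]:
    """Fail closed: use an address only when its proof validates."""
    resp = path(qname, True)
    return resp.rdata if classify(qname, resp) == "secure" else None


def fallback_resolve(qname: str, path: Path) -> Optional[str]:
    """Downgrade-prone: on failure, retry and accept an unvalidated answer."""
    resp = path(qname, True)
    if classify(qname, resp) == "secure":
        return resp.rdata
    retry = path(qname, False)
    return retry.rdata if retry is not None else None


def outcomes() -> dict:
    """(validation state, strict result, fallback result) for each path."""
    paths = {"honest": honest_path, "redirecting_filter": redirecting_filter,
             "dropping_filter": dropping_filter, "hostile_network": hostile_network}
    return {name: (classify(QNAME, p(QNAME, True)),
                   strict_resolve(QNAME, p), fallback_resolve(QNAME, p))
            for name, p in paths.items()}


if __name__ == "__main__":
    for name, row in outcomes().items():
        print(f"{name:20s} {row}")
```

Under the strict policy the dropping filter and the hostile network produce the same observable result, and only the fallback policy ever hands the application the notice address or the forged one.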

B. The Proposed DNS Filters Would Be Circumvented Easily
As described above, the DNS was adopted to achieve universal naming for Internet resources. The fact that host names resolve consistently regardless of which network performs the request is a key factor in the Internet’s success as a global communications network. Anybody who has surfed to a site in a public place, an office, or someone else’s house, and gone to a site different from what he or she is used to at home, will understand frustrations that can come from filtering. To the extent that the naming system becomes less universal or consistent, the economic and social value of the network will suffer. DNS filtering does not remove or prevent access to Internet content. It simply prevents resolution by a particular DNS server of a filtered domain to its associated IP address. The offending site remains available and accessible through non-filtered nameservers or numerous other means, including direct accessibility from the client to the server if they have the corresponding information. Circumvention is possible, with increasing ease, and is quite likely in the case of attempts to filter infringement via the DNS. All of the methods that we discuss in this section pose risks to the security and stability of the DNS, and to broader societal concerns. Evidence from the recent domain seizures by U.S. Immigrations and Customs Enforcement demonstrates how likely circumvention is to occur. Data captured by Arbor Networks regarding the seizure of TVShack.net, showed what appeared to be only a short term impact on actual traffic to the pirates’ servers.13 The content simply was moved to a different domain, with little long-term impact likely. Similarly, Alexa traffic rankings indicate that traffic to rojadirecta.es, the replacement for the seized rojadirecta.com, quickly reached levels comparable to that of the former domain.14 This occurred due to the fact that users and infringing websites do not simply “give up” in response to implementation of a filtering mechanism. 
They go online, find new (non-American) domains or direct IP numbers, and connect as they usually would.

In the case of DNS filtering, users need not navigate to new domains, but can instead simply use non-filtered DNS servers. To understand this approach, it is helpful to understand what normally occurs for most residential broadband customer installations. Normally, as part of the initial settings provided by ISPs to their customers, the ISPs select the users’ DNS server (commonly as part of dynamic addressing lease negotiation or in setting up a user’s equipment). In general, the operator-selected DNS server is local to the user, providing fast, efficient resolution. Thus, for example, Comcast customers generally use Comcast’s DNS servers allowing for an “accelerated,” and topologically optimal, DNS experience. However, users may change their DNS server settings, either by running a local resolver or by updating a single OS configuration parameter. Moreover, applications and even websites can also change a user’s DNS settings automatically. A 2008 survey using data from Google found that hundreds of malware websites automatically change the DNS settings of users who simply visit a malicious web site.15 It is likely, if not inevitable, that infringement sites would use the same strategy, allowing a single site to instantly, silently, and permanently change a user’s DNS path and evade DNS filtration and filtering.

How easily could software make such a change? Just a single line of code is needed to change one registry key in Microsoft Windows. As documented widely by Microsoft itself, software merely needs to edit one system registry parameter:16

\\HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters

13 Craig Labovitz, “Takedown,” Arbor Networks blog, July 2, 2010, http://asert.arbornetworks.com/2010/07/takedown/

14 Compare http://www.alexa.com/siteinfo/rojadirecta.com# and http://www.alexa.com/siteinfo/rojadirecta.es#.

Such behavior is common. In a survey of 100,000 malware samples, pulled at random from the Georgia Institute of Technology’s malware repository, over 98% were found to read Windows registry settings, and some 68% were found to change the registry. Indeed, the anti-malware industry even has a term for viruses that specifically manipulate resolution via registry keys: “DNS-changers”, or “DNS-changing malware,” and such techniques have been employed by miscreants for nearly a decade.17

The choice of alternative DNS servers is effectively unlimited. In the same study, a survey of so-called “open-recursive” DNS resolvers revealed a dramatic increase in the number of public DNS servers. At present, there are tens of millions of open, public DNS servers, many outside the U.S. Sites offering or promoting the downloading of copyright-infringing content could use almost any of these resolvers to evade domestic DNS filtering.

An obvious possibility would be for the operators of the infringement sites themselves to operate alternative DNS servers for their users. It has been suggested that perhaps pirate sites would not wish to operate such a service because it would be difficult or expensive. However, DNS resolvers are lightweight and do not expose the same network engineering profile or carry the same costs as other circumvention technologies such as full-traffic encryption. In practice, a $1,000 server can respond to over 100,000 DNS requests per second. It is substantially easier to provide the handful of bits required for a DNS response than to expose a complex searchable web interface to pirated content. Realistically, the DNS accelerating service could be provided at no additional cost, using spare capacity on existing servers. Thus, those entities large enough to attract the attention of PROTECT IP likely will be large enough to handle the DNS load of their user base.

Suggestions have been made that U.S. users will not use servers located outside of the United States because the nameservers are foreign and untrusted.18 The user who is seeking pirated content, however, will often be more concerned about getting the content than with how reputable a particular DNS provider might be. More importantly, in many cases, the user will likely have no idea that they are changing DNS servers. Those promoting pirate sites will simply create websites and postings that ask: “Frustrated by getting filtered when you try to watch movies? Click here to fix the problem.” Long experience shows that high numbers of users will simply do just that; they will “click here” and thereby quickly circumvent the intended roadblock through automated processes such as DNS changers.

15 D. Dagon, N. Provos, C. P. Lee, and W. Lee, “Corrupted DNS resolution paths: The rise of a malicious resolution authority,” In Proceedings of Network and Distributed Security Symposium (NDSS ‘08), 2008. Note: The 2008 study and this report share an author.

16 Microsoft, Inc. DNS Registry Entries. http://technet.microsoft.com/en-us/library/dd197418%28WS.10%29.aspx, 2011.

17 Dagon et al., “Corrupted DNS resolution paths,” supra, note 15; see also Symantec, Description of Trojan.Qhosts virus, http://www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99.

18 Daniel Castro, “No, COICA Will Not Break the Internet,” Innovation Policy blog, January 18, 2011, http://www.innovationpolicy.org/no-coica-will-not-break-the-internet.

Would users care about performance? One theory states that users would avoid these non-U.S. nameservers because they would be slower, if for no other reason than they are offshore and thus may take up to a substantial fraction of a second to return answers. There is some data that slower sites are slightly less popular, but it is unlikely that foreign DNS would slow things down enough, for a number of reasons. First, the likely delay for a site would only be a few tenths of a second. Second, only the initial query to a domain is impacted. Third, most modern browsers implement something called DNS prefetching, performing the DNS lookup before the user even browses to a site. Consequently, users will likely not even experience the delay when navigating to a given site. Finally, from the perspective of a user seeking pirated content, a slightly slower site is much better than not being able to access the site and its infringing content at all.

However, even if one supposed that all malicious sites changing DNS settings were filtered, and even if one supposed that 100% of users leave their ISPs’ DNS settings unchanged, mandatory DNS filtering still could be trivially evaded by individuals and even applications. The IP number for the website of The Pirate Bay, a well-known peer-to-peer (P2P) organization that has often been connected to infringement allegations, is 194.71.107.15. Simply typing this number instead of www.piratebay.org into a browser’s address line will take a user to the site.
To avoid having to remember the number each time, PCs can easily be configured to bypass DNS filters. Effectively, all systems have within them something called a hosts file, which is in text format. After simple editing of a hosts file with the additional line “www.thepiratebay.org 194.71.107.15”, the DNS will no longer be consulted. Many users will not have the expertise necessary to rewrite a host file. On the other hand, individuals who are skeptical of this potential for evasion should consider that software developers already are working on software to evade DNS filtration. A group calling itself “MafiaaFire” has developed a Firefox browser plugin that automatically redirects users requesting a seized domain to the desired site’s new domain or server IP address.19 (A screen image that shows the ease with which Internet users can implement such tools is in Appendix B). Infringers are almost certain to develop similar plugins that skip the DNS entirely, perhaps simply by putting links on their pages which offer to make necessary system changes with a click of the mouse. This reality leads to one conclusion: PROTECT IP’s DNS filtering will be evaded through trivial and often automated changes through easily accessible and installed software plugins. Given this

19 http://mafiaafire.com/

strong potential for evasion, the long-term benefits of using mandated DNS filtering to combat infringement seem modest at best. In addition, if the U.S. mandates and thereby legitimizes DNS filtering, more countries may impose their own flavor of DNS filtering. As this practice becomes more widespread, the extent to which a particular name is reachable will become a function of on which network and in which country a user sits, compromising the universality of DNS naming and thereby the “oneness” of the Internet. This situation will in turn increase the cost and challenge of developing new technologies, and reduce the reliability of the Internet as a whole. If the Internet moves towards a world in which every country is picking and choosing which domains to resolve and which to filter, the ability of American technology innovators to offer products and services around the world will decrease. Moreover, circumvention poses risks to the security and stability of the DNS, which are explored in the following sections.

C. Circumvention Poses Performance and Security Risks
The likely circumvention techniques described above will expose users to new potential security threats. These security risks will not be limited to individuals. Banks, credit card issuers, health care providers, and others who have particular interests in security protections for data also will be affected. At the same time, a migration away from U.S.-based and ISP-provided DNS will harm U.S. network operators’ ability to investigate and evaluate security threats. Intelligence and law enforcement officials who rely on high-quality network usage data afforded by centralized DNS resolution will face a similar reduction in the usefulness of DNS.20

1. Users Will Face Increased Cybersecurity Risk
As noted above, both users and operators of infringement sites will likely respond to DNS filtering by redirecting users’ DNS settings to point outside of the United States. One cannot predict which DNS services they will use instead, but one can anticipate that some if not many of the new DNS resolvers will be well outside U.S. jurisdiction, possibly run by the same criminals running the infringement sites, and perhaps even on the same systems and hardware. This concern is not mere speculation: the use of non-U.S. DNS is already favored by malicious websites, viruses, and criminal gangs to evade U.S. law enforcement.

As a consequence of redirecting their DNS settings, users will face significantly increased security risks, as detailed below. Those risks, however, will not be obvious or well known to most users, and they will simply be unaware of the risks (and indeed, as noted above, the users may not even know that their DNS settings have been changed). Moreover, in households with shared computers, one user (say, a teenage music sharer) may redirect the DNS settings, but then those settings would carry over to when the parent later did online banking on the same computer. The teenager’s redirection also could redirect banking information and put it in jeopardy. The effects of increased security vulnerability will be felt not just by users, but by U.S. networks and businesses, including banks and credit card companies, which will internalize the costs of botnet disruptions, identity theft, and financial fraud.

20 A full discussion of the impact on law enforcement is outside the scope of this paper.

Users on computers with redirected DNS settings will have a number of increased risks. First, operators of rogue DNS servers are less likely than major U.S. operators to support DNSSEC. Thus users who switch or are switched to such nameservers will not benefit from the security and trust DNSSEC is being implemented to provide. And the absence of support for DNSSEC may expose these users to greater risk from malicious nameserver operators.

Second, and critically, when traffic is pushed to potentially rogue servers, how will those servers handle the resolution of web and mail server lookups for military networks, U.S. banks, or social network sites used by U.S. citizens to communicate and share personal information and ideas? Circumvention has real consequences beyond evading the results of court-ordered filters. An infringement site that simply gains enough consent and cooperation from a user to shift his or her DNS resolution to the pirate site is not only insulated from the filters of PROTECT IP. The operator also gains access to all DNS traffic from that user: Every time the user seeks his bank, the pirate site has the opportunity to hijack it. Every time the user seeks an e-commerce site, the pirate site has the opportunity to impersonate it. Every email, every game, every Internet application that someone might use to be productive would potentially be exposed to manipulation.

Although some pirate operators may decide to run “honest” DNS servers in an effort to gain the trust of users, at least some of the overseas DNS servers are likely to act on their economic incentive to exploit their access to the sensitive communications of some Americans. In the millions of DNS lookups exported from U.S.
networks, many may prove innocuous, but some will fall in these sensitive categories, which will be attractive avenues for phishing and other cybercrime. In control of all of a user’s DNS traffic, a rogue resolver could easily return spurious results for sensitive queries. For example, a user could be sent an identical-looking but false and criminal website pretending to be Citibank.com, allowing the operator to gain access to and empty the user’s bank accounts. If users of government or military networks violate sound security practices and redirect their DNS traffic to a non-U.S. DNS server, they could create national security risks given the sensitivity of those networks.21 Redirection on such networks would risk providing non-U.S. networks a foothold in the DNS conversation, and the ability to monitor and manipulate resolution for potentially sensitive websites and mail servers, through denial-of-service attacks, disclosure attacks,22 and an array of other avenues.

21 Military information has been lost through P2P in the past; see, e.g., Tim Wilson, “Army Hospital Breach May Be Result of P2P Leak,” Dark Reading, June 3, 2008, http://www.darkreading.com/taxonomy/index/oldarticleurl?articleID=211201106.

22 “Disclosure attack” refers to the ability of an attacker to collect target intelligence information by analyzing client behavioral and query data.

2. ISPs Will Lose Visibility into Network Security Threats
DNS data currently provides ISPs an important and accurate picture of both traffic patterns and security threats on their network, which in turn is vital for both business planning and network protection. Data gleaned from their customers’ access to their DNS servers can be useful for a number of purposes. First, it can allow an ISP to identify increases and shifts in traffic, which can inform infrastructure investment, network optimizations, interconnection strategies, and peering relationships.

Even more critically, monitoring DNS data is a vital part of maintaining network security. By analyzing name lookups, ISPs are able to diagnose denial-of-service attacks, identify hosts that may be part of a botnet, and identify compromised domains serving as command-and-control servers or identify subscribers who may be at risk. These analyses in turn enable network administrators to combat these problems, both by addressing malicious traffic and by providing targeted assistance to the users of infected computers.

As users increasingly turn to other DNS servers to avoid the DNS filtering, ISPs have less and less ability to manage security threats and maintain effective network operations. By losing visibility into network security threats, ISPs will be less able to identify customer computers that have been infected by a virus and come under the control of a criminal botnet. At the same time that ISPs will be less able to identify infected computers, their security offices will be less able to assist law enforcement in investigating network security attacks or data loss and exfiltration. The reduction of customer use of an enterprise, local network operator, or ISP’s DNS service will mean that more compromised computers will go unidentified and uncorrected. Furthermore, the set of attributes that need to be evaluated when a customer calls an operator help desk for support will be much more extensive, and will increase both cost and debugging complexity.

3. CDNs Would Likely Face Degraded Performance
Routing DNS traffic to offshore servers will also affect network performance within the United States, and will increase costs for ISPs. For DNS queries themselves, any delay will be minimal. However, for content delivered from Content Distribution Networks (CDNs) the impact will be more severe. CDNs localize content delivery by distributing the same content across a number of servers on a wide range of networks. This localization reduces network congestion and decreases the load that would otherwise be put on a single server. Many CDNs use the IP address of the DNS resolver to estimate a user’s location and route the user to the fastest available server. To such networks, U.S. users who have changed their DNS resolvers for all lookups will appear to the CDNs to be browsing from abroad. As a result, these users could be routed to offshore servers not just for DNS queries, but also for content, undermining precisely the benefits CDNs provide by optimizing traffic distribution to account for proximity of client and server.

Inefficient server selection would cause small delays for users, but high costs for commercial actors who must pay higher costs of latency and added network resources in order to provide the same level of service. The higher costs will negatively impact the business of both the providers of high-value, high-bandwidth (and non-infringing) content that overwhelmingly make up the customer base of CDNs, as well as the CDN operators themselves. To the extent that poor server selection results in increased traffic over international links, as is likely, it will also increase the traffic load and network congestion experienced by a wider range of network operators.
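The visibility that section C.2 describes, and the silent resolver changes made by the DNS-changing malware discussed in section B, can be watched for at the network edge. The following detection sketch is an added example, not part of the white paper; the flow-record format, the resolver addresses, the sample records and the three-query threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed values: the operator's own resolvers and a few flow records
# in the assumed form "<timestamp> <client> <server> <proto> <dst-port>".
SANCTIONED = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
FLOWS = """\
2011-05-20T10:00:01Z 10.1.4.20 10.0.0.53 udp 53
2011-05-20T10:00:02Z 10.1.4.20 10.0.1.53 udp 53
2011-05-20T10:00:03Z 10.1.4.20 10.0.0.53 tcp 53
2011-05-20T10:00:04Z 10.1.4.21 203.0.113.9 udp 53
2011-05-20T10:00:05Z 10.1.4.21 203.0.113.9 udp 53
2011-05-20T10:00:06Z 10.1.4.21 203.0.113.9 udp 53
2011-05-20T10:00:07Z 10.1.4.21 203.0.113.9 udp 53
2011-05-20T10:00:08Z 10.1.4.22 10.0.0.53 udp 53
2011-05-20T10:00:09Z 10.1.4.22 10.0.0.53 udp 53
2011-05-20T10:00:10Z 10.1.4.22 10.0.1.53 udp 53
2011-05-20T10:00:11Z 10.1.4.22 198.51.100.7 udp 53
2011-05-20T10:00:12Z 10.1.4.23 198.51.100.7 udp 53
2011-05-20T10:00:13Z 10.1.4.21 192.0.2.80 tcp 443
truncated-record 10.1.4.24
""".splitlines()


def parse_flow(line):
    """Return (client, server, proto, port), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, dst, proto, port = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(port))
    except ValueError:
        return None


def resolver_report(lines, sanctioned=SANCTIONED, min_queries=3):
    """Flag clients whose DNS traffic goes to resolvers the operator does not run.

    'resolver-replaced': every observed DNS flow left the operator's resolvers,
    which is what a changed system resolver setting looks like on the wire.
    'mixed': only part of the traffic did, e.g. one application using its own
    resolver. Clients with fewer than `min_queries` DNS flows are not judged.
    """
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        client, server, proto, port = rec
        if port == 53 and proto in ("udp", "tcp"):
            per_client[client][server] += 1

    report = {}
    for client, servers in per_client.items():
        total = sum(servers.values())
        off_net = {s: n for s, n in servers.items() if s not in sanctioned}
        off_total = sum(off_net.values())
        if off_total == 0 or total < min_queries:
            continue
        report[str(client)] = {
            "verdict": "resolver-replaced" if off_total == total else "mixed",
            "off_net_share": round(off_total / total, 2),
            "resolvers": sorted(str(s) for s in off_net),
        }
    return report


if __name__ == "__main__":
    for client, finding in sorted(resolver_report(FLOWS).items()):
        print(client, finding)
```

A client flagged as resolver-replaced is also one whose lookups no longer appear in the operator's own DNS logs, so the flow record is the only remaining signal for that host.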

D. DNS Interdependencies Will Lead to Collateral Damage
Two likely situations can be identified in which DNS filtering could lead to non-targeted and perfectly innocent domains being filtered. The likelihood of such collateral damage means that mandatory DNS filtering could have far more than the desired effects, affecting the stability of large portions of the DNS.

First, it is common for different services offered by a domain to themselves have names in some other domain, so that example.com’s DNS service might be provided by isp.net and its e-mail service might be provided by asp.info. This means that variation in the meaning or accessibility of asp.info or isp.net could indirectly but quite powerfully affect the usefulness of example.com. If a legitimate site points to a filtered domain for its authoritative DNS server, lookups from filtering nameservers for the legitimate domain will also fail. These dependencies are unpredictable and fluid, and extremely difficult to enumerate. When evaluating a targeted domain, it will not be apparent what other domains might point to it in their DNS records.

In addition, one IP address may support multiple domain names and websites; this practice is called “virtual hosting” and is very common. Under PROTECT IP, implementation choices are (properly) left up to DNS server operators, but unintended consequences will inevitably result. If an operator filters the DNS traffic to and from one IP address or host, it will bring down all of the websites supported by that IP number or host. The bottom line is that the filtering of one domain name or hostname can pull down unrelated sites across the globe.

Second, some domain names use “subdomains” to identify specific customers. For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings. This type of collateral damage was demonstrated vividly by the ICE seizure of mooo.com, in which over 84,000 subdomains were mistakenly filtered.23 The authors of the paper understand that sites offering such subdomain hosting are not the target of PROTECT IP, but the possibility for such unintended filtering remains.

Despite sharing a parent domain, subdomains, as well as their content, often have little or nothing to do with one another. The existence of additional subdomains may not be readily apparent upon reviewing whatever content is served at a particular subdomain, just as visiting google.com gives no indication of the existence of yahoo.com, despite the fact that the two domains share the .com top-level domain. Thus it is possible for an examination of one subdomain to conclude without ever revealing the existence of others that would be affected by a filtering order instituted in the DNS.

23 Thomas Claburn, “ICE Confirms Inadvertent Web Site Seizures,” InformationWeek, February 18, 2011, http://www.informationweek.com/news/security/vulnerabilities/229218959.
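Both kinds of collateral damage described in section D can be estimated before a filter entry is applied. The sketch below is an added example, not part of the white paper; the zone data is constructed, and it assumes that a filtering resolver refuses every name at or under a filtered domain, that a zone fails only when all of its nameserver hosts are unreachable, and that a nameserver inside its own zone is reachable through glue.

```python
from typing import Dict, List, Optional, Set

# Constructed zone data: each zone lists its nameserver (ns) and mail (mx) hosts.
ZONES: Dict[str, Dict[str, List[str]]] = {
    "dnshost.example": {"ns": ["ns1.dnshost.example"], "mx": []},
    "shop.example": {"ns": ["ns1.dnshost.example", "ns2.dnshost.example"],
                     "mx": ["mx.shop.example"]},
    "news.example": {"ns": ["ns1.dnshost.example", "ns.other.example"],
                     "mx": ["mx.mailco.example"]},
    "other.example": {"ns": ["ns.other.example"], "mx": []},
    "mailco.example": {"ns": ["ns1.shop.example"], "mx": []},
    "blog.example": {"ns": ["ns.other.example"], "mx": ["mx.dnshost.example"]},
    "hosting.example": {"ns": ["ns.other.example"], "mx": []},
    "larry.hosting.example": {"ns": ["ns.other.example"], "mx": []},
    "sergey.hosting.example": {"ns": ["ns.other.example"], "mx": []},
}


def is_filtered(name: str, filtered: Set[str]) -> bool:
    """True when `name` is a filtered domain or sits underneath one."""
    return any(name == f or name.endswith("." + f) for f in filtered)


def covering_zone(host: str, zones) -> Optional[str]:
    """Most specific known zone that contains `host`."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def host_unreachable(host, own_zone, zones, filtered, broken) -> bool:
    if is_filtered(host, filtered):
        return True
    zone = covering_zone(host, zones)
    # A host inside its own zone is assumed reachable through glue records.
    return zone is not None and zone != own_zone and zone in broken


def collateral(zones, filtered: Set[str]) -> Dict[str, List[str]]:
    """Split the effect of a filter list into targeted and untargeted damage."""
    broken = {z for z in zones if is_filtered(z, filtered)}
    changed = True
    while changed:  # iterate to a fixed point: failures propagate transitively
        changed = False
        for zone, rec in zones.items():
            if zone in broken or not rec["ns"]:
                continue
            if all(host_unreachable(h, zone, zones, filtered, broken)
                   for h in rec["ns"]):
                broken.add(zone)
                changed = True
    mail = [z for z, rec in zones.items()
            if z not in broken and rec["mx"]
            and all(host_unreachable(h, z, zones, filtered, broken)
                    for h in rec["mx"])]
    return {
        "targeted": sorted(z for z in broken if z in filtered),
        "unresolvable": sorted(broken - set(filtered)),  # never named in an order
        "mail_broken": sorted(mail),                     # resolves, mail does not
    }


if __name__ == "__main__":
    for order in ({"dnshost.example"}, {"hosting.example"},
                  {"larry.hosting.example"}):
        print(sorted(order), collateral(ZONES, order))
```

In the constructed data one filtered DNS provider takes down a customer zone and, through it, a second zone that never referenced the provider at all, while filtering a hosting parent removes every subdomain beneath it.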

IV.

Conclusion

As stated above, we strongly believe that the goals of PROTECT IP are compelling, and that intellectual property laws should be enforced against those who violate them. But as discussed in this paper, the mandated DNS filtering provisions found in the PROTECT IP Act raise very serious security and technical concerns. We believe that the goals of PROTECT IP can be accomplished without reducing DNS security and stability, through strategies such as better international cooperation on prosecutions and the other remedies contained in PROTECT IP other than DNS-related provisions. We urge Congress to reject the DNS filtering portions of the Act.

APPENDIX A
The figure below may be helpful in understanding the DNS filtering method specified in PROTECT IP

[Figure: diagram of a DNS lookup and the resulting web connection, with DNS traffic and web traffic drawn separately and the points not covered by PROTECT IP marked. Labeled elements: Search Engine; Non-Authoritative DNS; Root DNS - Pointer to .COM TLD; TLD DNS - Pointer to example.COM Authoritative DNS; Authoritative DNS - IP address for www.example.com; Web Server for www.example.com; The Internet.]

Steps shown in the figure:
STEP ONE - Search for "pirated free movie" - Get link to www.example.com
STEP TWO - Where is www.example.com?
STEP THREE - Where is .COM TLD?
STEP FOUR - Where is authoritative DNS for example.com?
STEP FIVE - What is the IP address of www.example.com?
STEP SIX - Return this IP address to the user
STEP SEVEN - User connects to www.example.com

Points NOT COVERED By PROTECT IP:
A - End user software
F - Authoritative DNS servers (off-shore)
G - Providers hosting content
H - Internet access to the content

APPENDIX B
Some browser plugins are easily installed, and would allow users to avoid the DNS filtering contemplated by PROTECT-IP. The MafiaaFire redirector, shown below, was created in direct response to domain-seizures and the introduction of COICA in 2010.

Screen-captured on 05/25/11 at 10:45 a.m.

ABOUT THE AUTHORS
Steve Crocker is CEO of Shinkuro, Inc., a security-oriented consulting and development company, and has been leading Shinkuro’s work on deployment of DNSSEC, the security extension to DNS. He currently serves as vice chair of the board of ICANN and served as chair of ICANN’s Security and Stability Advisory Committee from its inception in 2002 until 2010. He has been active in the Internet community since 1968 when he helped define the original set of protocols for the Arpanet, founded the RFC series of publications and organized the Network Working Group, the forerunner of today’s Internet Engineering Task Force (IETF). He later served as the first Area Director for Security in the IETF. Over his forty-plus years in network research, development, and management, he has been an R&D Program Manager at DARPA, senior researcher at University of Southern California’s Information Sciences Institute, Director of Aerospace Corp’s Computer Science Laboratory, vice president of Trusted Information Systems, co-founder, senior vice president and CTO of CyberCash, Inc. and co-founder and CEO of Longitude Systems, Inc.

David Dagon is a post-doctoral researcher at Georgia Institute of Technology studying DNS security and the malicious use of the domain resolution system. He is a co-founder of Damballa, an Internet security company providing DNS-based defense technologies. He has authored numerous peer-reviewed studies of DNS security, created patent-pending DNS security technologies, and proposed anti-poisoning protocol changes to DNS.

Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases. Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.

Danny McPherson is Chief Security Officer for Verisign, Inc., where he is responsible for strategic direction, research, and innovation in infrastructure, and information security. He currently serves on the Internet Architecture Board (IAB), ICANN’s Security and Stability Advisory Council, the FCC’s Network Reliability and Interoperability Council (NRIC), and several other industry forums. He has been active within the Internet operations, security, research, and standards communities for nearly 20 years, and has authored a number of books and other publications related to these topics. Previously, he was CSO of Arbor Networks, and prior to that held technical leadership positions with Amber Networks, Qwest Communications, Genuity, MCI Communications, and the U.S. Army Signal Corp.

Paul Vixie founded Internet Systems Consortium in 1996 and served as ISC’s President from 1996 to 2011 when he was named Chairman and Chief Scientist. Vixie was the principal author of BIND versions 4.9 to 8.2, which is the leading DNS server software in use today. He was also a principal author of RFC 1996 (DNS NOTIFY), RFC 2136 (DNS UPDATE), and RFC 2671 (EDNS), coauthor of RFC 1876 (DNS LOC), RFC 2317 (DNS for CIDR), and RFC 2845 (DNS TSIG). Vixie’s other interests are Internet governance and policy, and distributed system security.


• PRESS CLIPS •

U.S. government also a villain in piracy act story
By Molly Wood, October 31, 2011

Now that we've had a few days to digest the MPAA-backed Stop Online Piracy Act (PDF), can we all finally agree that the MPAA is evil and Hollywood wants the Internet to die? And then can we stop letting them write laws for us? SOPA is the latest--and perhaps the most brazen--effort in a string of attempts by the MPAA and RIAA to bend the Internet to their corporate will and undermine all kinds of consumer rights. It's a breathtaking piece of work that would give Hollywood and private companies free rein to censor, remove, or prevent the creation of large chunks of the Web. But the industry is only offering such nightmarish law because our government has been letting them get away with Internet murder for years now. SOPA, also called the "E-PARASITE Act" (I mean, really?) is the darker version of the already dark Protect IP Act, which has been dogged by free speech, technical, and even constitutional concerns. But far from offering a reasonable alternative to Protect IP, the House delivered SOPA, which would let content owners bypass cops, courts, and any semblance of due process, and "disappear" entire Web domains like some kind of privatized secret police force. The legislation is shockingly bold. But again, the industry has every reason to believe it's got government on its side--because it does. I truly can't believe how long the Internet community has been fighting--and losing--against the creeping tide of intellectual property crackdown. I wrote a brief history of the wars back in March 2010, when the MPAA and RIAA submitted a wish list to the Office of Intellectual Property Enforcement asking for a wish list of government enforcement that would have created a fully formed copyright police state, featuring government-mandated software that searches for and automatically deletes "infringing" content, warrantless search and seizure, border searches, and much more.
In fact, I've written more words on the topic than I care to count, since at least 2005, and yet the laws keep getting more draconian, the claims bolder, and the laws broader and potentially more damaging. My hope, if I have any left, is that SOPA is so appalling, and there's so much opposition to it, that we can finally see these attempts for the flagrantly ridiculous overreaches that they are, and restore some sanity to the process.

SOPA would allow rights-holders to get court orders to take down Web sites or blacklist entire domains based on accusations of infringement. The "infringements" themselves can constitute a single link on a single page of a site, or even an accusation that the site is taking steps to "avoid confirming a high probability" of infringement. Let me translate: if someone, anyone, who holds a copyright or trademark on anything, thinks you're deliberately not doing anything about something they consider infringement, they can get your site taken offline and there's virtually nothing you can do to stop them. What? There's more, and the "more" is even more insidious. The bill would also allow a rightsholder to send an infringement notice to an ad network like Google or a payment processor like Mastercard or Visa. In that case, with zero legal proof of infringement, the ad networks or payment processors would have five days to stop doing business with the accused site--an accuser can kill the alleged infringer's business, with, again, no proof or legal recourse. The bill almost completely dismantles the DMCA-enacted safe harbor provisions. Infringement claims, for all intents and purposes, don't even have to be valid. There's no burden of legitimacy to protect sites from content owners lobbing bogus claims, and since there's no due process involved, the damage would long since be done by the time an accused site ever managed to clear its name. There's no penalty for content owners whose claims might be found to be bogus, and there's very little redress for accused sites. The bill would also require far more active involvement and policing on the part of service providers, and some critics say it would go so far as to require service providers to monitor user activity, in order to be able to prove that they haven't been avoiding confirming the possibility of infringement. 
Plus, the over-broad and vague language in the bill would mean that despite its stated focus on "rogue foreign sites," its provisions could easily be applied to legitimate sites like eBay, YouTube, Twitter, Amazon, or even Google itself. And because entire domains can be blacklisted at any point, ISPs like Comcast would have to maintain giant lists of censored material, and, as the CEA points out, "SOPA incentivizes Internet sites that do not want to face liability under this bill to censor their content from users in the United States, which in turn incentivizes oppressive regimes and countries that regulate free speech to require U.S. Internet companies to censor content from citizens in those countries." Simply put, it's a nightmare. By my reading, there's nothing acceptable about SOPA. I'm not alone in this assessment. The Electronic Frontier Foundation pledges a multi-installment series on how SOPA will destroy the Internet and kill innovation, saying it simply cannot be fixed and must be killed. And they've got unlikely bedfellows: even a major Tea Party faction has come out against SOPA and the Protect IP Act, calling them dangerous Internet censorship bills--which they are. Gary Shapiro, president and CEO of the Consumer Electronics Association, writes that venture capitalists are concerned that the bill will slaughter startups in droves and kill innovation and job creation with a toxic, threatening cloud of potential litigation. Rep. Zoe Lofgren, the Democrat who represents Silicon Valley, tells CNET the bill would "mean the end of the Internet as we know it."

The question isn't whether SOPA and Protect IP should be killed. The question is how have we gotten ourselves in a position where these bills were proposed at all? Arguably, it's because when they're not sitting in the pockets of banks and financial institutions, our government and certainly the current administration is busy in bed with Hollywood. The current administration has been cheerfully ceding your rights to the MPAA and RIAA since it took over the White House. Wired recently published e-mails obtained under the Freedom of Information Act that show the U.S. copyright czar, Victoria Espinel, and other high-ranking administration officials cutting friendly backroom deals with the entertainment industry as it pushed forward sweeping new regulations requiring, for the first time, ISPs to crack down on individual customers suspected of violating copyright. Vice President Joe Biden has a long history of voting for RIAA-backed measures and against consumer friendly technology regulations. And President Obama has been a staunch supporter of strict intellectual copyright laws and of negotiating the potentially nightmarish Anti-Counterfeiting Trade Agreement in secret--not to mention appointing five RIAA lawyers to the Justice Department. Under the current administration, the entertainment industry has managed to push through scenarios considered impossibly overreaching just a few years ago, including this summer's announcement that ISPs would have to police their own customers and adopt a "graduated response" to piracy allegations. And the industry only grows bolder--one can easily imagine, given the inflammatory language of SOPA, that the MPAA simply wrote it up and handed it to its purported author, Rep. Lamar Smith. After all, the bill's enormous collection of regulatory burdens would seem to create internal conflict in a representative who is otherwise against enormous and expensive collections of regulatory burdens.
As opposition rightfully grows against SOPA, the attempts by the MPAA to prop it up feel even more desperate and cynical. A press release today quotes the Fraternal Order of Police discussing the importance of stopping "rogue Web sites" from creating and selling counterfeit gloves and brake pads that could put police at risk, worrying over counterfeit pharmaceuticals and tooth paste that "put our seniors and our children at risk," and pointing out that "organized gangs" profit from counterfeit DVDs and then use those ill-gotten gains to wreak havoc here at home. I suspect the FOP understands the legislation they're supporting about as well as Rep. Smith does. The situation is, in a nutshell, ludicrous. And it's long past time to put a stop to this slow and steady corporate villainy, and the politics that keeps enabling it. Act now, as the EFF says, and let your representatives know that SOPA and Protect IP are unacceptable. And if that fails ... Occupy Sunset Boulevard? I'll get my tent ready.

Stop The Internet Blacklist Bill
By David Segal and Patrick Ruffini, August 28, 2011

We are Tea Partiers and bleeding-heart liberals, we are artists and investment bankers, we represent the left and the right, and we support Senator Wyden as he comes forward, yet again, as a stalwart champion for First Amendment rights, innovation and digital security. The problem at hand is a bill called the "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act" (PROTECT IP) and it aims to permanently change our digital landscape – that's why we're calling it what it is: The Internet Blacklist Bill. Imagine you're the successful owner of a heavily trafficked website. Your income and that of those with whom you work depends entirely on the advertising revenue and payments provided by visitors to your site. One day, without warning, your site no longer appears at its domain, your advertisers have backed out, and you can't even find your site on Google. You've been disappeared – blacklisted by new regulations set by Congress in the PROTECT IP Act. If passed, PROTECT IP would give the government dramatic new powers to target websites dedicated to the illegal distribution of copyrighted content. Violating sites would have their domain disabled in DNS servers (the servers that match the domain name with the numerical IP address and make sure you go to the websites you want to), and all third party sites, including search engines, would be required to remove the site from their registries and disable all links to the domain in question. Even worse, PROTECT IP also includes a "private right of action" that would allow rights holders to obtain a temporary restraining order against a domain in civil court. Instead, big content providers like the RIAA can target websites at their whim, urging courts to shut down anyone they accuse of violating U.S. copyright law.
The entities accused of infringement wouldn't even get their day in court until after they've been shut down – they could appeal to the courts for relief only after the fact. Big interest groups in favor of PROTECT IP have recently pushed the idea that to be against this bill is to handicap aspiring artists and to be in opposition to a fair marketplace. We vehemently disagree. Regulations stipulated in PROTECT IP would cause tremendous damage to the infrastructure and security of the Internet and ultimately undermine the millions of entrepreneurs, businesses and artists who depend on a free, uninterrupted communications platform. Already, venture capitalists, engineers, and entrepreneurs (including Google CEO Eric Schmidt) have penned letters and petitions against PROTECT IP, citing the corrosive effect it would have on digital security and innovation. Human rights activists are terrified that PROTECT IP will provide comfort to totalitarian regimes that seek ever more control over Internet users in their own countries. More than 400,000 Americans have urged their lawmakers to oppose the bill. But ultimately, we are depending on lawmakers, like Sen. Wyden to make the final decisions and defend our rights.

David Segal is Executive Director of the left-leaning Demand Progress and Patrick Ruffini is Executive Director of the right-leaning Don't Censor the Net, which together have generated more than 400,000 anti-PIPA contacts to Congress.

Tea Party Patriots oppose Leahy’s online piracy bill
By Jennifer Martinez, September 27, 2011

Opponents of a bill to crack down on intellectual property theft online picked up an unlikely ally over the weekend: Tea Party Patriots. Joining liberals such as Sen. Ron Wyden (D-Ore.) in opposing the Democrat-sponsored measure, the prominent tea party group took a swipe at the anti-piracy bill known as the PROTECT IP Act. The bill is aimed at cracking down on foreign websites that offer copyrighted content illegally. In a Facebook posting, the group called the bill a “severe government overreach in the area of intellectual property.” The Tea Party Patriots warned its Facebook followers that the bill would empower the government to shut down websites without warning. “Have your own website? Maybe the government will shut it down tomorrow ... without any notice to you. Republicans are going to introduce this in the House, Democrats in the Senate,” the group wrote in the post. “WHAT??? Big Labor, Hollywood, U.S. Chamber of Commerce all in this together ... against you.” The post also linked to an editorial written by Patrick Ruffini, executive director of the right-leaning Don’t Censor the Net, and David Segal, executive director of Demand Progress, a left-leaning civil liberties group. The founder of Demand Progress, Aaron Swartz, was arrested and charged earlier this year with breaking into MIT’s computer network and stealing more than 4 million articles from an online archive. The Tea Party Patriots has more than 848,000 followers on its Facebook page and serves as an organizing hub for many of the loosely affiliated tea party groups. Sen. Patrick Leahy (D-Vt.), the author of the PROTECT IP Act, has touted the bill as an important tool in the fight against websites that illegally offer copyrighted entertainment content and products.
The bill is a modified version of a similar piece of legislation Leahy championed last Congress — dubbed COICA, for short — which also triggered a backlash from cyber liberties groups and some key tea party figures. Leahy tweaked the PROTECT IP Act to focus solely on foreign websites that violate copyrights. The bill would give the Justice Department expanded powers to take action against such sites, such as authority to force a credit card company or ad network to cut off business with an infringing site. Ruffini’s group, Don’t Censor the Net, has been an outspoken opponent of the PROTECT IP Act and COICA. At the CPAC conference this February, the group passed out fliers that lambasted COICA and said it could potentially lead to the shutdown of some political blogs. Conservatives are right to be wary of the bill, Ruffini said. “Tea party members have plenty of reasons to be concerned about PROTECT IP because it grants the Obama administration wide-ranging new powers over the Internet and empowers trial lawyers to launch frivolous [lawsuits] against U.S. companies to compel them to take websites off the Internet,” Ruffini said in an email. Wyden is leading opposition to the bill in the Senate. He placed a hold on the PROTECT IP Act shortly after it was introduced this spring, arguing that it would discourage innovation of new Web products and shut down sites that host protected speech. He also warned it could hurt U.S. relations abroad.

Venture Capitalists Join Internet Blacklist Bill Backlash
By David Kravets, Wired, October 31, 2011

It’s no surprise that the proposal by Rep. Lamar Smith (R-Texas) to boost the government’s authority to disrupt and shutter websites that hawk or host trademark- and copyright-infringing products would draw a harsh reaction from interest groups like Public Knowledge and the Electronic Frontier Foundation. Rep. Zoe Lofgren (D-California), whose district includes the headquarters of Google, Facebook and Apple, blasted last week’s proposal, too, saying if the measure passed, “this would mean the end of the internet as we know it.” That’s not surprising, given the bill allows private parties, without a hearing from a judge, to cut off ad dollars to sites they say host pirated or trademarked content; lets the government order search engines and ISPs to make it impossible for users to reach blacklisted sites; and criminalizes technology that would get around the blacklist. However, we didn’t expect to see venture capitalists staking out a position so soon. Mike Masnick over at techdirt directs our attention to an open letter to Christopher Dodd, the Motion Picture Association of America’s chief executive, and huge supporter of Smith’s legislation. Signing onto the letter, which asks Dodd to end support for the Stop Online Piracy Act, are some venture capitalists like Brad Burnham and Fred Wilson of Union Square Ventures, which has invested in Twitter, Etsy, Kickstarter, DuckDuckGo, and Tumblr, among other companies. A bill like SOPA creates so much liability that it would be impossible for two engineers in a garage to build the next great startup unless they also had a dozen lawyers sitting with them. We can’t help the artists and creators who were in our group with the new platforms they rely on, if these new innovative startups don’t even bother starting. We can’t help the users and participants who want new and convenient and legitimate access to content, as well as ways to make their own content.
At the end of the day, both Silicon Valley and Hollywood work best when we focus on creating and providing what our consumers want.

Smith’s legislation is expected to clear the House Judiciary Committee, which Smith heads, on Nov. 16. It has an uncertain fate on the House floor and in the Senate, where similar legislation has stalled.

SOPA: Hollywood's latest effort to turn back time
By Larry Downes, November 1, 2011

Commentary: The introduction late last week by members of the House Judiciary Committee of the "Stop Online Piracy Act," or SOPA, may test a long-standing reluctance by technology companies to take up arms in the legislative battleground. The bill, introduced as the House version of the Senate's Protect IP Act, solves few of the glaring problems of the Senate bill and introduces many all its own. While Rep. Zoe Lofgren (D-Calif.) may have given in to hyperbole in calling SOPA "the end of the Internet as we know it," there is certainly a great deal in the bill that should concern even law-abiding consumers and leaders in the tech community.

Has Washington finally gone too far?

House leaders assured Silicon Valley they would correct serious defects in the Senate bill. Unfortunately, SOPA does just the opposite. It creates vague, sweeping new standards for secondary liability, drafted to ensure maximum litigation. It treats all U.S. consumers as guilty until proven innocent. If passed, the bill would give media companies unprecedented new powers to shape the structure and content of the Internet. Critics of Protect IP pointed out that most of its provisions would only harm innocent foreign Web sites, since truly rogue Web sites could easily engineer around all of its provisions. Rather than give up on the idea of legislating a fast-changing Internet, the House authors have instead built in as many alternative definitions, open-ended requirements, and undefined terms as they could. The result is not a better piece of legislation. It is simply one with no real boundaries. The House version throws legal and technical spaghetti against the wall, hoping some of it will stick. The House bill, for example, dubbed the "E-PARASITE Act," proposes alternative versions of several provisions from Protect IP, including new authority for the attorney general to cut off access and funding for "parasite" foreign Web sites. (SOPA requires the U.S. copyright czar to determine the extent to which these foreign infringers are actually harming U.S. interests, data collection that logically should precede such sweeping new powers.) Once the Justice Department determines a site "or a portion thereof" is "committing or facilitating" certain copyright and trademark violations, it can apply for court orders that would force ISPs and others who maintain DNS lookup tables to block access to the site. Search engines (a term broadly defined that includes any website with a "search" field), along with payment processors and advertising networks, can also be forced to cut ties with the parasites. Operators of innocent sites have limited ability to challenge the Justice Department's decision before or after action is taken. SOPA also includes its own version of another Senate bill, which would make it a felony to stream copyrighted works. The House version allows prosecution of anyone who "willfully" includes protected content without permission, including, for example, YouTube videos where copyrighted music is covered or even played in the background. While supporters deny that such minimal infractions would meet the bill's definition of "willfully," the actual text suggests otherwise. Prosecutors need only demonstrate that the use had a total "retail value" of more than $1,000. To avoid a felony conviction, a defendant would have to prove they reasonably believed their conduct was lawful, as for example someone in a "bona fide commercial dispute" over the scope of a license to use the content. The House bill also makes significant changes to provisions in the Senate bill that afford new enforcement tools to private holders of copyrights and trademarks. This "market-based system," as SOPA calls it, greatly extends existing provisions of the 1998 Digital Millennium Copyright Act, under which copyright holders can easily issue takedown notices for unlicensed use of protected content.
SOPA's "market based" provisions are not limited to foreign Web sites. Indeed, they apply to any site or "portion of" a site that is "dedicated to theft of U.S. property," a new category broadly defined by the bill. Under the new law, rightsholders could force payment and advertising networks to cut ties to such sites simply by sending a letter to their authorized agents (who must register with the U.S. copyright office). Site owners can object, in which case the private parties may sue to enforce their claims, similar to the new powers afforded the Department of Justice. Unlike the DMCA, SOPA provides little penalty for wrongly targeting websites that turn out not to be "dedicated to theft of U.S. property." Ad networks and payment processors are immune from liability if they fail to respond to a site's counterclaim, and damages to the site operator are only available if a claim "knowingly materially misrepresents" that the site satisfies the new definition. These extensions are both extreme and unnecessary. For U.S.-based sites, the DMCA has proven highly effective, working in many cases automatically based on "reference files" provided by rightsholders. Though obviously not perfect, economists and legal scholars believe the DMCA has proven to be a cost-effective solution that protects content without squelching innovation. SOPA's supporters have apparently concluded otherwise. Speaking on Monday to The Hill, Rep. Bob Goodlatte (R-Va.), one of SOPA's sponsors, said that while Congress is willing to continue tinkering with specific language in the bill, it "is unrealistic to think we're going to continue to rely on the DMCA notice-and-takedown provision." Instead, under SOPA, "Anybody who is involved in providing services on the Internet would be expected to do some things."

Technology advocates cry foul; Silicon Valley slumbers on

Despite the assurances of its supporters, SOPA may represent the most intrusive and dangerous effort yet to micromanage Internet infrastructure and services. A wide range of technology-oriented advocacy groups were quick to cry foul. The Electronic Frontier Foundation, in its initial review of the bill, determined the legislation would cause irreparable harm. "This bill cannot be fixed," the organization wrote on its Web site; "it must be killed." The Center for Democracy and Technology's David Sohn, similarly, called out the bill's broad and vague new standards for "facilitating" copyright and trademark infringement. He argues that SOPA effectively introduces new monitoring requirements for all websites that allow user content, even comments posted to blogs. Rightsholders, Sohn wrote, need only "a good faith belief that a Web site is 'avoiding confirming' infringement, and they can demand that payment systems and advertising networks cease doing business with the Web site." And Gary Shapiro, president and CEO of the Consumer Electronics Association, pulled no punches in an article Monday calling for rejection of both the House and Senate bills. "The Protect IP Act and SOPA will do plenty of harm," he wrote, "without providing any real assurance that they will stem the flow of digital piracy." The response from leading technology companies and Internet Service Providers, on the other hand, has been muted. This is also not surprising. At best, Silicon Valley historically leaves advocacy groups and trade associations to work with Congress on technology-focused legislation, preferring to avoid direct contact with federal and state regulators. For decades, even the largest technology leaders have dealt with Washington like a baby playing peek-a-boo: by covering their eyes and imagining themselves invisible.
If that was ever a sensible strategy, failure by innovators and entrepreneurs to engage the legislative process has become certifiably dangerous. As the information economy increasingly becomes the only economy, regulators around the world are looking for ways to assert their authority. The result, over the last few years, has been a flurry of legislative initiatives both in the U.S. and abroad. Legislation has been introduced that would apply or adapt a vast corpus of industrial-age laws to online behavior, including not only copyright and trademark abuse but also privacy, crime, antitrust, net neutrality, spam, spyware, data retention and data disclosure, geolocation services, pornography, gambling, electronic surveillance, taxation, and patents. Much of it fails to become law, which as a general rule is a good thing. While digital life is hardly without its problems, the likelihood that solutions will come from disconnected legislators is low. Most of the hearings I've attended over the last few years begin with members of Congress confessing their ignorance of the particular technologies under investigation. All they know is that their kids are using them, which seems to suffice for expertise. But the last decade has provided ample evidence to the contrary. Washington is far more likely to produce unintended consequences than effective responses, especially when it focuses on flavor-of-the-month technology crises that change quickly.

Hollywood vs. Silicon Valley: Round Infinity

Whatever the ultimate fate of SOPA, the bill's introduction may at last awaken Silicon Valley from its regulatory slumbers. That change could not come too soon. The bill's 79 pages of legalese do little to disguise its real agenda--to give Hollywood the kind of control over the Internet it has tried and failed to assert over every new media technology since the invention of the player piano. Let's be clear: SOPA is not the first and will certainly not be the last effort by Hollywood to stage a regulatory coup. At its core, the bill demonstrates once again that content providers have still not come to terms with the reality of the Internet--the latest innovation to upset traditional business models. While Hollywood has taken baby steps to embrace the potential of the digital revolution, very little has changed since 1982, when MPAA President Jack Valenti famously testified that the invention of the VCR was "to the American film producer and the American public as the Boston strangler is to the woman home alone." After all, the studios tried and failed to have VCRs banned. In the end, video became one of many disruptive technologies that ultimately saved the industry. The Internet is likely to do the same. But after failing to stuff the genie back in the bottle early on, content providers still struggle a decade later to find new ways of doing business that take advantage of the technologies and devices consumers are clearly eager to embrace. In the absence of legitimate, appropriately-priced alternatives, consumers always create their own channels and invent their own services. Often, it must be said, those alternatives violate copyright and trademark.
Along the way, consumers and others who dare to test new services and new devices are punished harshly, only to be replaced by more resilient successors. Napster is gone, but iTunes thrives. But the solution isn't to strengthen the law, choking off innovation. The solution is to give consumers what they want, which Hollywood always, if begrudgingly, figures out how to do.

If parasitic foreign Web sites are truly costing the U.S. economy significant losses (a claim made regularly by content industries but without credible data to back it up), then the best use of government resources is not to surgically remove hyperlinks and DNS table entries. Rather, we should step up the pressure on foreign governments to enforce their own laws and international treaties extending U.S. protections abroad. And indeed, one positive development in SOPA is a provision that does just that. It requires both the State and Commerce Departments to make protection of U.S. copyright and trademark a priority in both diplomatic and trade negotiations. To fulfill SOPA's stated goal of reducing foreign infringement of U.S. interests, that section should have been the beginning and the end of the bill. The proposed legislation, unfortunately, goes much farther, losing sight of any actual harms in need of legislative correction, and invoking repeatedly the likely application of the law of unintended consequences. Stripped of their obfuscations, SOPA and Protect IP suggest increasing desperation by media companies. A bill that was to target only the "worst of the worst" foreign Web sites committing blatant and systemic copyright and trademark infringement has morphed inexplicably into an unrestricted hunting license for media companies to harass anyone--foreign or domestic--who questions their timetable for digital transformation. Nothing can change the fact that Hollywood's way of life is transforming once again. The only unknown is time--will a profitable future for digital content arrive in a few years or will it take another decade? SOPA only seeks to delay the inevitable, at the cost of wasteful litigation and overzealous law enforcement. As anyone knows who's ever watched a Hollywood movie about time travel, trying to change history always turns out badly, usually with an ironic twist. Technology companies, that's your cue.
Whether you like it or not, you've been cast in the role of villain. You can still be the hero.

Dot.Commentary: Stop Online Piracy Act would stop online innovation
By James Temple
November 2, 2011

A bipartisan bill introduced last week in the House of Representatives would mark a fundamental change in Internet law, shifting liability for copyright piracy from the infringer to the host website. It would chip away at critical safeguards that have shaped the Internet as we know it today, and many worry it would make it far more difficult for the next YouTube, Facebook or Craigslist to emerge and succeed. The Stop Online Piracy Act (SOPA) is the counterpart to the Senate's pending PROTECT IP Act, which already had rights groups, academics and many online businesses up in arms. But the House bill goes much further. The goal of both bills is to give copyright holders stronger legal tools to go after sites that host unauthorized or counterfeit music, movies, software or goods, in particular "rogue" overseas sites that largely lie beyond the reach of U.S. law. It's a worthy goal, but not one worth sacrificing a critical enabler of online innovation, job creation and expression. "The limitation, censorship or stunting of such tools - because they may not support the guidelines of SOPA - would inevitably be bad for content creators and democracy more broadly," said Aaron Levie, chief executive officer of Box.net, a Palo Alto online storage and collaboration service. It's impossible to understand what the bill could do without first understanding the enormous influence of the Digital Millennium Copyright Act. By inoculating online businesses and Internet service providers against users' actions, the 1998 law created a legal environment where companies like Yelp, YouTube, eBay, Craigslist and Facebook could thrive.

Transferring liability

It invited these companies to create lively and dynamic open forums, where people could post videos, sell things, share opinions, highlight articles and much more. That's because it removed the risk that the few users among millions who post copyrighted material, libelous statements or counterfeit goods would subject the site to business-crushing legal liabilities. (Not that various media giants haven't tried anyway.) The DMCA isn't a free pass, as services are only protected so long as they act quickly when notified of illegal activity. But it correctly places the ultimate blame on the infringer, and the onus to police such activity on the copyright holder. Much of this could change under SOPA. Under one section, the U.S. attorney general could, with a court order, effectively block or cut off funds to a foreign but "U.S. directed" site that is "committing or facilitating the commission of criminal violations." The order could force Internet service providers to prevent customers from reaching the site. Search engines could be forced to remove links, and ad networks and payment processors would have to cut off the flow of funds. There are lots of concerns here, including the amount of discretion it hands to the attorney general. But another big worry is that blocking the domain name for one infringing site (say, latviablogging.com/counterfeitrolexes) could prevent access to thousands of innocent ones also hosted under that domain (like latviablogging.com/motherscookierecipes). "It is inevitable that there will be bad behavior on any site that has thousands and thousands of dedicated subsections," said Dane Jasper, CEO of Santa Rosa Internet service provider Sonic.net. Cutting off the entire site's traffic and funds amounts to an "Internet death penalty" without a trial, he said.

Shifting site policing

The next section of the bill offers even less in the way of due process, while broadening the definition of sites that can be affected. Under it, a rights holder could direct an ad network or payment processor to suspend services for a purportedly infringing site. A court process would begin only if the site files a counter notification within five days or the ad network or payment processor declines to comply with the directive. This section of the bill appears to apply to both U.S.-based sites and foreign ones, or even a portion of a site, if it's "dedicated to theft of U.S. property." One of the key definitions of that is if a site "is taking, or has taken, deliberate actions to avoid confirming a high probability" of infringement. Public Knowledge, a Washington, D.C., public interest group, helpfully boiled down that clumsy legalese to: "lacking sufficient zeal to prevent copyright infringement." In other words, it would place the responsibility for detecting and policing infringement onto the site itself, rather than content owners, as required under the DMCA. "There's really not much question that this bill is designed to do an end run around the DMCA," said Corynne McSherry, intellectual property director at the Electronic Frontier Foundation, a digital rights group in San Francisco. "What has been affirmed by court after court is that service providers do not have to affirmatively police infringement. That's a good thing because it's a terrible burden to put on a service provider."

Who is in favor

A large number of big business trade groups are pushing for the measure, including the Motion Picture Association of America, the Recording Industry Association of America and the U.S. Chamber of Commerce. The organizations argue that the bill only targets the worst offenders. They further point out that online theft costs the U.S. economy billions of dollars each year and that consumers can be harmed by defective goods purchased on rogue sites. These are compelling arguments that something should be done, but not something this broad and heavy-handed. The language leaves too much room for rights holders to determine what sites to target. Recall, these are groups that, had they had their druthers, would have killed YouTube and Napster in their infancy. In the end, those sites fundamentally altered the way we buy and consume media - for the better, most would argue. Even the much reviled (and ultimately unsuccessful) Napster pointed the way for a service like Apple's iTunes. That created a way for both consumers and media companies to benefit from digital distribution.

Protecting Internet

Protecting intellectual property is critical, but so is protecting the Internet and all of the innovation it delivers. "The Internet has worked because it is open," Jasper said. "That brings with it some negative effects: hate speech, harassment and crime. But it has also enabled a communications and education revolution that touches every corner of the globe." "To tamper with that," he said, "is an area fraught with much risk."

'Privacy' Bill Threatens to Censor Huge Swaths of the Internet
By James R. Hood
November 3, 2011

A bill slithering through Congress gives companies new power to shut down Internet sites that offend them, all in the name of curtailing "piracy" of copyrighted material. But critics like CNET's Larry Downes call it "Hollywood's latest effort to turn back time." The Stop Online Piracy Act (SOPA) would require Internet intermediaries -- meaning your ISP, Facebook and sites like this one -- to censor any posting that supposedly violated intellectual property laws. Critics like Rep. Zoe Lofgren (D-CA) say SOPA "would mean the end of the Internet as we know it." Canadian pop star Justin Bieber went even further in a radio interview last week, suggesting that any member of Congress who votes for the bill "needs to be locked up — put away in cuffs."

'Rogue' sites

The bill, sponsored by Rep. Lamar Smith (R-TX) and others, would authorize the Justice Department to seek injunctions against "rogue" websites dedicated to providing access to pirated goods or content. It would also allow the government and rights holders to demand that third parties, including payment processors and online ad networks, cut ties with such sites. Ironically, Smith, who chairs the House Judiciary Committee, claims to be a foe of "unnecessary regulations," and frequently touts his committee's passage of a bill that would supposedly "reform the federal regulatory process and reduce unnecessary burdens on job creators." Smith and his fellow SOPA sponsors say the measure is necessary to stop Americans from sharing music, movies and other copyrighted material with each other. But technology groups say the bill would be a "nightmare" for Web and social media firms. "[T]his is not a bill that targets 'rogue foreign sites.' Rather, it allows movie studios, foreign luxury goods manufacturers, patents and copyright trolls, and any holder of an intellectual property right to target lawful U.S. websites and technology companies," the Consumer Electronics Association and the Computer and Communications Industry Association said in a letter to members of Congress.

Stifle innovation

The Electronic Freedom Frontier (EFF) says the measure would stifle innovation and creativity and destroy jobs, while making the Internet duller and drabber while making it easy for just about anyone with a grievance to shut down entire sites. "This bill could also have a huge impact on the work of human rights advocates and whistleblowers who depend on online tools to protect their anonymity and speak out against injustice," said EFF's Trevor Timm. "Platforms created to provide anonymity software to human rights activists across the world, as well as next generation WikiLeaks-style whistleblower sites, could be major casualties of this bill — all in the name of increasing Hollywood’s bottom line." Under SOPA, private companies would be able to force payment processors to shut down payments to websites by merely claiming the site “engages in, enables or facilitates” infringement. This broad provision could target websites behind important Internet projects such as Tor, the anonymity network that has been vital for protecting activists from government surveillance in Tunisia and Egypt, Timm said. "Corporations concerned about users illegally downloading music could use SOPA to force Visa and Mastercard to cut off donations to Torproject.org — despite Tor’s aim to facilitate human rights activism, not piracy," he said. Whistleblower sites could also find themselves in trouble if they post any documents related to corporate corruption or law breaking, if those documents contain trade secrets or are copyrightable.

Internet Piracy and How to Stop It
Editorial
June 8, 2011

Online piracy is a huge business. A recent study found that Web sites offering pirated digital content or counterfeit goods, like illicit movie downloads or bootleg software, record 53 billion hits per year. That robs the industries that create and sell intellectual products of hundreds of billions of dollars. The problem is particularly hard to crack because the villains are often in faraway countries. Bad apples can be difficult to pin down in the sea of Web sites, and pirates can evade countervailing measures as easily as tweaking the name of a Web site. Commendably, the Senate Judiciary Committee is trying to bolster the government’s power to enforce intellectual property protections. Last month, the committee approved the Protect IP Act, which creates new tools to disrupt illegal online commerce. The bill is not perfect. Its definition of wrongdoing is broad and could be abused by companies seeking to use the law to quickly hinder Web sites. Some proposed remedies could also unintentionally reduce the safety of the Internet. Senator Ron Wyden put a hold on the bill over these issues, which, he argued, could infringe on the right to free speech. The legislation is, therefore, in limbo, but it should be fixed, not discarded. The bill defines infringing Web sites as those that have “no significant use other than engaging in, enabling, or facilitating” the illegal copying or distribution of copyrighted material in “substantially complete form” — entire movies or songs, not just snippets. If the offender can’t be found to answer the accusation (a likely occurrence given that most Web sites targeted will be overseas), the government or a private party can seek an injunction from a judge to compel advertising networks and payment systems like MasterCard or PayPal to stop doing business with the site.
The government — but not private parties — can use the injunction to compel Internet service providers to redirect traffic by not translating a Web address into the numerical language that computers understand. And they could force search engines to stop linking to them. The broadness of the definition is particularly worrisome because private companies are given a right to take action under the bill. In one notorious case, a record label demanded that YouTube take down a home video of a toddler jiggling in the kitchen to a tune by Prince, claiming it violated copyright law. Allowing firms to go after a Web site that “facilitates” intellectual property theft might encourage that kind of overreaching — and allow the government to black out a site. Some of the remedies are problematic. A group of Internet safety experts cautioned that the procedure to redirect Internet traffic from offending Web sites would mimic what hackers do when they take over a domain. If it occurred on a large enough scale it could impair efforts to enhance the safety of the domain name system. This kind of blocking is unlikely to be very effective. Users could reach offending Web sites simply by writing the numerical I.P. address in the navigator box, rather than the URL. The Web sites could distribute free plug-ins to translate addresses into numbers automatically. The bill before the Senate is an important step toward making piracy less profitable. But it shouldn’t pass as is. If protecting intellectual property is important, so is protecting the Internet from overzealous enforcement.

Policing the Internet
Editorial
June 7, 2011

A Senate bill aims to cut off support for any site found by the courts to be 'dedicated' to copyright or trademark infringement. Its goals are laudable, but its details are problematic. Hollywood studios, record labels and other U.S. copyright and trademark owners are pushing Congress to give them more protection against parasitical foreign websites that are profiting from counterfeit or bootlegged goods. The Senate Judiciary Committee has responded with a bill (S 968) that would force online advertising networks, credit card companies and search engines to cut off support for any site found by the courts to be "dedicated" to copyright or trademark infringement. Its goals are laudable, but its details are problematic. The global nature of the Internet has spawned a profusion of websites in countries that can't or won't enforce intellectual property law. Under S 968, if a website were deemed by a court to be dedicated to infringing activities, federal agents could then tell the U.S. companies that direct traffic, process payments, serve advertisements and locate information online to end their support for the site in question. Copyright and trademark owners would be able to follow up those court orders by seeking injunctions against payment processors and advertising networks that do not comply. Cutting off the financial lifeblood of companies dedicated to piracy and counterfeiting makes sense. A similar approach to illegal online gambling has shown that it is technically feasible for payment processors to stop directing dollars from U.S. bettors to gambling sites anywhere in the world. The operators of the largest online advertising networks say they can do the same, although they object to the bill's proposal to let copyright and trademark owners seek injunctions against them. The main problem with the bill is in its effort to render sites invisible as well as unprofitable.
Once a court determines that a site is dedicated to infringing, the measure would require the companies that operate domain-name servers to steer Internet users away from it. This misdirection, however, wouldn't stop people from going to the site, because it would still be accessible via its underlying numerical address or through overseas domain-name servers. A group of leading Internet engineers has warned that the bill's attempt to hide piracy-oriented sites could hurt some legitimate sites because of the way domain names can be shared or have unpredictable mutual dependencies. And by encouraging Web consumers to use foreign or underground servers, the measure could undermine efforts to create a more reliable and fraud-resistant domain-name system. These risks argue for Congress to take a more measured approach to the problem of overseas rogue sites.

Protect IP Act Gives Government Power to Seize Websites On A Whim
By Paul Joseph Watson
July 6, 2011

New legislation that would give the US government the power to seize website domains on a whim with no oversight merely for linking to sites that host copyrighted material has been labeled a hallmark of “repressive regimes” by a group of law professors who warn that the bill allows the state to “break the Internet addressing system”. The Protect IP bill, currently stalled in the Senate, represents a death blow to Internet freedom of speech. It would turn the entire web into a clone of the YouTube model, which routinely censors and deletes material when requested to by governments or corporations and shuts down user channels without recourse. The legislation merely codifies what Homeland Security is already practicing, seizing and shutting down websites without any form of legal proceedings and in many cases not even notifying the owner. In an open letter penned by Professor Mark Lemley of Stanford University, David S. Levine of Elon University and David G. Post of Temple University, they warn that the bill would require Internet hosting companies and search engines to de-list entire websites on the basis of a mere copyright claim by a copyright holder, with no independent or legal process undertaken. Even linking to a website that copyright holders claim is in violation of intellectual property laws would be grounds for the feds to seize your domain and impose criminal penalties. “At a time when many foreign governments have dramatically stepped up their efforts to censor Internet communications, the [Protect IP Act] would incorporate into U.S. law — for the first time — a principle more closely associated with those repressive regimes: a right to insist on the removal of content from the global Internet, regardless of where it may have originated or be located, in service of the exigencies of domestic law,” states the letter.
Suggesting that removing websites with no oversight whatsoever is a clear violation of constitutional law as interpreted by the Supreme Court, the professors add that the bill would hand government the power to “break the Internet addressing system.”

“It requires Internet service providers, and operators of Internet name servers, to refuse to recognize Internet domains that a court considers “dedicated to infringing activities.” But rather than wait until a Web site is actually judged infringing before imposing the equivalent of an Internet death penalty, the Act would allow courts to order any Internet service provider to stop recognizing the site even on a temporary restraining order or preliminary injunction issued the same day the complaint is filed. Courts could issue such an order even if the owner of that domain name was never given notice that a case against it had been filed at all.” Search engines, credit card companies and even advertisers would then be mandated to refuse to deal with the owners of the site under the proposed law, making it “extraordinarily difficult for advertisers and credit card companies to do business on the Internet.” As we have exhaustively documented, proponents of web regulation like Senator Joe Lieberman have openly stated their intention to create a Communist Chinese-style system of Internet policing, handing Obama the power to block entire areas of the web with a figurative kill switch. Indeed, Amazon’s Cloud network notoriously deleted the entire Wikileaks website from its servers following a phone call made by Senator Joe Lieberman’s Senate Homeland Security Committee demanding the website be axed. 
Lieberman spilled the beans on the true reasons behind the move towards web censorship during a CNN interview when he stated “Right now China, the government, can disconnect parts of its Internet in case of war and we need to have that here too.” During a more recent interview with the network, Lieberman labeled claims that he was working to create an “Internet kill switch” as “misinformation,” yet went on to repeat the same statement that the US government needs the power to “disconnect parts of its Internet in a case of war.” Of course as we have proven, China doesn’t disconnect the Internet “in case of war,” it only ever does so to censor and intimidate people who express dissent against government atrocities or corruption. This is precisely the kind of online environment western governments are trying to replicate as they attempt to put a stranglehold on the last bastion of true free speech – the world wide web.

Protect IP copyright bill faces growing criticism
By Declan McCullagh
June 7, 2011

Technologists are warning that the practical effects of a controversial copyright bill backed by Hollywood will "weaken" Internet security and cause other harmful side effects. As more Internet engineers, networking professionals, and security specialists have evaluated the so-called Protect IP Act that was introduced last month, concern is growing about how it will change the end-to-end nature of the Internet in ways that could do more harm than good. (See CNET's previous coverage.) The Protect IP Act would give the U.S. Department of Justice the power to seek a court order against an allegedly infringing Web site, and then serve that order on search engines, certain Domain Name System (DNS) providers, and Internet advertising firms, who would be required to make the target Web site invisible. It's sponsored by Senate Judiciary Committee Chairman Patrick Leahy, a Vermont Democrat, and aims to target overseas Web sites. An analysis (PDF) prepared by five Internet researchers lists the problems with that approach. Among them: it's "incompatible" with a set of DNS security improvements called DNSSEC, innocent Web sites will be swept in as "collateral damage," and the blocks can be bypassed by using the numeric Internet address of a Web site. The address for CNET.com, for instance, is currently 64.30.224.118. Another concern, the authors said, is that the filters could be circumvented easily by using offshore DNS servers not subject to U.S. law. That "will expose users to new potential security threats" not present if they continued to use, say, Comcast's or AT&T's DNS servers. Fake DNS entries can be used by criminals to spoof Web sites for banks, credit card companies, e-mail providers, social-networking sites, and so on.

Circumvention by using offshore servers "will also mean that ISPs gain less data on network security threats, since they use their DNS services to monitor systems and guard against denial-of-service attacks, identify botnet hosts, and identify compromised domains," wrote Public Knowledge attorney Sherwin Siy in a blog post yesterday. The technical paper was authored by Steve Crocker, a longtime member of the Internet Engineering Task Force; David Dagon, a post-doctoral researcher at Georgia Institute of Technology; security researcher Dan Kaminsky; Verisign Chief Security Officer Danny McPherson; and Paul Vixie, chairman of the Internet Systems Consortium and principal author of popular versions of the BIND DNS server software. It's not entirely clear how broad the Protect IP Act's authority would be. An earlier draft (PDF) of the legislation would have allowed the Justice Department to order any "interactive computer service"--a phrase courts have interpreted to mean any Web site--to block access to the suspected pirate site. But the final version (PDF) refers instead to an "information location tool." That's defined as a "directory, index, reference, pointer, or hypertext link," which would certainly sweep in Google, Yahoo, and search engines, and may also cover many other Web sites. The technical paper joins other criticism of Protect IP, including that from the Electronic Frontier Foundation, which has created a petition saying the measure will "invite Internet security risks, threaten online speech, and hamper Internet innovation." EFF and other like-minded advocacy groups, including the American Library Association and Human Rights Watch, sent a letter (PDF) last month to the bill's Senate sponsors saying the legislation goes too far. Google Chairman Eric Schmidt has panned it.
Internet industry trade associations, including the Consumer Electronics Association and NetCoalition, said in a separate letter (PDF) that Protect IP has a real "potential for unintended consequence and require intense scrutiny and study." (CNET's parent company CBS has been a member of NetCoalition.) All this criticism hasn't done much to slow the bill's momentum so far. On May 26, the Senate Judiciary committee voted unanimously to send the bill to the floor for a vote. "The small businesses, artists, entrepreneurs, software designers, local journalists and every other segment of the creative community support the (Judiciary committee's decision) today," Sandra Aistars, director of the Copyright Alliance, a group backed by copyright owners, said after the committee vote. The U.S. Chamber of Commerce, too, is an enthusiastic supporter. Sen. Ron Wyden, an Oregon Democrat, has placed a hold on the bill, saying Protect IP takes an "overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective." That hold could be defeated through a cloture vote, a significant hurdle but not an insurmountable one.

How The Protect IP Act Could Break The Internet
By Karl Bode
June 1, 2011

Over the last few months the Immigration and Customs Enforcement (ICE) office of the Department of Homeland Security has launched a new campaign that involves seizing the domains used by websites involved in copyright infringement, the sale of counterfeit goods or child pornography. The problem is that the program has been borderline incompetent, taking legitimate foreign businesses offline, as well as earlier this year causing the outage of 84,000 largely legal websites after seizing the domain of a free DNS service operator. After several failed attempts to pass a law codifying the government's efforts to seize and/or filter domains deemed dedicated to infringing activities, Uncle Sam's Protect IP Act is now winding its way through the legislative process. While politicians are pushing the bill at the behest of entertainment industry lobbyists, experts in DNS functionality continue to warn that the bill's focus on DNS filtering could fundamentally break the Internet. Techdirt directs our attention to a new report (pdf) from researchers that issues some dire warnings about Protect IP. Specifically, analysts claim the bill could create additional security risks, limit ISP security analysis, degrade CDN performance, and result in false positives: Two likely situations ways can be identified in which DNS filtering could lead to nontargeted and perfectly innocent domains being filtered. The likelihood of such collateral damage means that mandatory DNS filtering could have far more than the desired effects, affecting the stability of large portions of the DNS.....We believe that the goals of PROTECT IP can be accomplished without reducing DNS security and stability, through strategies such as better international cooperation on prosecutions and the other remedies contained in PROTECT IP other than DNS-related provisions. We urge Congress to reject the DNS filtering portions of the Act.
The paper's authors include folks like Dan Kaminsky, Verisign CSO Danny McPherson, Paul Vixie and Georgia Tech DNS security expert David Dagon. The entertainment industry is downplaying these concerns, while the politicians pushing this law (as is usually the case in tech legislation) have little understanding about the law they're trying to pass at lobbyist behest.

Senator Blocks Controversial Copyright Bill
By Grant Gross
May 27, 2011

A U.S. senator has blocked a controversial bill that would enlist ISPs, search engines and other businesses in blocking access to alleged websites infringing copyright. Senator Ron Wyden, an Oregon Democrat, has blocked the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PROTECT IP Act, from coming to the Senate floor for a vote. On Thursday, just two weeks after the bill was introduced, the Senate Judiciary Committee unanimously voted to move the PROTECT IP Act to the Senate floor. Under Senate rules, a single senator can place a hold on a bill, although the block can be overridden by a 60-vote majority. The PROTECT IP Act would allow the U.S. Department of Justice to seek court orders requiring search engines and ISPs to stop sending traffic to websites accused of infringing copyright. The bill would also allow copyright holders to seek court orders requiring payment processors and online ad networks to stop doing business with allegedly infringing websites. The legislation would attack free speech online and hurt e-commerce, Wyden said. "I understand and agree with the goal of the legislation, to protect intellectual property and combat commerce in counterfeit goods, but I am not willing to muzzle speech and stifle innovation and economic growth to achieve this objective," he said in a statement. "At the expense of legitimate commerce, [the bill's] prescription takes an overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective. The collateral damage of this approach is speech, innovation and the very integrity of the Internet." Wyden called the Internet the "shipping lane" of the 21st century. "It is increasingly in America's economic interest to ensure that the Internet is a viable means for American innovation, commerce, and the advancement of our ideals that empower people all around the world," he said.
"By ceding control of the Internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the Internet, [the bill] represents a threat to our economic future and to our international objectives."

Critics of the bill have said it would lead to hundreds of court cases brought by copyright owners against online businesses. The legislation would lead to a blacklist of Internet sites and compromise the Internet's Domain Name System, critics have said. But backers of the bill have said new methods are needed to combat copyright infringement by foreign websites. The bill would target the worst foreign websites trafficking in digital piracy and counterfeit goods and would dry up their business by focusing on user traffic, advertising and payments, proponents said. "Copyright infringement and the sale of counterfeit goods can cost American businesses billions of dollars, and result in hundreds of thousands of lost jobs," Senator Patrick Leahy, a Vermont Democrat and lead sponsor of the bill, said Thursday. U.S. law enforcement agencies are limited in their ability to combat infringing websites operated overseas, Leahy added in a statement. "American consumers are too often deceived into thinking the products they are purchasing at these websites are legitimate because they are easily accessed through their home's Internet service provider, found through well known search engines, and are complete with corporate advertising, credit card acceptance, and advertising links that make them appear legitimate," he said. Wyden blocked a similar bill, the Combating Online Infringement and Counterfeits Act, or COICA, after the Senate Judiciary Committee passed it in late 2010. COICA would have expanded federal agencies' power to seize the domain names of allegedly infringing websites.

Blacklists, ahoy! PROTECT IP Act sails on to Senate floor
By Nate Anderson May 26, 2011 The Senate Judiciary Committee this morning unanimously approved the PROTECT IP Act by a voice vote after a brief markup; the hugely controversial Internet blacklisting bill now moves to the Senate floor with minimal changes, and may—or may not—soon come to a vote. The bill builds on last year's proposed COICA legislation, which would have given the government power to go to court and get a website's domain name blocked from American DNS servers. Credit card companies and advertising networks would be forbidden to do business with such sites. The bill was also passed unanimously by the Senate Judiciary Committee, but Sen. Ron Wyden (D-OR) put a hold on the bill when it came to the floor. The new version tightens up its definition of infringing sites, but adds things like a “private right of action” for companies who want to cripple sites without waiting for the government to get involved. Search engines are also prohibited from linking to blocked sites. Major rightsholders are particularly thrilled. The MPAA and the cable lobby both expressed enthusiastic support, and the US Chamber of Commerce said in a statement, "Rogue sites and their operators contribute nothing to the US economy. They do not innovate, they do not pay taxes, they do not follow safety standards, and they do not follow the law. Today’s vote serves as a wakeup call to those who illicitly profit at the expense of American businesses and consumers—the US will not tolerate your careless, reckless, malicious behavior." Will the bill get a vote in the Senate this time? Wyden has been cautious in his public statements, previously suggesting that certain changes to the bill could make it more palatable to him. He did make clear, however, that the bill in "its current form" was not acceptable. As he told Ars when we spoke a month ago, "If the new version of COICA is like last year's version of COICA, I will do everything in my power to block it." 
Back on May 12, when the PROTECT IP Act was introduced, Wyden said it would be "hard to consider legislation that would give the Departments of Justice and Homeland Security additional authorities to combat online content infringement… While the departments finally responded to questions that I sent them more than three months ago, their responses reveal a single-minded determination to stamp out online infringement and demonstrate little if any understanding of the Internet’s value and function." Of particular concern is "their refusal to explain how linking is different than free speech. Given that hyperlinks in many ways form the foundation of the Internet, efforts to go after one site for linking to another site—which the Administration is currently doing and the Protect IP Act would expand on—threaten to do much more than protect IP." Update: Sen. Wyden has placed a hold on the bill.

US companies clash on bill aimed at online piracy
By Doug Palmer May 25, 2011 A broad coalition of U.S. entertainment, sports and publishing companies on Wednesday rallied support for a bill to get tough on foreign websites that pirate their goods, one day before a vote on the legislation in the Senate Judiciary Committee. "We think it's an important step forward to better address the problem of offshore digital piracy," said Mike Mellis, senior vice president and general counsel for MLB Advanced Media, the digital arm of Major League Baseball that provides online streaming video of games and mobile applications to about two million subscribers mostly in the United States. Sports leagues in the United States, Europe and other countries face a growing problem with websites that steal and redistribute their digital content. Many are foreign websites outside the jurisdiction of U.S. law, Mellis said. The Judiciary Committee bill gives the U.S. Justice Department new tools to go after domestic Internet service providers, advertisers, payment processors and search engines that help these websites operate. It is supported by 170 companies and business groups, including the Motion Picture Association of America, the Recording Industry Association of America, the Walt Disney Co. (DIS.N), Time Warner (TWX.N) and Viacom (VIAb.N). "Websites dedicated to trafficking in counterfeit products and digital theft dupe consumers, steal our jobs and threaten the vibrant Internet marketplace," U.S. Chamber of Commerce President Tom Donohue said in a statement. U.S. industries that depend on strong intellectual property protection account for more than $7.7 trillion of U.S. economic output, drive 60 percent of U.S. exports and employ more than 19 million Americans, the business group said. But another coalition representing computer, communication, electronic and Internet companies expressed concern about provisions of the bill that they said would "undoubtedly inhibit innovation and economic growth."

"We urge the committee to continue to pursue a process that can result in legislation that all can support," the groups said in a letter to the top Democrat and Republican on the Senate Judiciary Committee. Internet giants Google (GOOG.O), eBay (EBAY.O) and Yahoo! (YHOO.O) joined with American Express (AXP.N), Discover (DFS.N), Visa (V.N) and PayPal (PAPXX.O) in a separate letter to raise alarm about parts of the bill. Those companies said they particularly feared the effect of a provision allowing a private copyright or trademark owner to bring action against a domain name associated with a website dedicated to providing pirated or counterfeit goods. Since many domain name owners are unlikely to respond to such complaints, the brunt of the legislation would fall on advertising networks and payment processors used by the websites, the Internet and financial services companies said. That could create a "one-sided litigation machine with rights owners mass-producing virtually identical cases against foreign domain names for the purpose of obtaining orders to serve on U.S. payment and advertising companies," they said.

Tech groups fire back at PROTECT-IP Act
By Tony Romm May 25, 2011 Three top tech trade associations on Wednesday urged the Senate Judiciary Committee to consider major revisions to a controversial new online copyright bill — the PROTECT-IP Act — including a provision that would hold Internet search engines liable for helping crack down on violators. A new letter from the Consumer Electronics Association, Computer and Communications Industry Association and NetCoalition stresses that portions of the legislation should be revised because, as written, they would “undoubtedly inhibit innovation and economic growth.” At issue are provisions that too broadly target actors “enabling, or facilitating” IP infringement, specify new liabilities on search engines, grant a private-right of action and allow the government to block certain websites. The bill is scheduled for a committee markup Thursday. Some of the policy alarms sounded Wednesday by the chiefs of CEA, CCIA and NetCoalition are objections they raised during the debate last year over the Combating Online Infringement and Counterfeits Act. That proposal, known to most as COICA, has since evolved into the PROTECT-IP Act slated for markup this week. Even as the legislation has changed, the groups told committee Chairman Patrick Leahy (D-Vt.) and ranking member Chuck Grassley (R-Iowa) in their letter that the “revisions to the previous text carry their own potential for unintended consequence and require intense scrutiny and study.” For one thing, the tech associations do not like a definition in the bill that would penalize actors that facilitate IP infringement in the same manner the federal government could punish the actual infringers.
“Coupled with other elements of the definition, this language is broad enough to implicate retailer websites advertising legal devices that are capable of infringement (such as computers or copying machines),” wrote CEA President and CEO Gary Shapiro, CCIA President and CEO Ed Black and NetCoalition Executive Director Markham Erickson.

The groups further said the bill, if passed, would put too much liability on search engines. That provision marks a change from COICA that CEA, CCIA and NetCoalition said could constrain free speech guarantees, while posing serious challenges to search engines that “cannot readily distinguish between lawful fair uses” and IP infringement. The groups also stressed the bill’s “private right of action” component could open the door to a “flood of lawsuits” that would burden companies. And echoing many tech stakeholders’ concerns during last year’s COICA debate, the associations expressed skepticism about the bill’s manner of blocking sites that traffic infringed IP. “As an alternative, we continue to support and advocate remedies that put an end to profits gained through the sale and marketing of infringing goods by blocking access to payment processors and advertising,” the tech association leaders wrote. Meanwhile, another tech heavyweight, Microsoft, came out in a blog post Wednesday in support of the PROTECT IP Act — with some caveats. Microsoft, which sells software that has been the victim of copyright infringement, also operates a search engine, Bing. Microsoft argued that “safeguards should be included to ensure that rogue sites are identified clearly and appropriately, and that the responsibilities of companies required to take action to ensure compliance are well defined and their liability appropriately limited.” In addition, the company said in the blog post “steps should be taken to ensure that the private right of action is not subject to abuse, and that the new actions and resulting orders do not stifle free speech or the free flow of information.”

Carrying Water for Hollywood
By Daniel Halper February 15, 2011 This week the Senate Judiciary Committee will hold hearings on COICA (the Combating Online Infringement and Counterfeits Act). It sounds like harmless enough legislation, or at least it did to members of the committee who voted for it unanimously, 19-0, during the lame duck session last year. But it's worse than it sounds. COICA would allow the U.S. government to seize and remove websites from the Internet without due process and after only the allegation of copyright infringement. As Wired reported, COICA "would give the Attorney General the right to shut down websites with a court order if copyright infringement is deemed 'central to the activity' of the site -- regardless if the website has actually committed a crime. The Combating Online Infringement and Counterfeits Act (COICA) is among the most draconian laws ever considered to combat digital piracy, and contains what some have called the 'nuclear option,' which would essentially allow the Attorney General to turn suspected websites 'off.'" Fortunately, at the last minute, Senator Ron Wyden put a hold on the bill, ending any prospect for passing it in the lame duck and forcing the bill’s sponsor, Senator Patrick Leahy, back to the negotiating table. The bill raises a number of concerns from free speech advocates, not least of which is the apparent ability of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) to jam new copyright legislation through Congress. As Techdirt explained late last year, The other argument that says COICA is not censorship is that it states that it is only directed at sites "dedicated to infringing activities" that have "no demonstrable, commercially significant purpose or use other than" infringement.
However, what supporters of COICA hate to admit is that "dedicated to infringing activities" is very much in the eye of the beholder, and the same folks who support COICA -- such as the MPAA and the RIAA -- have a very long and troubled history of declaring all sorts of new technologies as "dedicated to infringing activities." The VCR, cable TV, the DVR and the MP3 player were all lambasted as being dedicated to infringing activities with no demonstrable, commercially significant purpose, when each was introduced.

Perhaps what's even more troubling, COICA has the potential to set a dangerous precedent that authoritarian regimes can point to in their own efforts to censor the Internet. All this at a time when anti-democratic regimes are getting wise to the potential of copyright infringement as a means of stifling dissent. In September of last year, the Kremlin used a weak claim of copyright infringement to raid the offices of NGOs and human rights groups. The Russian government claimed that the groups were using unlicensed copies of Microsoft’s Windows software. By the time Microsoft got around to granting the groups amnesty for any alleged infringements, the government had already seized hard-drives and other files from the groups -- one can imagine what Vladimir Putin’s cronies will do with the information gleaned from the raids. One can also imagine how Beijing might use claims of copyright infringement (claims that could be just as easily elicited from “private” media companies as state run enterprises) to take down websites hosting media those governments might deem offensive. It’s a slippery slope, and the U.S. Congress is on the verge of legitimizing a legal regime that allows governments to disappear websites without judicial review and on the basis of nothing more than an allegation. Indeed, several human and civil rights organizations came together late last year to voice their disapproval of the bill on these very grounds. "[T]his bill is in tension with current US foreign policy and could have grave repercussions for global human rights and the free and open Internet," the groups wrote in a letter addressed to Senators Leahy and Jeff Sessions. 
Ultimately, the advocacy groups argue, it's an issue that threatens the freedom of others: "If many other countries adopt COICA’s approach—and there is little doubt that they will—it will worsen the balkanization of the Internet, where the information any individual can access will depend entirely on where that individual sits. Freedom of expression and association are universal rights; further balkanization of the Internet undermines these rights and threatens the potential of the Internet as a powerful tool for advancing human rights and democracy."
