December 15, 2011

Stopping SOPA’s Anti-Circumvention

Filed under: Chilling Effects, censorship, code, copyright, domain names — wseltzer @ 10:35 am

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new”anticircumvention” provision (different from the still-problematic anti-circumvention of section1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures,[1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. ยง 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for”the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others, SOPA should be stopped.

3 Comments »

  1. One of the things I find interesting is that, although Firefox/MAFIAAfire provides a convent workaround to DNS blocks, every operating system (Windows, Mac OSX, Linux & Unix all alike) has a built-in bypass: The /etc/hosts file (or c:/Windows/System32/drivers/etc/hosts for modern Windows systems) allows you to manually put in an IP address against a hostname.

    With this set, any time a program next connects to that URL it will goto that new address, bypassing any DNS override put in place by your ISP! It’s hard not to see that with this being included as standard within pretty much every operating system on every computer connected to the internet, does this not in fact make every OS and PC illegal with the stroke of a single pen?

    Comment by Jonathan Wright — December 15, 2011 @ 11:29 am

  2. +1 for Mr. Wright above. In fact some enterprising folks at the huge discussion site reddit.com have assembled a rudimentary hosts file http://bit.ly/rKoyH5.

    The discussion rightly turned to issues of security, and the dangers of letting unknown third parties determine IP addresses on your computer in your hosts file. The opportunity for abuse is enormous, and imho points pretty much to the Vixie et al letter referenced above.

    Alternatively, the possibility for good behavior exists as well, some kind of “Open Source”/transparent community effort to create and vet such lists similar to the AdBlock list subscriptions.

    Comment by robin — December 17, 2011 @ 10:37 am

  3. [...] “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both [...]

    Pingback by Wendy’s Blog: Legal Tags » Keep Copyright Balance: Stop SOPA and PIPA — January 18, 2012 @ 7:48 am

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress