February 19, 2012

Domain diversification, or why wendy.seltzer.is

Filed under: Chilling Effects, censorship, code, domain names — wseltzer @ 12:45 pm

Early last week, jotforms.com, a platform for user-generated webforms, found its domain name suspended, breaking all its users’ hosted forms. When its founder inquired why, registrar GoDaddy responded that the name had been “suspended as part of an ongoing law enforcement investigation” — apparently instigated by the U.S. Secret Service. Commentators jumped on GoDaddy, already in the doghouse for supporting SOPA, but also linked the problem to earlier U.S. government domain takedowns: ICE’s year-long unexplained seizure of music blog dajaz1, and more recent seizure of megaupload.com’s domain, along with its principals. The problem comes from both: GoDaddy is too willing to suspend first, ask questions later; and the U.S. government is too eager to use and encourage takedowns, disregarding their free speech implications.

foxylad on Hacker News gave us “Today’s sysadmin todo list:”

0. Get corporate membership with EFF.

1. Identify all applications with user-generated content.

2. Move all associated domains to a non-US based registrar.

3. Migrate DNS, web serving and other critical services to non-US based servers.

4. Migrate yourself to a non-US controlled country.

I’m sorry for US sites and users. Your government is hell-bent on turning the internet into a read-only device like TV, easily regulated and controlled.

Now I still believe that the United States’ First Amendment gives strong protection to free expression, online or off. But so long as the administration’s enforcers are playing with domain takedown like a shiny new toy gun, aimed without regard for due process of law, online speech that depends on U.S. registries or registrars is at risk. I’ve registered my domains through the excellent Canada-based Hover, but the .com, .net, and .org registries are still located in the U.S. and hence vulnerable. I don’t think anything on my sites infringes, but that’s one more chance than I’d be taking outside U.S. jurisdiction.

Iceland, on the other hand, has expressed a strong commitment to free, online expression. I’m happy to support Iceland’s free-speech haven by moving some of my business there. If enough others do too, perhaps that jurisdictional arbitrage will show the U.S. government the harm that bad law-enforcement and bad law inflict on U.S. business and society.

Plus, what’s not to like in such fun URLs as http://wendy.seltzer.is/blogging (which redirects here) and http://wendy.seltzer.is/writing (which I’m counting on to inspire me to do more!)?

January 19, 2012

Copyright in Congress, Court, and Public

Filed under: Chilling Effects, censorship, code, copyright — wseltzer @ 4:30 pm

Yesterday, while hundreds of sites (including this one, along with Google, Wikipedia, and Reddit) were going black to protest SOPA and PIPA, the Supreme Court released its own copyright blackout, Golan v. Holder (PDF). Justice Ginsburg’s majority opinion held that the First Amendment did not prohibit reclaiming works from the public domain.

Justice Breyer, joined by Justice Alito, gave a stirring dissent. Copyright law, he said, must be “designed to encourage new production,” not just redistribute works already created. Re-copyrighting already-written works “does not encourage anyone to produce a single new work.” Instead, backwards-looking copyright grants create a serious public choice problem:

Whereas forward-looking copyright laws tend to benefit those whose identities are not yet known (the writer who has not yet written a book, the musician who has not yet composed a song), when a copyright law is primarily backward looking the risk is greater that Congress is trying to help known beneficiaries at the expense of badly organized unknown users who find it difficult to argue and present their case to Congress.

We see the same problem with SOPA and PIPA. The legislation pits organized incumbents against future innovators. Congress risks being captured by the lobbying power of current copyright industries, organized in the MPAA and RIAA, before the artists who have yet to create and the industries who support them can find their political voice. But the SOPAstrike reminds us that more than industry interests are at stake here — the general public, the editors of and users of Wikipedia, the contributors and readers of Reddit and the coders and browsers of Mozilla also create and bring value to the Internet.

Golan reminds us too that we can’t count on the courts to help us where Congress gets copyright wrong. The majority leaves a great deal to Congressional discretion, as it did in Eldred (striking down a challenge to copyright term extension): “the Copyright Clause does not demand that each copyright provision, examined discretely, operate to induce new works.” In a chilling phrase, the Golan majority quotes the district court’s finding of a “settled rule that private censorship via copyright enforcement does not implicate First Amendment concerns.”

Perhaps a later Court will see the First Amendment as a stronger check on Congressional power to restrict speech in the name of copyright, but where we can’t count on 5 (Justices), defenders of free communications on the open Internet will need to count to 51% of Congress. Keep up the pressure, it’s having an impact!

January 18, 2012

Keep Copyright Balance: Stop SOPA and PIPA

Filed under: Chilling Effects, censorship, code, copyright — wseltzer @ 7:48 am

As I wrote over on the Tor Project blog, SOPA and PIPA (the House’s “Stop Online Piracy Act” and the Senate’s “Protect-IP Act”) go beyond enforcement of copyright. These copyright bills would strain the infrastructure of the Internet, on which many free communications — anonymous or identified — depend. Originally, the bills proposed that so-called “rogue sites” should be blocked through the Internet’s Domain Name System (DNS). That would have broken DNSSEC security and shared U.S. censorship tactics with those of China’s “great firewall.”

Now, while we hear that DNS-blocking is off the table, the bills remain threatening to the network of intermediaries who carry online speech. Most critically to Tor, SOPA contained a provision forbidding “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both bills broaden the reach of intermediary liability, to hold conduits and search engines liable for user-supplied infringement. The private rights of action and “safe harbors” could force or encourage providers to censor well beyond the current DMCA’s “notice and takedown” provision (of which Chilling Effects documents numerous burdens and abuses).

On January 18, we’re joining Wikipedia, Reddit, the MIT Media Lab, and hundreds of others in protest, turning a portion of the Tor site black to call attention to copyright balance and remind the US Congress and voters of the value of the open Internet.

U.S. citizens, please call or write to urge your representatives to stop SOPA and PIPA. Elsewhere in the world, keep an eye out for similar legislation, and bring the fight there too.

December 15, 2011

Stopping SOPA’s Anti-Circumvention

Filed under: Chilling Effects, censorship, code, copyright, domain names — wseltzer @ 10:35 am

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web attest, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new “anticircumvention” provision (different from the still-problematic anti-circumvention of section 1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures,[1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii) against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for “the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers – products “designed” to be resilient to transient DNS lookup failures – be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others, SOPA should be stopped.

November 4, 2011

ICANN: The Stakes in Registrar Accreditation

Filed under: ICANN, Internet, censorship, domain names — wseltzer @ 12:15 pm

Law enforcement demands to domain name registrars were a recurring theme of the 42d ICANN public meeting, concluded last week in Dakar. The Governmental Advisory Committee (GAC) took every opportunity at its public meetings with GNSO and Board, and in its Communique, to express dismay, disappointment, and demands for urgent action to “reduce the risk of criminal abuse of the domain name system.”

This conversation about domain name abuse benefits from a multi-stakeholder environment, where it can include domain registrars, registrants, and Internet users, along with law enforcement representatives. Broad debate helps because the question is not just how to “mitigate criminal activity using the domain name system,” but how to recognize criminal activity at the DNS level, how to implement due process to protect legitimate online speakers from abusive or mistaken takedowns, and how to protect the privacy and security of non-criminal users of the domain name system.

ICANN’s processes, particularly the GNSO Policy Development Process, are designed to bring these viewpoints together and find consensus. The Generic Names Supporting Organization has representatives from domain registries, registrars, business, and non-commercial users. (I sit on the GNSO Council as a Non-Commercial Stakeholder Group representative.) Governments are invited to participate in these processes, as well as having a specially privileged role to give “Advice” to the ICANN Board, which the Board must explicitly consider. The rights of domain registrants and Internet users depend on the terms of the Registrar Accreditation Agreement between domain registrars and ICANN. Under all the acronyms lie important issues of free expression.

Yet the U.S., speaking through the GAC, demanded a bigger stick and a smaller discussion, asserting that domain registrars should have unilaterally acceded to the 12-point law enforcement demands instead of going through community comment, negotiation, and discussion. The U.S. cannot simultaneously seek public support for multistakeholder processes while attempting to circumvent those processes in action. Thus I welcome the ICANN Board’s resolution starting an Issue Report for the GNSO to consider issues for RAA amendment.

Now some of the law enforcement demands — publication of a contact address, identification of registrars’ principals — appear relatively innocuous, but even those could be the prelude to assessing intermediary liability and pressure on those who facilitate speech. More troubling, law enforcement wants to force registrars to do extensive verification of domain name registrants’ identities, and to constrain the privacy and proxy services that currently permit registrants to shield identities and addresses from public disclosure.

Domain names are often tools of individual and group expression; not so much through expressive content of the strings themselves, but through the speech hosted at a domain, the conversations carried on through URLs and hyperlinks, and the use of domains to route email and other messaging. Domain names provide stable location pointers for individuals’ and groups’ online speech; as such, they also present possible chokepoints for censorship and suppression of speech.

In the specific instance of responding to law enforcement requests for the publication of registrar contact information, the potential impact is indirect but not insubstantial. In response to law enforcement requests for “registrar cooperation in addressing online crime,” the resolution considers a requirement that registrars “must publish on their respective web sites e-mail and postal mail addresses to which law enforcement actions may be directed.”

If we could be sure that the requests would relate only to activity universally agreed to be criminal, from law enforcement agencies following due process of law and respecting human rights, the proposed requirement would be uncontroversial. As legal regimes and their approaches to human rights are not uniform, we cannot make that blanket assumption. The contacts could be used to censor.

I don’t want to interfere with legitimate law enforcement. I do want to specify explicit procedure and limitations so that these contact points do not become points of control through which registrars can be pressured into removing domains that provide access to critical or “inharmonious” speech. To that end, it’s important that the discussion take place in the GNSO forum where civil society is represented to raise these concerns and develop procedural protections.

June 9, 2011

UN Rapporteur on Free Expression on the Internet

Filed under: Chilling Effects, Internet, censorship, open, privacy — wseltzer @ 5:54 pm

“[D]ue to the unique characteristics of the Internet, regulations or restrictions which may be deemed legitimate and proportionate for traditional media are often not so with regard to the Internet.”

This statement of Internet exceptionalism comes not from the fringes of online debate, but from the UN Human Rights Council’s Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. The Rapporteur, Frank La Rue, recently presented a report emphasizing the importance of rule of law and respect for free expression.

  • State-sponsored content blocking or filtering is “frequently in violation of their obligation to guarantee the right to freedom of expression.” Blocking is often overbroad and vague, secret (non-transparent), and often lacks independent review.
  • Intermediary liability, even with notice-and-takedown safe-harbor, “is subject to abuse by both State and private actors.” Private intermediaries, like states, will tend to over-censor and lack transparency. They’re not best placed to make legality determinations. “The Special Rapporteur believes that censorship measures should never be delegated to a private entity, and that no one should be held liable for content on the Internet of which they are not the author.”
  • Disconnecting users cuts off their Internet-based freedom of expression. The report calls out HADOPI, the UK Digital Economy Bill, and ACTA for concern, urging states “to repeal or amend existing intellectual copyright laws which permit users to be disconnected from Internet access, and to refrain from adopting such laws.”
  • Anonymity. “The right to privacy is essential for individuals to express themselves freely. Indeed, throughout history, people’s willingness to engage in debate on controversial subjects in the public sphere has always been linked to possibilities for doing so anonymously.” Monitoring, Real-ID requirements, and personal data collection all threaten free expression, “undermin[ing] people’s confidence and security on the Internet, thus impeding the free flow of information and ideas online.”

    “The Special Rapporteur calls upon all States to ensure that Internet access is maintained at all times, including during times of political unrest.” I couldn’t say it better myself.

    Editorials against PROTECT-IP

    Filed under: Chilling Effects, censorship, copyright, domain names — wseltzer @ 2:40 pm

    First the Los Angeles Times, now the New York Times have both printed editorials critical of the PROTECT-IP bill.

    Both the LAT and NYT support copyright — and announce as much in their opening sentences. That doesn’t mean we should sacrifice Internet security and stability for legitimate DNS users, nor the transparency of the rule of law. As the LAT puts it, “The main problem with the bill is in its effort to render sites invisible as well as unprofitable.” Pulling sites from search won’t stop people from reaching them, but will stifle public debate. Copyright must not be used to shut down the engine of free expression for others.

    Let’s hope these policy criticisms, combined with the technical critiques from a crew of DNS experts will begin a groundswell against this poorly considered bill.

    May 12, 2011

    Debugging Legislation: PROTECT IP

    Filed under: Chilling Effects, censorship, copyright, domain names, events — wseltzer @ 10:45 am

    There’s more than a hint of theatrics in the draft PROTECT IP bill (pdf, via dontcensortheinternet) that has emerged as son-of-COICA, starting with the ungainly acronym of a name. Given its roots in the entertainment industry, that low drama comes as no surprise. Each section name is worse than the last: “Eliminating the Financial Incentive to Steal Intellectual Property Online” (Sec. 4) gives way to “Voluntary action for Taking Action Against Websites Stealing American Intellectual Property” (Sec. 5).

    Techdirt gives a good overview of the bill, so I’ll just pick some details:

    • Infringing activities. In defining “infringing activities,” the draft explicitly includes circumvention devices (“offering goods or services in violation of section 1201 of title 17”), as well as copyright infringement and trademark counterfeiting. Yet that definition also brackets the possibility of “no [substantial/significant] use other than ….” Substantial could incorporate the “merely capable of substantial non-infringing use” test of Betamax.
    • Blocking non-domestic sites. Sec. 3 gives the Attorney General a right of action over “nondomestic domain names”, including the right to demand remedies from (A) domain name system server operators, (B) financial transaction providers, (C) Internet advertising services, and (D) “an interactive computer service (def. from 230(f)) shall take technically feasible and reasonable measures … to remove or disable access to the Internet site associated with the domain name set forth in the order, or a hypertext link to such Internet site.”
    • Private right of action. Sec. 3 and Sec. 4 appear to be near duplicates (I say appear, because unlike computer code, we don’t have a macro function to replace the plaintiff, so the whole text is repeated with no diff), replacing nondomestic domain with “domain” and permitting private plaintiffs — “a holder of an intellectual property right harmed by the activities of an Internet site dedicated to infringing activities occurring on that Internet site.” Oddly, the statute doesn’t say the simpler “one whose rights are infringed,” so the definition must be broader. Could a movie studio claim to be hurt by the infringement of others’ rights, or MPAA enforce on behalf of all its members? Sec. 4 is missing (d)(2)(D).
    • WHOIS. The “applicable publicly accessible database of registrations” gets a new role as source of notice for the domain registrant, “to the extent such addresses are reasonably available.” (c)(1)
    • Remedies. The bill specifies injunctive relief only, not money damages, but threat of an injunction can be backed by the unspecified threat of contempt for violating one.
    • Voluntary action. Finally the bill leaves room for “voluntary action” by financial transaction providers and advertising services, immunizing them from liability to anyone if they choose to stop providing service, notwithstanding any agreements to the contrary. This provision jeopardizes the security of online businesses, making them unable to contract for financial services against the possibility that someone will wrongly accuse them of infringement. 5(a) We’ve already seen that it takes little to convince service providers to kick users off, in the face of pressure short of full legal process (see everyone vs Wikileaks, Facebook booting activists, and numerous misfired DMCA takedowns); this provision insulates that insecurity further.

    In short, rather than “protecting” intellectual and creative industry, this bill would make it less secure, giving the U.S. a competitive disadvantage in online business.

    UPDATE: Sen. Leahy has posted the bill with a few changes from the above-linked draft (thanks Ryan Radia for the link).

    May 5, 2011

    In DHS Takedown Frenzy, Mozilla Refuses to Delete MafiaaFire Add-On

    Filed under: Chilling Effects, censorship, code, copyright, domain names — wseltzer @ 8:27 pm

    Not satisfied with seizing domain names, the Department of Homeland Security asked Mozilla to take down the MafiaaFire add-on for Firefox. Mozilla, through its legal counsel Harvey Anderson, refused. Mozilla deserves thanks and credit for a principled stand for its users’ rights.

    MafiaaFire is a quick plugin, as its author describes, providing redirection service for a list of domains: “We plan to maintain a list of URLs, and their duplicate sites (for example Demoniod.com and Demoniod.de) and painlessly redirect you to the correct site.” The service provides redundancy, so that domain resolution — especially at a registry in the United States — isn’t a single point of failure between a website and its would-be visitors. After several rounds of ICE seizure of domain names on allegations of copyright infringement — many of which have been questioned as to both procedural validity and effectiveness — redundancy is a sensible precaution for site-owners who are well within the law as well as those pushing its limits.

    DHS seemed poised to repeat those procedural errors here. As Mozilla’s Anderson blogged: “Our approach is to comply with valid court orders, warrants, and legal mandates, but in this case there was no such court order.” DHS simply “requested” the takedown with no such procedural back-up. Instead of pulling the add-on, Anderson responded with a set of questions, including:

    1. Have any courts determined that MAFIAAfire.com is unlawful or illegal in any way? If so, on what basis? (Please provide any relevant rulings)
    2. Have any courts determined that the seized domains related to MAFIAAfire.com are unlawful, illegal or liable for infringement in any way? (please provide relevant rulings)
    3. Is Mozilla legally obligated to disable the add-on or is this request based on other reasons? If other reasons, can you please specify.

    Unless and until the government can explain its authority for takedown of code, Mozilla is right to resist DHS demands. Mozilla’s hosting of add-ons, and the Firefox browser itself, facilitate speech. They, like the domain name system registries ICE targeted earlier, are sometimes intermediaries necessary to users’ communication. While these private actors do not have First Amendment obligations toward us, their users, we rely on them to assert our rights (and we suffer when some, like Facebook, are less vigilant guardians of speech).

    As Congress continues to discuss the ill-considered COICA, it should take note of the problems domain takedowns are already causing. Kudos to Mozilla for bringing these latest errors to public attention.

    February 1, 2011

    Reflections on Egypt and the Net

    Filed under: Internet, censorship, networks — wseltzer @ 9:07 am

    Over the last week, I’ve been glued to my Twitter feed (hashtags #jan25, #egypt, and @ioerror, @jilliancyork and @EthanZ are good aggregators) and Al Jazeera English to follow events in Egypt. I can only watch and tweet my support (and work with groups like Tor Project whose technology and training helps dissidents stay safer when they have Net access) as people mass in Tahrir Square for a million+ person march.

    I recognize the location of some of Al Jazeera’s footage from a visit to Cairo. Poignantly, that was in November 2008, in the final days of the U.S. presidential election, when I used the Internet to make Skype-based get-out-the-vote calls. Since Mubarak has been in power for 30 years, the Egyptians who cheered Obama’s victory around me had never had the opportunity to vote in meaningful free elections.

    As Egypt’s January 25 protests continued, the Egyptian government cut off Internet access (see reports from The Tor Project, Renesys, and RIPE) and mobile SMS from most of the country’s providers. Yesterday, Noor.net, the final provider that had continued to offer Internet connectivity, also became unreachable. Even phone service is uncertain. Andrew McLaughlin eloquently called upon Communications Minister Tarek Kamel to restore communications.

    That cut-off in itself demonstrates some of the value of Internet communications: the unpopular government fears the organizing resources the Net provides for citizens, and the window it gives to the world watching and trying to help. While it’s far too early to measure the Net’s impact on revolutionary movements in Egypt, and Tunisia only weeks earlier, we can find potential impacts. Were Egyptians inspired by news from Tunisia’s uprising, some of it reaching them faster online? Did they use social media to organize, along with off-line means? Did social media help to amplify off-line protests, showing solidarity among friends and people they respected, encouraging more to take to the streets? It’s clear that we in the United States have had access to much more information, through the Net, even cut off as it has been, than we’d get quickly from a pre-Internet revolution.

    We also see that the Internet is not any particular means of data transport. The independence of layers means that applications don’t care what the route underneath looks like, so long as there is one. That meant that even cutting off Internet service providers couldn’t stop information flows: while Egyptians could call out from the country, they could tell their stories at @jan25voices, and through the Google-Twitter-Phone service, @speak2tweet, that automates some of the voice-Twitter connection. Other providers outside Egypt have offered dial-up lines.

    Moreover, the situation illustrates the value of open Internet here at home. Al Jazeera English, the television broadcaster giving the most thorough coverage of the Egyptian events — despite having its Cairo bureau closed and six of its journalists jailed — is not available through most US cable providers. Ryan Grim on Huffington Post calls this a “blackout”, but thanks to the Internet, that need not be a barrier. I’m watching Al Jazeera English on my computer, through pipes that can carry video, audio, and text of my choice. (So it’s disturbing to see Chris Sacca tweet that he “worked at an Akamai competitor when Al-Jazeera sought CDN [content delivery network: local caching that can help improve network delivery] help in 2002. US Gov made clear to us that we would suffer.”) Cable’s limited-purpose pipe, where subscribers get only bundles chosen from among the channels their providers offer, seems an anachronism in the Internet age. We may still want to watch video (and not only create it ourselves), but we need Net neutrality’s assurance that we can get it from any source: peer, professional, or dissident.

    I’ll continue to watch the tweets and video online, hoping that in the near future, I’ll be able to celebrate with the Egyptian people as they vote in free and democratic elections.
