If you look at tech blogs or most any technology-related website these days you will see people ranting against two major pieces of legislation that are on the table in American congress – the Stop Online Piracy Act (SOPA) and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, Protect IP Act (PIPA) for short. These are two of the pieces of legislation that the House of Representatives (SOPA) and the Senate (PIPA) are working on pushing through as laws to combat piracy/copyright infringement on the Internet. My opinion and SingleHop’s position is that these laws would be harmful to the Internet in general and frankly toxic and highly detrimental to the Internet infrastructure itself, which is contributing more than $45 billion to the U.S. economy annually.

Before I begin digressing into my points, I first want to explain some terminology that will be used in this post as well as a brief synopsis of both bills and what their effects are at the time of writing. These are very removed explanations as I could spend quite a long time explaining what these bills are in their entirety and that is not the point of this post. I will provide links which provide a more in-depth explanation of both bills in the source at the bottom of this post should you wish to further-educate yourself on either or both.

Some terminology defined so that things are easier to understand:

DNS servers are groups of servers that are the equivalent of the yellow pages of the Internet. Every single computer linked into the Internet has an IP address which is like your phone number. The DNS servers make it so that when you request singlehop.com for instance, you are given the IP address so that you may connect to our site. There are two major types of DNS servers you deal with on a regular basis, authoritative and non-authoritative domain name servers. The difference simply put is authoritative are servers where the actual domain is kept and the non-authoritative are name servers used locally to cache results from authoritative name servers to reduce overhead of authoritative name servers. The name servers you use for your Internet connection are non-authoritative and the name servers that are used to provide the IP addresses for SingleHop are authoritative.

A payment gateway is a network or company that is used to process transactions when you purchase things on websites. For instance, MasterCard, Discover, Visa, PayPal, Google Checkout and so on are payment processors.

DMCA is the Digital Millennium Copyright Act. This is a bill put in place by Bill Clinton during his term as president in an attempt to curb copyright infringement on the Internet. It has been updated a few times over the years in the hopes of assisting intellectual property owners in maintaining the integrity of their property. An intellectual property owner is allowed to issue a request to a site/operator asking infringing content requesting take down with proof of ownership of the infringing content. If the take down is not taken care of in a timely manner then the owners have the right to issue litigation against the offending client and sue. They are also allowed the rights for what is known as a request for data preservation. These are secretive subpoenas issued to the hosts of infringing material requesting that the content, payment information and any information attainable be stored for a predetermined time should the requesting party wish to take the offense to court. Requests for data preservation are issued by the FBI and Police typically, owners of intellectual property do not have this right without first going to a legal entity requesting, and issuing a warrant.

Now for the bills. 

The tamer of the two which is PIPA. At the time of writing Wikipedia explains the contents as such^[1]:

The bill provides for “enhancing enforcement against rogue websites operated and registered overseas”, and authorizes the United States Department of Justice to seek a court order in rem against websites dedicated to infringing activities themselves, if through due diligence an individual owner or operator cannot be located. The bill requires the Attorney General to serve notice to the defendant. Once the court issues an order, it could then be served on financial transaction providers, Internet advertising services, Internet service providers, and information location tools to require them to stop financial transactions with the rogue site and stop linking to it. The term “information location tool” is borrowed from the Digital Millennium Copyright Act and is understood to refer to search engines, but could cover other sites that link to content.

“The Protect IP Act says that an “information location tool shall take technically feasible and reasonable measures, as expeditiously as possible, to remove or disable access to the Internet site associated with the domain name set forth in the order”. In addition, it must delete all hyperlinks to the offending “Internet site”.”

Non-authoritative domain name servers would be ordered to take technically feasible and reasonable steps to prevent the domain name from resolving to the IP address of a website that had been found by the court to be “dedicated to infringing activities.”The website could still be reached by its IP address, but links or users that used the website’s domain name would not reach it. Also search engines—such as the already protesting Google—would be ordered to “(i) remove or disable access to the Internet site associated with the domain name set forth in the [court] order; or (ii) not serve a hypertext link to such Internet site.” Furthermore, trademark and copyright holders who have been harmed by the activities of a website dedicated to infringing activities would be able to apply for a court injunction against the domain name to compel financial transaction providers and Internet advertising services to stop processing transactions to and placing ads on the website, but would not be able to obtain the domain name remedies available to the Attorney General.

By golly that’s a mouthful! As I’m sure like most people your eyes glaze over reading that with all the tech-speak along with litigious wording. To put it in the simplest terms, Protect IP is an act that allows intellectual property owners the right to file takedown requests of their content to websites. If this request is not fulfilled within what the bill considers adequate time the Attorney-General then has the right to issue a court order to blacklist the infringing domain through all non-authoritative DNS servers in america, pull all payment gateway access, search engine listing as well as a federal charge for the offender.

And now for SOPA^[2]:

The bill would authorize the U.S. Department of Justice to seek court orders against websites outside U.S. jurisdiction accused of infringing on copyrights, or of enabling or facilitating copyright infringement. After delivering a court order, the U.S. Attorney-General could require US-directed Internet service providers, ad networks, and payment processors to suspend doing business with sites found to infringe on federal criminal intellectual property laws. The Attorney-General could also bar search engines from displaying links to the sites.

The bill also establishes a two-step process for intellectual property rights holders to seek relief if they have been harmed by a site dedicated to infringement. The rights holder must first notify, in writing, related payment facilitators and ad networks of the identity of the website, who, in turn, must then forward that notification and suspend services to that identified website, unless that site provides a counter notification explaining how it is not in violation. The rights holder can then sue for limited injunctive relief against the site operator, if such a counter notification is provided, or if the payment or advertising services fail to suspend service in the absence of a counter notification.

The bill provides immunity from liability to the ad and payment networks that comply with this Act or that take voluntary action to cut ties to such sites. Any copyright holder who knowingly misrepresents that a website is dedicated to infringement would be liable for damages. The second section increases the penalties for streaming video and for selling counterfeit drugs, military materials or consumer goods. The bill would make unauthorized streaming of copyrighted content a felony.

Again so many words! Like the previous bill, an owner of intellectual property can issue a takedown request. If the request isn’t filled the Attorney-General has the right to block all access to the site via non-authoritative DNS servers, payment gateways, search engine listings, ad revenue and so on. This goes a step further by also allowing the Attorney-General the right to issue the IP of the infringing server to be blocked access from the internet. This bill is more aggressive than PIPA in the fact that intellectual property owners can notify an offending client of their infringement and request immediate takedown without any due process. With PIPA an offense must first be approved by the Attorney General before a takedown request is valid. There is a great deal more in both of these bills, but this is the prime rib of them.

Now with just a brief synopsis, at least PIPA doesn’t look that harmful. It just seems like more added to the DMCA of previous to protect the interest of those that own intellectual property. The crux of the matter is that these bills won’t work, they’re made to shovel liability off the intellectual property owners and onto the providers of content on the Internet and their providers, Internet infrastructure companies like SingleHop. The DMCA includes protection for those who host infringing content known as safe harbor – the exclusion of litigation against DMCA violations . What this means is as of right now if someone were to buy a server from us and that client then provides hosting for another client, we are exempt legally from the ramifications of the actions from the end-user as long as we abide by the provisions of the DMCA, specifically the take-down provisions. If we are in the safe harbor, we are safe from litigation, which allows us to conduct our business of providing Internet infrastructure to our customers without being forced to police and check their content against every copyright every registered, an incredible strain on a company like SingleHop.  If the RIAA were to find a MP3 on a site they can request for it to be taken down, request client information and then go after them legally should they decide losses were had as a result of that file being on the server. To put it in a scenario closer to an end-user: if you download a movie using Bit Torrent and your ip is logged, using the DMCA the MPAA can request from your ISP your customer information and then issue a lawsuit asking for coverage of losses. With SOPA and PIPA we as hosting providers lose the protection set forth in the DMCA and these entities are allowed to go after us along with the end-user for losses as a result of a users actions.

The long-arm of these bills doesn’t end there, say you have comments on your blog and a spammer links a download to protected content. If this link is not removed within a timely manner your entire site can be taken off from both acts. SOPA goes a step further and allows the complaint to block the entire server. So if you have a server with thousands of sites on the single server, every single site is now blocked from access.  This alone disrupts a great deal of many facets of the Internet that have become commonplace among daily use. Because of one single user an entire site such as Twitter, Facebook, Google, MegaUpload, news sites and anything else could have the entire site taken down for all of the United States under both SOPA and PIPA.

Starting to unsettle you? Why would anyone be interested in a piece of legislature this powerful? I urge you to take a look at lists of people that support SOPA and PIPA^[3] and you might get a better idea. If you look at this list you will see that most of the people included are large names in the entertainment and goods industry. These people thrive only off people purchasing their goods and their model is based solely off obtaining said goods. If you exclude those two industries, you will see the list of backers is surprisingly sparse because the entire idea of both bills burns anyone outside of these industries. It’s obvious that these proposed bills are one-sided with the interests of only a choice group of people that represent the Internet as a whole. When researching SOPA you might be surprised to find that representatives opposing the bill that are part of the committee drafting the bill have even stated that they feel the process is being rushed and are missing a great deal of input as experts of the other facets of the Internet have yet to comment, and are being neglected from commenting at the hearing.^[4]

These bills are made to address the necessity of protecting the interest of people that sell tangible goods and services where they have lost or don’t understand how to properly sell these goods on the Internet or are subject of foreign counterfeiting looking for assistance in combating the illicit goods. As a whole the Internet is still pretty new and the world is trying to figure out just exactly how it should be run. It’s an interesting concept because the Internet is essentially decentralized so how can a single government control the Internet? These bills will not work for a few reasons and rather than turn this post into a 20 page paper about the dangers of these bills I’m going to point out my top complaints from my end of the field and how these bills disrupt, undermine and destroy the entire point of the limitations in place currently.

First, both of these bills bring forth the idea of blacklisting DNS on non-authoritative name servers within United States. This is a very dangerous proposition and introduces major security concerns to system administrators around the world for a few reasons. First, all DNS in the world is run by what are known as root name servers. These name servers the end-all authoritative source for domains and requests branch out from them down the line until you find the request you are trying to locate. All of these servers are hosted in the United States[5], and along with this brings up concerns of America becoming “Internet police” if the government decides to leverage control on these root name servers. At the time of writing both bills are only against non-authoritative name servers so they are still protected, but for how long? On top of this, since the Internet is decentralized nothing is stopping a client from using non-authoritative servers outside of the United States to get around the block, which is why SOPA tries to further control by blocking actual access to the end-point IP. A big move in the past few years is introducing DNSSEC which is a set of security guidelines over DNS to prevent malicious attacks against DNS. By forcing users to use illicit name servers to connect to their website you break the entire foundation of DNSSEC and open up a wealth of illicit possibilities against clients.

Second, SOPA allows what is known as Deep Packet Inspection – the ability to tap into any network within the United States to obtain traffic for purposes proving the proposed illicit activity is taking place. This is a huge privacy concern considering how loosely SOPA defines what infringing content is and brings up a wealth of concerns about personal rights on the Internet as a citizen of the United States.

Third, neither bill clearly sets forth what infringing material is. The definition is very loosely blanketed which could be spun to cover a broad spectrum of material and could potentially mean that a company could simply use the power to attack others in their industry to try and get a standing ground above them. Of course, this is all hearsay until someone abuses the power but you don’t need to look far to see that DMCA is already being abused. The popular file upload site MegaUpload hired a group of singers to make an advertisement for their site, uploaded it to YouTube which was pulled by UMG on the grounds that it contained infringing content. The entire video was paid for, commissioned and had contracts from all artists that gave MegaUpload the right to use the video. UMG used a service YouTube provides to intellectual property owners to disable links without going through the DMCA process as a way to hasten take downs to keep their content secured. UMG abused this right by taking down the video and when MegaUpload turned around with a lawsuit UMG released a statement stating that they were exempt from any unlawful takedown as when they removed the video it wasn’t done through a DMCA request.^[6]

Lastly, having worked in the industry I can see why intellectual property owners feel the DMCA fails. Part of my role at SingleHop is acting as “Custodian of Records”. While this is actually a phrase borrowed from the adult entertainment industry, my role within SingleHop requires me to assist with subpoenas requesting for data preservation and complying with other requests as deemed by the legal document. With the complexity of hosting it can be frustrating on both ends due to lack of understanding and comprehension of just how the industry works. While we do have clients, some of these clients have clients, so on and so forth. So while a website might be hosted in our IP space there might be a chain of 4 people before you actually reach the content the subpoena is requesting and sometimes by the time the end of the chain is found, the desired data is long gone and somewhere else. While not commonplace, it does happen and can be extremely frustrating. Having an understanding of this I can understand where the people backing SOPA/PIPA feel this helps them as it makes everyone in the chain responsible for that one illicit activity but is unfair as nobody can police every single action of every single user.

So what can we do to fix this? There are a lot of ideas and I’ve spent the last month contemplating this. I don’t like having a disagreement with an argument without having an alternative solution as it isn’t productive. Personally I think the issue isn’t that there aren’t enough rules set in place to enforce copyright infringement, rather there isn’t a clear and standardized method of dealing with these issues. Rather than create blanket clauses to give intellectual property owners more power there should be a process all companies must adhere to for handling infringement of content and services. An example where policy has helped is spam. Back in the 90s there used to be no clear policy and the only way to truly never have spam was to never, ever give your address out and even then you will likely get hit if you use a major email provider due to shortcomings with mail transfer authority services. The CAN-SPAM act was created to combat this setting forth legal guidelines required for all mass-mailings which, while did not 100% solve spam issues provided a guideline that all mail services were to follow and enforce which has significantly reduced the amount of spam. A similar set of guidelines such as having a true Custodian of Records responsible for client information would provide a clear and concise chain of communication. Every domain is required to have an abuse contact but no single company has a similar abuse policy.

Now, this doesn’t mean that the burden of effort all sides on the hosting providers, I can say with a firm knowledge that a big issue is a lot of intellectual property owners simply don’t care about policy. If there is infringing content they will do the legal bare-minimum and be completely unhelpful trying to resolve an infracting issue. Even when sites will state a clear-cut policy on how to report a violation a majority of intellectual property owners will do the bare-minimum, only contacting the abuse contacts and expect them to handle the rest. If both sides were able to come to an agreement on policy on how to act and implement a system things would be much more smooth and handled in a faster fashion.

Do you disagree with SOPA/PIPA? If so feel free to head over to the SaveHosting coalition www.savehosting.org which have petitions for both SOPA and PIPA you may sign to show your support against both bills.

Sources:

[1] http://en.wikipedia.org/wiki/PROTECT_IP_Act

[2] http://en.wikipedia.org/wiki/SOPA

[3] https://sites.google.com/site/boycottsopasponsors/home/list-of-supporters-and-sponsors

[4] http://www.computerworld.com/s/article/9222759/House_committee_to_push_ahead_on_SOPA

[5] http://en.wikipedia.org/wiki/Root_name_server

[6] http://arstechnica.com/tech-policy/news/2011/12/umg-we-have-the-right-to-block-or-remove-youtube-videos.ars