Wednesday, January 18, 2012

SOPA, PIPA and you

A friend of mine asked me what the deal with SOPA and PIPA was. So here was my email response (it got a little longer than I wanted it to get... whoops).

Alright, so the whole ordeal is about two newly proposed bills in the US: SOPA - Stop Online Piracy Act, and PIPA - Protect Intellectual Property Act. These two bills are being largely fronted by organizations such as the RIAA and MPAA - Recording Industry Association of America and Motion Picture Association of America - who want better tools to protect their copyrights online.

While the goal is noble, the execution is terrible.

To understand why, there are some things you have to know. First, there already exists legislation to protect copyright owners - it's called the Digital Millennium Copyright Act (DMCA). Under this Act (which was passed way back in like 2005), a copyright owner can claim infringement by issuing what's called a 'takedown notice' to the host of the infringing content.

For example, let's say I uploaded a song of mine onto YouTube. If someone else then reposted that song without my permission, I could enforce my copyright and issue a takedown notice to YouTube.

A host who receives a takedown notice has a certain number of days to respond (I think it's somewhere in the realm of 30 days) and remove the infringing material. The reason this is so important is that it absolves the host of any liability for what its users post. A user infringes on copyright, the owner of the copyright issues a notice, the host removes it. No harm done. If the host does not comply, then they become liable for the copyright infringement.

The DMCA also allows for what's known as 'Fair Use' - parody/satire, highlighting an issue, and a few others (I would look it up, but Wikipedia is blacked out in protest over SOPA). This means that something is not infringing if it falls under fair use - the copyright owner has to allow it, as long as the use is not for profit (I think. Fair use is one of the parts of the DMCA that is less clear to me).

All of this is the current state of affairs: the DMCA is in effect, and millions of copyright infringements have been removed. The way things are right now, a host (for example Facebook, YouTube, Flickr, Reddit, etc.) has 'Safe Harbor' because of the takedown notices. As long as they comply with any takedown notices, they are in good standing and will not be prosecuted. There are plenty of other nuances to this, such as fraudulent or false takedown notices (which can result in fines for the offender), and some hosts allow you to repost your content if it's clearly fair use, but the point is, this is generally the way it has worked for a while now.

The proposed laws change the game in a big way. Now, part of the controversy is that not everyone believes this is the correct interpretation of the laws, but several copyright lawyers have come out saying 'yeah, this is how it is'. Also, all of this that follows is conjecture and hearsay. But what the bills are supposedly proposing to do includes:

-Changing the 'copyright owner must pursue infringements' way of doing things. A site that hosts infringing content (including user generated content) can be blacklisted and have its domain name blocked (I'll get to why this is bad in a bit)
-Requiring that search engines remove all links to the offending site
-Requiring that all ad networks and payment processors (PayPal, Visa, etc.) block the site (similar to what happened to WikiLeaks)
-Requiring that the site scrub all copyright violations from its entire structure

What this means in a nutshell is that if a user posted a comment on Facebook, linking to a picture on Imgur of a copyrighted character:

-Facebook would have to scrub that link from all comments, past and future
-Imgur would be subject to blockages from their ad revenues
-Google, Microsoft and Yahoo would have to scrub the picture from their search engines

and if any of them don't do what's required of them, their DNS would be blocked.

Hopefully you understand partially why this is a terrible idea (putting the burden of proof on hosts rather than on copyright holders; requiring programming architecture that would need to be constantly updated and maintained, scrubbing all offending links forever, etc.), and this says nothing about the fair use provisions. Even if this didn't severely undermine the security of the entire internet (which it surely does, as I'll explain in a moment), these would still be overbearing, draconian copyright policies.

It would literally be like if the law required a bookstore to make sure that there were no copyright infringements in any of their books, and if they missed any, they would be subject to immediate foreclosure.

But let's ignore that for now, and get to the real problem: the breakdown in DNS security.

The way the internet works is as follows.

You type your favorite site into the search bar, the site loads its contents and you do what you came to do. But to someone who understands what's really happening, it looks much different.

You type your favorite site into the search bar. The browser sends a DNS (Domain Name Server) request for that name to a DNS host. The host searches its records for the registrar of that domain name, finds the most recent IP address, and returns it to the browser. The browser makes a request to the given IP address, and the server at that IP address responds with content based on the script at the server. The browser then formats the contents of the files for you, and loads the contents.

What this means is that a site is not dependent on a domain name. The domain name is just there to make it human friendly.

Currently, there exists a type of phishing attack which basically redirects a DNS lookup to a host you control.

So I set up a server at IP address 123.123.123.123, with a malicious script designed to look like Facebook's login site, but which really just captures login attempts. I then set up a DNS server and change the IP address of facebook.com in my DNS tables to my IP (123.123.123.123). If anyone uses my DNS to look up facebook.com, they will get the malicious site instead.
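The lookup described above and the rogue-resolver scenario in the last paragraph, as an added example that is not part of the original post: it builds the DNS query a browser's resolver sends, the answer a DNS server (honest or rogue) returns, and a client-side check that rejects an answer whose address is not one already pinned for that name. All names and addresses are constructed; 192.0.2.10 stands in for the site's real address.

```python
import struct
# Added example (not from the post): minimal RFC 1035 DNS wire format.

def build_query(txid, name):
    # 12-byte header (RD=1, one question) + QNAME labels + QTYPE=A, QCLASS=IN.
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_a_response(query, ip, ttl=300):
    # What a resolver, honest or rogue, sends back: the echoed question plus
    # one A record whose name is a compression pointer (0xc00c) to offset 12.
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer

def skip_name(msg, off):
    # Advance past a name: label by label, or a 2-byte compression pointer.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    # Return (transaction id, [IPv4 strings]) from the answer section.
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, ips

def check_resolver(query, response, pinned_ips):
    # Defender's check: the reply must carry our transaction id and only
    # addresses already trusted for that name; 123.123.123.123 fails it.
    txid, ips = parse_a_records(response)
    if txid != struct.unpack("!H", query[:2])[0] or not ips:
        return False
    return set(ips) <= set(pinned_ips)
```

In practice the pinned list would come from a second, trusted resolver or from DNSSEC-validated data rather than being hard-coded.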

Sure, there are protections (i.e., DNS servers are pretty rare, and mostly come from trusted sources) right now. But with SOPA's blacklisting, things get much more interesting. In fact, hundreds of leading security experts on the subject (who know far more than I) are saying that even the very idea of blacklisting DNS makes DNS much less secure. Honestly, I'm not even really sure what will happen (because the bills are so vague), but when the security experts are saying 'this is literally going to make the entire internet less safe', I tend to stop and listen.

So there you have it, give or take. A big part of the problem is that all of the wording is very vague and mysterious. In fact, this could easily be a stepping stone to something even worse. All it takes is one line, buried literally anywhere in some future bill, saying 'add ", or inflammatory/hostile to the US" to the definition of the bill' (scary thing about American politics - one bill can change any number of other bills, and probably less than half the bills that get passed actually get read and debated) before we reach 1984 status.

If you want to go even deeper, this is just another example of corporate lobbyists buying legislation - in fact, the recent court case that allowed corporations to give unlimited funds as campaign contributions to elected officials (much of which can be fully untraced and undocumented due to the laws allowing for Super PACs) probably directly prompted this. In 2006 alone, the RIAA and MPAA donated over $200,000 to various congressmen and senators (from both parties). There isn't any recent data because now any donations to Super PACs no longer need to be reported.

P.S. - I just remembered the biggest joke of all! All of this is designed to stop online piracy and protect the copyright holder's interests. But ask any hacker how they get their movies/TV/music, and the answer is torrents. Torrents are just a link to peer-to-peer file transfers. So after all of this (if it passes), downloading will not stop. Or even slow down. The worst they could do would be to block the DNS of a torrent tracking site (isoHunt or Pirate Bay) but, and this is key, it doesn't stop the IP address from working. So I could, if I knew it, go directly to the IP address of any site, bypassing DNS entirely.

So they are literally wasting millions trying to prevent something this is not going to stop. It's like they found a roach problem in a house, so they decided to burn the house down, but somehow picked the wrong house to burn down. That's why this is outrageous. It is doing nothing except adding costs and hassles to startups and existing companies, making the current internet less safe, and putting the burden of finding copyright infringement on service providers instead of on the copyright owners, like every other medium of copyright.

Sorry if it seems ranty in areas. It gets me hot under the collar that 65+ year old dudes, whose entire knowledge of the internet is 'that blue e where Google is', are systematically destroying something so beautiful and unique because it doesn't fit the business model of a pair of industries who have made a habit of resisting every technological advance and claiming that the sky is falling each time (see: tape cassettes, laserdiscs, VHS, DVR, Walkmans, CD players, iPod). Watching it happen is just so infuriating.
