The Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA), two pieces of legislation with close ties, have come under intense fire from security professionals and other high-tech executives who say that if the bills are signed into law, they could weaken the Internet and limit the ability of security researchers to trace cybercriminals.
The two proposed antipiracy bills could force tech companies to monitor user content, limiting the use of pictures and other media on many social networks. The bills could also prompt costly compliance mandates, hampering small businesses and startups, creating a barrier to expansion and potentially hindering innovation, said Markham C. Erickson, executive director of the Open Internet Coalition, which lobbies for Google, Yahoo and other Silicon Valley tech giants.
“Once a user or a network engineer attempts to get visibility into the network, they won’t be able to tell if an ISP is disrupting that connection pursuant to court order or if a cybercriminal is creating the disruption in advance of a cyberattack,” Erickson said. “You would also have to create a compliance strategy to make sure your users aren’t using your network to reach a site deemed to be illegal.”
A vote on whether to bring PIPA to the floor of the Senate for debate is expected Jan. 24. PIPA gives the U.S. Department of Justice the power to seek a court order to shut down a website that hosts suspected pirated content. The law would force Domain Name System (DNS) providers and search engines to remove the website from search results and block users from accessing it on the Internet. The bill is sponsored by Senate Judiciary Committee Chairman Patrick Leahy, a Vermont Democrat.
Protect IP has exemptions in place for some businesses, focusing primarily on DNS providers and the ad networks connected to rogue websites selling access to pirated material. SOPA is broader in its reach and would force nearly all businesses to monitor Internet access. SOPA is currently being debated by members of the U.S. House of Representatives Judiciary Committee. Debate has been postponed until after Congress' holiday break. SOPA is sponsored by Texas Congressman Lamar Smith.
A group of security experts and other Internet pioneers wrote a letter to Congress opposing SOPA and PIPA. The group, which included network security luminaries Dan Kaminsky and Paul Vixie, said if enacted, the legislation could “seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure.”
“Censorship of Internet infrastructure will inevitably cause network errors and security problems,” according to the opposition letter. “This is true in China, Iran and other countries that censor the network today; it will be just as true of American censorship. It is also true regardless of whether censorship is implemented via the DNS, proxies, firewalls, or any other method. Types of network errors and insecurity that we wrestle with today will become more widespread, and will affect sites other than those blacklisted by the American government.”
The bills are aimed at blacklisting “rogue” sites that host pirated content, but the proposed legislation could have a major impact on file-hosting websites, social networks that host user-generated content and a number of Web forums. For example, Twitter would have to figure out a way to prescreen user messages to filter links, pictures and other media against sites or domains that are deemed to be illegal. DNS filtering can also be costly to small ISPs, according to some estimates, adding more than $11 million in expenses each year.
Kaminsky, Vixie and other experts believe the DNS filtering enacted in the legislation could undermine the integrity of the DNS and challenge the broader use of DNSSEC, an improved protocol that adds a cryptographic layer to DNS communication exchanges. Vixie is one of five researchers who issued a report analyzing the impact the two bills could have on DNSSEC.
“It attempts to do something noble, but it doesn’t take into account how the Internet works,” said malware and vulnerability expert HD Moore, creator of Metasploit and CTO of Rapid7. “What they are debating is so far beyond sanity that it’s almost ridiculous.”
In a letter to Congress, David Ulevitch, founder and CEO of OpenDNS, said the two bills could be devastating to the economy and send jobs overseas if passed. Ulevitch said there is no way to censor illegal content without harming uses on websites as well.
“It’s likely that if SOPA and PIPA existed when I started my company, we would have incorporated outside of the United States and all of the jobs and investment that I have put into the economy would have been taken elsewhere,” Ulevitch wrote. “I expect many businesses will make the decision to incorporate elsewhere should this legislation pass, and it’s possible that existing corporations will relocate to more entrepreneur-friendly countries.”
Supporters of the two bills, mainly the U.S. Chamber of Commerce and the Motion Picture Association of America (MPAA), say the aim is to block access to rogue websites that share pirated movies, songs and other media.
“Rogue sites legislation will give our law enforcement the necessary legal tools to go after these online criminals who abuse the Internet from beyond our borders, and therefore, beyond the reach of our enforcement agencies,” said Mark Elliot, executive vice president for the Global Intellectual Property Center at the U.S. Chamber of Commerce. In an op-ed in The Hill, Elliot defended the bills and said opponents have gone too far with the technical issues that the bills would pose. “The techniques put forth to block these illegal enterprises are by no means new and are already in use to combat the likes of child pornography and malware or spammers.”