Once again, Congress is being asked to make bad rules that will hurt network security, but this time the blame doesn’t fall on the privacy lobby. This time the booby prize goes to the intellectual property lobby.
Below is an op-ed I wrote for Politico this week on the security consequences of the copyright enforcement bills now on the Hill — PROTECT IP and the Stop Online Piracy Act. As it happens, the House Judiciary Committee held a hearing on the proposal on Wednesday, when the op-ed appeared, and some of the questioning turned on my op-ed. Indeed, I gather that it contributed to an unexpectedly ragged performance from Hollywood’s normally smooth witnesses.
Unfortunately, the Politico article was posted behind a paywall. That’s pretty ironic for an op-ed questioning the value of over-enforcing the copyright laws. So I’m posting it here, too:
Everyone knows that internet security is bad and getting worse. Recognizing the problem, Congress is hard at work on cybersecurity, with a number of bills on the table. Ironically, at the very same time, Congress is getting ready to pass a copyright enforcement bill that could kill our best hope for actually securing the internet.
How did that happen? Let’s start with the internet, where fake websites cost users millions of dollars in fraud losses every year. Unless we find a better system for locking down website identities, this and other forms of online crime will continue to skyrocket.
It turns out that internet engineers have already designed a system to address this problem: a set of technical rules that go by the unlovely name of DNSSEC. Under these rules, the data that maps a website’s name to its Internet address is digitally signed, and the signing key is vouched for, step by step, from the registry that issues the name up to the root of the domain name system. Thus, when Citibank claims the domain name citibank.com, the operator of the .com registry publishes a signed fingerprint of Citibank’s key, and Citibank signs the record that ties its name to the addresses of its servers. From then on, a resolver that checks those signatures will refuse any answer for “citibank.com” that Citibank did not sign, so anyone who types the name into his browser cannot quietly be sent to an address somebody else slipped into the lookup.
That’s protection that the people who bank online need today.
Why don’t they have it? Two reasons. The first is friction. Moving to the new rules won’t be free. It will require a lot of work by browser companies, internet service providers, domain registries, and others – many of whom may never get any direct benefit from the change. Naturally, these companies are a little slow to spend money that just makes the internet overall safer; that’s the tragedy of the commons. But as the need for security becomes obvious to all, we’re slowly overcoming that friction, thanks in part to the leadership of my old agency, the Department of Homeland Security, in getting government to adopt the new procedures.
The second problem is new. It is Hollywood’s desperate desire to keep foreign websites from delivering pirated movies and music to American computers. To do that, the movie industry wants a law that will require internet service providers to block their customers from going to those sites. Instead, the users are supposed to be sent to a site that warns them against copyright infringement.
Hollywood has sold that idea to Congress, and bills are now moving through both houses to impose this “block and redirect” obligation on internet service providers. And they’re moving fast. The Senate bill is out of committee, while the House judiciary committee is holding hearings on a similar bill this week.
This is far faster than Congress’s cybersecurity effort, and it runs directly counter to that effort, because “block and redirect” is exactly what crooks are doing today to bank customers. If the bills become law, the security system won’t be able to tell the difference between sites that have been blocked by law and those that have been sabotaged by hackers: in both cases the answer no longer carries a valid signature from the site’s owner, and the only thing a resolver that checks DNSSEC signatures can do is refuse it. Indeed, it isn’t hard to imagine crooks redirecting users to sites that say, “You were redirected here because the site you asked for has violated copyright,” while at the same time planting malware on the user’s computer.
What’s more, the bill will likely break the fragile consensus that my former agency, the Department of Homeland Security, has spent years helping to build around the switch to DNSSEC. If the bill passes, practically everyone who needs to make changes to implement DNSSEC will instead be on the phone to their lawyers, asking whether they will be sued for adopting a security technology that makes the mandated “block and redirect” system even more difficult.
If “block and redirect” could stop Hollywood’s bleeding, perhaps a case could be made for undermining everyone’s security in order to protect the studios’ intellectual property. But it won’t stop the bleeding. Even today, if someone is blocked and redirected away from his favorite pirate website, he can find many simple ways to defeat the block. He can paste his favorite pirate website’s number (rather than its name) into the address box on his browser. Or he can simply tell his computer to look up the site’s address on a Canadian server instead of an American one.
Passing this bill will make Hollywood feel better, and richer.
For about a minute.
It will leave the rest of us hurting and poorer for years.
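The chain of trust the op-ed describes, and the reason a mandated redirect or block looks the same as an attack to a resolver that checks signatures, as an added example that is not part of the op-ed and not code from any real DNSSEC implementation. It is a toy model in Python: tiny textbook RSA keys over fixed primes stand in for the zone keys, the zones citibank.com, pirate.example and the name nosuch.example are hypothetical, the addresses are constructed from the RFC 5737 documentation ranges, and the NSEC ordering is a simplification of the real canonical ordering. Nothing in it is secure; its purpose is to show which check fails in each case.

```python
"""Toy DNSSEC chain-of-trust validator.  Added example, not code from the op-ed.
Keys are tiny textbook RSA over fixed primes: illustration only, NOT secure."""
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA from two small fixed primes -> ((n, e) public, (n, d) private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def h(data):                 # SHA-256 as an integer; reduced mod n inside sign/verify
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def rsa_sign(priv, data):
    return pow(h(data) % priv[0], priv[1], priv[0])
def rsa_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == h(data) % pub[0]

def canonical(owner, rtype, rdata):
    """An RRset is (owner, type, rdata list); its RRSIG is the zone key's signature over this."""
    return f"{owner}|{rtype}|{'|'.join(rdata)}".encode()
def key_rdata(pub):          # DNSKEY rdata, published in the zone itself
    return [f"{pub[0]}:{pub[1]}"]
def ds_rdata(pub):           # DS = hash of the child's DNSKEY, published and signed by the PARENT
    return [hashlib.sha256(key_rdata(pub)[0].encode()).hexdigest()]
def sign_zone(priv, rrsets):
    """What the zone operator does: sign every RRset with the zone's private key."""
    return {(o, t): (r, rsa_sign(priv, canonical(o, t, r))) for o, t, r in rrsets}

ROOT_PUB, ROOT_PRIV = make_key(2147483647, 998244353)   # root key = the resolver's trust anchor
COM_PUB, COM_PRIV = make_key(1000000007, 469762049)
BANK_PUB, BANK_PRIV = make_key(1000000009, 167772161)
EX_PUB, EX_PRIV = make_key(4294967291, 754974721)
ZONES = [   # hypothetical zones; addresses are RFC 5737 documentation ranges (constructed data)
    (".", ROOT_PRIV, ROOT_PUB, [("com", "DS", ds_rdata(COM_PUB)), ("example", "DS", ds_rdata(EX_PUB))]),
    ("com", COM_PRIV, COM_PUB, [("citibank.com", "DS", ds_rdata(BANK_PUB))]),
    ("citibank.com", BANK_PRIV, BANK_PUB, [("citibank.com", "A", ["192.0.2.10"])]),
    ("example", EX_PRIV, EX_PUB, [("pirate.example", "A", ["198.51.100.7"]),   # plus the NSEC chain:
                                  ("example", "NSEC", ["pirate.example"]), ("pirate.example", "NSEC", ["example"])]),
]
VIEW = {}   # everything a resolver has fetched: (owner, type) -> (rdata, rrsig)
for apex, priv, pub, rrsets in ZONES:
    VIEW.update(sign_zone(priv, [(apex, "DNSKEY", key_rdata(pub))] + rrsets))

def verify_rrset(view, owner, rtype, pub):
    """rdata of (owner, rtype) if it is present and correctly signed by pub, else None."""
    entry = view.get((owner, rtype))
    return entry[0] if entry and rsa_verify(pub, canonical(owner, rtype, entry[0]), entry[1]) else None

def zone_key(view, chain, anchor):
    """Walk root -> ... -> leaf zone: each parent's signed DS must match the child's own DNSKEY."""
    pub = anchor
    for child in chain[1:]:
        ds, dnskey = verify_rrset(view, child, "DS", pub), view.get((child, "DNSKEY"))
        cand = tuple(int(x) for x in dnskey[0][0].split(":")) if dnskey else None
        if not ds or not cand or ds != ds_rdata(cand) or not verify_rrset(view, child, "DNSKEY", cand):
            return None
        pub = cand
    return pub

def order(name):             # canonical DNS ordering, approximated: compare labels right to left
    return tuple(reversed(name.split(".")))
def resolve(view, qname, chain, anchor=ROOT_PUB):
    """('secure', ip) | ('secure', None) for a proven-absent name | ('bogus', why): SERVFAIL in practice."""
    pub = zone_key(view, chain, anchor)
    if pub is None:
        return ("bogus", "broken chain of trust")
    ip = verify_rrset(view, qname, "A", pub)
    if ip:
        return ("secure", ip[0])
    if (qname, "A") in view:
        return ("bogus", "A record does not match its signature")
    for (owner, rtype), (rdata, sig) in view.items():   # no answer: demand a signed NSEC covering qname
        if rtype == "NSEC" and rsa_verify(pub, canonical(owner, rtype, rdata), sig):
            o, q, n = order(owner), order(qname), order(rdata[0])
            if o < q < n or (n <= o and o < q):         # second clause: the last NSEC wraps to the apex
                return ("secure", None)
    return ("bogus", "no signed proof of non-existence")

def tamper(view, key, rdata):
    """Alter an answer without re-signing it; an attacker and a court-ordered ISP alike lack the zone key."""
    return {**view, key: (rdata, view[key][1])}

def scenarios():
    bank, pirate = "citibank.com", "pirate.example"
    evil_pub, evil_priv = make_key(2147483647, 167772161)   # attacker tries a key of their own
    resigned = {**VIEW, **sign_zone(evil_priv, [(bank, "DNSKEY", key_rdata(evil_pub)), (bank, "A", ["203.0.113.66"])])}
    blocked = {k: v for k, v in VIEW.items() if k != (pirate, "A")}   # plain block: the answer is withheld
    return {
        "genuine bank": resolve(VIEW, bank, [".", "com", bank]),
        "hacked bank": resolve(tamper(VIEW, (bank, "A"), ["203.0.113.66"]), bank, [".", "com", bank]),
        "hacked, re-signed": resolve(resigned, bank, [".", "com", bank]),
        "mandated redirect": resolve(tamper(VIEW, (pirate, "A"), ["203.0.113.1"]), pirate, [".", "example"]),
        "mandated block": resolve(blocked, pirate, [".", "example"]),
        "really absent": resolve(VIEW, "nosuch.example", [".", "example"]),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:18s} -> {result}")
```

Run it and six verdicts print. The thing to notice is that “hacked bank” and “mandated redirect” produce the same verdict for the same reason, that swapping in a different key fails one step higher (the parent’s DS no longer matches), and that withholding the answer outright fares no better, because DNSSEC signs denials of existence as well (the NSEC records). The only way a provider can make a validating resolver accept a block or a redirect is to make validation fail, which is exactly what an attack does.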
DVe says:
“It will leave the rest of us hurting and poorer
for years.”
So it is sure to become law.
November 18, 2011, 6:51 pm
Steve says:
Are you saying that hackers will have no way to “block and redirect” web traffic under a DNSSEC regime unless this bill passes? I’m not sure I get that.
November 18, 2011, 7:05 pm
Dany says:
Steve,
That is precisely what he means.
However, this article leaves me wondering about why it wouldn’t be far out for Hollywood to simply ask for a “block” mechanism rather than a “block and redirect” mechanism. Sure, hackers could theoretically block users from accessing a high profile site, but surely that’s a better option than having users blocked AND redirected to a potentially malicious website?
November 18, 2011, 7:43 pm
Blue says:
Will someone please explain to me why Republicans do a single damn thing for the entertainment industry?
November 18, 2011, 10:45 pm
Anonymous Coward says:
DNSSEC verifies “non-existent domain” responses. You can’t erase the entry any better than you could modify it. The only way to do it would be to violate the protocol, which would generally cause the user’s client to generate a nasty message about his DNS server being compromised. Which would just make the ISPs angry because they’ll get a bunch of calls from confused users, and make Hollywood angry because if the users actually change their DNS servers to ones that aren’t “compromised” then the site block won’t work anymore.
Because Fox News is part of the entertainment industry, naturally.
November 18, 2011, 11:21 pm
PQuincy says:
“This time the booby prize goes to the intellectual property lobby.”
Let’s call them what they are: “the government-established temporary monopoly lobby.” Please do not forget that copyright is a governmental monopoly license. Moreover, it’s a very particular kind of license: it’s specifically intended to “promote the Progress of Science and useful Arts”, that is, it is established for the public welfare. Sounds like socialism to me.
Since IANAL, I will leave aside the technical question whether, in legal language, such a license is ‘property’: it probably is. But it is property of a very particular kind, since it takes the specific form of a government-enforced monopoly. And it’s clearly not the same kind of property as real or portable property, which also enjoys government protection, but not in the form of a commercial monopoly, really. I’m not against such licenses (not being a libertarian), but we should call a spade a spade, I think.
Meanwhile, the fact that Hollywood is eagerly pushing for a law that will shoot them (and everyone else) in the foot is truly no surprise. I see no evidence that the entertainment industry produces leaders who think in prudent, strategic long-term ways. This is shown first by the industry’s complete bungling of the digital transition (What? Digital networks are going to stop people from buying records? Never!), then bungling the first generation of (genuinely illegal) file-sharing services. Suing some of your customers to intimidate them all…what a great marketing strategy!
November 19, 2011, 12:24 am
Donald Weetman Cameron says:
If Holly Wood doesn’t like the new digital medium are they not free to return to analog and vinyl?
November 19, 2011, 1:07 am
Phil Hunt says:
Blue: Will someone please explain to me why Republicans do a single damn thing for the entertainment industry?
Because, like Democrats, they like getting ~~bribes~~ campaign contributions. To be fair, there are politicians in both parties who oppose this illiberal (and probably unworkable) nonsense.
November 19, 2011, 1:26 am
NM Kerr says:
The same reason they do things for the oil industry, Cash$
November 19, 2011, 3:54 am
PersonFromPorlock says:
Unless Fox News makes a lot of movies, I doubt it. I think we have to put this one down to the pubbies’ native gormlessness.
November 19, 2011, 7:59 am
bwhat says:
Perhaps their primary motive isn’t to help the entertainment industry, but to strengthen intellectual property rights and thereby foster the formation and preservation of capital for the purpose of improving overall economic output?
But then, you would have to believe that our elected officials are in some measure genuine when they purport to be trying to help the people who elect them.
Skepticism helps you spot the badness. Cynicism guarantees you miss the goodness.
November 19, 2011, 10:34 am
Tim R. says:
You might also want to look at the list of Democrats sponsoring the bill. Truly a bipartisan folly.
November 19, 2011, 11:00 am
MLS says:
Distilled to its essence, Mr. Baker presents an argument that is based upon technology, and not law.
Unfortunately, for every person who is a technical expert in the field and argues against the bills on technical grounds, he/she has a counterpart who disagrees with their technical assessments.
And, BTW, these bills are not just about “Hollywood”.
November 19, 2011, 3:36 pm
Anonymous Coward says:
Even if you had presented some evidence to back your unsupported assertion that as many technical experts are for the bill as against, your argument would still amount to nothing more than the balance fallacy. A popularity contest is not an argument; especially not in a world where “experts” are compensated for their positions.
Moreover, the assertion itself appears to be inaccurate. I’m not aware of anyone who has done a survey, but do your own. Read the comments at any site where technical experts gather: Slashdot, Hacker News, Ars Technica, etc. The discussions of the merits of the bill quickly conclude with a consensus that the bill would be a disaster after its few supporters present arguments in favor that are no more sophisticated than “something must be done, this is something, so we must do this,” while the opponents point out cogent technical reasons why the bill will both fail at its intended purpose and create serious and harmful unintended consequences.
The lack of anyone able to refute the technical arguments against the bill with anything more than an unsupported “no it won’t” is so recurrent across the many stories about it that it regularly leads the discussion to transcend into a longer discussion of the political corruption that could allow it to pass despite the consensus defects, and then widespread lamentation about the inability to stop it.
November 19, 2011, 7:45 pm
Dan Simon says:
I’m neutral to mildly negative on the bills in question. But this article grossly overstates the security benefits of DNSSEC, which essentially duplicates the functionality performed by the current SSL/TLS certificate authority (CA) infrastructure. (There are pluses and minuses to both the DNSSEC and SSL/TLS versions of this infrastructure, which is why there’s no solid consensus on the urgency of deploying DNSSEC.)
Also, these bills could easily accomplish what they’re trying to accomplish without interfering with DNSSEC deployment. They could require ISPs to redirect traffic by IP address, rather than by DNS name, for instance. Or they could focus on domain name seizures, rather than ISP redirection, as the main weapon against sites they wish to shut down. In other words, even for DNSSEC advocates, DNSSEC deployability concerns are an argument for amending the bills, but not necessarily for opposing them outright.
If the bill’s critics were genuinely interested in security, they’d point that out, hoping that even in the event that the bills succeed in passing, it’s amended so as to preserve DNSSEC deployability. The fact that they do no such thing suggests to me that their security-based argument against the bills is completely disingenuous.
Opponents of these bills certainly have a legitimate case to make. But specious arguments based on computer security bogeymen do more to undermine their own credibility than to make that case.
November 19, 2011, 9:41 pm
Brad says:
Defense in depth. To MITM you’d need to compromise a CA & the relevant TLD registrar.
November 20, 2011, 3:13 am
Anonymous Coward says:
DNSSEC is hardly redundant with SSL/TLS. The latter both authenticates the connection and encrypts it, but the server-side overhead is significant so it is only used sparingly where secrecy is vital such as for passwords or banking. By contrast, DNSSEC primarily just assures that you get the correct IP address for the website (with consequently lower overhead) and for that reason can be used for everything. To give one example, SSL/TLS is not used when you visit http://google.com , but using DNSSEC would prevent a malware author with control over your local DNS server from redirecting that site to one that infects users’ computers with malware.
In addition to that, there have been numerous recent instances of SSL/TLS certificate authorities being compromised and the attackers having obtained fraudulent certificates for sites like Bank of America and Facebook. In those instances DNSSEC adds an extra layer of security that could prevent the attacker from redirecting you from your intended destination to the attacker’s server where they would use the purloined certificate to impersonate your actual destination.
The slow uptake has been primarily attributable to the misalignment of incentives. DNSSEC helps website operators and end users but has to be implemented by the authors of web browsers and operating systems and by last mile telecommunications companies who operate users’ DNS servers.
IP blocking is in many ways substantially worse than DNS redirection. The way that routing works on the internet is that routers have multiple links (connections) to other routers and contain tables which tell the router which link is the routing path for a particular IP address. The only way the tables can be of a manageable size that allow the routers to forward packets in a fraction of a second is by using ranges, so that e.g. all packets destined for any of the sixteen million addresses between 75.0.0.0 and 75.255.255.255 take the same route and only collectively need one entry in the table. If you have to add an entry to the tables for every pirate site on the internet to send its traffic to oblivion, the tables would explode to a completely unmanageable size. Which would naturally be made worse because the pirate sites would just get a new IP address that would have to be added to the tables every time the previous one was blocked.
In addition to that, a massive amount of international traffic is routed through the United States. Traffic from Canada to Europe or China to Brazil goes through New York and San Francisco. Having to maintain separate routing tables based on country of origin would multiply the scope of an already unmanageable problem. And yet the alternative of foisting the block on other sovereign nations will quickly turn into a catastrophe for the internet when they reciprocate and block whatever it is they want to block.
That would not achieve the desired result because the domain names can only be seized if the registrar is in the United States. You can (and they did) seize rojadirecta.org because the registrar for the .org top level domain is in the US, notwithstanding that the site is arguably legal in Spain where it operates and where most of its users are. In so doing you prevent those people, along with those in the US, from accessing the site.
At the same time, you can’t seize rojadirecta.es because the registrar is outside of the US, so people from everywhere including the US can still get there just by using a different name.
It seems rather futile to pass a bill that allows seizures of a subset of domains that pirates would immediately just stop using in favor of those that can’t be seized.
November 20, 2011, 4:03 am
Hyman Rosen says:
This is a good time to become aware of the MAFIAAFFIRE add-on for Firefox, which maintains a list of seized domains and redirects requests for them to alternate domains that the owners have established. For example, going to rojadirecta.org gets redirected to http://www.rojadirecta.me.
November 20, 2011, 5:17 am
Per Son says:
It is not just Hollywood that supports this, but also the Chamber of Commerce.
November 20, 2011, 9:18 am
Albert Johnson says:
The Chamber of Commerce is a private lobby group for (among others) Hollywood. Their support for anything is purely a measure of lobbying power, wholly divorced from the actual merit of the thing in question.
November 20, 2011, 1:06 pm
leo marvin says:
That’s MAFIAAfire (i.e., one “f” not two in “Afire”).
November 20, 2011, 5:19 pm
rumpsetiltskin says:
Does anyone think that there is some law we could pass that would stop petty larceny? Some rules about property ownership? Mandate new locks for all cars to stop car theft?
Then why does the IP industry think they can do it with IP?
November 20, 2011, 5:42 pm
Anonymous Coward says:
It makes perfect sense when you think about the incentives. The harms we’re talking about are harms in large part to generativity, semiotic democracy, user-generated content and other internet-based content distribution. They’re barriers to entry in the marketplace of ideas.
The companies advocating these bills view those things as the competition. The “harms” are benefits to them. They want people watching reality TV on Fox, not lolcats on YouTube. Better that people get their news from MSNBC than directly from the subjects of the story posting to their blogs. Destroying the internet is a good thing; Cable TV has higher advertising rates. Certainly turning the internet into Cable TV is a good thing, because that’s how they exercise control. If new artists can self-record and post their albums directly to iTunes or Google Music then how do the labels stay in business? If actors and directors can get together and release direct to Netflix, who needs the networks or the studios?
You take that into account and suddenly, from the perspective of the legacy industry, all the downside is gone or converted to upside and the fact that the reduction in piracy will be negligible is irrelevant. The harm is the benefit so pass the bill.
November 20, 2011, 8:36 pm