More “For the Moment Final”** Thoughts on SOPA

[** from Wallace Stevens, NY Law School Class of ’03, The Man With the Blue Guitar — though the original reads “for a moment final”, a nice example of how much meaning can change when substituting the definite for the indefinite article]

The folks over at Justia’s Verdict asked me to give them a piece summarizing the whole SOPA debate and for some reflections of a “now that the dust has settled a bit, what was that all about?” variety.  So I did.  The original is published here: http://verdict.justia.com/2012/02/13/sopa-and-the-future-of-internet-governance.  By virtue of Justia’s rather enlightened publication agreement, I can reprint/republish/reuse my piece to my heart’s content, provided I acknowledge and link to their initial posting – which I’ve done.  So here it is.  Those of you who have read my earlier postings on the subject will see familiar things in here – but I think I keep finding more reasons to be alarmed by what the Congress was about to do, and that they speak to some very large issues in connection with our ability, going forward, to bring “law” to the Net.
SOPA and the Future of Internet Governance

So what was all that fuss about?   SOPA, PIPA, Internet Blackout Day, front page stories in newspapers all across the country, 8 million or so emails pouring into the White House, 2 million #sopa tweets, 10 million signatures added to online petitions opposing the bills, . . . followed, of course, by the announcement that these various legislative proposals for combating online infringement1 had been taken off the table “for further study.”

1.  Although SOPA (the “Stop Online Piracy Act”) was only one of the bills advancing through Congress to deal with online infringement – others include PIPA (“Protect IP Act”), COICA (“Combating Online Infringement and Counterfeits Act”), and the incredibly-acronymed E-Parasite Act – ” Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation” – I will use “SOPA” as the generic descriptor of the class throughout this article.

As Larry Downes noted in Forbes, “Internet users have revolted before in the face of earlier efforts to regulate their activities, but never on this scale or with this kind of momentum.”

What happened?  How did it happen?  And does it matter?

I’m not sure anyone can say – yet – exactly what happened or how it happened.  But whatever it was – a spontaneous, grassroots outpouring of opposition to an attack on Internet freedom of expression?  A bunch of information junkies who’ve gotten hooked on free music and free movies sticking it to the Man?  A plot by the giant technology companies to show Washington who’s the boss? – I’m here to tell you:  It matters, and it matters a great deal.

It matters because the Internet matters – if the events of the Arab Spring didn’t finally persuade everyone of that, I can’t imagine what would or will – and because SOPA would have done serious damage to the technical infrastructure that allows the Internet to do the remarkable things that it does.  [More on that in a moment]

And it matters – even more — because the law enforcement regime that SOPA would have put into place reflects an approach to the problems of “Internet law” and “Internet governance” that is outmoded, unworkable, and unjust.

SOPA’s objective was straightforward:  to reduce or eliminate access to websites operating outside of U.S. borders and “dedicated to infringing activities” – e.g., offshore websites offering copyrighted music or movies for download, or selling counterfeit Omega watches, all without authorization from the rights holders.  It’s a worthwhile objective; nobody can deny that there are an enormous number of such sites, that many of them make a great deal of money by trampling on the legitimate rights of copyright and trademark owners, and that the consequent damage to those rights holders is substantial.

This problem of offshore infringement arises from two very basic characteristics of the global network.  First and most obviously, digital information can be reproduced at nearly zero cost, and with nearly 100% accuracy, making it a simple matter to do something that was for all intents and purposes impossible a mere twenty or thirty years ago:  producing, say, 100,000 copies of the motion picture “Avatar” while on coffee break, and with a lower outlay of funds than is required for your cappuccino.

Second, physical location in realspace no longer bears any relationship whatsoever to accessibility or to proximity.  In realspace – the world of atoms and tangible matter – it’s harder to do business in London if you’re in Lima than it is if you’re in Liverpool, and it’s harder to cause harm in Seattle from Seoul than from Spokane. But in the world of bits, that’s just not true anymore; web servers in all of those cities are effectively “equidistant” from one another, as “close to,” and as accessible to, a user anywhere on the global network as the server down the street.

That’s the good news.  The bad news is that our realspace legal infrastructure is, just as one would expect it to be, built for the world of atoms.  (How could it have been otherwise?)  Our realspace legal system reflects this fundamental feature of the world within which it was designed to operate:  physical location and physical proximity are indispensable components of many inquiries central to the way law operates, e.g., determining “jurisdiction,” or “citizenship,” or the “locus” of a contract or a tort, or dozens of other questions.  The “distance” between actors matters, in that realspace legal world; the more physically distant the relevant actors the more difficult it is, generally speaking, to enforce one’s law on them.

The disconnect between these two worlds – one in which physically distant actors can have a very substantial impact (good or bad) upon you or your property, and one in which it is difficult to bring law to bear upon them – is at the heart of the problem on which SOPA trains its sights.

It’s a profoundly difficult problem.  Some of us saw it coming, twenty years ago.  An enormous amount of creative and innovative thinking is going to be required if we are to solve it in a sensible way.  SOPA does reflect some creative and innovative thinking; indeed, it embodies a radical new plan for the way that law enforcement will proceed on the Net.  But the new plan is deeply flawed, and would set us on precisely the wrong course for dealing with this difficult challenge.

A few words, first, about how SOPA works.  SOPA targets the activities of “foreign infringing websites,” but it doesn’t impose any sanctions on the offending websites, on the servers on which those websites are hosted, or even on the operators of those websites.  Instead, SOPA imposes its sanctions on the domain names used by those websites.  It authorizes courts to “seize” the domain names used by the offending sites via actions in rem, actions against “property” (i.e., the domain name) and not the persons owning or using the property, thereby avoiding the messy problem of trying to assert personal jurisdiction over the foreign actors or the foreign servers.  Judges could then issue orders to any U.S. Internet Service Provider – a category that includes hundreds of thousands of entities, from giants like Comcast, Verizon, and AT&T to any business or educational institution that offers Internet access to users – requiring the removal of the offending websites’ domain names from the ISP’s “routing tables,” the databases of Internet domain names and Internet addresses used by all ISPs to get messages from one place to another over the Net.

This is not the place, nor do I have the time or space, to explain how those routing tables, or Internet message routing more generally, work.2  Every day, the Internet accomplishes an astonishing feat, many hundreds of billions of times over:  it takes an address on a message (like the URL that you type into your web browser, or the email address you put into the appropriate field of an email message), and, from among the seven or eight hundred million machines out on there on the Internet, it finds the right one to deliver it to.  All in about a second or two.  It is a truly incredible (and largely invisible and unappreciated) feat of engineering, a finely-tuned system (to put it mildly) comprising, among other things, hundreds of thousands of copies of these routing table databases circulating around the Internet from ISP to ISP at all times.

2.  If you’re interested, see chapter 10 (“Governing Cyberspace II: Names”) of my book In Search of Jefferson’s Moose: Notes on the State of Cyberspace for a detailed account.

All of that complicated engineering is premised on one fundamental principle:  universal addressing.  The routing tables are the same wherever you are; that’s why there’s only one Internet, and it looks the same whether you access it from Brazil or from Boston or from Belarus.

The consequences of court intervention ordering the selective removal of entries from these routing databases are potentially severe and possibly catastrophic.  Don’t take my word for it; people who know a great deal more about these engineering matters than I do have warned about this in no uncertain terms.  In their words, SOPA’s manipulation of the domain name system (DNS) would:

(a) be “evaded easily” and would “likely prove ineffective at reducing online infringement”;

(b) “threaten the security and stability” of the Internet, “harming efforts that rely on DNS data to detect and mitigate security threats and improve network performance” and “posing significant risk of collateral damage”; and

(c)  “weaken important efforts now underway to improve Internet security [by] enshrining and institutionalizing the very network manipulation that [such security measures] must fight in order to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks.”3

3.  Crocker, Dagon, Kaminsky, McPherson, and Vixie, “Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill.”  Several of the authors were instrumental in the current design of the DNS, and continue to operate critical portions of the DNS infrastructure.

The Obama Administration, finally, got this message.  As Internet Blackout Day approached, the White House announced that it was reconsidering its support for SOPA, in part because . . .

. . . proposed laws must not tamper with the technical architecture of the Internet through manipulation of the Domain Name System (DNS), a foundation of Internet security. Our analysis of the DNS filtering provisions in some proposed legislation suggests that they pose a real risk to cybersecurity and yet leave contraband goods and services accessible online. We must avoid legislation that drives users to dangerous, unreliable DNS servers and puts next-generation security policies, such as the deployment of DNSSEC, at risk.”

But the damage SOPA would impose on the Internet goes beyond this (though this is serious enough), extending beyond the Internet’s technical infrastructure and deep into its legal infrastructure.

Two of its provisions are especially troubling.  First, SOPA authorizes issuance of these domain-name-removal orders after nothing more than summary ex parte proceedings, proceedings in which only the prosecutor and the judge, and not the individual(s) responsible for the websites’ activities, are present.

What this means is that some Korean, or Brazilian, or Russian website operator wakes up one morning to discover that her domain has been “seized” by the US government, and that ISPs are now removing it from the routing tables and making it, literally, invisible across the Net.  Her website is still up and running – it’s just that fewer and fewer people can reach it.  She can challenge the seizure (once she finds out what happened) — perhaps on the grounds that her website is not “dedicated to infringing activities” at all, perhaps on the grounds that under Korean, or Brazilian, or Russian law her actions are entirely lawful, or perhaps on the grounds that the prosecutor just got it wrong, as prosecutors sometimes do – but she’ll have to come to the United States, and get legal representation, to do so.  (And if she does that, in a little added bit of nastiness, SOPA provides that she will then be deemed to have subjected herself to the personal jurisdiction of the US courts).

Second, SOPA authorizes a kind of “vigilante enforcement”: copyright or trademark holders, acting entirely on their own without the intervention even of a prosecutor or a judge, would be able simply to provide written notice to banks, credit card companies, Internet search engines, or Internet advertisers regarding the allegedly infringing conduct of the foreign websites, and the recipients of the notice will then have five days to cease doing any business with the offending website or risk losing an immunity from suit for damages caused by the website’s continuing operation.

“A guy walks into a bank.  He asks to see the branch manager.  He says: “You know Farmer Jones, whose place is just down the road from mine?  He’s been dumping pig shit in my pond, and spoiling it for my livestock.  He’s a nasty SOB.  STOP DOING BUSINESS WITH HIM.  FREEZE HIS ACCOUNT.”

In our realspace legal world, the bank will (and should) refuse.  “We’re sorry, but we can’t just take your word for it,” it will say; “Bring us a court order and we’ll comply, but we’re not just going to deny Farmer Jones access to our services just because you think he’s acting illegally.”

More to the point, in our realspace legal world, the law surely does not and cannot compel the bank to comply with the demand, or offer it a reward for doing so – precisely what SOPA would do.  One of the very small number of truly fundamental principles undergirding our legal system, and the Rule of Law itself, enshrined (twice!) in our Constitution, is that you may not deprive anyone (like Farmer Jones) of life, liberty, or property without due process of law:  a meaningful opportunity to be heard, before a neutral magistrate, in an adversarial proceeding in which he gets to present his side of the story, in a forum that can lawfully assert jurisdiction over him and/or his property.

What is most disturbing about SOPA is not just that it would run roughshod over this principle, though it would, and that is disturbing enough; what is most disturbing about SOPA are the justifications proffered by its proponents for doing so.  I’m not aware of any SOPA supporter who argues that SOPA actually does provide foreign website operators with a meaningful opportunity to be heard, before a neutral magistrate, in an adversarial proceeding and in a forum that can lawfully assert jurisdiction over him and/or his property before depriving them of their ability to communicate with millions of Internet users in the United States.  Instead, they argue that the full panoply of procedures comporting with due process isn’t required when courts “seize property” (like a domain name) that is located “inside” the United States borders.  And they argue that, in any event, SOPA doesn’t violate the due process rights of foreign website owners because as foreign nationals standing outside of U.S. borders, they don’t have due process rights.

To be fair, it’s not an entirely indefensible position; indeed, there’s precedent to the effect that, as the Supreme Court put it,  “[a]liens receive constitutional protections [only] when they have come within the territory of the United States and developed substantial connections with this country.”4  To SOPA proponents, the proper analogy here is  to the Customs Service.  SOPA, they say, simply prevents persons operating outside the United States from entering into our territory and bringing unlawful material – contraband movies and handbags – with them.  Customs agents board and search ships at the U.S. borders all the time, and if they find 100,000 copies of the Avatar DVD in the hold, they seize those copies and bring them before a magistrate, who orders their disposal and destruction (with or without the ship owner present).  Nobody complains about due process (or, for that matter, about the ship owner’s First Amendment rights) when this happens.  “Why, then,” they ask, “is everyone so exercised about SOPA?”

4.   United States v. Verdugo-Urquidez, 494 U.S. 259, 271 (1990).

To which the answer is:  we’re exercised about SOPA because, as I said earlier, it is outmoded, unworkable, and unjust.  The Customs Service analogy doesn’t work; there are no ships, and there are no borders, no “French” or “Brazilian” or “American” parts of the Internet, but a single global network.  We can, if we wish, impose borders onto the network, through legislative enactments like SOPA, thereby creating an “American” portion of the Internet, and we can let the Brazilians create a “Brazilian” portion of the Internet, and the Australians an Australian portion, and so on; but why would we want to do that?  Why would we want the Internet to look like the map of the world in 1950 or 1975, when its power derives precisely from the fact that it is a single global network, accessible to, and allowing communication among, all of the world’s peoples?

It is unworkable, because the network architecture virtually guarantees that evasion will be widespread and rather simple to accomplish; tools that allow websites to instantaneously alter their domain names and redirect traffic to the new sites without any special action on a user’s part are already widely available, and will surely become more so if this approach becomes commonplace.  SOPA will not stamp out copyright infringement on the Internet; it probably won’t even make much of a dent in copyright infringement.  If there are 50,000 pirate websites out there and SOPA somehow managed to close half of them down, that still leaves you with 25,000 badguys.  And in the world of bits – where information is infinitely reproducible at virtually no cost – 25,000 bad guys can do just as much damage to your intellectual property as 50,000 bad guys.

And it is unjust.  Perhaps we are not required to provide due process to those residing outside our borders, but that hardly means that we shouldn’t do so.  The Constitution of the United States, remember, doesn’t bestow the right to due process upon us; it says that the government won’t take away the due process rights we all already have by virtue of the fact that we are human beings.  That, I suggest, is the principle on which we should begin building a truly just legal regime for our new global place.

Copyrighted works are important, culturally and economically, and they are worth protecting.  They are not, however, sacred objects that we should protect at any cost.  The damage SOPA would do is immense, and its benefits would be negligible.  RIP, and may it not, as I suspect it will, rise from its grave to haunt us any time soon.