Tuesday, January 17, 2012

Reddit’s Technical Examination of SOPA/PIPA

Given that Reddit will be going down tomorrow in protest of SOPA and PIPA, I felt morally obligated to mirror this post from their blog on this site so that interesting and edifying information can be properly disseminated, which, quite appropriately, the bills will infringe on greatly.

As you have probably heard, there are two pieces of legislation currently pending that we, and others like us, believe seriously threaten the internet. I wanted to take some time to delve into the text of both of these bills, and outline their potential consequences as I am able to understand them. As you can imagine, this is a complex issue, and as a result this is going to be a complex post. I highly encourage you to set some time aside to read this thoroughly. Grab some caffeine, we are going to be here for a while.
As a disclaimer, I am not a lawyer, I'm a sysadmin. The following is not legal advice, but rather an outline and personal interpretation of critical portions of the legislation. If you own or operate a site that may be affected by this legislation, I suggest having your legal counsel look at these bills. If you're a brand new startup with little to no money for legal counsel, well, best of luck to you. The internet may no longer be a friendly place.
Note: In recent news, several legislators have suggested that they will be removing the DNS provisions from both SOPA and PROTECT IP. However, those provisions still exist in the bills today, and they are likely to still be debated. For these reasons, I'm going to include the DNS provisions in this discussion.


The Sacred Texts


Much of this post will be focusing on Title 1, Sections 101, 102, and 103 of SOPA; and Sections 2, 3, and 4 of PROTECT IP. I hope to make the impact of these bills clear, however you shouldn't just blindly trust me. Here are links to the current versions of the bills provided by Library of Congress and the Government Printing Office.

The Battlefields


One of the most important distinctions in these bills is the difference between a 'foreign site' and a 'domestic site'. The definitions try to break websites into two groups using some fairly simple language; however the results may be unexpected in several cases.
  • SOPA Domestic Internet Site - A domestic site is defined as a site that corresponds to a 'domestic domain name', or if there is no domain name, a domestic IP address.1 A domestic domain name is defined as a domain registered or assigned by a registrar or other authority that is located within the United States.2 Some common examples of domestic top-level domain names are '.com', '.org', and '.us'.
  • SOPA Foreign Internet Site or PROTECT IP Non-domestic domain name - A foreign site is very simply defined as a site that is not a domestic site.3 4 Under this definition, any site not using a domestic domain name is a foreign site.
Under these broad definitions, domestically hosted sites such as 'redd.it' and 'bit.ly' can be defined as foreign internet sites. On the other side of the coin, foreign hosted sites such as wikileaks.org and thepiratebay.org can be defined as 'domestic', since their domain names are registered through authorities located in the U.S.

The Players


  • Service Provider - A service provider is defined as a service that hosts a non-authoritative DNS server.5 This includes ISPs, sites like OpenDNS, Google's public nameservers, and any other service providing a public DNS resolution server.
  • Internet Advertising Services - A service that will serve, display, or "otherwise facilitate" an ad in return for compensation.6 7 This includes both services which display ads linking to sites (e.g. Google AdWords and reddit's self-serve advertising), and services which host ads on other sites (e.g. Google AdSense).
  • SOPA Payment Network Provider or PROTECT IP Financial transaction provider - A service that handles payment transactions (e.g. PayPal).8 9
  • SOPA Internet Search Engine - The definition of a search engine in the legislation is very wordy. What it basically comes down to is a service that provides links to other sites based on a user query or selection.10 Sites like reddit certainly fall within this definition. Other sites likely to fall within this definition are live blogs, link shorteners, wikis, and blog networks.
  • PROTECT IP Information Location Tool - The definition of this is not included in PROTECT IP itself, but rather referenced to language in existing copyright law.11 The existing law doesn't explicitly define an 'information location tool', but instead gives some extremely broad examples.12 It boils down to any service that displays links or 'pointers'.
  • SOPA U.S. Directed Sites - A site, or portion thereof, that is used to conduct business or provide services to U.S. residents.13 "Service" is not explicitly defined.
  • Qualifying Plaintiff - A holder of intellectual property who is harmed by the activity of a foreign infringing site.14 15


The Powers


Most of the power in these bills is granted to the office of the Attorney General. The Attorney General can obtain a court order to take action16 17 against a foreign infringing site, or portions thereof, as defined by the following.
SOPA18
  1. The site is U.S. directed.
  2. The owner or operator of the site is "committing or facilitating the commission [my emphasis] of criminal violations punishable under section 2318, 2319, 2319A, 2319B, or 2320, or chapter 90, of title 18, United States Code." Those sections primarily deal with copyright infringement and counterfeit products.
  3. The site would be subject to seizure if it were instead a domestic site.

PROTECT IP19
  1. The site is used "primarily as a means for engaging in, enabling, or facilitating the activities" of copyright infringement or counterfeit products; or
  2. The site is designed by its operator "as a means for engaging in, enabling, or facilitating the activities" of copyright infringement or counterfeit products.

If these criteria are met, the office of the Attorney General can then serve this court order to entities in the U.S., requiring them to take specific actions against the site. The following are the actions which must be taken upon receiving the order from the Attorney General's office:
  • Require U.S. sites and search engines to remove all links to the foreign site.20 21
  • Require U.S. advertising services to no longer serve ads linking to the site, or display ads (e.g. AdSense) on the foreign site.22 23
  • Require U.S. payment networks to cease any transactions between the foreign site and U.S. customers.24 25
  • Require U.S. service providers to block customer access to the foreign site (DNS blacklisting).26 27

"No Duty to Monitor"

SOPA
The requirements of ad networks22 and payment networks24 include a 'no duty to monitor' paragraph. This paragraph indicates that the networks are in compliance with the requirements if they take the actions described on the date that the order is served. It should be noted that 'search engines' have no such paragraph. This would mean that search engines can be required to continually monitor and prevent new instances of links to foreign sites. Coming from the point-of-view of the drafter of the legislation, this makes perfect sense. Requiring a site to scrub all the links to a foreign site is a useless effort if the links will simply pop up again the next day.

Actions which can be taken by qualified plaintiffs

The Attorney General doesn't get all of the fun. Qualifying plaintiffs can also send notice28 30 to advertising services and payment networks requiring them to cease interaction with a foreign infringing site.29 31

The Devil in the Details

Domestic vs Foreign

The concept of 'domestic' versus 'foreign' on the internet is complex. For example, reddit's primary servers are located in Virginia, however we have domain names through foreign registrars (redd.it, reddit.co.uk). The site is hosted via a third-party content-delivery network (Akamai). This means that if you connect to reddit from a foreign country, you are likely connecting to an Akamai server not located in the U.S. This legislation naively ignores this complexity, and simply labels a site 'foreign' or 'domestic' based solely on the domain name.
The legislators sponsoring these bills have indicated that they are only targeted at truly foreign sites. However, the language is so loose and ignorant of what is truly a foreign site that there is a huge amount of room to argue what is actually "foreign".

Facilitation of criminal violations

The potential for abuse in this language is painfully obvious. "Facilitation" can often be argued as simply teaching or demonstrating how to do something. Under this definition, a site could be targeted for something as simple as describing how to rip a Blu-Ray. This language also makes it clear that the legislation is not solely targeting sites "dedicated to theft".

The Fallout

Why this is going to harm user-driven sites like reddit

Up to this point, reddit and sites like it have been required to remove specific copyrighted content if presented with a properly filled out DMCA takedown request. The notices are required to indicate exactly what pages the content is on, and to prove that they are indeed the owners of the content. Even then, this process is often abused.
SOPA and PROTECT IP contain no provisions to actually remove copyrighted content, but rather focus on the censorship of links to entire domains.
If the Attorney General served reddit with an order to remove links to a domain, we would be required to scrub every post and comment on the site containing the domain and censor the links out, even if the specific link contained no infringing content. We would also need to implement a system to automatically censor the domain from any future posts or comments. This places a measurable burden upon the site's technical infrastructure. It also damages one of the most important tenets of reddit, and the internet as a whole – free and open discussion about whatever the fuck you want.

Why this doesn't actually stop piracy

This legislation is aimed at requiring private U.S. entities to enforce restrictions against foreign sites but does nothing against the infringement itself. All of the enforcement actions can and will be worked around by sites focused on copyright infringement. U.S. citizens will still be able to use foreign DNS servers, new advertising and payment networks will pop up overseas, and "infringing sites" will still be linked to by other foreign sites and search engines. In fact, tools used to circumvent these forms of internet restrictions are being funded by the U.S. State Department to offer citizens under "repressive regimes" uncensored access to the internet. When the dust settles, piracy will still exist, and the internet in the U.S. will have entered the realm of federal regulation and censorship.

Why this is ripe for abuse

The vague and technology-ignorant language in this pending legislation opens a huge number of doors for different interpretations. When you take this broad language and use it to grant powers to both the Attorney General and plaintiffs like the MPAA and RIAA, you create a system that is begging to be abused. Given the history of abuse of laws like the DMCA, it has become obvious that institutions like the RIAA can and will stretch laws to the breaking point, often while suffering no repercussions.
To prevent a repeat in history of the abuse of internet copyright law, any new legislation must be drafted with the following:
1. Airtight, technically sound definitions.
2. Heavy input from the technology sector. Complex technology legislation should not be drafted by someone who barely has a working knowledge of the internet.
3. Checks and balances ensuring that due process can be invoked before, during, and after any action is taken.
4. Clear repercussions for entities utilizing the legislation in an abusive manner.

Why this is going to hurt startups and tech innovation

One of the big reasons why a company is able to go from a few computers in a garage to a multi-billion dollar company is due to the open nature of the internet. The barrier to entry on creating a new site or product is very low. Adding legislation that regulates this open platform will seriously hamper future business.
Entrepreneurs will need to invest in legal counsel to ensure they can properly respond to a PROTECT IP or SOPA order. New sites and products will need to invest precious development time to build in censorship utilities so that they can remove links to foreign sites. New advertising networks will need to calculate the new risk of displaying ads for or on foreign websites. Sites will also be heavily discouraged from using non-US domain names due to the broad language in the bills on how they may be defined.
Adding regulation to one of the few growing sectors in the U.S. will result in a "chilling effect" and will push individuals and businesses to start ventures elsewhere. Threatening this existing ecosystem for the purpose of making it slightly harder to pirate movies is a very dangerous tradeoff.

In Conclusion


It is my strong belief that both PROTECT IP and SOPA:
  1. Will not stop the piracy they are targeting
  2. Contain language that is highly ambiguous and extremely broad making them ripe for abuse, and
  3. Introduce regulation and enforce censorship on what should be a free and open internet.

Peace
