Tuesday, December 27, 2011

Why I'm Terrified of the SOPA du Jour


Full disclosure: what follows is a factually informed but nonetheless angry rant

As many of you may know, an inimical piece of legislation currently barrels through Congress unimpeded by logic or regard for consequence. As you have probably guessed from the clever turn of phrase I've chosen for a title, I'm talking about the Stop Online Piracy Act. The name of the bill alone qualifies it to stand in a league with other incontrovertible bills such as the No Child Left Behind Act and the Patriot Act. Who doesn't want to Stop Online Piracy? Probably the same people who want to leave children behind. Why, you might ask, has an inarguably good bill raised the heads of the largely apolitical software development community? Simply put, because if the bill were to pass it would make the Internet worse. Period.

As a staunch opponent of the bill, I've become frustrated not only by the proponents of the bill but also by my fellow opponents. I don't think saying that opposition to the bill lies primarily in the technical community is a stretch. Many non-technical people hear the purpose of the bill, decide that it sounds like a great idea, and promptly sign on with their support. I don't fault them for this. Why wouldn't they? At this point, technically minded opponents of the bill (bear with me here) respond with statements like "SOPA will break the foundation of the Internet" and "SOPA would spell the end of the free Internet". While true, the first statement is so broad as to be meaningless, and the second one provokes the question "why should I care?" Let's dive in and see 1) why the bill is so bad, and 2) why you should care.

I'm going to try to clarify some technical issues for non-technical people precisely because the folly of the bill lies in the technical implementation, not the spirit. When you type in "www.google.com" in the address bar of your computer, your browser fires off a request to a remote computer asking "where does www.google.com live?" The response to this query is a string of numbers known as an IP address, or "internet protocol" address. An IP address tells routers (all the computers your request passes through between your computer and Google's server) where to send your traffic. Without that IP address, you can't communicate with Google. The computer servicing your request for an IP address lookup is known as the DNS, or "domain name system". Practically, the DNS is a series of computers sitting at large institutions mostly in the US. Without the DNS, looking up IP addresses is difficult. More on that later.

SOPA operates by placing restrictions on the operators of the DNS. This group includes universities, large corporations, and non-profits. Basically, if a site is found to be in violation of copyright law (more on how this is determined later), the operators of the DNS are required to remove that IP address from their registry. Then, when someone requests the address of a violating site, it is nowhere to be found. The site has simply "disappeared". This not only places an undue burden on the DNS operator, it violates some core principles of uniform naming that have allowed the Internet to become the largest information network ever seen. I don't have time to explain it completely here, but basically you get something like China's fragmented version of the Internet.

SOPA targets sites that make money by trafficking in pirated copyrighted content. Congressmen love to characterize these sites as "rogue offshore sites" because nobody is going to leap to the defense of a site that fits that description. The problem lies in the fact that SOPA contains no provisions that lead me to believe it will be limited to these obviously bad websites. Any site can fall victim to a SOPA censorship request--including legitimate sites that you use every day. The ease with which this can happen is downright scary.

In order for a site to fall victim to a SOPA takedown request, all that is required is a "good faith" complaint from a third party that the site is hosting copyrighted content. The target of the complaint doesn't even need to be notified that they are the subject of a complaint. The courts can just shut the site down. "Done. Game over. I'm sorry you were a legitimate multimillion dollar company employing hundreds of people. One of your competitors told us you were stealing, and we believed them. Better luck next year." As you can tell, it's hard to put into words how inane this policy is. And that's just a non-technical flaw in the implementation. The technical flaws are even more gaping.

As mentioned before, the primary mechanism by which SOPA accomplishes its questionable ends is through DNS censorship. However, this simply removes the IP address from the official DNS registry. Nothing is stopping somebody from setting up their own rogue DNS service that contains the IP addresses of all of the censored websites. Under SOPA this would be illegal, but so are pirate sites, and they exist. The problem with these third-party DNS services is not that they wouldn't work but rather that we have no reason to trust them. The DNS is already a fairly significant security risk for the Internet. Moving it outside of the regulation under which it currently operates only exacerbates this problem.

Imagine a scenario in which you type in "www.bankofamerica.com" in your browser. Because SOPA has mired the official DNS system down in a mess of litigation, you've decided to use a third-party DNS service. Instead of returning the true IP address of Bank of America, this service sends you to a truly rogue site whose only purpose is to steal your online banking credentials. Problem.

Perhaps the most terrifying thing about SOPA is not the future we face if it passes but the fact that it stands a chance of passing at all. I haven't been as scared as I was when reading transcripts of the House hearings since I watched The Exorcism of Emily Rose. The number of times a congressman made a tongue-in-cheek comment such as "I'm not a nerd" or "I don't know about this DNS stuff" would be comical if it weren't sad. The kicker here is that the congressmen refuse to call in expert testimony. Any decision-making body that simultaneously claims ignorance and refuses to listen to experts is broken.

Hopefully I've convinced you that SOPA will harm the Internet. However, I would be very interested in hearing why this bill is even being considered. Leave any insights in the comments. It would be much appreciated.