Sign up to our newsletter
The latest security news direct to your inbox
SOPA as currently constructed can never work as intended. I'm not going to get into the reasons we don't like it because of its oppressive implications or because it is against our first amendment rights nor for any other reason (there's been so much other commentary on those issues that it would be superfluous). I just want to point out some very simple technical things about how the Internet actually works, and which either break SOPA or would cause SOPA to be ineffective..
The Stop Online Piracy Act or SOPA as it is more commonly known, currently being debated in congress, has lit up a huge outcry on the Internet in recent weeks. We, here at ESET were one of the companies who, a little while ago, started raising the alarm about the devastating effect it would have on America's online economy, along with several other very high profile companies.
GoDaddy, the popular domain registrar was initially a prominent supporter of SOPA and when this was revealed it prompted a large Internet campaign to move domains away from GoDaddy – in the next couple of days they lost 37,000 domains.
Today, 29th of December, is the culmination of that campaign when many companies will be moving their domains.
As of today, ESET is also moving our 26 domains from GoDaddy. As expected, GoDaddy did a half turn a couple of days ago, and somewhat restricted their support, later doing a full turn and saying they no longer support SOPA.
That's great – the effect is a demonstration of how America works. Money talks, and businesses listen. The problem with SOPA is that, unless people who still support it start to listen too, the money will go away, from them and their businesses too. It's also too late for GoDaddy, integrity and trust is not something you can switch back on overnight, demonstrating that the most important thing a business can have is the belief of its users. GoDaddy, as they acknowledge, will have to work hard to get the support of the community back; they should have known better.
As is usually the case when things get heated, the real issues tend to get lost and debate turns into a slanging match with the proponents of each argument becoming more and more entrenched on their own sides. There's certainly been a lot of commentary and a lot of name calling, but the reality is, this really matters, but not just because of the censorship issue. Yes, it is likely that SOPA might be abused or misused, as have DMCA* takedown notices, but that's not the reason for the bill. Stopping piracy is a very real problem and at ESET we're not immune: it costs ESET money when people steal our software, so it's in our interests to see stronger controls imposed on people who aid and abet pirates. Stopping or reducing piracy is a good aim, and it's one ESET will always support, it's just that the target of SOPA is wrong. What we truly risk if SOPA passes is that America becomes an Internet backwater, where things look materially different to people here than they do for the rest of the world. This will inevitably affect businesses and that's just bad for our economy as a whole.
This risk is best summed up by Representative Jared Polis (D. Col)
"Instead of closing down and arresting everyone in a crack house, it's like changing all the street signs and roads so that it's a lot more difficult to find the crack house. But it's still there and if you try hard enough, you can find it. It also messes everyone else up, making places much harder to find for everyone else"
My analogy would be that SOPA's DNS provision is just like David Copperfield hiding the Statue of Liberty, everyone knows that the statue is still there, but from where you're standing, you're under the illusion that it's disappeared, and the rest of the world, standing outside of the illusion zone can still see it. Indeed, SOPA really is about hiding liberty for Americans, while pretending to the outside world that she's still there holding up her shiny torch for the rest of the world.
When you hook a device up to an Internet connected network, unless you're on some really outdated system, you are assigned a number called an Internet Protocol (IP) address. My current one is 192.168.1.2 – I'm typing this while connected to a portable MiFi network router device, so this is an 'internal' IP address that tells my router where to find me. The router device is connected to the Internet, and has the external IP address 126.96.36.199, which it's connecting to me via its own internal IP address of 192.168.1.1. I'm writing this post on blog.eset.com which has the IP address 188.8.131.52. My machine sends information from my IP address to the internal IP of the router, the router sends that out to 184.108.40.206 via its external IP address, and returning traffic gets sent back to me along the reverse of that route.
So, what does this mean? Well, the IP address is the fundamental building block of the Internet. Everything has a unique numerical address. It's like a giant list of unique numbers. If you know the number, you can find the site. Remember, every single site on the Internet works this way. There's a numerical IP address behind it. The problem is, humans aren't really good at remembering numbers, particularly when you'd need to memorize thousands of them. Just close your eyes now, and see if you can remember the four I've already mentioned? Did you? Well, there's the problem, even if you could, I bet you couldn't scale that up. Humans like words. It's easier to remember a person's name than their phone number (or even social security number), that's just how we're wired. Enter the Domain Name System or DNS. You can think of it as a phonebook for the Internet. If you want to find the ESET blog, it's much easier to remember to go to blog.eset.com than it is to remember 220.127.116.11. DNS acts as a way of mapping these simple names to the underlying numbers. The beauty of this is that you can change the number, and you can still find the site by its name, you just tell DNS that the number has changed. DNS is a global network of servers that provide these phonebooks for the Internet. This is what SOPA will break.
Quoted directly from the SOPA bill:
(i) IN GENERAL.—A service provider
shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from re- solving to that domain name’s Internet Protocol address.
The diagram below shows the problem with this. Since DNS is a global system, it relies on trust that the results returned are correct. In reality what will happen if SOPA goes through is that nobody globally will trust USA DNS server results anymore. Not only that, but it won't even block the sites. All the viewer needs to do is set their DNS server to an offshore location and they'll get the page they ask for – or they can just directly type the IP address and bypass DNS altogether.
To demonstrate just how easy this provision would be to subvert, a new Firefox plugin called DeSOPA has been released. By enabling the plugin, Firefox simply uses non USA based DNS servers for resolution. As Representative Polis pointed out, it's just like making the crack house harder to find, without doing anything that actually harms the crack house owners. What it will do is make it very difficult for non-technical users in the USA to see the Internet as the rest of the world does – it's like you're standing in the sightline of David Copperfield's illusion – to you, the thing is gone. It's ironic that all the while the USA advocates free Internet in places like Iran and China, it wants to make it harder for people in the USA to access the Internet in an unfettered way.
The implications of SOPA are way too important to ignore, and if the bill passes, it is not hyperbole to say that it will break the Internet, at least for the residents of the USA. It will harm businesses, and it makes the wrong people the target – it will make not one iota of difference to anyone ripping off our software or feeding off the innovation and invention of America. Meanwhile, the very companies the bill is claiming to protect will suffer from the lack of visibility and trust. If nobody trusts our DNS anymore, there's no way to resolve problems, and it makes the USA a second class Internet citizen. Not only that, but as I previously pointed out, it breaks DNS Security Extensions, which if implemented properly will remove one of the major hiding holes for malware authors.
Perhaps someone will campaign on a platform of adding an amendment to the US constitution that states: "Congress shall make no law respecting an establishment of Internet censorship, or prohibiting the free exercise of all persons using it." Maybe then everyone will finally understand the great strength and beauty of what has been created in the Internet, and protect the businesses, intellectual property and economic rights of all of us who live and work in this great country. Are there abuses on the Internet? Yes, of course, but just because some people abuse it, don't break it for the rest of us.
There's a pretty good page on Wikipedia that summarizes the issues and both sides of the debate. It's interesting to note that sites like Wikipedia could be seriously affected by SOPA, if someone objects to its use of images, text or even opinions.
*As others have noted, the DMCA already includes powers for takedowns of sites giving access to copyright infringing materials.
Author Andrew Lee, ESET