Hollywood's New War on Software Freedom and Internet Innovation
By Corynne McSherry and Peter Eckersley
.
This is the third in our series (Part 1, Part 2) breaking down the potential effects of the Stop Online Piracy Act (SOPA), an outrageous and grievously misguided bill now working its way through the House of Representatives. This post discusses dangerous software censorship provisions that are new in this bill, as well as the DNS censorship provisions it inherited from the Senate's COICA and PIPA bills. Please help us fight this misguided legislation by contacting Congress today.
In this new bill, Hollywood has expanded its censorship ambitions. No longer content to just blacklist entries in the Domain Name System, this version targets software developers and distributors as well. It allows the Attorney General (doing Hollywood or trademark holders' bidding) to go after more or less anyone who provides or offers a product or service that could be used to get around DNS blacklisting orders. This language is clearly aimed at Mozilla, which took a principled stand in refusing to assist the Department of Homeland Security's efforts to censor the domain name system, but we are also concerned that it could affect the open source community, internet innovation, and software freedom more broadly:
- Do you write or distribute VPN, proxy, privacy or anonymization software? You might have to build in a censorship mechanism — or find yourself in a legal fight with the United States Attorney General.
- Even some of the most fundamental and widely used Internet security software, such as SSH, includes built-in proxy functionality. This kind of software is installed on hundreds of millions of computers, and is an indispensable tool for systems administration professionals, but it could easily become a target for censorship orders under the new bill.
- Do you work with or distribute zone files for gTLDs? Want to keep them accurate? Too bad — Hollywood might argue that if you provide a complete (i.e., uncensored) list, you are illegally helping people bypass SOPA orders.
- Want to write a client-side DNSSEC resolver that uses multiple servers until it finds a valid signed entry? Again, you could be in a fight with the U.S. Attorney General.
It would be bad enough to have these types of censorship orders targeted at software produced and distributed by a single company. But for the free and open source software community — which contributes many billions of dollars a year to the American economy — legal obligations to blacklist domains would be an utter catastrophe. Free and open source projects often operate as decentralized, voluntary, international communities. Even if ordered to by a court, these projects would struggle to find volunteers to act as censors to enforce U.S. law, because volunteers usually only perform tasks that they consider constructive. And in the case of larger projects and repositories like Mozilla, to monitor and enforce such court orders against generic functionality could potentially violate licensing obligations and would likely create acrimony, demoralizing and shrinking the communities of contributors and innovators that those projects depend upon.
Essentially any software product or service, such as many encryption programs, that is not responsive to blocking orders could be under threat. And lest you think we exaggerate for effect, recall how some of the provisions of another copyright bill have been used to chill security research.
Those are just the new provisions in SOPA. Like its companion Senate bill, PROTECT-IP, the bill also authorizes the United Sates Attorney General to wreak havoc with the Domain Name System by ordering service providers to block U.S. citizens' ability to access domain names, which will inevitably lead to competing Internet naming infrastructures and widespread security risks. As leading Internet engineers explained (commenting on an earlier version of the bill), this approach:
[W]ill risk fragmenting the Internet's global domain name system (DNS), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate.
All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them. These problems will be widespread and will affect sites other than those blacklisted by the American government.
By introducing bills like this, Congress is recklessly endangering Internet innovation and security. The free/open source and Internet engineering communities need to fight back.