Perhaps SOPA Should Be Called The Stop Online PRIVACY Act
from the unintended-consequences? dept
From piracy to privacy
Critics of the Stop Online Piracy Act and its Chinese Firewall approach to combatting Internet piracy have hammered the ill-advised legislation for the predictable damage it would inflict on cybersecurity, innovation, and above all, free speech. More than a hundred eminent law professors—including such renowned constitutional scholars as Harvard's Lawrence Tribe—have blasted blocking provisions in SOPA (and its Senate counterpart PROTECT-IP) as a form of "prior restraint" of speech prohibited by the First Amendment. Yet SOPA also poses less obvious risks to the privacy of Internet users—risks which have received far less attention.
"We tend to treat freedom of speech issues on the Internet as matters of censorship," former White House technology advisor Andrew McLaughlin recently explained to The Wall Street Journal, "but the real threat is surveillance." Censorship and surveillance are natural partners: Monitoring alone often chills speech as effectively as blocking, and content prohibitions naturally give rise to monitoring designed to identify prohibited content. So it is likely to be with SOPA.
Under the notice-and-takedown approach to copyright infringement embedded in the Digital Millenium Copyright Act, Web platforms aren't expected to actively police the content uploaded by their users: They're only expected to comply with requests to remove specific identifying files identified by rightsholders. Under SOPA, however, a site can be branded as "dedicated to theft of U.S. property" if, in the statute's bizarre wording, its owner "is taking, or has taken deliberate actions to avoid confirming a high probability" of infringement. Sites merely accused of insufficient diligence risk being starved of revenue from ad networks or payment providers.
These dire consequences provide a powerful incentive for legitimate sites to implement some form of automated monitoring of user uploaded content, lest they be accused of "deliberately avoiding" awareness of infringement. Sites that do so can be expected to modify their terms of service—lengthy blocks of legalese, which users seldom read closely—to authorize such scans. As many analysts have pointed out, the friction and overhead costs involved in implementing such filters burden both innovation and legitimate "fair uses" of copyrighted content. But such scanning may also have unanticipated knock-on effects on the level of legal privacy protection to which user communications are entitled.
Much infringing content is posted on the public Internet for all to see. But infringement can just as easily occur in more limited, private forums. A pirated file can also be sent as an e-mail attachment, shared exclusively with a circle of friends on a social network, or uploaded to a cloud storage site behind a password wall. A comprehensive scan would have to include these as well—potentially affecting how content is treated under both federal statute and the Constitution. In short, SOPA incentivizes private cloud providers to change their practices in ways that may lower legal barriers to government acquisition of private communications—even for investigations having nothing to do with copyright.
Enter the Fourth Amendment
Courts have only depressingly recently begun recognizing that some forms of cloud-stored data are entitled to the protection of the Fourth Amendment. But Fourth Amendment analysis focuses on whether an individual enjoys a "reasonable expectation of privacy" in the information a government agent seeks to obtain. If files or messages are routinely scanned for infringing content by skittish cloud providers, courts may be more likely to find that the user's expectation of privacy—and any Fourth Amendment protection that accompanies it—has been waived. Even the lesser privacy protection afforded by the Electronic Communications Privacy Act depends in part on the provider having limited access to user files and messages, which means more scans that are not obviously a necessary part of providing a particular cloud service could provide a basis for questioning the statute's applicability.
Let's be optimistic, though, and assume that the law will be interpreted to preserve the privacy protection of user-uploaded content, even if it has been scanned in this way. That protection is still less likely to extend to any logs generated by a provider's scans. Insofar as these logs indicate which users have been flagged for uploading suspect files, or for sending links to suspect sites, they would reveal information about user content, but could easily be treated as ordinary business records accessible to government via a mere subpoena or other lesser process, rather than a full Fourth Amendment search warrant.
Would DNS redirection violate wiretap laws?
Finally, it's worth considering some potential effects of falsifying DNS records to redirect traffic bound for foreign sites deemed verboten by the Department of Justice. While SOPA leaves open what happens when someone attempts to reach a blocked site, PROTECT-IP explicitly suggests that a blocking notice chosen by the Attorney General should be shown to users seeking to reach those sites. That suggests that PROTECT-IP could be implemented using a scheme similar to that used by the Department of Homeland Security for seizing U.S. sites, which are pointed to a notice of seizure at 74.81.170.110.
Much here depends on the details of implementation, but such redirection creates a possible backdoor mechanism for the collection of information that normally requires a court order. Ordinarily, when the government wants to acquire communications metadata in realtime—to find out who is communicating to or from a particular phone, e-mail account, or IP address—it must get what's known as a "pen register" (for outgoing information) or "trap and trace" order (for incoming information) authorized by a judge. The standard for these orders is far lower than the "probable cause" needed for a full-blown wiretap, but they do still require some showing of relevance to an ongoing investigation of a specific crime that the government believes has been or is about to be committed.
If requests for pages hosted at InfringingContent.com, CheapViagraPills.net, or SexyMidgetVideos.org are instead sent to a blocking notification page on a government-controlled server, that server's logs will effectively capture the IP address of every user who has attempted to initiate a communication with a blocked domain (unless they're using a proxy or other anonymizing tool). This is especially worrisome in cases where the site in question might host content that is controversial for reasons beyond copyright status.
Potentially still more problematic—and again, depending heavily on the implementation details—such redirection could cause communications intended for one domain to be redirected to the government's notification server, which would technically constitute an illegal "interception" under federal wiretap law even if the notification server were not configured to accept or record any of that data. The simplest way this might happen is if a DNS server operator interpreted the law as requiring modification of a blocked domain's mail server (or MX) record. But even an ordinary HTTP page request will often contain some forms of "content": search queries, login credentials, a user agent string, or cookies placed by the blocked site during previous visits. And of course, DNS is not only used by web browsers, but by other clients operating on other communication protocols. The host currently used by DHS to provide seizure notification only appears to keep port 80 (HTTP), 443 (SSL), and 3389 (terminal services) open, but those settings can be easily changed at any time, before or after redirection begins. In effect, DNS hijacking puts the government on the honor system with respect to communications directed at or through a seized domain. The alternative—failure to resolve without redirection—results in censorship without transparency, as government blocks become indistinguishable from technical or other sources of connection failure.
From worries about its impact on DNSSEC to fears of providing cover for repressive regimes abroad, it's hard to keep track of all the different reasons to oppose domain censorship as an anti-piracy strategy, but there are strong grounds for adding its effect on privacy to the long, growing list.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, copyright, monitoring, privacy, sopa, unintended consequences
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
No need to thank me for the fact checking.
[ link to this | view in thread ]
[ link to this | view in thread ]
No need to thank me for the fact checking.
[ link to this | view in thread ]
Re:
WAIT A MOMENT!
[ link to this | view in thread ]
[ link to this | view in thread ]
You're out of your fucking mind. The ISP's on coming out in favor of SOPA by the markup.
[ link to this | view in thread ]
Why is the Entertainment Industry so powerful?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Ha. Lol.
In America today, just six people by themselves have as much wealth as 30% of the citizenry.
Who really has the power? Is it ninety million soi disant “consumers” —or those six people.
It's not a difficult question. You already know who really has the power: Who can buy laws. Who can get wars started. Whose opinion really counts in this country.
[ link to this | view in thread ]
Re: Re: Re:
Remember, those who violently halt peaceful protests ensure violent proitests will occur.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Why is the Entertainment Industry so powerful?
[ link to this | view in thread ]
Re: Re: Re: Re:
When they're shopping for Congressmen, they spend considerably more.
[ link to this | view in thread ]
Re: Re:
I have been ding this for the last 5 or 6 years and will do this for many more if not my whole life.
1.never go to a theater
2.do not do Netflix/ITUNES, etc as Hollywood will get money that way
3.never ever buy a digital file of music/movies from RIAA & MPAA
4.Boycott any fool Artist who signs with the RIAA
5.Do not buy any new physical movies/music from Big Content
6.But only used Physical products locally or if not found online
7.Buy only INDIE Movies and Music
8.never let a dime of your wallet go near the RIAA & MPAA
Fight the bastards with your buying power and spread the word.
They want to make war against all of us now you all should be fighting back.so what if you have to wait a little while to watch something.Be patient and wait and then buy used.
FRAK YOU MPAA & RIAA
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
But the issue is important enough for that to be a sensible way to vote.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
Movies are another matter. I only buy movies if there's something special about the physical disk, like if it's the Special Extended Director's Cut Collector's Edition. Otherwise it's just another digital media file and the physical token isn't efficient. Things like Netflix, and recently YouTube, have made paying for the file easier.
Eventually, I'll be able to watch movies the same way I listen to music.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]