SOPA Supporter: If You Use DNSSEC You Can Ignore SOPA/PIPA

from the wait,-what? dept

Daniel Castro from the Information Technology and Innovation Foundation (ITIF) is the guy who has been highlighted for coming up with the idea of censoring the internet to deal with copyright infringement online. In 2009, he wrote a whitepaper suggesting just such a strategy, and since then has been a vocal champion of the approach that mimics China's Great Firewall.

He's issued a "response" to "critics" over the bills which is, frankly, an embarrassment for supporters of these bills. There may be some compelling ways to defend these disasters (though I doubt it), but Castro's paper is beyond ridiculous. It rolls out all the usual bogus tropes, talking up the "size" of the problem with claims that simply aren't backed up by the data at all. But it's main focus is trying to respond to the claims of all sorts of people who actually understand internet security, about how DNS blocking would be a disaster. At this point, the incredible thing is that supporters of SOPA/PIPA have yet to come up with a single credible person who thinks DNS blocking is a good idea. On the flip side, DNS experts like Paul Vixie and David Ulevitch have been vocally opposed. In addition, there are other folks like Stewart Baker, the former Homeland Security Assistant Secretary and former NSA General Counsel, as well as the folks at Sandia National Labs, experts in internet security, who are opposed to it as well. All of them have pointed out that DNS blocking won't work, will likely make things worse, and will have disastrous consequences for internet security. These are people who understand this stuff at its core. On the other side? We've got Daniel Castro. There's a lot of ridiculousness here, but let's start with the most insane part, the response over how this will kill DNSSEC. Castro seems to suggest that those who use DNSSEC can just ignore the law:

PIPA/SOPA states that service providers are required to take only “technically feasible and reasonable measures” to comply with government court orders. The legislation further states that a service provider is not required to “modify its network, software, systems, or facilities” to comply with these requirements. This means that if DNS servers are deployed using DNSSEC, and if DNSSEC does not allow for the type of redirection or filtering specified in the legislation, ISPs would not need to take action. Thus there is no reason to suspect that ISPs would delay deploying DNSSEC because of provisions in SIPA/PIPA. If anything, to the extent that any ISPs oppose DNS filtering for ideological or technical reasons, the DNS filtering requirements in PIPA/SOPA would serve as a catalyst for ISPs to upgrade to DNSSEC since this may free them of unwanted obligations.

Really? Is he really arguing that if you're running DNSSEC, you can ignore the government's official blacklist? Why do I get the feeling that any provider that actually does that will quickly find themselves hauled into court for... "enabling" or "facilitating" infringement? How can anyone take this seriously?

While technology should shape policy, it should not determine policy. The U.S. policies on the Internet should not be determined by the ideological points of view of a few network engineers in the IETF. Policymakers routinely ask the private sector to design systems to meet new technical standards so as to achieve a specific policy outcome.

This is either ignorant or just stupid. DNSSEC has been under development for sixteen years. Part of the reason it's taken so long is because this is not easy. Castro's flippant suggestion that we just ignore the technological issues is downright scary. If the technology is carefully set up and clueless think tankers and regulators are about to throw a decade plus of careful development out the window for a "problem" they can't actually show with a "solution" that won't work... it seems pretty damn reasonable to raise the technological issues.

DNSSEC, as with many technical standards, is not an immutable set of rules carved by God on stone tablets. Although DNSSEC has been codified in various technical documents, it continues to evolve over time as researchers propose new modifications to the standard to address various limitations. The question policymakers should be asking is not whether the proposed solution is compatible with the current version of DNSSEC, but how to craft policies that best take advantage of potential improvements in the DNSSEC standard.

Ah, the MPAA's "you techies can just change the code" argument. Once again, displaying a massive ignorance of what has happened over the last 16 years and the effort that has gone into creating DNSSEC and then beginning the process of getting it out there. Is Castro really suggesting that we go back to the drawing board, and leave security issues ignored for another decade and a half? Just because some movie studios are too lazy to adapt? That's scary.

Opponents of PIPA/SOPA, such as the Internet Society and Crocker et al., argue that DNS filtering will “puts users at risk.”31 However there are no security risks from DNS filtering. Instead, the purported security risks for users come about only for those Internet users who begin using alternative DNS services (i.e. those individuals intent on breaking the law). Yet, as we have seen, to date there is little evidence that the average user will begin using these alternative DNS services. In fact, users will be unlikely to use an alternative DNS service precisely because of the security risks.

This is a disgusting smear from Castro, suggesting that the only people who might use alternative DNS systems are intent on breaking the law. Does he really not think that some people might not trust the US DNS system once it's been given orders for an official blacklist of sites to censor?

The Internet Society argues that DNS filtering “has the potential to restrict free and open communications and could be used in ways that limit the rights of individuals or minority groups.” Of course it could. ISPs or the U.S. government could use DNS filtering to block sites they do not like. But guns can be used by criminals to kill people too and that does not mean that we do not let the police or security guards have guns.

Is he really arguing that DNS filtering isn't censorship in the US because we're giving it to "the good guys"? That seems to be the argument here... and it's ridiculous. The censors in China and Iran consider themselves the good guys too. Is this really the message we want to send to the rest of the world? Just make sure you say your official censors are "police" and all is good, according to Daniel Castro.

Critics of PIPA/SOPA are trying to suggest that if a user is prevented from obtaining a pirated copy of the latest Hollywood film, this is an unlawful restriction of their Constitutional rights.

No, actually, that's not what they're arguing. They're arguing that this idiotic censorship system Castro is supporting will censor plenty of protected speech, which is a restriction of their Constitutional rights.

Ironically, many of the voices arguing that DNS filtering does not solve the core issue, which is that pirated content is made available online, often are the same ones opposing digital rights management (DRM) technology that is created to achieve the very goal of eliminating pirated content.

That's not ironic. Neither DNS filtering nor DNS achieve the goal in question. The position of being against draconian, overly aggressive technology that harms consumers rights and is likely to be abused, is entirely consistent.

There's a lot more in the paper like this, but you get the idea. There's barely a sentence in there that's reasonable or sensible.

Filed Under: daniel castro, dns, dnssec, security

Paul Vixie: SOPA/PIPA Would Be Good For My Business, But I'm Still Against It

from the the-toothpaste-will-come-out-somewhere dept

Last night, there was an interesting panel at Stanford discussing many of the problems with SOPA. It covered a lot of the ground that we've covered here over the past few months, but there were a few interesting moments. Paul Vixie, who has been a very vocal opponent to DNS blocking, explained why it wouldn't work, and how it would cause a lot of other problems... but he also noted that he was probably going against his own self-interest in making this argument. That's because the problems caused by SOPA/PIPA's DNS blocking would need fixing... and he suggests lots of folks would come to his company and pay for fixes. So it's a pretty principled stand by Vixie.

A separate point that was raised by Mark Lemley early on was that this argument that those in the US simply can't go after foreign sites is ridiculous. Under existing law, it's happened plenty of times in the past where copyright holders have gone after sites and companies based outside of the US and dragged those folks into US courts.

The vast majority of the evening proceeded with the implicit assumption that everyone there was categorically opposed to SOPA... but towards the end two execs from Paramount Pictures made it known they were there, and they were very much on the other side. The temperature in the room must have dropped 20 degrees when that happened. To be honest, the panel itself might have had a few more fireworks (though likely wouldn't have been that productive) if there had been a SOPA supporter on the panel itself. Of course, the Paramount guys, in typical Hollywood fashion, made a bunch of false assumptions. Perhaps the best part was when one of them challenged venture capitalist Albert Wenger by claiming that the companies in his portfolio used intellectual property laws to protect their business: to which Wenger immediately shot back that they did not, and that they didn't support such things at all. Instead, he noted that the companies his firm (Union Square Ventures) invests in tend to win in the marketplace by competing and winning. He noted that even if they completely gave away the source code of Tumblr (one of USV's investments), it wouldn't matter. In fact, he pointed out that another company had copied Tumblr feature-for-feature... but they couldn't get users. The point is clear, and it's the same point we've made here for years: focusing on copyright to protect yourself is not a good business model, and not something they invest in. Instead, they focus on things that can succeed by executing even if someone copies them line for line.

Finally, there was an entertaining moment when Andrew Bridges asked the Paramount guys exactly how many sites they saw as a problem. Because, he noted, other studio execs from some of the big Hollywood studios had given him numbers between 10s and a few hundred. And, he noted, if it's just such a small number of sites, then why create massive regulatory issues for the entire internet, rather than trying to deal with the sites. The problem is that Hollywood wants control over much more than what's really "the worst of the worst." However, when someone suggested it was "a couple hundred" sites that were problems, Mark Lemley pointed out that then they should be all done, because ICE has already seized 450 domains.

All in all it was an interesting evening. The specific discussions on the problems of DNS blocking were particularly enlightening. It's why when the House had its ridiculously one-sided hearing on SOPA last month -- in which not a single panelist knew anything about DNS -- they should have had someone like Paul Vixie there to explain the basics of why SOPA and PIPA are bad ideas that won't fix things and will likely make things worse.

There was one metaphor that was used repeatedly through the evening, and it's really quite apt. People kept noting that "the toothpaste is just going to come out somewhere else." It's a good way of noting the unintended consequences here. Plugging this "hole" and then putting pressure on sites may stop certain actions, but it won't deal with the real issue that Hollywood is facing. In fact, it's likely to cause more problems, as the toothpaste squirts out somewhere else, unexpectedly.

Filed Under: dns, dnssec, paul vixie, protect ip, sopa, unintended consequences

As SOPA/PIPA Still Loom, Techies Already Creating Workarounds

from the of-course-they-are dept

While there's still a fight over whether or not SOPA and PIPA will pass, it seems that people are already working up basic hacks to make the laws obsolete, should they pass. The folks behind MAFIAAFire, the browser plugin designed to route around ICE seizures has created a new offering, dreadfully named "The Pirate Bay Dancing," which will route around any DNS or IP blocking by using a rotating list of proxy servers. If you thought that ICE was upset about MAFIAAFire, you'd have to imagine they won't be at all pleased about this bit of code. Of course, SOPA does have an anti-circumvention clause in there, which would effectively make this plugin illegal. Of course, I can't see how they could possibly enforce something like that. Using a proxy in general is legal. How will they know if you're using a proxy to get around these particular blocks? Either way, it's yet another example of why the MPAA's insistence that DNS blocking remain in the bill shows (yet again) how technically clueless they are. DNS blocking is a total waste of time. It makes the internet less secure. It fragments key pieces of the internet. Breaks the basic agreement of how the internet is supposed to work... And all for what? To create a system that won't actually block much at all?

Filed Under: blocking, circumvention, dns, ip blocking, mafiaafire, pipa, pirate bay dancing, protect ip, sopa, technology, workarounds

Another DNS Provider Comes Out Against SOPA

from the speak-up dept

We had already seen OpenDNS publicly come out against SOPA and PROTECT IP, and it appears other DNS providers are doing so as well. Dyn has come out strongly against the bill as well, comparing it directly to the Great Firewall of China.

Are you familiar with the Great Firewall Of China? Sometimes referred to as the Golden Shield project, it’s a Chinese government censorship and Internet surveillance project kicked off in 1998 and put into action in 2003. Simply put, it enables the government to restrict what content its citizens can read and view via IP blocking and DNS filtering. If they don’t like a site request a user makes, it won’t get viewed.

Many dismiss what’s happening in China and chalk to up to their communist political system. That could never happen in a free speech-driven, rights for all society like we have in the United States, right?

If the Stop Online Piracy Act (SOPA) introduced this week gets enacted into law, things could change negatively for Americans which is why Dyn opposes the bill.

Once again, this isn't just some "easy to dismiss" ranting from "the usual crowd." This is from a company that actually runs a DNS system and knows directly how this law will create the functional equivalent of the way blocking is done in China. It stuns me that politicians and folks at the MPAA still want to pretend that the concerns over DNS are nothing to pay attention to and that techies can just "change some code" to fix them.

Filed Under: dns, sopa
Companies: dyn

Sandia National Labs: DNS Filtering In SOPA/PIPA Won't Stop Piracy, But Will Hurt Online Security

from the more-experts-weigh-in dept

We've covered at great length the problems with DNS filtering in SOPA and PROTECT IP (PIPA) and how it will harm internet security. These concerns were first highlighted by a group of folks who are considered to be some of the foremost experts (and original architects) on DNS. The MPAA and other SOPA/PIPA startups have been trying for months to diminish these points, but have yet to find any kind of argument that makes sense. The argument they fall back on is "well, if this law breaks DNSSEC, just change the code and fix it." This represents a fundamental misunderstanding of the technoloy. That's not too surprising, coming from the MPAA, frankly. However, now, Sandia National Labs, which is a part of the Department of Energy, has sent a letter to Rep. Zoe Lofgren confirming most of the problems with the idea of DNS filtering, noting that it would make the internet less secure... and would do nothing to actually stop piracy.

It is not likely DNS filtering would be effective in blocking U.S. access to targeted foreign websites....

On the question of DNSSEC, the letter notes that slowing the adoption of DNSSEC would have significant "negative consequences" for US online security. While DNSSEC may not be fully rolled out yet, nearly everyone who understands this stuff knows that it's needed to fix key flaws in DNS. And while it takes time, simply breaking it and waiting for the next generation to rewrite it from scratch would be a mistake. Many years of careful work has gone into DNSSEC. Scrapping it for something else random is not going to help.

At this point, I don't see how any SOPA/PIPA supporters can still claim that the concerns over DNS blocking are unfounded. When you even have a major national lab saying that it's a bad idea, won't work and will be bad for online security... can the MPAA still respond with nothing more detailed than "we disagree" (which was the MPAA's actual statement at the hearing when challenged about the security problems associated with DNS blocking).

Filed Under: censorship, department of energy, dns, filtering, sopa
Companies: sandia national labs

More And More People Speak Up Against SOPA

from the speak-up dept

With the hearings this morning (more on that later), there were also more statements publicly made against SOPA this morning. Two key ones are, unfortunately, behind Politico's paywall, so I can't link or quote too much. The first, by former Homeland Security Assistant Secretary and former NSA General Counsel, Stewart Baker, was raised a few times during the hearings. Baker focused on the problems of SOPA and PROTECT IP and their impact on online security. He notes that the DNS blocking portions of both bills "run directly counter" to the government's cybersecurity efforts:

Because “block and redirect” is exactly what crooks are doing today to bank customers. If the bills become law, the security system won’t be able to tell the difference between sites that have been blocked by law and those that have been sabotaged by hackers. Indeed, it isn’t hard to imagine crooks redirecting users to sites that say, “You were redirected here because the site you asked for has violated copyright,” while at the same time planting malware on the user’s computer.

There's much more in the article as well, noting that these laws won't actually help Hollywood and will "leave the rest of us hurting and poorer for years." The really tragic part of the hearing is that when all of the panelists were asked about Baker's statement, every single one of them admitted that they didn't understand the technology enough to really comment. The best that the MPAA's Michael O'Leary could blurt out was that he "didn't agree."

The second interesting piece at Politico comes from famed Constitutional scholar Laurence Tribe, who more or less acts as a counterweight to Floyd Abram's letter. He basically highlights all of the problems we've discussed over the past few weeks: vague definitions, broadly targeted, will impact perfectly legitimate sites. And, he notes clearly: "It would violate the First Amendment."

A key provision of the bill would give copyright owners the power to stop online advertisers and credit card processors from doing business with a website, merely by filing a unilateral notice that the site is “dedicated to the theft of U.S. property” — even if no court has actually found any infringement.

The immunity provisions in the bill create an overwhelming incentive for advertisers and payment processors to comply with such a request immediately upon receipt. Courts have always treated such cutoffs of revenue from speech as a suppression of that speech, and the silencing of expression in the absence of judicial review is a classic prior restraint forbidden by the First Amendment.

Just as we have said in the past. It seems that more and more lawyers are making this point. So far, the pro-SOPA side has Floyd Abrams. He's respected, sure, but so is Tribe and so are many of the other lawyers who have questions SOPA's impact on the First Amendment.

Lots of internet companies have come out against the bill as well. Reddit and Tumblr both joined with American Censorship Day, blocking out parts of their site. Tumblr went so far as to blackout their entire dashboard. Along with them Kickstarter and FourSquare both spoke out against the bills as well. These are all platforms that content creators today rely on to create, connect, promote, distribute and monetize their works. In other words, these are the platforms of the future -- the platforms that could be crippled with legal and regulatory compliance under these bills. Burdening them doesn't help content creators. It may help the big record labels and the big studios -- the ones who don't want musicians and filmmakers "going direct" via these platforms... but it doesn't help actual content creators or the public.

Web hosting platform/CDN Cloudflare has weighed in by warning of legal denial of service attacks that would be enabled under the bill:

We've been seeing a disturbing trend recently. Increasingly, we're receiving purported DMCA requests that ask us to identify website hosts that are actually from attackers abusing the legal code. If we reveal the requested information, attacks are launched directly at those hosts, bypassing CloudFlare's protections and knocking legitimate sites offline. Initially, these requests were relatively easy to spot. When we recognized the new attack method, we changed our policies and trained our customer support team to more carefully screen DMCA requests. Increasingly, however, the requests are becoming more sophisticated and difficult to detect.

Imagine the challenge for someone on CloudFlare's support team. If someone writes to us alleging that they are a photographer who took a picture that appears on a website, or a designer who drew a logo, or an author who wrote some text, how can that claim be verified? I'm an attorney and member of the bar. I teach a course on intellectual property and technology law at the John Marshall Law School. I serve on the Board of the Center for Information Technology and Privacy Law. I've reviewed many of these requests and, even with my training in the subject, I have no idea how to effectively and efficiently tell the difference between valid and invalid complaints.

In an Internet without bad guys, the consequences of revealing a host's information is relatively minimal. Unfortunately, the Internet is full of bad guys. There has been a steady rise in attacks, increasingly affecting legitimate small businesses and ecommerce sites. These attacks have been part of why more than 100,000 websites have sought shelter behind CloudFlare in just the last 12 months. We offer great technical protections to shield sites from attack, but I'm concerned some of our efforts could be undermined by new laws like SOPA.

Yes, read that again, because it's downright scary.

Mozilla, the makers of Firefox, also joined in, with the following on their website: They've also put up an entire information page about SOPA.

Perhaps most interesting of all, even Rep. Zoe Lofgren joined in with American Censorship Day by censoring her own logo on her official House website:

Filed Under: copyright, cybersecurity, dns, first amendment, laurence tribe, sopa, stewart baker
Companies: foursquare, kickstarter, reddit, tumblr

OpenDNS Tells Congress Not To Create The Great Firewall Of America

from the speak-up dept

When I went to Washington DC a few weeks ago with other entrepreneurs and venture capitalists, one of those whom I had the pleasure of meeting and walking the halls of Congress with was David Ulevitch, the CEO of OpenDNS, the world's largest DNS and internet security service. His service protects over 30 million people every day, and is currently used to protect people in approximately one-third of every public K-12 school. Hearing his story and his concerns about PROTECT IP and SOPA was really eye-opening. He's someone who clearly understands DNS and DNS/IP blocking better than probably anyone. And he told me that if SOPA were in place when he was first creating OpenDNS, he wouldn't have bothered. The liability would be just too great.

David has now penned an open letter to Congress, which we've embedded below, asking Congress to reject SOPA and PROTECT IP as being extremely bad bills that will have massive unintended consequences, hurting jobs and internet security at the same time. Here are just a few excerpts:

It’s likely that if SOPA and PIPA existed when I started my company, we would have incorporated outside of the United States and all of the jobs and investment that I have put into the economy would have been taken elsewhere. I expect many businesses will make the decision to incorporate elsewhere should this legislation pass and it’s possible that existing corporations will relocate to more entrepreneur-friendly countries.

My company invented many of the specific techniques that SOPA and PIPA would require all domestic Internet Service Providers and companies like mine to employ. Needless to say, we understand the censorship technology being proposed in this legislation and we are deeply concerned. While the aims of protecting IP and reducing piracy are noble, there are many reasons why SOPA and PIPA are dangerous as currently written. Here are the three that impact my business most:

1. It will, by definition, be overbroad, as there is no way to censor only illegal content without harming legitimate uses on sites as well. This is particularly true in light of the broad notion of “sites dedicated to infringing activity.”
2. Through their requirements to block websites, these bills will create a domestic Internet firewall designed to censor websites equivalent to the “Great Firewall of China” that is used to suppress information. If we implemented such a solution we would be setting a terrible example for the rest of the world, including countries we criticize for the same behavior like Iran, Syria, and China.
3. They will burden companies with an onerous level of liability for all user-generated content. What the bills propose would be akin to requiring the phone company to be responsible for the legality of every phone call that takes place. With that kind of regulation, companies will spend more on lawyers and litigation than they will on hiring and innovating. Existing laws like the Digital Millennium Copyright Act already provide a satisfactory legal framework to remove copyright infringement and enforce intellectual property rights.

It's difficult to argue that Ulevitch doesn't know what he talks about. He runs the largest DNS provider in the world. How much longer will Congress continue to ignore the people who actually understand the technology they're trying to regulate?

Filed Under: congress, david ulevitch, dns, great firewall, protect ip, sopa
Companies: opendns

As Expected, Alternative DNS Systems Sprouting Up To Ignore US Censorship

from the not-like-people-weren't-warned dept

After the US government, via Homeland Security's Immigration and Customs Enforcement (ICE) division, started seizing domains without any notification or adversarial hearing (things that most of the world would consider to be reasonable due process), some folks quickly put together a browser extension, called MAFIAAfire, that would route around any ICE seizures and take you directly to the sites whose domains had been seized. This is, as the internet saying goes, a form of seeing censorship as "damage" and routing around it. Of course, that could be done on a much larger scale. As a bunch of the folks who built key pieces of the core internet infrastructure warned, continuing this kind of policy (and extending it with PROTECT IP) will lead to more workarounds that inevitably will fracture key pieces of the internet and make it significantly less secure. Supporters of PROTECT IP refuse to heed this warning -- and, from what we've heard -- refuse to compromise and make sure that the basic functioning of DNS will be protected.

So now, totally as expected, we're already seeing alternative DNS systems showing up, advertising that they should be used to route around US government censorship of such websites. The one getting attention these days is called BlockAid.me.

What's just as stunning as the fact that supporters of PROTECT IP still can't figure out how this is really, really bad, is that they also don't realize how this pretty much destroys any argument the US makes around the globe in trying to protest political censorship. Some claim it's entirely different, but it's not. Both involve a government entity deciding that websites cannot be reached without a trial. This makes the US look ridiculous in the eyes of the world, but I guess as long as it makes sure that Universal and Warner Bros. can prop up their profits for a few more years... it's all good.

Filed Under: alternatives, censorship, dns, protect ip

Belgian Court Orders Blocking Of The Wrong PirateBay Domain

from the the-trials-and-tribulations-of-the-technologically-clueless dept

This is fairly amusing. In the wake of a (not very amusing) ruling in Belgium that ISPs had to implement a DNS blockade of various domains associated with The Pirate Bay, some have realized that the court order failed to actually list The Pirate Bay's main site: thepiratebay.org. Instead, if you look at the details of the order, it lists out www.thepiratebay.org and a variety of other domains, but which all use www at the begining. However, TPB doesn't use www:

So obviously in defiance of that, people testing their dns servers go to the domain www.thepiratebay.org, except, thepiratebay doesn't have the www domain turned on. At one point it redirected to the main page at the url thepiratebay.org, now it doesn't probably because of negligence from the admins. What's interesting is that the court only ordered the block of the www subdomains so if an isp wants to make a fuss they should be able to avoid the penalties until a later ruling.

Of course, further showing the pointlessness of all of this is that TPB already set up an alternate domain, similar to when its faced challenges like this in the past. None of it seems to do anything to slow down TPB (in fact, it seems to help advertise it). Either way, it's yet another reminder of what happens when you have technologically illiterate judges making these kinds of decisions.

Filed Under: belgium, blocking, dns, technical illiteracy
Companies: the pirate bay

Paul Vixie Explains How PROTECT IP Will Break The Internet

from the not-cool-folks dept

It's pretty difficult to question Paul Vixie's credibility when it comes to core internet infrastructure. Creator of a variety of key Unix and internet software, he's still most known for his work on BIND, "the most widely used DNS software on the internet." So you would think that when he and a few other core internet technologists spoke up about why PROTECT IP would break fundamental parts of the internet, people would pay attention. Tragically, PROTECT IP supporters, like the MPAA, appear to be totally clueless in arguing against Vixie. Their response is basically "it's fine to break the internet to evil rogue sites."

That, of course, is missing the point. It's not that anyone's worried about breaking the internet for those sites. It's that it will break fundamental parts of the internet for everyone else as well. And... it will do this in a way that won't make a dent in online infringement. Afterdawn sat down with Vixie who gave a clear and concise explanation of why PROTECT IP is a problem. The biggest issue is how it will impact DNSSEC, which adds encrypted signatures to DNS records to make sure that the IP address you're getting is authentic. You want that. Without that, there are significant security risks. But PROTECT IP ignores that.

Explained simply, for DNSSEC to work, it needs to be able to route around errors. But the way PROTECT IP is written, routing around errors will break the law:

Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.

And, of course, none of these DNS efforts will actually stop infringement. As the Afterdawn article notes: "Bypassing DNS filtering is trivially easy. All you need to do is configure your computer to use DNS servers outside the US which won't be affected by the law."

And while supporters of PROTECT IP insist that there's nothing to worry about because it only impacts those "foreign websites," that's misleading in the extreme. PROTECT IP will impact a ton of US-based technology companies. First, if we have a less secure internet, that's going to be a problem for obvious reasons. Additionally, the way the law works is that it puts a direct burden on US companies to figure out ways to block sites declared rogue (you know, like the Internet Archive and 50 Cent's personal website), or face liability. This will increase both compliance and legal costs.

In the last few months we've been hearing from more folks in the startup world who are really concerned about the excessive burdens PROTECT IP is going to put on them. If you're an entrepreneur who's worried about this, we'd like to hear about it. Please contact us.

Filed Under: break the internet, dns, dnssec, paul vixie, protect ip, unintended consequences