High Tech Forums Thoughts from the Technology Trenches

SOPA Hearing DNS Filtering Discussion

December 16th, 2011 by | 5 Comments »

The House Judiciary Hearing on the Stop Online Piracy Act (SOPA) held on Thursday, December 15 was certainly one of the longest hearings in recent memory, as well as one of the most detailed. A group of nine members of the committee offered some 60+ amendments to the latest version of the bill, the Manager’s Amendment published Monday night.

Thanks to the glory that is the Internet, you can view the hearing on-line and see the text of the amendments. Of particular interest is Rep. Goodlatte’s discussion of DNS filtering at  5:52:30 in the video. He reads from the blog post described below, quotes from an ITIF report on SOPA by Daniel Castro, PIPA/SOPA: Responding to Critics and Finding a Path Forward, and then reads from a blog post I put up on the Innovation Policy Blog Wednesday, DNS Filtering is an American Innovation.

My blog post simply shares the fact that the Internet’s most common DNS server implementation, BIND, already includes a filtering system (called Response Policy Zones or RPZ,) so compliance with the SOPA mandate to blacklist rogue sites is a simple matter for most ISPs today. It’s also the case that other leading DNS services such as Nominum (run by Paul Mockapetris, the man who invented DNS) and OpenDNS support domain-level blacklisting. It’s somewhat ironic that the RPZ feature was designed by Paul Vixie, one of the five DNS experts who signed a letter in opposition to SOPA (Mockapetris did not sign this letter, which is significant.) So Vixie is in the curious position of urging Congress not to mandate the use of a feature that he designed.

The argument over DNS filtering is becoming increasingly silly, with opponents of the bill maintaining that it criminalizes various measures that might be thought of as anti-circumvention measures despite the fact that the bill is very clear about what constitutes circumvention. The opponents’ argument is that any measure that has the effect of bypassing the DNS blacklist, even unintentionally, would come under fire.

Yet the text of the bill says the target is: “any entity that knowingly and willfully provides …a product or service designed or marketed …for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses] and taken in response to a court order…(page 21.)

These need to be willful measures designed or marketed for copyright circumvention, not technical oddities that have the magical and purely accidental effect of circumventing the blacklist, so there shouldn’t be much fear of a broad net catching the wrong fish here.

Wendy Seltzer, the Princeton activist law professor, has written a very intriguing blog post advancing the black-is-white argument; she says the section cited is “unclear.” I gave up the quest to understand law professors’ reasoning long ago because so much of it is based on particular court cases that define terms that mean one thing in common usage in a completely different way in the law. One thing I do know about this piece of legal code is that “knowingly and willfully” means the party in question can’t be just fooling around and causing unintended consequences: They need to know what they are doing and they need to be taking deliberate steps to bypass the filter, like the author of the MAFIAAFire redirector has done.

The DNS experts who oppose copyright enforcement have devised a peculiar scenario in which tools meant to carry DNSSEC through public firewalls in coffee shops and hotels will run afoul of the anti-circumvention provision. Their reasoning is quite distorted. These networks may need to use proxies to bypass their NAT firewalls, but these proxies don’t need to request DNS resolution from pirate DNS servers that bypass the blacklist. Not all bypassing is created equal, in other words. Bypassing a firewall to reach the Internet in a secure way is fine, but bypassing the blacklist is not fine. I think most judges can make that distinction, even if some law professors and software engineers can’t.

Seltzer raises a curious point about the blacklist circumvention tools being developed by the U. S. State Department to aid pro-democracy activists in other countries. As these tools are used to evade such things as China’s speech restrictions, I see no reason to believe they would come under attack by the U. S. Attorney General on copyright grounds. They aren’t designed and marketed to evade the U. S. copyright blacklist, and  would in most cases comply with it as far as I can tell.  This may be a problem for overseas activists who want to pirate Hollywood movies, but I don’t think that’s the relevant use case.

Seltzer points out that the activist tools may rely on darknets such as Tor and Psiphon. Once on the darknet, a U. S. user might use a pirate DNS to resolve the address of The Pirate Bay, so she fears a wholesale ban on darknets. I think this contrived use case misses the point of the SOPA blacklist, which is help consumers tell which sites are legitimate and which aren’t. Dedicated pirates determined to get to The Pirate Bay don’t need to use darknets to find TPB’s IP address; they’ve probably got it bookmarked.

The DNS programmers raise a similar specter with respect to applications responding to DNS resolution failures as a result of filtering. Once again, there’s no problem with trying multiple servers when an address resolution fails; that’s what happens today. SOPA only has a problem with DNS implementations that are hard-wired to use databases that are designed and marketed to bypass the AG’s blacklist. The DNS code may not be able to tell the difference between a DNS failure in China and one in the U. S., but  the DNS user can certainly can tell the difference between an activist DNS and a pirate DNS.

You don’t get to use either one unless you set up your operating system to do so, and whether you do or whether you don’t, SOPA doesn’t have a problem. You can’t be prosecuted under SOPA for selling circumvention to yourself.

UPDATE: Stewart Baker echoes Seltzer’s fanciful interpretation of anti-circumvention on The Volokh Conspiracy, a libertarian law blog. His argument, like Seltzer’s, depends on the reader accepting one particularly peculiar notion:

So the browsers get no information about www.piracy.com from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address.

Sorry, but browsers aren’t going to go “casting about” to random DNS servers for certified responses, they’re only going to ask trusted ones.

In the comments, a reader explains how to do secure blocking with DNSSEC:

This seems to me an easy problem to solve technically. The Attorney General’s office would simply get a credential as a Certification Authority, and would order all US DNS servers to publish its own signed DNSSEC record which says that piracy.com is a server the Justice Dept. controls. As a side benefit (from their point of view), anyone who attempts to visit piracy.com and reaches the Justice Department’s server will leave log records of his visit that can be traced to the originating computer.

Of course, much like common efforts to entrap dope dealers, this effort will entrap only the most naive Internet users. Serious users will access piracy.com proxy servers located outside the US, or will simply go to its IP address rather than the domain name. But there are a lot more technically naive people than programmers out there.

Yup. What we have in the engineers’ letter on SOPA and DNSSEC is a bunch of people who don’t like what the bill does – censor the Internet – making up far-fetched reasons why it shouldn’t be passed. It’s politics, in other words, not technology.

ShareThis

Reader Comments

  1. “So Vixie is in the curious position of urging Congress not to mandate the use of a feature that he designed.”

    It’s also curious that Vixie signed a letter saying that DNS Filtering would break the Internet by breaking Internet Cybersecurity, but he readily admits that it wouldn’t break the Internet or security.

    Vixie also told reporters that bills like Protect IP makes software implementation of DNS backup mechanisms illegal, which is false because nowhere in the bill’s text does it say that. The new amendments to SOPA even makes it explicit that the bill should not be construed to inhibit cybersecurity in any way.

    Now Vixie has signed another letter saying that they oppose the SOPA bill for non-engineering reasons, but he is putting his name behind letters that oppose the bill on false engineering claims which he admits are false.

  2. You say:

    “Yet the text of the bill says the target is: “any entity that knowingly and willfully provides …a product or service designed or marketed …for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses] and taken in response to a court order…(page 21.)

    These need to be willful measures designed or marketed for copyright circumvention”…

    In two lines, you directly contradict your own quote!!

    “for circumvention” does not mean “for copyright circumvention” – it means for circumventing the technology used.

    And it does not require that the entity providing the product or service, be the entity marketing (regardless of the purposes its use is described as being, in the marketing).

    In other words, if I write software to enable someone in China to access blocked domains (e.g. a US immigration web site), and that software is marketed by YOU as being meant for piracy, it doesn’t matter what my intentions were – I’m guilty by (non-)association. I may have nothing to do with you, and want nothing to do with you, but you can put me in jeopardy solely because of your independent activities.

    The authors of DNS software are very concerned because of this clause.

    If this bill passes, then a very real threat will exist towards those who don’t agree with the bill’s authors (the MPAA and RIAA). At that point, the MPAA and RIAA, unilaterally, can declare war against anyone they don’t like, if those folks have ever written any piece of software.

    Perhaps you think they’re really nice organizations, just misunderstood or have gotten some bad press? These are the folks who sue people based only on IP addresses, knowingly employing slimy private detectives and third-rate technology goons who won’t or can’t figure out whether the person being sued ever actually downloaded a file, ever? Maybe they’ve changed, magically, and promise to behave themselves now?

    The risk is that all that is required is a claim. It doesn’t have to be proven for the clauses to take effect. The MPAA and RIAA go from being the Copyright Police, to being the Copyright Gestapo.

    And THAT is why this is a much bigger First Amendment issue than merely the issue of blocking sites which provide knock-off movies, music, and software.

    • You’re misreading the clear intent of the bill. The measures described in para 2 pertain to a domain name blacklist used to filter responses, so the only thing that would circumvent these measures would be a tool that’s directly related by design or marketing to the blacklist itself.