Drafters of House and Senate bills aimed at protecting intellectual property have overlooked the unintended consequences of the proposed legislation, the Brookings Institution's Allan Friedman says.
The Senate's Protect IP Act, S 968, and the House's Stop Online Piracy Act, HR 3261, allow the federal government to order Internet service providers to use the Domain Name System's DNS resolvers - the technology responsible for translating a domain name into an IP address - to inform users that a website deemed to infringe intellectual property does not exist. The problem with such a policy is that people will easily figure out ways to circumvent DNS blocking, Friedman says.
"I'm not against laws that are trying to govern behavior if we have a good discussion about what the behavior we're trying to evaluate is," Friedman says in an interview with Information Security Media Group's Eric Chabrow (transcript below).
"The challenge is every time you have any law, you want to think about what are the unintended consequences," he says. "Clearly, the drafters of the House and Senate version either didn't care or didn't know enough to think about the unintended consequences."
Based on history, crackdowns on certain styles of illegal infringement will force people to find other solutions. While proposing such legislation, lawmakers need to seriously consider how they're trying to change behavior to make sure that people aren't going to do something that renders the law less effective, Friedman says, "because you're not going to get rid of infringement if it's easy to evade these controls. But more importantly, in addition to not achieving your stated gains, you're actually making things worse off."
In the interview, Friedman identifies flaws with the legislation:
- Adding complexity that would make the goals of stability and security more difficult.
- Exposing many American Internet users, their computers and employers to known risks.
- Setting back other efforts to secure cyberspace, domestically and internationally.
As a fellow in governance studies at Brookings, Friedman wrote a policy briefing - Cybersecurity in the Balance: Weighing the Risks of the Protect IP Act and the Stop Online Piracy Act - on how IP protection laws could endanger cyberspace security.
Friedman also serves as research director at Brookings' Center for Technology Innovation. His work spans the social sciences, public policy and computer science, and has addressed issues ranging from electronic medical records to telecommunications policy.
Before joining Brookings, Friedman was a fellow at the Center for Research on Computation and Society in the Harvard Computer Science department, where he worked on cybersecurity policy, privacy-enhancing technologies and the economics of information security. Friedman also was a fellow at the Belfer Center for Science and International Affairs, where he worked on the Minerva Project for Cyber International Relations.
Friedman holds a Ph.D. in public policy from Harvard. He earned his bachelor's degree in computer science from Swarthmore College.
Bills Threaten Internet
ERIC CHABROW: You write that these bills are the first legislation that pits our cybersecurity priorities against entrenched economic interest, highlighting a very real social choice. How so? What are the objectives of these two bills and how could they weaken cybersecurity?
ALLAN FRIEDMAN: The bills are devoted to trying to stop online websites from facilitating intellectual property theft with the primary focus on websites that are outside of the American jurisdiction. We currently have a number of laws on the books that allow content holders to go to websites and say, "Listen, that content is illegal. You're using it illegally. We own the rights to it; you can't do that." The Digital Millennium Copyright Act was passed. More recently a bill was passed that empowered the United States government to seize domains if they were devoted to infringement. But this law really expands the set of powers that the government can use to go after online infringement. The challenge is the means by which it does that. Not only do they affect online free-expression and potentially pose a threat to future innovation, but they really represent a threat to efforts to secure cyberspace.
First, there's the question of tinkering with the underlying mechanics of the Internet. One of the powers mentioned in both bills is a requirement that once a website is deemed to be infringing, the government can issue an order and every service provider in America - from the largest multi-state ISPs to any service provider for a medium-size company - has to change their DNS resolvers to block these websites. So you have infringing website.ru. The way computers usually talk is, as you type in the domain name, the computer talks to a DNS resolver, which translates it back into an IP address that allows two computers to talk. The law requires that these DNS resolvers lie and say there is no website. This in general isn't a great idea. It makes things less stable and in particular it interferes with the technology known as DNSSEC, an attempt to secure the domain name system which doesn't have built-in security. This secure overlay is something that the United States has made a priority for almost the past ten years, and this will make it a little difficult. It won't make it impossible because, after all, it breaks DNSSEC for websites that the government has already deemed illegal, but it will make it a little difficult.
The real problem comes in the way people will evade this type of DNS blocking. The bill is not focused on getting these websites off the Internet. It's focused on making sure that Americans can't access them. However, it's very, very easy to get around DNS blocks. All you have to do is use a DNS resolver that's not in the jurisdiction of the bill. It's outside of America. It's trivial right now for anyone who knows just a little bit about computers to go online and say, "Give me an open-domain resolver." They will be circulating around the Internet. You just go into your computer setting's website and type out, enter a number for DNS server and now your computer can talk to any computer on the Internet without going through the American law.
However, this also means that you have to trust that foreign domain resolver, and chances are many of these are not going to be trustworthy. We've already seen this as an increasingly common attack for cyber criminals. They try to change innocent users' domain name resolvers or DNS servers that they're pointing to, and now America is saying, by law, we're going to create very strong incentives for people to go in and do voluntarily what the criminals are trying to do by tricking us or through malware.
Governing Internet Behavior
CHABROW: I find what you just said interesting, that legislation is trying to change the behavior of Internet users. As you said, if the government takes away and blocks access to a certain server, people can figure out ways around that. How should laws be used to govern individual behavior on the Internet? What's appropriate? What's not appropriate?
FRIEDMAN: I'm not against laws that are trying to govern behavior if we have a good discussion about what the behavior we're trying to evaluate is. We weigh the pros and cons. For example, laws devoted to protecting privacy seem like a good idea. Laws that encourage good cybersecurity behavior or make cyber crime harder - these are good things we can try to do. The challenge is every time you have any law really, you want to think about what are the unintended consequences, and clearly the drafters of both the House and Senate version either didn't care or didn't know enough to think about the unintended consequences. We know from history that as soon as you try to change or crack down on a certain style of illegal infringement, people will find another way to do it. Now this doesn't mean that you shouldn't try to stop any infringement. It just means that you need to seriously consider how you're trying to change behavior to make sure that people aren't going to do something that renders the law less effective, because you're not going to get rid of infringement if it's easy to evade these controls, but more importantly, in addition to not achieving your stated gains, you're actually making things worse off.
CHABROW: In these particular bills, should this provision just be eliminated or is there an alternative approach?
FRIEDMAN: I think it has to be eliminated. I don't think the United States should be in the business of directly saying at a national level what users can and cannot access by interfering with the technology itself. That said, when we're dealing with truly egregious content - child pornography - then we may want to step in and think through things a little bit. That is a much, much smaller market and there's much greater international consensus that this is truly something that's worth interfering with the Internet to prevent.
However, by interfering with the way that DNS works for all Americans, we're actually making DNS harder to use strategically or any technology strategically in achieving our other goals as a country. For example, the House version says not only must Internet service providers create this DNS-based censorship, but it criminalizes attempts to evade DNS-based censorship. Now this is problematic because the United States has been a big proponent of technology that enables circumvention of DNS-based censorship because we strongly believe that people should be allowed to access political websites around the world and there are a number of governments that build this type of censorship into their network, targeting political speech. And the United States has paid for and promoted tools that allow censorship evasion, censorship circumvention. It's going to be much harder to pursue that agenda if countries can point to us and say, "Listen, we think this behavior is fine and you're censoring," and they will try to create the case of moral equivalency.
CHABROW: Without this provision, do you think there are other elements in the legislation that are sufficient to protect intellectual property?
FRIEDMAN: The bill certainly isn't toothless and it depends on the challenge of what is the ultimate goal of the bill. Perfect enforcement of intellectual property is impossible and it's not clear to me why anyone would want perfect enforcement of intellectual property. The goal of an intellectual-property regime is to promote the creation of new ideas and to make sure we can have a knowledge-based economy, where people are rewarded for these ideas. How do you have capitalism based on information? You use intellectual property. However, that doesn't say that we need to have perfect enforcement, because perfect enforcement comes with a whole bunch of other adverse consequences. For example, there are provisions - particularly in the House bill - that allow private parties to bring notice not only against websites that are hosting infringing content - that's been American law since 1998 - but they allow private parties to go after the financial resources of websites. These are the ad agencies; this is the payment network such as Visa and MasterCard that make it very, very difficult for anyone to promote a website that's "dedicated" to the theft of U.S. property. However, in the bill - the House version - it defines "dedicated" as enables or facilitates. Now, at least for me, there's a big difference between something that's "dedicated" to intellectual property infringement, which I think many of us can say, "No that's illegal," versus something that enables or facilitates it, because those of us who know how computers work know that almost any information platform can enable or facilitate just about any piece of information processing.
For me, at least as I read the bill, this would make the next YouTube illegal; it would make the next Facebook illegal; and certainly if it doesn't make them illegal it puts enough legal blocks in front of them that it's clear that venture capitalists would never come along and fund the next Web 2.0 site that's built on allowing people to share information.
America's & Internet Governance
CHABROW: One of the things that struck me in reading your brief was how the enactment of these bills could alter America's leadership on Internet governance.
FRIEDMAN: This is an important component where if the United States is saying securing the Internet both at the technical level and at the policy level is incredibly important, but at the same time we're willing to promote policies that expose large portions of our population to new insecurity models and we're also trying to say Internet protocols are very, very important, we all need to understand how they work so that they can be more secure. While at the same time, interfering with them inside our country takes away our ability or leadership, even if you disagree with the idea that it actually makes America less secure. Certainly, it can create the perception that this is not an American priority and that can undermine our leadership and in turn allow other countries to come along and say, "The United States isn't taking this seriously enough. Allow us to lead the charge." This can lead to actions that might make us less secure as well as harming other aspects of our agenda, such as the Internet-treaty agenda that's been promoted by the Department of State.
Other Bills Threatening Online Security
CHABROW: Are there other potential bills or government acts pitting one priority against the other that could threaten our online security?
FRIEDMAN: From a cybersecurity perspective, we're just beginning to see legislation. And the challenge with thinking about cybersecurity is, anytime you want to address risk that's been there all along but now you want to address it, there are going to be things that used to be cheap and now are a little more expensive. Someone is going to have to pay. What makes this bill a harbinger of what's to come is if we can't give any trade-off between a narrow industry's priorities and a nation's priority to determine that cybersecurity should be at the top of the list, how could we go to the energy sector and say, "You need to spend a lot of money on protecting the critical infrastructure. You need to turn off all of the tools that allow you to do things efficiently but insecurely." How can we go to the other aspects of critical infrastructure and demand that they make changes that would secure our country, but that would cost money? If we can't do this ... as a no-brainer, saying the status quo is not terrible, streaming websites are bad, but I don't believe that they're costing Americans jobs, and the challenge is if we're unwilling to do this in this instance, how can we expect other industries to not push back and say, "No, we're not going to do this unless the government pays for it."
One of the things that we've seen as people talk about understanding market forces in securing the cyber infrastructure is this idea of we have carrots or we have sticks, and ultimately both of those are expensive. A carrot can be a stick that someone is paying for and vice versa, so if we don't expect the government to pay for everything given the current budget crisis ... then the challenge is going to be how do we avoid a precedent where every single piece of the critical infrastructure in cyber space we're expecting the U.S. government to pay for rather than the people who built the infrastructure and maintain the infrastructure? It will no longer be a public-private partnership; now it will just be a public effort.