Potential side effects of SOPA.

23 December 2011

Note: Updated January 4 2012 in response to a comment by Jamie Zawinski, proprietor of the DNA Lounge.

I haven't been writing about SOPA (the Stop Online Piracy Act) or PIPA (the PROTECT IP Act) because, frankly, I've been too busy trying to fight them. To keep abreast of them, following the #SOPA hashtag on Twitter is really the best way to go about it, because things are changing so rapidly. Between the people watching the live stream of the markup hearings and people who are actually attending the hearings and livetweeting (I'm looking at you, @EFFlive), things are changing too rapidly to do much more than write about point-in-time snapshots. Suffice it to say that when Congress dismisses the words of the people who built the Internet with contempt and ignorance, something's dangerously wrong.

These two bills pose a serious threat to the Internet as we know it. If you haven't been paying attention, the Net has done something heretofore unprecedented in Human history, which is give everyone who can get access to it a voice. Books can be burned, getting on television is too expensive, and gathering in the town square can get you picked off by a sniper but the Internet makes it possible to exchange ideas, evolve new ones, and share media and culture with minimal effort and maximum potential of propagation. That is what has some people frightened; hidden in the guise of stopping software piracy and the sale of counterfeit goods are provisions that would make it possible for nearly any online resource to be taken down with a single complaint, legitimate or not.

This year something frightening started happening: US ICE (Immigration and Customs Enforcement) began seizing domains that they claimed participated in the piracy of media. The way they did this is by strong-arming domain registrars into re-assigning ownership of the domains in question to US ICE, and then changing the DNSes considered 'canonical' for those domains to ones run by ICE. Whenever you plug one of those seized domains into your browser, you actually get a website run by ICE with the now-infamous This domain has been seized banner. Now, this next bit may come as a shock to the "Then they were obviously doing something illegal!" crowd: You don't have to be involved in piracy to get your domain shut down. Websites can and have been shut down "just because" and there is no legal recourse to get your domain name (and visibility, and search engine rankings) back. You pretty much have to register a new domain and go through all the trouble of making its presence known again.

For a clearer picture of how DNS resolution works, I recommend that you check out this article. I could recapitulate all of it, but that would put this article way off into the weeds and they did a better job than I could anyway.

Lest you think that it's only small fry who don't amount to anything whining, some rather famous stars recently explicitly endorsed file sharing and media lockers in a song they collaborated on because those sites have actually been helpful to their careers. Media conglomerate Universal freaked out and got the song censored even though they don't own the rights to the video or the song, an implicit "shut the hell up if you know what's good for you" to Kanye West, Will.i.am (transhumanist Illuminati fistbump), Mary J. Blige, and others. It is also known that there are organizations that are working to oppose independent media by trying to brand independent-friendly licenses and distribution media as indistinguishable from piracy, and even going so far as to demand that royalty fees be paid for work they don't own, works that are explicitly free to play, share, use, and remix.

But why are SOPA and PIPA x-threats in all but name to the Internet?
The problem with SOPA is that the bill, if passed into law, would make it trivial for anyone to get any content taken down by simply e-mailing the hosting provider, stating that it infringes upon someone's copyright, and demanding that it be taken down. SOPA as written does not state a minimum amount of "infringing content" that a site must host before it can be applied. It was mentioned a few times during the markup hearings a few days ago that the bill should be amended such that only the media in question would be taken down and not the domain (note: The DMCA already requires this, and it's been effective), but every time it was proposed it was voted down. SOPA would require that search engines remove from their databases all links to sites that are branded "rogue" which would effectively make them unfindable. SOPA would require that everybody who runs their own DNS filter out requests to resolve so-called "rogue domains", meaning that anyone working inside of the existing domain naming system would either have to fall back on plugging IP addresses into their browser or simply go without access to those sites.

What makes this so dangerous is that anyone who uses a site - be it a member of a forum, a blogger, or someone leaving a comment on a post - could post a link to some piece of content, usually owned by somebody else (which is actually legal, it's called Fair Use and comes from 17 USC 107), and that link (or that picture or video) could then be used to have that site effectively removed from the Internet. Gone. Kaput. Even if one of your users was using an icon of a cartoon character in their posts, that could be declared copyright infringement. One of the potential consequences of that is that people considering starting new businesses or setting up new sites might decide against it because it could be taken down too readily and possibly be too expensive to sustain due to court costs and legal fees.

The example that I gave on Twitter a few days ago was this: Since it re-opened a decade ago a popular nightclub named the DNA Lounge in San Francisco has made a policy of webcasting all of its concerts and theme nights and putting them online for two weeks, in accord with the appropriate laws (please see Jamie Zawinski's comment at the bottom of this post). Recently, archive.org uploaded the whole collection of recordings to their website for the whole Internet to download and listen to after they'd been rotated out from the Lounge's website. Now, as a nightclub the DNA Lounge pays royalties to the people and companies that own the rights to the music played there (where applicable). This is all well and good, and as it should be. archive.org isn't making any money off of those recordings, they're just putting them online for people to listen to. However, it would be very easy for anyone at any of the record labels (or just claiming to work for one of them) to get the entirety of archive.org removed from the Net because they have recordings of concerts at the DNA Lounge available (even though they've already been paid for their performance) if SOPA were passed into law. If some random guy can go on a takedown binge without SOPA, what do you think a company worth millions of US dollars could do with a couple of e-mails with SOPA? Not good things, that's for sure.

Also - and this is the bit that really got my dander up - there is a provision in SOPA that makes it possible to file an injunction against any group or person who makes available technologies that could be used to circumvent SOPA-related censorship and get those technologies shut down or removed. It bears repeating that those same technologies, everything from Tor to OpenVPN to simple proxy servers are used by activists around the world to communicate, organize, and get the word out about things happening that the powers that be would much rather we not know about. If censorship circumvention technologies began to vanish because SOPA was used to remove them from the Net, the repercussions would certainly be felt around the world, from Syria to Iran and China. I also hasten to point out that SOPA could be abused (as such broadly written laws tend to be) to get video footage shot at protests taken down with fraudulent claims in acts of political censorship. So, not only could, say, someone acting as a representative of the Syrian government get a video of a crowd being mowed down by machine gun fire removed from Youtube, but they could also threaten the existence of Youtube under SOPA by claiming copyright of the video (remember, under SOPA you don't actually have to prove that you own the rights to something, just say that you do). Either way, that footage vanishes like smoke before a hair dryer.

Incidentally, we're already seeing things like this happen. Word's been going around the #OpSyria community for months that there are pro-Syrian government users on Facebook who are hammering the "Report/Mark as spam" button on every post that shows photographs or video from protests or Mukhabarat raids. When enough people hit that X-button, the post vanishes from sight, and so does the evidence. We've also seen police departments in the United States try to have footage of brutality removed from Youtube (this happened during one of the early #occupyOakland raids). Thus far, the attempts by the police departments to have the footage taken down have all been failures but SOPA would pretty much assure that the evidence could conveniently vanish.

So, what can any of us do? It seems like the answer is "not much." SOPA and PIPA are sponsored by some of the biggest, most powerful corporate entities in the United States - here's a list of them and here is a call to arms on behalf of the Internet. Literally millions of dollars have been spent by private interests getting SOPA and PIPA to the House of Representatives, and their war chests may as well be limitless. I hate to say it but I think that SOPA will be passed solely because big corporations want it passed the same way you or I want oxygen. The members of the House Judiciary Committee are not just bragging that they know nothing about the Internet, they're wallowing in it just because they can so going to them is a lost cause. It would behoove us now to be able to work around it as soon as it becomes problematic because that pesky "no circumvention measures" bit would probably be used against all of the most visible projects within a short period of time. The nail that sticks up gets hammered down, and all that.

The kicker is that SOPA involves censoring the Domain Name System. Without DNS we're back to typing IP addresses into our browsers each and every time, but that's not a reliable fix due to virtual web hosting, which today is the rule and not the exception thanks to inexpensive web hosting. There are a couple of web browser plugins out there that will make it easier, namely, the just-released DeSOPA (now up to v1.2) and MAFIAAfire Redirector, both for Firefox. They're available now and very functional so it's probably a good idea to get hold of them. It's pretty easy to set up your own DNS and configure your machines to use it preferentially, but the problem with doing so is that this normally relies upon the existing DNS infrastructure, which for all practical intents and purposes is US controlled and would be censored at the top levels, so just running your own DNS would be no help. What would have to be done is your personal (or activist-run) DNS would have to be configured to use an alternative DNS root system, of which there are many but of questionable utility. To really be a feasible alternative the alternative DNS root would have to encompass not only the Net as it would stand post-SOPA but would also have to be authoritative for censored domains. It would be tricky and I'm not sure how feasible it would be because alternative DNSes never really caught on.

Going a little more toward the esoteric side there is the Namecoin project, which is basically a hack of Bitcoin which would let the user register whatever domain they wanted in the .bit crypto-TLD after generating a little crypto-currency called Namecoins; after registration you could associate whatever IP addresses you liked with your .bit domain name. The problem with Namecoin is that it really is a hack on top of Bitcoin and appears to be of questionable reliability. I experimented with it earlier this year and nearly wiped out my Bitcoin wallet because it acted just like Bitcoin under the hood, so you have to be really careful with it. Also, once the GPU miners get into the game it won't be possible to easily get hold of namecoins in very short order and we'll be back to the system of "pay money for your domain or you're out of luck," plus you'll have all of the difficulties of converting cash-money or credit into namecoins that most people run into (it's so much easier if you don't care about being on the up-and-up). That really seems to skew namecoins away from the direction of people trying to exercise their rights to speak freely, which I have an ethical problem with. On the other hand, the last time I tried to use Namecoin was in May of 2011, so things may have changed and my criticisms may be invalid. I don't mind being proven wrong in this regard.

There is an online service and Firefox add-on called SocialDNS that I've been using for a while to register a custom domain and explore some of the sites out there, but I have some major reservations about the service. Namely, their Firefox add-on doesn't work on newer releases of Firefox (as in, later than v3.x) so it may as well be useless. I don't know anything about Firefox add-on development or I'd pick it up. A little bit lower on the OSI stack, when I was hanging out on the /r/darknetplan IRC server I was told about a distributed implementation of DNS that uses a distributed hash table (à la BitTorrent) instead of a hierarchy with a subvertible root. I immediately downloaded a copy of the software (called cjdns) from Github and began playing with it. Lo and behold, it seems to do exactly what it says on the tin, which is implement a DNS that is fully compatible with existing tools and applications. My initial tests of a checkout of the code from Thanksgiving of 2011 were not only speedy but fairly reliable.

I think it'll take a little time to figure out how to use cjdns effectively because if you configure a machine to use an instance of it for DNS resolution you'll have to stop using the existing DNS infrastructure for the moment, and that'll effectively cut you off from the normal workaday Internet. Not everybody's okay with that. What I don't like is that Caleb DeLisle also wants to add functionality to cjdns that'll let it act like its own Tor-like darknet. I have a problem with that because that violates the UNIX principle of "one tool that does one thing really well"; additional complexity means more potential vulnerabilities that can be exploited. Also, there are already other tools out there that implement such capabilities, are more mature, and do their job quite well. Everyone reinventing the wheel will result in lots of partially finished wheels and no results. But, if there's a way to opt out of the darknet functionality then I will probably be doing so. Also, there does not yet seem to be a way to associate one of the FQDNs generated by cjdns (which look like this: 01901520f60cf0d7ed23521288cf5bf640bb7608.dht) with a domain name of your choosing (such as drwho.virtual-adepts.dht) so that users don't have to cut-and-paste (or worse, retype character by character) the hashes generated by cjdns for internal use.

As for getting around search engine censorship there are a couple of options, none of which are perfect. People can use search engines outside of direct US control but, and let's face it, they're not the ones we use regularly (Google, Bing, sometimes Cuil, and occasionally Yahoo). Compared to Google a lot of them just don't stack up, plus they may not be USian friendly. Also, if the domains of any of those search engines are registered through a US company, they're subject to the mandatory search engine listing censorship provisions of SOPA. There are some special purpose search engines out there that are pretty good but the problem is that they're good only in their particular fields (like ISOhunt, Technorati, LexisNexis, and Dice). There are a number of F/OSS search engine projects out there, like ht://dig (which is... okay.. but not in my top three (also, it hasn't had a major release since 2004)), Lucene and YaCy, but they too have their pros and cons. YaCy is a fully distributed peer-to-peer search engine written in Java that runs on Windows, /*nix/i, and Mac OSX. It is fully decentralized, designed with privacy in mind (it logs neither queries nor IP addresses), and censorship resistant. The idea is that YaCy acts as a web proxy, a search engine client, and a search engine back end, and indexes web content while you read it. Any YaCy node can be asked by other YaCy nodes to spider and index arbitrary web pages to further add to the index. If you configure it to, it'll proxy what you browse and search for on the web (within reason - YaCy is designed to protect the privacy of its users and will even detect and ignore pages you have to log into, such as webmail sites), index content, and distribute the indexed information among all of the other YaCy nodes out there so it can be automatically evaluated, optimized, and collated.
I can't recommend that people install and play with this software highly enough - it's got a lot of potential and could become very important in the near future. A potential downside is that, because it's peer-to-peer software, if you run it on your laptop at work it might get you into trouble because a lot of organizations specifically forbid peer-to-peer software of any kind on their networks. I wonder if YaCy has an "update your local index but upload it later" function...

I've done some experimenting with Seeks and it's okay. Seeks is an open-source meta-search engine based upon, you guessed it, peer-to-peer networking. Conversely, searches run through Seeks are handled by other Seeks clients by searching for similar queries already run against other search engines and aggregating them to evaluate and return better results. It's very difficult to censor because there is no central authority. On the other hand, it depends on people installing and running the Seeks software and letting it monitor what you do (which anybody with a lick of concern about privacy should rightly feel concerned about), so there is also the possibility of self-censorship adversely affecting how the search index evolves. Also, Seeks isn't actually a search engine in itself, at least not directly. While content can be entered directly into Seeks it still relies (at least for the first queries of any sort) on other search engines, and if other search engines are censored then chances are your Seeks searches will be somewhat censored as well.

So that's about where things stand. Prepare for the worst, hope for the best, and don't let up until SOPA and PIPA are dead and buried, or the House of Representatives finalizes the terms of lobotomy of the Internet. We may not succeed, but if we do nothing we will surely fail. And so, off to work.