Kill Switch

The so-called PROTECT IP act, sequel to the much-criticized COICA, is under fire again as it enters the process of becoming law. We’ve talked about it on this blog before and no doubt the discussion will continue after it passes or is rejected, but it’s important at this critical moment that everyone concerned weigh in and make an unambiguous statement regarding the quality of this bill. So then: PROTECT IP is a lunatic proposal, penned by a dinosauric industry concerned solely with the preservation of its own profits. It will do nothing to curb piracy while at the same time eroding fundamental freedoms of the internet.

The only people who can possibly be in favor of this bill are either ignorant of its implications or stand to gain by its passage. This desperate power grab by a diminishing elite fails to even comprehend the problems it aims to solve, and its blunt force methods are wide open for abuse, and very possibly unconstitutional. Make no mistake about it: this is a kill switch, and if it’s passed, it will revisit us for years to come in ways we never suspected possible. If you think that’s an overstatement, think about it again next time you’re posing naked for the TSA, and ask yourself how that came about.

The full text of the Senate and House versions of the bill can be read here and here, respectively. Can it be fixed? No. The problems it attempts to address are simply not going to be solved by any approach suggested in this bill. Activist groups, law professors, entrepreneurs, CEOs, and many more have already spoken out.Contact your Senator and Representative and urge them to reject S.968.

Acknowledging the problem

No one opposes this bill (which I will refer to as S.968 because its other names leave a bad taste in the mouth) because they are in favor of piracy or copyright infringement. The problem is real — but that doesn’t mean that the fictions regarding its effects on sales and so on are as well. Trying to make sense of the various studies, separating the propaganda from the facts, and the fluff from the insight, is a big job. The consensus is that there is no consensus, and that’s probably consensus enough. After all, if piracy were having the kind of devastating effect on music sales or theater-going that the record and movie industries say it is, that would be very clearly reflected in the numbers.

Instead, we see healthy growth in some areas, cannibalized sales elsewhere, and yes, huge illegal download numbers. But to put these pieces together properly apparently requires more than all the RIAA’s horses and all the MPAA’s men have got. Instead, they choose the data that fits their hypothesis. But this is all known; it’s enough to say that the entertainment industries have poisoned the well with their antics, and nobody should take anything they say or propose seriously.

Again, their dishonesty and absurd lawsuits do not mean the problem doesn’t exist. Music, movies, TV shows, and games are available online in a dozen places the day they are released, and thousands upon thousands of people download them. If that’s not a problem, I don’t know what is. Of course, some would say that thousands of people consuming your product, at no cost to you or them, is one of those good problems. And then there’s the whole continuum of lost sales, outright theft, distribution, fair use, and so on to consider. It’s a complex issue to say the least.

Sometimes complex issues require simple solutions, as Alexander demonstrated. Simple, but not simplistic, which is what many would call S.968.

If it ain’t broke, break it

A straw-man problem requires a straw-man solution. And that’s exactly what S.968 proposes. The approach of the bill to combating piracy is laughably inappropriate, yet at the same time so vague in critical portions that it’s hard to believe it wasn’t done that way on purpose.

Briefly stated, the bill allows for the law to target services connected or tangential to infringing sites, which not only means any financial support in the form of advertisers or payment processors, but also the search engines that index the sites and the DNS registries that direct queries to the correct IP. They would all be required, within five days, to remove the site in question from their services, listings, and registries, or be in violation of the law.

First, this notion of creating a special United States DNS listing with blacklisted sites excised. The folly of this design can’t be overstated. I feel I can say with confidence that many a security expert and network technician must have laughed aloud at this proposal. The real world equivalent, if a shop was alleged to be selling stolen goods, would be to make them take their sign down. Workarounds for a DNS blockade would be plentiful and effective and need not be described here.

This measure has been described by its proponents as akin to door locks on cars — not foolproof, but we should still use them. There’s some sense to this, but of course the fundamental difference between material theft and “content theft,” i.e. making a copy, is ignored. The situation changes somewhat when it’s impossible to steal what’s in your “car.” If people were going around making perfect copies of the CDs, radios, and umbrellas in our cars, door locks wouldn’t really be necessary, would they? Admittedly, it’s a little disingenuous to mischaracterize their metaphor in this way (half the meaning is that we should take simple precautions if they are available), but it’s also disingenuous of them to mischaracterize the problem they say they are working against.

In addition to the fact that this alternate DNS registry would be completely inadequate for its stated purpose, it’s fundamentally a bad idea to fiddle with international standards. Domain name universality is one of the underpinnings of the web. When I type Facebook.com into my browser, it goes to Facebook because of a principle set down and agreed upon by the internet infrastructure worldwide. But not everyone is on the same system: there are, of course, some countries that already have a blocking or filtering system in place. Places like China and Iran.

First, they came for the cyberlockers

A blacklist for sites, whatever the intention, is simply an idea that has no place in a free society. This is inarguable. It is censorship, plain and simple, and it is exactly as audacious as banned book lists and other more recent forms of moral, political, and ideological bootheeling. It sounds inflammatory, but this bill is a wedge to be driven over time. Permitting this blacklist would be surrendering an important guarantee of the internet, and opening the door to worse. The slippery slope argument doesn’t always hold up, but with the parties involved, there is precedent in abundance for excess and abuse. And the law is not structured to prevent such abuse.

The first red flag is the casual contravention of internationally agreed-upon standards. Any site can be blocked, regardless of where it is registered or hosted, or where the content is stored. It falls short of imposing US copyright law on the rest of the world, but it demonstrates a troubling lack of respect for the international structure of the web. The world looks down on China and Saudi Arabia for their filtering of internet content to make it comply with their local laws and beliefs. Now they will look down on us.

Next, S.968 appears to ignore due process and the presumption of innocence. These are, you will agree, somewhat elementary civil rights. Yet under S.968, sites would be eligible for takedown without any involvement on their part, and their supporting services, like advertisers, hosts, and payment processors, would be required to take action as well or share liability. All it takes is for a copyright holder to fill out the paperwork, and they’ve had that process automated for years. It’s worth noting that DOJ-issued orders are required for search engines and domain registries to take action. Copyright holders may “only” affect payment processors and advertisers without a court order — so they’re limited to only crippling the site financially. But let’s be honest. The same people who will be researching and filing complaints pretty much wrote this law. Getting the DOJ to rubber-stamp an order is trivial.

And on the topic of liability, the burden has been shifted, or rather multiplied, to include service providers. Google, for example, has long existed within a “safe harbor” provision of the DMCA, providing as it does only an information-locating and caching service. But the new bill calls for service providers specifically to immediately comply with the blacklist — in five days or less. Considering it might be quite a while before a small site can even get on a court calendar or have their request reviewed, this puts service providers in an awkward situation: take the site down, or be in violation of the law until it works its way through the courts? Very few will choose the latter.

Even then, we can’t trust the courts to make the right decision. We’ve seen numerous examples of credulous judges being taken in by industry lawyers. Sony, for example, showed no compunction at all while it took one incompetent for a ride, extracting years of irrelevant and private payment and IP records for a website during a protracted jurisdictional hearing. There are bright spots here and there, but for the most part the entertainment industry has been pillaging with impunity.

The consequences of a takedown are also totally out of proportion with the cause. One infringing file or “portion” (e.g. a forum thread) could be used as the basis to take down an entire website (or at least have them take down their sign). This has happened plenty already: Google deleted several large and legitimate music blogs after complaints about a microscopic portion of the content. That’s a hell of a lever to have at your disposal, and the process for review is slow enough that it could easily be used as a perfectly legal kill switch for any site on the internet. Despite the claims that the bill is narrowly focused on piracy-centric sites, the definition, viz. “engaging in, enabling, or facilitating the reproduction, distribution, or public performance of copyrighted works, in complete or substantially complete form” is hopelessly open to interpretation. You could find a thousand videos on YouTube in an hour that facilitate the public performance of copyrighted works, and browbeat a judge with them tomorrow. And again, while it’s trivial to get past the DNS blacklist, the compulsory compliance of associated services could be harmful.

There is little or no allowance for a site to defend itself against accusations before action is taken, which means fraudulent or predatory takedowns and embargoes will be easy to make and very effective. And as many have pointed out, the most popular sites in the world today would probably be considered “notorious” if they were introduced today, but are exempt because they have had time to establish themselves as legitimate services. For small sites and startups, however, which have neither the immunity of established services nor the money or time to fend off a damaging takedown attempt, it could be fatal. There are penalties for anyone who “knowingly materially misrepresents,” but that seems a pretty high bar, and lawyers likely already have themselves a “safe harbor” of their own — reasonable suspicion, that sort of thing.

And it is not limited to any particular kind of site; after all, infringing content could be hiding anywhere. Or information that shows that a site is “facilitating” infringement, or “enabling” it. On evidence that could be easily cherry-picked or modified and in which many judges would be unable (or too busy, as they will be) to detect the flaws, any website could be hobbled. With a little organization and legwork, one could compel the owners, advertisers, hosts, and DNS registries to stop acknowledging any website, almost instantaneously. As internet services are disproportionately US-based, S.968 is a loaded gun pointed at the rest of the world.

There is a built-in provision for a yearly review. One would expect that after a year or two, the report would conclude that the act had done nothing to inhibit copyright infringement. That much would be given. But the response to this would be far more likely to spawn further, more draconian measures (such as more complete blockage at the IP level) than produce an admission of failure.

Reject S.968

S.968 will be completely ineffective at preventing copyright infringement or any other kind of undesired activity. Every measure it takes is trivial to circumvent, and will not deter the people doing the vast majority of illegal content distribution. It does, however, provide a set of tools that are not only easy to leverage for private or nefarious purposes, but also align the US with the human rights abuses of oppressive regimes.

The bill is transparently the work of an entertainment industry which, failing to raise itself to the standards of demand, wants to drag the law down to its level with more avenues for litigation and greater weapons at its disposal. That we are even entertaining the idea of government-ordered blacklists of certain websites is repugnant and un-American.

Everyone who cares about the freedoms provided by the internet is opposing S.968. And then there’s everyone else.