While most of the people likely to read this blog will have some familiarity with that avalanche of acronyms, here's a quick explanation for anyone who doesn't:
- DNSSEC (Domain Name System Security Extensions) is an initiative intended to enhance the security of DNS, the hierarchical naming system that translates the human-friendly domain names people use into the numeric addresses computers understand. DNS was created in a more innocent age, when the current scale and diversity of internet usage, and its inevitable misuse by criminals and worse, were not generally anticipated. Part of the rationale behind DNSSEC is to retrofit security to the system so as to mitigate (perhaps eliminate is too much to hope for) the problems caused by redirection of user traffic to malicious and fraudulent web sites: a validating resolver can check that an answer was signed by the zone that owns the name, rather than taking it on trust.
- SOPA, known to its friends as HR 3261 or the Stop Online Piracy Act, and PIPA, otherwise known as S.968 or the PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property), are obviously aimed at preventing piracy and breaches of intellectual property. And, given the number of times my own work has been plundered, I've no issues with that aim.
However, a great many people and organizations have expressed serious concerns about the current forms of SOPA and PIPA, suggesting that not only will they be ineffective in their own right, but they will also reduce or obviate the effectiveness of other attempts to make the internet safer.
"Father of the Internet" Vint Cerf told Politico Pro that:
The bills themselves won’t solve the problem, but they visit upon a lot of third parties what appear to be a variety of liabilities that are very hard to cope with.
Back in May 2011, security heavyweights like David Dagon, Dan Kaminsky, and Paul Vixie pointed out in a paper called Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill that:
The site redirection envisioned in Section 3(d)(II)(A)(ii) is inconsistent with security extensions to the DNS that are known as DNSSEC. The U.S. Government and private industry have identified DNSSEC as a key part of a wider cyber security strategy, and many private, military, and governmental networks have invested in DNSSEC technologies.
(Of course, there's a lot more to the paper than that, and I recommend that you read the whole thing.)
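To make the incompatibility Dagon, Kaminsky and Vixie describe concrete, here is an added example (not from their paper, nor ESET's code) that models in Go how a DNSSEC-validating resolver treats an answer whose address has been substituted downstream. The record format, key handling and addresses are deliberately simplified, constructed stand-ins for real RRSIG/DNSKEY records, not RFC 4034 wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// rrset is a simplified model of a DNS A record (owner name plus address);
// illustrative only, not RFC 4034 canonical wire format.
type rrset struct{ Name, Addr string }

// canonical is the byte string the zone signs and the resolver verifies.
func (r rrset) canonical() []byte { return []byte(r.Name + " IN A " + r.Addr) }

// signRRset plays the zone operator producing an RRSIG over the record.
func signRRset(priv ed25519.PrivateKey, r rrset) []byte {
	return ed25519.Sign(priv, r.canonical())
}

// validate plays a DNSSEC-validating resolver: the answer is accepted only
// if the RRSIG verifies under the zone's published DNSKEY.
func validate(pub ed25519.PublicKey, r rrset, sig []byte) bool {
	return ed25519.Verify(pub, r.canonical(), sig)
}

// filterRedirect models the filtering the bills envisage: an intermediate
// resolver keeps the zone's RRSIG but substitutes the address it was ordered to.
func filterRedirect(r rrset, redirectIP string) rrset {
	return rrset{Name: r.Name, Addr: redirectIP}
}

// demo returns whether the authentic and the redirected answers validate.
func demo() (authenticOK, redirectedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data using documentation address ranges.
	authentic := rrset{Name: "www.example.com.", Addr: "192.0.2.10"}
	sig := signRRset(priv, authentic)
	redirected := filterRedirect(authentic, "198.51.100.1")
	return validate(pub, authentic, sig), validate(pub, redirected, sig)
}

func main() {
	ok, redirOK := demo()
	fmt.Printf("authentic validates: %v, redirected validates: %v\n", ok, redirOK)
}
```

The redirected answer fails validation because the signature covers the address the zone actually published, so a DNSSEC-aware client sees the court-ordered substitution as indistinguishable from a forged response and discards it.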
My colleague at ESET, Stephen Cobb, compared the proposed DNS filtering to the actions of the DNSChanger malware and asserted that:
These bills would require DNS server operators in the US to replace the correct IP address for a website with an alternate address provided by the Attorney General's office, if the website was "infringing"... While the FBI and other law enforcement are working hard to stop the bad guys making millions by infecting our computers and subverting DNS it seems unwise to give private companies the ability to go ahead and change DNS armed only with court orders.
ESET CEO Andrew Lee went further and published an open letter to Congress in which he stated that:
...these bills will be devastating to the Internet and America's leadership in the global digital economy. They will undermine plans to make the Internet more secure and needlessly complicate the fight against cybercrime.
Google Chairman Eric Schmidt has described the measures as draconian and recommended an alternative strategy based on "tracing payments spent at websites offering illegal materials." However, the concerns go far beyond Google.
A letter to prominent members of the Committee on the Judiciary expresses concern that the bills pose a risk to innovation, job creation, and cyber-security, and notes that they would undermine the "safe harbour" provisions of the Digital Millennium Copyright Act. The signatories are AOL, eBay, Facebook, Google, LinkedIn, Mozilla, Twitter, Yahoo! and Zynga. Most of these have a very clear interest in sharing, whereas many of the lobbyists behind SOPA and PIPA have an equally clear interest in controlling the distribution of intellectual property. But don't look on this as a simple battle of conflicting interests. The signatories to the letter also have a strong interest in preserving their own IP and that of their customers: it seems to me that this is not an "either/or" conflict, but a clear case of needing to find a mutual accommodation of interests. And where so many security and internet infrastructure heavyweights have stepped up to point out the problems, it behoves the legislators to think long and hard about why they've done so.
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow