Is SOPA worth the sacrifice of a secure internet?

On October 26th 2011, the “Stop Online Piracy Act” (SOPA) was introduced to the U.S. congress with the intent to curb the proliferation of copyright infringement and the piracy of intellectual property. The goals of SOPA are clear and understood. The means by which the proposed bill will try to achieve these goals are, however, not without a far-fetching negative impact on the stability and the security of the internet. This documents intends to clarify the repercussions of SOPA and how the bill contradicts earlier U.S. commitment to internet security and the protection of online U.S. assets.

When an individual is looking for information, purchasing goods or doing business on the internet she uses a computing device that, either through a web browser or another applications, allows her to interact with assets on the internet. Today she can use a phone, a tablet, a laptop, a PC or a fridge for this purpose. The assets she interacts with can be anywhere in the world. While her user experience is smooth and everything seems to go back and forth automatically there is a lot of technology involved. Technology that is not relevant to the end user. Technology that is ubiquitous and trivial, until it breaks. The main technology enabling people to send mails, buy presents, write blogs, etc. etc. is the Domain Name System (DNS). Where all assets on the internet are known by their ‘Internet Protocol addresses’, the DNS translates these weird numbers to human-readable addresses. www.facebook.com, www.whitehouse.gov and www.google.com are all examples of such DNS names. They are easy to remember, easy to use and easy to share. The DNS is, and will remain to be, what makes the internet user-friendly for most of it’s users and thus a crucial part of our online life.

Internet users are, on a daily basis, targeted by online criminals who abuse several weaknesses in the DNS. Online criminals impersonate social networks, banks and legitimate online businesses. The weaknesses allow viruses to be installed on the devices used by our citizens, they facilitate identity theft and the abuse of credit cards. As online crime has soared over the past years, impacting citizens and businesses alike, several counter-measures have been evaluated and most of them have been proven to fall short in re-establishing the trust in the internet. The only solution, build on the DNS, that maintains the flexibility of today’s internet while adding the required robustness is DNSSEC : Domain Name System Security Extensions. DNSSEC is so much of a necessity for a secure internet that it has been supported and promoted by the highest levels of the U.S. government since the Clinton administration. George W. Bush included securing the DNS among national cybersecurity priorities and when DNSSEC roll-out started in 2010, the Obama administration called it “a major milestone for internet security”. This all underlines the importance of the DNS as a technology supporting the internet and the crucial part it plays in enabling and securing online business.

DNSSEC guarantees the authenticity of a DNS name. When a user requests the DNS name associated with an ‘Internet Protocol’ address from a DNS server using DNSSEC, she can trust the response as the cryptographic signature associated with the DNS name can not be forged or changed. This blocks any attempt by online criminals to impersonate online assets, secures the internet from the ground up and re-establishes trust in running businesses online.

SOPA, at it’s core, contains a provision to filter traffic between the internet user and a website hosting pirated content using the DNS. This would empower the Department of Justice, with a court order, to require operators of DNS servers to redirect traffic for a specific website to a specific textual notice developed by the Attorney General thus rendering the pirated content unavailable.

The first problem with using this counter-measure to protect intellectual property is that it will not prevent internet users that want to access pirated content from doing so. There are 10 million DNS servers, a minority of those operated by U.S. organizations, on the internet that those users can connect to instead of the DNS servers that have filtering implemented. Moreover they can connect to the servers hosting the pirated content using their ‘Internet Protocol’ addresses, thus completely circumventing the DNS (and rendering the filtering useless). SOPA’s DNS filtering provision will (and can) not prevent internet users who are looking for pirated content from accessing it.

The second, and more serious, problem is that SOPA will undermine the trust between consumers who use online services and businesses who offer their services online. Online trust has been eroding over the past decade as no technology was able to prevent criminals from stealing identities, other personal information or impersonate popular or high profile websites. Just like in the real world, where consumers tend to do business with those entities that they can trust, the online world needs a system that can guarantee that a specific website is the website that the consumer intends to do business with. We, as humans, tend to avoid buying bread from those bakeries that are suspected from messing with the ingredients in their products. We take our business to other butchers once we get a hunch that ours is selling us second grade meat. We buy from those that we trust and the economy soars when trust is honored.

DNSSEC, as it is in the process of being rolled out, is supported by the U.S. government and the only solution to guarantee online users that they are dealing with the online entity they intended to deal with. It works very much like an online identity store, maintained by it’s owner, listing all the names of online resources that are allowed to represent it’s brand name. When a DNSSEC enabled application requests such a resource, the answer is basically signed by the owner’s CEO, giving the user the guarantee that it’s ok to conduct business. As more and more applications start supporting DNSSEC, any attempt to redirect a user to a resource she didn’t intend to access will no longer happen without

notice thus preventing online criminals from using the simplest tool available without being detected.

The DNS filtering provision in SOPA relies on the same technique that online criminals use to steal from our citizens. If we accept this provision to become law, we do not only give those criminals a waiver to keep doing damage to our citizens and businesses but we also call a stop to a joint effort to secure the internet. We have been going forward with great strides. The U.S. government, (inter)national corporations and internet users have joined hands allowing DNSSEC to gain traction and get up to speed. We can not allow a provision that doesn’t have the capacity to prevent what it’s intended to prevent to undermine online trust, render the internet insecure forever and wipe away an unprecedented effort - made possible by citizens, the government and corporations - in one go.