New version of SOPA still has problems

Quantum Windbag

SOPA is not dead, they just want to slap a new coat of paint on it.

On the negative side, serious problems remain. SOPA would still carry dangerous consequences for innovation in online communications tools, for online free expression, and for cybersecurity.

The bill still includes domain-name filtering – the very tactic CDT warned the Committee against in our March hearing testimony and in much of our writing on the topic ever since. The new version may not strictly require ISPs to engage in domain-name filtering, but it does demand that they take steps to “prevent access” to targeted websites. And it states that if they employ domain-name filtering, they get “safe harbor” certainty that they have sufficiently complied. So it’s pretty clear what any competent general counsel would recommend that the ISP do. It’s worth noting, too, that this obligation can be put on any “service providers,” a term defined in the bill as “an operator of a nonauthoritative domain name server” – a pretty strong signal that DNS filtering is what’s really on the table. And really, what other viable tactics would an ISP have at its disposal? Other means of “preventing access” involve constant surveillance of the bitstream of the ISP’s entire user base in order to identify communications with rogue sites. That’s not an appealing option from a cost perspective or from a privacy perspective.

In short, the practical result of requiring ISPs to “prevent access” will be domain-name filtering. And that carries all the negative consequences that CDT has previously described. It undermines cybersecurity, sets a dangerous international precedent towards further balkanization of the Internet, and risks inadvertent impact on lawful content.

The amendment tries to sidestep the cybersecurity problems of domain-name filtering in a few different ways. All are unsuccessful. First, it states that ISPs need not re-direct traffic (the bill previously had contemplated re-directing users to a DoJ warning page, but re-direction is blatantly inconsistent with the emerging security upgrade known as DNSSEC). But simply not answering domain name requests leaves users in limbo, with the impression that something is broken. ISPs can’t afford a new barrage of service calls from confused subscribers. If they have to do domain-name filtering, they’re going to want to provide re-direction to some kind of explanation. They can’t do that and implement DNSSEC too. So the bottom line is, the bill would create a strong incentive for ISPs not to move forward with DNSSEC. That’s a blow to security.

Moreover, domain-name filtering causes significant security problems even without re-direction. Top domain name system (DNS) engineers have made this point directly; DNSSEC can’t play its intended role as a valuable security platform if government creates a gaping ambiguity and loophole by demanding that ISPs take actions that, from the technical DNSSEC perspective, are indistinguishable from true attacks. And as Sandia National Labs described in its discussion of the cybersecurity threat posed by DNS filtering, the tactic’s security risks are not limited to the negative impact on DNSSEC.

Second, the amendment tries to brush off cybersecurity problems by saying that nothing in the bill shall be construed to create obligations that would impair the security or integrity of the domain name system. But courts, tasked with ruling in particular cases, won’t have the relevant evidence or expertise to draw conclusions about the overall impact on the domain name system. Domain-name filtering is expressly cited in the bill as a way for ISPs to comply with the legislation; would a court really conclude that the bill’s general statement about DNS security and integrity is intended to override the explicit approval of domain-name filtering? Moreover, court orders are likely to direct ISPs to “prevent access” and then leave to ISPs the question of how to do it. Since the court isn’t ordering specific action, it’s unlikely to feel it is in any position to analyze specific consequences for DNS security.

Third, the amendment calls for a study of the effects of the ISP obligation to “prevent access.” This is shoot first, ask the tough questions later. The impact of imposing filtering obligations on ISPs should be fully considered before it is written into federal statute. After all, the bill does not contain any sunset provision; the measures it proposes would, if enacted into law, likely be with us for a long, long time.

The amendment’s modified definition of sites that can be targeted for suits by the Attorney General remains entirely open-ended. Any site is subject to prosecution as an “infringement site” if its domain name, were it domestic, would be eligible for seizure. Seizure law allows for seizure of any property that is used “in any manner or part” to commit or facilitate illegal activity. That means a website with 99% lawful activity and no bad intent can qualify as an infringement site based on a small amount of infringing activity by users. End result: The A.G. would have carte blanche to go after virtually any user-generated content site, whenever it wants to. They are all punishable as “infringement sites” by the terms of this bill.

By including a private right of action, the amendment still undermines the predictable legal environment that the DMCA sought to create for online services. Under current law, a site that complies with section 512 of the DMCA gets safe harbor protection against copyright suits seeking monetary damages. But under SOPA, that same site could still face lawsuits seeking to cut off its sources of revenue. In effect, a litigious rights holder gets a second bite at the apple, this time without having to worry about that pesky safe harbor. That’s bad for online innovation, as it gives rights holders a powerful club with which to threaten emerging online services.

That risk might be reduced if the private right of action were strictly limited to foreign entities that would otherwise be outside U.S. jurisdiction. But the bill would allow suits against any website registered to a non-U.S. domain name, even if the parent company is U.S.-based. So U.S. Internet companies with sites registered in foreign country domains would be fair game. That’s evident from the fact that the bill, in both sections 102 and 103, talks about “in personam” actions – it envisions actions against parties that are fully subject to U.S. jurisdiction, even though such parties are already subject to strong legal tools to address infringement.

https://www.cdt.org/blogs/david-soh...-sopa-some-welcome-cuts-major-concerns-remain
 
Last edited:
How big should Big Brother get?...
Bigger US role mulled in cybersecurity
Wed, Feb 08, 2012 - VISIBLE ROLE: The US Senate is proposing a bill to allow Homeland Security to select which companies’ computer security to regulate, but is receiving criticism from all sides
A developing US Senate plan that would bolster the government’s ability to regulate the computer security of companies that run critical industries is drawing strong opposition from businesses that say it goes too far and security experts who believe it should have even more teeth. Legislation set to come out in the days ahead is intended to ensure that computer systems running power plants and other essential parts of the country’s infrastructure are protected. The US Department of Homeland Security, with input from businesses, would select which companies to regulate; the agency would have the power to require better computer security, according to officials who described the bill. They spoke on condition of anonymity because lawmakers have not finalized all the details.

Those are the most contentious parts of legislation designed to boost cybersecurity against the constant attacks that target US government, corporate and personal computer networks and accounts. Authorities are increasingly worried that cybercriminals are trying to take over systems that control the inner workings of water, electrical, nuclear or other power plants. That was the case with the Stuxnet computer worm, which targeted Iran’s nuclear program in 2010, infecting laptops at the Bushehr nuclear power plant. As much as 85 percent of the US’ critical infrastructure is owned and operated by private companies. The emerging proposal isn’t sitting well with those who believe it gives Homeland Security too much power and those who think it’s too watered down to achieve real security improvements.

One issue under debate is how the bill narrowly limits the industries that would be subject to regulation. Summaries of the bill refer to companies with systems “whose disruption could result in the interruption of life-sustaining services, catastrophic economic damage or severe degradation of national security capabilities.” Critics suggest that such limits may make it too difficult for the government to regulate those who need it. There are sharp disagreements over whether Homeland Security is the right department to enforce the rules and whether it can handle the new responsibilities. US officials familiar with the debate said the department would move gradually, taking on higher priority industries first.

“The debate taking place in [US] Congress is not whether the government should protect the American people from catastrophic harms caused by cyberattacks on critical infrastructure, but which entity can do that most effectively,” said Jacob Olcott, a senior cybersecurity expert at Good Harbor Consulting. Under the legislation, Homeland Security would not regulate industries that are under the authority of an agency, such as the Nuclear Regulatory Commission, with jurisdiction already over cyberissues. The bill, written largely by the US Senate Commerce, Science and Transportation Committee and the Senate homeland security panel, is also notable for what it does not include: a provision that would give the president authority to shut down Internet traffic to compromised Web sites during a national emergency. This “kill switch” idea was discussed in early drafts, but drew outrage from corporate leaders, privacy advocates and Internet purists who believe cyberspace should remain an untouched digital universe.
