The Web of Piracy

Photo credit: Dusit/

Today’s younger generation wants digital content, and they want it now. What’s more, they want it all for free. But maybe I shouldn’t pick on just the starving students out there. After all, who among us hasn’t been guilty of sharing a music file with a friend?

But proponents of international anti-piracy efforts would say that it’s not the illegal ripper, or even the downloader they are really after. It’s the actual sites that peddle this contraband they want to target. It’s easy to take down a website within your own borders when the proper mechanisms are in place, but it’s a whole lot harder to do so when Johnny from Arizona State visits a website from Sweden to download his digital booty.

Websites like Sweden-based The Pirate Bay thumb their noses at the Digital Millennium Copyright Act (DMCA) and cease-and-desist orders from US courts. They are well within their rights to do so, as the site noted in its response to an order from movie studio DreamWorks:

“As you may or may not be aware, Sweden is not a state in the United States of America. Sweden is a country in northern Europe. Unless you figured it out by now, US law does not apply here”


Pirate Bay is correct in its assertions, and that’s why movie studios, software companies, and record labels have – for the most part – all lent their support to protective frameworks such as SOPA and PIPA. While costs of online piracy are open to interpretation, it is nonetheless illegal – a point that both sides of the argument can agree on. It’s the enforcement mechanisms envisioned by SOPA and PIPA that have become points of contention. The proposals have created a storm of protest, backtracking, and delays that have put the entire scheme on hold.

What are SOPA and PIPA?

SOPA, or the Stop Online Piracy Act, is currently being tabled by the US House of Representatives. On the other side of Capitol Hill, the Senate has done likewise with similar legislation in the form of the PROTECT IP Act, more commonly known as PIPA. The bills – as originally written – would permit copyright holders to seek a court order to block both protected content and websites that the US Justice Department has identified as engaging in widespread copyright violations. They would also encourage payment providers to refrain from conducting business with sites that the Justice Department has singled out. Finally, in an apparent effort to appease defense contractors and the pharmaceutical industry, they would also increase the criminal penalties for those who traffic in counterfeit medicine and military equipment.

Although the DMCA already provides a mechanism to combat online piracy within the US, the law is ineffective against foreign websites that illegally distribute copyrighted material. SOPA and PIPA, as their drafters initially envisioned them, would provide a solution by requesting that ISPs, under court order, block domestic access to websites identified as habitual offenders by the Justice Department.

Both privacy and security experts were quick to speak out. The bills, they believed, were written too broadly and give rise to possible censorship claims. Former CNN reporter Rebecca MacKinnon told Bloomberg that it would “[set] up a system of blacklisting websites at the national level…basically installing a censorship mechanism” used in countries like China and Iran.

Objections from abroad were almost a certainty. Back in December of last year, before all of the mainstream hoopla, Kaspersky Lab founder Eugene Kaspersky sounded his alarm over what he dubbed SOPA’s “Americanization of the internet”. Kaspersky withdrew his company’s membership from the Business Software Alliance trade group for its support of SOPA, and admonished the bill’s ability to censor the web for the entire world according to US standards.

The American Society of News Editors joined in the criticism, saying the proposed bills would prevent the “free aggregation of content that has become central to online journalism”. Internet ‘founding father’ Vint Cerf was one of 82 internet engineers who sent a letter to the US House, warning that SOPA and PIPA would risk fragmenting the internet’s DNS structure, stifle innovation, and damage US credibility as a responsible steward of internet infrastructure.

Numerous internet companies came out against SOPA and PIPA, criticizing congressional efforts as restrictive and ambiguous. Many instead proposed their own anti-piracy bill that would specifically target only the worst offenders. A joint letter to lawmakers from AOL, eBay, Facebook, LinkedIn, Twitter, and Yahoo! argued that SOPA would “expose law abiding US internet and technology companies to new uncertain liabilities…[that] pose a serious risk” to their industry’s ability to innovate and create jobs, in addition to cybersecurity issues. The mention of the word “jobs” likely elicited a Pavlovian response from lawmakers, many of whom would hesitate to support any bill viewed as a potential ‘job-killer’ in this, an election year here in the US.

With the collective egos of lawmakers, dot.coms and trade groups converging, the landscape was primed for a fracas. If every good protest needs an equally suitable platform, then the houses of Congress were about to discover that it’s not wise to mess with the companies that control the most popular ones.

A Web of Protest

Leave it to the hacktivist group Anonymous to amuse us with unabashed rhetoric. It’s not surprising that whoever controls the social media accounts for this group would take issue with SOPA. “This is a call for a worldwide internet and physical protest against the powers that be”, the group stated in a January video message, then calling on supporters to “replace the front page of every website…with a simple, clear protest page”. Of course, they meant without the site owner’s permission.

Other organizations chose a game plan out of the Gandhi handbook and instead organized a more effective, impactful campaign. Most notable was Wikipedia, which took its site offline January 18 and instead replaced its home page with a message asking users to engage their community in opposition to both PIPA and SOPA. The subtle message, not coincidentally, was accompanied by social media links to help spread the word.

Wikipedia founder Jimmy Wales told the BBC: “Proponents of SOPA have characterized the opposition as people who want to enable piracy or defend [it]. But that’s not the point…the bill is so overly broad and so badly written that it’s going to impact all kinds of things that don’t have anything to do with stopping piracy”.

Wikipedia’s blackout was joined by news aggregation site Reddit. Google – which stood to lose out on revenue if a DNS blocking mechanism was passed – blacked out its home page logo the same day in a similar protest. Even the Occupy Wall Street movement got involved, and somehow managed to latch onto the issue and give it a nostalgic physical presence.

The blowback was immediate, and the results stunning. Even before Wikipedia went down for its single-day protest, three White House advisers articulated the Obama administration’s stance that the DNS blocking provision should not be a part of any anti-piracy legislation. They did so largely in response to two online petitions against the proposed measure. The president’s advisers warned that the laws would “tamper with the technical architecture of the internet” by manipulating DNS, what they called “the foundation of internet security”.

Mainstream media attention to the issue forced PIPA’s sponsor, Patrick Leahy (D-Vt.), to pledge a removal of the DNS filtering provision when the bill came up for debate on the Senate floor. Lamar Smith (R-Texas), sponsor of SOPA, likewise acquiesced by agreeing to withdraw the same provision in the House version of the bill. Both men vowed that the legislation would move forward and address the foreign piracy issue with other provisions.

Then it was as if a light switch turned on under the US Capitol dome, as members of Congress scurried like cockroaches out of the bright rays of SOPA and PIPA criticism. The days surrounding the online protests saw supporters hastily withdraw their previous positions, as the bills crumbled under the weight of online uprising. Many Democrats who supported the bills backtracked on their positions, but the Republican defections from SOPA and PIPA were hard to ignore. Among them were party heavyweights, including senators Roy Blunt (Mo.), Orrin Hatch (Utah), Marco Rubio (Fla.), and Jim DeMint (S.C.).

“They are not dead at this point”, Neil Roiter, director of research at Corero Network Security, said when contemplating the future of PIPA and SOPA. He believes the sponsors will put both measures up for reconsideration “but likely not in an election year”.

The network security expert expresses many of the same concerns voiced by his peers. As they are currently constituted, “[SOPA and PIPA] would put a tremendous burden on internet providers, search engines, and companies that deal in online advertising, and would not effectively stop the problem of pirated content from coming into the United States.

“It might stop some of it”, he added, “but as the expression goes: ‘Water finds a way’”. When measured against their objectives, Roiter believes these measures would not succeed in stopping the flow of pirated content. Instead, he argues, “they would have a potentially devastating effect on internet commerce”.

The Security Implications

An event recently held at Princeton University’s Center for Information Technology Policy examined the vast complexity of online copyright enforcement. It brought together representatives from the content industry, academia, e-commerce sites, and internet service providers for a lively, if not extremely cordial, debate. Nearly all of the speakers agreed that online copyright infringement is a problem and deserving of enforcement. But very few agreed that SOPA or PIPA were an appropriate solution.

Mike Freedman, an expert on network architecture, explained the methodology behind various domain blocking techniques. He said the content industry does not have an effective means to take down sites outside the US. SOPA and PIPA, which they largely promoted, are attempts to augment law enforcement’s seizure capabilities at home with the ability to make rogue sites abroad unreachable.

Just as Neil Roiter warned that pirated content would flow like water through cracks, the Princeton professor of computer science observed that DNS resolvers can be easily altered – with a little know-how. If someone points their resolver somewhere else, it makes domain blocking strategies originally considered in SOPA “somewhat ineffective” because people can easily point resolvers outside the country, to a location outside the enforcement jurisdiction.

“There were strong statements against [SOPA and PIPA], both by the wider internet population and by many of the technologists and academics who helped design and build the internet”, Freedman said. “They believe it would actually be ineffective and raise multiple security issues”.

The controversial blocking measures were the galvanizing force behind the popular outcry, and their inclusion is why the bills are now on hold pending revision. Roiter explains the security implications of the unpopular provision by noting that “DNSSEC is designed to establish a chain of trust in DNS resolution, using digital signatures, to protect against DNS forgery used to direct clients to malicious websites”. His analysis is that among the “two broad enforcement mechanisms included in SOPA and PIPA, [DNS blocking] was dropped by supporters in response to objections that it would ‘break’ DNSSEC, which is seen as a major Internet security enhancement as it is more widely adopted.”

Roiter warned that had previous iterations of SOPA and PIPA been enacted into law, “ISPs would be required to redirect traffic from websites trading in pirated content”, which he said is “analogous to what attackers do and would render DNSSEC ineffective, as applications would have to revert to traditional DNS resolution and open the door for attackers”.

Software and content piracy are serious problems, Roiter contended. “But SOPA – and PIPA in particular – are dangerous pseudo-solutions to the problem. They would create new problems without effectively addressing the existing problem of content piracy and copyright infringement.”

At a philosophical level, he believes the measures lack “due process” for alleged offenders. From a business perspective, Roiter said SOPA and PIPA “would place an enormous burden on search engines in particular, and it would require monitoring that would be extremely burdensome and ultimately impractical”.

The View from the Other Side

Eddy Leviten is the head of communications for the UK-based Federation Against Copyright Theft (FACT), a trade organization that represents firms in the recording and film industries, in addition to professional sports leagues. Their members include the Big Six movie studios, independent distributors, satellite providers, and the English Premier League.

Leviten says his organization takes a close interest in what happens elsewhere, including developments with SOPA and PIPA. “We are a UK organization”, he acknowledged. “But obviously with the internet, some of what we do is global because what happens in one country has an impact in others as well.”

He observed that the UK already has a site blocking mechanism not unlike those proposed in SOPA and PIPA. Leviten is referring to section 97A of the UK’s Copyright, Designs and Patents Act of 1988, which allows High Court judges to grant injunctions against internet providers that order them to block websites illegally distributing copyrighted content within the UK.

It was this section of the law that the court used in 2010, when it ordered BT to block links to the Newzbin website. Critics of the method would hold this up as a sterling example of why blocking is not an effective deterrent, as Newzbin quickly provided a workaround for members to access a new site – Newzbin 2. The court issued another order in 2011 when the Motion Picture Association sought a second injunction. Once again, water found its way through the cracks.

Not surprisingly, given his current employment, Leviten takes a more positive view of this site blocking mechanism. He said provisions like 97A, SOPA, and PIPA deal with rogue sites that operate outside jurisdictional control and are only meant to be used in cases where law enforcement has little power, and rights holders have no other recourse.

Is All this SOPA Stuff Really Necessary?

If we go back to the beginning of this discussion, and consider downloaders like Johnny from Arizona State, Leviten says anti-piracy proposals like SOPA and PIPA do not target those who think content on the internet should be free. “We are not talking about small-scale infringers”, he related. “We are talking about businesses – criminal enterprises – like MegaUpload, whose main purpose is to make money by providing access to material without the permission of people who created it.”

But don’t recent multi-national law enforcement efforts like the MegaUpload takedown mean that the existing structure is working without compromising both security and prosperity? It’s a point that Neil Roiter made when he summarized his views on SOPA and PIPA.

“I believe these legislative remedies are not the right answer and would have a chilling and suppressive effect on the internet”, he said. “If the internet is impacted, then commerce is as well.” In the case of these two proposals, he contended that attempts at a remedy for one industry “can have a deleterious effect on numerous [others] and internet trade, which is basically the lifeblood of the global economy.”

FACT’s Leviten regrets that the average person really does not understand the nuance of international piracy, and he believes a fair amount of misinformation was inserted into the argument. “People are entitled to protest, and I think it’s fair that we have a healthy debate on these issues”, he affirmed.

“But I think, in this particular instance, people were led to believe that [SOPA and PIPA] would shut down the internet, and that isn’t the case.”

The final word goes to Mike Freedman who cautioned that “We should be skeptical about the methods used to identify copyright infringers”, when expressing his reservations that takedown powers may not be used carefully or honestly. Furthermore, the Princeton professor sees no reason to change the enforcement status quo, because many of the aims SOPA and PIPA seek are already being achieved within the current DMCA framework.

“We should be careful when we embed blocking/censorship infrastructure”, Freedman warned. “It generally works well, but it’s often pretty ineffective when you are dealing with motivated people with the skills to re-route their traffic.”
