SOPA Supporter: If You Use DNSSEC You Can Ignore SOPA/PIPA

(Mis)Uses of Technology

from the wait,-what? dept

Daniel Castro from the Information Technology and Innovation Foundation (ITIF) is the guy who has been highlighted for coming up with the idea of censoring the internet to deal with copyright infringement online. In 2009, he wrote a whitepaper suggesting just such a strategy, and since then has been a vocal champion of the approach that mimics China’s Great Firewall.

He’s issued a “response” to “critics” over the bills which is, frankly, an embarrassment for supporters of these bills. There may be some compelling ways to defend these disasters (though I doubt it), but Castro’s paper is beyond ridiculous. It rolls out all the usual bogus tropes, talking up the “size” of the problem with claims that simply aren’t backed up by the data at all. But it’s main focus is trying to respond to the claims of all sorts of people who actually understand internet security, about how DNS blocking would be a disaster. At this point, the incredible thing is that supporters of SOPA/PIPA have yet to come up with a single credible person who thinks DNS blocking is a good idea. On the flip side, DNS experts like Paul Vixie and David Ulevitch have been vocally opposed. In addition, there are other folks like Stewart Baker, the former Homeland Security Assistant Secretary and former NSA General Counsel, as well as the folks at Sandia National Labs, experts in internet security, who are opposed to it as well. All of them have pointed out that DNS blocking won’t work, will likely make things worse, and will have disastrous consequences for internet security. These are people who understand this stuff at its core. On the other side? We’ve got Daniel Castro. There’s a lot of ridiculousness here, but let’s start with the most insane part, the response over how this will kill DNSSEC. Castro seems to suggest that those who use DNSSEC can just ignore the law:

PIPA/SOPA states that service providers are required to take only ?technically feasible and reasonable measures? to comply with government court orders. The legislation further states that a service provider is not required to ?modify its network, software, systems, or facilities? to comply with these requirements. This means that if DNS servers are deployed using DNSSEC, and if DNSSEC does not allow for the type of redirection or filtering specified in the legislation, ISPs would not need to take action. Thus there is no reason to suspect that ISPs would delay deploying DNSSEC because of provisions in SIPA/PIPA. If anything, to the extent that any ISPs oppose DNS filtering for ideological or technical reasons, the DNS filtering requirements in PIPA/SOPA would serve as a catalyst for ISPs to upgrade to DNSSEC since this may free them of unwanted obligations.

Really? Is he really arguing that if you’re running DNSSEC, you can ignore the government’s official blacklist? Why do I get the feeling that any provider that actually does that will quickly find themselves hauled into court for… “enabling” or “facilitating” infringement? How can anyone take this seriously?

While technology should shape policy, it should not determine policy. The U.S. policies on the Internet should not be determined by the ideological points of view of a few network engineers in the IETF. Policymakers routinely ask the private sector to design systems to meet new technical standards so as to achieve a specific policy outcome.

This is either ignorant or just stupid. DNSSEC has been under development for sixteen years. Part of the reason it’s taken so long is because this is not easy. Castro’s flippant suggestion that we just ignore the technological issues is downright scary. If the technology is carefully set up and clueless think tankers and regulators are about to throw a decade plus of careful development out the window for a “problem” they can’t actually show with a “solution” that won’t work… it seems pretty damn reasonable to raise the technological issues.

DNSSEC, as with many technical standards, is not an immutable set of rules carved by God on stone tablets. Although DNSSEC has been codified in various technical documents, it continues to evolve over time as researchers propose new modifications to the standard to address various limitations. The question policymakers should be asking is not whether the proposed solution is compatible with the current version of DNSSEC, but how to craft policies that best take advantage of potential improvements in the DNSSEC standard.

Ah, the MPAA’s “you techies can just change the code” argument. Once again, displaying a massive ignorance of what has happened over the last 16 years and the effort that has gone into creating DNSSEC and then beginning the process of getting it out there. Is Castro really suggesting that we go back to the drawing board, and leave security issues ignored for another decade and a half? Just because some movie studios are too lazy to adapt? That’s scary.

Opponents of PIPA/SOPA, such as the Internet Society and Crocker et al., argue that DNS filtering will ?puts users at risk.?31 However there are no security risks from DNS filtering. Instead, the purported security risks for users come about only for those Internet users who begin using alternative DNS services (i.e. those individuals intent on breaking the law). Yet, as we have seen, to date there is little evidence that the average user will begin using these alternative DNS services. In fact, users will be unlikely to use an alternative DNS service precisely because of the security risks.

This is a disgusting smear from Castro, suggesting that the only people who might use alternative DNS systems are intent on breaking the law. Does he really not think that some people might not trust the US DNS system once it’s been given orders for an official blacklist of sites to censor?

The Internet Society argues that DNS filtering ?has the potential to restrict free and open communications and could be used in ways that limit the rights of individuals or minority groups.? Of course it could. ISPs or the U.S. government could use DNS filtering to block sites they do not like. But guns can be used by criminals to kill people too and that does not mean that we do not let the police or security guards have guns.

Is he really arguing that DNS filtering isn’t censorship in the US because we’re giving it to “the good guys”? That seems to be the argument here… and it’s ridiculous. The censors in China and Iran consider themselves the good guys too. Is this really the message we want to send to the rest of the world? Just make sure you say your official censors are “police” and all is good, according to Daniel Castro.

Critics of PIPA/SOPA are trying to suggest that if a user is prevented from obtaining a pirated copy of the latest Hollywood film, this is an unlawful restriction of their Constitutional rights.

No, actually, that’s not what they’re arguing. They’re arguing that this idiotic censorship system Castro is supporting will censor plenty of protected speech, which is a restriction of their Constitutional rights.

Ironically, many of the voices arguing that DNS filtering does not solve the core issue, which is that pirated content is made available online, often are the same ones opposing digital rights management (DRM) technology that is created to achieve the very goal of eliminating pirated content.

That’s not ironic. Neither DNS filtering nor DNS achieve the goal in question. The position of being against draconian, overly aggressive technology that harms consumers rights and is likely to be abused, is entirely consistent.

There’s a lot more in the paper like this, but you get the idea. There’s barely a sentence in there that’s reasonable or sensible.

Filed Under: daniel castro, dns, dnssec, security