As I prepare a managers' amendment to be considered during the floor debate, I will therefore propose that the positive and negative effects of this provision be studied before implemented...

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers....

Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names. While in the past those domains may have wanted to do so but felt it would have limited effect, they now can work on signing their domains knowing that the largest ISP in the U.S. can validate those signatures on behalf of our customers.

When we launched the Domain Helper service, we also set in motion its eventual shutdown due to our plans to launch DNSSEC. Domain Helper has been turned off since DNS response modification tactics, including DNS redirect services, are technically incompatible with DNSSEC and/or create conditions that can be indistinguishable from malicious modifications of DNS traffic (including DNS cache poisoning attacks). Since we want to ensure our customers have the most secure Internet experience, and that if they detect any DNSSEC breakage or error messages that they know to be concerned (rather than not knowing if the breakage/error was "official" and caused by our redirect service or "unofficial" and caused by an attacker), our priority has been placed on DNSSEC deployment -- now automatically protecting our customers...

we disagree with the way that Mr. Castro applies our findings to the SOPA debate. His presumption that people will work as hard or harder to access political content than they do to access entertainment content deeply misunderstands how and why most people use the internet. Far more users in open societies use the Internet for entertainment than for political purposes; it is unreasonable to assume different behaviors in closed societies. Our research offers the depressing conclusion that comparatively few users are seeking blocked political information and suggests that the governments most successful in blocking political content ensure that entertainment and social media content is widely available online precisely because users get much more upset about blocking the ability watch movies than they do about blocking specific pieces of political content.

Rather than comparing usage of circumvention tools in closed societies to predict the activities of a given userbase, Mr. Castro would do better to consider the massive userbase of tools like bit torrent clients, which would make for a far cleaner analogy to the problem at hand. Likewise, the long line of very popular peer-to-peer sharing tools that have been incrementally designed to circumvent the technical and political measures used to prevent sharing copyrighted materials are a stronger analogy than our study of users in authoritarian regimes seeking to access political content.

Second, our research has consistently shown that those who really wish to evade Internet filters can do so with relatively little effort. The problem is that these activities can be very dangerous in certain regimes. Even though our research shows that relatively few people in autocratic countries use circumvention tools, this does not mean that circumvention tools are not crucial to the dissident communities in those countries. 19 million people is not large in relation to the population of the Internet, but it is still a lot of people absolutely who have freer access to the Internet through the tools. We personally know many people in autocratic countries for whom these tools provide a crucial (though not perfect) layer of security for their activist work. Those people would be at much greater risk than they already are without access to the tools, but in addition to mandating DNS filtering, SOPA would make many circumvention tools illegal. The single biggest funder of circumvention tools has been and remains the U.S. government, precisely because of the role the tools play in online activism. It would be highly counter-productive for the U.S. government to both fund and outlaw the same set of tools.

If this were surgery, the patient would have run out screaming a long time ago. But this is like a group of well-intentioned amateurs getting together to perform heart surgery on a patient incapable of moving. “We hear from the motion picture industry that heart surgery is what’s required,” they say cheerily. “We’re not going to cut the good valves, just the bad — neurons, or whatever you call those durn thingies.”

This is terrifying to watch. It would be amusing — there’s nothing like people who did not grow up with the Internet attempting to ask questions about technology very slowly and stumbling over words like “server” and “service” when you want an easy laugh. Except that this time, the joke’s on us.

• Huge kudos to Reps. Issa, Lofgren, Chaffetz and Polis, who combined to repeatedly point out the problems of the bill and to argue forcefully and compellingly about why we needed to fix these problems. That much of the rest of the Committee ignored these concerns, played them down, or rejected them for silly or nonsense reasons, is really just a statement on the sad state of Congress today.
• I heard from sources that a big time content industry lobbyist was seen hanging out in the "members only" area during the session. If that doesn't tell you everything you need to know about what's going on, then you're not paying attention.
• There was a bizarre elementary school-like fight that went on at one point. Rep. Steve King tweeted early on:

  We are debating the Stop Online Piracy Act and Shiela Jackson has so bored me that I'm killing time by surfing the Internet.

  Rep. Jackson-Lee found out about this and announced that she was "offended," at which point it seemed like a bunch of these old clueless men started arguing about how inappropriate it was for her to say she was offended. The whole session had to pause while they talked to a "parliamentarian" about whether it was okay to use the term "offended," eventually leading Jackson-Lee to change her statement. Yeah. These are the people in charge of making our laws. Scary.
• With the session going on for 11.5 hours, there was a short break for lunch, but for dinner Rep. Lamar Smith offered "four kinds of pizza," but apparently only for other members. Staffers had to sit and starve. Nice of them, huh?

PIPA/SOPA states that service providers are required to take only “technically feasible and reasonable measures” to comply with government court orders. The legislation further states that a service provider is not required to “modify its network, software, systems, or facilities” to comply with these requirements. This means that if DNS servers are deployed using DNSSEC, and if DNSSEC does not allow for the type of redirection or filtering specified in the legislation, ISPs would not need to take action. Thus there is no reason to suspect that ISPs would delay deploying DNSSEC because of provisions in SIPA/PIPA. If anything, to the extent that any ISPs oppose DNS filtering for ideological or technical reasons, the DNS filtering requirements in PIPA/SOPA would serve as a catalyst for ISPs to upgrade to DNSSEC since this may free them of unwanted obligations.

While technology should shape policy, it should not determine policy. The U.S. policies on the Internet should not be determined by the ideological points of view of a few network engineers in the IETF. Policymakers routinely ask the private sector to design systems to meet new technical standards so as to achieve a specific policy outcome.

DNSSEC, as with many technical standards, is not an immutable set of rules carved by God on stone tablets. Although DNSSEC has been codified in various technical documents, it continues to evolve over time as researchers propose new modifications to the standard to address various limitations. The question policymakers should be asking is not whether the proposed solution is compatible with the current version of DNSSEC, but how to craft policies that best take advantage of potential improvements in the DNSSEC standard.

Opponents of PIPA/SOPA, such as the Internet Society and Crocker et al., argue that DNS filtering will “puts users at risk.”31 However there are no security risks from DNS filtering. Instead, the purported security risks for users come about only for those Internet users who begin using alternative DNS services (i.e. those individuals intent on breaking the law). Yet, as we have seen, to date there is little evidence that the average user will begin using these alternative DNS services. In fact, users will be unlikely to use an alternative DNS service precisely because of the security risks.

The Internet Society argues that DNS filtering “has the potential to restrict free and open communications and could be used in ways that limit the rights of individuals or minority groups.” Of course it could. ISPs or the U.S. government could use DNS filtering to block sites they do not like. But guns can be used by criminals to kill people too and that does not mean that we do not let the police or security guards have guns.

Critics of PIPA/SOPA are trying to suggest that if a user is prevented from obtaining a pirated copy of the latest Hollywood film, this is an unlawful restriction of their Constitutional rights.

Ironically, many of the voices arguing that DNS filtering does not solve the core issue, which is that pirated content is made available online, often are the same ones opposing digital rights management (DRM) technology that is created to achieve the very goal of eliminating pirated content.

Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.