Perhaps SOPA Should Be Called The Stop Online PRIVACY Act

from the unintended-consequences? dept

From piracy to privacy

Critics of the Stop Online Piracy Act and its Chinese Firewall approach to combatting Internet piracy have hammered the ill-advised legislation for the predictable damage it would inflict on cybersecurity, innovation, and above all, free speech. More than a hundred eminent law professors?including such renowned constitutional scholars as Harvard’s Lawrence Tribe?have blasted blocking provisions in SOPA (and its Senate counterpart PROTECT-IP) as a form of “prior restraint” of speech prohibited by the First Amendment. Yet SOPA also poses less obvious risks to the privacy of Internet users?risks which have received far less attention.

“We tend to treat freedom of speech issues on the Internet as matters of censorship,” former White House technology advisor Andrew McLaughlin recently explained to The Wall Street Journal, “but the real threat is surveillance.” Censorship and surveillance are natural partners: Monitoring alone often chills speech as effectively as blocking, and content prohibitions naturally give rise to monitoring designed to identify prohibited content. So it is likely to be with SOPA.

Under the notice-and-takedown approach to copyright infringement embedded in the Digital Millenium Copyright Act, Web platforms aren’t expected to actively police the content uploaded by their users: They’re only expected to comply with requests to remove specific identifying files identified by rightsholders. Under SOPA, however, a site can be branded as “dedicated to theft of U.S. property” if, in the statute’s bizarre wording, its owner “is taking, or has taken deliberate actions to avoid confirming a high probability” of infringement. Sites merely accused of insufficient diligence risk being starved of revenue from ad networks or payment providers.

These dire consequences provide a powerful incentive for legitimate sites to implement some form of automated monitoring of user uploaded content, lest they be accused of “deliberately avoiding” awareness of infringement. Sites that do so can be expected to modify their terms of service?lengthy blocks of legalese, which users seldom read closely?to authorize such scans. As many analysts have pointed out, the friction and overhead costs involved in implementing such filters burden both innovation and legitimate “fair uses” of copyrighted content. But such scanning may also have unanticipated knock-on effects on the level of legal privacy protection to which user communications are entitled.

Much infringing content is posted on the public Internet for all to see. But infringement can just as easily occur in more limited, private forums. A pirated file can also be sent as an e-mail attachment, shared exclusively with a circle of friends on a social network, or uploaded to a cloud storage site behind a password wall. A comprehensive scan would have to include these as well?potentially affecting how content is treated under both federal statute and the Constitution. In short, SOPA incentivizes private cloud providers to change their practices in ways that may lower legal barriers to government acquisition of private communications?even for investigations having nothing to do with copyright.

Enter the Fourth Amendment

Courts have only depressingly recently begun recognizing that some forms of cloud-stored data are entitled to the protection of the Fourth Amendment. But Fourth Amendment analysis focuses on whether an individual enjoys a “reasonable expectation of privacy” in the information a government agent seeks to obtain. If files or messages are routinely scanned for infringing content by skittish cloud providers, courts may be more likely to find that the user’s expectation of privacy?and any Fourth Amendment protection that accompanies it?has been waived. Even the lesser privacy protection afforded by the Electronic Communications Privacy Act depends in part on the provider having limited access to user files and messages, which means more scans that are not obviously a necessary part of providing a particular cloud service could provide a basis for questioning the statute’s applicability.

Let’s be optimistic, though, and assume that the law will be interpreted to preserve the privacy protection of user-uploaded content, even if it has been scanned in this way. That protection is still less likely to extend to any logs generated by a provider’s scans. Insofar as these logs indicate which users have been flagged for uploading suspect files, or for sending links to suspect sites, they would reveal information about user content, but could easily be treated as ordinary business records accessible to government via a mere subpoena or other lesser process, rather than a full Fourth Amendment search warrant.

Would DNS redirection violate wiretap laws?

Finally, it’s worth considering some potential effects of falsifying DNS records to redirect traffic bound for foreign sites deemed verboten by the Department of Justice. While SOPA leaves open what happens when someone attempts to reach a blocked site, PROTECT-IP explicitly suggests that a blocking notice chosen by the Attorney General should be shown to users seeking to reach those sites. That suggests that PROTECT-IP could be implemented using a scheme similar to that used by the Department of Homeland Security for seizing U.S. sites, which are pointed to a notice of seizure at

Much here depends on the details of implementation, but such redirection creates a possible backdoor mechanism for the collection of information that normally requires a court order. Ordinarily, when the government wants to acquire communications metadata in realtime?to find out who is communicating to or from a particular phone, e-mail account, or IP address?it must get what’s known as a “pen register” (for outgoing information) or “trap and trace” order (for incoming information) authorized by a judge. The standard for these orders is far lower than the “probable cause” needed for a full-blown wiretap, but they do still require some showing of relevance to an ongoing investigation of a specific crime that the government believes has been or is about to be committed.

If requests for pages hosted at,, or are instead sent to a blocking notification page on a government-controlled server, that server’s logs will effectively capture the IP address of every user who has attempted to initiate a communication with a blocked domain (unless they’re using a proxy or other anonymizing tool). This is especially worrisome in cases where the site in question might host content that is controversial for reasons beyond copyright status.

Potentially still more problematic?and again, depending heavily on the implementation details?such redirection could cause communications intended for one domain to be redirected to the government’s notification server, which would technically constitute an illegal “interception” under federal wiretap law even if the notification server were not configured to accept or record any of that data. The simplest way this might happen is if a DNS server operator interpreted the law as requiring modification of a blocked domain’s mail server (or MX) record. But even an ordinary HTTP page request will often contain some forms of “content”: search queries, login credentials, a user agent string, or cookies placed by the blocked site during previous visits. And of course, DNS is not only used by web browsers, but by other clients operating on other communication protocols. The host currently used by DHS to provide seizure notification only appears to keep port 80 (HTTP), 443 (SSL), and 3389 (terminal services) open, but those settings can be easily changed at any time, before or after redirection begins. In effect, DNS hijacking puts the government on the honor system with respect to communications directed at or through a seized domain. The alternative?failure to resolve without redirection?results in censorship without transparency, as government blocks become indistinguishable from technical or other sources of connection failure.

From worries about its impact on DNSSEC to fears of providing cover for repressive regimes abroad, it’s hard to keep track of all the different reasons to oppose domain censorship as an anti-piracy strategy, but there are strong grounds for adding its effect on privacy to the long, growing list.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Perhaps SOPA Should Be Called The Stop Online PRIVACY Act”

Subscribe: RSS Leave a comment
Anonymous Coward says:

I still say the ISPs should band together and shut down until these bills are officially killed. Force them to choose between the entertainment industry or the net. I have a feeling the millions of phone calls from angry internet users who are unable to get online would change their minds in a hurry.

You’re out of your fucking mind. The ISP’s on coming out in favor of SOPA by the markup.

Anonymous Coward says:

Re: Re: Re:

…the power is with the consumer…

Ha. Lol.

In America today, just six people by themselves have as much wealth as 30% of the citizenry.

Who really has the power? Is it ninety million soi disant ?consumers? ?or those six people.

It’s not a difficult question. You already know who really has the power: Who can buy laws. Who can get wars started. Whose opinion really counts in this country.

gorehound (profile) says:

Re: Re: Re:

Good For You !!!
I have been ding this for the last 5 or 6 years and will do this for many more if not my whole life.

1.never go to a theater not do Netflix/ITUNES, etc as Hollywood will get money that way
3.never ever buy a digital file of music/movies from RIAA & MPAA
4.Boycott any fool Artist who signs with the RIAA
5.Do not buy any new physical movies/music from Big Content
6.But only used Physical products locally or if not found online
7.Buy only INDIE Movies and Music
8.never let a dime of your wallet go near the RIAA & MPAA
Fight the bastards with your buying power and spread the word.
They want to make war against all of us now you all should be fighting what if you have to wait a little while to watch something.Be patient and wait and then buy used.

another mike (profile) says:

Re: Re: Re:

I pledge to buy music directly from the artists I like. If sites like Bandcamp charge a processing fee, they stand to make a fortune.
Movies are another matter. I only buy movies if there’s something special about the physical disk, like if it’s the Special Extended Director’s Cut Collector’s Edition. Otherwise it’s just another digital media file and the physical token isn’t efficient. Things like Netflix, and recently YouTube, have made paying for the file easier.
Eventually, I’ll be able to watch movies the same way I listen to music.

Me says:

Why is the Entertainment Industry so powerful?

These laws are a fricken joke. The Government will help the entertainment idustry and control what people do but nothing was ever done about preventing pedofiles from viewing child and minor porn, or even stopping people from learning how to make bombs. Nice message! It’s ok for a 10 year old to learn how to make a pipe bomb and for Uncle Chuckles to download kiddie porn at his local Internet Cafe, but download some B rated Hollywood crap movie that you wouldn’t have paid to see anyway and BOOOOOM, privacy rights GONE, freedom of speech GONE…..Like I wrote it’s a fricken joke and disgusting to say the least. I say everyone not see a movie or buy music in 2012 and see how fast things change. ENTERTAINMENT INDUSTRY CHANGE YOUR OUTDATED BUSINESS MODEL AND US GOV GET SOME BALLS!

daveshouse1000 (profile) says:

ATTENTION – If any of your elected officials vote for SOPA or PROTECT IP, regardless of party affiliation, BE SURE TO VOTE THEM OUT IN THE NEXT ELECTION CYCLE. This is will not make you a one issue voter as this is an important acid test to determine who your Congressman or Senator stands on the side of. Either the people or the corporations. There it is, simple in black and white! ANYBODY who would run this bill through is either profoundly corrupt or too incompetent to make important decisions regarding our constitutional rights. If they would vote this bill through, you need to ask yourself, “What else would they vote for in the future”. When you write or call your Congressman or Senator, tell them that you will vote them out of office, AND ACTUALLY DO IT!

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...