France Keeps Breaking the Internet to Stop Piracy, Even Though It’s Not Working
from the but-maybe-this-time-it-will! dept
Back in 2011 and 2012, one of the central technical objections that helped kill SOPA and PIPA was about DNS blocking. Engineers, internet architects, and cybersecurity experts all lined up to explain, in painstaking detail, why blocking at the DNS layer was a terrible idea. It would break the fundamental architecture of how the internet works. It would have massive collateral damage. It would undermine security protocols designed to protect users from exactly the kind of DNS manipulation that the bill proposed. And it wouldn’t even stop piracy, because anyone who actually wanted to get around DNS blocking could do so easily.
Congress, to its rare credit, actually listened to the technical experts (and widespread protests) and shelved the legislation. But the entertainment industry never gave up on the idea. They just went jurisdiction-shopping. And France, which has never met a maximalist copyright enforcement scheme it didn’t love, has been more than happy to oblige.
As recently reported by TorrentFreak, a Paris Court of Appeal validated DNS blocking orders requiring Google, Cloudflare, and Cisco to block access to pirate sites through their own DNS resolvers. This goes beyond traditional ISP resolvers, which France has been ordering blocked for years — this targets third-party resolvers — the ones that millions of people specifically choose to use because they offer better privacy, better security, and better reliability than their ISP’s default DNS.
But, of course, in France (and to the usual crew of Hollywood lobbyists), “better privacy, security, and reliability” can only mean one thing: used for piracy.
The court rejected all five appeals, and in doing so, articulated a legal principle so sweeping that it has no natural stopping point.
In this case, French pay-TV provider Canal+ went to court under Article L. 333-10 of the “French Sport Code,” which lets rightsholders request “all proportionate measures” against “any online entity in a position to help” block access to pirate sites. Canal+ argued that because users were simply switching to third-party DNS resolvers to circumvent ISP-level blocking, those resolvers should be conscripted into the blocking regime too.
Cloudflare and Cisco pushed back, arguing that their DNS resolvers serve a “neutral and passive function” — they translate domain names into IP addresses and that’s it. They compared their role to a phone book. The court’s response boiled down to: we don’t care.
The DNS resolution service allows its users, via the translation of a domain name into an IP address, to access websites on which sports competitions are broadcast in violation of rights-holders’ rights, and in particular to circumvent the blocking of those sites by ISPs.
The court found that the “neutral and passive” nature of DNS resolvers is “simply irrelevant to Article L. 333-10.” The law isn’t about liability at all — it only cares whether a service can help block access to pirate sites, which DNS resolvers clearly can. If you are technically capable of blocking access, you must.
Google, meanwhile, tried a different argument: that DNS blocking through third-party resolvers isn’t effective because users can just switch to a VPN or yet another resolver. The court wasn’t moved by that either:
Any filtering measure can be circumvented, and this possibility does not render the measures in question ineffective.
As long as DNS blocking stops some subset of users from reaching pirate sites, the court ruled, it’s “proportionate.” Under that line of thinking, any measure that inconveniences even a fraction of would-be pirates is legally justified, no matter how much collateral damage it causes for everyone else.
And if you think that principle has any limit, Canal+ has made it quite clear that they don’t think it does:
Canal+ said in a statement that the rulings are “more than a victory,” forming part of “a global approach that will be reinforced by the progressive deployment of complementary measures, including IP blocking.”
Canal+ has already been getting courts to order VPN providers to block as well. So now we have ISP DNS blocking mandated, third-party DNS resolver blocking mandated, VPN blocking mandated — and, per the TorrentFreak article, direct automated IP address blocking is coming too. They will not stop until the entire internet is broken.
Each step reaches further down the internet stack, breaks more of the internet for more people, and stops fewer actual pirates, because the people who are determined to pirate content are always one technical maneuver ahead. The people who get caught in the collateral damage are ordinary users who happen to use Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8 for perfectly legitimate reasons like speed, reliability, and privacy.
Cisco, rather than comply with the original order, simply pulled its OpenDNS service out of France entirely. That’s the kind of collateral damage we’re talking about. French users who relied on OpenDNS for entirely lawful purposes completely lost access to the service. Because a copyright holder decided that the DNS layer was the right place to play whack-a-mole with pirate sites.
When Cisco argued on appeal that implementing geo-targeted DNS blocking would require 64 person-weeks of engineering work, the court waved it off, saying the estimate was “not supported by any objective evidence” and pointing out that Cisco already offers DNS filtering to enterprise customers. The fact that enterprise DNS filtering for corporate networks is a fundamentally different thing than mass geo-targeted blocking of domains at the resolver level for an entire country’s users apparently did not register as a meaningful distinction.
The court’s core reasoning — that any entity technically capable of blocking must do so, that circumvention doesn’t make blocking disproportionate, and that the “neutral and passive” function of an intermediary is irrelevant — creates a legal framework that can reach basically anything. If a DNS resolver can be conscripted because it’s “in a position to help,” what about browsers? What about operating systems? What about CDNs, or cloud hosting providers, or certificate authorities? The logic has no brake pedal. Every layer of the internet stack is, in some sense, “in a position to help” block access to content. The question the court’s reasoning cannot answer is: where does it end?
Under this reasoning, what’s to stop a rightsholder from arguing that browsers should block pirate URLs directly? Or that operating systems should refuse to resolve them at all?
That seems bad!
Of course, this kind of maximalist copyright enforcement is something of a French specialty. This is the same country that brought us HADOPI, the graduated response agency that cost French taxpayers €82 million over a decade while imposing a grand total of roughly €87,000 in fines. A staggering return on investment — if the goal was to light money on fire while accomplishing nothing. France has also been at the forefront of copyright exceptionalism that risks undermining the EU legal system more broadly, pushing interpretations of copyright law so aggressive that they threaten to distort the legal frameworks of neighboring countries.
France keeps doing the same thing over and over again: spend enormous sums, conscript more and more intermediaries, break more and more of the internet’s infrastructure, accomplish almost nothing in terms of actually reducing piracy, and then conclude that what’s really needed is… more of the same, but harder. The entertainment industry’s refusal to learn from twenty years of evidence that enforcement-maximalism doesn’t work is genuinely remarkable. Every study and every natural experiment shows the same thing: the most effective anti-piracy tool ever invented is convenient, reasonably priced legal access to content. But that requires adapting your business model, and it’s apparently much more satisfying to get courts to break the internet for you instead.
The ruling’s real danger is the template it sets. Other countries with similar legal frameworks will look at this appeals court validation and think: we can do that too. The “any entity in a position to help” standard, combined with the “doesn’t have to be perfectly effective” standard, combined with the “we don’t care about your neutral role in the architecture” standard, adds up to a legal toolkit for conscripting nearly any internet infrastructure provider into a copyright enforcement apparatus. And the costs get externalized onto those providers (and their users), while the rightsholders collect the benefits.
The engineers who fought SOPA warned about exactly this: DNS blocking breaks things, creates collateral damage, pushes enforcement into layers of the stack never designed for it — and doesn’t actually stop piracy, because the actual pirates just route around it while everyone else suffers. France apparently decided all of those concerns are, to quote the court, “simply irrelevant.” And now they’ve moving on to IP blocking.
At some point, you run out of layers of the internet to break. But apparently we’re going to have to find out where that point is the hard way.
Filed Under: copyright, dns blocking, france, sopa
Companies: canal plus, cisco, cloudflare, google
Comments on “France Keeps Breaking the Internet to Stop Piracy, Even Though It’s Not Working”
France (and Europe in general) has become quite poor over the last 20 years. Most of that is due to bad economic and labor policy but a lot of it is due to tech policies like this that just kills their tech industry.
Increasingly they’ve been trying to apply their laws to foreign tech companies (mostly American) and I think it’s time for tech companies just to pull out, have no exposure to Europe. It’s not worth it.
France has fewer free speech rights than the United States, and many other western countries. Since the right in this country is often unimpressed with France, they may become “adversarial” apps/programs like TikTok is/was if any of their tech companies become big enough to compete here.
whose at fault
I have a hard time blaming the court since they are just enforcing the law as written.
Back to the future: hosts.txt
Before DNS came along (and in some cases, well after) a single text file was used to map hostnames to addresses. This worked because there weren’t that many hosts and they didn’t change too often.
It still works now in certain cases: e.g., I built an (internal) corporate network that uses this approach because that completely avoids the need for any DNS servers and thus any DNS software and thus all security problems either associated with the protocol itself or its implementation. This doesn’t work for everyone, of course, and it doesn’t work well for most Internet-facing deployments.
But it does work extremely well for pirates, because out of the entire alphabet soup of DNS records, the only ones relevant to pirates are the addresses records: A for IPv4, AAAA for IPv6. That’s only a fraction of the data found in most contemporary DNS zones.
Which is probably why we’re now seeing this make a comeback. It’s not big — yet. But I’ve spotted it twice, and I’m not even looking for it, so my observations are likely an undersample. Sure, there are a lot of pirate sites, and sure, they change fairly often, but there are far better and faster ways to distribute a simple text file or 50 than FTP’ing it from SRI-NIC.
The Berne convention
It should come as no surprise that France is at the forefront of this. Victor Hugo (and the association he created) was one of the main architects behind the Berne convention which governs international copyright law. It’s kind of funny that his legacy is turning us into Les Miserables.
To all the people that bitch about my stance on free speech: Situations like this are why I don’t endorse government-sponsored censorship. The Devil paves the road to Hell with the best intentions of Man.
DNS providers should respond
Dear French Government
France has laws outlawing slavery and theft. In this spirit we enclose a quote for setting up a French residents-only DNS service, including of course the money required to staff this service for the first year of operation. Further years of service can be purchased at the beginning of each (French) financial year.
Once payment has been made we will endeavor to block DNS resolution as requested once you have provided us with a full list of all IP address ranges used by your citizens. When we receive this list from you we will spin off a team who will start setting up rules redirecting French traffic to your own private DNS service.
You will note that the above plan only covers DNS requests originating from France (and of course its colonies around the globe). It will not prevent citizens of other nations viewing your apparently riveting French football games or whatever else you are worried about users seeing. Should you wish us to censor the entire globe you just need to provide us with letters from all the other nations around the world consenting to France deciding what their citizens are permitted to access on the internet.
Signed
[DNS provider]