Perhaps SOPA Should Be Called The Stop Online PRIVACY Act
from the unintended-consequences? dept
From piracy to privacy
Critics of the Stop Online Piracy Act and its Chinese Firewall approach to combatting Internet piracy have hammered the ill-advised legislation for the predictable damage it would inflict on cybersecurity, innovation, and above all, free speech. More than a hundred eminent law professors—including such renowned constitutional scholars as Harvard's Laurence Tribe—have blasted blocking provisions in SOPA (and its Senate counterpart PROTECT-IP) as a form of "prior restraint" of speech prohibited by the First Amendment. Yet SOPA also poses less obvious risks to the privacy of Internet users—risks which have received far less attention.
"We tend to treat freedom of speech issues on the Internet as matters of censorship," former White House technology advisor Andrew McLaughlin recently explained to The Wall Street Journal, "but the real threat is surveillance." Censorship and surveillance are natural partners: Monitoring alone often chills speech as effectively as blocking, and content prohibitions naturally give rise to monitoring designed to identify prohibited content. So it is likely to be with SOPA.
Under the notice-and-takedown approach to copyright infringement embedded in the Digital Millennium Copyright Act, Web platforms aren't expected to actively police the content uploaded by their users: They're only expected to comply with requests to remove specific files identified by rightsholders. Under SOPA, however, a site can be branded as "dedicated to theft of U.S. property" if, in the statute's bizarre wording, its owner "is taking, or has taken deliberate actions to avoid confirming a high probability" of infringement. Sites merely accused of insufficient diligence risk being starved of revenue from ad networks or payment providers.
These dire consequences provide a powerful incentive for legitimate sites to implement some form of automated monitoring of user-uploaded content, lest they be accused of "deliberately avoiding" awareness of infringement. Sites that do so can be expected to modify their terms of service—lengthy blocks of legalese, which users seldom read closely—to authorize such scans. As many analysts have pointed out, the friction and overhead costs involved in implementing such filters burden both innovation and legitimate "fair uses" of copyrighted content. But such scanning may also have unanticipated knock-on effects on the level of legal privacy protection to which user communications are entitled.
Much infringing content is posted on the public Internet for all to see. But infringement can just as easily occur in more limited, private forums. A pirated file can also be sent as an e-mail attachment, shared exclusively with a circle of friends on a social network, or uploaded to a cloud storage site behind a password wall. A comprehensive scan would have to include these as well—potentially affecting how content is treated under both federal statute and the Constitution. In short, SOPA incentivizes private cloud providers to change their practices in ways that may lower legal barriers to government acquisition of private communications—even for investigations having nothing to do with copyright.
Enter the Fourth Amendment
Courts have only depressingly recently begun recognizing that some forms of cloud-stored data are entitled to the protection of the Fourth Amendment. But Fourth Amendment analysis focuses on whether an individual enjoys a "reasonable expectation of privacy" in the information a government agent seeks to obtain. If files or messages are routinely scanned for infringing content by skittish cloud providers, courts may be more likely to find that the user's expectation of privacy—and any Fourth Amendment protection that accompanies it—has been waived. Even the lesser privacy protection afforded by the Electronic Communications Privacy Act depends in part on the provider having limited access to user files and messages, which means more scans that are not obviously a necessary part of providing a particular cloud service could provide a basis for questioning the statute's applicability.
Let's be optimistic, though, and assume that the law will be interpreted to preserve the privacy protection of user-uploaded content, even if it has been scanned in this way. That protection is still less likely to extend to any logs generated by a provider's scans. Insofar as these logs indicate which users have been flagged for uploading suspect files, or for sending links to suspect sites, they would reveal information about user content, but could easily be treated as ordinary business records accessible to government via a mere subpoena or other lesser process, rather than a full Fourth Amendment search warrant.
Would DNS redirection violate wiretap laws?
Finally, it's worth considering some potential effects of falsifying DNS records to redirect traffic bound for foreign sites deemed verboten by the Department of Justice. While SOPA leaves open what happens when someone attempts to reach a blocked site, PROTECT-IP explicitly suggests that a blocking notice chosen by the Attorney General should be shown to users seeking to reach those sites. That suggests that PROTECT-IP could be implemented using a scheme similar to that used by the Department of Homeland Security for seizing U.S. sites, which are pointed to a notice of seizure at 188.8.131.52.
Much here depends on the details of implementation, but such redirection creates a possible backdoor mechanism for the collection of information that normally requires a court order. Ordinarily, when the government wants to acquire communications metadata in real time—to find out who is communicating to or from a particular phone, e-mail account, or IP address—it must get what's known as a "pen register" (for outgoing information) or "trap and trace" order (for incoming information) authorized by a judge. The standard for these orders is far lower than the "probable cause" needed for a full-blown wiretap, but they do still require some showing of relevance to an ongoing investigation of a specific crime that the government believes has been or is about to be committed.
If requests for pages hosted at InfringingContent.com, CheapViagraPills.net, or SexyMidgetVideos.org are instead sent to a blocking notification page on a government-controlled server, that server's logs will effectively capture the IP address of every user who has attempted to initiate a communication with a blocked domain (unless they're using a proxy or other anonymizing tool). This is especially worrisome in cases where the site in question might host content that is controversial for reasons beyond copyright status.
Potentially still more problematic—and again, depending heavily on the implementation details—such redirection could cause communications intended for one domain to be redirected to the government's notification server, which would technically constitute an illegal "interception" under federal wiretap law even if the notification server were not configured to accept or record any of that data. The simplest way this might happen is if a DNS server operator interpreted the law as requiring modification of a blocked domain's mail server (or MX) record. But even an ordinary HTTP page request will often contain some forms of "content": search queries, login credentials, a user agent string, or cookies placed by the blocked site during previous visits. And of course, DNS is not only used by web browsers, but by other clients operating on other communication protocols. The host currently used by DHS to provide seizure notification only appears to keep port 80 (HTTP), 443 (SSL), and 3389 (terminal services) open, but those settings can be easily changed at any time, before or after redirection begins. In effect, DNS hijacking puts the government on the honor system with respect to communications directed at or through a seized domain. The alternative—failure to resolve without redirection—results in censorship without transparency, as government blocks become indistinguishable from technical or other sources of connection failure.
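To make the "content" point concrete, the following added example (not part of the original article) parses the request a browser would send after a redirected DNS answer and lists what the substituted server receives. The domain `blocked.example`, the request and all values in it are constructed, and the function name is hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the bytes a browser sends when blocked.example resolves
# to a notice server instead of the real site. Every value here is invented.
SAMPLE_REQUEST = (
    b"GET /search?q=medical+question HTTP/1.1\r\n"
    b"Host: blocked.example\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: session=abc123; prefs=dark\r\n"
    b"Authorization: Basic PLACEHOLDER\r\n"
    b"\r\n"
)

def exposed_to_redirect_target(raw: bytes) -> dict:
    """Return the request fields delivered to whichever host DNS pointed at."""
    # Only the header section matters here; a POST body would add more content.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    cookies = SimpleCookie(headers.get("cookie", ""))
    return {
        # The browser still names the site the user meant to reach.
        "intended_host": headers.get("host"),
        "method": method,
        "path": url.path,
        # Content categories the article lists: queries, cookies, credentials.
        "query": parse_qs(url.query),
        "cookies": {name: morsel.value for name, morsel in cookies.items()},
        "user_agent": headers.get("user-agent"),
        "credentials_sent": "authorization" in headers,
    }

if __name__ == "__main__":
    for field, value in exposed_to_redirect_target(SAMPLE_REQUEST).items():
        print(f"{field}: {value}")
```

The browser sends these fields before any response arrives, so they reach the substituted host whether or not it is configured to log them.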
From worries about its impact on DNSSEC to fears of providing cover for repressive regimes abroad, it's hard to keep track of all the different reasons to oppose domain censorship as an anti-piracy strategy, but there are strong grounds for adding its effect on privacy to the long, growing list.