The roadside of what used to be called the information superhighway is littered with the corpses of bloated, partisan, or ill-conceived legal attempts to protect a model of intellectual property still based on physical media.
Back in 2006, the mother of poorly executed attempts to tackle online piracy was the Anti-Counterfeiting Trade Agreement (ACTA). This draft agreement would come to be highly influential in the drafting of PIPA/SOPA four years later, which we’ll come to shortly.
ACTA was proposed as a global trade agreement, drafted and negotiated in secret with only participating governments and industry lobbyists at the table. NGOs, organizations representing citizens’ rights, and developing nations were excluded. ACTA established its own governing committee outside the purview of the G8, the World Trade Organization, and the World Intellectual Property Organization, seemingly to protect the vested interests of large corporations and a small group of governments.
The signing of ACTA in 2012 drew street protests around the world, particularly within the EU, where tens of thousands of people took to the streets. An open letter with 57 international signatories stated that ACTA threatened “fundamental freedoms online, net neutrality, innovation, access to and sharing of free/libre/open technologies, education, culture, essential medicines and seeds.” The European Parliament rejected the treaty later that year, and it was subsequently abandoned, ratified only by Japan.
Legislation Plays Catch-Up
By its very nature, legislation often trails in the exhaust of innovation. New technologies surface, existing ones are repurposed, and entire industries are disrupted in very short time periods.
The entertainment industry might have felt these disruptions more acutely than other industries. Physical distribution formats with ever-decreasing lifetimes (vinyl, cassette, VHS, CD, LaserDisc, DVD, MiniDisc) gave way to software distribution, which rapidly succumbed to streaming. Many people now prefer to rent access to media rather than own it, yet despite this trend, piracy and copyright infringement continue to boom. In 2017, U.S. web users made an average of 71 visits per user to piracy-related websites, an astonishing 20.3 billion visits that year.
In 2010 and 2011, several proposed laws made a stab, perhaps understandably, at cracking down on digital piracy and the theft of copyrighted material. The 2010 Combating Online Infringement and Counterfeits Act (COICA); its rewrite, the PROTECT IP Act (PIPA, the somewhat forced acronym for “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act”), a Senate bill introduced by Patrick Leahy (D-VT); and the 2011 Stop Online Piracy Act (SOPA), a similar House bill introduced by Lamar Smith (R-TX), were all so woefully ill-informed technologically that they triggered a massive online outcry and protest movement. All three have languished since early 2012.
The bills initially contained proposals for the use of the Domain Name System (DNS) as a blunt instrument to block access to sites that were merely accused of hosting, or even linking out to, copyrighted content. Recursive DNS resolvers operated by U.S. service providers would be required to stop the domain names of allegedly infringing websites from resolving to their IP addresses, and search engines would be required to delist sites that contained copyright-infringing content, blocking entire domains for potentially one infringing post or page. In an extreme but entirely possible scenario, a legitimate site such as YouTube could have been blocked in its entirety because one user posted copyrighted content. The bills also proposed to impose liability on hosts for any links that pointed to disputed content, and would have obliged service providers to investigate their customers’ online activity at the behest of the authorities.
For sites and services populated with user-generated content, this could mean being forced to close down, being obliterated from search results, or even having a domain name seized — all as a result of the actions of users who are beyond their control.
Sledgehammer to Crack a Nut
These proposals were both draconian and a technical threat to the very structure and reliability of the internet in general and DNS in particular, conceived by nontechnical legislators on the testimony of nontechnical witnesses.
A logical consequence of DNS filtering would have been wholesale migration to “unofficial” DNS resolvers outside U.S. jurisdiction that simply ignored the blocklist. A resolver that users have been pushed into trusting can return whatever answers its operator likes, so such unregulated resolvers would very rapidly have become a hotbed of malicious activity: redirection to phishing pages, malware drops, and ad injection. Does anyone remember the kinds of malicious files inadvertently downloaded over LimeWire or eMule? Multiply that by a million.
It also would have had a serious impact on the adoption of DNSSEC, the extension to DNS that cryptographically signs zone data so that a resolver can verify an answer really came from the domain’s operator and was not altered in transit, and which thankfully has been gaining traction in the years since. A validating resolver cannot tell a court-ordered false answer (a forged “no such domain” or a redirect to a notice page) from a cache-poisoning attack: both fail signature validation and both produce an error. Mandated filtering would therefore have forced operators either to abandon validation or to strip signatures, the very protections DNSSEC exists to provide.
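To make the conflict concrete, here is a small simulation, added here and not code from the original article, of a signed zone, a resolver compelled to block a name, and two kinds of client. A real validating resolver checks RRSIG records against the zone’s DNSKEY and a chain of trust; in this model an HMAC over the canonical record with a single zone key stands in for that signature so the script runs offline. The zone name, key and addresses are constructed sample data.

```python
"""Why a DNS-filtering mandate collides with DNSSEC, in miniature.

Added example, not code from the original article. An HMAC with a single
zone key stands in for the RRSIG/DNSKEY machinery of real DNSSEC; names,
keys and addresses are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the zone's private signing key.
ZONE_KEY = b"example-zone-signing-key"

# Constructed signed zone with a single A record; any other name is a real NXDOMAIN.
ZONE: Dict[Tuple[str, str], str] = {("video.example.", "A"): "203.0.113.10"}


def canonical(name: str, rtype: str, rdata: str) -> bytes:
    """Canonical form of one record: the bytes the zone signature covers."""
    return f"{name.lower()}|{rtype}|{rdata}".encode()


def sign_rr(name: str, rtype: str, rdata: str) -> str:
    """Stand-in for RRSIG. Only the zone operator holds ZONE_KEY."""
    return hmac.new(ZONE_KEY, canonical(name, rtype, rdata), hashlib.sha256).hexdigest()


@dataclass
class Answer:
    name: str
    rtype: str
    rdata: str            # an address, or "NXDOMAIN" for a negative answer
    rrsig: Optional[str]  # None models a response with the signature stripped


def authoritative(name: str, rtype: str) -> Answer:
    """The zone's own server: every answer, including denial of existence, is signed."""
    rdata = ZONE.get((name, rtype), "NXDOMAIN")
    return Answer(name, rtype, rdata, sign_rr(name, rtype, rdata))


def filtering_resolver(name: str, rtype: str, blocklist: Set[str], mode: str) -> Answer:
    """A recursive resolver compelled to block listed names.

    It cannot sign data the zone never published, so however it blocks,
    the answer is a forgery from DNSSEC's point of view.
    """
    real = authoritative(name, rtype)
    if name not in blocklist:
        return real
    if mode == "nxdomain":   # pretend the name does not exist
        return Answer(name, rtype, "NXDOMAIN", real.rrsig)
    if mode == "sinkhole":   # redirect to a notice page
        return Answer(name, rtype, "198.51.100.1", real.rrsig)
    if mode == "strip":      # redirect and drop the signature entirely
        return Answer(name, rtype, "198.51.100.1", None)
    raise ValueError(f"unknown mode {mode!r}")


def validating_client(ans: Answer) -> str:
    """DNSSEC-aware stub: returns the data only if the signature verifies, else SERVFAIL."""
    if ans.rrsig is None:
        return "SERVFAIL"
    expected = sign_rr(ans.name, ans.rtype, ans.rdata)
    return ans.rdata if hmac.compare_digest(expected, ans.rrsig) else "SERVFAIL"


def legacy_client(ans: Answer) -> str:
    """Pre-DNSSEC stub: believes whatever the resolver says."""
    return ans.rdata


if __name__ == "__main__":
    blocked = {"video.example."}
    for mode in ("nxdomain", "sinkhole", "strip"):
        ans = filtering_resolver("video.example.", "A", blocked, mode)
        print(f"{mode:9} validating={validating_client(ans):13} legacy={legacy_client(ans)}")
    # A name that genuinely does not exist validates as NXDOMAIN: authenticated denial.
    print("absent    validating=" + validating_client(authoritative("nosuch.example.", "A")))
```

Whichever blocking method the resolver uses, the validating client sees only SERVFAIL, the same result a poisoned cache would produce, while the legacy client happily follows the forged answer. The only way to make a validating client “see” the block is to turn validation off, which is why the bills and DNSSEC deployment pulled in opposite directions.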
And 2018 offers a new challenge. The General Data Protection Regulation (GDPR), which became enforceable in May 2018, is, by and large, a Very Good Thing. The GDPR was drafted to protect individuals’ personal data from unsanctioned collection, use, sharing, or storage.
While this regulation is European in origin, it is global in scope, because any organization offering goods or services to people in the EU, or processing their personal data, has to comply wherever it is based. It enshrines a person’s right to know who is holding data about them, what that data is, and what it is being used for. It also gives us the right to request portability of that data, or even outright deletion, and obliges organizations to notify their supervisory authority of a breach within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay where the breach poses a high risk to them. This represents a huge step forward in consumer protection, in handing control of data back to the data subject, and is at least a step toward helping individuals understand the value of their personal data.
The Law of Unintended Consequences
And yet even this laudable project is not immune from the law of unintended consequences. One of the public registries of personal data that is of great value to the security industry and law enforcement is WHOIS, a register of the organizations and individuals to whom DNS domains are registered. As a result of the GDPR, WHOIS is going dark.
Registrars, concerned they may fall foul of the requirements of GDPR, are no longer publishing the directories that allow security organizations to identify and block malicious infrastructure, often before it is even used in attacks. These directories are also invaluable in countless legal investigations into online crime.
Removing the security community’s access to WHOIS data will thwart several existing cybersecurity mitigation techniques, from pivoting on a registrant’s email address to uncover related malicious domains to blocking newly registered infrastructure before it is used, and will further empower attackers to scale their infrastructure and run more persistent campaigns. Loss of access will lead to a material increase in the damage caused by cyber-attackers. As a community, security experts remain engaged with the EU and with ICANN to find a way to overcome this obstacle.
The law enforcement and security communities continue to work in the best interests of individuals, making the world safe for exchanging digital information. However, far greater integration and inclusion of our industry in the machinery of international legislation and regulation is required.
Post–Cambridge Analytica, regulation of internet services has never been higher up the political agenda. But the task of drafting effective and carefully designed legislation demands an expertise, and an understanding of unintended consequences, that has rarely been in evidence in proposed technology regulation. If the recent U.S. Senate questioning of Mark Zuckerberg and the looming prospect of greater regulation are anything to go by, legislators need all the help they can get.