No, COICA Will Not Break the Internet

Gavel

Last fall I wrote an article about Sen. Leahy’s proposed legislation—the Combating Online Infringement and Counterfeits Act (COICA)—that summarized the criticism of the bill and provided a rebuttal to those arguments. Since last year the issue of online piracy has not abated and the opposition to the legislation remains as heated as ever. Since COICA draws heavily on ideas proposed by ITIF in the report “Steal These Policies: Strategies for Reducing Digital Piracy,” I think it is appropriate to respond again to some of these concerns. As part of a two-part blog series, I would like to dive deeper into the two main objections to COICA: 1) that it will break the underlying technical foundations of the Internet and 2) that it is a direct threat to and contradiction of the U.S.’s commitment to global Internet freedom.

In this post, I will address the first objection, i.e. that COICA represents a threat to the technical integrity of the Internet. This argument has been put forth by organizations like the Electronic Frontier Foundation (EFF) who argue that it will “undermine basic Internet infrastructure” and the Public Interest Registry (PIR) who boldly claim that the legislation “breaks the Internet.”

First a quick review of what is in the legislation (for a detailed overview, see my original article). COICA authorizes the creation of a government blacklist of websites “dedicated to infringing activities.” Then it provides remedies for restricting access to these sites. For domestic sites, COICA is fairly straightforward in that it requires domain name registries and registrars to suspend the domain names of these websites. Foreign sites are trickier since most of these sites are immune from legal action in the United States. For infringing websites located abroad COICA creates three new enforcement mechanisms: 1) requiring ISPs and other service providers operating DNS servers to not resolve IP addresses for domain names appearing on the government blacklist; 2) requiring financial transaction providers to no longer process payments for these websites; and 3) requiring advertisers to no longer advertise on these sites. Most of the technical objections to COICA stem from the first of these three methods.

To understand the debate, you must understand how DNS works. DNS is like a global phonebook for the Internet providing users a number that corresponds to each name. Before a user can visit a domain name (e.g. www.itif.org), his or her computer must first discover the IP address associated with that web address (e.g. 69.65.119.60). DNS servers provide this service to users by translating domain names into IP addresses through a recursive process. Most users rely on the DNS servers of their local ISP for this service and it is these DNS servers that are the principle target of COICA. If a site appeared on the government blacklist, e.g. www.watch-pirated-videos.tv, then the DNS servers would be instructed to no longer resolve an IP address for that domain. And without this IP address, users cannot visit these infringing websites.

COICA would require ISPs and other DNS service providers to “take technically feasible and reasonable steps designed to prevent a domain name from resolving to that domain name’s Internet protocol address.” Opponents of COICA decry this as government intruding on the basic functioning of the Internet. Groups like EFF even inject moral language into the debate arguing that COICA prevents servers from “telling you the truth about a website’s location.” After all, lying is bad. Or is it? Once a DNS server knows that a website is illegal, why should it be obligated to help others find this website?

Critics lament that by preventing DNS servers from responding with “the truth, the whole truth, and nothing but the truth” COICA will sabotage DNS Security Extensions (DNSSEC), a recent upgrade to DNS that seeks to improve the security of the DNS system. Part of the problem is that the current DNS standard does not provide a mechanism by which a DNS server can tell the requester “the site may exist, but it is illegal so I am not going to find the answer for you.” Instead, the server must choose a less eloquent response, such as not replying (a bad idea since the user will just keep asking), replying that the domain does not exist, or replying with an incorrect address.

However, this problem appears to be the result of a deficiency in the current DNS protocol (perhaps a result of the ideological stance of its authors) rather than any true technical limitation. It could be addressed fairly simply by modifying the standard to support these additional types of responses (indeed, one such modification has already been developed). Such a change would not be needed simply for the benefit of the U.S. government. Blacklists are a fairly common tool among ISPs where they have been used for years in as a means of combating spam and protecting users. In addition, many DNS resolvers routinely return different answers to users as part of a service, such as to provide parental filters, correct typos in URLs, or to provide search results in lieu of a basic “domain not found” error.

Not surprisingly some of those who have been involved in writing the DNS protocol chafe at the idea of government interference in their work. One of the most vocal opponents of COICA has been Dan Kaminsky (famous for finding the “Kaminsky bug” in DNS) who claims that the bill will provoke a mass exodus of users from U.S.-based DNS servers to foreign DNS servers. He believes that users will not sit by idly as U.S.-based DNS servers block access to pirated content, but instead will switch to foreign DNS servers outside of the reach of COICA. As a result, Kaminsky charges, the legislation would be completely ineffective and “have no impact on the piracy rate.”

Kaminsky’s argument is based on three assumptions: 1) that changing DNS servers is trivial, 2) that users will decide to do this, and 3) that alternative, non-U.S. based DNS servers will be available. The first assumption is true: for a moderately-savvy user changing DNS servers is easy (to see just how easy it is for a Windows user, check out the 11 steps to switch to Google’s DNS service). The other two assumptions, however, are not supported by the facts.

While switching DNS servers may be incredibly easy, it is still beyond the comfort level of many Internet users.  Moreover, as Kaminsky acknowledges, users who switch to foreign DNS servers expose themselves to many security risks if they cannot trust the responses from these servers.  For example, while the name servers may reliably return the correct IP address for a Russian MP3 site, they might not return the correct address for Bank of America. How many users are willing to risk their identity and financial information just to download a few songs? Similarly, the DNS server that a person uses can collect a fairly detailed record of an individual’s browsing history which presents obvious privacy risks. Would most users trust their entire browsing history to an unregulated, foreign company?

Using a foreign DNS server also could result in substantial decreases in performance for many users. You usually get what you pay for, and a free foreign DNS service is likely to be substantially slower than the DNS servers offered by local ISPs. How many users would tolerate a few extra seconds of delay every time they click a link?  In addition, users of foreign DNS servers would likely see another performance hit when accessing websites using content distribution networks like Akamai because foreign DNS servers would point them to the CDN content servers closest to the overseas DNS server not the user.

Aside from practical matters there is also the obvious question of who would be willing to provide such a service.  If, as Kaminsky argues, virtually every American user leaves their local DNS server who would provide all of the computing power necessary to process these DNS requests?  And more importantly, who would pay for it?

Finally, Kaminsky argues that in countries with high levels of censorship on the Internet “we see tremendous awareness and adoption of proxying and VPN technologies, even among the nontechnical.” Yet again, the facts do not support this claim. Researchers at the Berkman Center for Internet & Society at Harvard University found that “no more than 3 percent of Internet users in countries that engage in substantial filtering use circumvention tools. The actual number is likely considerably less.” The probability of a large majority of U.S. users abandoning their current DNS providers is not very high.

Online piracy continues to be a significant problem online. While COICA will not eliminate piracy—it will certainly not stop a determined user–it is a step in the right direction. Moreover, it will provide law enforcement new means by which it can reduce the profitability and ease of running copyright infringing websites.

Next up: COICA and its implications for global Internet freedom.

Photo credit: Flickr user Joe Gratz

Print Friendly

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.
  • Daniel Castro

    To clarify, in the updated draft of the legislation the “government blacklist” only contains websites that courts have issued orders against.

  • Leahy_v_Vermont

    utter nonsense. mr. kaminsky is referring to a site changing to a non-us controlled registrar (not .com but rather .info, another perfectly valid gtld), thus outside the control of the doj and their extra-judicial pursuits.the entire dns industry is opposed to this un-constitutional legislation on practical grounds: http://bit.ly/hiDmzx

  • Richard Bennett

    Here, in 2010, I’ve finally concluded that we have to do the same in DNS [as we did for spam]. I am just not comfortable having my own resources used against me simply because I have no way to differentiate my service levels based on my estimate of the reputation of a domain or a domain registrant. So, we at ISC have devised a technology called Response Policy Zones (DNS RPZ) that allows cooperating good guys to provide and consume reputation information about domain names. The subscribing agent in this case is a recursive DNS server, whereas in the original RBL it was an e-mail (SMTP) server. But, the basic idea is otherwise the same. If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it’s possible to either create and maintain these rules locally, or, import them from a reputation provider.

  • Richard Bennett

    Posterous ate part of my comment. The quote is from http://www.circleid.com/posts/20100728_taking_back_the_dns/, read the whole thing.