Proposed Revision to SOPA: Some Welcome Cuts, But Major Concerns Remain
Written by David Sohn
Yesterday afternoon, House Judiciary Committee Chairman Lamar Smith released a proposed substitute amendment for SOPA, the sweepingly broad anti-piracy bill introduced in October. The amended version is scheduled to be considered by the Judiciary Committee on Thursday.
Based on an initial read – and the amended bill still clocks in at over seventy pages, so further lurking issues may emerge with more analysis – it appears that Chairman Smith has addressed some of the bill’s most egregious faults. However, he was starting from a very low baseline; the original bill contained many hugely problematic elements, which is why it has drawn such a massive outpouring of opposition. The amended bill still fails to fully embrace a narrowly targeted, follow-the-money approach. (Senator Wyden and Representative Issa recently issued a concrete proposal showing what that might look like.) Thus, the revised version of SOPA continues to raise major concerns.
Let’s review the improvements first. On the plus side, the amended version of SOPA:
- Drops the ill-conceived idea of empowering private rights holders to demand that websites be cut off from financial and ad networks, based on mere allegations.
- Drops the language that effectively required online service providers to constantly monitor user behavior, by declaring them “dedicated to theft” if they “avoid confirming” infringing user behavior.
- In the section creating a private right of action, reworks the key definition so that sites need to have bad intent to be considered “dedicated to theft.”
- Adds language to ensure that court orders under this legislation don’t eliminate the practical availability of the safe harbor set forth in section 512 of the DMCA. (The safe harbor is not available to parties with knowledge of specific infringement – so if every court order under SOPA were deemed to give service providers such knowledge, safe harbor protections would cease to be meaningful and all websites would need to engage in constant proactive monitoring for sites targeted by court orders.)
On the negative side, serious problems remain. SOPA would still carry dangerous consequences for innovation in online communications tools, for online free expression, and for cybersecurity.
- The bill still includes domain-name filtering – the very tactic CDT warned the Committee against in our March hearing testimony and in much of our writing on the topic ever since. The new version may not strictly require ISPs to engage in domain-name filtering, but it does demand that they take steps to “prevent access” to targeted websites. And it states that if they employ domain-name filtering, they get “safe harbor” certainty that they have sufficiently complied. So it’s pretty clear what any competent general counsel would recommend that the ISP do. It’s worth noting, too, that this obligation can be put on any “service providers,” a term defined in the bill as “an operator of a nonauthoritative domain name server” – a pretty strong signal that DNS filtering is what’s really on the table. And really, what other viable tactics would an ISP have at its disposal? Other means of “preventing access” involve constant surveillance of the bitstream of the ISP’s entire user base in order to identify communications with rogue sites. That’s not an appealing option from a cost perspective or from a privacy perspective.
In short, the practical result of requiring ISPs to “prevent access” will be domain-name filtering. And that carries all the negative consequences that CDT has previously described. It undermines cybersecurity, sets a dangerous international precedent towards further balkanization of the Internet, and risks inadvertent impact on lawful content.
- The amendment tries to sidestep the cybersecurity problems of domain-name filtering in a few different ways. All are unsuccessful. First, it states that ISPs need not re-direct traffic (the bill previously had contemplated re-directing users to a DoJ warning page, but re-direction is blatantly inconsistent with the emerging security upgrade known as DNSSEC). But simply not answering domain name requests leaves users in limbo, with the impression that something is broken. ISPs can’t afford a new barrage of service calls from confused subscribers. If they have to do domain-name filtering, they’re going to want to provide re-direction to some kind of explanation. They can’t do that and implement DNSSEC too. So the bottom line is, the bill would create a strong incentive for ISPs not to move forward with DNSSEC. That’s a blow to security.
Moreover, domain-name filtering causes significant security problems even without re-direction. Top domain name system (DNS) engineers have made this point directly; DNSSEC can’t play its intended role as a valuable security platform if government creates a gaping ambiguity and loophole by demanding that ISPs take actions that, from the technical DNSSEC perspective, are indistinguishable from true attacks. And as Sandia National Labs described in its discussion of the cybersecurity threat posed by DNS filtering, the tactic’s security risks are not limited to the negative impact on DNSSEC.
Second, the amendment tries to brush off cybersecurity problems by saying that nothing in the bill shall be construed to create obligations that would impair the security or integrity of the domain name system. But courts, tasked with ruling in particular cases, won’t have the relevant evidence or expertise to draw conclusions about the overall impact on the domain name system. Domain-name filtering is expressly cited in the bill as a way for ISPs to comply with the legislation; would a court really conclude that the bill’s general statement about DNS security and integrity is intended to override the explicit approval of domain-name filtering? Moreover, court orders are likely to direct ISPs to “prevent access” and then leave to ISPs the question of how to do it. Since the court isn’t ordering specific action, it’s unlikely to feel it is in any position to analyze specific consequences for DNS security.
Third, the amendment calls for a study of the effects of the ISP obligation to “prevent access.” This is shoot first, ask the tough questions later. The impact of imposing filtering obligations on ISPs should be fully considered before it is written into federal statute. After all, the bill does not contain any sunset provision; the measures it proposes would, if enacted into law, likely be with us for a long, long time.
- The amendment’s modified definition of sites that can be targeted for suits by the Attorney General remains entirely open-ended. Any site is subject to prosecution as an “infringement site” if its domain name, were it domestic, would be eligible for seizure. Seizure law allows for seizure of any property that is used “in any manner or part” to commit or facilitate illegal activity. That means a website with 99% lawful activity and no bad intent can qualify as an infringement site based on a small amount of infringing activity by users. End result: The A.G. would have carte blanche to go after virtually any user-generated content site, whenever it wants to. They are all punishable as “infringement sites” by the terms of this bill.
- By including a private right of action, the amendment still undermines the predictable legal environment that the DMCA sought to create for online services. Under current law, a site that complies with section 512 of the DMCA gets safe harbor protection against copyright suits seeking monetary damages. But under SOPA, that same site could still face lawsuits seeking to cut off its sources of revenue. In effect, a litigious rights holder gets a second bite at the apple, this time without having to worry about that pesky safe harbor. That’s bad for online innovation, as it gives rights holders a powerful club with which to threaten emerging online services.
- That risk might be reduced if the private right of action were strictly limited to foreign entities that would otherwise be outside U.S. jurisdiction. But the bill would allow suits against any website registered to a non-U.S. domain name, even if the parent company is U.S.-based. So U.S. Internet companies with sites registered in foreign country domains would be fair game. That’s evident from the fact that the bill, in both sections 102 and 103, talks about “in personam” actions – it envisions actions against parties that are fully subject to U.S. jurisdiction, even though such parties are already subject to strong legal tools to address infringement.
As a final note, the amendment specifies that nothing in the bill shall be construed to impose a duty to monitor or a technology mandate. While these provisions are perhaps well intentioned as efforts to address concerns that have been raised, the protection they are likely to offer is marginal. That’s because SOPA was never about creating an explicit, statutory duty to monitor or to build technology a certain way. The threat has always been that it imposes new legal risks and gives rights holders new tools to bully online service providers – with the result that service providers feel the need to monitor or to implement certain technologies in order to self-protect. That’s an outcome that would be bad for innovation and online expression, but it’s not a black-and-white statutory mandate. So it’s an outcome that isn’t addressed by a statement that the law creates no affirmative duty.
UPDATE: Opponents of the bill are looking to Internet users to weigh in today, before the Thursday markup.