Last year’s Combating Online Infringements and Counterfeits Act (COICA) was a hot topic at State of the Net earlier this week. On a panel dedicated to debating the domain-blocking bill, CDT’s David Sohn reiterated our concerns with its approach, foremost among them that DNS-blocking will be an ineffective infringement remedy that will compromise the stability and security of the DNS.
I want to focus on one portion of this argument, which concerns the risks that will flow from the circumvention of efforts to block domain resolution. CDT and others contend that many users, when confronted with a blocked domain, will take the simple steps required to change their DNS provider to one not obliged to block. In addition to undermining the effectiveness of blocking at stopping infringement, switching DNS providers could create new problems for cybersecurity. Such a provider may offer resolution of blocked domains, but may also be less reputable or trustworthy than other providers, opening up users to new risks of phishing and other attacks. (For more, see CDT’s memo on the bill.) In addition, security expert Dan Kaminsky has argued that migration away from ISP-provided DNS servers will rob ISPs of their “eyes and ears” for monitoring attacks.
Daniel Castro, a COICA proponent also on Tuesday’s panel, takes issue with this argument. He believes that switching DNS providers will be beyond the technical comfort level of most Internet users, and that the security and privacy dangers of doing so (as well as the potential decrease in performance if the new provider is overseas) will serve as a deterrent to making the switch. It is likely, however, that changing providers will require no technical savvy whatsoever. Sites that find themselves the subject of blocking orders will likely offer simple programs that make the switch automatically. Castro may be correct that many users will not understand how to manually update their DNS settings (although instructions abound), but I have no doubt that they will understand “Broken link? Click HERE to fix your settings and get your movie.”
And if, as Castro argues, it’s beyond the technical understanding of average users to manually update their DNS settings, I seriously doubt they’ll be contemplating the security, privacy, and performance risks of switching. In that moment when a determined infringer wants to stream a movie and finds a broken link, will she consider the repute or location of a DNS server, or will she just click the link that changes the setting that lets her get the movie? Ten-plus years of experience with p2p may be instructive: networks like Kazaa and Limewire were often linked to increased virus and malware risk — the Kazaa client was even bundled with adware and spyware — but still managed to attract huge numbers of users.
Castro also tries to dismiss the argument that blocking orders may interfere with ISPs’ rollout of the DNS Security Extensions (DNSSEC). He suggests that if refusing to point to certain sites is incompatible with DNSSEC, perhaps the solution is “modifying the standard.” But changing DNS — a fundamental component of the Internet — is not that simple. The standards community has been working on DNSSEC for over 10 years, and we’re only beginning to see deployment. Tweaking the system is easy to suggest, but is a tremendous undertaking. Would it be worth it to enable an intellectual property enforcement mechanism that will have so little lasting impact on infringement?