Afilias Says "No" to SOPA

The Stop Online Piracy Act (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why.

First, let us say that Afilias supports SOPA's ultimate outcome, which is intellectual property protection. The protection of intellectual property is as important to technology companies as it is to musicians and movie producers. However, if the US is to attempt to tackle the problem with legislation, it should do so in a way that does not increase risk to its citizens and reduce confidence in the Internet.

One significant problem with SOPA is technological. Afilias is a strong supporter of DNSSEC, the next-generation security standard for trustworthy DNS, but some of the provisions of SOPA threaten to undermine the security leaps that the technology is ready to create. DNSSEC promises to make the DNS more reliable, mitigating the risk of phishing and pharming. Chains of trust, connecting through a distributed network of cryptographic signatures, will enable applications to ensure that criminals do not tamper with domain name queries.

For DNSSEC to reach its full potential, though, the chains of trust must be end-to-end; the standard was developed to prevent DNS-based man-in-the-middle attacks. SOPA, however, would require ISPs to execute what DNSSEC would interpret as a man-in-the-middle attack every time they are forced to block an allegedly abusive domain name. If applications are unable to tell the difference between a criminal attack and a legal, court-mandated interception, DNSSEC could become virtually useless.

The legislation would also make it easier for criminals to engage in many types of online fraud, including identity theft. This unintended consequence would come about largely as a result of user behavior.

SOPA would require American ISPs to redirect or ignore DNS queries destined for allegedly infringing websites; however, their customers are under no obligation to use their ISP for DNS service and these blocks will be trivial to circumvent. Even today, millions of Internet users choose to take their DNS from third-party services such as OpenDNS and Google since switching providers takes just a few minutes and requires virtually no technical knowledge. Now, even before SOPA passes, we're already seeing the emergence of rogue overseas DNS providers — some of them operating via easy-to-install browser plug-ins — that promise to resolve piracy domain names even if they are subject to a SOPA interception order.

Third-party DNS providers offer a valuable service to Internet users, but DNS services that are created purely to enable access to pirated material risk the security of their users. Criminals will be able to transparently capture all DNS traffic, including traffic destined for banks and other financial institutions. They will be able to send unwitting victims to phishing servers they control. Imagine losing your banking security credentials to an attacker because your teenager reconfigured the DNS settings on your shared home computer. That's a probable risk when DNS filtering becomes the legal norm.

Fortunately, SOPA is not inevitable. While it has the support of some lawmakers, others are starting to pay serious attention to the concerns of the Internet's technical experts, as well as the people who elected them.

When Congress returns in early 2012 to consider SOPA and other anti-piracy legislation, Afilias hopes the volume of dissent will have been turned up sufficiently that lawmakers will not be able to ignore the very real problems the legislation could create.