SOPA and the Future of Internet Governance

Posted in: IP Law

So what was all that fuss about?  SOPA, PIPA, Internet Blackout Day, front page stories in newspapers all across the country, eight million or so emails pouring into the White House, two million #sopa tweets, and 10 million signatures added to online petitions opposing the bills—followed, of course, by the announcement that these various legislative proposals for combating online copyright and trademark infringement had all been taken off the table “for further study.”

As Larry Downes noted in Forbes, “Internet users have revolted before in the face of earlier efforts to regulate their activities, but never on this scale or with this kind of momentum.”

What happened?  How did it happen?  And does it matter?

I’m not sure anyone can yet say exactly what happened or how it happened.  But whatever it was—a spontaneous, grassroots outpouring of opposition to an attack on Internet freedom of expression?  A bunch of information junkies who’ve gotten hooked on free music and free movies sticking it to The Man?  A plot by the giant technology companies to show Washington who’s boss?—I’m here to tell you that it matters, and it matters a great deal.

It matters because the Internet matters. If the events of the Arab Spring didn’t finally persuade everyone of that, I can’t imagine what would or will.  And it matters because SOPA would have done serious damage to the technical infrastructure that allows the Internet to do the remarkable things that it does—as I’ll discuss further below.

(I should point out here that SOPA, the “Stop Online Piracy Act,” was only one of the bills advancing through Congress recently dealing with online infringement.  Others included PIPA (“Protect IP Act”), COICA (“Combating Online Infringement and Counterfeits Act”), and the incredibly-acronymed E-Parasite Act, “Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation.”  Though the bills differed in certain details, they all shared the same basic structure and were afflicted by the same problems; for the sake of convenience and clarity, I will use the term “SOPA” in this column to refer to this whole suite of bills.)

And it matters even more because the law enforcement regime that SOPA would have put into place reflects an approach to the problems of “Internet law” and “Internet governance” that is outmoded, unworkable, and unjust.

SOPA’s Objective

SOPA’s objective was straightforward:  to reduce or eliminate access to websites “dedicated to infringing activities” and operating outside of U.S. borders—for example, offshore websites offering copyrighted music or movies for download, or selling counterfeit Omega watches, all without authorization from the rights holders.

It’s a worthwhile goal; nobody can deny that there are an enormous number of such sites, that many of them make a great deal of money by trampling on the legitimate rights of copyright and trademark owners, and that the consequent damage to those rights holders is substantial.

This problem of offshore infringement arises from two very basic characteristics of the global network: First and most obviously, digital information can be reproduced at nearly zero cost, and with nearly 100% accuracy, making it a simple matter to do something that was for all intents and purposes impossible a mere twenty or thirty years ago:  to produce, say, 100,000 copies of the motion picture “Avatar” while you are on your coffee break, and with a lower outlay of funds than is required to pay for your cappuccino.

Second, physical location in realspace—the world of atoms and tangible matter—bears no relationship whatsoever to accessibility or to proximity in the world of bits.  In realspace, it’s harder to do business in London if you’re in Lima than it is if you’re in Liverpool, and it’s harder to cause harm in Seattle from Seoul than from Spokane. But in the world of bits, that’s just not true anymore; web servers in all of those cities are effectively “equidistant” from one another, as “close to,” and as accessible to, a user anywhere on the global network as the server down the street.

That’s the good news.  The bad news is that our realspace legal infrastructure is, just as one would expect it to be, built for the world of atoms.  (How could it have been otherwise?)  Our realspace legal system reflects this fundamental feature of the real world within which it was designed to operate:  physical location and physical proximity matter.  They are indispensable components of many inquiries central to the way realspace law operates, such as determining “jurisdiction,” or “citizenship,” or the “locus” of a contract or a tort, or dozens of other similar questions.  In our realspace legal world, as in realspace, “distance” between actors matters; the more physically distant the relevant actors are from each other, the more difficult it is, generally speaking, to enforce one’s law upon the other.

The disconnect between these two worlds—one in which physically distant actors can have a very substantial impact (good or bad) upon you or your property, and one in which it is difficult to bring law to bear upon those very actors—is at the heart of the problem that SOPA is trying to solve.

It’s a profoundly difficult problem.  Some of us saw it coming, twenty years ago or so.  An enormous amount of creative and innovative thinking is going to be required if we are to solve it in a sensible way.

SOPA does reflect some creative and innovative thinking; indeed, it embodies a radical new plan for the way that law enforcement will proceed on the Net.  But the new plan is deeply flawed, and would set us on precisely the wrong course for dealing with this difficult challenge.

How SOPA Would Work: A Brief Explanation

SOPA targets the activities of “foreign infringing websites,” but it doesn’t impose any sanctions on the offending websites, on the servers on which those websites are hosted, or even on the operators of those websites.  Instead, SOPA imposes its sanctions on the domain names used by those websites.

More specifically, SOPA authorizes courts to “seize” the domain names used by the offending sites via actions in rem—that is, actions that are brought against “property” and not against the persons owning or using the property.  By deeming domain names to be property, SOPA’s in rem actions thereby avoid the messy problem of trying to assert personal jurisdiction over the foreign actors or the foreign servers that are involved in a given dispute.

Under SOPA, judges could issue orders to any U.S. Internet Service Provider (ISP)—a category that includes hundreds of thousands of entities, from giants like Comcast, Verizon, and AT&T to any business or educational institution, however small, that offers Internet access to users—requiring the removal of the offending websites’ domain names from the ISP’s “routing tables,” the databases of Internet domain names and Internet addresses that are used by all ISPs to get messages from one place to another over the Net.

The Impact on the Internet If SOPA Became Law

Every day, the Internet accomplishes an astonishing feat, many hundreds of billions of times over:  it takes an address on a message (like the URL that you type into your web browser, or the email address you put into the appropriate field of an email message), and, from among the seven or eight hundred million machines out on there on the Internet, it finds the right one to deliver it to.  And it does all this in about a second or two.

It is a truly incredible (and largely invisible and unappreciated) feat of engineering, a finely-tuned system (to put it mildly) comprising, among other things, hundreds of thousands of copies of these routing table databases circulating around the Internet from ISP to ISP at all times.  (For a detailed account of how those routing tables, and Internet message routing more generally, work, see Chapter 10 of my book In Search of Jefferson’s Moose:  Notes on the State of Cyberspace.)

All of that complicated engineering is premised on one fundamental principle:  universal addressing.  The routing tables are the same wherever you are; that’s why there’s only one Internet, an Internet that looks the same whether you access it from Brazil or from Boston or from Belarus.

The consequences of court-ordered intervention to selectively remove entries from these routing databases are potentially severe and possibly catastrophic.

Don’t take my word for it; a number of people who know a great deal more about these engineering matters than I do, several of whom were instrumental in creating the original design for the Internet’s domain name system (DNS) and continue to manage and operate critical portions of the DNS infrastructure, have warned about this in no uncertain terms.  In their words, SOPA’s court-ordered manipulation of the domain name system (DNS) would:

  • (a)   be “evaded easily” and would “likely prove ineffective at reducing online infringement”;
  • (b)   “threaten the security and stability” of the Internet, “harming efforts that rely on DNS data to detect and mitigate security threats and improve network performance” and “posing significant risk of collateral damage”; and
  • (c)   “weaken important efforts now underway to improve Internet security [by] enshrining and institutionalizing the very network manipulation that [such security measures] must fight in order to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks.”

(For more on these subjects, consult their full account.)

As Internet Blackout Day approached, the Obama Administration, finally, got the message.  On January 14, in the face of mounting public pressure, the White House announced that it was reconsidering its support for SOPA, in part because . . .

. . . proposed laws must not tamper with the technical architecture of the Internet through manipulation of the Domain Name System (DNS), a foundation of Internet security. Our analysis of the DNS filtering provisions in some proposed legislation suggests that they pose a real risk to cybersecurity and yet leave contraband goods and services accessible online. We must avoid legislation that drives users to dangerous, unreliable DNS servers and puts next-generation security policies, such as the deployment of DNSSEC, at risk.

Reassuring words—though one might ask why they hadn’t been uttered earlier in the SOPA debate.

But the damage SOPA would impose on the Internet goes beyond this (though this is serious enough), extending beyond the Internet’s technical infrastructure and deep into its legal infrastructure.

SOPA Undermines the Rule of Law

Two of SOPA’s provisions are especially troubling.  First, SOPA authorizes the issuance of these domain-name-removal orders after nothing more than summary ex parte proceedings, proceedings in which only the prosecutor and the judge, and not the individual(s) responsible for the websites’ activities, are present.

What this means is that some Korean, or Brazilian, or Russian website operator wakes up one morning to discover that her domain has been “seized” by the US government, and that ISPs are now removing it from the routing tables and making it, literally, invisible across the Net.  Her website is still up and running—it’s just that fewer and fewer people can reach it.

She can challenge the seizure (once she finds out what happened)—perhaps on the grounds that her website is not “dedicated to infringing activities” at all, perhaps on the grounds that under Korean, or Brazilian, or Russian law her actions are entirely lawful, or perhaps on the grounds that the prosecutor just got it wrong, as prosecutors sometimes do—but she’ll have to come to the United States, and get legal representation, to do so.  (And if she does that, in a little added bit of nastiness, SOPA provides that she will then be deemed to have subjected herself to the personal jurisdiction of the US courts.)

Second, SOPA authorizes a kind of “vigilante enforcement”: Copyright or trademark holders, acting entirely on their own without the intervention even of a prosecutor or a judge, would be able simply to provide written notice to banks, credit card companies, Internet search engines, or Internet advertisers regarding the allegedly infringing conduct of the foreign websites, and the recipients of such notices will then have five days to cease doing any business with the offending website or risk losing an immunity from suit for damages caused by the website’s continuing operation.

Imagine this scenario: “A guy walks into a bank.  He asks to see the branch manager.  He says: “You know Farmer Jones, whose place is just down the road from mine?  He’s been dumping horse manure in my pond, and spoiling it for my livestock.  He’s a nasty SOB.  STOP DOING BUSINESS WITH HIM.  FREEZE HIS ACCOUNT.”

In our realspace legal world, the bank will (and should) refuse.  “We’re sorry, but we can’t just take your word for it,” the bank will say; “Bring us a court order and we’ll comply, but we’re not going to deny Farmer Jones access to our services just because you think he’s acting illegally.”

More to the point, in our realspace legal world, the law surely does not and cannot compel the bank to comply with the demand, or offer it a reward for doing so—which is precisely what SOPA would do.

One of the very small number of truly fundamental principles undergirding our legal system and the Rule of Law itself—a principle enshrined (twice!) in our Constitution—is that you may not deprive anyone (like Farmer Jones) of life, liberty, or property without due process of law.  And due process of law requires that Farmer Jones has a meaningful opportunity to be heard, before a neutral magistrate, in an adversarial proceeding in which you and he each get to present your side of the story, in a forum that can lawfully assert jurisdiction over Farmer Jones and/or his property.

What is most disturbing about SOPA is not just that it would run roughshod over this principle, though it would, and that is disturbing enough; what is most disturbing about SOPA are the justifications proffered by its proponents for doing so.

I’m not aware of any SOPA supporter who argues that SOPA actually does provide foreign website operators with a meaningful opportunity to be heard, before a neutral magistrate, in an adversarial proceeding and in a forum that can lawfully assert jurisdiction over him and/or his property before depriving them of their ability to communicate with millions of Internet users in the United States.  They typically know full well that it does not.

Instead, SOPA supporters argue that the full panoply of procedures comporting with due process isn’t required when courts “seize property” (like a domain name) that is located “inside” United States borders.  And they argue that, in any event, SOPA doesn’t violate the due process rights of foreign website owners because foreign nationals standing outside of U.S. borders don’t have due process rights.

To be fair, their position is not an entirely indefensible one; indeed, there’s precedent to the effect that, as the Supreme Court put it in United States v. Verdugo-Urquidez, “[a]liens receive constitutional protections [only] when they have come within the territory of the United States and developed substantial connections with this country.”

Thus, to SOPA proponents, the proper analogy here is to the Customs Service.  SOPA, they say, simply prevents persons operating outside the United States from entering into our territory and bringing unlawful material—contraband movies and handbags—with them.  Customs agents board and search ships at the U.S. borders all the time, and if they find 100,000 copies of the “Avatar” DVD in the hold, they seize those copies and bring them before a magistrate, who orders their disposal and destruction (with or without the ship owner present).  Nobody complains about due process (or, for that matter, about the ship owner’s First Amendment rights) when this happens.  “Why, then,” SOPA supporters ask, “is everyone so exercised about SOPA?”

SOPA Is Outmoded, Unworkable, and Unjust

To which the answer is:  we’re exercised about SOPA because, as I said earlier, it is outmoded, unworkable, and unjust.  The Customs Service analogy doesn’t work; there are no ships and there are no borders, no “French” or “Brazilian” or “American” parts of the Internet, but rather a single global network.

We can, if we wish, impose borders onto the network, through legislative enactments like SOPA, creating an “American” portion of the Internet, while the Brazilians create a “Brazilian portion,” the Australians an “Australian portion,” and so on.  But why would we want to do that?  Why would we want the Internet to look like the map of the world in 1950 or 1975, when its power derives precisely from the fact that it is a single global network, accessible to, and allowing communication among, all of the world’s peoples?

SOPA is unworkable because the network architecture virtually guarantees that evasion will be widespread and rather simple to accomplish; tools that allow websites to instantaneously alter their domain names and redirect traffic to the new sites without any special action on a user’s part are already widely available, and will surely become more so if this approach becomes commonplace.  Thus, SOPA will not stamp out copyright infringement on the Internet; indeed, it probably won’t even make much of a dent in copyright infringement.  If there are 50,000 pirate websites out there and SOPA somehow managed to close half of them down, that would still leave us with 25,000 bad guys.  And in the world of bits—where information is infinitely reproducible at virtually no cost—25,000 bad guys can do just as much damage to your intellectual property as 50,000 bad guys can.

Finally, SOPA is unjust.  Perhaps we are not required to provide due process to those residing outside our borders, but that hardly means that we shouldn’t choose to do so.  The Constitution of the United States, remember, doesn’t bestow the right to due process upon us; it says that the government won’t take away the due process rights we all already have by virtue of the fact that we are human beings.  That is the principle on which we should begin building a just legal regime for our new online global society.

Copyrighted works are important, culturally and economically, and they are worth protecting.  They are not, however, sacred objects that we should protect at any cost.  The damage SOPA would do is immense, and the benefits it would provide would be negligible.  R.I.P., SOPA.  May your sleep be long and untroubled, and may you not rise, as I fear you will, from your grave to haunt us again any time soon.

Posted in: IP Law, Technology Law