Internet legislation that is scheduled for a vote in the U.S. Senate next month would aim to stop the unlicensed downloading of billions of dollars’ worth of movies and music—as well as the trade in counterfeit drugs and other goods—by blocking access to certain websites, many of them registered abroad. But its basic strategies could lead to trouble on several fronts.
For one thing, the crackdown may unintentionally weaken Internet security. That is because the legislation could let courts order Internet service providers, search engines, domain-name servers and others to block Web addresses or send people to addresses other than the ones they typed or clicked. That trick, called redirection, is just the kind of thing security engineers want to stamp out, because it’s also a key tool for committing Internet fraud.
For another, song and movie traders will always be able to use widely available circumvention tools—such as Tor, a technology funded and developed by the U.S. government itself—to get around blocks and reach the desired sites. If passed, the legislation may achieve little more than an ineffectual antipiracy law recently enacted in France, which has been bogged down by its complexity and costs.
Under the Protect IP Act, government prosecutors or copyright holders could seek a court order finding that a website was “dedicated to infringing activities.” With such a finding, a court could order those sites blocked so as to prevent people who click the relevant links or type their domain names into a browser from actually reaching them. (Instead, the user might be redirected to a warning page.) The Senate bill is scheduled for a January 24 vote. A similar House bill, called the Stop Online Piracy Act, or SOPA, is still in the Judiciary Committee.
Redirecting people from domain names they’d typed or clicked would upend efforts to make the domain-name system more secure, several researchers have argued. “The security community is trying to tell Congress you can’t build a system that distinguishes between a government-required false answer and a hacker’s false answer,” says Ernesto Falcon, director of government affairs at Public Knowledge, a free-speech think tank in Washington, DC. “If you have ISPs and the domain-name system falsify information and give people wrong [Web pages], then efforts to build a secure system won’t work.”