For CNET today, I have a long analysis and commentary on the "Stop Online Piracy Act," introduced last week in the House. The bill is advertised as the House's version of the Senate's Protect-IP Act, which was voted out of Committee in May.
It's very hard to find much positive to say about the House version. While there's considerable evidence its drafters heard the criticisms of engineers, legal academics, entrepreneurs and venture capitalists, their response was unfortunate.
Engineers pointed out, for example, that court orders requiring individual ISPs to remove or redirect domain name requests were a futile and dangerous way to block access to "rogue" websites. Truly rogue sites can easily relocate to another domain, or simply have users access them with their IP address and bypass DNS altogether.
There are millions of DNS servers, according to Verisign, so getting all of them to make the change would be impossible, splintering the system. And redirecting DNS requests is in some sense introducing a bug in the system, one that is inconsistent with upcoming security measures aimed at protecting users from being hijacked.
But all the drafters of SOPA seemed to have heard was the part about "futile." Their response has been to make the DNS provisions vaguer and more open-ended, in hopes that whatever mechanisms the rogue sites come up with to evade the law will also be illegal. Blocking is now extended not just to "parasite" sites but to a "portion thereof," for example.
And the Attorney General can now apply for injunctive relief against any "entity" that provides "a product or service designed or marketed for the circumvention or bypassing of measures" taken in response to an earlier court order.
Similar efforts are found throughout SOPA, particularly in the felony streaming provision, and the private right of action (or what the bill calls the "market-based system") for private enforcement of copyright and trademark abuses. Where clarity isn't possible, the drafters have opted for vagueness, open-ended definitions, and hedges. Even the term "including" is defined, to be clear that it means "including but not limited to."
The point of the criticism of Protect-IP was instead that it was impossible to regulate technology that is changing so quickly, and that any effort to do so would only prove obsolete on arrival. As previous efforts from CAN-SPAM to ECPA and back make clear, you cannot future-proof legislation aimed at specific features of emerging technologies.
That, unfortunately, is exactly what SOPA tries to do. And beyond making the legislation clumsy and imprecise, the intentional vagueness greatly increases the potential for unintended consequences. I describe several unintentionally dangerous examples from SOPA in the CNET piece; other analysts have done the same in pieces listed at the end of this post.
Two good things I found in the 79-page draft:
1. The failure of Protect-IP to define "nonauthoritative domain name server" has been addressed. That term is now defined, and the definition looks correct to me.
2. SOPA recognizes, at least, the better approach to solving the problem of foreign websites that blatantly violate copyright and trademark. Near the back, Section 205 calls on the State and Commerce Departments to make enforcement of existing international law and treaties regarding information products and services a priority. This includes the assignment of new attaches dedicated to information products.
Would that SOPA started and ended with this provision, there would be little basis to fault its drafters. If the problem SOPA is attempting to solve, after all, is the scourge of foreign websites that distribute movies, music, and counterfeit goods without a license (often pretending to be legitimate), then surely the solution is one of foreign and trade policy and not micromanaging Internet protocols.
Instead, we have a bill that treats all U.S. consumers as guilty until proven innocent, and hands Hollywood the keys to the inner workings of the Internet. Just what they've always wanted.