Weighing In on Anti-Piracy Legislation
Are New Laws Needed to Battle Data Theft?
Does the U.S. government's shuttering of the file-sharing website Megaupload.com show that new laws are not needed to battle intellectual property piracy? Brookings's Allan Friedman believes it does.
"Given that the U.S. authorities have just used existing law, I think the answer is a resounding yes," Friedman says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. He's a fellow in governance studies and research director of the Center for Technology Innovation at Brookings, a Washington think tank.
Federal authorities on Thursday charged the operators of Megaupload with violations of numerous conspiracy laws for pirating copyrighted music. The charges came as Congress suspended consideration of the Senate's Protect Intellectual Property Act and the House's Stop Online Piracy Act because of public objections of provisions of the bills. Opponents contend the legislation would violate Internet freedom. To protest the legislative proposals, a number of websites, including Wikipedia and Reddit, staged temporary blackouts this week.
"The interesting thing is that these lockers (such as Megaupload.com), as they're called, have been cited as reasons why we need these new laws," Friedman says. But he points out that existing laws, such as those used by federal authorities this week, seem to be adequate.
The charges against Megaupload's leaders provoked the hacker collective Anonymous to launch on Thursday denial-of-service attacks at Justice Department and FBI websites as well as those of the motion picture and recording industries' trade associations (see Hackers Target DoJ, FBI Websites).
Friedman contends the government could have been better prepared to defend the Justice sites. "Large organizations should have the capacity to withstand a reasonably sophisticated denial of service attack," he says. "The solution to a denial-of-service attack is to throw bandwidth at it. This isn't cheap. ... It requires a little bit of preparation; it requires having a flexible IT staff and then a watch officer situation. But this is the sort of thing that you would expect for the nation's top law enforcement agency."
In the interview, Friedman also discusses:
- Why opponents consider PIPA and SOPA a threat to Internet rights and security;
- How international cooperation to fight online child pornography and illicit gambling could be replicated to halt copyright infringement on the Internet;
- The real damage caused by Anonymous assaults.
Before joining Brookings, Friedman was a fellow at the Center for Research on Computation and Society in the Harvard Computer Science department, where he worked on cybersecurity policy, privacy-enhancing technologies and the economics of information security. Friedman also was a fellow at the Belfer Center for Science and International Affairs, where he worked on the Minerva Project for Cyber International Relations. Friedman holds a Ph.D. in public policy from Harvard. He earned his bachelor's degree in computer science from Swarthmore College.
PIPA, SOPA
ERIC CHABROW: Are the anti-piracy arrests associated with the file-sharing site Megaupload.com an example of authorities using existing laws to go after intellectual property pirates without the need of some of the controversial provisions found in PIPA and SOPA that are before Congress?
ALLAN FRIEDMAN: Given that the U.S. authorities have just used existing law, I think the answer is a resounding yes. The interesting thing is that these online file lockers - as they're called, to distinguish them from sites that provide links to content or actually explicitly host content in a searchable form - have been cited as reasons why we need these new laws. Apparently existing laws can apply to them.
CHABROW: What provisions do you see surviving in SOPA and PIPA at some form, and would that create some good law?
FRIEDMAN: Looking at SOPA and PIPA, it's important to understand them in the context of a gradual evolution of increasing enforcement. We started out with the Digital Millennium Copyright Act, which allowed anyone to say, "Listen, there's something on the website that we don't like; we think it's a violation of our intellectual property rights. Please take it down." This is the notice provision of DMCA and most large websites have learned to deal with this. It provides reasonably good enforcement. It doesn't provide perfect enforcement, but it actually works with the economics. A site that really distributes a lot of content that's blatantly violating is more likely to attract attention, and it doesn't require that all of these new websites police everything that's going on.
But there are still websites that are devoted primarily to infringing content. In cases where they don't respond to DMCA, rights holders felt that their ability to gain injunctions was not strong enough, so we have the PRO-IP Act that was passed two years ago, which allowed the United States government to go directly after the domain name. Now this wasn't digging into the nuts and bolts of the Internet. This just said we can seize the domain name from the registry, which allows us to replace the link: instead of having that domain name pointing to the server for the website, it can point to a web page that says this is illegal. So no one can access this through the domain system. So this applies to anything that's inside the jurisdiction of the United States.
Many, many people over the past 30 years have bemoaned the fact that unfortunately the Internet does not fall under the control of any single government, and thus people will use jurisdiction shopping when they wish to do things to avoid the attention of certain governments. This is something that we think of as a good thing when it's countries that we don't like, and it's a bad thing when it's things that we don't like that other countries don't mind as much. The challenge here is, you can only seize a domain name from a registry that's inside the United States, that's under the jurisdiction of the United States. So this would be .com, but it would not be the large panoply of the rest of the top-level domains that aren't based in the United States. Thus, the United States can't exert control.
What we couldn't do was extend this power out to the rest of the world because the United States government doesn't have the authority to seize property that's owned by foreign nationals. We need the cooperation of other countries and other governments, and this by the way is how we handle crime. Intellectual property infringement is a problem, but so is bank fraud and of course child pornography, and we work with other governments to take these things off the Internet. But rather than move through that route, why don't we just prevent American customers from gaining access to this content? How can we prevent access? Well, a couple of different paths.
The most famous and controversial was actually blocking the domain names from the global Internet and preventing American Internet users from contacting these domains. Having the URL, www.infringingsite.ie couldn't be translated. When you tried to resolve it to figure out where the computer was through the global domain name system, under these PIPA and SOPA laws, service providers would be barred from having those domains resolved to an IP address. The other means for going after this content was getting at search engine results and allowing a private right of action against the financial means of support, which would be advertising networks for things that stream content and, for websites that sold counterfeit goods online, you would go through the payment networks.
Now some of those make sense. For example, we have used direct engagement in the payment networks to stop other kinds of illegal activity, lots of cybercrime. This is how the United States has prevented Americans from engaging in online gambling by working with the online payment processors and banks to make sure that money wasn't flowing into accounts that were controlled by companies that did online gambling. From that perspective, it makes sense.
The really controversial aspects were this idea that we would cross the line from attacking businesses to actually altering how the Internet was used by Americans. I wouldn't go so far as to say it would break the Internet, but it certainly would create a very strong precedent and endanger certain aspects of cybersecurity, and perhaps most importantly it would seriously undercut America's efforts to both build a more secure Internet and Intranet in the government context as well as a more open Internet globally.
Anonymous Retaliation
CHABROW: The hacking group Anonymous launched denial-of-service attacks at the websites of the Justice Department and other organizations, such as the Motion Picture Association and recording industry in retaliation for the Megaupload arrests and charges. Especially the government, shouldn't they have anticipated these attacks, and if so what could they have done to prevent them?
FRIEDMAN: We're still waiting to hear the full details about these attacks, and of course victims of this type of attack, especially governments, are often loath to reveal too much in the way of details because they believe it exposes their vulnerabilities, at least until they can fix them. By and large, I think it's safe to say that a large organization, whether it's a portion of the government or a large corporation, should have the capacity to withstand a reasonably sophisticated denial-of-service attack. The solution to a denial-of-service attack is to throw bandwidth at it. This isn't cheap, but on the other hand it's also not something you need to do in the long run. It requires a little bit of preparation. It requires having a flexible IT staff and a watch officer situation, but this is the sort of thing that you would expect from the nation's top law enforcement agency.
CHABROW: Are you familiar enough with them to know whether they have that kind of staffing?
FRIEDMAN: I know that they have very sophisticated IT staff, but of course budgets are very tight and when you're given a choice between using your resources to secure your network against data exfiltration or engage in forensics to prosecute people, you can understand how someone would say, "Maybe we don't need to have a new meeting every six months to figure out how much more we can have to defend ourselves against the denial-of-service attacks." But I was surprised that it was taken offline, even just for a short time. I would have thought that they would have been more prepared and I think we will find out more about the Anonymous attacks.
Traditionally, the Anonymous attacks have been well-coordinated but have not brought to bear the full offensive capacity that only comes from illegal malware-driven machines. It's been more of the participatory software model, and that attack is fairly easy to mitigate. So I believe when we learn more about this attack, we'll find out that they really did employ more botnets than we've seen from some of the previous attacks.
Risk Management Issue
CHABROW: It sounds like it's a risk management issue for the people at the FBI, in a sense. As you pointed out, they're more concerned with the exfiltration of different data than they are necessarily about denial-of-service attacks that might take them down for a bit but they're back up again.
FRIEDMAN: It's true. Things like website defacement or denial-of-service attacks against a specific part of your domain are certainly high profile, but it's by no means the worst thing that can happen to an organization. In fact, it's probably the first thing you would like to have go down compared to all of the other things that can happen to an organization's information architecture.
Damage Assessment
CHABROW: What kind of damage is Anonymous really doing and how concerned should those charged with protecting their organization's information assets be against these so-called hacktivists?
FRIEDMAN: Anonymous is a fascinating model because we haven't even come up with a decent way of describing the phenomenon. A collective is probably a better word than group. It's a purely voluntary organization with no membership, limited common identity and no real identities, even inside the community of individuals. It's very flexible, and in fact the decision-making process is fascinating. I have not personally researched it, but there are a number of scholars who have been working on this issue and just observing the challenges of how a group makes decisions in this kind of context. It's something that I think every government and social organization could learn a lot from.
The challenge here is what drives action. Clearly there are certain things that provide a certain amount of emotion. They've gone after some of the famous betting wars of the hacking community, from Scientology to the MPAA, and they sort of generally grow out of the grand hacker ethos of openness and rough consensus and running code. What's interesting is for a little while there were open declarations that we're going to attack this organization, and sometimes it would work and sometimes it wouldn't. Members of them are clearly well-trained in understanding systems and how to infiltrate them. We don't have a very good idea of what percentage of the people who are engaged in these activities and self-identify as members are the ones who are actually doing this.
I think the true, more prominent activities they're known for are these denial-of-service attacks that started off as host-based attacks where individual members would download this famous application and it would simply run a SYN flood from the host machines or other types of classic DDoS attacks. Those attacks are relatively easy to defend against now for large organizations, and so they have to go to slightly more sophisticated denial-of-service attacks, which are much harder to do without bringing in large-scale botnets and other things that most security researchers think of as highly illegal.
The other component which strikes fear into the heart of many organizations is this idea of just infiltrating and gaining access to any set of documents. The larger the organization, the harder it is to safeguard all of your documents and to safeguard all of your entries, and this is what infosec is worried about quite a bit, certainly in the last two years, especially with respect to economic espionage. And now it's not that you're worried about economic espionage, but you're worried about having your dirty laundry aired, as many companies have found out. Sometimes as a PR move this can backfire, as in the attack against Stratfor, which was both claimed and denied by groups that self-identified as Anonymous. People who claimed they were Anonymous during the attack said this is a contractor who represents the forces of evil for government control of the Internet, when in fact Stratfor is just a slightly hawkish think tank that deals in information. So the publication of personal data probably did not do well for the reputation of this kind of attack for people who didn't have an opinion made yet.