Here is the scenario. You are under a tight deadline. You are in the middle of a heated hunt and peck on the Internet, searching for something highly specific that you need, to buttress a key point in your presentation – just one more data point, one more reference, one more link – when all of a sudden your key tools are absent. Wikipedia? Down. Reddit? Dark. Your favourite blog network? Out. Huh?
Now stop imagining…
The date was January 18, 2012 and for a full twenty-four hours over 7000 web sites throughout the world shut their doors. While still accessible by their URLs, these sites had each made the same decision to “black out” and restrict all access to their content. Why? What could possibly unite such fiercely independent fiefdoms of online blogs, directories and communities?
All this was in coordinated protest over a US congressional bill called the Stop Online Piracy Act – affectionately known as SOPA – which in 2012 ignited a fireball of global debate about the use (and misuse) of digital content on the web, the real (and unreal) abilities to combat perceived threats, and the informed (and uninformed) players behind the US legislative curtain.
Thankfully, SOPA was extinguished before it made it to the floor as an official bill. Disaster averted, you say. Well, nothing ever really dies in the US Congress. Enter CISPA. And this time around, the stakes are even higher. Now, the initial goal to protect digital content in the name of commerce has taken a backseat to the broader (and bolder) objective of strengthening US cyber-security, potentially at the expense of basic privacy rights. As the next barrage in the Internet privacy wars, this salvo is packed with explosives of all sorts and the battle lines blur at a dizzying pace.
So, what was SOPA – that brother of PIPA and father of CISPA? To understand the hate that this bill inspired, one must take the time to understand the Stop Online Piracy Act’s initial stated purpose. H.R. 3261, its Congressional moniker, began life as a resolution to protect the intellectual property of the United States. This primary goal aimed to suppress the online posting of such intellectual property on both US-based and rogue foreign websites, as well as certain counterfeit goods being sold online (prescription medicines, for example) through expanded legal means available to US Courts and law enforcement.
To those familiar with US legislative lore, SOPA was preceded by PIPA, the Protect Intellectual Property Act, which was concurrently drafted inside the US Senate and was to be eventually merged in committee with SOPA. PIPA also had the same shape; it was designed to suppress illegal usage of content throughout the Internet in support of US-owned and controlled intellectual property.
Both proposed bills shared a key tenet. This core provision stated that any US-based copyright holder who claimed evidence that a US or foreign website was “enabling” and/or “facilitating copyright infringement”, could seek a variety of legal means to end the infraction. This might include such measures as: a court order to force search engines to stop linking to the accused site; restricting advertising networks and payment processors from doing business with the accused site; and most notably, requiring Internet service providers to block direct access to the site from US Internet connections. This wide-ranging power was also to be made available to the US Department of Justice and could be invoked even without a submitted claim of wrongdoing by a corporation. If the DOJ deemed infractions were taking place, they could unilaterally act on behalf of the public good. A secondary provision allowed for criminal penalties to be assessed for the illegal streaming of copyrighted content and the illegal sale of counterfeit drugs, military materials and select consumer goods.
While the general topic of piracy is nothing new, SOPA as a potential law had to spell out the mechanics of such a plan. Whom do you notify? How would you submit a claim? Who would be liable? Who would be immune from prosecution if they cooperated? This attempt at an actual framework – the guts of a legislative process – exposed much more than just a poorly designed bill. It exposed a growing reality amidst many elected representatives (in the US and abroad as well): very, very few of them understand what they are talking about, let alone what they aim to legislate.
The use case is this: A US-based magazine publisher discovers a snippet of content, say a quote from an interview with a starlet, first published in its print version and recently released on its own website. The accused offending site, a German blog that caters to fans of the same starlet, has the verbatim quote in its blog posting and a link directing back to the US magazine site.
Wait a moment, the US publisher says, that blog quote was never approved or even requested through proper channels! We don’t approve! With evidence of infraction, the US publisher then files a claim with the DOJ and sends concurrent notification to the German site requesting the content be taken down. What is the harm in this so far? Most sane business owners and consumers would certainly allow any copyright holder to ask that their content be removed or ask for compensation in return.
However, here is where SOPA veered into the muddy waters of association. Imagine too that another blog, an entirely personal site by a soccer mom in Ohio who follows the same starlet, links back to the German blog’s post that included the original publisher link. We now have two offending sites. Add to that the ad networks that are supplying the display banners to both blogs and now these entities can all be considered to be breaking the law. SOPA would require them to stop trafficking those sold ads and sever all business ties with the accused sites. But wait, it gets really interesting! What happens when a search result, called by the query of a teenage surfer in Brazil (hoping for a scoop on her favourite movie star), lists the German blog in its results? Is Google, Bing or any other search engine for that matter breaking the law? Yep, you guessed it. Under the vague language of SOPA, it is all illegal.
The opposition to SOPA that led to the January 2012 blackout began a quick and viral course through the same blogs, communities and sites that SOPA was intended to have jurisdiction over, once enacted. The irony was clear. And this was not merely the web’s fringe, as the larger global Internet players, such as Twitter, released direct challenges to SOPA’s framework. At one point, Google had collected over seven million signatures in opposition to the hazy framework of HR 3261.
SOPA was met with direct and loud protest on each of its core ideas. It had the legal architects of the current Digital Millennium Copyright Act crying foul for potentially weakened “safe harbour” provisions that the DMCA had created in 1988. Technologists and those operating the fabric of the Internet shook their heads in disbelief as the very nature of the domain name system – known as DNS, the service and rules by which all sites are listed – was thrown into potential disarray. How could a system, which by design is meant to search for the authoritative domain based on a user’s browser request, be asked to circumvent itself? Wouldn’t the mere activity of evading known DNS assignments, due to a SOPA take-down, be considered cyber-security risks themselves? What would happen if the US name servers became the doddering and paranoid senior citizens of the global web infrastructure? Certainly, as many feared, this would hasten the demise of the US role in ongoing Internet leadership.
As for business owners, particularly those starting new businesses as venture capitalists and angel investors, a Google-sponsored report indicated that many leading VCs had vowed not to invest in new digital intermediaries under the shadow of SOPA – the risk was simply too high. They asserted nearly unanimously that they would rather invest under current law in a weak economy rather than invest in an even stronger economy, but under SOPA’s proposed tighter reins.
This barrage was fast, furious – and as hindsight would have it – totally overwhelming SOPA’s supporters. These precious, albeit powerful, few crept into submission without much of a public fight or debate given the ferocity of the wider opposition. Corporate supporters of the bill included Nike, L’Oreal, Ford and not surprisingly, the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and a wide roster of other media, television and film entities. The White House largely stayed above the fray, but lent a supportive note to the SOPA protests: “While we believe that online piracy by foreign websites is a serious problem that requires a serious legislative response, we will not support legislation that reduces freedom of expression, increases cyber-security risk, or undermines the dynamic, innovative global Internet.”
For all involved, the lines of communication quickly narrowed to direct and sometimes caustic appeals to members of the US Congress, both in the House of Representatives and the Senate. Many US citizens wrote their first letters (well, emails, to be specific) to their elected representatives as part of this debate. And for one member of the US Congress, this barrage of protest exposed roots at the very heart of a cosy industry relationship brokered by well-heeled lobbyists.
Texas. The Lone Star State. Home of Angus beef, the Dallas Cowboys football team, plenty of wide-open space, and the birthplace of SOPA. US Congressional Representative Lamar Smith is a native Texan and works hard for his constituents, some of whom live in the state capital of Austin, others further south into the boundaries of San Antonio and still others west into expansive ranchland. Rep. Smith is the Chairman of the House Judiciary Committee, the strong arm of the legislative branch of the United States Government where bills are drafted, debated and eventually pass into federal law. He also likes movies. Well, put another way, the movie business really likes him. In one of the oddest pairings in the recent history of Washington-cum-Industry, Rep. Smith has become the best legislative friend of the film and recording industry.
A member of the Congress since 1987, Rep. Smith has been clearly ensconced on the conservative side of the aisle supporting anti-abortion efforts, the continued criminalisation of marijuana and other conservative rallying cries. Upon being named the Chairman of the House Judiciary Committee, Smith became an easy focal point for the wave of lobbyists engaged by a wide swath of American business interests. One key segment in this phalanx of lobbyists was the film, television and recording industry. Living at the crossroads of digital distribution, now enabled and accelerated by the Internet, corporate entities such as Time Warner have been facing tumultuous change in how consumers digitally consume their content. In some cases, this consumption has grown outside the control of the content owners themselves and thus outside their grasp to profit from it. The recording industry, still reeling from their massive failure to recognise and adopt new technologies and business models (remember Napster?) continues to look for an aegis inside the law. And now, with the accelerated demand for not only digital music, but also online video, the broader content industry needed new friends in high places. This is where it got muddy.
While the spectre of pirated content was raised again, SOPA also became a veritable soup of other agendas, specifically the call for wider-ranging cyber-security coverage for US businesses and the government. Rep. Lamar Smith’s industry-laden staff opened the door and proponents of tougher internet security stepped in to help guide SOPA’s creation and modification. SOPA used piracy as the bogeyman to shape legislation with a much broader reach. This was the dirty secret of SOPA: Stop Online Piracy at the expense of much, much more. But as last winter played out, Rep. Smith greatly miscalculated this depth of concern. In a quiet announcement, Rep. Smith stated that, “the House Judiciary Committee will postpone consideration of the legislation until there is wider agreement on a solution.”
Soon after the demise of SOPA, another proposition began to see the light courtesy of new Congressional supporters: Rep Mike Rogers (R-Mich.) and a surprising mix of Democratic Representatives as well. Welcome, Cyber Intelligence Sharing and Protection Act, or CISPA. Stripped of the murky association with content piracy and continued grabs by that industry for legal help in their own failing distribution models, CISPA came clean. This baby was meant to rule – and rule hard. While the stated intent was to allow, if not force, a heightened level of vigilance for growing and potentially disastrous attacks on US networks, the mechanism for such protection forced some extreme bargains. The core thinking inside CISPA was to create direct communication between the US Government and participating companies across all industries. This compact was created in order to “share” information about potential and/or actual network security attacks.
In an ironic use of terminology, the “share” referenced in CISPA, much like its social media definition, could be comprised of almost any facet of digital communication: its source, destination, content, purpose. Companies who agreed to support CISPA, in exchange for governmental data on the cyber-threats under watch, would then be relieved of most responsibilities to keep its customers information – the data being collected at every digital interaction – private. Openly sharing this treasure trove of data with the government would now not only be encouraged, but legal. Privacy advocates, as well as maverick politicians such as Rep. Ron Paul, shined a harsh light on CISPA as being a clear end-run around such established and key existing federal laws such as the Wiretap Act and the Electronic Communications Privacy Act. Others criticised the potential creation of a new cyber-security complex by virtue of CISPA. Clearly then, with all this conflict with current law and its poorly designed architecture, CISPA must have been destined for a similar fate as SOPA – never to see the floor for a vote. Right? Introduced in the House of Representatives for a straight up vote, CISPA passed 248-168.
In addition to fuller support from across both aisles (check your lobbyist), the coterie of companies that supported the proposed bill looked different this time around. Absent from the previous mania around SOPA, Facebook actually stated its support for CISPA, as did Intel, Microsoft and others previously on the fence. Their chorus was a consistent message that, by sharing information with the government, cyber-security threats would be become more manageable and potentially less debilitating, a rising tide of cyber-preparation lifting all ships. For those schooled in US legislative process, CISPA, passed by the House last April, still had to meet up with the Senate’s version and be merged into a single, unified bill for passage – and eventual messaging to the White House for Executive signature (or Presidential veto). However, the Senate was mired in its own debate focusing on the continued attachment of unrelated amendments to its bill and the frustrating reality of a “lame duck” Congress in a post-election Washington. So CISPA, stalled in the waiting room of US politics, fell apart. Rep. Mike Rogers, one author of CISPA, tiredly remarked, “maybe we can move forward and get the Senate to move a little bit.”
The latest spin in all this has come from the White House where, to complete the strange circle of once slight enemy, now fast friend, President Obama has stated the growing need to enact tougher cyber-security laws. With no CISPA, the President’s team has hinted, through unnamed sources, that it may draft its own Executive Order to engage US companies in the same sort of information sharing based on the need to keep critical infrastructure protected. Most of those who watch Washington reiterate that nothing of merit will be pushed forward until after the new session of Congress convenes in 2013, including this minor threat of unilateral Presidential action.
So what lies ahead? There is no doubt of the growing frequency and relative strength of new cyber attacks, from enemy nation-states and coordinated amateur factions, against US and other infrastructure, both material and digital. The risk though, as exhibited in SOPA/CISPA’s legal and technical positioning, is that the solution for an all-encompassing cyber security solution almost always simultaneously erodes the key pillars of privacy the US strives to uphold. It is not an easy nut to crack. One certainty though, we will no doubt be introduced to another acronym. Get ready.