Monday, October 18, 2010

COICA: RIAA and MPAA at it again?

In the comments on Friday's post I said I might talk about the free speech problems inherent in the administration's desire to wiretap the internet. That's not happening today, although it's still an important topic. Today we are going to talk about COICA, the "Combating Online Infringements and Counterfeits Act". The Electronic Frontier Foundation has a very good resource page, including a list of legitimate and pseudo-legitimate sites that could be taken down using COICA, and a page explaining why.

This bill (S. 3804) does what has never been done in the United States - it censors the internet, probably in a much more far-reaching manner than expected by the Senate, or by the groups pushing for it. If it is as effective as its elder brother, the DMCA, it will have little effect on criminals, but a far more serious effect on law-abiding citizens.

Actually, this ties in with my concern over the proposal to make the internet wiretap friendly. Businesses such as Carbonite and Mozy.com store your data encrypted. They cannot access it because they don't have your encryption key. Then there are free sites like Dropbox and Oosah. Carbonite and Mozy are for-profit businesses, and presumably can prove that their primary purpose is not sharing pirated music and/or movies. Dropbox and Oosah may have a harder time. And if push came to shove, none of them could prove the files on their servers are not stolen intellectual property - unless they have the ability to decrypt their customers' files. So to make COICA work they will have to make the internet wiretap friendly. Except that still won't make COICA work; it will just harm legitimate businesses and services.

If I were into conspiracy theories I'd say we were seeing a two-pronged attack. If the RIAA and MPAA can get COICA passed, the 'wiretap bill' (whatever it will be called) will be passed, because COICA will require the ability to prove a site's primary purpose is piracy. It could even be made part of COICA. The Fed, the MPAA and RIAA would all get what they want. It wouldn't work the way they expect it to, because the bad guys don't obey the law. Steve Gibson of the Security Now podcast (show transcript) stated the problems well:

Well, and you end up with cat and mouse, too. You end up with those sites that are blacklisted register under a different name. And for a while they're there, until the blacklist catches up with them. And then they move again. I mean, the whole thing is just brain dead. It makes no sense. But we have a problem, and that is that we're dealing with technology that the legislatures probably don't understand. And who knows what the unintended consequences are going to be. But the idea that we're facing state-sponsored censorship of the Internet...

The bill specifies that domain names will be blacklisted. That's wonderful, but blacklisting a domain name may not be enough. The bill does not mention IP addresses, and I don't think those get blocked if the domain name is. If the IP address isn't blacklisted, then the whole thing is an exercise in futility. All the domain name system does is say, "IP address will map to domain name". If you type in the IP address you'll get to the site, even if the domain name is blacklisted.
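To make the point concrete, here is a small model of a name-only blacklist, added here as an illustration and not code from the original post or from any real resolver. The zone data, the blocklist and the addresses are constructed for the example; it shows that a URL written with an IP literal never consults the resolver, that a fresh name for the same server resolves until the list catches up, and what an IP-level block would actually have to cover.

```python
"""Toy model of the domain-name blacklist discussed above (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed zone: domain name -> IP address (the DNS "mapping" in the post).
ZONE = {
    "example-sharing.test": "203.0.113.10",
    "example-sharing-2.test": "203.0.113.10",   # same server, re-registered name
    "example-backup.test": "203.0.113.20",
}

# Constructed blacklist of domain names, as the bill would have it.
BLOCKED_NAMES = {"example-sharing.test"}


def resolve(name, zone=ZONE, blocked=BLOCKED_NAMES):
    """Resolver that enforces the name blacklist: a blocked name gets no answer."""
    if name in blocked:
        return None          # behaves like NXDOMAIN for a blacklisted name
    return zone.get(name)


def reach(url, zone=ZONE, blocked=BLOCKED_NAMES):
    """Return the address a client would connect to for url, or None if blocked.

    A host written as an IP literal is never sent to the resolver, so the
    name blacklist never sees it. A new name pointing at the same address
    resolves normally until the blacklist catches up with it.
    """
    host = urlsplit(url).hostname
    try:
        return str(ipaddress.ip_address(host))   # IP literal: no DNS lookup at all
    except ValueError:
        return resolve(host, zone, blocked)      # a name: goes through the resolver


def blocked_addresses(blocked=BLOCKED_NAMES, zone=ZONE):
    """Addresses an IP-level block would need to cover, given the name list."""
    return {zone[n] for n in blocked if n in zone}


if __name__ == "__main__":
    for url in ("http://example-sharing.test/f", "http://203.0.113.10/f",
                "http://example-sharing-2.test/f"):
        print(url, "->", reach(url))
    print("IP block would need:", blocked_addresses())
```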

When it comes to wiretapping the internet and putting backdoors on encryption, in the same podcast, Steve said:

Now, the problem is, and we said this a little bit at the top of the show, is this is too late. I mean, I completely sympathize with what law enforcement wants to do, with the dilemma they have. But this technology exists. It is in the public domain. It is in open source tools all over the world. It's already escaped. And there's nothing they can do about it.

What Steve is talking about is that current encryption technology is pretty much uncrackable. The best way to crack it is to use things like rainbow tables and try to find collisions - which means you find passwords that give the same results. The weaker or more common the password used, the easier it is to crack the encryption. So if you use "Rover" it may not take long to discover it through rainbow tables. "e3'w53eksw;1" may take centuries. That might not be such a big deal if encryption software was proprietary, with every company creating its own and keeping the code and algorithms secret. But encryption technology is almost 100% created by people and teams who have given the code and algorithms free and clear for anyone to use. So if we install backdoors in our encryption products, the only people it will have any effect on will be law-abiding U.S. citizens. Criminals and foreign citizens will not care, because they can roll their own encryption software.

I haven't even talked about free speech, but it's late, so I'll leave this here for now.