Way, way back during the SOPA/PIPA fight, a very important part of the resistance against the bills was coming from infrastructure operators who explained how they were technically incoherent and dangerous. One prominent group was the Internet Infrastructure Coalition, co-founded by Christian Dawson. Today, with legislative amnesia setting in and new requirements for infrastructure-level site blocking rearing their heads, the Coalition has released a new report: DNS At Risk. This week, he joins us on the podcast to talk about the report and the ongoing dangers of attacks on the internet infrastructure.
Walled Culture has been following closely Italy’s poorly designed Piracy Shield system. Back in December we reported how copyright companies used their access to the Piracy Shield system to order Italian Internet service providers (ISPs) to block access to all of Google Drive for the entire country, and how malicious actors could similarly use that unchecked power to shut down critical national infrastructure. Since then, the Computer & Communications Industry Association (CCIA), an international, not-for-profit association representing computer, communications, and Internet industry firms, has added its voice to the chorus of disapproval. In a letter to the European Commission, it warned about the dangers of the Piracy Shield system to the EU economy:
The 30-minute window [to block a site] leaves extremely limited time for careful verification by ISPs that the submitted destination is indeed being used for piracy purposes. Additionally, in the case of shared IP addresses, a block can very easily (and often will) restrict access to lawful websites – harming legitimate businesses and thus creating barriers to the EU single market. This lack of oversight poses risks not only to users’ freedom to access information, but also to the wider economy. Because blocking vital digital tools can disrupt countless individuals and businesses who rely on them for everyday operations. As other industry associations have also underlined, such blocking regimes present a significant and growing trade barrier within the EU.
It also raised an important new issue: the fact that Italy brought in this extreme legislation without notifying the European Commission under the so-called “TRIS” procedure, which allows others to comment on possible problems:
The (EU) 2015/1535 procedure aims to prevent creating barriers in the internal market before they materialize. Member States notify their legislative projects regarding products and Information Society services to the Commission which analyses these projects in the light of EU legislation. Member States participate on the equal foot with the Commission in this procedure and they can also issue their opinions on the notified drafts.
As well as Italy’s failure to notify the Commission about its new legislation in advance, the CCIA believes that:
this anti-piracy mechanism is in breach of several other EU laws. That includes the Open Internet Regulation which prohibits ISPs to block or slow internet traffic unless required by a legal order. The block subsequent to the Piracy Shield also contradicts the Digital Services Act (DSA) in several aspects, notably Article 9 requiring certain elements to be included in the orders to act against illegal content. More broadly, the Piracy Shield is not aligned with the Charter of Fundamental Rights nor the Treaty on the Functioning of the EU – as it hinders freedom of expression, freedom to provide internet services, the principle of proportionality, and the right to an effective remedy and a fair trial.
Far from taking these criticisms to heart, or acknowledging that Piracy Shield has failed to convert people to paying subscribers, the Italian government has decided to double down, and to make Piracy Shield even worse. Massimiliano Capitanio, Commissioner at AGCOM, the Italian Authority for Communications Guarantees, explained on LinkedIn how Piracy Shield was being extended in far-reaching ways (translation by Google Translate, original in Italian). In future, it will add:
30-minute blackout orders not only for pirate sports events, but also for other live content;
the extension of blackout orders to VPNs and public DNS providers;
the obligation for search engines to de-index pirate sites;
the procedures for unblocking domain names and IP addresses obscured by Piracy Shield that are no longer used to spread pirate content;
the new procedure to combat piracy on the #linear and “on demand” television, for example to protect the #film and #serietv.
That is, Piracy Shield will apply to live content far beyond sports events, its original justification, and to streaming services. Even DNS and VPN providers will be required to block sites, a serious technical interference in the way the Internet operates, and a threat to people’s privacy. Search engines, too, will be forced to de-index material. The only minor concession to ISPs is to unblock domain names and IP addresses that are no longer allegedly being used to disseminate unauthorized material. There are, of course, no concessions to ordinary Internet users affected by Piracy Shield blunders.
The changes made unfortunately do not resolve #critical issues such as the fact that private #reporters, i.e. the holders of the rights to #football matches and other live #audiovisual content, have a disproportionate role in determining the blocking of #domains and #IP addresses that transmit in violation of #copyright.
Moreover:
The providers of #network and #computer security services such as #VPNs, #DNSs and #ISPs, who are called upon to bear high #costs for the implementation of the monitoring and blocking system, cannot count on compensation or financing mechanisms, suffering a significant imbalance, since despite not having any active role in #copyright violations, they invest economic resources to combat illegal activities to the exclusive advantage of the rights holders.
The fact that the Italian government is ignoring the problems with Piracy Shield and extending its application as if everything were fine, is bad enough. But the move might have even worse knock-on consequences. An EU parliamentary question about the broadcast rights to audiovisual works and sporting competitions asked:
Can the Commission provide precise information on the effectiveness of measures to block pirate sites by means of identification and neutralisation technologies?
In order to address the issues linked to the unauthorised retransmissions of live events, the Commission adopted, in May 2023 the recommendation on combating online piracy of sport and other live events.
By 17 November 2025, the Commission will assess the effects of the recommendation taking into account the results from the monitoring exercise.
It’s likely that copyright companies will be lauding Piracy Shield as an example of how things should be done across the whole of the EU, conveniently ignoring all the problems that have arisen. Significantly, a new “Study on the Effectiveness and the Legal and Technical Means of Implementing Website-Blocking Orders” from the World Intellectual Property Organisation (WIPO) does precisely that in its Conclusion:
A well-functioning site-blocking system that involves cooperation between relevant stakeholders (such as Codes of Conduct and voluntary agreements among rights holders and ISPs) and/or automated processes, such as Italy’s Piracy Shield platform, further increases the efficiency and effectiveness of a site-blocking regime.
As the facts show abundantly, Piracy Shield is the antithesis of a “well-functioning site-blocking system”. But when have copyright maximalists and their tame politicians ever let facts get in the way of their plans?
Two years ago BestNetTech wrote about an attempt by Sony Music in Germany to implicate Quad9, a free anycast DNS platform (Cloudflare has technical details on what “recursive” means in this context), in copyright infringement at the domains it resolves. That was bad news for at least two reasons. First, because Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit organization, whose operational budget comes from sponsorships and donations. It aims to protect tens of millions of users around the world from malware and phishing, receiving nothing in return. More generally, success in this lawsuit would create a terrible precedent for blaming a service that is part of the Internet’s basic plumbing for what passes through its pipes.
Unfortunately, the Regional Court in Hamburg, where the case was heard, issued an interim injunction ordering Quad9 to cease resolving the names of sites that Sony Music alleged were infringing on its copyright. A more recent BestNetTech post noted that Quad9 had appealed to the Hamburg Higher Regional Court against the lower court’s decision. Around this time the Regional Court in Leipzig handed down another ruling against the company. Quad9 said that it would be appealing to the Dresden Higher Court against that decision. The good news is that the court in Dresden has now ruled in favor of Quad9. A blog post by Quad9 summarizes what happened:
The appeal with the Higher Regional Court in Dresden follows a decision by the Regional Court in Leipzig, in which Sony prevailed, and Quad9 was convicted as a wrongdoer. Before that, Sony successfully obtained a preliminary junction against Quad9 with the Regional Court in Hamburg. The objection against the preliminary injunction by Quad9 was unsuccessful, and the appeal with the Higher Regional Court in Hamburg was withdrawn by Quad9 since a decision in the main proceeding was expected to be made earlier than the conclusion of the appeal in the preliminary proceedings.
That’s great news, since it confirms that Quad9 benefits here from the liability privileges as a “mere conduit”. Also good news is the court’s ruling that the case “cannot be taken to a higher court and their decision is the final word in this particular case.” Except, as Quad9 explains, it’s not quite over yet:
Sony may appeal the appeal closure via a complaint against the denial of leave of appeal and then would have to appeal the case itself with the German Federal Court. So while there is still a possibility that this case could continue, Sony would have to win twice to turn the decision around again.
There’s also a situation in which a DNS resolver might still be required to block a domain:
it is possible that a DNS resolver operator can be required to block as a matter of last resort if the claiming party has taken appropriate means to go after the wrongdoer and the hosting company unsuccessfully. Such measures could be legal action by applying for a preliminary injunction against a hosting company within the EU. These uncertainties still linger, and we expect that this ongoing question of what circumstances require what actions, by what parties, will continue to be argued in court and in policy circles over the next few years.
Moreover, despite this clear win in Germany, Quad9 has been served with another demand (from media companies once more), this time to block domain names because of alleged copyright infringement in Italy:
Italian legal representatives have presented us with a list of domains and a demand for blocking those domains. Now we must again determine the path to take forward fighting this legal battle, in another nation in which we are neither headquartered nor have any offices or corporate presence.
As to how these legal actions in Germany and Italy can be brought in countries where Quad9 has no corporate presence, the answer is something called the Lugano Convention. And to end on a more positive note, another major DNS service provider, Cloudflare, has also won a legal battle in Germany:
A recent decision from the Higher Regional Court of Cologne in Germany marked important progress for Cloudflare and the Internet in pushing back against misguided attempts to address online copyright infringement through the DNS system. In early November, the Court in Universal v. Cloudflare issued its decision rejecting a request to require public DNS resolvers like Cloudflare’s 1.1.1.1. to block websites based on allegations of online copyright infringement. That’s a position we’ve long advocated, because blocking through public resolvers is ineffective and disproportionate, and it does not allow for much-needed transparency as to what is blocked and why.
Although these victories are welcome, they are hard won. Moreover, the battles between deep-pocketed media companies and not-for-profit organizations like Quad9 are inherently unbalanced. Quad9 itself admits:
Quad9 can only have a few legal fronts open at once – we are nearly entirely dedicated to operational challenges of running a free, non-profit recursive resolver platform that protects end users against malware and phishing. We are not a for-profit company with lawyers on retainer.
And that’s why the lawsuits keep coming – in the hope that one day the people defending the Internet, as Quad9 and Cloudflare have done with success, run out of money or management time to devote to these fights. It’s a risk that has not gone away, despite these recent wins.
Back in September 2021 BestNetTech covered an outrageous legal attack by Sony Music on Quad9, a free, recursive, anycast DNS platform. Quad9 is part of the Internet’s plumbing: it converts domain names to numerical IP addresses. It is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit organization. Sony Music says that Quad9 is implicated in alleged copyright infringement on the sites it resolves. That’s clearly ridiculous, but unfortunately the Regional Court of Hamburg agreed with Sony Music’s argument, and issued an interim injunction against Quad9. The German Society for Civil Rights (Gesellschaft für Freiheitsrechte e.V. or “GFF”) summarizes the court’s thinking:
In its interim injunction the Regional Court of Hamburg asserts a claim against Quad9 based on the principles of the German legal concept of “Stoererhaftung” (interferer liability), on the grounds that Quad9 makes a contribution to a copyright infringement that gives rise to liability, in that Quad9 resolves the domain name of website A into the associated IP address. The German interferer liability has been criticized for years because of its excessive application to Internet cases. German lawmakers explicitly abolished interferer liability for access providers with the 2017 amendment to the German Telemedia Act (TMG), primarily to protect WIFI operators from being held liable for costs as interferers.
As that indicates, this is a case of a law that is a poor fit for modern technology. Just as the liability no longer applies to WIFI operators, who are simply providing Internet access, so the German law should also not catch DNS resolvers like Quad9. The GFF post notes that Quad9 has appealed to the Hamburg Higher Regional Court against the lower court’s decision. Unfortunately, another regional court has just handed down a similar ruling against the company, reported here by Heise Online (translation by DeepL):
the Leipzig Regional Court has sentenced the Zurich-based DNS service Quad9. On pain of an administrative fine of up to 250,000 euros or up to 2 years’ imprisonment, the small resolver operator was prohibited from translating two related domains into the corresponding IP addresses. Via these domains, users can find the tracks of a Sony music album offered via Shareplace.org.
The GFF has already announced that it will be appealing along with Quad9 to the Dresden Higher Regional Court against this new ruling. It says that the Leipzig Regional Court has made “a glaring error of judgment”, and explains:
Let’s hope so. If it isn’t, we can expect companies providing the Internet’s basic infrastructure in the EU to be bombarded with demands from the copyright industry and others for domains to be excluded from DNS resolution. The likely result is that perfectly legal sites and their holdings will be ghosted by DNS companies, which will prefer to err on the side of caution rather than risk becoming the next Quad9.
One of the striking features of the copyright industry is the fact that enough is never enough. Give companies stronger enforcement of copyright, and they will still start pushing for more. An example is the EU’s Copyright Directive. Even when upload filters were approved against all expert advice, on the grounds that sufficient safeguards were built in, French politicians were persuaded by copyright companies to jettison even those weak user rights.
Similarly, no matter how much power is given to companies to enforce copyright, they always want to turn everyone else into their personal police squad. A recent example saw Sony trying to force a DNS service to stop resolving certain domain names that were allegedly implicated in copyright infringement.
A case currently before the Court of Justice of the European Union (CJEU), the EU’s top court, sees another such attempt to force a company to become copyright’s enforcer (via The IP Kat blog). It involves two Serbian companies: Grand Production, which produces TV programs broadcast in Serbia, and GO4YU, which runs an Internet streaming platform. GO4YU had a license to show Grand Production’s programs in Serbia and Montenegro, but not elsewhere. It therefore uses geoblocking to stop people outside those countries from accessing the material. Unsurprisingly, people used VPNs to get around those geoblocks.
Grand Production was unhappy, and turned to the courts, claiming that GO4YU would have known that people would use VPNs to circumvent the geoblocks, and was therefore responsible for the copyright infringement in some way. Because of the important questions it raised, the case moved through local courts all the way up to the CJEU. The court itself has not yet ruled, but as is usual for these cases, a special court advisor, known as an Advocate General, has offered his opinion. It’s not binding on the CJEU, but generally indicates how the case may go. In this instance, the comments of Advocate General Szpunar are particularly interesting (there’s no English version of his comments yet – the quotations below are DeepL translations of the Italian version). First of all, Szpunar has the following to say about the use of VPNs:
As is well known, neither in the virtual nor in the real world are there any protective measures that cannot be circumvented or violated. This can only be more or less difficult. The same applies to geographical access blocks. Different types of technical means, including VPN services, allow these blocks to be circumvented, in particular, by virtually changing the user’s location. Although technical means exist to counter such practices, they are not, and probably never will be, fully effective – progress in violation techniques is always one step ahead of progress in protection mechanisms.
That’s a recognition of the fact that VPNs are widely used to avoid geoblocks, and will never be completely countered, although the Advocate General did add a proviso:
The situation would be different only if the company GO4YU Beograd intentionally applied an ineffective geographic access blockade in order to effectively allow persons outside the territory in which it is authorised to communicate to the public the programmes produced by the company Grand Production to access the programmes in question, in a manner facilitated by the objectively existing possibilities on the Internet, in particular in comparison with the generally available VPN services.
In other words, provided a company makes reasonable efforts, it can’t be blamed if some people find workarounds. He then went on to note an important implication of the widespread use of VPNs:
The company Grand Production is probably right in asserting that the company GO4YU Beograd is aware that its geographic access blockade is circumvented via the VPN service. However, the company Grand Production is also aware of this fact. The circumvention of various types of protection measures by users constitutes an inherent risk in the digital distribution, especially on the Internet, of copyright-protected works. The company Grand Production, by allowing the company GO4YU Beograd to communicate its programmes to the public on a streaming platform in a certain territory, had to take into account the fact that a certain number of users could obtain access to them outside that territory.
That is only Szpunar’s view, and the CJEU may decide differently. Nonetheless, it shows a refreshing recognition by one of the EU’s most senior lawyers that there have to be limits on the copyright industry’s ability to bully others to do its bidding.
Almost exactly a decade ago, a few months after the US Congress rejected the site blocking setup of the SOPA copyright bill, which would enable copyright holders to force ISPs to block access entirely to websites deemed as being dedicated to “piracy,” we wrote a post about how it wasn’t even clear SOPA was needed when courts were willing to issue such blocking orders already. That was in a case around counterfeiting, where Louis Vuitton sought, and obtained, an order from a judge that demanded that domain registrars and ICANN effectively wipe certain website domains off the internet entirely.
Fast forward almost exactly a decade and TorrentFreak points us to a somewhat similar series of orders that demand that every ISP in the US block access entirely to three websites accused of infringement by a series of movie, TV, sports, and news content providers in Israel. The three orders are all embedded below, though they’re all basically the same — but they order non-party ISPs to block access to three domains that are accused of showing infringing streams: israel-tv.com, israel.tv, and sdarot.tv.
For all three of the websites, no defendants showed up in court (not too surprising, given that the cases were filed in the US). Without a defendant showing up, the court ruled for the plaintiffs in a default judgment — which is pretty typical. However, what is atypical, is that the judge then basically set the 1st Amendment on fire, and basically ordered a ton of non-parties to do things to stop enabling any access to these websites. It first issues a permanent injunction for anyone operating or working with those websites, but then issues an order for EVERY single ISP in the US to block access to these websites.
IT IS FURTHER ORDERED that all ISPs (including without limitation those set forth in Exhibit B hereto) and any other ISPs providing services in the United States shall block access to the Website at any domain address known today (including but not limited to those set forth in Exhibit A hereto) or to be used in the future by the Defendants (“Newly-Detected Websites”) by any technological means available on the ISPs’ systems. The domain addresses and any NewlyDetected Websites shall be channeled in such a way that users will be unable to connect and/or use the Website, and will be diverted by the ISPs’ DNS servers to a landing page operated and controlled by Plaintiffs (the “Landing Page”) which can be reached as follows:
Domain – zira-usa-11026.org IP Address: 206.41.119.50 (Dedicated)
The Landing Page will include substantially the following information:
On April 26, 2022, in the case of United King Distributors, et al. v. Does 1-10, d/b/a Sdarot.tv (S.D.N.Y., Case No. 1:21-cv-11026 (KPF) (RWL)), the U.S. District Court for the Southern District of New York issued an Order to block all access to this website/ service due to copyright infringement
It’s unclear who created this particular landing page, but it does not exist, and at least it doesn’t include the silly badges with eagles on it.
The blocking order shows a very long list of ISPs, covering nine pages. For unclear reasons, the list shows not just the names of the ISPs, but also the estimated population covered, the number of states they cover, and their max speeds. As far as I can tell, the list appears to come from BroadbandNow’s “Internet Providers in the United States of America” list. This is the first page that comes up if you Google “list of US ISPs” and it also displays the exact same data sets in the exact same order. The list doesn’t match exactly, though, so it appears to be a subset of the larger list — though the court order says that it should be considered to apply to any US ISP.
And Judge Katherine Polk Failla doesn’t stop there. After ordering every ISP to block these websites, she also orders all third party service providers to cease doing business with these three websites. This includes an incredibly long list of possible service providers (notably a list that is even more in-depth than would have been required under SOPA — which, again, Congress rejected):
IT IS FURTHER ORDERED, that third parties providing services used in connection with Defendants’ operations — including, without limitation, ISPs, web hosting providers, CDN service providers, DNS service providers, VPN service providers, domain name purchasing service, domain names privacy service, back-end service providers, affiliate program providers, web designers, shippers, search-based online advertising services (such as through-paid inclusion, paid search results, sponsored search results, sponsored links, and Internet keyword advertising), any banks, savings and loan associations, merchant account providers, payment processors and providers, credit card associations, or other financial institutions, including without limitation, PayPal, and any other service provider which has provided services or in the future provides services to Defendants and/or the infringing Website (including without limitation those set forth in the list annexed and made Exhibit C annexed hereto) (each, a “Third Party Service Provider”) — having knowledge of this Order by service, actual notice or otherwise be and are hereby permanently enjoined from providing services to the Website (through any of the domain names set forth in Exhibit A hereto or at any Newly-Detected Websites) or to any Defendant in conjunction with any of the acts set forth in subparagraphs (A)(1) to (A)(6) above;
And, as if that was not enough, she also orders domain registrars effectively kill those domains as well and hand them over to the plaintiffs:
That all domain names associated with the infringing Website, including without limitation those set forth in Exhibit A hereto, as well as any Newly-Detected Websites, be transferred to Plaintiffs’ ownership and control; and
That in accordance with this Court’s inherent equitable powers and its power to coerce compliance with its lawful orders, and due to Defendants’ on-going operation of their counterfeiting activities, in the event Plaintiffs identifies any Newly-Detected Website registered or operated by any Defendant and used in conjunction with the streaming any of Plaintiffs’ Works, including such Websites utilizing domain names containing any of Plaintiffs’ service mark or marks confusingly similar thereto, Plaintiffs shall have the ongoing authority to serve this Order on the domain name registries and/or the individual registrars holding and/or listing one or more of such the domain names associated with the Newly-Detected Websites; and
That the domain name registries and/or the individual registrars holding and/or listing one or more of the domain names associated with the Newly-Detected Websites, within seven (7) days of service of a copy of this Order, shall temporarily disable any domain names associated with the Newly-Detected Websites, make them inactive, and channel them in such a way that users will be unable to connect and/or use the Website, and will be diverted to the Landing Page (as defined in Paragraph B, above); and
That after thirty (30) business days following the service of this Order, the registries and/or the individual registrars shall provide Plaintiffs with all contact information for the Newly-Detected Websites; shall transfer any domain names associated with the Newly-Detected Websites to the ownership and control of Plaintiffs, through the registrar of Plaintiffs’ choosing, unless the Defendant has filed with the Court and served upon Plaintiffs’ counsel a request that such Newly-Detected Websites be exempted from this Order or unless Plaintiffs requests that such domain names associated with the NewlyDetected Websites be released rather than transferred;
Again, this is way, way beyond what even SOPA would have allowed. But Congress didn’t do it — and for good reason. This ruling has some really significant 1st Amendment issues. Ordering the complete takedown of a website like this is the equivalent of shutting down a magazine — ordering that the landlord evict the publisher, that the printing presses be destroyed, that the postal service refuse to send copies of the magazine, that the local waste management company refuse to pick up the garbage, etc. etc. An order like that would obviously have tremendous 1st Amendment problems as an attack on speech, even if you recognize that some of the content was infringing.
Of course, given that the websites chose not to show up in US court, it seems unlikely that they will challenge the order. It is possible that some ISPs might push back on it, not because they want to support piracy, but because of the extraordinarily problematic general precedent of allowing a judge to order such an extreme internet kill order. Allowing these kinds of orders to survive creates tremendous instability for the internet, and hopefully some ISPs will push back.
Much of the world is, correctly, standing up against Russia following its despicable invasion of Ukraine as part of Vladimir Putin’s power-mad fever dream. And in response there are lots of questions about how different companies are looking to punish, sanction, or limit Russian access to goods and services. Some of the ideas make sense. Some of them don’t. And some of them are incredibly dangerous. In the extremely dangerous territory is Ukrainian officials reaching out to ICANN on Monday and asking it to disconnect Russia from the internet, revoking domains issued in Russia and shutting down DNS servers in Russia.
Moreover, it’s becoming clear that this aggression could spread much further around the globe as the Russian Federation puts the nuclear deterrent on “special alert” and threatens both Sweden and Finland with “military and political consequences” if these states join NATO. Such developments are unacceptable in the civilized, peaceful world, in the XXI century.
Therefore, I’m strongly asking you to introduce the following list of sanctions targeting Russian Federation’s access to the Internet:
Revoke, permanently or temporarily, the domains “.ru”, “.рф” and “.su”. This list is not exhaustive and may also include other domains issued in the Russian Federation.
Contribute to the revoking for SSL certificates for the abovementioned domains.
Shut down DNS root servers situated in the Russian Federation, namely:
Saint Petersburg, RU (IPv4 199.7.83.42)
Moscow, RU (IPv4 199.7.83.42, 3 instances)
Apart from these measures, I will be sending a separate request to RIPE NCC asking to withdraw the right to use all IPv4 and IPv6 addresses by all Russian members of RIPE NCC (LIRs – Local Internet Registries), and to block the DNS root servers that it is operating.
All of these measures will help users seek for reliable information in alternative domain zones, preventing propaganda and disinformation. Leaders, governments and organizations all over the world are in favor of introducing sanctions towards the Russian Federation since they aim at putting the aggression towards Ukraine and other countries to an end. I ask you kindly to seriously consider such measures and implement them as quickly as possible. Help to save the lives of people in our country.
It is difficult to describe just how bad an idea this is. First of all, this is kind of what Russia already wants. It’s already looking to cut itself off from the wider internet in order to keep its own citizenry misinformed. Second, this punishes the Russian people, many of whom are against the war. Third, the internet remains the best way for activists on the ground in Russia to organize and to evade crackdowns by the Russian government. Fourth, the internet remains one of the most important ways that people outside of Russia are getting information on what is happening in the country.
“This is a huge request from Ukraine,” says Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative. “It’s very likely ICANN will just say no. The Kremlin is spreading tons of propaganda and disinformation about Ukraine, but this is not the way to go about addressing it.”
The RIPE Network Coordination Centre, which (as noted above) received its own such request has similarly rejected it and explained the many reasons why cutting off Russia from the internet is a dreadfully bad idea.
It is crucial that the RIPE NCC remains neutral and does not take positions with regard to domestic political disputes, international conflicts or war.
This guarantees equal treatment for all those responsible for providing Internet services. This is a fundamental reason why the RIPE NCC has been able to maintain its operations in the way it has for the past three decades. It also means that the information and data provided by the RIPE NCC can be trusted as authoritative and free from bias or political influence. Failure to adhere to this approach would jeopardise the very model that has been key to the development of the Internet in our service region.
Separately, the Internet Society has put out a statement explaining why undermining the internet at this moment is a dangerous idea.
These proposals miss something fundamental about the Internet: it was never designed to respect country borders. The idea of unplugging a country is as wrong when people want to do it to another country as it is when governments want to do it to their own.
Internet connectivity means anyone with access can use the Internet to communicate. This means aggressors and opponents alike. Unlike most historical communication methods, the Internet is astonishingly resilient when conditions for connection are bad. It’s not magic. It won’t end wars or invasions. But it is a great tool for humans to use against their oppressors.
The Internet allows people who otherwise would be silenced to speak, so it should be no surprise that there are people the world over trying to undermine the Internet.
Russia has been trying for over a decade, with limited evidence of success (whatever the Kremlin has said), to be able to unplug from the Internet. Some governments impose Internet shutdowns that harm the interests of their citizens and impede economic development, all in the interests of social control. These efforts are not “the Internet with local characteristics,” or any other catchphrase. They’re opposition to the Internet. The Internet puts decisions about connections into the hands of people who want to connect. It’s a frightening idea to those who want to control the messages. But it’s what has made the Internet a resource to enrich people’s lives.
Furthermore, it notes just how dangerous a precedent this would set:
Once large network operators start demonstrating an ability to make routing decisions on political grounds, other governments will notice. This will attract regulatory requirements to shape network interconnection in real time along political lines. If we travel that path, in short order the network of networks will not exist. In its place we would have a different network design built around national gateways, broken up on geopolitical lines, and just as dynamic and robust as other multilateral, regulation-based systems. The Internet has done a lot to erode those systems because it is more efficient and effective. We’d give that up.
Without the Internet, the rest of the world would not know of atrocities happening in other places. And without the Internet, ordinary citizens of many countries wouldn’t know what was being carried out in their name. Our best hope, however dim, is that those supporting an aggressive regime will change their support. More information can help, even as disinformation circulates. We need a better understanding of what is and is not disinformation. Cutting a whole population off the Internet will stop disinformation coming from that population—but it also stops the flow of truth.
We must not ease the path for those who hate the Internet and its ability to empower people. We must fight the suppression of the Internet. This means making sure connectivity does not stop for anyone. It means ensuring that strong encryption, which protects ordinary communications, but also allows political discourse in the face of censorship, is always available. It means making sure the critical properties of the Internet are not undermined by legislation, no matter how well-meaning. It means making interconnections cheap and easy and ubiquitous, so that all networks are reliable and robust systems that can be made from unreliable parts. It means dedicating ourselves to ensuring that the Internet is for everyone.
I can kind of understand the thinking behind the original request, but it’s important to recognize how such an idea would (1) dangerously backfire in the short-term, and (2) set an extraordinarily bad precedent for the future that would then be widely abused. There are plenty of reasonable actions to take against Russia. Cutting them off from the internet is not one and would play into Putin’s hands.
Today we’re launching our latest BestNetTech Tech Policy Greenhouse discussion in which we bring in a bunch of actual experts to discuss and debate complex and nuanced subjects regarding tech policy — this time about content moderation at the infrastructure layer. We’re excited that we’re doing it in partnership with our friends over at the Electronic Frontier Foundation (EFF)! Also, we’re going to conclude this new series of posts on BestNetTech with two virtual events. On October 6th from 9am to noon PT, we’ll have many of this series’ authors discussing and debating their pieces in front of a live (though virtual!) audience (register to attend here). The following day, on October 7th, EFF and BestNetTech will be hosting a smaller workshop event to take some of what we learned and discussed the previous day, and see if we can come up with more concrete steps and approaches to make sure providers, policymakers, and others understand the risks and challenges of infrastructure moderation, and how to respond to those risks.
The latest edition will again dip into the content moderation well, but will focus on a part of the discussion that is all too often forgotten (leading to potentially damaging consequences). Specifically, we’ll be talking about content moderation not at the “edge” of the internet (i.e., the user-facing services like Google, Facebook, and Twitter), but at the infrastructure layers deeper in the stack. This could include content moderation via hosting companies, domain registrars, ad networks, payment processors, app stores, and much, much more. Since so much of the discussion (and anger) around content moderation focuses on those edge providers that everyone is familiar with, it seems that nearly all proposals tend to just focus on correcting perceived content moderation ills for end users. But, at the same time, it seems that most of the policy proposals we see would apply equally (if not more so) to infrastructure providers.
Some of this is by design.
The “original” content moderation debate on the internet revolved around copyright — with the record labels (mainly) demanding ever more draconian regulations and standards to force content offline. However, as the technology evolved, we increasingly saw the legacy entertainment companies recognize that they could get more bang for the buck by targeting infrastructure intermediaries. They started to threaten ad networks and domain registrars for infringement that happened on websites that neither of those entities had power over.
Indeed, the biggest concern with moving moderation decisions down the stack is that most infrastructure players only have a sledge hammer to deal with these questions, rather than a scalpel. They can’t remove just the “bad” content. They can only remove (or, at least threaten to remove) all service, which can wreak havoc on a site. And we’ve seen how that pressure can be used to extreme ends. People focus on more recent examples, but over a decade ago, caving to pressure from US government officials, Amazon and others dumped Wikileaks.
That said, the infrastructure companies are still private entities, and do (for the most part, with a few exceptions) retain the power to run their businesses how they wish — including the right to refuse service to certain customers. And there are reasons why infrastructure providers may not just want, but actually need, the ability to do some amount of moderation — for example ISPs have good reason to run spam filters for their customers, and there have been cases where serving companies have (understandably) wanted to pull down malware bot networks using their infrastructure.
In other words, there are a lot of nuances here, and plenty to discuss and debate and explore better paths forward.
Finally, we should note that, beyond partnering with EFF for this project, we are also supported by the grant we received last year from the Knight Foundation to explore this very topic, as well as sponsorships from Cloudflare, Internet Society, and Golden Frog.
One of the characteristics of maximalist copyright companies is their limitless sense of entitlement. No matter how much copyright is extended, be it in duration, or breadth of application, they want it extended even more. No matter how harsh the measures designed to tackle copyright infringement, they want them made yet harsher. And no matter how distantly connected to an alleged copyright infringement a company or organization or person may be, they want even those bystanders punished.
In June, Quad9 was served with a notice from the Hamburg Germany court (310 O 99/21) stating that Quad9 must stop resolving certain domain names that Sony Music GmbH believed were implicated in infringement on properties that Sony claims are covered by their copyrights. Quad9 has no relationship with any of the parties who were involved in distributing or linking to the content, and Quad9 acts as a standard DNS recursive resolver for users in Germany to resolve those names and others.
Sony Music is not alleging that Quad9 is infringing on copyright directly, but that its DNS service allows people to access a Web site that has links to material on a second Web site that infringes on copyrights. On this basis, the Hamburg Court has used Germany’s law on indirect liability to order Quad9 to cease resolving the names of those sites. But as the Gesellschaft für Freiheitsrechte explains, there’s a crazy twist here. Under German law:
[Internet] service providers who provide access to unlawful information or transmit such information are expressly no longer liable for damages or responsible for removal, nor can an injunction be granted against them. However, the Hamburg Regional Court assumes that Quad9 cannot invoke this liability privilege because it does not itself route the copyright-infringing information from A to B, but merely provides indirect access to it. This understanding of the law leads to the contradictory result that Quad9 is deemed liable for copyright infringements precisely because it has even less to do with the copyright infringements than Internet access providers, who are equally not involved in copyright infringements but at least do transmit the data in question.
this would set a dangerous precedent for all services used in retrieving web pages. Providers of browsers, operating systems or antivirus software could be held liable as interferers on the same grounds if they do not prevent the accessibility of copyright-infringing websites.
The past history of media companies suggest that, given such a capability, they would indeed go after all of these incidental operators, as part of an insane quest to put every aspect of the Internet at the service of copyright.
Each time you visit a website, your browser interacts with a domain name system (DNS) resolver that converts web addresses to an IP address understood by the machines along your path. Historically however this traffic exchange isn’t encrypted, making it possible for your broadband provider or another third party to monitor your browsing data based on your DNS queries. DNS inventors in the 80s didn’t really bet on a future where all DNS queries would be tracked, monetized, or weaponized by third parties.
Experts for a while have been arguing (including here at the BestNetTech Greenhouse policy project) that it’s important that we start encrypting these pathways to bring a little more security and privacy to the equation. Companies like Mozilla have been at the forefront of implementing “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Recently, even Comcast (a company that’s no stranger to monetizing your online habits) joined Mozilla’s efforts to take the idea mainstream.
“ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.”
The changes shouldn’t add any perceptible latency to browsing speed, but should notably improve user and overall internet security. A good thing in a country that still doesn’t seem to think even a modern, simply privacy law for the internet era is necessary to protect the security of the internet and public safety. But as Zack Whitacre at TechCrunch notes, steps still need to be taken to ensure no single party controls both the DNS resolver and proxy:
“A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never ?collude,? in that the two are never controlled by the same entity, otherwise the ?separation of knowledge is broken,? Sullivan said. That means having to rely on companies offering to run proxies.”
Cloudflare told TechCrunch that several partner organizations are already running proxies, allowing for folks to give the system an early spin if they use Cloudflare’s security-focused 1.1.1.1 DNS resolver. Everybody else will need to wait until the new protocol comes standard as part of your OS or browser, which depends on how long it takes for the Internet Engineering Task Force to finalize the proposal. That could take months or years, but in a world where your every waking online movement is increasingly tracked and monetized, it should be a welcome shift whenever it finally drops.
