Last Monday, the Senate Judiciary Committee introduced S. 3804, the Combating Online Infringement and Counterfeits Act. It proposes to target websites that distribute infringing materials by having the Attorney General shut down their domain names (if their registrars or registries are US-based), or by telling US-based ISPs and other online providers not to connect users to accused websites that have foreign-based domain names. While there are a number of websites infringing copyrights and trademarks with domains registered overseas, there are a number of serious problems with the way this bill tries to tackle them. These problems make the bill a danger to innocent and beneficial sites, create potential technical problems, and put it in conflict with the United States' agenda for a single, global, Internet.

Problem 1: False Positives for Infringers, False Positives for Their Supporters

This bill contains a host of problems, beginning with its broad scope. To begin an action against a website, the Attorney General has to show a court that the site is "dedicated to infringing activity." To fit into that category, the site either needs to be designed for, or marketed to offer infringing goods or services, or "enable or facilitate" infringement.

That phrase, "enable or facilitate," is a landmine of uncertainty. There's no question that in one sense, an ISP can enable online infringement just by providing users with service. The manufacturer of a computer that lets you use the site can be said to enable infringement as well. Less facetiously, the sort of online host of user-generated content can "enable" users to infringe, even if it tries hard not to, just as craigslist and eBay can enable or facilitate trade in knockoff goods (also targeted by the bill) as much as they'd like not to. Any of these entities could too easily be targeted for this treatment by the Attorney General. And while it's not likely that the Justice Department is going to mistake all of eBay or YouTube for a pirate site, a newer, smaller exchange site or video hosting service could more easily be slammed because of a few bad actors among its users.

Another overly broad definition lies in who exactly can get an order from the Attorney General telling them to stop doing business with the accused site. The section-by-section explanation for the bill specifically mentions ISPs, but the bill's language itself mentions

a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server.

Not only does this include any DNS server operator at all (which could also include small ISPs like colleges, libraries, and independent third-party operators), but section 512(k)(1) also defines a lot more than just ISPs. In fact, it includes any "provider of online services or network access, or the operator of facilities therfor." That scope has been interpreted to include far more than ISPs, including online hosting services, websites, blogs, and more. The breadth of this definition in the bill leaves nearly any online entity subject to an order from the Attorney General not to serve traffic to a site associated with a particular domain name, from a massive backbone Internet provider to a website run off of a creaky Pentium.

Problem 2: The Blacklist

One of the most troubling parts of the proposed bill is in subsection (j), which requires the Attorney General to keep a public list of domain names that it thinks, "upon information and belief," are "dedicated to infringing activities," but that it hasn't actually acted on. Any ISP, credit card company, ad network, or other online service provider who does business with a site that ends up on this blacklist is free to stop doing business with the site, and is immunized from any lawsuit that might result form them breaking contracts or cutting off service from that site.

It's problematic enough when the Attorney General has overly broad discretion to issue orders against a variety of businesses, but here, a much lower standard applies to putting websites on a blacklist. "Upon information and belief" isn't much of an evidentiary standard, and you can bet that the Attorney General is going to be lobbied hard by the entertainment industry and others to put certain sites on the list, whether or not those sites actually are engaging in infringement. (The bill requires the Attorney General to have procedures to receive information form the public about infringing sites.)

And the immunity for anyone acting on the basis of a site's presence on the blacklist positively encourages them to do so, based upon what could be as little as a submitted allegation. This is especially dangerous given potential impacts on the balance of secondary liability, which leads us to the next problem.

Problem 3: Secondary Liability

So say you're a credit card processor. What happens when a site you do business with ends up on the blacklist? Cutting them off is voluntary, but doing so doesn't create any liability for you. You lose a customer, but if you're Mastercard, that's not quite such a big deal in the grand scheme of things. On the other hand, what happens if you ignore the blacklist? Lots of copyright holders have been getting increasingly litigious and eager to apply new, expansive theories of contributory and vicarious infringement. Failing to cut off someone who is accused (by the Attorney General, no less!) of infringement could be interpreted as having constructive or even actual knowledge of infringement—perhaps enough to trigger "red flag" knowledge that takes you out of DMCA protections.

And the questions about secondary liability don't end there. As noted above, the actual sites accused of infringement by the Attorney General can be as tangentially connected to the infringement as being marketed as "enabling or facilitating" infringement. How does this square with the standard in Sony--that an accused device have a "substantial non-infringing use?" Without further refinement, this bill could shift the balance struck so far by the courts in this constantly evolving field of law.

Problem 4: DNS Blocking and Unintended Consequences

There's also real problems attending the way that the bill proposes to have ISPs and other DNS providers to "take reasonable steps that will prevent a domain name from resolving to that domain name's Internet protocol address." This seems to be a roundabout way to say that these entities would have their DNS servers point request for a domain elsewhere. This would mean more conflicts among DNS servers than there already are, as the Attorney General runs about issuing orders to various ISPs and other DNS operators located in the US. Meanwhile, these conflicts, as well, I'm sure as the lure of getting to domains barred by the larger DNS providers, can easily drive users to third-party systems of varying degrees of savoriness. ICANN has previously warned of the harms that DNS redirects can do to the Internet, and tampering with the reliability of that system even more could destabilize that system even faster.

Problem 5: Global Internet Freedom

But one of the largest concerns with the bill has less to do with legal arguments about definitions, jurisdiction, or interpretation. It's a question of political concerns in what we as a country do with problems on the Internet, and how those methods are perceived internationally.

However good the justifications may be that we can make for blocking DNS requests, or other information transfers, other countries will point to our example and provide their own justifications for their own blocking. Where we might find certain tracks infringing, another country's court might find a license valid; where we would protect harsh, hostile, or critical speech, other countries might disallow it with broader defamation laws, or laws against criticizing royalty or the state. However valid or invalid such relativism may be, it has been and will be used to justify a number of foreign remedies we're studiously trying to discourage around the world.

Another thing to be avoided globally is the fragmentation of addressing, something that can happen when court orders start mucking about with the DNS. Imprudently broad orders, or orders directed at the wrong targets (would root servers be included in the scope?) would have massive effects. More than that, though, a branch of the government restricting DNS resolution for foreign servers could invite retaliation, increasing the tangle of redirects.

And finally, there's a constant anxiety in many international forums about the United States' role with respect to the Internet and the memorandum of understanding between the Department of Commerce and ICANN. ICANN is located in the United States, just as Network Solutions (which manages the top level domains .com, .net, and .org). Exercise of US jurisdiction over these entities, with global effects, is often too readily portrayed as the US trying to "take over the Internet," with associated diplomatic headaches. The impulse to deal with infringing sites that sit beyond US jurisdiction is understandable, but the mechanisms used to deal with that have to be carefully tailored so as not to sweep in innocent parties, or upset delicate legal, technical, or political situations. As it stands, S. 3804 misses the mark in a variety of ways, and shouldn't move forward until these issues with it can be resolved.

Last Monday, the Senate Judiciary Committee introduced S. 3804, the Combating Online Infringement and Counterfeits Act. It proposes to target websites that distribute infringing materials by having the Attorney General shut down their domain names (if their registrars or registries are US-based), or by telling US-based ISPs and other online providers not to connect users to accused websites that have foreign-based domain names. While there are a number of websites infringing copyrights and trademarks with domains registered overseas, there are a number of serious problems with the way this bill tries to tackle them. These problems make the bill a danger to innocent and beneficial sites, create potential technical problems, and put it in conflict with the United States' agenda for a single, global, Internet.

Problem 1: False Positives for Infringers, False Positives for Their Supporters

This bill contains a host of problems, beginning with its broad scope. To begin an action against a website, the Attorney General has to show a court that the site is "dedicated to infringing activity." To fit into that category, the site either needs to be designed for, or marketed to offer infringing goods or services, or "enable or facilitate" infringement.

That phrase, "enable or facilitate," is a landmine of uncertainty. There's no question that in one sense, an ISP can enable online infringement just by providing users with service. The manufacturer of a computer that lets you use the site can be said to enable infringement as well. Less facetiously, the sort of online host of user-generated content can "enable" users to infringe, even if it tries hard not to, just as craigslist and eBay can enable or facilitate trade in knockoff goods (also targeted by the bill) as much as they'd like not to. Any of these entities could too easily be targeted for this treatment by the Attorney General. And while it's not likely that the Justice Department is going to mistake all of eBay or YouTube for a pirate site, a newer, smaller exchange site or video hosting service could more easily be slammed because of a few bad actors among its users.

Another overly broad definition lies in who exactly can get an order from the Attorney General telling them to stop doing business with the accused site. The section-by-section explanation for the bill specifically mentions ISPs, but the bill's language itself mentions

a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server.

Not only does this include any DNS server operator at all (which could also include small ISPs like colleges, libraries, and independent third-party operators), but section 512(k)(1) also defines a lot more than just ISPs. In fact, it includes any "provider of online services or network access, or the operator of facilities therfor." That scope has been interpreted to include far more than ISPs, including online hosting services, websites, blogs, and more. The breadth of this definition in the bill leaves nearly any online entity subject to an order from the Attorney General not to serve traffic to a site associated with a particular domain name, from a massive backbone Internet provider to a website run off of a creaky Pentium.

Problem 2: The Blacklist

One of the most troubling parts of the proposed bill is in subsection (j), which requires the Attorney General to keep a public list of domain names that it thinks, "upon information and belief," are "dedicated to infringing activities," but that it hasn't actually acted on. Any ISP, credit card company, ad network, or other online service provider who does business with a site that ends up on this blacklist is free to stop doing business with the site, and is immunized from any lawsuit that might result form them breaking contracts or cutting off service from that site.

It's problematic enough when the Attorney General has overly broad discretion to issue orders against a variety of businesses, but here, a much lower standard applies to putting websites on a blacklist. "Upon information and belief" isn't much of an evidentiary standard, and you can bet that the Attorney General is going to be lobbied hard by the entertainment industry and others to put certain sites on the list, whether or not those sites actually are engaging in infringement. (The bill requires the Attorney General to have procedures to receive information form the public about infringing sites.)

And the immunity for anyone acting on the basis of a site's presence on the blacklist positively encourages them to do so, based upon what could be as little as a submitted allegation. This is especially dangerous given potential impacts on the balance of secondary liability, which leads us to the next problem.

Problem 3: Secondary Liability

So say you're a credit card processor. What happens when a site you do business with ends up on the blacklist? Cutting them off is voluntary, but doing so doesn't create any liability for you. You lose a customer, but if you're Mastercard, that's not quite such a big deal in the grand scheme of things. On the other hand, what happens if you ignore the blacklist? Lots of copyright holders have been getting increasingly litigious and eager to apply new, expansive theories of contributory and vicarious infringement. Failing to cut off someone who is accused (by the Attorney General, no less!) of infringement could be interpreted as having constructive or even actual knowledge of infringement—perhaps enough to trigger "red flag" knowledge that takes you out of DMCA protections.

And the questions about secondary liability don't end there. As noted above, the actual sites accused of infringement by the Attorney General can be as tangentially connected to the infringement as being marketed as "enabling or facilitating" infringement. How does this square with the standard in Sony--that an accused device have a "substantial non-infringing use?" Without further refinement, this bill could shift the balance struck so far by the courts in this constantly evolving field of law.

Problem 4: DNS Blocking and Unintended Consequences

There's also real problems attending the way that the bill proposes to have ISPs and other DNS providers to "take reasonable steps that will prevent a domain name from resolving to that domain name's Internet protocol address." This seems to be a roundabout way to say that these entities would have their DNS servers point request for a domain elsewhere. This would mean more conflicts among DNS servers than there already are, as the Attorney General runs about issuing orders to various ISPs and other DNS operators located in the US. Meanwhile, these conflicts, as well, I'm sure as the lure of getting to domains barred by the larger DNS providers, can easily drive users to third-party systems of varying degrees of savoriness. ICANN has previously warned of the harms that DNS redirects can do to the Internet, and tampering with the reliability of that system even more could destabilize that system even faster.

Problem 5: Global Internet Freedom

But one of the largest concerns with the bill has less to do with legal arguments about definitions, jurisdiction, or interpretation. It's a question of political concerns in what we as a country do with problems on the Internet, and how those methods are perceived internationally.

However good the justifications may be that we can make for blocking DNS requests, or other information transfers, other countries will point to our example and provide their own justifications for their own blocking. Where we might find certain tracks infringing, another country's court might find a license valid; where we would protect harsh, hostile, or critical speech, other countries might disallow it with broader defamation laws, or laws against criticizing royalty or the state. However valid or invalid such relativism may be, it has been and will be used to justify a number of foreign remedies we're studiously trying to discourage around the world.

Another thing to be avoided globally is the fragmentation of addressing, something that can happen when court orders start mucking about with the DNS. Imprudently broad orders, or orders directed at the wrong targets (would root servers be included in the scope?) would have massive effects. More than that, though, a branch of the government restricting DNS resolution for foreign servers could invite retaliation, increasing the tangle of redirects.

And finally, there's a constant anxiety in many international forums about the United States' role with respect to the Internet and the memorandum of understanding between the Department of Commerce and ICANN. ICANN is located in the United States, just as Network Solutions (which manages the top level domains .com, .net, and .org). Exercise of US jurisdiction over these entities, with global effects, is often too readily portrayed as the US trying to "take over the Internet," with associated diplomatic headaches. The impulse to deal with infringing sites that sit beyond US jurisdiction is understandable, but the mechanisms used to deal with that have to be carefully tailored so as not to sweep in innocent parties, or upset delicate legal, technical, or political situations. As it stands, S. 3804 misses the mark in a variety of ways, and shouldn't move forward until these issues with it can be resolved.