[governance] Filtering and Blocking Closer To The Core Of The Internet?

Riaz K Tayob riaz.tayob at gmail.com
Sun Nov 20 09:40:40 EST 2011


[Now just where are those vulgar proponents of US exceptionalism over 
critical internet resources (the don't worry it's in good hands crowd and 
you will break the internet) as this is pushed through while ordinary 
non-violent folk are pepper sprayed while marginal sanctions are pushed 
against brutal police officers?]



    Filtering and Blocking Closer To The Core Of The Internet?

Published on 20 November 2011 @ 1:00 pm



By Monika Ermert <http://www.ip-watch.org/weblog/author/monika/> for 
Intellectual Property Watch

With protests against draft US legislation like the Stop Online Piracy 
Act (SOPA) and the Protect IP Act ongoing and the European Parliament 
voting on 17 November for a resolution to request that the United States 
should be "refraining from unilateral measures to revoke IP addresses or 
domain names," politicians are talking a lot about technology for the 
internet domain name system. But at the same time, engineers are getting 
more political and are intensively discussing technology providing the 
tools for blocking -- by governments and private parties.

For the community that cares for the functioning of the domain name 
system (DNS), it came as a shock when Paul Vixie, founder of the 
Internet Software Consortium (ISC), said that the BIND software would 
allow the filtering out of sites with a bad "reputation" -- like listed 
malware sites -- and also the "rewriting" of DNS answers -- manipulating 
what people get to see when asking for domain names.

Vixie is a guru of the DNS and one of the authors of the letter by 
well-known experts against DNS blocking in the Protect IP Act. But he is 
perhaps best-known for being the father of BIND, which has for a decade 
been the open source tool that makes the DNS work.

More Filter-Friendly DNS Software

Jim Reid, one of the chairs of the DNS working group at the Réseaux IP 
Européens, said during a recent debate about principles that he was 
"rather saddened" by ISC's decision to allow the rewriting. "We're 
giving the bad guys tools," Reid warned.

The rewriting -- which sends back a "lie" upon a request to the DNS from 
someone looking for a website -- "also sends a rather nasty message 
saying it's okay to do this kind of thing." What is worse from the 
engineers' standpoint with the rewriting is that it breaks new measures 
to secure the DNS, because the "lies" are detected and dropped without 
users knowing what happened.

The "lying" is currently happening for domains seized by the US 
government agency ICE (US Immigration and Customs Enforcement), some of 
them legal in their country of origin, like the Spanish RojaDirecta.com, 
(a case discussed intensively by the experts). When typing 
RojaDirecta.com, users do not get to that site, but to a 
warning/blocking site by the ICE.

It is this kind of case that has stirred up debate in the European 
Parliament, pushed by the European Digital Rights initiative (EDRi). "By 
this you render a site and the data inaccessible without having any 
court order in the site owner's country," said Joe McNamee, who fought 
for the declaration now officially included in the Parliament's 
resolution on the upcoming European Union-US Summit of 28 November 2011.

The text of the Parliament resolution is here 
<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577>. 


Under the topic "Freedom and Security," the declaration stresses the 
need "to protect the integrity of the global internet and freedom of 
communication by refraining from unilateral measures to revoke IP 
addresses or domain names."

SOPA, McNamee warned, would be so broad that "it could be interpreted in 
a way that would mean that no online resource in the global internet 
would be outside US jurisdiction."

Of those who provide users with domain names -- with the so-called DNS 
registrars closer to the user and the user's jurisdictions -- it is the 
registry companies who manage the central database for zones like .com 
(for example) who are an easy target when it comes to take-downs. They 
keep the record of who every .com domain name is delegated to and inform 
those looking for a site where to go. So they can from a top spot in the 
DNS hierarchy point to a "wrong" location.

What makes things difficult is that many large registries, like VeriSign 
(registry for .com and .net) which changed the rojadirecta.com record, 
are located in the United States and while offering services globally in 
name, they in fact are bound by US law.

Registries -- Target for Take-Downs

VeriSign recently tried to get a new registry policy acknowledged by the 
Internet Corporation for Assigned Names and Numbers (ICANN), the DNS 
technical oversight body, which would have allowed the .com and .net 
registry (VeriSign) "to comply with any applicable court orders, 
laws, government rules or requirements, requests of law enforcement or 
other governmental or quasi-governmental agency, or any dispute 
resolution process." After a first wave of protests, the company backed 
off and withdrew the test for the time being.

Matt Pounsett from Afilias, the registry for .info and some other TLDs, 
explained the dilemma. While the registries certainly like people to see 
the correct DNS-answers that they send, "there are cases where even we 
participate in things like that, particularly domain take-down." Many 
take-downs were made when it was found out "that a particular domain is 
being used in a way that violates acceptable use."

Registry operators and software providers like ISC underline that the 
fight against malware mainly drives their interventions. BIND's 
filtering function will help the manager of a local domain to protect 
his network. Customers are pushing, for example, for options like 
rewriting, said Joao Damas, a developer at ISC.

The rewriting not only allows ICE to lead people to their website 
instead of Rojadirecta's, it also allows commercial companies to attract 
traffic to their search engine with recommendations and paid ads. Some 
big telecommunications providers, for example, lure users to their 
search site every time they mistype a domain name or simply look for 
something that does not exist.

"If we do not offer functionalities like the rewriting in our BIND 
software, we will drive them away from BIND," said Damas. BIND's new 
"reputation policy zone" function allows people to have names checked 
against lists of alleged bad actors, known spammers or 
malware distributors, and, in case of a match, not display the 
respective sites.

More Private Filtering

But what about the governance of increased private manipulation and also 
filtering that is enabled by better tools, asked Peter Koch, a DNS 
expert at Denic, the registry for the .de country code TLD of Germany. 
"When we talk about a near real-time facility that would enable certain 
groups to influence resolvers to block or rewrite resolution data," Koch 
warned, collateral damage and even liability issues could arise. The 
more sceptical engineers also warn that such interventions could make 
the deployment of secure DNS on the last mile to the user very 
difficult. As they, including Vixie, have worked for a decade to 
implement this kind of security, they oppose it from an architectural 
standpoint.

Civil liberty advocates like McNamee or Wendy Seltzer, co-founder of the 
project Chilling Effects, point to the difficulties for victims of the 
varieties of filtering possibilities to push back. Why can a DMCA (US 
Digital Millennium Copyright Act 
<http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act>) request 
from a private party lead to Google even filtering a part of the 
rojadirecta website included in the Spanish version and housed under 
.es, the country code TLD of Spain -- as actually happened?

"Today the biggest problem is there's too many things happening not 
based on legislation," said Patrik Fältström, chair of the Security and 
Stability Advisory Committee of the ICANN. Fältström belongs to the 
engineers hoping that fixing the political code might be the first 
necessary step to solve the problems. Only then would the next step be 
addressed, Fältström said: dealing with conflicting national 
legislation. A mega-size example is coming with regard to this problem: 
the introduction of new TLDs as approved by ICANN.

Could ICANN approve a domain name that is illegal in one jurisdiction? 
asked Fältström. Several jurisdictions have announced they would 
otherwise block complete TLDs, with new top level domains like .gay 
being only one example not being welcome everywhere in the world. Or 
should controversial new address zones be blocked at the outset by ICANN?

If the registries are close to the core, the root zone that lists 
existing TLDs (like .com, .net, .ch) and future ones could be seen as 
one core spot of the global internet.

With the new contract for the managing of this root function, the 
Internet Assigned Numbers Authority (IANA) contract, the US 
administration seems to have put itself in a difficult spot. The 
contract has been performed by the ICANN so far, and the US National 
Telecommunications and Information Administration oversees the work. The 
difficult spot for NTIA is that they will for every new TLD check if 
ICANN's procedure for approving a new TLD has been supportive of the 
"global public interest". What will the US do about potential knocks at 
their door from those who do not like to have a .gay or a .sex? It will 
be a difficult filtering function, close to the core.
