Read full story: External Source

You know that the anti-exceptionalists have raised the white flag of surrender when they are forced to whine that the thousands of web publishers who went dark are "abusing their power” — thus admitting that a critical mass of Western society's eyes are turned toward the Internet and that the people who occupy and publish and interact in that globalized space constitute enough of a cohesive community to collectively turn against those who threaten them.

It doesn't matter whether one is on the pro-control or anti-control side of the spectrum; governing the internet forces a choice upon one: either go for new and unprecedented forms of technical intervention and transnational political cooperation, or go for some kind of ratification and institutionalization of the Internet's special status as a zone for the free flow of information and a diminished role for territorial government and traditional informational property rights.

Mind you, one needn't be a cyber-utopian to be an Internet exceptionalist. In other words, you don't have to believe that the Internet will by its very nature make politics fair and democratic and that the good guys will always win. SOPA or some equivalent could rise again, in some other form. Some key actors could be bought off with some concessions in the new legislation. The mobilized community's resolve could weaken over time, as it grows accustomed to things. We need to be heedful of Benkler's warning that as the networked environment resists control, there will be strong pressures to suck ever more of it into the law enforcement vortex. But surely, after 15 years of these battles (starting, roughly, with the CDA mobilization of 1996) we can dismiss these jaded admonitions that Internet regulation is just business as usual. If the Internet stops being an exception, we will have no one but ourselves to blame.

Written by Milton Mueller, Professor, Syracuse University School of Information Studies

Geist writes: "With Bill C-11 back on the legislative agenda at the end of the month, Canada will be a prime target for SOPA style rules. In fact, a close review of the unpublished submissions to the Bill C-32 legislative committee reveals that several groups have laid the groundwork to add SOPA-like rules into Bill C-11, including blocking websites and expanding the 'enabler provision' to target a wider range of websites. Given the reaction to SOPA in the U.S., where millions contacted their elected representatives to object to rules that threatened their Internet and digital rights, the political risks inherent in embracing SOPA-like rules are significant."

Read full story: New York Times

Other sources: (UPDATED Jan 19, 2012 12:40 PM PST)
The Internet Spoke and, Finally, Congress Listened! EFF, Jan.20.2012
Lawmakers try to keep anti-piracy bills on track AP, Jan.19.2012
PIPA support collapses, with 13 new Senators opposed Ars Technica, Jan.18.2012

"Right now, Congress is debating a few pieces of legislation concerning the very real issue of online piracy, including the Stop Online Piracy Act (SOPA), the PROTECT IP Act and the Online Protection and Digital ENforcement Act (OPEN). We want to take this opportunity to tell you what the Administration will support—and what we will not support. Any effective legislation should reflect a wide range of stakeholders, including everyone from content creators to the engineers that build and maintain the infrastructure of the Internet.

While we believe that online piracy by foreign websites is a serious problem that requires a serious legislative response, we will not support legislation that reduces freedom of expression, increases cybersecurity risk, or undermines the dynamic, innovative global Internet."

Read full story: Computerworld

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers rather than by bloggers. REFUSED will not work for PIPA and SOPA's purposes, for two important reasons.

First, as I explained in DNS Policy is Hop by Hop; DNS Security is End to End, there is no security for the REFUSED signal. Since IP source addresses are easily forged no secure application can ever take an unsecure signal seriously. In DNSSEC, even failures must be secure or else any attacker can control the decisions made by an app. Since one such possible decision might be to retry an operation using a less secure method, we would call this a "downgrade attack". DNSSEC secures the data from end to end — meaning from the DNS content server to the secure client — but does not secure any of the messages that flow hop by hop through the DNS system — including REFUSED. In fact, the intermediate servers (including the ISP name servers to be regulated by SOPA and PIPA) don't have any kind of trust relationship with each other and can neither generate nor verify any secure messages. This may seem like an oversight but I was there and I remember this as a conscious and deliberate decision based on the cost-to-benefit ratio of adding hop by hop security to DNS. High cost, low benefit: no sale.

Second, and more importantly, REFUSED is the wrong signal. The preeminent DNS software on the Internet is BIND, whose market share has declined from 99% to 85% in the last 25 years. I maintained and rewrote BIND from 1989 or so until 1999 or so and I am also the author or co-author of a half dozen or so Internet RFC documents on the subject of DNS. So I know that we send REFUSED in response to a query when we don't like the client's IP address — DNS servers do not even look at the question before deciding whether to send REFUSED. On the client side, if we hear a REFUSED we give up on that server and move on to the next server — which means we assume that it was the client's IP address that the server is refusing, not the question we happened to be asking at that moment. Microsoft Windows will actually "de-preference" a name server if they hear too many REFUSED messages from it — so BIND is not the only DNS software that interprets REFUSED in this way. What this boils down to is that REFUSED is all about the relationship between the client and the server, and has nothing to do with the particular question being asked. If SOPA or PIPA becomes law with a requirement to signal REFUSED when someone looks up an infringing or pirate domain name, then in the language of DNS we will be saying "please stop asking this server any questions at all." There is no signal in DNS that means "that's a bad question but please feel free to ask other questions."

This means a classic non-secured DNS client will react to a REFUSED signal by treating the server as broken and just asking the next available server — hoping to find a server that is not broken. Whereas a newer DNSSEC client will react to REFUSED by ignoring it and continuing to wait — hoping for a real answer that might follow close on the heels of the potential forgery. In the unsecure case, the client will often do what the proponents of SOPA and PIPA would seem to want — display an error message in the web browser — but will occasionally just repeat the whole transaction a fraction of a second later, increasing the load on the ISP's name servers. In the DNSSEC case, the client will not do PIPA or SOPA are asking, there will just be delay followed by trying some other server, or retrying through a proxy, or otherwise circumventing what will look to DNSSEC like just another broken hotel or coffee shop wireless network.

In summary, REFUSED doesn't mean what supporters of SOPA and PIPA want it to mean and no amount of new law can change that. There is in fact no signal in DNS that conveys the meaning of SOPA and PIPA, and every protocol perturbation thus far suggested by the supporters of SOPA and PIPA will look to DNSSEC like an attack or failure requiring circumvention. I urge anyone interested in adding new signals to DNS to please participate in the Internet Engineering Task Force (IETF) to work on a new Internet RFC document on this topic. As an open and transparent peer driven engineering forum, the IETF is ideally placed to study this problem, determine whether a solution is possible, and standardize such a solution for use on the global Internet.

Written by Paul Vixie, Chairman and Chief Scientist, Internet Systems Consortium

First, let us say that Afilias supports SOPA's ultimate outcome, which is intellectual property protection. The protection of intellectual property is as important to technology companies as it is to musicians and movie producers. However, if the US is to attempt to tackle the problem with legislation, it should do so in a way that does not increase risk to its citizens and reduce confidence in the Internet.

One significant problem with SOPA is technological. Afilias is a strong supporter of DNSSEC, the next-generation security standard for trustworthy DNS, but some of the provisions of SOPA threaten to undermine the security leaps that the technology is ready to create. DNSSEC promises to make the DNS more reliable, mitigating the risk of phishing and pharming. Chains of trust, connecting through a distributed network of cryptographic signatures, will enable applications to ensure that criminals do not tamper with domain name queries.

For DNSSEC to reach its full potential, though, the chains of trust must be end-to-end; the standard was developed to prevent DNS-based man-in-the-middle attacks. SOPA, however, would require ISPs to execute what DNSSEC would interpret as a man-in-the-middle attack every time they are forced to block an allegedly abusive domain name. If applications are unable to tell the difference between a criminal attack and a legal, court-mandated interception, DNSSEC could become virtually useless.

The legislation would also make it easier for criminals to engage in many types of online fraud, including identity theft. This unintended consequence would come about largely as a result of user behavior.

SOPA would require American ISPs to redirect or ignore DNS queries destined for allegedly infringing websites; however, their customers are under no obligation to use their ISP for DNS service and these blocks will be trivial to circumvent. Even today, millions of Internet users choose to take their DNS from third-party services such as OpenDNS and Google since switching providers takes just a few minutes and requires virtually no technical knowledge. Now, even before SOPA passes, we're already seeing the emergence of rogue overseas DNS providers — some of them operating via easy-to-install browser plug-ins — that promise to resolve piracy domain names even if they are subject to a SOPA interception order.

Third-party DNS providers offer a valuable service to Internet users, but DNS services that are created purely to enable access to pirated material risk the security of their users. Criminals will be able to transparently capture all DNS traffic, including traffic destined for banks and other financial institutions. They will be able to send unwitting victims to phishing servers they control. Imagine losing your banking security credentials to an attacker because your teenager reconfigured the DNS settings on your shared home computer. That's a probable risk when DNS filtering becomes the legal norm.

Fortunately, SOPA is not inevitable. While it has the support of some lawmakers, others are starting to pay serious attention to the concerns of the Internet's technical experts, as well as the people who elected them.

When Congress returns in early 2012 to consider SOPA and other anti-piracy legislation, Afilias hopes the volume of dissent will have been turned up sufficiently that lawmakers will not be able to ignore the very real problems the legislation could create.

That's all I can really say.

Who would have ever believed that .XXX would finally be approved AND launched, total domains registrations would continue to grow at 10% year over year, ICANN would be in the process of preparing for the launch of new gTLDs in the face of harsh criticism, and that both Go Daddy and Group NBT would be acquired by private equity firms.

As we look back over the past year, here are the top 10 biggest domain stories of 2011:

10 – To Mark Cyber-Monday, US Government Continues Practice of Domain Seizures

On November 28, U.S. Immigration and Customs Enforcement's (ICE), Homeland Security Investigations (HSI), the National Intellectual Property Rights Coordination Center (IPR Center), the Department of Justice and the FBI Washington Field Office seized 150 domain names that were illegally selling and distributing counterfeit merchandise. The 150 seized domains are in the custody of the federal government. Visitors to these websites will now find a seizure banner that notifies them that the domain name has been seized by federal authorities and educates them that willful copyright infringement is a federal crime.

9 – Total Number of Worldwide Registrations Reach 220 Million

With a base of close to 220 million registrations worldwide, 2011 saw close to 10% increase in total registrations over 2010 as reported by Verisign.

8 – Secondary Domain Market Remains Strong

Even with the launch of hundreds of new extensions expected in 2013, the secondary market for domain names remained healthy. Top reported domain sales in 2011 included Social.com for $2.6 million, DomainName.com for $1 million and Aktien.de (Stocks in German) for $725,000.

7 – ICANN CEO Leaves ICANN after Single Term

After just one 3-year term, ICANN CEO Rod Beckstrom announced that he will be leaving the agency in July 2012. According to his list of accomplishments, Beckstrom helped coordinate system of unique identifiers and global, interoperable Internet, with excellence; executed on every single major ICANN strategic initiative (100%); and helped evolve ICANN into a world-class institution.

6 – An Unprecedented Number of Registrar Acquisitions Occur

On July 1, Go Daddy announced that it agreed to be bought by private-equity firms KKR & Co., Silver Lake Partners and Technology Crossover Ventures for $2.25 billion. Then in August, Web.com announced their acquisition of Network Solutions for $560 million in cash and stock. Finally, on November 25, it was announced that Group NBT (parent of NetNames, Ascio, Speednames, Envisional, Easily.co.uk and Indom) was acquired by HG Capital for $236 million.

5 – ccTLD Registries Make Efforts to Improve Online Security

As predicted in 2010, a number of ccTLD Registries (including .AF, .CX, .GS, .GY, .KI, .NF, .NL, .PR and .TL.) adopted Registry Locking programs in 2011. Previously, only .COM, .NET and .BIZ had offered Registry Locking programs. A domain that is set to a Registry Lock status cannot be updated using automated commands and an offline security protocol must be completed before the domain can be modified in any way. Registry Locked domains are impervious to hijackings, erroneous name server updates and social engineering attacks.

4 – SOPA (Stop Online Piracy Act) Faces Strong Opposition

The bill would allow the U.S. Department of Justice, as well as copyright holders, to seek court orders against websites accused of enabling or facilitating copyright infringement. Proponents of the bill which include media conglomerates and pharmaceutical companies claim that it protects intellectual property, while opponents which include some of the world's largest Internet properties, coalitions of law professors, and groups of engineers claim that it threatens First Amendment rights and could cripple the Internet. Go Daddy, initially an proponent of the bill, quickly changed their tune when backlash to their support became apparent.

3 – Registrar Security Breaches Abound

In 2011, a number of domain registrars suffered breaches and outages resulting in redirected websites, possible malware infections, non-responsive websites and compromised usernames.

The first attack occurred on September 4 when hackers were able to update nameservers for domains managed by NetNames, a corporate-focused, UK-based registrar. High-profile domains were redirected to a page that stated, "4 Sept. We Turkguvenligi declare this day as World Hackers Day — Have fun ;) h4ck y0u."

Not ten days later on September 14, hundreds of websites hosted by Go Daddy were compromised when logins and passwords were used to access accounts. Visitors to affected sites (originating from search engines) were redirected to a site that attempted to download malware to their respective computers.

At the end of September, NetRegistry, an Australian-based registrar, suffered a DDoS (Distributed Denial of Service) attack. Customers using NetRegistry's web-hosting services reported intermittent access to their websites.

Finally, on December 23 as part of an ICANN requirement, Melbourne IT erroneously sent WDRP (Whois Data Reminder Policy) notices to the wrong accounts resulting in thousands of breached usernames. Melbourne IT stated that no passwords were sent, and that access to an account could only be gained with both the username and password.

2 – .XXX Is Approved and Launched

After years of back and forth, the ICM Registry finally received approval from ICANN to operate .XXX. On September 7, the ICM Registry began accepting Sunrise Registrations which offered trademark owners the ability to purchase a block of the trademarked string for a period of 10 years. The ICM Registry has made concerted efforts to protect the rights of brand owners in other ways too. The .XXX zone file currently contains ~106,000 registrations.

1 – Despite Harsh Criticism ICANN Remains Committed to Launching New gTLD Program

ICANN's new gTLD Program will open up the top level of the Internet's namespace (to the right of the "dot") to purportedly "foster diversity, encourage competition, and enhance the utility of the DNS." Currently there are only 22 gTLDs (.com, .net, .org) and 250+ ccTLDs (.fr, .de, .cn).

Despite the benefits espoused by ICANN, the Program has received harsh criticism from the Association of National Advertisers (ANA), the Direct Marketing Association (DMA) the Interactive Advertising Bureau (IAB) and the Coalition for Responsible Internet Domain Oversight (CRIDO). The FTC also expressed their concerns to ICANN regarding the new gTLD program.

Both the US House and Senate also held hearings in 2011 on the topic of new gTLDs.

Regardless of the recent criticisms, ICANN is moving full steam ahead with the new gTLD Program. Applications for new gTLDs will be accepted from January 12, 2012 to April 12, 2012. Experts believe that there will likely be hundreds of applications for new gTLDs submitted during this first round.

So What Will 2012 Bring?

I believe that ICANN will open the new gTLD application period without any glitches, and that many will be surprised at the actual number of applications submitted. However, as new gTLD registries will not become operable until 2013, the real heartburn for brand owners will not be felt until next year.

Also, I am sure that we will continue to see security breaches at both the Registry and Registrar levels and that the sophistication of these attacks will continue to increase.

But whatever the new year brings, I'm certain that it won't be business as usual. In the domain industry — it never is.

Written by Elisa Cooper, Director of Product Marketing at MarkMonitor

There is the domain registration itself, which signals existence of a domain into the appropriate top-level domain's DNS zone.

For example, if the domain "example.com" was a foreign infringing site, a law enforcement agency could petition Verisign (the registry operator of the .com TLD) to remove the relevant DNS records that provide the delegation for example.com. In fact, this type of behavior isn't SOPA specific and our current judicial framework permits this to happen today.

One should note that the impact of such a suspension would have a worldwide impact. All users of the domain name would no longer be able to access services offered by that domain.

There's the authoritative DNS service for example.com which could be terminated.

A delegation for example.com is made from Verisign to the domain's authoritative DNS provider to a company such as Dyn. If a foreign infringing site were to be supported by a U.S. authoritative DNS provider, law enforcement could petition the authoritative DNS provider to remove support for the domain by terminating authoritative DNS service. Again, this would cause a worldwide suspension of services for the domain, but unlike a registry level termination, the alleged infringer could move services to another authoritative DNS provider and continue doing whatever he/she was doing utilizing the newly acquired authoritative DNS service.

There's recursive DNS interception, redirection and alteration (which is the primary technique contemplated by SOPA) that would be implemented at the ISP level.

Unlike TLD and domain authoritative nameservers (of which any set are under the same common administrative control, i.e. Dyn), recursive DNS servers are deployed Internet wide in clusters throughout ISPs. Under SOPA, U.S. ISPs would be required to accept an additional "feed" of data which would include a list of known or alleged domains participating in foreign infringement.

The feed would be used to block DNS queries made for foreign infringing domains and would remove U.S. access of these domains for users of U.S. ISPs. The feed could be incorporated into DNS using a variety of techniques including deep packet inspection (DPZ), a software interface such as BIND's Response Policy Zones (RPZ) or even by creating false zones in the recursive DNS servers view.

From Dyn's perspective, the third option — ISP-based DNS query manipulation — is the most hazardous to the health of the global DNS.

Implementing such a solution breaks the distributed tree of authority concept used by the DNS by "injecting" U.S. nationalized pieces of DNS policy into the system. ISPs around the United States would become responsible for implementing, maintaining and monitoring these SOPA feeds into their DNS infrastructures, creating an additional layer of operational complexity for their DNS operations. Additionally, since not all DNS systems permit the inclusion of external data feeds to support local policy, many operators would be required to upgrade the recursive DNS infrastructures in significant ways.

There's a number of conditions that could occur where a SOPA-fed recursive DNS server could hand back incorrect DNS data or be circumvented all together. If an ISP were to have issues pulling the SOPA feed or clearing domains from the SOPA list, a single domain could be blacklisted in the United States when it is perfectly legal to be used. If the source of a SOPA feed were to ever be compromised, an attacker could take critical Internet infrastructure domains offline by adding them to the feed (i.e. root-servers.net).

Savvy users could simply bypass a SOPA-enabled recursive DNS server by pointing their DNS settings to an off-shore recursive DNS server. Technically savvy networks might respond by blocking port 53 externally or by hijacking port 53 traffic on their network to their SOPA-enabled recursive DNS resolvers. Anyone want to bring Net Neutrality into this discussion? What would happen to users if an infringer decided to setup a "free, non-SOPA" recursive DNS server for users to use — one that additionally hijacked legitimate banking, ecommerce and business websites, too?

It is Dyn's opinion that the technical implementation techniques contemplated by SOPA do more damage to the global DNS than help solve the problem it aims to tackle. There are existing law enforcement techniques available to deal with copyright infringement today at the registry level, so we ask why are they not being effectively utilized? Must we resort to breaking the DNS?

After I finished reading this op-ed, I began to see that there is not a clear understanding among DNS laymen as to the difference between "end to end" and "hop by hop" signaling systems. I hope to illuminate this difference and its relevance to the policy debate about DNS controls as contemplated by the Stop Online Piracy Act (SOPA). I will use the story of DNSSEC's treatment of NXDOMAIN as an illustrative example. My goal is to move the underlying debate forward to a new stage where the questions being debated are respectful of both the laws of physics and the rules of the DNSSEC protocol.

DNSSEC is an "end to end" system, where digital signatures are applied to DNS data by the originator of that data — who is the owner of the DNS name. So, only the United States Government (USG) can authoritatively state that the Internet address of INTERWEB.NIC.MIL is 207.132.116.20, because only USG and its contractors possess the private signing key that is known used by NIC.MIL. If any ISP who carries this DNS information decides to modify it in any way, then the digital signature will be wrong. Any DNSSEC capable name server or web browser would discard the modified DNS information because its digital signature would not match the signing key for NIC.MIL. Similarly, any DNS answer that arrives without any digital signature at all would also be discarded, since the receiving DNS server or web browser would know that NIC.MIL is signed and so would have to assume that any unsigned response is a "man in the middle" attack of the kind popularized by Dan Kaminsky in 2008.

DNS has several possible response codes, of which two (0 for "success" and 3 for "name error") are end to end, meaning that they are assertions which can only be made by the owner of a name. To secure the DNS it was necessary to add digital signatures for both of these response codes. Continuing from the above example, only USG and its contractors possess the signing key needed to authoritatively state that FOO.BAR.MIL does not exist. If any ISP between the USG name servers for ".MIL" and the end user's name server or web browser modifies a response to assert that something does not exist when it actually does exist, then this modification will be detectible by the absence of a digital signature, or by the presence of an invalid digital signature. There is just no way for intermediaries to successfully insert lies into the DNS data stream once DNSSEC is in use.

The other DNS response codes, such as 1 for "format error", 2 for "server failure", 4 for "not implemented", and 5 for "refused", are "hop by hop" codes. They tell an end user's name server or web browser nothing about the name they are looking up. Rather, these codes are statements about the name server itself. Because digital signing keys are associated with domain names and not with name servers, none of these other response codes is secured by DNSSEC. So, when an end user's name server or web browser receives a DNS message containing one of these response codes, there's a viable possibility that the message was generated by an attacker — a "man in the middle". Secure systems including both DNSSEC itself as well as any applications based on DNSSEC will necessarily ignore these unsigned responses or else they would be susceptible to a "downgrade attack". If a banking application is trying to start up in its most secure mode and sees a "NOTIMP" or "REFUSED" response, its reaction will be to try other name servers hoping to find one that is not broken in the same way. Failures and attacks have an identical appearance to a properly secured system.

It may be possible to design "hop by hop" security into DNSSEC. However, this was not a development goal during the major DNSSEC development effort from 1996 to 2009. Doubtless there are strong governments around the world who would like to be able to modify DNS data in flight without triggering any suspicion by their end user citizens or by secure applications. It is not too late for such governments to form a work party for these features and to offer their detailed design to the the IETF for consideration in a future edition of the DNSSEC protocol, and if successful, work to incorporate these new features into the Internet's operating DNS. Until and unless that is done, DNSSEC will remain tamper-proof.

It would be ignorant and wrong-headed to codify in law a requirement that hop by hop security features be used before there is proof that these features can be defined and deployed in what is today an end to end security system.

Written by Paul Vixie, Chairman and Chief Scientist, Internet Systems Consortium

I finally got around to reading the text of the Stop Online Piracy Act (SOPA) today. While the ostensible intentions are to combat online piracy and the sale of counterfeit goods, the bad news is that the legislation contains elements which basically puts every single domain registered under generic TLDs under the authority of the United States Attorney General.

We have already seen in cases if the ICE domain seizures, improper takedowns and overreach resulting in the takedown of tens of thousands of websites when a single one was the target.

How does this affect you?

Our objections to SOPA are very similar to our objections to Verisign's recent proposal which contained overly broad takedown powers and could be used to assert US law (and "requests") on all domain holders internationally.

We consider SOPA far more pernicious because it is possibly to become US law, rather than a policy implemented by a private company (albeit one that holds a monopoly on large tracts of internet namespace).

SOPA differentiates between "domestic" and "foreign" domain names, but the definition of "domestic" basically includes all domains registered under any of the gTLDs (generic Top Level Domains), because their respective Registry operators are US-based entities:

(3) DOMESTIC DOMAIN NAME- The term `domestic domain name' means a domain name that is registered or assigned by a domain name registrar, domain name registry, or other domain name registration authority, that is located within a judicial district of the United States.

All domains under .com, .net, .org, and .biz are "assigned by" a domain name registry in the United States. Verisign, Public Interest Registry and Neustar respectively. Afilias is incorporated in Ireland, however they are operationally in the US. And at the end of the day, all domain names exist in namespaces assigned by ICANN, which is a California corporation.

So basically this means everything. Any domain, any TLD, anywhere, can be cutoff at the knees by the US Attorney General issuing a court order against a service provider, registrar or registry. (Although they may find it more difficult to assert beyond the generic TLDs. ICANN cannot for example, operationally takedown a domain inside some given ccTLD, the way Verisign or some other gTLD registry could simply yank any domain's nameserver records out of the rootzones.)

Perhaps for the scope of this discussion, only gTLDs are at risk. This means you can probably ignore all of this unless your domain is under com/net/org/biz/info, or you use a US-based registrar, service provider or your website is ever visited by anybody from the United States.

Where This Is Going.

If this becomes law, it's a short stretch from SOPA to NODA (No Online Dissent Anywhere) and if you think I'm a nutcase for saying so, I'd like to remind everybody what happened just over a year ago, when US politicians were tripping over themselves to shut down wikileaks (a royal fiasco in which this company was embroiled) and to this day, they have not been charged with a crime anywhere.

Many of the "dirty tricks" employed against Wikileaks would be enshrined on law under SOPA (and someday, NODA):

• A requirement that service providers block access to offending domains, including that they stop resolving their DNS
• Search engines to purge search results for offending domains
• Payment processors to sever ties to offending domains

And they added an extra provision that it will be an offense to knowingly create a service or system to provide a workaround to a banned domain or host. So for example, they would no longer have to hassle Mozilla to remove that firefox plugin that let's you reach ICE blocked websites, it would be illegal to make it or distribute it.

While this is an Online Piracy law, it already contains additional "enhancements" under Title 2: Additional Enhancements to Combat Intellectual Property Theft:, namely:

• SEC. 201. STREAMING OF COPYRIGHTED WORKS IN VIOLATION OF CRIMINAL LAW.
• SEC. 202. TRAFFICKING IN INHERENTLY DANGEROUS GOODS OR SERVICES.
• SEC. 203. PROTECTING U.S. BUSINESSES FROM FOREIGN AND ECONOMIC ESPIONAGE.

Where All This Ends

Even if ICANN is officially against SOPA (Former chairman Vint Cerf wrote a good letter opposing it), failure on ICANN's part to oppose SOPA would mean catastrophic failure in their mission of overseeing the namespace to the benefit of all stakeholders.

If this happens, there needs to be a serious conversation around a topic so incendiary, so heretical that I will probably become persona non-grata within domain policy circles for saying it, but I'm going to say it:

The Internet RootZone would have to be administered by a non-US Entity instead of ICANN.

The reason why is because the internet root is held together largely through two things:

• Consensus
• Convention

As all of the world's peoples, businesses and websites come increasingly under the jurisdiction and law of a single country, consensus will fragment. The internet root will have to be under the stewardship of an honest broker who can respect the rights of all sovereign interests as they relate to the internet.

Otherwise, it ends with a split internet root, if we're lucky. If not, it ends with a completely Balkanized one, because while it may not be the case now, as this escalates (and I suspect it will), it will pose intolerable risk to non-US entities of all stripes.

Already we get business from companies whose stated corporate IT policy is to not use US based servers to hold email or route web traffic. I'm not talking about torrent hosts, whistleblowers and fake Rolex vendors. We're talking large enterprise entities whose legal departments find even the theoretical legal ability for Homeland Security to monitor their corporate communications simply intolerable.

While I'm not complaining about the extra business, I still smell trouble on the horizon.

Written by Mark Jeftovic, Co-Founder, easyDNS Technlogies Inc.

No Internet user is required to use the Domain Name servers provided by their ISP. And if millions of American citizens who for whatever reason want to engage in online piracy can no longer do so because Congress has passed this law and their ISP is now filtering the citizen's DNS lookups, well, those citizens will have dozens if not thousands of off-shore Domain Name servers they can switch to with the click of a mouse.

This is an important point since if federal law is changed to mandate that hundreds of millions of dollars be spent by ISP's blocking the estimated hundred or so domain names used by the worst off-shore offenders of U. S. copyright and trademark law, then we'd all like to have some assurance that American consumers will respect this blockade. We would call those consumers "unintended infringers" because they are infringing U. S. copyrights and trademarks now, but are doing so in ignorance, and if they knew they were stealing, they wouldn't do it. We know that no "intended infringers" — who already know they are stealing when they buy pirated or infringing goods online — will be stopped by any federal law, since the Internet just doesn't work that way. From the same article:

The Great Firewall of China is built to a massive scale and could easily cope with this sort of problem. Since we in America would never monitor and restrict Internet traffic at that scale, the best Congress could hope for would be a symbolic gesture that merely indicates our country's displeasure with online piracy and infringement — without stopping such activities or even slowing them down by much.

Today I happened across a recent report from Cisco Systems entitled "Beg, Borrow or Steal? Young Professionals, College Students Admit They'll Go to Extreme Measures for Internet Access Despite IT Policies, Identity Theft Risks", which studies the infringement motives of a statistically meaningful population. Here's an excerpt:

"Of those who were aware of IT policies, seven of every 10 (70%) employees worldwide admitted to breaking policy with varying regularity. Among many reasons, the most common was the belief that employees were not doing anything wrong (33%). One in five (22%) cited the need to access unauthorized programs and applications to get their job done, while 19% admitted the policies are not enforced. Some (18%) said they do not have time to think about policies when they are working, and others either said adhering to the policies is not convenient (16%), they forget to do so (15%), or their bosses aren't watching them (14%)."

What this means from a high level policy perspective is that we really can put "unintended infringer" into the "myth" category.

Written by Paul Vixie, Chairman and Chief Scientist, Internet Systems Consortium