The PROTECT IP Act, known as PIPA, yesterday passed through the Senate Judiciary Committee with only minimal changes. The current draft bill is here. The good news is that the approval was quickly met by a much-welcome hold on the legislation from Senator Wyden of Oregon.
Wyden sums up our concerns with the bill very nicely:
At the expense of legitimate commerce, PIPA’s prescription takes an overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective. The collateral damage of this approach is speech, innovation and the very integrity of the Internet.
On the more granular side, we have a few additions to the issues raised in our earlier post about PIPA:
The amended bill versus the bill as introduced
The current amendment includes an especially unfortunate edit that the Senate Judiciary Committee failed to highlight in a summary of changes. PIPA enables both the Attorney General and private parties to bring cases against websites “dedicated to infringing activities.” Under the first version of the bill, if a plaintiff “through due diligence” couldn’t find someone within the United States to sue, the Attorney General, but not a private litigant, was allowed to pursue a claim directly against the domain name of the site. This kind of action is called in rem and refers to a court’s power to issue orders against property without involvement of the owner or other person related to the property. After yesterday's amendments, PIPA allows private litigants to sue in rem as well. As a general matter, the ability to get court orders against an entire website without the site owner’s prior knowledge, much less ability to protest, in and of itself raises concerns about due process. It also raises First Amendment concerns given that the actions target entire websites, including lawful speech on those sites. Extending this power to private parties increases the likelihood that it will be abused.
DNS implications
When COICA was introduced in the Senate last fall, EFF wrote about its dangerous implications for the Internet’s domain name system (DNS). These remain true for PIPA, despite the removal of a provision that would have required registrars and registries to block domain names pointing to sites “dedicated to infringing activities.” Because blocking via registries and registrars underlies Immigration and Customs Enforcement’s ongoing practice of seizing domain names, taking this device out of PIPA is a small gain. The bill will still require targeted DNS server operators like ISPs to prevent an identified domain name from resolving to the domain's IP address, thereby preventing their users from accessing those sites. As a result, the warnings that we and others gave last year about serious security vulnerabilities and a fractured Internet are unchanged.
But the new bill goes even further. Where COICA didn't bother to define “domain name system server,” PIPA says this:
the term “domain name system server” means a server or other mechanism used to provide the Internet protocol address associated with a domain name
The inclusion of the words “or other mechanism” vastly increases the potential scope of the definition, at the risk of extreme and unintended consequences. The term could sweep in, for example, operating systems, email clients, web clients, routers, and a host of other technology. This may be a simple blunder due to technical ignorance on the part of the drafters, defining “server” so broadly as to mean effectively “client.” If so, that’s troubling enough. If not, this bill has even more grave implications for the health of the network than we thought.