How SOPA's 'circumvention' ban could put a target on Tor

[Eugen Leitl]

http://news.cnet.com/8301-31921_3-57346592-281/how-sopas-circumvention-ban-could-put-a-target-on-tor/

How SOPA's 'circumvention' ban could put a target on Tor

Declan McCullagh

by Declan McCullagh December 21, 2011 12:24 PM PST Follow @declanm

A little-noticed section of the Stop Online Piracy Act could make it illegal
to distribute Tor and other software that can "circumvent" attempts by the
U.S. government to block pirate Web sites.

The controversial Hollywood-backed copyright bill allows injunctions to be
filed against "any" person, nonprofit organization, or company that
distributes a "product or service" that can be used to circumvent or bypass
blockades erected against alleged pirate Web sites such as ThePirateBay.org.
The U.S. government-funded Tor Project could be a target of SOPA's
anti-circumvention section.

The U.S. government-funded Tor Project could be a target of SOPA's
anti-circumvention section.

"It looks like SOPA would outlaw Tor," says Markham Erickson, an attorney
with Holch & Erickson LLP who runs NetCoalition. The trade association
opposes SOPA and counts Amazon.com, eBay, Google, and Yahoo among its
members.

This section of SOPA is straightforward enough: a copyright holder would
contact the U.S. Department of Justice to complain that a Web site is engaged
in piracy. Then the Justice Department would seek a court order from a
federal judge that would compel U.S.-based Internet service providers and
domain name system providers to render the target inaccessible.

But SOPA's author, Rep. Lamar Smith, a conservative Texan who has become
Hollywood's favorite Republican, anticipated that savvy programmers would
find a way around these virtual roadblocks. So Smith inserted language in
SOPA (PDF) -- it's not in the Senate's similar Protect IP bill -- allowing
anyone who knowingly and willfully distributes "circumvention" software to be
forced to remove it. (See CNET's FAQ on SOPA.)

"I worry that it is vague enough, and the intention to prevent tunneling
around court-ordered restrictions clear enough, that courts will bend over
backwards to find a violation," says Mark Lemley, a professor at Stanford Law
School who specializes in intellectual property law.

Smith's anti-circumvention language appears designed to target software such
as MAFIAAFire, the Firefox add-on that bypassed domain seizures, and
ThePirateBay Dancing and Tamer Rizk's DeSOPA add-ons, which take a similar
approach. (As CNET reported in May, the U.S. Department of Homeland Security
has tried, unsuccessfully so far, to remove MAFIAAFire from the Web.)

But Smith worded SOPA broadly enough that the anti-circumvention language
isn't limited to Firefox add-ons. In an echo of the 1998 Digital Millennium
Copyright Act's anti-circumvention section, SOPA targets anyone who
"knowingly and willfully provides or offers to provide a product or service
designed or marketed by such entity...for the circumvention or bypassing" of
a Justice Department-erected blockade.

Smith did not respond to questions from CNET yesterday asking whether Tor and
similar products would be affected. The Motion Picture Association of
America, the Recording Industry Association of America, and the U.S. Chamber
of Commerce, all of which have lobbied for SOPA, also declined to comment.
(See CNET's report on why the U.S. Chamber of Commerce loves SOPA.)

Wendy Seltzer, a fellow at Yale Law School and former intellectual property
litigator who is a member of the Tor Project's board of directors, says she's
worried about how the Justice Department would wield this language. The Tor
Project develops software to preserve online anonymity but which can also be
used to bypass SOPA-created blockades.

"Ordinary security and connectivity tools could fall within its scope,"
Seltzer wrote, referring to SOPA's anti-circumvention, anti-bypassing
language. She added in an e-mail to CNET: "Can actions for injunction be
brought against all sort of general purpose tools, causing nuisance and
expense even if the claims wouldn't hold up in court? Worse, if the
injunction succeeds, then further distribution without an appeal would face
contempt charges."

There's a bit of irony here: Tor was created by the U.S. government
(specifically, the U.S. Naval Research Laboratory). The subsequent
organization formed to develop the software, the nonprofit Tor Project, is
currently funded in part by multiple federal agencies that hope that it will
let Internet users in China and other repressive regimes bypass their
country's informational blockades.

The problem for Smith and other SOPA supporters is that
censorship-circumventing software -- and Tor has consciously used that phrase
to describe itself -- doesn't differentiate between China devising a list of
off-limits Web sites and the U.S. government doing the same thing.

During last week's SOPA debate in the House Judiciary committee, Rep. Zoe
Lofgren, a California Democrat whose district includes the heart of Silicon
Valley, offered an amendment to revise the anti-circumvention language.

"Those very same tools that we have worked to devise, that we have funded to
develop in some cases, are the same tools that could also be used by Internet
users in the United States to circumvent the blocking of a foreign infringing
site under the bill," Lofgren said.

Smith replied by suggesting that "you and I and others involved could write
language that would address your concerns." Lofgren agreed to withdraw her
amendment temporarily, as long as she could offer it again before a final
vote. The committee's debate on SOPA had been scheduled to resume this
morning, but Smith has postponed it until early 2012.

Lofgren's temporarily withdrawn amendment (PDF) said that SOPA "does not
include any product or service designed or marketed for the circumvention of
measures taken by a foreign government to block access to an Internet site."

A broad interpretation of SOPA's anti-circumvention language would sweep even
more broadly than Tor. Software such as VPNs, used by security-conscious
businesses, can also "bypass" a SOPA-established blockade. So could DNS
software. And even the humble "/etc/hosts" file, part of every major
operating system including OS X, Linux, and Windows, can be pressed into
service as a SOPA-bypasser as well.

Stewart Baker, Homeland Security's former policy chief who's now a partner at
the Steptoe and Johnson law firm, suggests SOPA's anti-circumvention and
anti-bypassing language would target Web browsers too.

It's hard to escape the conclusion that this provision is aimed squarely at
the browser companies," he wrote in a blog post. "Browsers implementing
DNSSEC will have to circumvent and bypass criminal blocking, and in the
process, they will also circumvent and bypass SOPA orders." A successful
injunction from the attorney general, Baker said, would shut down all
shipments of a Web browser "until it's been revised to the satisfaction of
his staff and their advisers in Hollywood."

To be sure, it's unlikely that the attorney general would try to force
Microsoft, Apple, and Mozilla to rewrite their operating systems or Web
browsers. Nor would federal judges automatically agree. But, argue SOPA's
many critics (PDF), the Justice Department shouldn't be granted such sweeping
authority in the first place.

David Post, a professor of law at Temple University who has been writing
about copyright law for over a decade, says that even after analyzing SOPA
(and organizing a letter from law professors protesting the legislation) the
anti-circumvention language remains surprisingly opaque.

"It's ambiguous to me," Post says. How far does it reach? "I don't know.
Which is bad."