Why HR1981 is not SOPA, how it is good for you, and what can be done to make it better.

by on Feb.02, 2012, under Observations

So I’ve gotten a few e-mails from Demand Progress and others claiming that HR 1981 is the new SOPA and asking us to fight this. Claims like “A direct assault on Internet users” have been made. So I went and took a look at this bill, and from what I can see there is no basis for this claim. In fact, from my years of experience working in the industry this legislation is badly needed, and will be greatly appreciated by nearly everyone. The claims being made by Demand Progress and the ACLU are completely off base.

Yes, SOPA was bad. SOPA had hundreds of unintended consequences. This bill isn’t SOPA. This bill doesn’t assault any legitimate Internet user. In fact, this bill is something we should be calling our representatives and asking them to support. And unlike these unsubstantiated claims, I’m going to show you in explicit detail why.

First, let’s talk about what the bill is. The text of the bill is very short, and I encourage you to read the entire text of the bill here. But I’ve extracted the only operational bit of the bill for you here:

(1) A commercial provider of an electronic communication service shall retain for a period of at least one year a log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.

(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity.

And just to be clear, they clearly define the target audience of this bill in the text definitions below:

(4) In this subsection—
(A) the term ‘commercial provider’ means a provider of electronic communication service that offers Internet access capability for a fee to the public or to such classes of users as to be effectively available to the public, regardless of the facilities used

So why is this bad? To be honest, it’s not clear to me that there is any reason at all that this is bad. This certainly isn’t an assault on any person. It doesn’t take away their rights, or their privacy. An internet address assignment is almost identical to a phone number. It is exactly the same as having the phone company record that your cell phone number was assigned to your phone device at a given time. If you commit a crime with that cell phone number, you can be identified. There is nothing private about having a cell phone number assigned to you which you should be worried about losing.

The only thing that this bill assaults is Internet Service Providers who are not meeting their ethical responsibility to ensure that their service is not being used to commit crimes. Let’s talk about that now:

So why is this good? This is perhaps the much better question. Requiring providers to keep records and make them available to law enforcement is good because it will allow those of us who work on the Internet to identify users who are committing crimes. Let me tell you about all the ways that this issue is abused today. In short, people with ill intent connect to the Internet through an ISP that doesn’t track user information well, acquire a dynamically assigned IP address and then use it to send

  1. Hate speech: People connect to the Internet and send hate mail, or post hateful statements, knowing very well that their ISP is far too busy counting the money to get around to identifying them. With this change, ISPs will be required to turn over the identifying user information to government entities investigating crime.
  2. SPAM: The vast majority of SPAM exists because individuals can connect to the Internet, acquire a dynamically assigned IP address and then use it to send spam. It was formerly used to send the spam e-mail; these days it is used to control botnets which send millions more messages. People trying to shut down the botnets are prevented from bringing these botnet providers to justice because of sloppy record keeping.
  3. Denial of Service attacks: This is a combination of the two above. Some people use ISPs to attack other services. Others use ISPs to control their botnets to attack others.

I’d like to point out that responsible ISPs already keep good records, and cooperate with law enforcement when they are investigating a crime. This change will only affect those companies who are ignoring their ethical duty to prevent their service being used for criminal actions.

What about unintended consequences?

As I read it, there is only one loophole which could be used for consequences not intended by the Internet anti-abuse community. The language for when this information can be accessed currently reads:

(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity.

This loophole could be entirely eliminated with a small change:

(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity investigating a criminal act.

What this change would do is prevent a government entity from asking for the information for any other reason.

Do you think I’m wrong about this? Please feel free to let me know if you feel I’ve overlooked something about this bill. If there are other concerns, let’s get them out here so that people know about them. But be polite. Focus on the issues. Take this as a chance to educate me (and others) about your concerns.

And finally, don’t talk down to people. They are smarter than you think. I’ve been full-time employed with more than 80% of my job dedicated to Internet security issues for over twenty years. I have spent years of my life trying to shut down people who use the internet to abuse and harass others. This is a subject I know deeply and well.

If you have some experience that gives you a different perspective, don’t just yell things. Share with us your background and the basis for your dispute.

2 Comments for this entry

  • Michael J DeLuca

    I disagree. What’s a criminal act? Pirating software. Pirating music. Leaking incriminating government documents. Whatever they say is a criminal act.

    Also, hate speech is protected. As much as we hate listening to it, denying internet access to people who use it doesn’t seem right.

    And I don’t think tracking IPs can stop Denial of Service attacks. The attackers are already using proxies for this, so the information would not be of use.

    On the other hand I totally agree that the people who send those hackle-raising emails inciting us to donate money to their causes are indeed treating us like idiots and I am routinely annoyed that they can’t tone down their rhetoric and talk sensibly.

    • jorhett

      Sorry for the late reply

      You said “I don’t think tracking IPs can stop Denial of Service attacks.” I have personally been involved with chasing down individuals who kept logging on different providers to issue their attacks. If the providers had maintained records, we could have captured the individual. In cases where the local police were willing to shut down the ISP and they finally provided the records, we were able to do so.

      You are also making the point for me regarding proxies, aka botnets. In my business it’s not too difficult to identify a compromised host and then set up a packet sniffer and identify the command-and-control connections it uses to get directives. Same problem here, where we isolate the source/controller and we need the ISP to have records so that we can shut them down.

      And finally, you said “What’s a criminal act? Pirating software. Pirating music. Leaking incriminating government documents.” Um, yes. They are criminal acts. I’m not saying that I don’t agree with a lot of the reasons for leakage, and I’m not saying that some of these laws don’t need changed. Many, many of these laws need a lot of changes. But I don’t agree that we should stop prosecuting all actions, prevent any effective enforcement (which is the case without this change) just because some of the laws are bad. Instead, we should get those laws fixed. I’m quite active in efforts to get those laws fixed. I also believe this is a good change.
