COICA amended, still threatens Internet security

Responding to a cacophony of opposing voices citing free expression and global governance concerns, the proposed Combating Online Infringement and Counterfeits Act (COICA) has been slowed down for now. COICA is now scheduled to be taken up during the lame duck session following the November elections, which makes this “intergalacticly bad idea” still very dangerous. Those legislators who won't be returning have nothing to lose, so they might as well placate the well-funded and powerful intellectual property lobby behind it.

An amended version of the bill is now floating around. A comparison reveals that staffers are getting feedback from the network operators who will have to implement the process, namely ISPs and registrars. Changes have been made in an attempt to limit COICA's effects on the operation of the global DNS. However, an underappreciated facet is how the bill's attempt to use Internet intermediaries to enforce intellectual property rights (IPR) could impact the Internet's security.

Notable changes to the text include:

  • The legislation is now clearly targeted at registrars and ISPs, or those operating recursive domain name servers, not at operators of authoritative domain name servers (e.g., VeriSign is authoritative for com).
  • Affected parties will not have to modify their network or other facilities, or take any additional steps in DNS lookups to comply with an order, or continue to prevent lookups if they have been disabled by another party.
  • It is up to the affected parties to determine how, if at all, to communicate (to the registrant) the actions it is taking against a domain name.
  • One year after the date of enactment, DoC shall be required to report on the “impact of the steps described in section 2(e) on an entity's ability to deploy effectively and use Domain Name System Security Extensions.”

The underlying reasoning for adding this last reporting requirement should be emphasized and explained. It is not clear exactly how affected parties would implement the COICA orders they receive, but it's likely seized domain names would redirect users to an enforcement web page similar to what occurred this past summer when the U.S. Customs Department took down nine web sites. A recent Internet-Draft, authored by Comcast (which has been documenting its network management practices via the IETF process), clearly states that the practice of redirection and DNSSEC are incompatible. Without getting too technical, the incompatibility arises from the fact that with a secure DNS, name server operators provide cryptographically signed DNS data. Without access to the private key and/or the ability to change information in a DNS zone file (e.g., foo.com), an ISP cannot produce valid signatures for the responses it tampers with, so those responses cannot be verified as secure.
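The incompatibility can be seen in a small model, added here as an illustration and not taken from the bill, the Internet-Draft, or any resolver's code. It assumes a toy RSA key and a simplified record format in place of real DNSKEY/RRSIG records; the function names and addresses are constructed for the example.

```python
import hashlib

# Toy zone key (assumption: textbook RSA over two Mersenne primes, far too
# small for real use; real DNSSEC publishes the public half as a DNSKEY).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                            # public modulus, known to validators
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the zone

def digest(name, rtype, rdata):
    """Hash a record set in a simplified canonical form, reduced below N."""
    canon = "|".join([name.lower(), rtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % N

def sign(name, rtype, rdata):
    """Zone operator: produce the signature that accompanies the answer."""
    return pow(digest(name, rtype, rdata), D, N)

def validate(answer):
    """Validating resolver or client: check the answer against the zone key."""
    sig = answer.get("sig")
    if sig is None:
        return "bogus"               # zone is known to be signed, signature missing
    expected = digest(answer["name"], answer["type"], answer["rdata"])
    return "secure" if pow(sig, E, N) == expected else "bogus"

def redirect(answer, notice_ip):
    """Intermediary complying with an order: swap in the notice page address.
    It does not hold D, so it can only reuse the original signature."""
    return dict(answer, rdata=[notice_ip])

def strip_signature(answer):
    """Alternative: drop the signature and hope the client does not validate."""
    return {k: v for k, v in answer.items() if k != "sig"}

# Constructed sample data (documentation address ranges).
genuine = {"name": "foo.com", "type": "A", "rdata": ["192.0.2.10"]}
genuine["sig"] = sign(genuine["name"], genuine["type"], genuine["rdata"])
rewritten = redirect(genuine, "198.51.100.7")

if __name__ == "__main__":
    print("genuine answer: ", validate(genuine))
    print("redirected:     ", validate(rewritten))
    print("signature gone: ", validate(strip_signature(rewritten)))
```

A validating client treats both forms of the rewritten answer as bogus and returns an error instead of the notice page, so redirection only reaches users whose resolution path does not validate.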

COICA, and the IP interests behind it, are forcing some interesting choices for ISPs and registrars. Under the current text, ISPs would likely have to forgo secure DNS resolution for their end customers in order to comply with COICA orders. This is anathema to the stated purpose of DNSSEC, which is to provide origin authentication and integrity assurance for DNS data, and it puts COICA in conflict with some USG agencies' support of DNSSEC. An entirely different approach might be requiring registrars to prevent illegal uses of domain names during the registration process. However, this could dramatically raise operational, and ultimately registrant, costs. Neither solution is good, and it raises the valid question as to whether Internet intermediaries should be assuming IPR enforcement roles at all. The COICA debate will go on in parallel with the NTIA proceedings on Copyright Policy, Creativity, and Innovation in the Internet Economy and Global Free Flow of Information on the Internet, which also deal with the role of intermediaries in IPR enforcement.

One comment

  1. Anonymous

    Nothing is perfect and COICA is no exception. However, it should go some way in reigning improving internet security.