December 22, 2024

Spamhaus Tests U.S. Control Over Internet

In a move sure to rekindle debate over national control of the Internet, a US court may soon issue an order stripping London-based spamhaus.org of its Internet name.

Here’s the backstory. Spamhaus, an anti-spam organization headquartered in London, publishes ROKSO, the “Register of Known Spam Operations”. Many sites block email from ROKSO-listed sites, as an anti-spam tactic. A US company called e360 sued Spamhaus, claiming that Spamhaus had repeatedly and wrongly put e360 on the ROKSO, and asking the court to award monetary damages and issue an injunction ordering e360’s removal from ROKSO.

Spamhaus lost the case, apparently due to bad legal maneuvering. Faced with a U.S. lawsuit, Spamhaus had two choices: it could challenge the court’s jurisdiction over it, or it could accept jurisdiction and defend the case on the merits. It started to defend on the merits, but then switched strategies, declaring the court had no jurisdiction and refusing to participate in the proceedings. The court said that Spamhaus had accepted its jurisdiction, and it proceeded to issue a default judgment against Spamhaus, ordering it to pay $11.7M in damages (which it apparently can’t pay), and issuing an injunction ordering Spamhaus to (a) take e360 off ROKSO and keep it off, and (b) post a notice saying that previous listings of e360 had been erroneous.

Spamhaus has ignored the injunction. As I understand it, courts have broad authority to enforce their injunctions against noncompliant parties. In this case, the court is considering (but hasn’t yet issued) an order that would revoke Spamhaus’s use of the spamhaus.org name; the order would require ICANN and the Tucows domain name registry to shut off service for the spamhaus.org name, so that anybody trying to go to spamhaus.org would get a domain-not-found error. (ICANN says it’s up to Tucows to comply with any such order.)

There are several interesting questions here. (1) Is it appropriate under U.S. law for the judge to do this? (2) If the spamhaus.org is revoked, how will spamhaus and its users respond? (3) If U.S. judges can revoke domain name registrations, what are the international implications?

I’ll leave Question 1 for the lawyers to argue.

The other two questions are actually interrelated. Question 3 is about how much extra power (if any) the US has by virtue of history and of having ICANN, the central naming authority, within its borders. The relevance of any US power depends on whether affected parties could work around any assertion of US power, which gets us back to Question 2.

Suppose that spamhaus.org gets shut down. Spamhaus could respond by registering spamhaus.uk. Would the .uk registry, which is run or chartered by the UK government, comply with a US court order to remove Spamhaus’s registration? My guess would be no. But even if the .uk registry complied and removed spamhaus.uk, that decision would not depend on any special US relationship to ICANN.

The really sticky case would be a dispute over a valuable name in .com. Suppose a US court ordered ICANN to yank a prominent .com name belonging to a non-US company. ICANN could fight but being based in the US it would probably have to comply in the end. Such a decision, if seen as unfair outside the US, could trigger a sort of constitutional crisis for the Net. The result wouldn’t be pretty. As I’ve written before, ICANN is far from perfect but the alternatives could be a lot worse.

(via Slashdot)

Taking Stevens Seriously

From the lowliest blogger to Jon Stewart, everybody is laughing at Sen. Ted Stevens and his remarks (1.2MB mp3) on net neutrality. The sound bite about the Internet being “a series of tubes” has come in for for the most ridicule.

I’ll grant that Stevens sounds pretty confused on the recording. But’s let’s give the guy a break. He was speaking off the cuff in a meeting, and he sounds a bit agitated. Have you ever listened to a recording of yourself speaking in an unscripted setting? For most people, it’s pretty depressing. We misspeak, drop words, repeat phrases, and mangle sentences all the time. Normally, listeners’ brains edit out the errors.

In this light, some of the ridicule of Stevens seems a bit unfair. He said the Internet is made up of “tubes”. Taken literally, that’s crazy. But experts talk about “pipes” all the time. Is the gap between “tubes” and “pipes” really so large? And when Stevens says that his staff sent him “an Internet” and it took several days to arrive, it sounds to me like he meant to say “an email” and just misspoke.

So let’s take Stevens seriously, and consider the possibility that somewhere in his head, or in the head of a staffer telling him what to say, there was a coherent argument that was supposed to come out of Stevens’ mouth but was garbled into what we heard. Let’s try to reconstruct that argument and see if it makes any sense.

In particular, let’s look at the much-quoted core of Stevens’ argument, as transcribed by Ryan Singel. Here is my cleaned-up restatement of that part of Stevens’ remarks:

NetFlix delivers movies by mail. What happens when they start delivering them by download? The Internet will get congested.

Last Friday morning, my staff sent me an email and it didn’t arrive until Tuesday. Why? Because the Internet was congested.

You want to help consumers? Consumers don’t benefit when the Net is congested. A few companies want to flood the Internet with traffic. Why shouldn’t ISPs be able to manage that traffic, so other traffic can get through? Your regulatory approach would make that impossible.

The Internet doesn’t have infinite capacity. It’s like a series of pipes. If you try to push too much traffic through the pipes, they’ll fill up and other traffic will be delayed.

The Department of Defense had to build their own network so their time-critical traffic wouldn’t get blocked by Internet congestion.

Maybe the companies that want to dump so much traffic on the Net should pay for the extra capacity. They shouldn’t just dump their traffic onto the same network links that all of us are paying for.

We don’t have regulation now, and the Net seems to be working reasonably well. Let’s leave it unregulated. Let’s wait to see if a problem really develops.

This is a rehash of two of the standard arguments of neutrality regulation opponents: let ISPs charge sites that send lots of traffic through their networks; and it’s not broke so don’t fix it. Nothing new here, but nothing scandalous either.

His examples, on the other hand, seem pretty weak. First, it’s hard to imagine that NetFlix would really use up so much bandwidth that they or their customers weren’t already paying for. If I buy an expensive broadband connection, and I want to use it to download a few gigabytes a month of movies, that seems fine. The traffic I slow down will mostly be my own.

Second, the slow email wouldn’t have been caused by general congestion on the Net. The cause must be either an inattentive person or downtime of a Senate server. My guess is that Stevens was searching his memory for examples of network delays, and this one popped up.

Third, the DoD has plenty of reasons other than congestion to have its own network. Secrecy, for example. And a need for redundancy in case of a denial-of-service attack on the Internet’s infrastructure. Congestion probably ranks pretty far down the list.

The bottom line? Stevens may have been trying to make a coherent argument. It’s not a great argument, and his examples were poorly chosen, but it’s far from the worst argument ever heard in the Senate.

Why then the shock and ridicule from the Internet public? Partly because the recording was a perfect seed for a Net ridicule meme. But partly, too, because people unfamiliar with everyday Washington expect a high level of debate in the Senate, and Stevens’ remarks, even if cleaned up, don’t nearly qualify. As Art Brodsky of Public Knowledge put it, “We didn’t [post the recording] to embarrass Sen. Stevens, but to give the public an inside view of what can go on at a markup. Just so you know.” Millions of netizens now know, and they’re alarmed.

Net Neutrality: Strike While the Iron Is Hot?

Bill Herman at the Public Knowledge blog has an interesting response to my net neutrality paper. As he notes, my paper was mostly about the technical details surrounding neutrality, with a short policy recommendation at the end. Here’s the last paragraph of my paper:

There is a good policy argument in favor of doing nothing and letting the situation develop further. The present situation, with the network neutrality issue on the table in Washington but no rules yet adopted, is in many ways ideal. ISPs, knowing that discriminating now would make regulation seem more necessary, are on their best behavior; and with no rules yet adopted we don’t have to face the difficult issues of line-drawing and enforcement. Enacting strong regulation now would risk side-effects, and passing toothless regulation now would remove the threat of regulation. If it is possible to maintain the threat of regulation while leaving the issue unresolved, time will teach us more about what regulation, if any, is needed.

Herman argues that waiting is a mistake, because the neutrality issue is in play now and that can’t continue for long. Normally, issues like these are controlled by a small group of legislative committee members, staffers, interest groups and lobbyists, but rarely an issue will open up for wider debate, giving broader constituencies influence over what happens. That’s when most of the important policy changes happen. Herman argues that the net neutrality issue is open now, and if we don’t act it will close again and we (the public) will lose our influence on the issue.

He makes a good point: the issue won’t stay in the public eye forever, and when it leaves the public eye change will be more difficult. But I don’t think it follows that we should enact strong neutrality regulation now. There are several reasons for this.

Tim Lee offers one reason in his response to Herman. Here’s Tim:

So let’s say Herman is right and the good guys have limited resources with which to wage this fight. What happens once network neutrality is the law of the land, Public Knowledge has moved onto its next legislative issue, and the only guys in the room at FCC hearings on network neutrality implementation are telco lawyers and lobbyists? The FCC will interpret the statute in a way that’s friendly to the telecom industry, for precisely the reasons Herman identifies. Over time, “network neutrality” will be redefined and reinterpreted to mean something the telcos can live with.

But it’s worse than that, because the telcos aren’t likely to stop at rendering the law toothless. They’re likely to continue lobbying for additional changes to the rules—by the FCC or Congress—that helps them exclude new competitors and cement their monopoly power? Don’t believe me? Look at the history of cable franchising. Look at the way the CAB helped cartelize the airline industry, and the ICC cartelized surface transportation. Look at FCC regulation of telephone service and the broadcast spectrum. All of those regulatory regimes were initially designed to control oligopolistic industries too, and each of them ended up becoming part of the problem.

I’m wary of Herman’s argument for other reasons too. Most of all, I’m not sure we know how to write neutrality regulations that will have the effects we want. I’m all in favor of neutrality as a principle, but it’s one thing to have a goal and another thing entirely to know how to write rules that will achieve that goal in practice. I worry that we’ll adopt well-intentioned neutrality regulations that we’ll regret later – and if the issue is frozen later it will be even harder to undo our mistakes. Waiting will help us learn more about the problem and how to fix it.

Finally, I worry that Congress will enact toothless rules or vague statements of principle, and then declare that the issue has been taken care of. That’s not what I’m advocating; but I’m afraid it’s what we’ll get if insist that Congress pass a net neutrality bill this year.

In any case, odds are good that the issue will be stalemated, and we’ll have to wait for the new Congress, next year, before anything happens.

New Net Neutrality Paper

I just released a new paper on net neutrality, called Nuts and Bolts of Network Neutrality. It’s based on several of my earlier blog posts, with some new material.

Does the Great Firewall Violate U.S. Law?

Clayton, Murdoch, and Watson have an interesting new paper describing technical mechanisms that the Great Firewall of China uses to block online access to content the Chinese government doesn’t like.

The Great Firewall works in two parts. One part inspects data packets that cross the border between China and the rest of the world, looking for “bad” content. The other part tries to shut down cross-border connections that have contained “bad” content. I’ll focus here on the shutdown part.

The shutdown part attacks the TCP protocol, which is used (among many other things) to transfer Web pages and email. TCP allows two computers on the Net to establish a virtual “connection” and then send data over that connection. The technical specification for TCP says that either of the two computers can send a so-called Reset packet, which informs the computer on the other end that some unspecified error has occurred so the connection should be shut down immediately.

The Great Firewall tries to sever TCP connections by forging Reset packets. Each endpoint machine is sent a series of Reset packets purporting to come from the other machine (but really coming from the Great Firewall). The endpoints usually respond by shutting down the connection. If they try to connect again, they’ll get more forged Reset packets, and so on.

This trick of forging Reset packets has been used by denial-of-service attackers in the past, and there are well-known defenses against it that have been built into popular networking software. However, these defenses generally don’t work against an attacker who can see legitimate traffic between the target machines, as the Great Firewall can.

What the Great Firewall is doing, really, is launching a targeted denial of service attack on both ends of the connection. If I visit a Chinese website and access certain content, the Great Firewall will send denial of service packets to a machine in China, which probably doesn’t violate Chinese law. But it will also send denial of service packets to my machine, here in the United States. Which would seem to implicate U.S. law.

The relevant U.S. statute is the Computer Fraud and Abuse Act (18 U.S.C. 1030), which makes it an offense to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer”, as long as certain other conditions are met (about which more below). Unpacking this, and noting that any computer that can communicate with China will meet the definition of “protected computer”, the only part of this requirement that requires any discussion is “damage”. The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information”, so that the unavailability to me of the information on the Chinese website I tried to visit would count as damage.

But the offense has another requirement, which is intended to ensure that it is serious enough to merit legal attention. The offense must also cause, or attempt to cause, one of the following types of harm:

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

This probably wouldn’t apply to an attack on my computer, but attacks on certain U.S. government entities would trigger part (v), and there is a decent argument that the aggregate effect of such attacks on U.S. persons could add up to more than $5000 in damage, which would trigger part (i). I don’t know whether this argument would succeed. And I’m not a lawyer, so I’m relying on real lawyers to correct me in the comments if I’m missing something here.

But even if the Great Firewall doesn’t violate U.S. law now, the law could be changed so that it did. A law banning the sending of forged packets to the U.S. with intent to deny availability of content lawful in the U.S., would put the Great Firewall on the wrong side of U.S. law. And it would do so without reaching across the border to regulate how the Chinese government interacts with its citizens. If we can’t stop the Chinese government from censoring their own citizens’ access to the Net, maybe we can stop them from launching denial of service attacks against us.

(link via Bruce Schneier)