Leahy's Protect IP bill even worse than COICA

Sen. Patrick Leahy (D-Vt.) today introduced a revised version of a controversial billthat would give the Department of Justice and individuals new powers to enforce copyright and trademark law against "rogue" and "pirate" Web sites that offer unlicensed copies of protected content or which sell illegal knock-offs of brand-name goods.

The new bill was long expected. A late draft leaked out last week.

The proposed law, "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property" or Protect IP, includes several revisions to a draft introduced last year, known then as "Combating Online Infringement and Counterfeits Act," or COICA.

Responding to criticism of COICA
The drafters of Protect IP have tried to respond to some of the most severe criticisms of COICA, which was seen as dangerously vague on its definition of the kinds of Web sites that, under the proposal, can be condemned by the Department of Justice. Critics included public interest groups on both the left and right, the Consumer Electronics Association, domain registries, and operators of large university computer networks.

Members of Congress also objected. In particular, Sen. Ron Wyden (D-Ore.), kept the bill from reaching the Senate floor in the last Congress.

Criticism of COICA included concern that it gave far too much power to the Department of Justice to block non-U.S. domains without adequate due process protections. Critics also noted that more precise tools were already available to protect copyright and trademark holders from wholesale abuse of their rights by rogue sites, such as the 1998 Digital Millennium Copyright Act.

Registries and other Internet infrastructure providers were especially concerned with provisions that could have required any provider of domain name look-up services to comply with court orders to block access to the underlying IP address of a condemned domain name.

Lawmakers didn't seem to appreciate that domain name address resolution takes place throughout the Internet, not just by larger ISPs and registries. Indeed, there are as many as a million worldwide domain names "resolvers," and it is unlikely U.S. courts could or would order all of them to comply with a blocking order.

But incomplete blocking could seriously undermine the integrity of this key feature of the Web's architecture, incentivizing truly rogue Web site operators to use shadow registration systems or simply forgo domain names and rely solely on IP addresses. (A domain name is merely a shorthand to the underlying IP address of the server, and isn't necessary to reach the domain.)

Protect IP responds to some of these concerns. For example, under the revised bill the Attorney General cannot bring action against the domain name directly until first trying to sue the registrant or owner/operator. Suing the domain name itself is a shorthand legal technique that features prominently and notoriously in the Department of Homeland Security's on-going "Operation In Our Sites" antipiracy efforts, which deals exclusively with U.S. Web sites.

And under the revised bill "nonauthoritative domain name system servers" need only take "the least burdensome technically feasible and reasonable measures" available to block access to condemned sites.

The revised law's dangerous new provisions
But critics have already condemned the new version, noting that it not only failed to remove some of the most dangerous features of COICA, but has also added expansive provisions that the earlier draft didn't include. TechDirt's Mike Masnick, for example, notes that the narrower definition of an "Internet site dedicated to infringing activities" in Protect IP is still both broad and vague. And the Electronic Frontier Foundation's Abigail Phillips wrote earlier today that "Despite some salient differences...in the new version, we are no less dismayed by this most recent incarnation than we were with last year's draft."

Some concessions by the drafters of Protect IP turn out to be chimerical. For example, forcing the government to sue the owner/operator rather than the domain name itself, which reduces the likelihood of domain names being condemned without giving notice to the registrant, is an improvement that evaporates on closer inspection.

That's because the attorney general can still go after the domain directly if the owner/operator does not have "an address within a judicial district of the United States." But Protect IP applies only to nondomestic domains--that is, domains registered outside the U.S. Most such registrations are likely to be by companies or individuals without a U.S. address.

Like COICA, Protect IP expands the web of enforcement techniques by requiring advertising networks and financial transaction providers to cut ties to domains found to violate the law. But the new version now adds search engines and others to the list of providers who can be conscripted into complying with court orders. Protect IP would require "information location tools" to "take technically feasible and reasonable measures, as expeditiously as possible," to remove or disable access to the site associated with a condemned domain, including blocking hypertext links to the site.

Another new provision encourages advertising networks and financial transaction service providers (though not search engines), to cut ties voluntarily with domains it believes are "dedicated to infringing activities." As long as such actions are undertaken in good faith and with "credible evidence," Protect IP immunizes those providers from liability for damages caused by erroneous actions against domains.

Perhaps most worrisome of all, Protect IP adds a provision that allows copyright and trademark holders to sue the owner/operator of a domain directly. Again, the provision applies only to nondomestically-registered domains, but it allows the private party, like the government, to sue the domain name itself if the registrant does not have a U.S. address.

That's important because in all cases, once a suit is initiated, the plaintiff can ask the court to issue an injunction or restraining order effectively shutting the site down. Private parties, like the government, can also use the court order to demand cooperation from financial transaction providers and Internet advertising services.

Setting dangerous and possibly illegal precedents
Thus, with minimal court proceedings and perhaps without any opportunity for the defendant to respond or participate, the draft law would enable the Department of Justice or a private party to effectively shut down a nondomestic Web site, putting the burden on the owner/operator to prove that the site is not "dedicated to infringing activities" as defined in the law.

Preemptively shuttering a Web site is certainly one way to curb illegal distribution of copyrighted materials and black market goods, but many see it as a blunt instrument that could ban other, legal content on the site. And, as has already occurred in the Homeland Security seizures, condemning a domain name can have fatal consequences when a site is accidentally blocked even though it is not operating illegally.

By comparison, rights holders already have the ability, under the DMCA, to force site operators to remove particular content that infringes copyrights. The "notice and takedown" regime, increasingly automated by large-scale content hosts including YouTube and eBay, has been generally successful in protecting licensed content without suppressing legally-protected speech.

So why expand those tools so broadly and dangerously under Protect IP? According to rights holders, additional tools are necessary to curb wholesale copyright piracy, especially of movies, and counterfeit goods including medication. The Software and Information Industry Association, for example, applauded the introduction of Protect IP. "The importance of this bill," according to an SIIA spokesman, "lies in the fact that it will eliminate critical technical and financial resources that are used to move pirated and counterfeit goods."

For sites that operate entirely outside the U.S., "notice and takedown" and private lawsuits are legally difficult to pursue, and are largely ineffective. But the need to forcibly "enlist" the support of registries, search engines, advertising networks and financial transaction processors underscores both the difficulty and danger of expanding existing legal tools to deal with non-domestically registered domains.

For one thing, condemning nondomestic domains for their failure to abide by U.S. copyright and trademark law sets a dangerous precedent. Though copyright and trademark are largely uniform in the developed world, there are still important differences that could whipsaw Web site operators and the service providers who would be required to help enforce the new law. "Fair use" and other authorized uses of protected content are not uniform.

Moreover, other governments might use similar techniques to enforce their own laws, some of which would surely conflict with deeply-held American principles. According to David Sohn, senior policy counsel at the Center for Democracy and Technology, "Domain name blocking raises tricky cybersecurity questions and would set a dangerous international precedent for using the domain name system to try to impose domestic laws on foreign Internet activity."

If the U.S. can block domains that violate its copyright and trademark laws, in other words, other countries would feel free to do the same to enforce laws restricting political or other speech that would be protected in the U.S.

Protect IP does not affect ongoing domestic domain seizures
It's worth emphasizing that Protect IP, even more so than COICA, applies to nondomestically-registered domains. That's in part because the U.S. government believes it already has far more expansive and effective powers to condemn rogue U.S. Web sites under the 2008 PRO IP Act. That's the law that the Department of Homeland Security's Immigration and Customs Enforcement division has recently been using to seize domestically-registered domain names and reroute them to an ICE page indicating the underlying site was operating illegally.

In particular, ICE has been using PRO IP to invoke "civil forfeiture" laws, which allow the government to seize "property" used in the commission of certain crimes without ever getting a conviction of the underlying crime.

Protect IP does nothing to curb ICE's use of civil forfeiture law to interrupt domestic Web sites the agency believes are criminally violating copyright law. Under PRO IP, the agency has applied in hundreds of cases to seize a domain name without notice to the registrant and with minimal investigation of whether the domains are in fact violating the law. The agency has been frequently embarrassed to find it has seized domain names that are not violating copyright law in any way, underscoring the danger of allowing such actions to be taken with minimal procedural safeguards.

A number of serious legal questions have been raised about ICE's use of forfeiture law to seize domain names, but so far no legal challenge has been brought. When it does, the agency's practices will be exposed to even more scrutiny, and may be found to fail a variety of constitutional requirements.

Indeed, the existing evidence of ICE's poor performance should have given pause to Senator Leahy and his co-sponsors. Protecting copyright and trademark are of course important objectives. But doing so by trampling due process rights, tinkering dangerously with the mechanics of the Internet, and impressing into police duties an expanding set of Internet service providers, hardly seems the best solution.