Want CNET to notify you of price drops and the latest stories?

How SOPA's 'circumvention' ban could put a target on Tor

Hollywood-backed Stop Online Piracy Act goes further than earlier versions and targets software that can "bypass" or "circumvent" anti-piracy blocks. The Tor Project worries it could be at risk.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read

A little-noticed section of the Stop Online Piracy Act could make it illegal to distribute Tor and other software that can "circumvent" attempts by the U.S. government to block pirate Web sites.

The controversial Hollywood-backed copyright bill allows injunctions to be filed against "any" person, nonprofit organization, or company that distributes a "product or service" that can be used to circumvent or bypass blockades erected against alleged pirate Web sites such as ThePirateBay.org.

The U.S. government-funded Tor Project could be a target of SOPA's anti-circumvention section.
The U.S. government-funded Tor Project could be a target of SOPA's anti-circumvention section.

"It looks like SOPA would outlaw Tor," says Markham Erickson, an attorney with Holch & Erickson LLP who runs NetCoalition. The trade association opposes SOPA and counts Amazon.com, eBay, Google, and Yahoo among its members.

This section of SOPA is straightforward enough: a copyright holder would contact the U.S. Department of Justice to complain that a Web site is engaged in piracy. Then the Justice Department would seek a court order from a federal judge that would compel U.S.-based Internet service providers and domain name system providers to render the target inaccessible.

But SOPA's author, Rep. Lamar Smith, a conservative Texan who has become Hollywood's favorite Republican, anticipated that savvy programmers would find a way around these virtual roadblocks. So Smith inserted language in SOPA (PDF) -- it's not in the Senate's similar Protect IP bill -- allowing anyone who knowingly and willfully distributes "circumvention" software to be forced to remove it. (See CNET's FAQ on SOPA.)

"I worry that it is vague enough, and the intention to prevent tunneling around court-ordered restrictions clear enough, that courts will bend over backwards to find a violation," says Mark Lemley, a professor at Stanford Law School who specializes in intellectual property law.

Smith's anti-circumvention language appears designed to target software such as MAFIAAFire, the Firefox add-on that bypassed domain seizures, and ThePirateBay Dancing and Tamer Rizk's DeSOPA add-ons, which take a similar approach. (As CNET reported in May, the U.S. Department of Homeland Security has tried, unsuccessfully so far, to remove MAFIAAFire from the Web.)

But Smith worded SOPA broadly enough that the anti-circumvention language isn't limited to Firefox add-ons. In an echo of the 1998 Digital Millennium Copyright Act's anti-circumvention section, SOPA targets anyone who "knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity...for the circumvention or bypassing" of a Justice Department-erected blockade.

Smith did not respond to questions from CNET yesterday asking whether Tor and similar products would be affected. The Motion Picture Association of America, the Recording Industry Association of America, and the U.S. Chamber of Commerce, all of which have lobbied for SOPA, also declined to comment. (See CNET's report on why the U.S. Chamber of Commerce loves SOPA.)

Wendy Seltzer, a fellow at Yale Law School and former intellectual property litigator who is a member of the Tor Project's board of directors, says she's worried about how the Justice Department would wield this language. The Tor Project develops software to preserve online anonymity but which can also be used to bypass SOPA-created blockades.

"Ordinary security and connectivity tools could fall within its scope," Seltzer wrote, referring to SOPA's anti-circumvention, anti-bypassing language. She added in an e-mail to CNET: "Can actions for injunction be brought against all sort of general purpose tools, causing nuisance and expense even if the claims wouldn't hold up in court? Worse, if the injunction succeeds, then further distribution without an appeal would face contempt charges."

There's a bit of irony here: Tor was created by the U.S. government (specifically, the U.S. Naval Research Laboratory). The subsequent organization formed to develop the software, the nonprofit Tor Project, is currently funded in part by multiple federal agencies that hope that it will let Internet users in China and other repressive regimes bypass their country's informational blockades.

The problem for Smith and other SOPA supporters is that censorship-circumventing software -- and Tor has consciously used that phrase to describe itself -- doesn't differentiate between China devising a list of off-limits Web sites and the U.S. government doing the same thing.

During last week's SOPA debate in the House Judiciary committee, Rep. Zoe Lofgren, a California Democrat whose district includes the heart of Silicon Valley, offered an amendment to revise the anti-circumvention language.

"Those very same tools that we have worked to devise, that we have funded to develop in some cases, are the same tools that could also be used by Internet users in the United States to circumvent the blocking of a foreign infringing site under the bill," Lofgren said.

Smith replied by suggesting that "you and I and others involved could write language that would address your concerns." Lofgren agreed to withdraw her amendment temporarily, as long as she could offer it again before a final vote. The committee's debate on SOPA had been scheduled to resume this morning, but Smith has postponed it until early 2012.

Lofgren's temporarily withdrawn amendment (PDF) said that SOPA "does not include any product or service designed or marketed for the circumvention of measures taken by a foreign government to block access to an Internet site."

A broad interpretation of SOPA's anti-circumvention language would sweep even more broadly than Tor. Software such as VPNs, used by security-conscious businesses, can also "bypass" a SOPA-established blockade. So could DNS software. And even the humble "/etc/hosts" file, part of every major operating system including OS X, Linux, and Windows, can be pressed into service as a SOPA-bypasser as well.

Stewart Baker, Homeland Security's former policy chief who's now a partner at the Steptoe and Johnson law firm, suggests SOPA's anti-circumvention and anti-bypassing language would target Web browsers too.

It's hard to escape the conclusion that this provision is aimed squarely at the browser companies," he wrote in a blog post. "Browsers implementing DNSSEC will have to circumvent and bypass criminal blocking, and in the process, they will also circumvent and bypass SOPA orders." A successful injunction from the attorney general, Baker said, would shut down all shipments of a Web browser "until it's been revised to the satisfaction of his staff and their advisers in Hollywood."

To be sure, it's unlikely that the attorney general would try to force Microsoft, Apple, and Mozilla to rewrite their operating systems or Web browsers. Nor would federal judges automatically agree. But, argue SOPA's many critics (PDF), the Justice Department shouldn't be granted such sweeping authority in the first place.

David Post, a professor of law at Temple University who has been writing about copyright law for over a decade, says that even after analyzing SOPA (and organizing a letter from law professors protesting the legislation) the anti-circumvention language remains surprisingly opaque.

"It's ambiguous to me," Post says. How far does it reach? "I don't know. Which is bad."