SOPA's latest threat: IP blocking, privacy-busting packet inspection

A little-noticed portion of a controversial House of Representatives copyright bill could require Internet providers to monitor customers' traffic and block the addresses of Web sites suspected of copyright infringement, a significant expansion of requirements in an earlier version of the bill.

The Stop Online Piracy Act, or SOPA, says a network provider can be ordered to "prevent access by its subscribers located within the United States" to the allegedly piratical Web site. That language did not appear in an earlier Senate version called the Protect IP Act.

"It would cover IP blocking," says Markham Erickson, head of NetCoalition, which opposes SOPA and counts Amazon.com, Google, eBay, and Yahoo as members. "I think it contemplates deep packet inspection" as well, he said.

Protect IP, the earlier Senate version, wouldn't require AT&T, Comcast, Verizon, and other ISPs to block their customers from visiting the numeric IP addresses of off-limits Web sites. And it didn't contemplate deep packet inspection. (The domain name system, or DNS, translates alphanumeric domain names like CNET.com into the numeric IP addresses actually used by computers, in this case 64.30.224.118.)

Cary Sherman, the head of the Recording Industry Association of America, wrote in a guest column for CNET that SOPA could be used to force Internet providers to block by "Internet Protocol [IP] address" and deny "access to only the illegal part of the site." The RIAA, along with the Motion Picture Association of America and the U.S. Chamber of Commerce, strongly supports the legislation.

SOPA is designed to respond to the rise of offshore Web sites, sometimes called "rogue" Web sites, that distribute pirated movies, songs, and other copyrighted material. It allows the attorney general to seek a court order against the targeted Web site that would, in turn, be served on Internet providers in an effort to make the target virtually disappear.

An aide to the House Judiciary committee -- chaired by Rep. Lamar Smith (R-Tex.), SOPA's principal sponsor -- did not dispute that IP address blocking and deep packet inspection could be required. It would be up to a judge to determine the nature of the court order that would be needed to block the site, the aide told CNET this afternoon.

Deep packet inspection is the only way to block data from specific Web pages, or URLs. It also may raise new privacy concerns about SOPA because it relies on intercepting customers' Web browsing, analyzing the protocols to see what's going on, and reviewing the packets' contents. That looks a lot like wiretapping, and a bipartisan group of House members soundly condemned it when a company named NebuAd tried it in 2008.

The wording shift from the Senate to the House version explains why Internet providers aren't exactly enthusiastic about SOPA. Verizon has "concerns about the legislation" and is working with congressional staff to address them, a spokesman told CNET.

Tim McKone, AT&T's executive vice president of federal relations, said that "we have been supportive of the general framework" of the Senate bill. But when it comes to SOPA, all AT&T would say is that it is "working constructively with Chairman Smith and others toward a similar end in the House."

Dane Jasper, the CEO and co-founder of Sonic.net, said it's technically feasible for his company to block a list of even thousands of IP addresses provided by the government, though it becomes more difficult as the list grows.

But Jasper, whose Internet service provider is based in Santa Rosa, Calif., about an hour's drive north of San Francisco, says that deep packet inspection would not be feasible.

"We have no capability to do this, so it would not be technically feasible, as it would require complete re-engineering and re-deployment of our network," says Jasper, who has written a blog post critical of SOPA.

Section 102 of SOPA says that, after being served with a removal order, companies must take measures as long as they're "technically feasible and reasonable":

A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order... Such actions shall be taken as expeditiously as possible, but in any case within 5 days after being served with a copy of the order, or within such time as the court may order.

The RIAA says SOPA is flexible--more flexible, in fact, than the Senate bill--because it isn't as specific. "Instead of setting a particular type of technological response in statute, the bill is flexible to allow an ISP to choose the best method, which today may be DNS blocking," a representative for the organization told CNET today. "If the ISP feels that any one method may have a detrimental effect on the DNS system or on its network, or if technology changes, it is not locked in."

The Senate bill, Protect IP, specifically targeted domain name system providers, financial companies, and ad networks--not companies that provide Internet connectivity.

"The obligations of a service provider receiving one of these orders are incredibly vague and uncertain," says Sherwin Siy, deputy legal director at Public Knowledge.

Seth Schoen, staff technologist at the Electronic Frontier Foundation, says it was "surprising" that SOPA was so much broader than Protect IP.

If enacted, SOPA's blacklists will start to make the United States resemble more repressive regimes, Schoen predicts. "People in a lot of countries experience the Internet in much this way."

Last updated at 8 p.m. PT