Collective Punishment: SOPA and Protect-IP are Threats to NSTIC and Federated Identity

As a technologist you’ve likely heard about the Stop Online Piracy Act (SOPA) or the Protect-IP Act. The stated intention of these bills, as described by SOPA, is “[t]o promote prosperity, creativity, entrepreneurship, and innovation by combating the theft of U.S. property, and for other purposes.” SOPA provides a range of resources for tackling “foreign websites” that “engage in, enable or facilitate” copyright or trademark infringement. Amongst SOPA’s so-called “reasonable measures” for dealing with an assertion that a site engages in, enables, or facilitates copyright infringement is DNS filtering. In essence, the site’s hosting provider would be required to modify its DNS records so that the entry for supposedly_infringingsite.com does not resolve. Besides the well-publicized incompatibility between DNS filtering and DNSSEC, DNS filtering has tangible negative effects on federated identity systems, including the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Consider the imaginary example of the University of Imagistan. The University is renowned for its comparative literature, geology, and biology programs as well as its study-abroad program. The University recently upgraded the section of its website dedicated to its excellent study-abroad program, hoping to attract more students from the US. The University also recently upgraded its search engine, making more content accessible from its website.

Meanwhile, a professor from the University of Imagistan has been using the National Institutes of Health’s PubMed to aid her research. There she has bookmarked a variety of articles that she found interesting. One thing to note is how the professor logs in to PubMed. Thanks to NSTIC (well, FICAM actually, but the same idea in this case), she does not need a separate username and password to access PubMed; instead she logs in using her credentials from the University of Imagistan – a federated logon. When she accesses PubMed, PubMed gathers credential information from the University’s IdP service.

Now imagine that the University’s search engine discovered, indexed, and then linked to spam found in a student’s University-hosted blog. This spam advertised both herbal “performance enhancement” pills and a torrent for Hollywood’s action movie du jour, ‘The Postman Got Disintermediated’. At this point the University is squarely in SOPA’s sights:

  • It is a “foreign website”
  • A portion of it, the study-abroad program, is “US-directed”
  • It facilitates copyright infringement (a BitTorrent download of the movie) and is a threat to health and safety (possibly counterfeit drugs)

Suppose the University’s hosting provider receives, and chooses to act upon, a request to take the website down via DNS filtering. Now when the professor attempts to access PubMed she cannot. Why? Because the federation between PubMed and the University has been broken: PubMed cannot reach the identity provider at the University because PubMed cannot resolve it via DNS. This means that the professor loses access to all of the articles she previously bookmarked, and the value of PubMed is diminished in the process. Keep in mind that the professor has absolutely nothing to do with the supposed copyright infringement; she just wanted to use the services she used to use via federation.

The National Strategy for Trusted Identities in Cyberspace, at its core, promotes the use of federated identity. It asserts that an identity ecosystem can provide stronger, more trustworthy credentials, while offering people greater control over their privacy. The approach SOPA and Protect-IP take poisons this ecosystem – denying access to IdPs in turn denies access to downstream relying parties and services.

Using censorship tools to enforce copyright does more harm than good. The DNS filtering that SOPA and Protect-IP propose breaks federation, denying service to far more than the supposedly infringing website. SOPA and Protect-IP prevent people who use identity services (identity provider, attribute provider, etc.) from the accused domain from using services like PubMed and every other relying party (Flickr, Google Apps, Salesforce.com, etc.). This, my friends, is the definition of collective punishment.
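As an added illustration (not part of the original post), here is a small Python model of the dependency the story above describes: a relying party must resolve its IdP’s hostname before a federated logon can even start, so filtering one domain locks that domain’s users out of every RP that trusts the IdP, not just the accused site. The federation, hostnames and users are constructed, and `live_resolver` is a hypothetical helper an RP could use to audit its real IdP dependencies.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample federation: which IdP logon endpoints each relying party
# (RP) trusts. Hostnames are hypothetical, not real services.
FEDERATION = {
    "pubmed.example.gov": ["https://idp.imagistan.example.edu/saml/sso"],
    "flickr.example.com": ["https://idp.imagistan.example.edu/saml/sso",
                           "https://login.otheruni.example.edu/idp"],
    "salesforce.example.com": ["https://login.otheruni.example.edu/idp"],
}
# Constructed sample of users and the home IdP they log on through.
HOME_IDP = {"professor": "idp.imagistan.example.edu",
            "visiting_scholar": "login.otheruni.example.edu"}

def idp_hosts(endpoint_urls):
    """Hostnames an RP must resolve before it can redirect a user to the IdP."""
    return {urlsplit(u).hostname for u in endpoint_urls}

def filtered_resolver(blocked_domains):
    """Mimic a SOPA-style DNS filter: a host at or under a blocked domain does
    not resolve. Returns resolve(host) -> bool so the check runs offline."""
    def resolve(host):
        return not any(host == d or host.endswith("." + d) for d in blocked_domains)
    return resolve

def live_resolver(host):
    """Real resolution check for auditing an RP's own IdP dependencies."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def blast_radius(federation, resolve):
    """RPs that lose at least one IdP, mapped to the unreachable IdP hostnames."""
    broken = {}
    for rp, endpoints in federation.items():
        dead = sorted(h for h in idp_hosts(endpoints) if not resolve(h))
        if dead:
            broken[rp] = dead
    return broken

def locked_out(home_idp, federation, resolve):
    """Users whose home IdP is unreachable, mapped to the RPs they lose."""
    broken = blast_radius(federation, resolve)
    lost = {u: sorted(rp for rp, dead in broken.items() if idp in dead)
            for u, idp in home_idp.items()}
    return {u: rps for u, rps in lost.items() if rps}
```

Run `locked_out(HOME_IDP, FEDERATION, filtered_resolver({"imagistan.example.edu"}))` to see that filtering the University’s domain costs the professor both PubMed and Flickr while the visiting scholar is untouched.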

There are a lot of issues with SOPA and Protect-IP, and the bills have inspired a growing chorus of opposition. If reading the works of Congress is unappealing, check out the Center for Democracy and Technology and/or the Electronic Freedom Foundation; they both have excellent coverage of both bills. TechDirt has compiled resources for contacting your Senator or Representative.

UPDATE – January 13

It appears that someone’s (or maybe everyone’s) voice has been heard. Both Lamar Smith and Patrick Leahy have decided to amend SOPA and Protect-IP respectively to remove the DNS filtering sections. It is heartening that Congress has come to its senses and decided not to employ censorship tools to enforce copyright. The only good that came of this affair is the reminder that our identity systems have dependencies lower down in the stack. We must acknowledge and mitigate threats to those foundational layers, regardless of whether such threats are technical or legislative.

Thoughts from the last 10 years

Our modern era split into two parts on September 11th. In the last ten years, like the World Trade Center, some of our shared concepts about our world have fallen. Collapsed is the notion that the world “over there” has no impact on our own soil. In a sad heap is the idea that we can apply kinetic force against ideological force. Fallen is the naiveté that we know how to manage the institutions that have fueled America’s growth, whose complexity and interconnectedness have increased geometrically.

There is an idea that has not fallen and has grown in strength and in implication – the idea that we can be completely safe. This farcical idea is literally destroying our country. This myth is bankrupting our nation. This myth is breeding ideologues. The fantasy of complete safety has robbed us of our dignity. It has decreased our operational efficiency.

This country is behaving like a child, afraid of the dark, insisting on turning on every light in the house. There isn’t a boogeyman under every bed, in every closet. The dark isn’t inherently dangerous. The dark contains the unknown and the undiscovered; it is in the dark that our future rests. It is only through the bravery of admitting that we cannot be completely safe, through the decision not to be scared of the dark, that we can progress economically and emotionally.

Those who sacrifice liberty for security deserve neither

Ben Franklin actually wrote, "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." I give the National Park Service a lot of credit for leaving this graffiti up on a bridge in Rock Creek Park. Besides, if Ben Franklin said it, is it really graffiti?

Times change – Toledo Lounge sold (but that’s okay)

As some of you have already heard, the spiritual home of Tuesdaynight, Toledo Lounge, has been sold. After nearly 20 years the Abbajay sisters have sold Toledo to the owners of the Black Squirrel. From reading this article, it sounds like things are going to pretty much stay the same at Toledo, which is great news.

BTW – some of us will be at Toledo tonight to reminisce. Come join us!

The continuing story of Privacy Mirror

I had let Privacy Mirror languish for a bit, and having found a free few hours, I decided to update Privacy Mirror to take advantage of Facebook’s Graph API. (For those of you not familiar with my Privacy Mirror experiment, it is a very basic app that explores what personal data apps can see via your friends.) Since I last updated Privacy Mirror, Facebook rolled out two major features. The first was the previously mentioned Graph API, which is a RESTful API that returns Facebook data as JSON.

The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use. It is these extended permissions that lie at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job covering this, and here is Facebook’s current response.)

Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.

An example of extended permissions

It is crucially important to notice that you, as an app user, can only agree to the use of all the requested information (as opposed to individual pieces). Also, the app user cannot say that the app may have permission to her own data but not that of her friends. (See my series “I ‘like’ you, but I hate you apps” for the implications of this coarse-grained control.) Third, once the app has your permission, it goes off and does what it does.

I have to say, I like the spirit of the extended permissions. I like the fact that developers must ask for permission and I like that users must grant that permission. But I am very troubled by the lack of granular control afforded to the user.

Also, Facebook has not addressed what I feel to be a much bigger privacy issue: the mistreatment of the relationship between people and their apps. If I have an app and you don’t use the same app, then that app can only see the elements of your profile that you have allowed applications to see. (This is controlled via the Account > Privacy Settings > Apps, Games and Websites > Info accessible through your friends settings.) But if you and I both have the same app on our profiles, then the app can see the elements of your profile that you have granted me access to see. In this sense, the app executes with my permissions based on our relationship. But you have a relationship with me, not my apps. This is subtle and remains a critical unsolved problem.
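An added Python model (not Facebook’s code, and not part of the original post) of the two cases just described, using constructed users and a hypothetical extended-permissions request for Privacy Mirror. It assumes the “Info accessible through your friends” allow list only ever narrows what a friend could already see, and `exposure_delta` shows exactly which fields an app gains on you purely because you install the same app as your friend.

```python
# Constructed sample privacy settings. "visible_to_friends" is what the user
# shows friends; "apps_via_friends" is the "Info accessible through your
# friends" allow list; "apps" is the set of apps the user has installed.
USERS = {
    "alice": {
        "friends": {"bob"},
        "apps": set(),
        "visible_to_friends": {"name", "birthday", "hometown", "phone"},
        "apps_via_friends": {"name", "hometown"},
    },
    "bob": {
        "friends": {"alice"},
        "apps": {"privacy_mirror"},
        "visible_to_friends": {"name", "hometown"},
        "apps_via_friends": {"name"},
    },
}

# Friend fields the app asked for in its extended-permissions request
# (constructed; a user can only accept or reject this list as a whole).
APP_FRIEND_FIELDS = {"privacy_mirror": {"name", "birthday", "phone"}}


def fields_app_can_see(app, viewer, target, users=USERS, requests=APP_FRIEND_FIELDS):
    """Profile fields of `target` that `app`, running for `viewer`, can read."""
    t = users[target]
    if app not in users[viewer]["apps"] or viewer not in t["friends"]:
        return set()                      # viewer lacks the app, or not friends
    allowed = t["visible_to_friends"]     # what target lets the viewer see
    if app not in t["apps"]:
        # Target does not use the app: only the allow list for apps reached
        # via friends applies (assumed to be a subset of friend-visible data).
        allowed = allowed & t["apps_via_friends"]
    # The app never sees more than it asked for in its permission request.
    return allowed & requests[app]


def exposure_delta(app, viewer, target, users=USERS):
    """Fields the app gains on `target` only because `target` installs it too."""
    before = fields_app_can_see(app, viewer, target, users)
    joined = {u: dict(p, apps=p["apps"] | {app}) if u == target else p
              for u, p in users.items()}
    after = fields_app_can_see(app, viewer, target, joined)
    return after - before
```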
