Legislation cracking down on rogue websites could inadvertently help hackers who have struck major corporate and government targets in recent weeks, a group of computer science experts said on Thursday.
"America is getting hacked," security consultant Dan Kaminsky said at a Center for Democracy and Technology briefing. "On a deep architectural level, we have to fix this or our economy cannot work."
Senate Judiciary Chairman Patrick Leahy, D-Vt., introduced the PROTECT IP Act to crack down on websites that sell copyrighted and counterfeited materials, and it passed out of committee in May.
But Kaminsky and other Internet architecture experts object to a section that requires Internet service providers to use a controversial method known as domain name system filtering to direct traffic away from websites selling copyrighted or counterfeit materials.
Authorities could use a court order to make service providers do the filtering--in essence, redirecting web users from a rogue website to another website that carries a notice about why the site couldn't be reached. But the filtering mandate could undermine online safety initiatives that hinge on use of Web addresses, the experts say.
The system that would allow filtering would also prevent providers from using an emerging security system known as DNSSEC. This security system sends credentialed messages between browsers and ISPs to ensure that users are taken to the proper website--and not a scam website--when they enter a URL.
Not only would a filtering requirement undermine the spread of DNSSEC, but hackers are likely to offer workarounds to private users. When clicked, these workarounds could also function as entry points, the computer architects argued.
Kaminsky, Steve Crocker of the security consultancy Shinkuro, David Dagon of the Georgia Institute of Technology, Danny McPherson of security firm Verisign, and Paul Vixie of the Internet Systems Consortium wrote a white paper in May predicting that businesses relying on secure connections will quickly feel the repercussions of the proposal when hacking increases.
Kaminsky's group said the redirection measures in the bill can be easily circumvented, adding that they have met with the White House, Commerce Department, and members of Congress to air their concerns, which are confined to the technical sections of the bill and not the entire proposal.
The Motion Picture Association of America, a key supporter of the bill, issued a statement on Thursday strongly disputing these claims. Web users are unlikely to reconfigure their computers to circumvent the filtering, the MPAA said, and the security standards cited by the authors ought to be flexible enough to allow for IP protection.
"Here's the bottom line: We rely on the Internet to do too much and be too much to let it decay into a lawless Wild West. We are confident that America's technology community, which leads the world in innovation and creativity, will be capable of developing a technical solution that helps address the serious challenge of rogue sites," said Paul Brigner, chief technology officer at MPAA.
The technical grievances are just one sticking point in a bill that has received strong criticism from the Internet sector, which fears new costs involved with combating piracy. Civil libertarians fear an overly broad bill could suppress online speech. Sen. Ron Wyden, D-Ore., placed a hold on the bill earlier this year after it passed out of committee.
"By ceding control of the Internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the Internet, [the legislation] represents a threat to our economic future and to our international objectives," Wyden said at the time.