Blog post

Collective Punishment: SOPA and Protect-IP are Threats to NSTIC and Federated Identity

By Ian Glazer | January 10, 2012 | 6 Comments

As a technologist you’ve likely heard about the Stop Online Piracy Act (SOPA) or the Protect-IP Act. The intention of these bills, as described by SOPA, is “[t]o promote prosperity, creativity, entrepreneurship, and innovation by combating the theft of U.S. property, and for other purposes.” It provides a range of resources to tackle “foreign websites” that “engage in, enable or facilitate” copyright or trademark infringement. Amongst SOPA’s so-called “reasonable measures” for dealing with the assertion that a site engages in, enables, or facilitates copyright infringement is the use of DNS filtering. In essence, the site’s hosting provider would be required to modify its DNS records such that the entry for the site does not resolve. Besides the well-publicized incompatibility between DNS filtering and DNSSEC, DNS filtering has tangible negative effects on federated identity systems, including the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Consider the imaginary example of the University of Imagistan. The University is renowned for its comparative literature, geology, and biology programs as well as its study-abroad program. The University recently upgraded a section of its website dedicated to its excellent study-abroad program, hoping to attract more students from the US. The University also recently upgraded its search engine, making more content accessible from its website.

Meanwhile, a professor from the University of Imagistan has been using the National Institutes of Health’s PubMed to aid her research. There she has bookmarked a variety of articles that she found interesting. One thing to note about how the professor logs in to PubMed: thanks to NSTIC (well, FICAM actually, but same idea in this case), she does not need a separate username and password to access PubMed but instead logs in using her credentials from the University of Imagistan – a federated logon. When she accesses PubMed, PubMed gathers credential information from the University’s IdP service.

Now imagine that the University’s search engine discovered, indexed, and then linked to spam found in a student’s University-hosted blog. This spam advertised both herbal “performance enhancement” pills as well as a torrent for Hollywood’s action movie du jour – “The Postman Got Disintermediated”. At this point the University is squarely in SOPA’s sights:

  • It is a “foreign website”
  • A portion of it, the study-abroad program, is “US-directed”
  • It facilitates copyright infringement (BitTorrent of the movie) and is a threat to health and safety (possibly counterfeit drugs)

Suppose the University’s hosting provider receives and chooses to act upon a request to take the website down via DNS filtering. Now when the professor attempts to access PubMed she cannot. Why? Because the federation between PubMed and the University has been broken. PubMed will be unable to access the identity provider at the University because PubMed cannot resolve it via DNS. This means that the professor loses access to all of the articles she previously bookmarked; the value of PubMed is diminished in the process. Keep in mind that the professor has absolutely nothing to do with the supposed copyright infringement; she just wanted to use the services that she used to use via federation.
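The dependency in this scenario can be checked from the relying party's side. The following is an added example, not part of the original post: it walks a relying party's list of trusted IdP endpoints, tests whether each hostname resolves, and lists the users who are locked out when one does not. All IdP names, hostnames, users and the stand-in resolver are hypothetical, constructed sample data.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample data: every name, host and address below is hypothetical.
TRUSTED_IDPS = {
    "University of Imagistan": "https://idp.imagistan-university.example/sso",
    "Example State College": "https://login.college.example/idp",
}
USERS = {"professor@imagistan": "University of Imagistan",
         "student@college": "Example State College"}
FILTERED_HOSTS = {"idp.imagistan-university.example"}

def system_resolver(host):
    """Resolve with the OS resolver (what a live check would use)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def filtered_resolver(host):
    """Stand-in resolver: filtered names fail the way a removed record does."""
    if host in FILTERED_HOSTS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return ["192.0.2.10"]  # documentation address (RFC 5737)

def check_idp_dns(idps, resolver=system_resolver):
    """Map each trusted IdP to its host and whether that host resolves."""
    report = {}
    for name, url in idps.items():
        host = urlsplit(url).hostname
        entry = {"host": host, "resolves": False, "error": None}
        try:
            entry["resolves"] = bool(resolver(host))
            if not entry["resolves"]:
                entry["error"] = "empty answer"
        except socket.gaierror as exc:
            entry["error"] = f"resolution failed: {exc}"
        report[name] = entry
    return report

def locked_out_users(users, report):
    """Users whose home IdP does not resolve, so federated logon fails."""
    return sorted(user for user, idp in users.items()
                  if not report.get(idp, {}).get("resolves"))

if __name__ == "__main__":
    result = check_idp_dns(TRUSTED_IDPS, resolver=filtered_resolver)
    for idp, entry in result.items():
        print(idp, entry["host"], "OK" if entry["resolves"] else entry["error"])
    print("locked out:", locked_out_users(USERS, result))
```

Run with the default `system_resolver` against a real federation's endpoint list, the same check gives a relying party early warning that an IdP has dropped out of DNS.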

The National Strategy for Trusted Identities in Cyberspace, at its core, promotes the use of federated identity. It asserts that an identity ecosystem can provide stronger, more trustworthy credentials, while offering people greater control over their privacy. The approach of SOPA and Protect-IP poisons this ecosystem – denying access to IdPs in turn denies access to downstream relying parties and services.

Using censorship tools to enforce copyright does more harm than good. The DNS filtering that SOPA and Protect-IP propose breaks federation, denying service to more than just a supposedly infringing website. SOPA and Protect-IP prevent people who use identity services (identity provider, attribute provider, etc.) from that accused domain from using services like PubMed and every other relying party (such as Flickr, Google Apps, etc.). This, my friends, is the definition of collective punishment.

There are a lot of issues with SOPA and Protect-IP, and the bills have inspired a growing chorus of opposition. If reading the works of Congress is unappealing, check out the Center for Democracy and Technology and/or the Electronic Frontier Foundation; they both have excellent coverage of both bills. TechDirt has compiled resources for contacting your Senator or Representative.

UPDATE – January 13

It appears that someone’s (or maybe everyone’s) voice has been heard. Both Lamar Smith and Patrick Leahy have decided to amend SOPA and Protect-IP respectively to remove the DNS filtering sections. It is heartening that Congress has come to its senses and decided not to employ censorship tools to enforce copyright. The only good that came of this affair is the reminder that our identity systems have dependencies lower down in the stack. We must acknowledge and mitigate threats to those foundational layers, regardless of whether such threats are technical or legislative.

Comments are closed


  • Brett Glass says:

    Extremely lame argument. One blog posting with a spam in it does not mean that a site is “dedicated” to counterfeit drugs. And what’s a university doing condoning the theft of intellectual property via BitTorrent? Given the weakness and speciousness of this argument, one must ask whether Gartner has ties to companies that profit from piracy (such as Google).

  • Ian Glazer says:

    Your point about what constitutes a “dedicated” is a good one. The proposed legislation doesn’t offer a very crisp definition and thus is open to wide interpretation, especially regarding what “facilitation” means. To you, blog spam does not constitute a “dedicated,” but that might not be the case to an attorney general. Your comment reinforces the view that this legislation is too loosely drafted and needs to be revisited.

  • Jim Fenton says:

    @Brett, that’s exactly the point. SOPA and PIPA are very blunt instruments; a single posting or link can be used as a justification to take down an entire domain with no due process. And while Imagistan is apparently a foreign country, there is nothing in the text of SOPA that limits its scope to foreign websites. That’s merely the sales pitch for a bill that is much broader in scope than some would like us to believe.

  • Brett Glass says:

    The two comments above this one are yet more examples of the fallacious fearmongering being done by the large corporations that oppose SOPA. The truth is that the law has ample safeguards against abuse — too many, in fact. (Some recent amendments will, unnecessarily, allow thieves to get away.)

    I urge the public to READ THE LAW rather than allowing itself to be spooked by SOPA alarmism — which is primarily being spread by those associated with corporations which profit from piracy and online theft.

  • Kenneth Michaels says:

    Author: are you sure you are reading the Amended version of the SOPA bill, and not the original version? Some of the wording you use seems to come from the original version, not the current version of the bill. Regards.

  • Ian Glazer says:

    @Kenneth – good catch. I highly recommend people read the amended version of SOPA as well as the summary of the Manager’s Amendment.

    Even with the amendments I still have concerns. Even without the requirement for DNS redirect, an unresolvable DNS entry for my IdP is crippling.

    I am glad to see specificity around subdomains in the amendment, but worry that will put undue burden on web sites to separate their identity services (and other APIs for that matter) into finely grained subdomains.

    Also, it seems to me that Sec 2(5) of the amended version, although well-intended (I guess), gives ISPs a huge out to not enforce any court order they may receive. Furthermore, I have a hard time seeing how DNS Filtering does anything other than “impair the security or integrity of the domain name system or of the system or network operated by or on behalf of the party subject to the obligation.”