Piracy runs rampant on the Internet, but Daniel Castro says it doesn't have to be this way. He wants the US government to start creating a blacklist of Internet sites; once approved by a judge, each site would be cut off from American Internet users at the Domain Name System (DNS) level, where readable locations like "arstechnica.com" are turned into numerical IP addresses. US-based credit card companies would be forbidden from doing any business with the site, and US-based advertising networks couldn't serve ads to the site.

Sound familiar? It should—this is the basic outline of the Combating Online Infringement and Counterfeits Act (COICA) legislation first introduced in Congress last year. Castro, a senior analyst at the Information Technology and Innovation Foundation (ITIF), coauthored a 2009 paper on Internet piracy (PDF) that included many of the ideas that found their way into COICA.

He testified this month before Congress about the need for such measures, and I spoke to him recently about Web blocking, censorship, and why he believes that deep packet inspection (DPI) of Internet traffic by ISPs is more like Gmail than wiretapping. As for due process, Castro says COICA is fair—but he's open to some tweaks.

Crime fighting, Internet-style



Ars: I'm sure we can both agree that there's plenty of piratical behavior on the Internet, but the key question is how we deal with that reality. In your view, why is something like COICA the right way forward?

Castro: If you accept the fact that piracy is a problem, government needs to do something. You have to start from that premise. So if you accept that premise, the question is what's the most effective way of reducing infringement?

The problem we have right now is that there's different types of actors: domestic [pirate] sites, foreign sites, domestic consumers, foreign consumers. You have different strategies for dealing with each of these groups. For domestic sites, you can do things like taking down sites very easily. For foreign sites, you can't do that. The question is, are there other options? Of course there are. You can block sites, for example, at the DNS level. Or you can get everyone who's involved in the Internet, the different intermediaries, to come together and find ways to combat piracy, and that's what COICA is about.

Ars: There has been a host of criticisms about the way COICA might be implemented. One of them I've heard repeatedly is that the utility of DNS censorship is going to be fairly low, given that people can still access the sites in question by IP address or by switching DNS providers. Is this just about making piracy a little bit harder?

Castro: Nobody, including myself, makes the claim that DNS blocking will be 100 percent effective. It might not even be 90 percent effective. But the question is, is it effective enough that it's worth the cost of doing it? I think the consensus from the people that can do it is that yes, it is. There's a very low cost if you have a single list of sites that are engaged in piracy. Once you have this list, there's a variety of steps you can take to make accessing these sites more difficult.

It's crime-fighting. You never stop all crime; the point is, can you reduce it to a tolerable level. Right now, we're not really doing all that much to combat piracy and counterfeiting, and there is a lot more that we can do. As long as the steps are reasonable, we should take them.

Ars: In attempting to seize a recent child porn domain name, ICE accidentally took down an extra 80,000 sites and redirected them to a banner claiming that they had been busted as part of a child porn investigation. Do you have concerns about this DNS-based approach to site blocking, especially since COICA's site blocking hearings could be largely non-adversarial?

Castro: Well, that gets to the issue of process, and certainly the process failed with that ICE takedown. That means it should be corrected; I absolutely agree with that. One of the proposals at the hearing where I testified was that the government might give advance notice at times. You can certainly envision a 72-hour notice period where you let the site know that it has infringing content, we are intending to take it down, and you have 72 hours to respond. That's one possibility. We don't do that in the real world with counterfeiting; we go in and seize counterfeit goods when we see them. If a crime is happening, the police can stop it immediately, and there's a limited amount of time in which they can do so without going to a judge. You can stop a crime in progress, and that's the same question we have on the Internet now.

Ars: I was speaking with Rep. Zoe Lofgren (D-CA) about this several weeks ago, and she was very sharp on the “due process” issue. She argued that what was going on with ICE takedowns right now were a travesty of justice and probably illegal, in part because of the seize-first-ask-questions-later approach. But it sounds like you're more open to notification and a chance to respond before some of this blacklisting takes effect.

Castro: Sure. I think there's a couple things to keep in mind. You might want to act so swiftly on some sites that you don't notify them. For example, a site like WatchSeason5Episode2ofDexter.tv, which appears right after the show airs. A reasonable process would say that someone in law enforcement can look at the site, talk to the content owner, and agree that it is an infringing site. Maybe they can take that one down in real-time.

Something else that may be a little more ambiguous might have a 72-hour notice, where the site could come back and possibly provide evidence that what happened was incorrect. Remember, of all the sites that ICE has taken down so far, no one has come back and said, "I really wasn't an infringing site," with that one exception.

Ars: Sure, but isn't that a bit like saying, "We took down all of these allegedly infringing sites and none of the foreign operators behind them hired an expensive US lawyer to get their domain name back, so they must agree with what we did"?

Castro: If my site was taken down illegally by the federal government, I would complain very loudly. And we haven't heard that from the ones who were taken down. I think they know they were engaging in illegal activity, and some people have said they've stopped.

Ars: You draw a distinction between different kinds of sites. But what we've seen from ICE so far has involved many sites which were clearly infringing, but also sites where it wasn't so clear—sites that engage only in linking, for instance, or those that link to illegal content but also to legal material. So it's interesting to hear you call for something better than a one-size-fits-all approach.

Castro: The purpose of COICA is to go after sites that are dedicated to infringing, where there is a significant portion of the content which is infringing. It's not to say that you can avoid penalties by posting entire seasons of HBO shows alongside a few public domain photos. I think that's ridiculous. Of course you can take down the whole site. There are distinctions that can be made. But at the same time, nobody's talking about taking down someone's personal website because they happen to use a copyrighted photo.

Ars: One of the things Lofgren warned about was that if you go down this road, government agencies like ICE could one day choose to shut down Google. Your reaction?

Castro: I don't think anyone seriously thinks that ICE is going to shut down Google. Sites that play by the rules are in no danger of being taken down because that's the whole point: they're part of the solution, not part of the problem.

Ars: Many of these issues are international. For instance, one of the domains taken down in a recent seizure was the Spanish rojadirectas.com, which was declared legal by Spanish courts. Countries obviously have the right to prevent behavior at home that is legal abroad, but it does seem like this gets a bit more complicated when you're trying to do things like COICA is: preventing multinational payment processors and ad networks from working with companies that are legal in their own jurisdictions. Any concerns about extending US law too far when it comes to shaping the Internet?

Castro: I don't think there's a problem with asking companies in the United States to protect other companies and IP rights holders in the United States. They are based here, they should follow US laws. The fact that a country doesn't protect intellectual property is no excuse to just give them free reign to do whatever they want.

Ars: Should private companies be able to go to court under COICA to obtain website blocks, or should that be reserved for government?

Castro: I don't think there needs to be a private right of action, but there needs to be an easy way for rightsholders to report that their content is being infringed upon and have a process so that enforcement action can be taken. If it appears the government alone is unable to provide a significant level of enforcement, then I think a private right is something that should be considered.

Ars: In your 2009 paper, you talked about getting even more Internet intermediaries involved in antipiracy work, even saying that ISPs should install deep packet inspection (DPI) gear to monitor traffic flowing through their network for possible copyright violations. Would you still like to see ISPs get more involved?

Castro: Yes. ISPs certainly have a role in reducing infringement. One recent study found that more than 25 percent of content on the Internet is infringing content. This has a big impact on ISPs and on all users who are not downloading that material. That's why I think it's important to allow ISPs to engage with their customers who are downloading illegal content in different ways; one of those ways would be deep packet inspection.

That is not wiretapping. Wiretapping is when someone is reading your communications, reading your e-mails. Deep packet inspection can be an automated process, it can do content matching and identification, and it can provide a simple warning to a user. Or it could be used in "three strikes" legislation, like they have in a few European countries—where you receive notice and if it keeps happening, you receive some kind of penalty. If it continues, you might have your Internet connection terminated.

But there are other options as well. Content holders could advertise to these people. If you are downloading a certain band's music, that band could contact you to say, “Hey, we're going to be in your town next month, what if you buy these tickets?”

Ars: This talk about getting intermediaries more involved in stopping infringement sounds like a move away from the traditional “safe harbor” approach we have used for communications networks. How would this sort of approach differ from, say, asking a phone company to listen in on calls to prevent illegal activity, or to block a list of government provided numbers to alleged foreign mobsters?

Castro: If you call known foreign terrorists, your line is probably going to be tapped. But I don't think there's actually a parallel there. I don't think those are the same thing. Deep packet inspection is one option. And the key is that this is automated technology. When Gmail provides contextual ads by scanning your e-mail, there is not a privacy violation because there's no person on the other side who's reading your e-mail.

Fireworks and missiles ahead



COICA promises to be one of the crucial pieces of tech-related legislation that Congress will consider this year, and it promises to involve serious fireworks. Sen. Patrick Leahy (D-VT) has already promised that COICA will pass this year, but he's up against Senators like Ron Wyden (D-OR), who said last year that COICA was "like using a bunker-busting cluster bomb when what you really need is a precision-guided missile." Wyden has promised to "take the necessary steps to stop [COICA] from passing the United States Senate."

To catch up on our complete COICA interview series, check out our conversations with Sen. Al Franken (D-MN), who supports COICA with a few changes, and with Rep. Zoe Lofgren (D-CA), a fierce opponent of everything that COICA represents.