As you read this, please keep in mind that I say it all with a track record of nearly 14 years of being proactive and having a zero-tolerance policy toward criminal activity and network abuse on our system. We have great relationships with Law Enforcement Agencies both here in Canada and abroad. We are always helpful and (usually) happy to answer questions, and help LEA understand the complexities and nuances of the internet. We've had the good fortune to meet some really intelligent and clued-in cybercrime units. We participate in numerous communities in combating net.abuse and cybercrime.

I finally got around to reading the text of the Stop Online Piracy Act (SOPA) today. While the ostensible intentions are to combat online piracy and the sale of counterfeit goods, the bad news is that the legislation contains elements which basically put every single domain registered under generic TLDs under the authority of the United States Attorney General.

We have already seen, in the case of the ICE domain seizures, improper takedowns and overreach resulting in the takedown of tens of thousands of websites when a single one was the target.

How does this affect you?

Our objections to SOPA are very similar to our objections to Verisign's recent proposal which contained overly broad takedown powers and could be used to assert US law (and "requests") on all domain holders internationally.

We consider SOPA far more pernicious because it may become US law, rather than a policy implemented by a private company (albeit one that holds a monopoly on large tracts of internet namespace).

SOPA differentiates between "domestic" and "foreign" domain names, but the definition of "domestic" basically includes all domains registered under any of the gTLDs (generic Top Level Domains), because their respective Registry operators are US-based entities:

(3) DOMESTIC DOMAIN NAME- The term `domestic domain name' means a domain name that is registered or assigned by a domain name registrar, domain name registry, or other domain name registration authority, that is located within a judicial district of the United States.

All domains under .com, .net, .org, and .biz are "assigned by" a domain name registry in the United States: Verisign, Public Interest Registry and Neustar respectively. Afilias is incorporated in Ireland; however, they are operationally in the US. And at the end of the day, all domain names exist in namespaces assigned by ICANN, which is a California corporation.

So basically this means everything. Any domain, any TLD, anywhere, can be cut off at the knees by the US Attorney General issuing a court order against a service provider, registrar or registry. (Although they may find it more difficult to assert beyond the generic TLDs. ICANN cannot, for example, operationally take down a domain inside some given ccTLD, the way Verisign or some other gTLD registry could simply yank any domain's nameserver records out of the rootzones.)

Perhaps for the scope of this discussion, only gTLDs are at risk. This means you can probably ignore all of this unless your domain is under com/net/org/biz/info, or you use a US-based registrar, service provider or your website is ever visited by anybody from the United States.

Where This Is Going.

If this becomes law, it's a short stretch from SOPA to NODA (No Online Dissent Anywhere), and if you think I'm a nutcase for saying so, I'd like to remind everybody what happened just over a year ago, when US politicians were tripping over themselves to shut down Wikileaks (a royal fiasco in which this company was embroiled), and to this day, they have not been charged with a crime anywhere.

Many of the "dirty tricks" employed against Wikileaks would be enshrined in law under SOPA (and someday, NODA):

A requirement that service providers block access to offending domains, including that they stop resolving their DNS

Search engines to purge search results for offending domains

Payment processors to sever ties to offending domains

And they added an extra provision that it will be an offense to knowingly create a service or system to provide a workaround to a banned domain or host. So, for example, they would no longer have to hassle Mozilla to remove that Firefox plugin that lets you reach ICE-blocked websites; it would be illegal to make it or distribute it.

While this is an Online Piracy law, it already contains additional "enhancements" under Title 2: Additional Enhancements to Combat Intellectual Property Theft, namely:

SEC. 201. STREAMING OF COPYRIGHTED WORKS IN VIOLATION OF CRIMINAL LAW.

SEC. 202. TRAFFICKING IN INHERENTLY DANGEROUS GOODS OR SERVICES.

SEC. 203. PROTECTING U.S. BUSINESSES FROM FOREIGN AND ECONOMIC ESPIONAGE.

Where All This Ends

Even if ICANN is officially against SOPA (former chairman Vint Cerf wrote a good letter opposing it), failure on ICANN's part to oppose SOPA would mean catastrophic failure in their mission of overseeing the namespace to the benefit of all stakeholders.

If this happens, there needs to be a serious conversation around a topic so incendiary, so heretical that I will probably become persona non grata within domain policy circles for saying it, but I'm going to say it:

The Internet RootZone would have to be administered by a non-US Entity instead of ICANN.

The reason is that the internet root is held together largely through two things:

Consensus

Convention

As all of the world's peoples, businesses and websites come increasingly under the jurisdiction and law of a single country, consensus will fragment. The internet root will have to be under the stewardship of an honest broker who can respect the rights of all sovereign interests as they relate to the internet.

Otherwise, it ends with a split internet root, if we're lucky. If not, it ends with a completely Balkanized one, because while it may not be the case now, as this escalates (and I suspect it will), it will pose intolerable risk to non-US entities of all stripes.

Already we get business from companies whose stated corporate IT policy is to not use US-based servers to hold email or route web traffic. I'm not talking about torrent hosts, whistleblowers and fake Rolex vendors. We're talking large enterprise entities whose legal departments find even the theoretical legal ability for Homeland Security to monitor their corporate communications simply intolerable.

While I'm not complaining about the extra business, I still smell trouble on the horizon.