New tools to combat thieves online

Today, when criminals sell counterfeit CDs, DVDs or designer handbags from a physical location, the police shut them down.

When counterfeit drugs are being passed off as a regulated brand name or even their generic counterparts, sold and shipped within U.S. borders, law enforcement shuts them down.

But when those same criminals commit these same crimes against American citizens via the Internet from offshore locations, U.S. law is powerless to act.

The recently introduced U.S. Senate bill “PROTECT Intellectual Property (IP) Act of 2011” offers a reasonable solution: After a U.S. court has determined that a foreign site is trafficking counterfeit goods, a court order would be issued to block access to them in the United States.

These court orders would require U.S. search engines, payment processors and ad networks to stop transacting with these foreign criminal websites. Internet Service Providers (ISPs) would also be required to redirect these illegal sites to a government take-down notice using a technique called Domain Name System (DNS) filtering.

This DNS filtering method is being contested by some Internet engineers who have raised some technical concerns, claiming that DNS filtering could “break the Internet.” When these claims are analyzed, the purported engineering concerns made against DNS filtering were riddled with fallacies (see paper).

The first fallacy is that DNS filtering is ineffective when in fact it is widely deployed on the Internet today. For example, DNS filtering is being used to block spam and being proposed as a way to block Internet phishing scams. The Waledac botnet responsible for sending billions of spam messages per day was shut down just last year when judges seized 276 domains used to control computers hijacked by Waledac.

The second fallacy is that DNS filtering would weaken the security of the Internet. Some engineers argue that DNS filtering would prevent websites deemed illegal by the courts from using a secure form of DNS called DNSSEC. But the purpose of the court order is to shut down all access to infringing websites so it would not matter what form of DNS they used. Therefore, the only thing weakened by DNS filtering would be the security of these Internet criminals.

The third fallacy is the assertion that DNS filtering destabilizes the Internet because it fragments the Internet’s official DNS system. The anti-filtering engineers speculate that counterfeiters would create their own filtering system. In reality, counterfeiters have no desire to create an expensive and ineffective alternative DNS system. Real-world examples confirm this.

When these three arguments against the PROTECT IP Act failed to gain traction, the same engineers changed their story and began arguing that the Act would break DNSSEC by making it illegal to implement DNS failover mechanisms — or redundant backup systems — in Web browsers. They argue that because the DNS mechanisms in place today do not know why the DNS lookup failed — whether due to a court-ordered take-down or by criminal mischief — a failover mechanism might inadvertently circumvent the court order. However, the PROTECT IP Act makes no mention of Web browsers or even DNSSEC so the PROTECT IP would not restrict or eliminate these failover mechanisms.

All of the purported technical arguments against the PROTECT IP Act are without merit. Therefore, the courts should be allowed to make reasonable judgments to shut down counterfeit goods sites. The PROTECT IP Act would be an effective way to do just that and to protect American intellectual property and, thus, preserve American jobs.

George Ou is a network engineer who built and designed wired network, wireless network, Internet, storage, security and server infrastructure for various Fortune 100 companies. He is a Certified Information Systems Security Professional, was technical director and editor-at-large at ZDNet.com, wrote the popular blog “Real World IT,” contributes to hightechforum.org and created the non-profit group Digital Society.