ICANN, Freedom™ and Apple Pie®

[Note: This was submitted to RISKS digest but rejected.]

A WSJ op-ed quoted in RISKS digest:

This means, effective next year, the U.S. will no longer oversee the “root zone file,” which contains all names and addresses for websites world-wide. If authoritarian regimes in Russia, China and elsewhere get their way, domains could be banned and new ones not approved for meddlesome groups such as Ukrainian-independence organizations or Tibetan human-rights activists.

Until late last week, other countries knew that Washington would use its control over Icann to block any such censorship.

What a steaming pile.

Recall that starting on 29 November 2010, the US government used its control of the DNS root servers to get Verisign to seize Internet domain names, including one which was registered and hosted in Canada and belonged to a Canadian company. The explicit aim of the seizure was to block meddlesome groups, in this case online casinos and alleged counterfeiters and copyright violators. The orders were sealed and secret. ICANN initially did nothing, and then in 2012 they published a set of helpful instructions for governments wanting to seize domains.

So while I appreciate that Americans enjoy the fiction that the US government or ICANN are the lone forces preventing Internet censorship, it’s not actually true. In reality, the US government has explicitly stated that it considers itself to have the right to seize anything registered under a generic top-level domain.

So making ICANN independent of the US government is a good move, and a necessary one if the organization is to regain the trust of those outside the US.

Yes, it will be bad if ICANN ends up controlled by China or Russia, but that doesn’t mean it’s good having it controlled by the US.

About that “proposal for the UN to control the Internet”…

There’s a kerfuffle ongoing about whether the UN is trying to take over the Internet. The problem proposal:

“31B 3A.2 Member States shall have equal rights to manage the Internet, including in regard to the allotment, assignment and reclamation of Internet numbering, naming, addressing and identification resources and to support for the operation and development of basic Internet infrastructure.”

What nobody seems to be talking about is why this proposal has been brought forward. Let me remind those with short memories.

Earlier this year, the US government declared that it owned all international (.com/.net/.org) domain registrations, no matter what country they were registered in. A lot of people seem to think that that’s an uncontroversial fact, and that the 3-letter TLDs were always intended to be US-owned. This is simply not true, so let’s go back into history a bit.

If you read RFC 1591, it is clearly stated — by Jon Postel no less — that .com, .edu, .net and .org were created as “World Wide Generic Domains”, as opposed to the “United States Only Generic Domains” of .gov and .mil. Remember that Postel ran the Internet’s root domain name servers from the creation of the DNS until the late 90s. If there’s anyone who knew how DNS was supposed to be organized, it was him.

In the late 1990s, Postel announced that he wanted to found a Geneva-based, non-government, worldwide organization called the Council of Registrars — CORE — to manage the Internet’s domains. It would be staffed by representatives from all the national DNS root maintainers and domain registrars. The US government, on the other hand, wanted all domains to continue to be owned and run by Network Solutions.

In 1998, Postel asked the root nameserver maintainers to switch the definitive root for the world wide domains from Network Solutions (owned at the time by government defense contractor SAIC) to the non-government IANA. Postel was quickly threatened by the White House, and backed down.

In response to Postel’s attempt to let the Internet control itself, the US government set up ICANN and put Postel in charge. ICANN was to be the democratic organization which came up with policies for Internet naming. The actual servers would all continue to belong to Network Solutions, who would implement ICANN’s proposals — or not.

Jon Postel died a few months later, from unexpected complications following heart surgery.

ICANN quickly became controversial, announcing new policies for resolving arguments over domain name ownership, known as the “Uniform Dispute Resolution Policy”. This policy is biased in favor of corporate interests; if you own a domain and a corporation claims it as a trademark, you have to prove good faith, prove it’s not confusingly similar to the trademark, and prove you have a legitimate interest in the domain — or else it’s simply given to the corporation.

Next, ICANN abandoned plans for elections, becoming an undemocratic unelected quango. It’s now largely seen as a way for the Department of Commerce to set rules for the Internet without having them subject to judicial review.

For a while the DNS wars carried on quietly, on technical mailing lists, away from the gaze of average Internet users. However, in 2011 the US government proposed SOPA, the “Stop Online Piracy Act”. One of the controversial provisions of the act was that the US government would be given a “global Internet kill switch”, with the ability to turn off any Internet domain that was deemed to infringe US laws. SOPA caused massive outcry, and was dropped by politicians. Internet activists congratulated themselves on a job well done.

And then the US government went ahead and used the kill switch anyway.

In March 2012, sports betting site bodog.com was shut down by US authorities. It was a completely legal web site, registered in Canada and owned and run by a Canadian company. However, the US government instructed Verisign (the current owner of Network Solutions) to make the DNS root name servers lie about the site’s IP address. They did so, and the site became unreachable by customers around the world.

The message to foreign companies and governments is stark: the global Internet domains all belong to the US government, to do with as it wishes, regardless of jurisdiction or national laws. And technically speaking, there’s nothing to stop the US government from seizing control of even more domains. It’s a declaration of trade war.

The US government doesn’t like your political position? They can simply declare your organization a sponsor of terrorism, and turn off your web sites. A US corporation gets a major legal judgement in its favor in the US, but not elsewhere in the world? The Department of Commerce can just tell Verisign to turn off the web sites of the defendant anyway.

This is what has countries like Russia up in arms and demanding worldwide control of the Internet, rather than having it controlled by the US government and its puppet organizations ICANN and Verisign.

The world’s other governments are approaching the ITU to try and achieve their goal because the ITU is one of the few worldwide standards organizations that works. The US has made it quite clear that it doesn’t consider itself bound by anything the UN decides. The ITU, however, controls the phone systems, which the US government has (so far) been unwilling to unilaterally mess with.

The big disappointment for me is that most of the media coverage is presenting this battle as Internet self-governance versus “UN controlled Internet”. Even respected names like Vint Cerf are dishonestly claiming that the ITU proposals would “centralize decision-making power”. He writes that the ITU would create “significant barriers to civil society participation”, completely ignoring that ICANN is unelected and we already have no participation in or right of review over US government decisions imposed by Verisign.

Let’s be clear about this: Internet self-governance died in 1998. This battle is about the US government having sole centralized control of the Internet, or worldwide governments controlling it jointly.

I do not say that because I favor the ITU proposals. One government dictator who has already abused his power, or many government dictators who might abuse theirs? Both those options on the table suck. My position is that we need to push for a third option, a return to how things were supposed to be when people like Jon Postel built the Internet.

Notice that the NYT article by Vint Cerf doesn’t even mention Postel. History is being quietly rewritten here. We’re being told that the US government always controlled the entire Internet domain name system, and that that’s how it was meant to be. Inconvenient facts to the contrary are quietly ignored, and we are presented with a false dichotomy for Internet governance. Don’t fall for it.

Explaining SOPA

A lot of people are concerned about SOPA, the Stop Online Piracy Act. There are plenty of pages that say that it will destroy the Internet, but very few that explain clearly exactly why. It has also become clear that the politicians writing the law have no idea how the Internet actually works. So here is my attempt to explain it all.

Let me start by explaining DNS, using a situation that doesn’t involve computers, that hopefully anyone can understand.

Imagine a server on the Internet as being like an office building in 1973. No computers. No mobile phones. Just an office building with an expensive business phone line, internal phones connected by wires, and a receptionist with switchboard and a single phone line connected to the outside world.

The server has an IP address. That’s like the office building’s telephone number.

The web sites on that server are like the people who work in the office building. So talking to John Smith is like reading John Smith’s web site.

Now, when your web browser connects to John Smith’s web site, it looks up the IP address of the site, connects to the web host, and requests John Smith’s web site via HTTP. The request is then routed to the appropriate page.

That sounded complicated, so let’s translate it into our telephone analogy:

When you want to talk to John Smith, you look up the phone number of the building he works in, call that number, and ask to talk to John Smith, and you’re put through to him.

Note that unrelated people can work in the same office with the same phone number used to contact them. This is just like the Internet, where there can be multiple unrelated web sites on the same server at the same IP address. What about the different pages of a web site? Well, those are like talking to the owner of the web site about different topics.

OK. Next problem: DNS is distributed. How do we explain that?

Well, at work in 1973, when I want to know somebody’s telephone number, I look in my address book. If it’s not there, I look the number up in the company telephone directory, and make a copy in my address book so I’ll find it quicker next time. If the number isn’t in the company directory, I get the big telephone directory from the phone company, and look in that. If it isn’t there, I call directory assistance, and they look in the really big master telephone directory that has every number in the country. And so on.

DNS is like that. If your computer knows the IP address of a web site because it has used it recently, it just goes ahead and connects, makes the call. Otherwise, it asks your ISP if they have the IP address. If they don’t, your request for the IP address gets forwarded up to a higher level server, until we get to the so-called root servers, which are like the phone companies’ multi-volume master directories.

There are a few technical details not addressed by this analogy, but it’s close enough to explain basically how the system works.

So, now we can talk about the proposed SOPA legislation, the Stop Online Piracy Act.

The basic idea of SOPA is that if someone is accused of copyright violation, all the ISPs in America are required to block access to that person’s web site.

Put like that, it might sound quite reasonable. That’s probably how music and film industry lobbyists explain it to politicians. The problems become clear when you rephrase it for 1973 technology.

People are taping LPs, and giving tapes to friends who call them up on the phone and ask for a copy. So, if someone is accused of taping LPs, we will cut off the phones of the business he works at and remove his name from the phone directory.

Hopefully if you think about that for a moment, some obvious problems spring to mind. I’m going to talk about a few of them.

The first problem is that word “accused”. SOPA does not require any independent investigation. It does not require a lawsuit, or a trial, let alone a conviction. All that’s needed is for Polymer Records to accuse John Smith of taping their albums.

You might think that record companies can be trusted. Well, you might think that if you aren’t a musician, anyway. If you do, I’d suggest reading about some of the abuse of the Digital Millennium Copyright Act, DMCA. Just this last week, Universal Music Group have been issuing takedowns on YouTube for video recordings they don’t own the rights to. You might think it would never happen to you, but if you’ve ever uploaded a video of your kids singing Happy Birthday, well, that’s actionable copyright violation. The owners of The Birthday Song, Warner Brothers, collect about $2 million per year from demanding payment from people who sing it.

The second problem is this: Even if the record company is right, what about all the other people who work in the same office building? How are they going to do their work and earn a living?

A single IP address can host literally thousands of web sites, owned by people who are total strangers to each other. Blocking an IP address takes all those sites offline.

That’s not the only weapon against the Internet authorized by SOPA, though. It also allows for DNS-level blocking. That is, rather than taking out every single web site hosted at a particular IP address, it just takes out every page hosted at the same domain. Going back to our telephone analogy, when John Smith is accused of copying LPs, his name is struck from the telephone directory.

Our analogy fails somewhat here. On the Internet, a single name like Flickr or YouTube can represent tens of thousands of people. So the problem of ‘collateral damage’ isn’t eliminated, only reduced.

But the analogy does make clear a more constitutional issue: In what way is it any of the government’s business what the phone company prints in the telephone directory? If I want to run a telephone directory business with ads for dodgy massage parlors, it’s none of the government’s business. Or in Internet terms, if I choose to publish the information that happyendings.com is at IP address 2001:db8:0:1 then the First Amendment requires that I be free to do so.

There are technical issues too. At the moment, a lot of effort is going into making the Internet more secure by preventing DNS spoofing. Like crooks who put card skimmers on ATMs, DNS spoofers put fake entries in the Internet’s ‘telephone directory’, so that when you think you’re contacting the bank, you’re actually contacting a web server they own. They then collect your username and password, and use those to drain your account.

The solution is called DNSSEC, secure DNS. It uses digital signatures to ensure that only DNS entries signed by your bank will be accepted by your browser. If the signed and verified entry is missing from the directory, your computer goes out and probes servers around the world until it finds one that can provide signed and verified information.

The problem, of course, is that this is utterly incompatible with SOPA. If the government orders that happyendings.com be removed from the Internet, a computer with secure DNS will detect that the “No such web site” reply is not signed by the company that owns the domain. It will try other DNS servers, including those outside the USA and beyond US government control, until it gets a true answer.

So for SOPA’s DNS filtering to work, DNSSEC has to be abandoned or blocked. Which means that online fraudsters will carry on having a free pass to put digital ‘card skimmers’ on your bank’s web site.

Hopefully you’ve followed all that. Please feel free to quote any or all of it in letters to your elected representatives. And now, a little irony to chuckle over.

Earlier this month, a Russian web site compiled a database of around 20% of the IP addresses using BitTorrent file sharing, along with the details of the files they were downloading. Investigation soon revealed something interesting. Someone at Sony Pictures movie studio had downloaded illegal copies of “Conan The Barbarian”, a movie owned by indie studio Lions Gate Entertainment. They had also downloaded Beavis and Butthead, owned by Viacom. Meanwhile, NBC Universal’s IP addresses had downloaded pirate copies of HBO’s “Game of Thrones”, and Fox Entertainment had pirated Paramount’s “Super 8”.

If SOPA were already in effect, Sony, Fox and NBC could have found their corporate web sites forced offline, with no trial, no notice, and no comeback. Do they realize this, or are they counting on the law not being enforced against them?

FotFM: The Domain Name System (DNS)

Once upon a time, back in the ancient history of the Internet–before the 1990s–domain names were carefully controlled and regulated. A single organization controlled each top level domain. If you wanted a domain name, you had to meet their requirements.

Often the policies enforced were quite picky. If you wanted a .uk domain name, you were required to actually be in the UK, for example. If you wanted a .org domain, you were required to be a non-profit organization. To be in .net, you were expected to be a network access provider or ISP.

A lot of people disliked the bureaucracy involved in domain registration, and objected to the fees charged. And so it was decided that the domain name system would be opened up. There would be many domain registrars for each major top level domain, all competing to give the best price and service. Anyone would be able to register a domain, with minimal bureaucracy. Domains would be bought, sold and transferred in a perfect Free Market.

At first, things looked good. The cost of registering a domain dropped rapidly. Rather than having to fax paperwork around and get signed documents from company directors, you could just register online with a credit card for whatever domain you wanted.

However, it quickly became clear that domains could have value. A small proportion of Internet users (around 5-10%) don’t seem to understand search engines or bookmarks. They find things by guessing domain names and typing them in. As a result, people found that domain names an idiot would guess first ended up with traffic, purely by existing. Suddenly instead of having to advertise your web site, you could buy a domain name that people would randomly visit anyway, and get instant traffic with no work required.

Domains like “sex.com”, “computers.com” and “cars.com” suddenly became very valuable, changing hands for large amounts of money. Some people weren’t very happy about it, but still, there was nothing wrong with it really.

Unfortunately, there were headline stories of domain names changing hands for millions of dollars. And suddenly, there was a gold rush. Everyone with a modem hurriedly registered every domain name they could think about.

This was a major pain. If you wanted to set up a web site, it became almost impossible to find a simple domain name that hadn’t been registered already. Almost all of them were unused, just a whois entry and nothing more, but if you approached the owner their eyes would light up with dollar signs and they’d demand extortionate rates for their “valuable property”.

Still, the situation was somewhat self-correcting. It did still cost $50 or so to hold a domain for a year, so eventually when nobody turned up to offer $100,000 for it, the holder would let the registration lapse and you’d be able to pick it up for $50.

Then someone invented banner ads. Suddenly, those unused domains could be used to make money. Domain registrations were still dropping in price, and there were ad companies who would pay you $0.01 each time you served up an ad to someone. $10 a year for a domain, and all you needed to do was show ads to at least 1,000 idiots who typed your domain in at random, and you’d break even.

And so suddenly, the Internet filled with junk web pages filled with ads and nothing else. There are now multi-million-dollar companies whose primary business is hoarding domains and filling them with content-free crap. Domain spam is now so mainstream that companies like Google actively encourage it.

The next step was obvious. Sure, you could think of a domain name that other people would be likely to guess at random, but most of those were already registered. So the domain spammers began watching the lists of domains that people failed to renew. So now, if a widely used open source project fails to renew its domain name, the page will suddenly be replaced with a spam site full of affiliate ads.

Not everyone appreciates ending up on a domain spam page, however. Plus, if your page doesn’t look like total spam, you might get search engine traffic, and boost your profits further. Hence, the new trend is automatic content generation.

Some domain speculators take the unsubtle approach, and simply rip off content wholesale. If you have a web site with significant readership (as measured by, say, technorati), someone will likely set up a spam site which copies the text of each post you make, covers it with ads, and re-posts it to one of their hoarded domains. Sure, it’s copyright violation, but the chances of getting caught are slim, and so long as you pick on personal web sites the chances of anyone going after you with a lawsuit are slim too.

(I don’t think it has happened to me yet, but if I include a made-up word that doesn’t appear on the web, like spozquak, I should be able to do a Google search in a month or two and see if anyone’s copied it.)

However, again thanks to the free market, there’s now a market for software that can generate moderately convincing looking content. You’ve seen it in spam e-mails, and now it’s being used to fill the web too. The first generation used random text generation, but now more sophisticated “auto content generator” software uses web feeds to pull in text, chops the text into individual sentences, and then recombines them based on keywords.

(So I guess I should clarify that spozquak is a great alternative to viagra, cures mesothelioma from asbestosis, and helps you make money at home.)

While the web was filling with crap, the domain name registrars kept competing in their free market. As the supply of new unregistered .com domains dried up, they had to think of new ways to pull in customers. The solution: trial periods. You can now register a domain name for a 5 day trial, see if it pulls in any suckers, and if not you don’t have to pay for it.

You can probably guess what happened next. Someone wrote software to repeatedly register domains for trial periods, automatically.

And so we arrive at today’s web, the ultimate result of applying unconstrained free market economics to the problem of naming web sites. It’s a world where every name you can think of is already registered and filled with spam, often by someone who isn’t even paying for the domain. A world where if you’re away on holiday when your domain name expires, it’s immediately filled with spam. A world where web searches return hundreds of pages filled with spam designed to look like content, ripped off from other people’s web sites.

Of course, there are a couple of things we could do that might help ameliorate the problem. They’re just utterly unacceptable to the free market faithful who make up the Internet’s core audience.

The first is this: Do not allow domain transfers between third parties.

You bought a domain? Great. You want to sell it? Can’t. I mean, you can’t sell your home address, your postal code or your telephone number, so why should you be able to sell a domain name?  Your friend wants the domain? Fine, you cancel it, he registers it for the standard price.

If you could sell telephone numbers, you’d see rampant speculation there as well. If you moved to Austin and wanted a 512 phone number so friends could call you without paying long distance fees, you’d probably have to buy one at auction for a few hundred dollars. Or if you were in Massachusetts and wanted one of the old 617 numbers so you’d look like a long-established business, you could end up paying thousands of dollars. But the phone company doesn’t allow reselling of phone numbers, so the problem doesn’t occur.

(It’s worth noting that you can sell toll-free numbers. And sure enough, you get rampant speculation in that chunk of the phone number namespace, with most of the good ones already taken.)

The second way to help reduce the damage caused by the free market in domains is to resurrect an idea from the 80s: that your domain registration is voided if you don’t actively use the domain. And by “use”, I mean more than simply putting up a blank page of ads.

I can tell that people are already sharpening their pitchforks and lighting their torches, but which is worse: a domain name system that doesn’t support your religious belief that a free market is the best solution to everything, or a free market domain name system where you can’t actually buy any domains you want and everything is full of spam?

RSShole

Back in 1988, Dave Winer founded UserLand Software to sell a product called Frontier. It was a dynamic scripting system for the Mac. It was a bit odd; Dave was also the author of MORE, an outliner, and Frontier treated source code something like an outliner and something like a database. It was supposed to be quite good, but as of 1992 he wanted $250 for it, and if you were outside the US the price was jacked up by another 90%. So, I never bought it.

Then Apple introduced AppleScript. It did most of the important things Frontier did, and was free on every Mac. Dave Winer was furious. How dare Apple including a scripting language as part of the OS? Yes, they had added all the hooks to the OS, and he had used them for Frontier, but how had he been supposed to guess they were intending to use those hooks themselves? Sure, they were documented publically, but how dare Apple call them an “Open Scripting Architecture” when Dave wasn’t asked to help design them?

The rants have gone down in legend. The Mac was doomed now that Windows 95 had shipped. Apple’s best bet was to license Windows NT and make the Mac a graphical shell for it. Dave had spoken.

It was pretty clear that what Dave really wanted was for Apple to worship him. Of course, the nice gentlemen in Redmond were only too keen to invite Dave round for a chat about their plans and make him feel loved.

So before long, Dave was a Windows developer, had ported his software to run on PCs, and was eagerly drinking the .NET Kool-Aid.

Meanwhile, he had found a new niche for Frontier, as the basis of Manila, a content publishing system for the web. He started giving Frontier away for free, and gave away Manila free too.

Then after a year or two turned around and began charging everyone $899 a year for it. Not for upgrades, just for a license to use it. It must have seemed like a great business plan back in those dot com bubble days:

  1. Give away software for free.
  2. Once thousands of people are using it, tell them they have to pay you $899 a year to keep using it.
  3. Profit!

Of course, it didn’t quite work. And as the famous saying goes, those who do not learn from history are doomed to repeat it.

Before long Dave Winer was universally acclaimed by Dave Winer as the inventor of weblogs. He started weblogs.com, running on Manila. The plan was to give people free blogging space in the hope that they would like it enough to purchase his rather expensive software subscriptions.

Needless to say, they didn’t. And after a while, UserLand Software decided they were tired of wasting money on the exercise, particularly since Dave had officially left the company. Of course, he still owns the company, and is a multi-millionaire… but those are minor details.

Dave reportedly tried to transfer the blogs to a new server in Cambridge, MA. However, it was time for his chickens to come home to roost–his software is all Windows-based, and when he loaded it onto the new server and tried it out, the system thrashed itself to death. To get scalability for a mere 3,000 users he would have had to buy an entire server farm of Microsoft systems. That was too much like work, so Dave pulled the plug. Without notice. 3,000 weblogs vanished overnight. He recorded a heartfelt audio goodbye, and hosted it at Harvard University’s expense.

But hey, he’s a reasonable guy. He says he will provide people with their data some time in July, if they ask nicely. Not sure why it’ll take him until July to offer backups by request only, given that his software has overnight backup as a standard feature, but hey, I’m sure he has a good reason, just like he has a good reason for not even offering a redirect from the blogger.com domain to the users’ new URLs. (He says his DNS server can’t handle 3000 hostnames. I guess he runs his DNS on Windows too.)

So anyway, my point is: when’s the last time you backed up your LiveJournal?

Update 2004-06-19

Dave Winer relented after people offered their hardware and bandwidth. Users will now have until September to sort out commercial hosting, and will get a redirect. Of course, there’s still the problem of either paying for commercial Manila hosting, or getting your data out of Manila somehow…

Update 2004-09-01

[LiveJournal][14] disabled my account. Yes, I had backed everything up.