Piracy and Malware: Two Parts of a Single Problem

Compartmentalization is one of the things people do best. Life is complicated, so it’s a lot easier to deal with its troubles and travails in little pieces. As Scarlett O’Hara said when she lost Rhett Butler in Gone With the Wind: “I can't think about that right now. If I do, I'll go crazy. I'll think about that tomorrow.”

Compartmentalization plays a large role in both engineering and Internet policy. Engineers and policy makers can influence the nature of the Internet in countless ways by developing new features and enacting new policies that affect its overall behavior. On the one hand, we’re all tempted to make the Internet better by addressing its various shortcomings, and on the other we’re tempted to leave it alone because it’s produced so many benefits. So we tend to reserve our creativity for the problems that we deem most critical and leave the rest alone.  Besides, it’s hard to change the Internet, so every new feature or regulation is likely to cause side effects that we don’t like even if there are net benefits.

The Internet also doesn’t have many levers to press, because it’s a wide open, decentralized system practically patched together out of discrete and diverse technologies operating in a wide array of social contexts. Company networks follow one set of policies, residential ones another; wired networks operate one way, wireless ones another, and so on.

The Domain Name System is one of the levers that both technologists and policy makers can use to control the way the Internet works. As we transition from IP version 4 to version 6, DNS is a key transition technology because it controls the appearance of IPv6 services on the Internet. Facebook servers can process either IPv4 or IPv6, but Facebook can make IPv6 appear and disappear simply by manipulating the information it publishes to the Internet through DNS. Akamai operates high capacity caching servers all over the world, and it controls which ones any given consumer uses by publishing carefully tailored – and different – information around the world through DNS. DNS is a curious hybrid of centralized control and distributed delivery of information that greatly increases the utility and power of the Internet.

It’s natural that policy makers should turn to DNS to help reduce sales of pirated and dangerous goods, unlicensed media content, and bogus drugs over the Internet, as the PROTECT IP (PIPA) and Stop Online Piracy Acts (SOPA) mandate. While not a complete solution to the problems of unlawful commerce, it’s a significant speed bump that can be used to make criminal merchants much harder to find.

A substantial segment of the Internet establishment has a problem with this particular use of DNS, however, even though many of them have histories of supporting the use of DNS filtering and blocking against other types of crimes. In particular, Paul Vixie, the creator of the BIND DNS server’s “Response Policy Zones” (RPZ) feature, opposes the use or RPZ to reduce digital piracy. In his analysis, RPZ should be used to reduce the incidence of really serious crimes such as child pornography and computer hijacking, but not for pedestrian violations of intellectual property rights:

I've been asked by several people whether ISC’s Response Policy Zone technology…can be used to implement government mandated DNS blocking, for example to protect Hollywood against intellectual property theft or to protect children against abuse by the distribution and viewing of Child Abuse Materials or to protect a society against content deemed dangerous by its government. Sadly my answer to this is a qualified "yes."

I say “qualified” because while I can agree that it’s worth perturbing the whole Internet ecosystem to wipe out a domain that’s being used for the distribution of Child Abuse Materials I simply cannot agree that this level of perturbation is warranted for the protection of intellectual property.   

What we have here is a good example of compartmentalization.  RPZ is primarily intended to keep computers safe from malware, the viruses that make them parts of “botnets” controlled by criminal enterprises that seek to use them to spread spam and to launch malicious denial of service attacks on extortion targets. It can also be used to curtail the spread of child abuse materials, unlawful speech, and IPR theft. Stopping child abuse materials and malware are in the “good” compartment, and stopping intellectual property theft or unlawful speech is in the “bad” compartment, so end of discussion.

Or is it?

Note that this is a policy judgment, not a technical one. Vixie admits that response policy can be used for a variety of purposes, and he’s drawing a line based on his personal values. But the line between good and bad domains isn’t really where Vixie thinks it is.

The Internet security company McAfee does regular reports on the kinds of malware that it finds in the course of doing its anti-virus business, and one has some findings that are informative for this discussion.  Its report, Music and Movies: Entertainment Versus Online Risk - Avoiding the risks associated with online music, videos and moviesfinds a significant overlap between sites trafficking in IPR violations and those trafficking in malware. The report finds:

• Adding the word “free” to a search for music ringtones results in a three-fold increase in the riskiness of the sites returned by major search engines in English.
• Searching for “MP3s” adds risk to music search results and searching for “free MP3s” makes music search results even riskier. Even when a consumer indicates that they want to pay for the MP3 in their search, results still send them to pirated content with increased risk of malware.
• Malicious advertising—where an online ad is used to distribute malware or redirect the user’s browser without their knowledge—is a common means of infection, even on well-established sites. For instance, on June 1, 2010, McAfee identified “malvertising” on perezhilton.com that redirected users to a site that delivered malware.
• Sites that are set up to distribute illegal content are difficult for consumers to detect and often distribute malware and expose users to other risks. These sites are so sophisticated that the criminal associations behind the sites can often only be found by tracking the ownership of the domains, and the relationships and tools that were used to develop those sites. Not something the average consumer can, or will, do.

This finding is in line with common sense. It costs money to operate a web site, especially one in a foreign country that serves up movies, TV shows, and songs to the American audience. The criminal has to pay for rack space, storage, and bandwidth, and international bandwidth bills can be high. The criminal enterprises that sell pirated versions of Hollywood movies on-line are not doing so out of the goodness of their hearts.  

Some of these sites fund themselves by selling subscriptions billed to credit cards, but how likely is it that a copyright thief will protect the credit card numbers (and authorization codes) they harvest from abuse? It’s significantly more likely that they’ll sell them to other criminals. And why should they settle for ads from legitimate networks that will comply with the Online Protection and Enforcement of Digital Trade (OPEN) Act when there’s more money to be had by placing malvertising?

The popularity of these criminal sites is on the rise, with more than 2,000 of them within the top million web sites world-wide.

The blue line details the total number of live, active sites distributing this content. The red line indicates sites distributing unauthorized content that are amongthe top one million websites according to Alexa. The McAfee report summarizes very clearly:

Again, consumers should remember that “free” is very often the lure used by cybercrooks and the average consumer cannot identify the illegitimacy of a claim or website. With the massive advances in cybercrime, illegal content becomes yet another platform designed to attract and exploit consumers with sophisticated technology, leaving the user unaware of the risks to which they have been exposed.

So we should be able to see that efforts to reduce digital piracy from profit-driven web site and efforts to reduce malware will typically home on in the same sites, the same actors, and the same motives.

Vixie isn’t the only one who fails to see that commercial piracy and malware are two aspects of a common problem. The Cato Institute’s IPR scholar, Julian Sanchez, insists that only the technically clueless believe that technical measures can help reduce piracy:

I’ve yet to encounter a technically clueful person who believes the Stop Online Piracy Act will actually do anything to meaningfully reduce—let alone “stop”—online piracy, and so I haven’t bothered writing much about the absurd numbers the bill’s supporters routinely bandy about in hopes of persuading lawmakers that SOPA will be an economic boon and create zillions of jobs. 

He should talk to Mr. Vixie, a technically “clueful” person who admits that the measures proposed by PIPA and SOPA can be effective. Sanchez proceeds to offer an economic analysis that purports to show that economic losses due to piracy are simply “allocative efficiency” losses that show up in some other part of the economy. (We pointed out the fallacy of this argument in Network Policy and Economic Doctrines). Sanchez asserts:

As one expert consulted by GAO put it, “effects of piracy within the United States are mainly redistributions within the economy for other purposes and that they should not be considered as a loss to the overall economy.” In many cases—I’ve seen research suggesting it’s about 80 percent for music—a U.S. consumer would not have otherwise purchased an illicitly downloaded song or movie if piracy were not an option. Here, the result is actually pure consumer surplus: The downloader enjoys the benefit, and the producer loses nothing. In the other 20 percent of cases, the result is a loss to the content industry, but not a let loss to the economy, since the money just ends up being spent elsewhere.

(I wonder if Sanchez endorses people sneaking into less than full movie theatres without paying since this is mostly “consumer surplus” or riding on less than full airplanes without paying.) While Sanchez’ comment is meant to criticize SOPA, it actually shows that he, like many other critics, doesn’t even grasp the bill’s focus. SOPA isn’t about piracy that takes place wholly within the American economy; it’s about the direct sale or the advertising-supported distribution of pirated goods by foreign sites.

When an American consumer buys into a Russian download service trafficking in Hollywood movies, the U. S. economy does not receive any benefit. Considering the risk of credit card theft, the American consumer is likely to pay much more in the long run to purchase a $40/year streaming service overseas than to buy from a legitimate seller such as Netflix for $10/month, and all of that money goes into the Russian economy.  The same is true with ad revenue going to other nations. In short, the kind of online piracy that SOPA-PIPA are going after exacerbates the U.S. trade deficit and exports dollars that would otherwise be spent (even if not on content) in the U.S. creating jobs.

Much of the SOPA criticism is like these two examples: emotionally-driven reactions that redefine the problem into neat categories that mistake the nature of piracy and the scope of the PROTECT IP and SOPA bills.  It’s time to have some sensible and rational discourse about these issues without false compartmentalization and distortion.