A dangerous precedent for web blocking
The world wide web seems simple: type in a domain name or use a search engine and get the content you want. But a lot is going on under the hood.
When it comes to blocking content, various companies and governments attempt to block content at different levels of the technology stack that sits between you and content.
In a quiet news story reported on by Electronic Frontier Foundation and others, a German court just handed down an injunction that could have major ramifications for what happens between you and content on the web.
The web stack
To understand what the German court did and why it’s problematic, it’s important to understand what happens when you visit a website.
When you create a website you choose a web host, such as Namecheap. There are thousands of web hosts and cloud providers out there. These hosts maintain content for their customers that web users can access.
Technically, you don’t need a domain name to have a website. But without domain names, each website would have a long, hard-to-remember IP address. Domain names were created as a simpler way to navigate to websites. It’s much easier to remember a domain name like Namecheap.com than to remember a string of numbers like a phone number.
Domain names are registered at a domain name registrar, such as Namecheap. (Companies often act as both a web host and domain name registrar.) When you reserve a domain name through a registrar, the registrar reserves the domain name with a domain name registry. The registry depends on the top-level domain (the part to the right of the dot) you choose.
For example, if you register a .COM domain name, the registry Verisign reserves the domain name. Think of Verisign and other registries like phonebooks. Once you reserve a domain name and connect it to a website, Verisign tells people where the content is that the domain name should point to.
This description simplifies things a lot but describes the basic plumbing of the web.
Then there’s the access side. You use an Internet service provider (ISP) to access the web. In many places, this is a cable or telecom company such as Spectrum or Comcast. On your mobile phone, it’s your mobile service provider, such as Verizon or AT&T.
When you type a domain name into your browser, your ISP acts as the first step to figuring out where the content is hosted. Rather than ping the registry’s “phonebook” each time, many ISPs cache (remember) where a domain name address points. (There can be other parties in this process, but the key is that your query usually starts at the ISP and goes to the phonebook or a copy of it, which then tells your browser where to go.)
Some people don’t like to use the ISP as the first step to navigating to a website. There are many reasons for this; the ISP might be slow to resolve the website, it might interject itself in the process to show ads related to the website you want to visit, and it could track the sites you visit and sell your data.
To bypass the ISP, users can select a different Domain Name Server (DNS) resolution service to resolve their queries. These DNS resolution services promise faster speeds and added security (such as blocking malware). Google and Cloudflare both offer DNS resolution services.
Another service is Quad9, which is the party involved in the German injunction.
Web hosts, domain name registrars, and registries all have some sort of business connection to website creators and play a role in blocking access to content. Their exact roles have changed over time. Sometimes, they require a court order to block content. Other times, they will block access to bad content, such as phishing sites, based on a report.
For example, there is a process in the Digital Millennium Copyright Act that U.S. web hosts follow. If someone complains to the host about copyrighted content a customer hosts, the process lets the host avoid responsibility for the content. Valid complaints usually result in quick content takedowns after the site owner is given a chance to respond.
In another example, domain registrars play a role in cybersquatting disputes. Trademark holders can file a complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP). If they win the case, the UDRP forum will instruct the domain registrar to transfer the domain name to the trademark holder.
Also, courts sometimes instruct domain name registries to suspend or transfer domain names.
Domain name registrars and web hosts often have to balance privacy and due process with blocking content to infringing or potentially dangerous content. Here’s what Namecheap does to strike this balance.
Reasonable people can disagree about the role that these parts of the web stack should have in blocking content. But the key with hosts, registrars, and registries is that they all have a business relationship and direct connection to the person who creates the website/content.
On the contrary, ISPs and DNS resolution services don’t have this direct relationship to the content creator. Most people agree that they should not play a direct role in blocking access to content due to complaints about copyright or opinion.
The German court and Quad9
Sony Music obtained an injunction against Quad9 in the lower court of Hamburg, Germany. Sony Music wants Quad9 to block the resolution of domain names that it says host content that infringes on its copyrights.
This is a dangerous precedent and could lead to more efforts to block content on the access level with entities, such as ISPs, that don’t have a direct relationship with the content creator.
In this case, the court considered that Quad9 already blocks access to certain content, such as malware and phishing sites. Thus, it should be able to block access to sites that infringe copyright, the court determined.
Writing on its blog, Quad9 states:
The inclusion of recursive DNS servers, which do not handle copyrighted material and have no relationship with the involved parties, in the ranks of legally mandated blocking mechanisms is a dangerous precedent. The assertion of this injunction is, in essence, that if there is any technical possibility of denying access to content by a specific party or mechanism, then it is required by law that blocking take place on demand, regardless of the cost or likelihood of success. If this precedent holds, it will appear again in similar injunctions against other distant and uninvolved third parties, such as anti-virus software, web browsers, operating systems, IT network administrators, DNS service operators, and firewalls, to list only a few obvious targets.
A dangerous precedent
The German court’s decision sets a dangerous precedent. Internet access companies that help point domain names to content should not be a chokepoint based on copyright claims.
Organizations that advocate for rights to free speech are taking notice. Electronic Frontier Foundation writes:
The seemingly endless battle against copyright infringement has caused plenty of collateral damage. But now that damages is reaching new levels, as copyright holders target providers of basic internet services.
Quad9 is fighting back with the resources it has. It’s a non-profit with limited resources — perhaps why Sony Music decided to go after it — but it vows to fight the court order.