The Motion Picture Association would like the US Government’s executive cybersecurity order to be optimized to identify operators of pirate sites and services. Among other things, the order should require U.S.-based IaaS providers, including hosting services, DNS servers, reverse proxies, and cryptocurrency exchanges, to robustly verify the identities of foreign customers.
Anonymity is a great good on the Internet but increasingly there are calls for stricter identity checks.
Such requirements are not new. In daily life, many people encounter situations where they have to prove their identity. When opening a bank account, for example. But online it is still rare.
At the start of this year, then-President Donald Trump signed an executive order that could help change this. Titled ‘Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,’ the order aims to tackle online cybercrime, including copyright infringement.
IaaS Providers Should Verify Customers
The executive order aims to stop foreign cybercriminals from using US-based Infrastructure as a Service (IaaS) products. Specifically, this can be achieved by requiring such services to properly verify and retain the identities of non-US customers.
This proposal is music to the ears of large copyright holder groups, including the Motion Picture Association (MPA). Rightsholders often complain that anonymous operators of pirate sites and services use American services such as domain registrars, hosting companies, CDN and proxy services, and even cryptocurrency exchanges.
So, when the U.S. Department of Commerce launched a public consultation on the implementation of the executive order, Hollywood’s anti-piracy group was keen to respond. According to the MPA, the proposal will help to deter piracy, but only under the right conditions.
MPA Proposes Strict Requirements
Under the DMCA, online services can already be required to identify potential copyright infringers. However, the MPA notes that operators of pirate sites and services often use false information.
“In our experience, malicious cyber actors – including operators of piracy sites and services – almost always misrepresent their identity to IaaS providers. The regulations should therefore ensure that the verification of their identities generates a high degree of confidence that the recorded identities are genuine,” MPA writes.
Among other things, IaaS providers shouldn’t just verify personal information when an account is opened. The services should make sure that this information remains accurate for as long as the customer uses their products.
In addition, the MPA would like these robust identity checks to apply to all customers, not just foreign ones. After all, pirate sites aren’t merely operated by people from other countries.
“While a significant share of malicious cyber activity – including copyright infringement – is perpetrated by non-U.S. commercial actors, U.S. business customers represent a non-negligible share of perpetrators of malicious cyber-enabled activities.”
Ensuring Effective and Correct Policies
The MPA suggests three measures that should help to ensure that the new requirements are effective and correctly implemented by IaaS providers.
Firstly, online services should offer a tool that allows interested parties to notify them if their clients are potentially using false or misleading identities. Secondly, services should terminate the accounts of clients whose information is false or misleading, and who fail to correct these errors.
The third measure is targeted at the IaaS providers themselves. If they fail to comply with the regulation, financial penalties should follow.
The MPA wholeheartedly supports the efforts to require IaaS providers to identify customers. However, the group is concerned that the current IaaS definition used by the Government isn’t broad enough.
Cryptocurrency Exchanges and DNS Servers
For this reason, the regulation should ensure that it covers a wide range of services, including web hosting, reverse proxies, CDNs, DNS servers, anti-DDoS services, domain registrars, payment processors, advertising networks, and cryptocurrency exchanges.
The role of hosting providers is obvious, but the Hollywood group stresses that cryptocurrency exchanges and DNS servers also play a crucial role in the piracy ecosystem.
“Cryptocurrencies have become a popular method among malicious cyber actors – including copyright infringers – for anonymously receiving payments and storing profits,” MPA writes.
“[DNS] servers ‘resolve’ a web address into the corresponding IP address. DNS resolution is an essential networking function of the internet and infrastructure that is essential to operating a website,” the group adds.
At the moment, many cryptocurrency exchanges already have thorough verification procedures, but the MPA clearly sees room for improvement. For DNS servers this may be harder to implement, as these generally don’t have site operators as customers. But perhaps these could be otherwise urged to stop resolving pirate sites?
The MPA is hopeful that the new regulation, if implemented, will help to track down cybercriminals and significantly deter piracy. In due course, this should help protect entertainment industry revenues while keeping the public safe from piracy-related malware threats.
A copy of the Motion Picture Association’s comments and suggestions in response to the U.S. Department of Commerce consultation is available here (pdf)
Many thanks to TorrentFreak for the breaking news.