DNSFilter CEO Responds to Quad9 Injunction: “DNS resolvers should not police the internet for copyright violations”
by Ken Carnesi on Jul 27, 2021 12:00:00 AM
In June of this year, Sony Music filed an injunction against DNS resolver Quad9 to block a particular website that contains links to a number of file-sharing sites. When I originally read about this injunction, my initial thought was that Sony was seeking to block access to peer-to-peer sites through Quad9. I supported Quad9’s objection as that type of content filtering should be available to the end customer at the customer’s discretion to use. However, I was floored to learn that the site in question does not actually host any content infringing on copyright. It was a listing of links to peer-to-peer domains. The copyright infringement mentioned in the injunction is a single Evanescence album that was released in March.
As the CEO of a company that provides resolver services in the DNS security space, I support Quad9’s objection to the injunction filed against them by Sony Music. With this case, the courts are creating an environment where litigation of third party security providers can become the norm. Every DNS resolver service should be outraged.
To put Sony’s injunction into perspective, DNSFilter sees over 150,000 queries to P2P or “pirating capable” sites on our network each day. That category is visible as part of our service, and roughly 85% of these queries are blocked by our customers based on either a personal choice or their company policy requirements. But according to this injunction, Quad9 is first being asked to block directly, removing the option from its customers. Second, the site in question and related domains might not even be categorized as P2P per our category service as it is not explicitly a pirating site. This raises the question that in the future if this is enforced, are DNS resolvers now responsible for creating an entirely new category of domains that link or are related to P2P sites? And are DNS resolvers required to block these categories regardless of legitimate use?
According to the injunction, Quad9 could incur a fine of up to $298,356.00 (€250,000) for not blocking the site. In the event they cannot pay the fine, they could be subject to a prison sentence of at least 6 months but not exceeding 2 years. There is no detail in the injunction how many times Quad9 might be responsible for paying this amount. So it is unclear if this would be a one-time fine for failing to comply, or an offense where Quad9 could incur multiple penalties.
As Quad9 is a privacy-centric non-profit, this injunction seems to be a targeted attack on a company with fewer resources, as opposed to a genuine attempt to stop piracy. There are larger players that Sony Music could choose to go after in the DNS space—companies that profit off of their solution, which Quad9 does not. But Quad9 is likely an easy target for them because they’re a non-profit, and also because they are now headquartered in Europe, and therefore eligible to be sued under EU law.
It’s possible that Sony Music is targeting an industry that is growing rapidly, attempting to create new policies now instead of at the point when DNS protection is as ubiquitous as anti-virus—a future that’s virtually here.
But another question I have is: Why go after ISPs and DNS resolvers in the first place? DNS resolvers are a distant third party when it comes to the accessibility of illegal content online. Sony Music should take this issue to those committing the infringement and those hosting the pirated content. DNS resolvers are not responsible for what content is on the internet, they simply resolve the queries. And in many cases, with DNS resolvers like DNSFilter, our content filtering applications actually reduce traffic to peer-to-peer sharing and other illegal sites.
We agree with Quad9 that this injunction could set a dangerous precedent where companies uninvolved with piracy will find themselves responsible for policing online content, adding significant costs and risks to platforms meant for cybersecurity intended to be used for protecting users from malicious content such as ransomware. The costs of these fines could be astronomical depending on how they are enforced. Pirating has been going on for decades, and there will always be a black market for this type of material.
Both Quad9 and DNSFilter’s main objective is to stop users from accessing malicious content online, such as malware, phishing, and botnet sites. As Quad9 addressed in a statement, complying with this injunction will detract from their true mission as it will add unnecessary overhead to the operational costs of their platform, and diminish the quality of the user experience.
While we are against piracy and intellectual property theft, it is not the job of a DNS resolver to police the internet for copyright violations. It is our responsibility to give our users the capability to protect themselves in a digital space. The true parties responsible for this content should be the ones incurring the costs. In the meantime, all of our customers have the option to block these sites if they choose to.
We look forward to supporting Quad9 fully and joining forces with other cybersecurity companies to fight what we believe is only the beginning of a larger attempt to enforce control over internet piracy using DNS resolution as the mechanism.
The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.
Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.
TL;DR: SASE is broadening—it is about more than just access! It is about endpoint protection and user-based access…and it's called Security Service Edge (SSE). All of the aspects of the joint NSA and CISA guidance on Protective DNS (PDNS) and user-level policies are part of the secure category, originally launched by Gartner in January 2022. Regardless, it’s been interesting to see the NSA and CISA create guidance recognizing the breadth of cyber...