It’s probably prudent to mention again that these blog posts represent strictly my own opinion, see my disclaimer here. In the security presentation game, we spend a lot of time talking about “bad actors”; today it has a somewhat different meaning.
The concerns with ACTA centre mostly around how the bill enforces liability on websites for any links that point to disputed content and how ISPs may be obliged to dig deeper into their customers’ online activity. In the world of User Generated Content, the potential for any site to be forced to close down, in a Stalinesque way to become a “non-site” as it is obliterated from search results or even have its domain name seized, all as a result of the actions of its users, is seen as too great a threat to business online.
ACTA is in many senses the big brother of SOPA. SOPA would have had negligible effect outside of the US, as the proposed bill would only remove sites from the US-visible part of the web (and even then there are plenty of ways around it). ACTA is proposed as a global “Agreement” which has been negotiated in closed shops with only one side of the debate having been represented and no jurisdictional or democratic oversight. The closed shop appears to have been cynically and deliberately set up outside of existing structures such as the WTO, perhaps to protect vested interests of large corporations and a subset, in fact a tiny minority, of governments.
Our business is not only about security; as far as I am concerned it is also about privacy and trust, and this kind of legislation has a damaging effect on all three of those. Under ACTA, ISPs will become accountable for the actions of their subscribers and as such will have no option but to monitor the content that is being both posted and accessed by their customers. This represents a gross invasion of privacy and under much of the western world’s communications intercept laws is already currently at least a legal grey area, if not outright illegal. Under ACTA that same (as in SOPA) issue of sites that link to copyrighted content surfaces again, with web sites facing similar risks and similar levels of accountability.
Under current copyright law (which itself should not be considered immutable) rights owners have the legal recourse to seek to defend their own property, however by the same token it should be recognised that “the internet” or even “that web site” does not fall under that definition. To propose legislation that would enable an entire site to be “disappeared” because of a link to copyright content is draconian in the extreme and undemocratic to boot.
The internet is not intellectual property; the internet is the crucible of modern innovation and in large part generated by “we the people”. US law, and many others besides, classify copyright as the right to revenue from the copying of original work in a fixed medium; the internet has surpassed this concept. If I link to a video you posted, in what sense am I “copying” and in what sense is that truly “tangible”? Is the rendering of a picture in my browser copying, or is it simply “display”? How do we deal with the concepts of mash-ups, crowd-sourcing and social networks when antiquated laws must apply, and what happened to my freedom of expression?
Security is a much deeper concept than endpoints and data; security is my right to access and use the global resources available to me, unimpeded by the legal ramifications of the actions of other internet users. Legislation such as ACTA and SOPA would make this impossible. The mantra of online innovation should be “adapt and survive”; the mantra of rights holders is too often “entrench and resist”.
The only niche left for innovation & collaboration in an ACTA world is for ACTA compliance solutions that continually monitor your web properties for infringements (thereby monitoring also the content of any linked site as well) and remove any offending UGC promptly.