When I studied the logistics of running DNS, I realized that the limits on it were artificially imposed in order to limit supply and facilitate control. The central database and “whois” records are all controlled by Network Solutions, Inc., who is a subsidiary of SAIC (Science Applications International Corp.), the largest private contractor for the US National Security Agency and the Pentagon. Most of the top corporate officers are former US military personnel who have retired from service and are engaged in “private practice”, including former NSA Chief, Bobby Inman, current Director on the Board, putting their militarily-acquired skills to work for profit.
In effect, when one registers and pays Network Solutions for a domain name, they are also paying to maintain surveillance on themselves. Ask yourself. Is this what you want? Does it make you feel comfortable?
— Paul Garrin to Pit Schultz, nettime, 1997
When I read that passage a year ago, my answer was, “Yes.”
Yes, I feel comfortable. No, domain names are not an elaborate surveillance scheme. Paul Garrin, you sound like a crazy person.
Now, I’m not so sure — and it might be a good time to revisit Garrin’s doomsday prophecies, on the eve of their incarnation.
You’ve probably already heard about the Stop Online Piracy Act (SOPA). It’s an MPAA- and RIAA-backed package of measures that would give the US government unprecedented options for shutting down sites that are suspected of “engaging in, enabling or facilitating” copyright infringement, and it’s in committee right now. There’s a lot to object to in the package, but the section that’s attracted particular attention is the one that would force ISPs to allow the government to block websites through altering Domain Name System (DNS) records; that’s the one that goes beyond an exasperated “oh, government!” and turns DNS – an essential part of the web’s infrastructure – into a blatant tool of the American state.
Garrin was warning us about this possibility fifteen years ago. For five years from 1996 to 2001, the video artist and activist ran a business-as-activism-as-art project, Name.space, that aimed to decentralize DNS by providing an alternative to the systems run by Network Solutions. It was wrapped in rhetoric equal parts freedom and paranoia, with Garrin warning that a combination of government surveillance and the corporate commodification of language would eventually restrict free speech online; that is, unless everybody switched to systems like Name.space. At the time, in an atmosphere of little meaningful government regulation of the internet, it sounded crazy; DNS was a power structure, sure, but that in and of itself was of interest only to dedicated anarchists. With SOPA, however, the danger is suddenly much more real.
First, some explanation might be helpful: DNS is what turns nice-looking, human-readable domain names, like google.com, into ugly-looking, machine-readable IP addresses, like 18.104.22.168. The system is semi-decentralized, and a bit confusing: if you type in google.com, your computer needs to go find the authoritative DNS record – that reads something like “google.com = 22.214.171.124” – on the servers of the company that sold Google their name. Thankfully, most of the time you don’t need to go all the way to the source. First, your computer will check its own, local records, in a file stored somewhere on your machine. Failing that, it will check to see whether anyone near you – in infrastructure terms – has looked up that domain lately, asking your home network and your internet service provider for recently found domains that match your request. If all else fails, your computer will contact one of 13 root nameservers on a universal list provided by your operating system, and ask that server where to find the authoritative record. If your computer can find a DNS record from any of these sources, you’ll end up where you wanted to go; if it can’t, you’ll get one of those sad error pages telling you the server couldn’t be found.
SOPA would allow the government to stop this search at a number of levels, both by deleting authoritative DNS records entirely and by forcing your ISP to give your computer false DNS information if you request a suspected site. The language of the law attempts to limit the system to the United States, but the similar system used in China’s Great Firewall has been found to affect users from neighboring countries who, by chance, had their DNS queries routed through Chinese nameservers. It goes without saying that the same effect would be magnified in the US.
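The lookup order described above, and what a filtering ISP resolver does to it, as an added example that is not part of the original article. It is a toy model: the Resolver class, the domain names and the addresses (reserved documentation ranges) are all constructed for illustration.

```python
# Constructed data: reserved .example names and RFC 5737 documentation addresses.
AUTHORITATIVE = {"site.example": "192.0.2.10", "blog.example": "192.0.2.20"}

class Resolver:
    """One caching resolver in the chain (home network or ISP). Hypothetical model."""
    def __init__(self, name, upstream=None, blocklist=None, false_answer="198.51.100.1"):
        self.name = name
        self.upstream = upstream            # next resolver to ask, or None
        self.cache = {}                     # recently found domains
        self.blocklist = set(blocklist or ())
        self.false_answer = false_answer    # what a filtering resolver hands back

    def lookup(self, domain):
        if domain in self.blocklist:        # filtering: answer falsely, never ask upstream
            return self.false_answer, f"{self.name} (filtered)"
        if domain in self.cache:
            return self.cache[domain], f"{self.name} cache"
        if self.upstream is not None:
            ip, source = self.upstream.lookup(domain)
        else:                               # stands in for the root -> authoritative walk
            ip = AUTHORITATIVE.get(domain)
            source = "authoritative" if ip else "not found"
        if ip is not None:
            self.cache[domain] = ip         # a false answer gets cached downstream too
        return ip, source

def resolve(domain, hosts_file, resolver):
    """Follow the order in the text: local file first, then the resolver chain."""
    if domain in hosts_file:
        return hosts_file[domain], "hosts file"
    return resolver.lookup(domain)

def distinct_answers(domain, resolvers):
    """Answers seen across independent resolvers; in this model, more than one
    means some resolver on the path is not returning the authoritative record."""
    return {r.lookup(domain)[0] for r in resolvers}

if __name__ == "__main__":
    isp = Resolver("isp", blocklist={"site.example"})
    home = Resolver("home", upstream=isp)
    other = Resolver("other")               # an unfiltered resolver for comparison
    for name in ("blog.example", "blog.example", "site.example"):
        print(name, resolve(name, {}, home))
    print(distinct_answers("site.example", [home, other]))
```

On the real internet, differing answers are not proof of filtering by themselves, since load-balanced and geographically distributed services legitimately return different addresses to different resolvers.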
Since the details of SOPA became public, a range of easy-to-use workarounds have popped up in anticipation of these DNS provisions; DeSopa, for instance, is a Firefox plugin that allows users to switch from US-based DNS servers to offshore proxies with the click of a button. Workarounds, though, don’t address the underlying problem – that the structure of the internet relies upon a naming system which is relatively centralized and which lies squarely in the sights of government and corporate power. What Garrin tried to convey was that bottlenecks naturally attract surveillance and control – it was only a matter of time before government agencies in the US realized they could use the present DNS system to their own ends.
Ultimately, the service Name.space provided seems to be fairly anodyne: users were given the opportunity to register domains with extensions like .med, .news, or .sex, instead of the official .com or .net. The idea behind Garrin’s project, however, required a radical shift in how DNS worked: rather than drawing from a single, universal list of root nameservers, users would be able to select from a range of nameservers with varying policies, domains, and levels of security. There was a risk of rogue servers – phishing scams, for instance, become a greater threat with an alternative DNS – but there was also the potential for a system, in the true techno-libertarian ideal, beyond state or corporate control. In a 1997 interview with Pit Schultz, Garrin waxed poetic on this point:
Name.space is part of the internet. It is also the future of the named.address structure of the internet. As an independent tactical network, it is a system which will create an economic basis for free media to remain online without corporate or institutional regulation or censorship. The goal of name.space is to buy as much bandwidth and processor power as possible to ensure that there is always a home for free media and alternative voices and visions on the ever changing internet.
To the engineers and administrators who had spent years working to standardize the structure of the internet, though, it looked like anarchy. DNS was the glue holding the internet together – a reliable, centralized, universal system that required little maintenance and less discussion. Every computer on the net was programmed to assume the existence of one domain naming standard and one group of rootservers; overcoming that assumption was an intimidating task. DNS was the epitome of “if it’s not broke, don’t fix it”, and it certainly wasn’t going to undergo such fundamental changes for the sake of internet idealism or a wider selection of domains. In one 2000 memo regarding the difficulty of changing the system, the Internet Architecture Board, a non-profit body tasked with the oversight of various internet structures, flatly declared, “There is no getting away from the unique root of the public DNS.”
Garrin launched a barrage of criticism at the defenders of the status quo, and seemingly found support from the inventor of DNS, Paul Mockapetris. When it became apparent that the nature of the system would not be changed, Garrin applied to have 118 of Name.space’s top-level domains – .med, .news, .sex and the rest – added to the root nameservers, with his own servers holding the authoritative records. His application was denied. Sarah Ferguson, writing for the Village Voice, reported that he was given an opportunity to compromise and receive a smaller set of certified top-level domains, and rejected it:
But Garrin’s problem may be simply that he wants too much. Given ICANN’s stated intention of adding a “modest” number of new domains in this “proof of concept” phase, observers say there’s no way he could have ever won approval for 118. Yet when the board members asked Garrin to select three from his list, he refused.
This shocked even some of Garrin’s sharpest critics and competitors. “People at the hearings were watching this, saying, ‘Come on, Paul, pick three,’ but he wouldn’t do that,” says Richard Sexton of the Open Root Server Confederation, a network of alternative root servers. “His mentality is, it’s my way or the highway.”
Without support from the root nameservers, Name.space was left without a feasible business model: to view Garrin’s domains, users would need to change their system settings or install special software, and potential domain registrants were scared off by the resulting smallness of the user base.
Garrin went to court over the matter, filing an antitrust suit against Network Solutions, who then held the exclusive Department of Commerce contract to administer DNS. He lost. The result of that ruling established, dubiously, that Network Solutions was immune to antitrust legislation because it was operating a government contract. It also rang the death knell for Name.space, along with a host of commercial alternative DNS services – Sexton’s Open Root Server Confederation among them – that had hoped Garrin’s case would open the door to legitimacy.
We could use those alternatives right now. It’s not that a world of multiple DNS roots would be better – it would add layers of complication to a system designed to be simple, and the benefits of competition in the field of infrastructure are negligible – but rather that that world would have a better chance of not becoming a near future technodystopia where our thoughts are monitored by hyperintelligent lizards. A simple multiplication of DNS services wouldn’t wholly eliminate the possibility of surveillance and control, but it would certainly make it more difficult; the annual “Cyber Monday” seizures of domains selling counterfeit jerseys and handbags, for instance, have required the cooperation of only one firm – Verisign, Inc., which administers all .com and .net domains (among others) through the contract that Network Solutions once held.
Name.space wasn’t the first alternative – AlterNIC probably gets that prize – but it was an early and vocal member of that would-be industry, and its status as an art project gave it a kind of longevity a purely commercial enterprise wouldn’t have. The failure of AlterNIC was one of many dot-com busts; the failure of Name.space was the natural conclusion of a quixotic quest begun in part to prove its own impossibility. The former only elicits a shrug, but the latter might prompt some inquiry into why things have to be this way.
So I’m sorry, Paul Garrin. I had you all wrong. I hope, once SOPA has been safely defeated, that there will be time to appreciate the genius of looking outright crazy.
In closing, a quote from Daniel Castro, an analyst at the Information Technology and Innovation Foundation who first proposed much of SOPA in a 2009 whitepaper (emphasis mine):
Opponents of PIPA/SOPA, such as the Internet Society and Crocker et al., argue that DNS filtering will “puts users at risk.” However there are no security risks from DNS filtering. Instead, the purported security risks for users come about only for those Internet users who begin using alternative DNS services (i.e. those individuals intent on breaking the law).
-Via AFC reader Jonas Lund, Garrin explaining his project on YouTube.
-Lovink’s book, Dark Fiber: Tracking Critical Internet Culture, spends a few pages discussing nettime.free, a strange episode tied into Name.space wherein Garrin attempted to form a splinter community. Salon mentioned it, too.