Really Bad Idea: Make ISPs Liable For Cybercrime Efforts
from the oh-come-on dept
Let me start off this post by noting that, while I don’t know Noah Schachtman personally (other than a few emails back and forth many years ago), I’ve always liked his work writing for Wired and other publications. However, I’m surprised to see him advocating the strong use of third party liability as a tool to deal with cybercrime, as a part of a paper for the Brookings Institute. The idea is that, when talking about spammers & scammers online, there are, perhaps, a small number of ISPs who tend to do business with these guys, and Schachtman believes that by making those ISPs liable, it would pressure them into cutting off the bad clients.
Schachtman has numerous caveats and is pretty specific in his plan that it only apply to a specific list put out by a trusted independent third party, that the methodology for being on the list is clear and that an appeals process also be explicit. On top of that, he says that it should be limited to “universally recognized crimes, like theft, fraud, and criminal trespass” and is clear in saying that it “wouldn?t work for politically inflammatory speech or copyright infringement; they?re too open to abuse and overly broad interpretation.”
Also, in reading the report, it’s clear that this isn’t just something he came up with overnight, or some random blogger or reporter dashing off a column on some fragment of a thought they had an hour before deadline. He’s put a lot of thought and research into this. But I still think the idea is dreadful and shortsighted. It wouldn’t solve the problem it seeks to deal with, at all, and (even worse) it would open up all sorts of collateral damage or unintended consequences.
First off, it wouldn’t solve the problem it’s trying to solve. We’ve seen this time and time again with attempts to shut down any kind of “rogue” behavior online by going after intermediaries. The bad players just figure out some other place to go, and they often go further underground in ways that makes it tougher to find or track them and their activities. Even Schachtman admits that many would likely jump to ISPs elsewhere. So, if it’s not actually stopping the behavior, then what’s the value?
Second, while Schachtman is clear that this shouldn’t be used for those other things, chipping away at third party liability protections in any arena is quite dangerous, because it’s not hard to see lobbyists using that to push for such rules to be expanded to cover their pet area. Anyone who thinks that the RIAA and MPAA wouldn’t pounce on this and work hard to add copyright infringement to the list simply hasn’t been paying attention. What Schachtman describes in terms of the ability to sue an ISP for third party actions has been the legacy entertainment industry’s wet dream for over a decade. Anyone who thinks that politicians would distinguish the types of crimes that Schachtman focuses on from garden variety claims of copyright infringement is living in a dream world.
And, honestly, I’m still at a loss as to why this is actually needed. It seems like there remain much more effective ways to deal with issues like this that don’t involve giving up basic concepts of properly applying liability to the actual party responsible. The first is actually targeting those responsible for the crimes. If they’re using known ISPs, then it seems like there is a record trail that can be traced back to go after those actually breaking the law to try to put them out of business. Second, if the concern (as it appears) is that some US ISPs are doing this and that’s a shame, then deal with that publicly, by more publicly shaming ISPs who are popular among criminals. Use public pressure to get them to (a) either help law enforcement or (b) to enforce reasonable terms of service. Trying to make them liable as a third party will make life difficult for them, but not the actual scammers.
Filed Under: copyrights, cybercrime, isps, liability, third party liability
Comments on “Really Bad Idea: Make ISPs Liable For Cybercrime Efforts”
Not a surprise. Brookings Institute is neo-con HQ.
They pose as libertarian / conservatives.
You're right; it's a bad idea
One of the things we’ve learned over the past few decades of fighting spam, and more generally, abuse, is that legal methods DO NOT WORK.
That is not to advocate illegal methods, of course; it’s to point out that the legal system is the wrong place to address the problem, because it’s clueless, outdated, slow, inept, local (whereas the problem is global) and in some cases, effectively owned by the abusers.
But beyond all that: we already *have* quite effective means at our disposal for applying pressure on ISPs who, let’s say, host gangs of spammers. The problem is not the lack of these methods or their effectiveness; the problem is our unwillingness to use them, particularly our unwillingness to use them when they cause (or appear to cause) issues for our own operations. This problem persists despite the escalating seriousness of the issue — which, as I’ve said elsewhere, I fault *us* for. Had we acted more effectively much sooner, there wouldn’t be an entire ecosystem of abuse to contend with now.
Re: You're right; it's a bad idea
One could make the argument that legal methods could work just fine were it not for the inept grandstanding of District Attorneys and political infighting of various government agencies who feel they should be the ones to get the good press over fighting “cyber” something.
Legality is not the issue, it is ineptitude.
Let us at least both agree that nth degree liability is stupid and wrong and call it at that.
Re: Re: You're right; it's a bad idea
I certainly agree with your final point: nth degree liability is a braindamaged idea.
However, there’s more than just inept grandstanding and political infighting, although I certainly agree that those are both present in large quantities.
There is pervasive technical incompetence. Consider trying to explain the problem of network hijacking (covered in one article here: http://www.theregister.co.uk/2003/06/11/cracking_down_on_cyberspace_land/ ) to a judge, jury, prosecutor or anyone else involved. (Keep in mind today on TechDirt we learned that the feds are flummoxed by a dual-boot laptop.)
And if we solve that problem? (Which, conceivably we could.) Then we have the problem that your laws are not our laws are not their laws. And competent abusers have learned to operate trans-nationally: domains registered in China, hijacked network routed via the Ukraine, payment processing in Brazil, web servers in the UK, and spam from Mexico. Who is going to coordinate that investigation? Who is going to be able to understand the operation (given that the complexities of some of them are a challenge even to people who measure their experience in decades)? Who is going to figure out which laws are being broken where or where litigation should happen? And how’s that going to work out when the “where” is a place where the local political structure is controlled by the Bad Guys?
This is a network engineering issue, and should be handled as such. While network engineering counter-measures (such as: null-routing traffic from selected ASNs) are not without their issues, I think that the people who *built* the Internet are in a much better position to understand the problem and its solutions (and their pitfalls) than anyone in the legal realm. So there is no way that any of this should be the stuff of legal proceedings; this way lies madness.
Re: You're right; it's a bad idea
You hit the nail on the head. ISPs often become havens for illegal operations, playing games that allow their slimy customers to be “shut down” just long enough to pop back up in a whack a mole fashion, while the ISP takes no responsiblity for their actions. You know, the old “we are just a service provider”.
One only has to look at the whole Estdomains / Esthost sitution to understand how this can work.
I also think that the ISPs need to be more transparent. That is to say that they should be obliged by law to disclose customer information based on legal filing, and should not be allowed to fight these sorts of things. Either they are transparent and willing, or they block the process and accept responsiblity for their customers actions.
When “bad actors” (what a term) are able to hide behind their ISP or service provider, it creates a shield from legal action. I don’t think anyone can suggest that any of the various safe harbor laws were intended to give such protections to end users.
Re: Re: You're right; it's a bad idea
I’m always amazed at how gleefully you admit to wanting to erode privacy and due process.
Re: Re: You're right; it's a bad idea
Where did you get those swank jack boots – they’re awesome!
Re: Re: You're right; it's a bad idea
Yeah, I couldn’t agree more Mr. Coward. ISP’s must not be permitted to have representation and if they try to protect their customers they should loose their government granted Internet operations license. We need to establish that office of government pronto. Like I always say, if you’re not responsible for the actions of your clients, then who is? The safe harbors were clearly designed before the Internet was regulated and it’s time to do away with them all together. If you’re on AT&Ts network and you download a song.. ATT owes someone $50,000… There simply aren’t enough laws to protect the children.
Re: Re: Re: You're right; it's a bad idea
Here is the question: Why are they trying to “protect their clients” if they are only straight forward service providers? What interest would they have in getting in the way of a legal action, and making it hard for the suing party to get the lawsuit to the appropriate person if all they are doing is providing a connection?
Do you think the phone company goes to court to complain every time a lawsuit is launched using a phone number as a key source of information?
What benefit is there to the straight service provider to be obstructionist in a lawsuit?
Re: Re: Re:2 You're right; it's a bad idea
The same reason Republican were about the debt: for shits and giggles.
Re: Re: Re:2 You're right; it's a bad idea
The benefit is profit — in some cases, lots of it, far more than what any phone company makes from a single voice line. Abusers, because they are frequently detected and blocked, constantly need new domains, new DNS, new routing, new web hosting, new email service, etc.; this makes them repeat customers and means that they provide a steady flow of income. [Some] ISPs are reluctant to give that up and will argue that what they’re doing isn’t illegal…and in some cases they may be right, despite being abusive, it’s NOT illegal.
Re: Re: Re:3 You're right; it's a bad idea
Yeah, you’re probably right – there are no ethics in business as it is all about profit.
We should just change it from “guilty until proven innocent” to “guilty if your the easiest person to pin it on”
Re: Re:
whoops, yes i flip-flopped that on accident
You're right; it's a bad idea
This will never work. Most spammers/scammers use compromised accounts or forge email headers to seem like it’s originating elsewhere.
“trusted independent third party”
except:
1. Nobody in this business is truly independent, and
2. Many of us have learned the hard way that no one should be trusted. “Trust” is a word used by Politicians, Used Car Salesmen, and Con Men.
How to fix spammers and cyber crime
I would put the death penalty up as a helpful item. Get the attention of some of these folks…even if they are in another country. Get the Seal Team after them and their families.
Same goes for the recent bankers and investment whores that drug us down this slope.
Re: How to fix spammers and cyber crime
Is it possible to sic the hounds upon their masters?
This just goes back to the “legal solution for a technical problem” issue. I haven’t seen any spam in 5 years. Ok, maybe a piece or two I’m forgetting. But I marked it as spam, it got filtered from then on, and that was it. It’s a problem of the technology, and technology can (has?) solve it.
I figured a few ways out of spam
Its basically easy..
MAKE the site/company/group that had it delivered, responsible..
If they spam a porn site, MAKE the porn site liable.
Or even the advertiser..
And if it was an individual..Then they have to have a BANK location, threaten the bank with Closing the ISP link, unless they give you the NAMES and close the account.
Thats much easier then TRYING and missing, with closing a WHOLE SERVER..
but, they wont do that..ITS THE BANK.
Considering how much money is lost to things like fraud and identity theft, it would be really nice to see governments and the various law enforcement agencies put at least an equal effort into hunting them down as they do into hunting down and prosecuting file sharers.
ISP’s should band together and refuse to carry any of their krappy studio sites in retaliation.
financial institutions
when i read the article i thought the isp argument was pretty weak and probably unworkable. however, he also mentioned the financial institutions that seemed even more concentrated than the isp’s. but either way, you have to admit that these isp and financial institutions are selected specifically because they don’t ask too many questions. we have banking laws in this country regarding “know your customer” that limit who can get bank account to real people. this type of law would help in this situation and would involve no 3rd party liability.