Let me start off this post by noting that, while I don't know Noah Schachtman personally (other than a few emails back and forth many years ago), I've always liked his work writing for Wired and other publications. However, I'm surprised to see him advocating the strong use of third party liability
as a tool to deal with cybercrime, as a part of a paper for the Brookings Institute
. The idea is that, when talking about spammers & scammers online, there are, perhaps, a small number of ISPs who tend to do business with these guys, and Schachtman believes that by making those ISPs liable, it would pressure them into cutting off the bad clients.
Schachtman has numerous caveats and is pretty specific in his plan that it only apply to a specific list put out by a trusted independent third party, that the methodology for being on the list is clear and that an appeals process also be explicit. On top of that, he says that it should be limited to "universally recognized crimes, like theft, fraud, and criminal trespass" and is clear in saying that it "wouldn’t work for politically inflammatory speech or copyright infringement; they’re too open to abuse and overly broad interpretation."
Also, in reading the report, it's clear that this isn't just something he came up with overnight, or some random blogger or reporter dashing off a column on some fragment of a thought they had an hour before deadline. He's put a lot of thought and research into this. But I still think the idea is dreadful and shortsighted. It wouldn't solve the problem it seeks to deal with, at all, and (even worse) it would open up all sorts of collateral damage or unintended consequences.
First off, it wouldn't solve the problem it's trying to solve. We've seen this time and time again with attempts to shut down any kind of "rogue" behavior online by going after intermediaries. The bad players just figure out some other place to go, and they often go further underground in ways that makes it tougher to find or track them and their activities. Even Schachtman admits that many would likely jump to ISPs elsewhere. So, if it's not actually stopping the behavior, then what's the value?
Second, while Schachtman is clear that this shouldn't be used for those other things, chipping away at third party liability protections in any arena is quite dangerous, because it's not hard to see lobbyists using that to push for such rules to be expanded to cover their
pet area. Anyone who thinks that the RIAA and MPAA wouldn't pounce on this and work hard to add copyright infringement to the list simply hasn't been paying attention. What Schachtman describes in terms of the ability to sue an ISP for third party actions has been the legacy entertainment industry's wet dream for over a decade. Anyone who thinks that politicians would distinguish the types of crimes that Schachtman focuses on from garden variety claims of copyright infringement is living in a dream world.
And, honestly, I'm still at a loss as to why this is actually needed. It seems like there remain much more effective ways to deal with issues like this that don't involve giving up basic concepts of properly applying liability to the actual party responsible. The first is actually targeting those responsible
for the crimes. If they're using known ISPs, then it seems like there is a record trail that can be traced back to go after those actually breaking the law to try to put them out of business. Second, if the concern (as it appears) is that some US ISPs are doing this and that's a shame, then deal with that publicly, by more publicly shaming ISPs who are popular among criminals. Use public pressure to get them to (a) either help law enforcement or (b) to enforce reasonable terms of service. Trying to make them liable as a third party will make life difficult for them, but not the actual scammers.