Really Bad Idea: Make ISPs Liable For Cybercrime Efforts
from the oh-come-on dept
Let me start off this post by noting that, while I don't know Noah Schachtman personally (other than a few emails back and forth many years ago), I've always liked his work writing for Wired and other publications. However, I'm surprised to see him advocating the strong use of third party liability as a tool to deal with cybercrime, as a part of a paper for the Brookings Institute. The idea is that, when talking about spammers & scammers online, there are, perhaps, a small number of ISPs who tend to do business with these guys, and Schachtman believes that by making those ISPs liable, it would pressure them into cutting off the bad clients.Schachtman has numerous caveats and is pretty specific in his plan that it only apply to a specific list put out by a trusted independent third party, that the methodology for being on the list is clear and that an appeals process also be explicit. On top of that, he says that it should be limited to "universally recognized crimes, like theft, fraud, and criminal trespass" and is clear in saying that it "wouldn’t work for politically inflammatory speech or copyright infringement; they’re too open to abuse and overly broad interpretation."
Also, in reading the report, it's clear that this isn't just something he came up with overnight, or some random blogger or reporter dashing off a column on some fragment of a thought they had an hour before deadline. He's put a lot of thought and research into this. But I still think the idea is dreadful and shortsighted. It wouldn't solve the problem it seeks to deal with, at all, and (even worse) it would open up all sorts of collateral damage or unintended consequences.
First off, it wouldn't solve the problem it's trying to solve. We've seen this time and time again with attempts to shut down any kind of "rogue" behavior online by going after intermediaries. The bad players just figure out some other place to go, and they often go further underground in ways that makes it tougher to find or track them and their activities. Even Schachtman admits that many would likely jump to ISPs elsewhere. So, if it's not actually stopping the behavior, then what's the value?
Second, while Schachtman is clear that this shouldn't be used for those other things, chipping away at third party liability protections in any arena is quite dangerous, because it's not hard to see lobbyists using that to push for such rules to be expanded to cover their pet area. Anyone who thinks that the RIAA and MPAA wouldn't pounce on this and work hard to add copyright infringement to the list simply hasn't been paying attention. What Schachtman describes in terms of the ability to sue an ISP for third party actions has been the legacy entertainment industry's wet dream for over a decade. Anyone who thinks that politicians would distinguish the types of crimes that Schachtman focuses on from garden variety claims of copyright infringement is living in a dream world.
And, honestly, I'm still at a loss as to why this is actually needed. It seems like there remain much more effective ways to deal with issues like this that don't involve giving up basic concepts of properly applying liability to the actual party responsible. The first is actually targeting those responsible for the crimes. If they're using known ISPs, then it seems like there is a record trail that can be traced back to go after those actually breaking the law to try to put them out of business. Second, if the concern (as it appears) is that some US ISPs are doing this and that's a shame, then deal with that publicly, by more publicly shaming ISPs who are popular among criminals. Use public pressure to get them to (a) either help law enforcement or (b) to enforce reasonable terms of service. Trying to make them liable as a third party will make life difficult for them, but not the actual scammers.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyrights, cybercrime, isps, liability, third party liability
Reader Comments
Subscribe: RSS
View by: Time | Thread
Not a surprise. Brookings Institute is neo-con HQ.
[ link to this | view in chronology ]
You're right; it's a bad idea
That is not to advocate illegal methods, of course; it's to point out that the legal system is the wrong place to address the problem, because it's clueless, outdated, slow, inept, local (whereas the problem is global) and in some cases, effectively owned by the abusers.
But beyond all that: we already *have* quite effective means at our disposal for applying pressure on ISPs who, let's say, host gangs of spammers. The problem is not the lack of these methods or their effectiveness; the problem is our unwillingness to use them, particularly our unwillingness to use them when they cause (or appear to cause) issues for our own operations. This problem persists despite the escalating seriousness of the issue -- which, as I've said elsewhere, I fault *us* for. Had we acted more effectively much sooner, there wouldn't be an entire ecosystem of abuse to contend with now.
[ link to this | view in chronology ]
Re: You're right; it's a bad idea
Legality is not the issue, it is ineptitude.
Let us at least both agree that nth degree liability is stupid and wrong and call it at that.
[ link to this | view in chronology ]
Re: Re: You're right; it's a bad idea
However, there's more than just inept grandstanding and political infighting, although I certainly agree that those are both present in large quantities.
There is pervasive technical incompetence. Consider trying to explain the problem of network hijacking (covered in one article here: http://www.theregister.co.uk/2003/06/11/cracking_down_on_cyberspace_land/ ) to a judge, jury, prosecutor or anyone else involved. (Keep in mind today on TechDirt we learned that the feds are flummoxed by a dual-boot laptop.)
And if we solve that problem? (Which, conceivably we could.) Then we have the problem that your laws are not our laws are not their laws. And competent abusers have learned to operate trans-nationally: domains registered in China, hijacked network routed via the Ukraine, payment processing in Brazil, web servers in the UK, and spam from Mexico. Who is going to coordinate that investigation? Who is going to be able to understand the operation (given that the complexities of some of them are a challenge even to people who measure their experience in decades)? Who is going to figure out which laws are being broken where or where litigation should happen? And how's that going to work out when the "where" is a place where the local political structure is controlled by the Bad Guys?
This is a network engineering issue, and should be handled as such. While network engineering counter-measures (such as: null-routing traffic from selected ASNs) are not without their issues, I think that the people who *built* the Internet are in a much better position to understand the problem and its solutions (and their pitfalls) than anyone in the legal realm. So there is no way that any of this should be the stuff of legal proceedings; this way lies madness.
[ link to this | view in chronology ]
Re: You're right; it's a bad idea
One only has to look at the whole Estdomains / Esthost sitution to understand how this can work.
I also think that the ISPs need to be more transparent. That is to say that they should be obliged by law to disclose customer information based on legal filing, and should not be allowed to fight these sorts of things. Either they are transparent and willing, or they block the process and accept responsiblity for their customers actions.
When "bad actors" (what a term) are able to hide behind their ISP or service provider, it creates a shield from legal action. I don't think anyone can suggest that any of the various safe harbor laws were intended to give such protections to end users.
[ link to this | view in chronology ]
Re: Re: You're right; it's a bad idea
[ link to this | view in chronology ]
Re: Re: You're right; it's a bad idea
[ link to this | view in chronology ]
Re: Re: You're right; it's a bad idea
[ link to this | view in chronology ]
Re: Re: Re: You're right; it's a bad idea
Do you think the phone company goes to court to complain every time a lawsuit is launched using a phone number as a key source of information?
What benefit is there to the straight service provider to be obstructionist in a lawsuit?
[ link to this | view in chronology ]
Re: Re: Re: Re: You're right; it's a bad idea
[ link to this | view in chronology ]
Re: Re: Re: Re: You're right; it's a bad idea
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: You're right; it's a bad idea
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: You're right; it's a bad idea
[ link to this | view in chronology ]
except:
1. Nobody in this business is truly independent, and
2. Many of us have learned the hard way that no one should be trusted. "Trust" is a word used by Politicians, Used Car Salesmen, and Con Men.
[ link to this | view in chronology ]
How to fix spammers and cyber crime
Same goes for the recent bankers and investment whores that drug us down this slope.
[ link to this | view in chronology ]
Re: How to fix spammers and cyber crime
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I figured a few ways out of spam
MAKE the site/company/group that had it delivered, responsible..
If they spam a porn site, MAKE the porn site liable.
Or even the advertiser..
And if it was an individual..Then they have to have a BANK location, threaten the bank with Closing the ISP link, unless they give you the NAMES and close the account.
Thats much easier then TRYING and missing, with closing a WHOLE SERVER..
but, they wont do that..ITS THE BANK.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
financial institutions
[ link to this | view in chronology ]