In the first of a two-part analysis of ISPs' culpability in the growing number of compromised computers, legal experts explain why mandating more traffic controls is a bad idea.
Compromised computers, or bots, used to send spam and malicious code around the Internet are a huge problem, leading some to call for Internet service providers to regulate their traffic and spy on their own customers. However, mandating ISPs apply such controls is not the answer.
"Trying to hold an ISP liable for failing to prevent their users from sending spam or malicious code is like trying to hold the Postal Service responsible for delivering too many catalogs, or Federal Express liable for delivering a letter with cold germs in it," said Marc Zwillinger, chair of the Information Security and Internet Enforcement Practice at the law firm Sonnenschein, Nath & Rosenthal in Chicago.
The primary argument for ISPs to regulate traffic is based on the idea that they are in the best position to reduce the number and severity of bad acts online.
However, there are more valid reasons why ISPs shouldn't monitor such traffic. A paper by University of Chicago law school professors Doug Lichtman and Eric Posner recognized that imposing liability on ISPs "would reduce subscriber incentives to practice safe computing, install firewalls and virus protection software, and similarly engage in prudent self-help."
"This is troubling because subscribers are often in a better position than their ISP to determine that their computers have been hacked and are often themselves in a good position to take simple, inexpensive but effective precautions like using appropriate passwords in order to prevent unauthorized use," they said.
Another issue noted in Lichtman's and Posner's research is the "concern that any domestic legal regime will have only a limited effect because of the problem of foreign ISPs." They note the difficulty that could arise from attacks originating, or appearing to originate, on foreign soil with weaker Internet regulation. "Imposing liability might therefore seem to be an empty gesture, merely shifting criminal behavior from one ISP to another," they noted. "The problem is acute because of the 'weakest-link' nature of the Internet."
And other issues could hit closer to home.
"If ISPs become more aggressive in their network screening activities, then users should realize that there is likely to be an increased chance that some of their legitimate e-mails and online activities might end up being blocked as a result of the ISP's efforts," said Emily Hancock, an attorney at Steptoe & Johnson in Washington D.C. "In addition, if ISPs take a more aggressive role in order to help protect networks, where does the effort stop?"
Current case law supports that ISPs distance themselves from monitoring users' traffic. The Communications Decency Act of 1996 and the Digital Millennium Copyright Act of 1998 both immunize ISPs from numerous liabilities.
Lichtman and Posner say the DMCA can be interpreted to sharply limit a service provider's liability for copyright infringement in cases where the service provider merely acts as a conduit for the material in question. Further, they argue that statute more broadly limits liability in instances where the service provider did not know about the infringing activity. And a section of the Communications Decency Act notes that allowing ISPs to duck responsibility will increase the incentive for their users to take reasonable steps to defend themselves.
"In Green vs. AOL, an AOL subscriber claimed AOL should be liable when another subscriber sent him a malicious program that damaged his computer," cited independent attorney Benjamin Wright. "The court held that Section 230 of the Communications Decency Act shielded AOL from liability."
Section 230 suggests that ISPs cannot control or police defamatory content without violating the privacy of their users and chilling legitimate discussion.
Regardless of whether they should be taking additional steps to better secure the Internet, ISPs haven't been idle about providing protection for their users. Most provide virus and spam filters, and many provide firewalls. Support is also available from the ISP for less savvy users who have difficulties setting up the software.
"The real harm online stems from criminals and negligent users who fail to take even the most rudimentary precautions to install firewalls and avoid malware," Hancock said. "To punish ISPs for the actions of such criminals or negligent users by assigning ISPs liability for not being ultra-aggressive in screening or policing their networks would increase costs to subscribers and likely would result in over-enforcement by ISPs who are hoping to avoid liability."
And what other reasonable actions should an ISP take?
"It's not exactly clear what an ISP could do to protect third parties except deploy egress filtering -- is that failure the proximate cause of the victim's harm?" asked Zwillinger. "Not likely, any more than the phone companies failure to detect prank calls is the proximate cause of a false bomb scare being called in."
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)