On Wed, 21 Jul 1999, Brumfield, Larry wrote:
> I normally just sit back and kinda lurk ... absorbing as much as I can
:)
> However, today I must offer that I disagree with your thoughts about ISP
> responsibility for actions of their users. IMHO, they shouldn't be
> responsible for activities they were not aware of. But, what happens
when
> they are made aware of illegal activity occurring via their equipment,
and
> they fail to take measures to curtail it? It's then that the
responsibility
> becomes a shared entity, legally bordering on conspiracy.
Problem #1
----------
I think it's a hard line to cross -- when do you make them responsible?
When should the ISP decide to shut down someone's account? I have seen
too many examples of people's accounts getting turned off because they
were accused of cracking when in reality they were doing nothing of the
sort. These were IT professionals who were either developing some network
software or developing their own network management skills, which appeared
to be "suspicious" in the eyes of the ISP. They had in no way broken
their terms of service, but the ISP shut them down anyway. I wouldn't be
surprised if some of the things I've done myself get my account shut down,
but I've NEVER attempted to break into someone's system over the internet.
I've also heard of people accused of hacking having their accounts closed
and even in some cases their equipment confiscated, without any real proof
of wrongdoing. There seems to be this pervasive paranoia that anyone with
an internet connection and some technical skill is an "evil hacker" and
needs to be watched/stopped/incarcerated.
Holding ISPs responsible may make it easy for your business to get
results, but it doesn't bode well for the individual user, nor the ISP
itself. There are all sorts of laws being bandied about that, if passed,
will likely shut down a lot of smaller ISPs simply because it will make it
impossible for them to be able to earn a profit in the competitive market,
and once again big business will be in charge (think microsoft). This is
BAD for the internet community as a whole, as well as ISPs and individual
users.
What you need to do is contact your representatives and make them bring
new laws to the table to make individuals responsible and accountable for
their own actions. But also the punnishment must fit the crime. If
someone does real damage, they should be punished accordingly. If someone
does a port scan, but doesn't access any actual data, where's the harm in
that? A slap on the wrist may be warranted.
This of course can apply to all areas of criminal justice, not just
Information Crime. I have lots of problems with the way we do things. But
that's another argument entirely.
Problem #2
----------
As the ISP, when have I been "made aware" of illegal activity? When you
call saying that you've traced a port scan to an IP address in my block?
What if it was a spoofed IP address? How do I know you're telling the
truth? How much proof should I need before I become legally responsible?
If the ISP in fact KNOWS that a user is doing something illegal using
their equipment, and doesn't do anything about it then I agree, they
should be held PARTLY responsible, but I still feel that the primary
responsibility should be with the person actually acting against the
victim. Active crime against a victim should, in general, and IMO, be
considered more serious than passive crime where a party is negligent, or
in the case of the ISP here fails to prevent someone else from commiting
active crime. The punishment should be more harsh for the active crime.
But how do you know that the ISP KNOWS? They can suspect but not know...
should they act anyway? IMO no they shouldn't. Not without proof.
> How about a pharmacy that continues to sell a drug that is known to be
> tainted? Or an auto manufacturer that allows a vehicle to be sold that
they
> know has a bad gasoline leak at the carb? Shall we bring up cigarettes?
I don't think these analogys are very good. In this case, the purchaser
is the victim of the seller, and therefore that is an active crime. In
the case of the ISP, the purchaser is the perpetrator and the victim is a
third party.
> Once the producer and/or seller of a service/commodity is aware of it's
> 'illegal' nature, they must take definitive action to prevent the
product
> from causing harm - or share responsibility for it's consequences.
IMHO :)
The service itself is not illegal, even when it is used illegally. I think
the role of the ISP here is very much like the role of the telephone
company. They're providing a service, and it's up to the customer to use
it properly. You don't see the phone company denying service to the mob,
just because they use it to organize their criminal plots do you? But it
should be the responsibility of the ISP to cooperate in any criminal
investigation, and yes, if they have knowledge of specific crimes being
committed I'll agree that they should terminate accounts and/or engage in
some other sort of disciplinary action upto and including criminal
prosecution.
Derek D. Martin | UNIX System Administrator
[EMAIL PROTECTED] | [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
