Thursday, October 27, 2005

Liability of ISPs for malware?

Bruce Schneier has reiterated his long held belief that ISPs should be held liable for their part in spreading viruses and malware.

The Register quote him as saying: “It’s about externalities – like a chemical company polluting a river – they don’t live downstream and they don’t care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong.” Schneier said there was a parallel with the success of the environmental movement – protests and court cases made it too expensive to keep polluting and made it better business to be greener.

The analogy is appealing, but wrong. ISPs are not the polluters but the water-ways, or perhaps, their curators. The real polluters are the virus writers and bot creators - who are in most jurisdictions already criminally , and probably, civilly liable - just impossible to find.

Schneier goes on to say that ISPs should offer consumers “clean pipe” services: “Corporate ISPs do it, why don’t they offer it to my Mum? We’d all be safer and it’s in our interests to pay."

Here Schneier gets nearer to the real way forward. What Schneier, being a brilliant security expert, not a lawyer or economist, is getting wrong, is not the desirable end - ISPs helping clean up the Internet "environment" - but how to achieve it. You don't need public regulation of ISPs on the polluters model - which is unfair given the ubiquity malware is nsimply ot their fault - when it's easier to get profits to act as an incentive instead. US companies, correctly, saw cleaning up pollution as a profit loser until it was made too expensive to ignore on a PR level, but security can be turned into a money maker easy.

My Mum, much like Schneier's I suspect, has no idea how to set up a firewall or a virus checker, or come to that, her email account. But she's not that short of a bob. If she was offered, instead of the almost useless "BT Privacy", "BT Security" for an extra £12 a month, say, where BT undertook to manage the security of her machine, monitoring, reporting, isolating and cleaning it out if it was infected or zombified, etc etc, she'd take it tomorrow. ISPs should be offering security cleanfeeds instead of content ones. When there's a decent , competitive market of those, we won't NEED enviromental Internet laws - which will in any case be expensive and almost impossible to enforce universally, due to safe havens and lack of global harmonisation of criminal and public law (as Schneier himself acknowledges).

Someone pointed out to me that this isn't a solution, because those who don't buy in to a secure feed still remain vectors for infection. This is true: but it's possible we can deal with that by making the opters-out personally strictly liable for the security of their own machines (they are likely to be either the techy or the bolshy), rather than imposing inequitable liabilities on ISPs wholesale. Such an onus would be likely to drive all but those who really can look after their own machines - sysops, geeks, Linux lovers :-) - into the arms of a safefeed ISP. Another alternative for such would be to offer insurance to cover claims against them by affected consumers or networks.

Another commentor pointed out that a security service almost exactly as described above already exists - and lo! it costs £12 per month!. Truth is stranger than fiction.

The UK answer thus far is not more law but public education in the shape of the new National Hi Tech Crime Unit GetSafe camapign. We shall report on its success but remain cynical ..

No comments: