On Wed, 11 Mar 2009 10:28:33 -0400 Joe Abley <jabley@hopcount.ca> wrote:
On 11-Mar-2009, at 10:03, Jon Lewis wrote:
but what's the point in getting lawyers involved?
It might convince some pointy-haired person at Covad to review the policies and procedures on the abuse desk, maybe.
Whatever access isn't supposed to be open should be filtered.
If you can demonstrate reasonable costs resulting from the behaviour of others, perhaps that's not relevant. Note that in the grand NANOG tradition I say these things without the faintest glimmer of knowledge of the law.
I had long discussions on this with a lawyer ~15 years ago. A "tort" can arise from failure to do something you have a duty to do. Do ISPs have a duty to filter against port scans? I've never seen consensus on that here -- quite the contrary, in many cases. Now -- the courts can rule that you do have a duty to filter, even if the industry does not do it. Do we really want to be there, where ISPs are liable for the actions of their users? Of course, the attacker -- assuming that a scan is really an attack, which is itself a controversial question -- is liable.

Is the OP really planning on filing suit? Let me play devil's advocate: how does Covad know that there were really port scans? Perhaps the logs are fakes, designed to uncover the name of someone doing file-sharing or criticizing someone on a blog. Maybe the offended site is a front for the government of Freedonia, which is trying to track down and harass (or worse) expatriate dissidents. Note that courts have held that under the DMCA, at least, the RIAA et al. can't learn alleged infringers' names via mandatory process (i.e., a subpoena) until they have actually filed suit for infringement.

And of course, if Covad has a privacy policy, they might be liable to a customer for improper disclosure of identifying information.

Don't neglect another possibility: the net result of a disclosure is likely to reveal that the scanning machine is really a bot, in which case the information is useless to the victim.

So -- be careful what you wish for; you might get it.

--Steve Bellovin, http://www.cs.columbia.edu/~smb