On Thu, 10 Aug 2006, Suresh Ramasubramanian wrote:
The MAAWG bcps, for example, state that ISPs must take responsiblity for mitigating outbound spam and abuse.
The RIAA, for example, states that ISPs must take responsibility for mitigating copyright infringement by its users. Lots of groups state that ISPs must take responsibility for lots of things. Abuse is a very open ended term. There is a difference between enforcing network/service rules such as preventing address forgeries, and being responsible for abuse or disputes between users Is the ISP responsible for mitigating all types of user abuse? Or only some types of abuse by users? For example, are ISPs responsible for mitigating liable, slander, defamation, harrasment, theft, counterfeting, gambling, intolerance, public morals, etc? People shouldn't confuse ISPs with law enforcement or courts. ISPs are responsible for enforcing network standards and its contracts. ISPs are not responsible for solving the world's problems. If the RIAA has a dispute concerning copyright infringement with a user, the RIAA sues the user to stop the user. ISPs aren't expected, yet, to scan users traffic to prevent copyright abuse. If you don't care which mosquitoes you kill, you could drain the swamp by cutting off the entire country of Nigeria. But the reality is all the criminals aren't limited to one place. Almost none of the criminals would even notice. But you will probably harm a lot of innocent Nigerians by doing that; and the smarter criminals will just migrate to new pastures and keep attacking you. Unlike mosquitoes, criminals aren't limited to breeding in only certain areas. The "source" isn't the ISP, the source is the criminal. If you can figure out a way to permanently ban criminals from every ISP in the world other than putting them in jail, you might have a shot with BCPs for ISPs. But even if there was only one ISP remaining in the world, with a single unified user database, I suspect criminals would still use their skills such as identity theft and fraud to get on the net. The goal needs to be arresting the bad guys. The problem isn't the ISP, its the criminal. Bad packets rarely spontanously occur on the net. Every exploit, every virus, every worm, every phishing mail started with a person. Letting the bad guys go free is just teaching the criminals how to improve their skills.