On Sun, 13 Jun 2004 00:10:56 -0400 (EDT), Sean Donelan <sean@donelan.com> writes:
Should ISPs charge for security like the Universal Service Fund fee on your telephone bill? Everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it appears on everyone's ISP bill. You have to pay it, even if you already have other security.
Not that this solves the problem, but I'll argue that the party responsible for the bill should be the same as the party responsible for the security. Anything else would be a subsidy and perhaps even discourage secure behavior. If users are assumed to have ultimate responsibility, then why would users be proactively secure when they'll be forced to subsidize insecure users? If vendor X builds notoriously insecure software, and vendor Y doesn't, then a scheme that allows vendor X to push the costs onto their non-customers is also a subsidy. In particular, the USF doesn't seem to incentivize the creation or installing of more secure software because neither vendor X nor its users are directly responsible for the aftermarket maintenance and patching costs.

The costs should be borne by whoever is deemed responsible for the problem. I think that this ultimately comes down to users. They choose what and how their computers are secure and they choose what software to install.

I don't think breaking end-to-end by NAT, firewall, or proxy proposals for ordinary users is an acceptable solution. It'll make it much harder to deploy new protocols, and it'll encourage universal tunneling over port 80.

Scott