Yes there are P2P pigs out there but a more common scenario is the canonical "Little Old Lady in a Pink Sweater" with a compromised box which is sending spam at a great rate. Should she pay the $500 bill when it arrives or would a more prudent and rational approach be like some universities do.
So, does usage-based pricing come along with some kind of legal liability if the provider does not keep their network botnet-free? After all, by encouraging botnets (meaning by understaffing security and abuse desks) they are actually artificially pumping up their bottom line. The flip-side of this is how many people would be happy to switch to usage-based pricing if they felt that doing so increased the overall security of the Internet, and reduced their personal risk of being victims of fraud and identity theft? --Michael Dillon