Of course, except in this case, the phone company can't easily tell the legitimate calls from the illegitimate ones and block only the illegitimate ones. Every analogy will break down, so don't expect to be able to convince people with analogies that seem so obviously right to you. Nothing is exactly accurate except the actual situation itself.
And how, exactly, did you expect the ISP to tell which packets you were sending were legitimate and which were from the malware running on your computer? Please enlighten me as to how I tell a customer's legitimate outbound email from his system apart from the email from the same system which is being sent not by him, but, by the malware that has infected his system?
In this case, the ISP informed the customer that there was illegitimate traffic. If it's your position that the ISP can't tell the difference, then the notification that we know happened would have been impossible. Presumably they even identified the particular customer responsible for the traffic, given that they notified him about it! Since it's obvious in this case that the customer would have preferred being disconnected to having to pay for the traffic, and the ISP could certainly have disconnected him, the question becomes, why didn't they? Especially since they knew the attack traffic was creating other innocent victims. My guess is that they *were* filtering it (probably by port) and never delivered the attack traffic to its destination anyway. They probably still billed the customer because they bill for traffic over the customer's line, regardless of whether it hits their emergency or bogon filters.
And, again, almost every contract has some insurance elements to it. There will be unusual cases where it's actually possible for the utility to lose money if something unusual happens. My main point is that the understanding that seems so obviously right to you may not seem so obviously right to your customers.
No sane ISP will insure a usage-based customer against traffic sent by that customer's infected machines AFTER he has informed the customer of the problem.
No sane ISP will allow attack traffic to continue to hit the Internet after they know it's coming from one of their customers regardless of what the customer does or does not do. So why should the customer pay for "Internet traffic" that their ISP likely did not (and certainly should not have) actually sent or delivered?
As for all the people who talk about turning off their DSL access when they're away from home, they're missing the point. Obviously a person could do that. We could shut off our electricity when we leave home. We could have our telephone service temporarily disabled when we go on vacation too. A person could do all of these things. My point is that it's also perfectly reasonable for a person not to do these things. Because in general an ISP has more ability to control these things and it makes very little sense for a home user to insure an ISP, it makes more sense for the ISP to insure the user.
I still don't understand why you insist that my ISP has (or should have) more control over what traffic my systems deliver to my internet connection than I do. This simply isn't the case, and I would be very unhappy if it were to become the case.
For the classes of service I'm talking about, like home DSL, they do. They choose which ports to block and they have a responsibility to monitor their customers for machines that are causing problems for others. In this case, they actually did that and detected the problem -- good for them. But they then decided that instead of remedying the problem, they'd bill their customer for it. Maybe they blocked the attack traffic, maybe not. If so, why charge for traffic you won't deliver? If not, then that's serious negligence, no?
In any unfortunate situation, you can find a hundred things that anyone could have done differently that would have avoided the situation. But that is not how you establish responsibility, financial or moral. You look at people who failed to use reasonable prudence.
And you don't think that a person who is informed that their system is infected and chooses not to fix it has failed the reasonable prudence test?
You think an ISP that knows that their customer is sending attack traffic but neither blocks the traffic nor shuts off the customer has failed the reasonable prudence test? And who should be more subject to a reasonable prudence test for Internet practices, a home DSL customer who may not know very much about computers, or an ISP that specializes in Internet access that has monitoring equipment and a trained staff 24/7? Your customers expect you to deal with this stuff. You may or may not find their expectations reasonable, but dammit, you had better know what they are!
And, of course, the ISP always (or very nearly always) insures the user against the costs of inbound attack traffic that exceeds his line rate. The more demands you make of your customers, the more you decrease the value of your very own product.
Right, but, that's not what happened in this case.
No, this is much worse. This is a case where an ISP allowed an attack to continue, probably creating more innocent victims.
The arguments that seem so obviously right to you may be greeted by amusement and the analogies you think work will be found unconvincing. This is because this argument is largely about other people's expectations.
Yep... and generally, no matter what, if you find a large enough group of people you will find a certain percentage that will give up their lives before they give up their unrealistic expectations.
I don't think they're so unrealistic. It takes a level of expertise to keep a system safe and secure on the Internet, and the costs of obtaining that level are so high that you would lose half your customers if you insisted on imposing those costs on them. This is why home DSL is so heavily filtered.
However, that doesn't change the fact that a user who has an infected system sending traffic on his usage-based line may have a reasonable expectation not to pay for it before his ISP informs him of the problem. However, any expectation not to pay for it _AFTER_ the ISP has informed him of the problem is unrealistic, unreasonable, and completely fails "reasonable prudence".
Why? Because the ISP has no responsibility to stop attack traffic from its own customers after it has detected it?! (By adding filters, shutting off customers, repeatedly pestering them, or *whatever* it takes.) If you really believe that, you'll set inter-ISP cooperation back many years.

DS
David Schwartz