Chris previously posted on a mock trial for ISPs that weren't doing enough to protect their users. Their argument is that it's a slippery slope - which can be construed as 'no argument' at all.

However, the slippery slope (in this case, IMHO) is actually a good argument. That argument represents the true issue at hand - what should be done? For a lot of areas in the tech market, consortiums and coalitions help develop standards for the industry to use. In a utopian computing environment, we wouldn't have these issues. The next step along the path is an ISP that protects us from all the dangers on the net. But to what end?

The reason they are not acting is that their actions can have true economic impacts on their business. AOL knows that hand holding can really turn off a lot of users. The people that use AOL are typically known as the computer illiterate who don't know any better. A lot of that is due to AOL's overt control of your Internet experience.

For an ISP to implement security measures, they risk:
1) Trial and error implementations - Let's face it, users can go anywhere for ISP service at a relatively standard price. ISPs don't want unhappy customers related to the errors and annoyances associated with the new protective measures.
2) Negative Backlash - Do you want your Internet monitored? Do you want them to tell you that you can't visit a certain website because it's in a 'danger zone' in the world?
* Reliant Energy (my last company) implemented Websense and most of the employees hated it. It was an imperfect solution and it had a lot of support issues related to it.
3) Increased liability - In law, if you attempt to protect people from something... then the legal system increases your liability because you 'knew' about the danger. If you try to protect people from it, then it's no longer an issue of IF you're liable - it's an issue of whether you did enough to protect the customer.
4) Wasted Investment - Besides the top 5 ISPs, investments made into this area run the risk of obsolescence if a consortium finally arises. This is a long shot, but businesses have to consider their long term investments and direction.
5) 1 against many - Providing protection to their customers is a large chore and can seem overwhelming to many. In an industry of ever decreasing profit margins (ISPs may be replaced by municipal WiFi, state provided Internet, free hotspots, etc), the investment would be significant. Moreover, the investment is temporary until the malicious attackers figure out a new method. This can jeopardize an ISP to the point of making them go bankrupt.

It's a slippery slope and I can definitely understand why they don't want to move on the issue. On the flip side, inactivity solves nothing and the problem will only get worse. Seems like it's time for some teamwork.

Comments

Great points... Especially the last one about the tragedy of commons - I think it's definitely the case. It's easy for normal people to cast judgement, but it's all for naught if an otherwise good company goes out of business.

I'd be interested in seeing a cost comparison of ISPs' costs related to negative items (such as spam, bots, etc.) and the measures to protect from them.

A few comments:

1) Trial and error implementations - Let’s face it, users can go anywhere for ISP service at a relatively standard price. ISPs don’t want unhappy customers related to the errors and annoyances associated with the new protective measures.

Something like blocking outbound SMTP doesn't really fall into this category -- most joe schmoe users would never notice this. The only people affected would be a) advanced users wanting to run their own SMTP server, who can simply smarthost to the ISP SMTP server instead, and b) compromised PCs being used to relay spam.

I agree that other more advanced forms of protection might be more prone to error.

3) Increased liability - In Law, if you attempt to protect people from something… then the legal system increases your liability because you ‘knew’ about the danger. If you try to protect people from it, then it's no longer an issue of IF you’re liable - it's an issue of did you do enough to protect the customer.

One note is that in a situation like this, the protective measures are not to protect the customer -- they are to protect the Internet community at large from the customer's (or more accurately, their PC's/Microsoft's) negligence and lack of security. I don't know if that necessarily changes the issue of liability, but it's an important distinction.

Providing protection to their customers is a large chore and can seem overwhelming to many. In an industry of ever decreasing profit margins (ISPs may be replaced by municipal WiFi, state provided Internet, free hotspots, etc), the investment would be significant.

The cost of some of the simpler measures outlined here and elsewhere is negligible up against the immense cost of spam and viruses on the industry as a whole. Is this an example of the tragedy of the commons? Everyone stands to benefit from a cleaner Internet but no one can "afford" to take the first step?