Are ISPs responsible for worms and viruses?

Bruce Schneier seems to think so...

//////
http://www.theregister.co.uk/2005/10/19/schneier_talks_law/

By John Oates in Vienna
19th October 2005

RSA Europe 2005 ISPs must be made liable for viruses and other bad
network traffic, Bruce Schneier, security guru and founder and CTO of
Counterpane Internet Security, told The Register yesterday.

He said: "It's about externalities - like a chemical company polluting
a river - they don't live downstream and they don't care what happens.
You need regulation to make it bad business for them not to care. You
need to raise the cost of doing it wrong." Schneier said there was a
parallel with the success of the environmental movement - protests and
court cases made it too expensive to keep polluting and made it better
business to be greener.
//////

Let's one up this and blame vendors like Microsoft and hold them liable
too.

http://news.google.com/news?hl=en&ned=us&q=microsoft+patch+worm&btnG=Search+News

> RSA Europe 2005 ISPs must be made liable for viruses and other bad
> network traffic, Bruce Schneier, security guru and founder and CTO of
> Counterpane Internet Security, told The Register yesterday.

Are local town councils responsible for crack dealers
and crack users when that activity takes place within
the bounds of the town?

In some countries, the answer is yes.
http://www.brent.gov.uk/www.nsf/0/19fbe6f14c0f0a8f80256ee600411b1c?OpenDocument

To summarize: Brent is one of the boroughs that forms
the English city formerly known as Greater London. Like
most town councils in the UK, they own housing developments
that provide homes for those unable to afford their own
place to live, i.e. welfare housing. Even though there was
not enough evidence to convict the powerful drug dealers,
the council was able to leverage the Anti-Social Behaviour
Act to eject the residents of a particular house/property.
These ASBOs (Anti-Social Behaviour Orders) are also used
in the UK to deal with noisy neighbours, unruly people on
buses, football hooligans, people with habits of getting
drunk and disorderly, abandoned cars, etc.

Note that "The Register" is a UK publication.

Also note that the substance of the above-quoted article is
that various groups COOPERATED and WORKED TOGETHER to solve
the problem. This included the police, the owners of the
property, the users of neighbouring properties. I hope you
see the parallels here.

Mind you, it would help if some of the anti-abuse groups
would band together under some umbrella organization that
ISPs could join. Botnet researchers, SPAM fighters, etc.
That way there could be some sort of good housekeeping
seal of approval that ISPs can use to competitive advantage
in the marketplace. At that point, money starts to talk
and there is an economic incentive to clean up your act
and get that "seal".

--Michael Dillon

The Messaging Anti-Abuse Working Group (MAAWG) and the
Anti-Phishing Working Group (APWG) are conducting a joint
meeting in Montreal next month, largely focusing on phishing
and zombies.

http://www.maawg.org/ -- you don't have to be a member of either
organization to attend the main sessions.

> Mind you, it would help if some of the anti-abuse groups
> would band together under some umbrella organization that
> ISPs could join. Botnet researchers, SPAM fighters, etc.
> That way there could be some sort of good housekeeping
> seal of approval that ISPs can use to competitive advantage
> in the marketplace. At that point, money starts to talk
> and there is an economic incentive to clean up your act
> and get that "seal".

What would help more would be if people realized that
worms and viruses aren't like crack, they're more like
biological WMD. As such, it is unlikely to be a
productive solution holding the city where the WMD
are being delivered liable. That becomes a game
of legal whack-a-mole. What is needed, instead, is
to hold the companies selling the technology used to
build these WMD liable. If companies that made
vulnerable OSs were held liable for the damage caused
by those vulnerabilities, you would rapidly see $$
make a BIG difference in the security quality of
OS Software.

Why do we have seat belts in every car manufactured
today? Because auto makers started getting held
responsible for injuries caused by the failure to
install them. As much as I think product liability
law, especially in the US, has become insane, the
software industry (where it so far hasn't really
been applied) is one area SCREAMING for this to
happen.

Eliminate (or even significantly reduce) the number
of systems being sold with virus-friendly toolkits
and features enabled by default, and you will go
a long way towards reducing the spam and virus/worm
problem.

Owen

Owen DeLong wrote:

> If companies that made
> vulnerable OSs were held liable for the damage caused
> by those vulnerabilities, you would rapidly see $$
> make a BIG difference in the security quality of
> OS Software.

How would that work for free/open source OSs/software? Who exactly would be held liable? The contributors? Free OSs are just as capable of sending out malware/virus infected emails, etc. as commercial systems.

Owen

Frem.

That depends:

Free closed source: I would presume the closed source provider or no one.
  Hard to assign liability when money did not change hands.
  No money, no duty to care in most cases. Product liability
  is pretty much limited to products that are sold.

Open Source: I would expect no liability exists because...
  1. No money changes hands, no duty to care.
  2. End user has full access to source, so, has at least
    shared responsibility for fitness to purpose.
  3. Full access to source means end user cannot claim
    that vulnerability was hidden from end user.
  4. Full access to source means end user has ability
    to correct vulnerability as soon as identified.

Finally, while your statement is theoretically true, in practice,
resolutions to vulnerabilities in open source software tend to be
delivered much faster than in closed source software. Even allowing
for the difference in market share, the percentage of open source
based systems which are owned and acting as spambots is much lower
than the percentage of closed-source systems which are doing so.
(Note: for this purpose I'll even count MacOS X as open
source, although it is a hybrid of closed and open source.)

Owen