Congress may require ISPs to block fraud sites H.R.3817

Did I miss a thread on this? Has anyone looked at this yet?

http://m.news.com/2166-12_3-10390779-38.html

Section 508 of H.R.3817:

SEC. 508. PENALTY FOR MISREPRESENTATION OF SIPC MEMBERSHIP OR PROTECTION.

Section 14 of the Securities Investor Protection Act of 1970 (15 U.S.C. 78jjj) is amended by adding at the end the following new subsection:

`(d) Misrepresentation of SIPC Membership or Protection-

`(1) IN GENERAL- Any person who falsely represents by any means (including, without limitation, through the Internet or any other medium of mass communication), with actual knowledge of the falsity of the representation and with an intent to deceive or cause injury to another, that such person, or another person, is a member of SIPC or that any person or account is protected or is eligible for protection under this Act or by SIPC, shall be liable for any damages caused thereby and shall be fined not more than $250,000 or imprisoned for not more than five years.

`(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on or through a system or network controlled or operated by the Internet service provider, transmits, routes, provides connections for, or stores any material containing any misrepresentation of the kind prohibited in paragraph (1) shall be liable for any damages caused thereby, including damages suffered by SIPC, if the Internet service provider--

`(A) has actual knowledge that the material contains a misrepresentation of the kind prohibited in paragraph (1), or

`(B) in the absence of actual knowledge, is aware of facts or circumstances from which it is apparent that the material contains a misrepresentation of the kind prohibited in paragraph (1), and

upon obtaining such knowledge or awareness, fails to act expeditiously to remove, or disable access to, the material.

`(3) INJUNCTIONS- Any court having jurisdiction of a civil action arising under this Act may grant temporary injunctions and final injunctions on such terms as the court deems reasonable to prevent or restrain any violation of paragraph (1) or (2). Any such injunction may be served anywhere in the United States on the person enjoined, shall be operative throughout the United States, and shall be enforceable, by proceedings in contempt or otherwise, by any United States court having jurisdiction over that person. The clerk of the court granting the injunction shall, when requested by any other court in which enforcement of the injunction is sought, transmit promptly to the other court a certified copy of all papers in the case on file in such clerk's office.'.

> Did I miss a thread on this? Has anyone looked at this yet?

> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> or through a system or network controlled or operated by the Internet
> service provider, transmits, routes, provides connections for, or stores
> any material containing any misrepresentation of the kind prohibited in
> paragraph (1) shall be liable for any damages caused thereby, including
> damages suffered by SIPC, if the Internet service provider--

"routes" sounds the most dangerous part there. Does this mean that if
we have a BGP peering session with somebody, we need to filter it?

Fortunately, there's the conditions:

> `(A) has actual knowledge that the material contains a misrepresentation
> of the kind prohibited in paragraph (1), or

> `(B) in the absence of actual knowledge, is aware of facts or
> circumstances from which it is apparent that the material contains a
> misrepresentation of the kind prohibited in paragraph (1), and

> upon obtaining such knowledge or awareness, fails to act expeditiously
> to remove, or disable access to, the material.

So the big players that just provide bandwidth to the smaller players are
mostly off the hook - AS701 has no reason to be aware that some website in
Tortuga is in violation (which raises an interesting point - what if the
site *is* offshore?)

And the immediate upstreams will fail to obtain knowledge or awareness of
their customer's actions, the same way they always have.

Move along, nothing to see.. :wink:


> Did I miss a thread on this? Has anyone looked at this yet?

> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> or through a system or network controlled or operated by the Internet
> service provider, transmits, routes, provides connections for, or stores
> any material containing any misrepresentation of the kind prohibited in
> paragraph (1) shall be liable for any damages caused thereby, including
> damages suffered by SIPC, if the Internet service provider--

> "routes" sounds the most dangerous part there. Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?

> Fortunately, there's the conditions:

> `(A) has actual knowledge that the material contains a misrepresentation
> of the kind prohibited in paragraph (1), or

> `(B) in the absence of actual knowledge, is aware of facts or
> circumstances from which it is apparent that the material contains a
> misrepresentation of the kind prohibited in paragraph (1), and

> upon obtaining such knowledge or awareness, fails to act expeditiously
> to remove, or disable access to, the material.

> So the big players that just provide bandwidth to the smaller players are
> mostly off the hook - AS701 has no reason to be aware that some website in
> Tortuga is in violation (which raises an interesting point - what if the
> site *is* offshore?)

Unless it is informed. Once it is informed it has to take action.
Turning the informer off, luckily, doesn't meet the requirements
for "taking action" as you need to protect all of your customers
or make yourself liable for prosecution.

I suspect informing a closer peer that is also subject to the act
would be seen as taking reasonable action as it could be reasonably
assumed that they will take appropriate steps, but one would have
to check that the material was removed/blocked.

If you run a residential network, it appears to me that, you are
now responsible for seeing that all material that is subject to the
act that is reported to you by your customers is addressed.

IANAL.

> Did I miss a thread on this? Has anyone looked at this yet?

> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> or through a system or network controlled or operated by the Internet
> service provider, transmits, routes, provides connections for, or stores
> any material containing any misrepresentation of the kind prohibited in
> paragraph (1) shall be liable for any damages caused thereby, including
> damages suffered by SIPC, if the Internet service provider--

> "routes" sounds the most dangerous part there. Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?

Also "transmits". (I'm impressed that someone in Congress knows the word "routes"....)

> Fortunately, there's the conditions:

> `(A) has actual knowledge that the material contains a misrepresentation
> of the kind prohibited in paragraph (1), or

> `(B) in the absence of actual knowledge, is aware of facts or
> circumstances from which it is apparent that the material contains a
> misrepresentation of the kind prohibited in paragraph (1), and

> upon obtaining such knowledge or awareness, fails to act expeditiously
> to remove, or disable access to, the material.

> So the big players that just provide bandwidth to the smaller players are
> mostly off the hook - AS701 has no reason to be aware that some website in
> Tortuga is in violation (which raises an interesting point - what if the
> site *is* offshore?)

> And the immediate upstreams will fail to obtain knowledge or awareness of
> their customer's actions, the same way they always have.

Note the word "circumstances"...

> Move along, nothing to see.. :wink:

Until, of course, some Assistant U.S. Attorney or some attorney in a civil lawsuit decides you were or should have been aware and takes you to court. You may win, but after spending O(\aleph_0) zorkmids on lawyers defending yourself....

    --Steve Bellovin, Steven M. Bellovin

I think the idea is for the government to create an official blacklist of the offending sites, and for ISPs to consult it before routing a packet to the fraud site. The common implementation would be an ACL on the ISP's border router. The Congress doesn't yet understand the distinction between ISPs and transit providers, of course, and typically says that proposed ISP regulations (including the net neutrality regulations) apply only to consumer-facing service providers.

If this measure passes, you can expect expansion of blocking mandates for rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.

RB

Steven Bellovin wrote:

It's worth looking at http://www.cdt.org/speech/pennwebblock/ -- a Federal court struck down a law requiring web site blocking because of child pornography.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

IANAL, but I wouldn't set too much stock by that order - there are numerous errors of fact in the opinion, and much of it relates to the lack of due process in the maintenance of a secret blacklist. It was also a state law, not a federal one, so there was a large jurisdictional question (the Commerce Clause concern.)

As people in Washington are saying around the net neutrality debate these days: "anything goes is not a serious argument."

RB

Steven Bellovin wrote:

Net neutrality suffers another blow. I liked Congress when they had no
idea what the internet was, now they've progressed to "still have no
idea but like to pretend."

Jeff

I was at an IP (as in intellectual property), um, "constituency" I
think, IPC, meeting at ICANN which basically consisted of 99 lawyers
and me in the room.

There was a fair amount of grousing about how ISPs give them the
run-around when they inform them of a violation looking for a
takedown, and don't take down the site or whatever demanding (sneer
sneer) paper from a court of competent jurisdiction as a dodge.

I explained that they should try it from the other side, we get a fair
amount of spurious stuff. I gave the example of a spouse in an ugly
divorce demanding we do something or other with the web site they
developed together in happier days IMMEDIATELY OR ELSE!!! (typically
change the password to one only they know).

How can we as ISPs possibly sort that out? Court orders are your
friend, they're not that hard to get if you're legitimate.

The way this reg is written it has that feel, it seems to promote the
fantasy that if J. Random Voice calls me and says "a site you host,
creepsrus.com, violates HR3817, YOU HAVE BEEN INFORMED!" then we have
been informed and therefore culpable/liable.

Well, perhaps there's enough precedent that it doesn't have to be
spelled out in that text what's meant by "knowingly" and a call like
that wouldn't be sufficient.

At the very least I'd require a clear transfer of liability.

That is, if the claim (and hence, takedown) turns out to be
unsupportable then any damages etc are indemnified by the complaining
("informing") party.

Barry Shein wrote:

I was at an IP (as in intellectual property), um, "constituency" I
think, IPC, meeting at ICANN which basically consisted of 99 lawyers
and me in the room.
  
By the Montevideo ICANN meeting '01 the "Internet Service Providers Constituency"
(ISPC) had dwindled down to the corporate trademarks portfolio managers for
the few remaining ISPs. At the Paris ICANN meeting a year ago we correlated
the votes of the Intellectual Property, Business, and ISP Constituencies and
found that there was no discernible independence amongst them, another way of
saying the IPC had captured the BC and ISPC.

Of course, now we have GNSO reform, and "Stakeholder Groups" replacing the
Constituencies.

Bottom line. ISPs are f**ked by their own somnambulism. In a slightly different
and partially overlapping policy and operational scope, the Address Supporting
Organization originates no policy development of note, and has been somnolent
for most of the ICANN trajectory, so BCP 38 and sBGP and so on have no real
presence in the ICANN toolkit.

So IP lawyers are doing pretty good in the oughts, and more time and bandwidth
goes to retail cops and robbers than goes to any "critical infrastructure
vulnerability", outside of ICANN's DNS mafia, post-Kaminsky.

Any ISP that wants to spend some resources on operational issues, having some
relevance to resource identifiers, feel free to drop me a line. I could just
as well give process clue to Ops folk as ops clue to IP lawyers.

* Jeffrey Lyon:

Net neutrality suffers another blow. I liked Congress when they had no
idea what the internet was, now they've progressed to "still have no
idea but like to pretend."

    Our company is most likely not the owner of the site associated with
    this domain. Please do not contact us with inquiries regarding the web
    site content as they will likely be disregarded.

If you keep playing such games, it's guaranteed that there will be
some sort of backlash.

Don't get hung up on the wording. A DNS blackhole list will do the
trick as well. I don't think border ACLs on routers will be necessary.

- Daniel Golding

> Did I miss a thread on this? Has anyone looked at this yet?

> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> or through a system or network controlled or operated by the Internet
> service provider, transmits, routes, provides connections for, or stores
> any material containing any misrepresentation of the kind prohibited in
> paragraph (1) shall be liable for any damages caused thereby, including
> damages suffered by SIPC, if the Internet service provider--

> "routes" sounds the most dangerous part there. Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?

> Fortunately, there's the conditions:

> `(A) has actual knowledge that the material contains a misrepresentation
> of the kind prohibited in paragraph (1), or

> `(B) in the absence of actual knowledge, is aware of facts or
> circumstances from which it is apparent that the material contains a
> misrepresentation of the kind prohibited in paragraph (1), and

> upon obtaining such knowledge or awareness, fails to act expeditiously
> to remove, or disable access to, the material.

> So the big players that just provide bandwidth to the smaller players are
> mostly off the hook - AS701 has no reason to be aware that some website in
> Tortuga is in violation (which raises an interesting point - what if the
> site *is* offshore?)

mail to: abuse@uu.net

Hi! someone in tortuga on ip address 1.2.3.4 which I accessed through
your network is fraudulently claiming to be the state-bank-of-elbonia.
Just thought you should know! Also, I think that HR3817 expects you'll
now stop this from happening!

-concerned-internet-user

oops, now they have actual knowledge... I suppose this is a good
reason though to:

vi /etc/aliases ->
abuse: /dev/null

so, is this bill helping? or hurting? :frowning:

> And the immediate upstreams will fail to obtain knowledge or awareness of
> their customer's actions, the same way they always have.

> Move along, nothing to see.. :wink:

to my mind this is the exact same set of problems that the PA state
anti-CP law brought forth...

-chris

> I think the idea is for the government to create an official blacklist of
> the offending sites, and for ISPs to consult it before routing a packet to

this works exceptionally unwell for the Singaporese(ian) govt'...
(list of bad sites comes out monthly, monthly+1min all sites change
ips, weee!)

> the fraud site. The common implementation would be an ACL on the ISPs border

'common implementation' isn't 'common' nor 'implementable' in many cases.

> router. The Congress doesn't yet understand the distinction between ISPs and
> transit providers, of course, and typically says that proposed ISP

nor 'web hosting farm' ... (of course FastFlux puts a hole in the
'hosting' part of that)

> regulations (including the net neutrality regulations) apply only to
> consumer-facing service providers.

> If this measure passes, you can expect expansion of blocking mandates for
> rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.

sure, been there, done that... German anti-nazi-propaganda laws anyone?
(or france or singapore or ...)

-Chris
(Note, I don't think that NO LAW is a good answer, but often the laws
proposed or passed seem to misunderstand how the networks are
run/built/maintained/used)

Correct me if I'm wrong, but isn't there an RFC(2142 if memory serves) that states filtering certain email addresses(like abuse@, noc@, support@) isn't allowed? I understand your point, but it seems sending it to /dev/null only opens another set of problems for you down the road.

Network Engineer, JNCIS-M

214-981-1954 (office)
214-642-4075 (cell)
jbrashear@hq.speakeasy.net

http://www.speakeasy.net

do you use your ISP's dns servers? does your corporate vpn?

(top posting makes it hard to follow the conversation, but...)

> Correct me if I'm wrong, but isn't there an RFC(2142 if memory serves) that states filtering certain email addresses(like abuse@, noc@, support@) isn't allowed? I understand your point, but it seems sending it to /dev/null only opens another set of problems for you down the road.

There are some 'nice to have' ideas that
postmaster/abuse/root/webmaster ought to go somewhere and be seen. If
the business decides that any tom/dick/harry/mary can 'inform' them of
something such as this you can bet your aliases file that abuse@ will
get turned down somewhere.

I don't support that activity, but I also don't support this
incarnation of the anti-X regulation either.

-Chris

> Don't get hung up on the wording. A DNS blackhole list will do the
> trick as well. I don't think border ACLs on routers will be necessary.

> do you use your ISP's dns servers? does your corporate vpn?

A DNS blackhole list makes it *appear* as if the government/police
is doing something.

"We must do something. This is something, therefore we must do it."

This way of thinking is alive and well in the form of DNS based child
porn blackhole lists in Norway and several other countries. The fact
that anybody who is *really interested* can easily evade these lists,
for instance by using his own DNS server, does not seem to concern
politicians or police...

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
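The ISP-resolver blackhole that Golding proposes and Steinar says is trivially evaded, written out as an added example that is not from any post in this thread: a BIND 9 response policy zone (RPZ, a feature added in BIND 9.8, after this thread) that makes the ISP's recursive resolver answer NXDOMAIN for listed names. The zone name rpz.isp.example, the file path, the blocked name fraud-site.example and the SOA contents are placeholders I chose; 1.2.3.4 is the address from Chris's sample abuse report above.

```conf
//// File 1: named.conf on the ISP's recursive resolver
options {
    recursion yes;
    // Every answer is checked against the policy zone before it is
    // returned to the client; a matching trigger rewrites the response.
    response-policy { zone "rpz.isp.example"; };
};

zone "rpz.isp.example" {
    type master;
    file "/etc/bind/rpz.isp.example.db";   // placeholder path
};

;;;; File 2: /etc/bind/rpz.isp.example.db (zone-file syntax; ';' begins a comment)
$TTL 60
@   IN SOA ns.isp.example. hostmaster.isp.example. (
        2009110501 ; serial: bump on every change or the policy does not reload
        3600 600 86400 60 )
    IN NS  ns.isp.example.

; Trigger on the queried name. "CNAME ." is the RPZ action for NXDOMAIN.
fraud-site.example      CNAME .
*.fraud-site.example    CNAME .

; Trigger on an address in the answer (prefix length, then reversed IP).
; This only helps while 1.2.3.4 is still the address the site actually uses.
32.4.3.2.1.rpz-ip       CNAME .
```

With this loaded, `dig @<ISP resolver> www.fraud-site.example` returns NXDOMAIN, while the identical query sent to any other resolver, or to a recursive resolver the user runs on his own machine with no policy zone, returns the real address. That is Steinar's point in one command: the list is a policy on one resolver, not a property of the network, so it catches only the customers who both use the ISP's resolvers and are not looking for the site. Two operational caveats: a plain NXDOMAIN tells the customer nothing about why the name failed (an RPZ CNAME to a walled-garden host of the ISP's own is the usual alternative when an explanation page is wanted), and an IP trigger against a monthly list goes stale the moment the site moves, which is the problem Chris raises about the Singapore list.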

> Don't get hung up on the wording. A DNS blackhole list will do the
> trick as well. I don't think border ACLs on routers will be necessary.

> do you use your ISP's dns servers? does your corporate vpn?

> A DNS blackhole list makes it *appear* as if the government/police
> is doing something.

right, so now the site I go to MUST BE the real elbonia bank site,
because... the gov't protected me!

oops :frowning:

> "We must do something. This is something, therefore we must do it."

ah, the 'make work' plan :frowning:

> This way of thinking is alive and well in the form of DNS based child
> porn blackhole lists in Norway and several other countries. The fact
> that anybody who is *really interested* can easily evade these lists,
> for instance by using his own DNS server, does not seem to concern
> politicians or police...

yes, though in the case of CP the properties of the user are reversed
(in my mind at least)... 'searching out content' versus stumbling upon
content.

-Chris

Some phrases people might search in various combinations on Google

SIPC
Stratton Oakmont
Prodigy
47 USC 230
House of Representatives Conference Report
GAO Report: Securities Investor Protection: Steps needed to better disclose SIPC policies to investors