Dynamic IP log retention = 0?

Steven M. Bellovin smb at cs.columbia.edu
Wed Mar 11 15:28:28 UTC 2009


On Wed, 11 Mar 2009 10:28:33 -0400
Joe Abley <jabley at hopcount.ca> wrote:

> 
> On 11-Mar-2009, at 10:03, Jon Lewis wrote:
> 
> > but what's the point in getting lawyers involved?
> 
> It might convince some pointy-haired person at covad to review the  
> policies and procedures on the abuse desk, maybe.
> 
> > Whatever access isn't supposed to be open should be filtered.
> 
> If you can demonstrate reasonable costs resulting from the behaviour  
> of others, perhaps that's not relevant. Note that in the grand NANOG  
> tradition I say these things without the faintest glimmer of
> knowledge of the law.
> 
I had long discussions on this with a lawyer ~15 years ago.  A "tort"
can arise from failure to do something you have a duty to do. Do ISPs
have a duty to filter against port scans?  I've never seen consensus on
that here -- quite the contrary, in many cases.

Now -- the courts can rule that you do have a duty to filter, even if
the industry does not do it.  Do we really want to be there, where ISPs
are liable for the actions of their users?

Of course, the attacker -- assuming that a scan is really an attack,
which is itself a controversial question -- is liable.  Is the OP
really planning on filing suit?  Let me play devil's advocate: how does
Covad know that there were really port scans?  Perhaps the logs are
fakes, designed to uncover the name of someone doing file-sharing or
criticizing someone on a blog.  Maybe the offended site is a front
for the government of Freedonia, which is trying to track down and
harass (or worse) expatriate dissidents.  Note that courts have held
that under the DMCA, at least, the RIAA et al. can't learn alleged
infringers' names via mandatory process (i.e., a subpoena) until they
have actually filed suit for infringement.  And of course, if Covad has
a privacy policy, they might be liable to a customer for improper
disclosure of identifying information.

Don't neglect another possibility: the net result of a disclosure is
likely to reveal that the scanning machine is really a bot, in which
case the information is useless to the victim.

So -- be careful what you wish for; you might get it.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb



