ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

Ina Faye-Lund starcat at
Thu Jun 10 08:36:53 UTC 2010

On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:
> To cut through the noise and non-relevant discussion, let's see if we can
> boil this down to a couple of issues:
> 1. Should ISPs be responsible for abuse from within their customer base?

No and no.  The first no being legally, the second, morally.

The user is responsible for the abuse.  Now, if the question had been whether
the ISP should be responsible for dealing with it appropriately, then the
answer would be yes.

Of course, when it comes to the legal aspect, it would probably vary from
country to country.  No, let me rephrase that:  It _does_ vary from country to
country, and probably also state to state.

However, to hold someone else responsible for a person's criminal activity
would be just plain wrong, as long as the ISP's part in the activity is only to
give their customer access to networks and services that every other customer
also gets access to.

> 2. Should hosting providers also be held responsible for customers who abuse
> their services in a criminal manner?

No.  For several reasons.

First, the hosting provider normally does not have too much control over what
the customers actually do.  If someone complains, or they detect something
through audits or similar, that is different.  But even then, there will be
certain problems. 

How does the hosting provider know that something is, in fact, criminal?  In
some cases, that may be obvious, but there will be cases where the case is not
so clear.  If the provider might be held responsible for something their
customers do, they might decide to remove legal content 'just in case'.

Also, who would determine whether something is illegal or not?  Tech support?
The admin?  I doubt that any of those are able to determine something that
courts tend to spend a lot of time and resources on.

> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?

Not necessarily.

Again, this would of course depend on the laws in the given state or country.
However, people disagree on what is considered legal or not.  If everyone _had_
agreed on this, the courts would have had less work.

It is the responsibility of the judicial system to determine whether someone is
breaking the law or not.  For commercial companies to start making that sort of
judgement is, at least in my opinion, _not_ a good thing.

Ina Faye-Lund 
