Thursday, 11 October 2007

Is Spam Blocking at Odds with Common Carrier Status?

ISPs in many countries, including the U.S. enjoy a legal status often known as "Common Carrier." Simply put, this absolves the ISP of responsibility if it assists in the transfer of illegal materials, such as copyrighted works or child pornography. The philosophy is that as long as the ISP simply moves data from one place to another -- not making any judgment or discrimination about whether to move one type of data or another -- the ISP should enjoy a "safe harbour."

From time to time, some wag gets the idea that email filtering of spam and viruses would cause ISPs to lose this legal protection. In other words, if an ISP chooses not to deliver a message because it's "spam," the ISP is discriminating based on the content or source, which may remove the safe harbour. When one thinks about it, this is complete nonsense, but stranger things have happened in various legal systems around the world.

This debate is happening again. Thanks to the good work done by MAAWG and others, ISPs are being encouraged to set up outbound spam filtering, to prevent zombified PCs sending spam from their networks, and to encourage users to clean their infected machines with walled gardens. Naturally, some are expressing concern that such discrimination would count as another chink in their common carrier armour.

It's time for the FCC and similar regulators in other countries to step up and make it clear that such genuinely useful -- some would say essential -- discrimination would not affect an ISP's common carrier status.

BTW, sorry for the long hiatus. Call it Blogger's Block. Thanks to Kevin Soo Hoo for helping break it.

5 comments:

Security Retentive said...

Richi,

There is a certain confusion though here in the phrase ISP. ISPs both carry traffic, and provide application services to their customers. Some people use an ISPs provided mail services, some people just use it for connectivity.

In the case where the ISP is providing an application service, the case is awfully clear that this isn't a service that would be covered under even a loose interpretation of common carrier.

In cases where an ISP simply routes traffic, it isn't quite so clear.

What if AT&T put mail filters on their backbone links and started filtering all spam there? Would that be acceptable?

I don't think this is quite as black/white as you make it out to be.

Richi Jennings said...

I don't disagree with you that there's a common-sense difference between the near-real-time storage/forwarding of IP packets and the storage/forwarding of email messages.

However, this is the law we're talking about. Common sense rarely comes into it. Especially, when an ISP dearly wants to believe that they're the same thing.

If I remember correctly, ISPs have strenuously argued this in the past and they are motivated to keep on arguing it. Angels on the head of a pin, and all that.

To be fair, I didn't say it was black and white, legally. I argued that it was "nonsense" to suggest that ISPs shouldn't filter spam because of CC (it sounds like you agree).

That's why regulators could usefully clarify the situation, IMHO.

Security Retentive said...

Again though, the law does make a big distinction with respect to data on the wires, and data stored, especially with respect to searches and the 4th amendment.

I'm not arguing that they shouldn't control spam on their networks, but I think we're in vague territory as to whether a customer could opt-out of the default monitoring or not.

If we don't allow people to opt out of those sorts of carrier-level protections, we're doing roughly the same thing as a net-neutrality killing bill would do, allowing ISPs to control the data they pass.

The problem isn't them blocking SPAM, its when they get it wrong or start targeting other things they don't like.

Richi Jennings said...

Yeah, I really, really didn't want to get into the 'net neutrality morass. Every time I mention it, I get a barrage of emailing and commenting from "thinktank" shills for both sides of the debate...

However, seeing as you brought it up, my feeling is that, as with CC status, regulators need to make it clear that spam filtering is a special case.

Security Retentive said...

Fair enough. I wasn't trolling for commentary and/or argument. Just pointing out that its a valid concern, and yes, we need to solve it sensibly.

Post a Comment