Re: Schneier: ISPs should bear security burden

[Owen DeLong <owen () delong com>]

--On Thursday, April 28, 2005 12:18 PM -0400 James Baldwin
<jbaldwin () antinode net> wrote:

> On 28 Apr 2005, at 11:51, Valdis.Kletnieks () vt edu wrote:
>
> > It would seem that relocating the costs of doing extra (filtering, etc)
> > *should* be passed on to the people who necessitated the extra 
> > handling by
> > running software that needs extra protection.  As it stands, you're 
> > charging
> > the people who (in general) aren't the problem more for you *not* to do
> > something...
>
> "Extra" in the sense of this statement is incorrect. If filtered
> connectivity is the norm in our environment, then I would be charging
> people who require unfiltered access more to make an exception for them
> and allow them more flexible connectivity. Exceptions, even in the form
> of removing restrictions, are something.
No, it isn't.  The fact that filtered is becoming the norm is what
many of us are taking exception to.  I shouldn't have to pay extra
for unfiltered intenet just because the majority of your customers
are too ignorant to correctly deal with it.  Fortunately for me,
as long as there are ISPs that don't see the world your way, I won't
have to be your customer, so, have fun.

> > Car insurance companies figured this out long ago:  They charge extra 
> > premiums
> > to those customers who incur them more cost - that's why male 
> > teenagers pay
> > more than middle-aged people, and why people with multiple tickets pay 
> > more.
>
> This is a poor analogy, which is why I have avoided them thus far. It is
> easier to assess blame in automobile incidents. It is, more often than
> not, the fault of a driver of one of the involved automobiles, not some
> nebulous third party. Insurances companies maintain records of traffic
> offenses on customers and check traffic records for prospective
> customers, there is no comparison within network abuse. It is difficult
> to assess responsibility in network abuse.
Actually, it's an excellent analogy.  If your system is a source of
abuse, you are responsible, one way or another.  Either you chose to
run exploitable software and failed to patch it, or, you chose to
run the exploit.  Either way, you have responsibility for abuse
originating from your machine.

Sure, there's a contributing factor in a lot of internet abuse from a
nebulous third party, but, people running exploitable systems should be
held responsible for the abuse those systems generate.

> Increasing the price point, or penalizing the customer, for network
> traffic generated by malware is an excellent way to promote churn and
> reduce revenue. It is more profitable to restrict customers from
> generating unfriendly network traffic in the first place than penalize
> them after the fact.
While I believe we don't currently have a better process than capitalism
available, this is an example of how capitalism does not necessarily lead
to the correct conclusions in a market.  Destroying existing and future
valid capabilities of the network to avoid solving the real problem because
solving the real problem might eat into revenues is exactly why I think
we need to modify our thinking on this.

> > Would any car insurance company be able to stay in business long-term 
> > if they
> > raised the premium for middle-aged men driving boring Toyota sedans 
> > because
> > somebody else's teenager wrapped their Camaro around a tree?  Why is it
> > perceived as reasonable in this industry?
>
> Again, this is a poor analogy. I am not penalizing customers who act
> responsibly. There is no direct correlation between users who are
> responsible and users who require unfiltered internet access. There are
> millions of subscribers who are responsible using filtered internet
> connectivity and they are not penalized for it. In fact, they are
> rewarded as they are paying a lower price point for this adequate and
> restricted service.
Yes you are.  You are penalizing users who act responsibly and want to use
the full capability of the network instead of some subset in order to
subsidize the costs of your other users who don't know and don't care.
It is an excellent analogy, it just doesn't support your point of view.

Your statement that their price point is lower is absurd.  It costs money
to put filters in place.  It doesn't cost money to not filter, except to
the extent that irresponsible actions which filtration would prevent are
not blocked.  Therefore, any increased costs in unfiltered connections
are the direct result of irresponsible use.  Absent irresponsible use,
unfiltered connections will, by definition, cost less.

> Please, stop making the assumption that all responsible users require
> unfiltered internet access.

That isn't the assumption.  The assertion is that unfiltered use costs
less than filtered use unless there is abuse or irresponsible use to be
filtered.  The further assertion is that ISPs should not be the ones
determining what level of access end users require.  ISPs should filter
what end users ask them to filter.  End users should not be charged
extra for access to the whole internet.

Owen

-- 
If it wasn't crypto-signed, it probably didn't come from me.

Attachment: _bin
Description: