Slashdot Mirror
Supreme Court Rules ISPs Not Liable for E-mail Content
dan of the north was the first to write in with the Supreme Court Ruling outcome that ruled that ISPs (in this case, Prodigy), are not liable for the content of e-mail messages sent through them. The details of the circumstance are availible in the above link. Yes, this was a big "duh", but it's good to see this stand.
Legally, I don't want Prodigy liable if somebody abuses their services to harm another.
.5% to the flow of bad data. *Ethically*, the environment of the net *needs* the kind of distributed responsibility that source filtering applies.
But ethically, I think Prodigy has a corporate obligation--perhaps deriving from a cybervariant of environmentalism--to:
A) Investigate when one of their members is polluting the shared pool of trust that the Internet mostly operates upon.
B) Willingly cooperate--and provide additional forensic analysis--when it is clear that somebody's been hurt and they're one of the only organizations that has the capability to find out by whom.
C) *NOT* go overboard and install loggers that make it simple to track down anybody at anytime, privacy be damned. Makes it easy to track down offenders; makes it *too* easy.
Look, we get angry when corporations act like senseless, ethicless fools because That's Not Their Mandate. Source filtering, as a means of shielding against DDoS attacks, only shields the victims--those whose networks are being used to victimize are rarely tapped to the point where they notice failures. *Legally*, I don't want a company liable because a cracker broke in and added
I'm saying this, incidentally, knowing that source port filtering removes some extremely useful tactics for speeding up net connections on asymmetric links(Link 2 forges the source port of Link 1; Link 1 picks up all return traffic but that's ok because return traffic comes in far faster). But the harm that not source filtering allows--even if it shouldn't be a legal issue if you've accidentally left it open--outweighs the gains for people like me.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
>After investigating, Prodigy canceled the accounts, but was unable to identify the impostor.
.. say .. a netbus infected person.
.. well, its no surprise to me.
Maybe I'm on drugs here, but this sounds like a pretty serious problem to me, when an ISP cannot figure out who is using their own service! Based on the facts as I know them, I think Prodigy should have been held liable for this, since they obviously didn't have some way to verify the identities of their users.
Why? Why on earth should they be able to verify the identities of their users? Should hotmail be able to verify the identity of every single hotmail-account owner?
At the best, prodigy can track down the phone number of the person who dialed in - if they are a dialup service. What does that give them? NADA. I'm not sure how prodigy services works, but if it works the same way as some norwegian ISP's, then someone could've signed up by going to certain webpages, and "signed up" for a free account. Furthermore, you can sign up when bouncing via a proxy
It takes no skill to bounce via some totally anonymous bouncers (netbus infected people, people with non-logging wingates running, and so forth).
That prodigy couldn't identify them
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
"Rune Kristian Viken" - http://www.nwo.no - arca
That was Spamford, a few years back, after he'd been blasted off every other ISP. He failed miserably. Being an "ISP" is no good is you can't connect to any other ISP and all your customers are spammers, not spammees. AGIS tolerated him longer than most of his service providers did, and nearly died from the ensuing boycotts and flame wars. (They're gone now.) He and the Cantor&Siegel Green Card Spam Lawyers pretty much invented spamming as an internet industry; he'd also been a major player in fax spam before that.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
example 1
.. :) They make sure that ISP's install spamfilters. Or their mailservers get blocked.
The person who has his account stolen is the one who should be held liable - by the ISP - for gross negligence. He got his account stolen - he is the negligent one. Put the blame where it belongs.
example 2
The ISP should not ble held responsible by authorities. But, we've got some wonderful folks at MAPS
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
"Rune Kristian Viken" - http://www.nwo.no - arca
Consider, first and foremost, web pages have been ruled "publications" under the law. This means that some of the liability laws which apply to more traditional forms of publication also apply to WWW publishing.
I'm not so sure that works. Think about it. Let's say you find an libelous article in the newspaper about you one day. Who do you charge with libel? Do you sue the company that made the paper the news was printed on? No; you sue the people who made the content. Likewise, you shouldn't be holding the ones who simply provide the medium; you have to go to the ones who created the content. And that is not, by and large, the ISP's.
If the newspaper publishes information, it is obligated to either publish a retraction upon a libel or slander challenge or back the columnist. If they choose to back the columnist, they usually become party to the lawsuit for publishing the information.
A newspaper does, not the company that provides the periodical with paper.
Likewise, if an ISP receives information about a hosted site that is considered libelous or slandering, they have to make a choice whether or not to continue "publishing" the site, or removing it from circulation, i.e. blocking access or removing it from the server(s).
This may be the law, but it's simply wrong. An ISP cannot reasonably be expected to control Internet users (AOL is different because its proprietary system is self-contained, but even its Internet portions cannot reasonably be expected to be controlled). There are simply too many random variables. A paper company cannot choose what is printed on its products, so why should an ISP have to try and choose what is "printed" on its media? All an ISP does does is provide the means to publish; the publishing is still done more or less entirely by the user owning the Website. So only the Website owner should be liable, not the ISP.
1) This has got nothing to do with security. It simply states that the ISP is not responsible for the content of email. This is not related to security. While they are not responsible for the content of the email sent from a comprimised account, I would assume that they are still responsible for the hole that allowed the account to be comprimised. If not, well, maybe someone needs to bring a lawsuit up, but that's a whole other issue.
2) SPAM, well, SPAM is SPAM I guess, but I find that by protecting your email address, you don't get a lot. I have been surfing for 6'ish years, total of maybe 5 SPAM messages (not including stupid friends that forward chain-letters).
It is a good thing that they are not responsible for email content, look at demon in the UK, that whole libel thing. I believe that an ISP IS a common carrier and they should be treated as such.
The news story here clearly falsifies the main premise of Slashdot's claim -- the Supreme Court hasn't "ruled" on anything here. All it has done is decided not to accept an appeal. That is a *vastly* different thing than the Supreme Court taking up a case and then making a ruling on some point of law.
Anyone remember the case about how the Nazis wanted to march in Skokie, Illinois? The Supreme Court didn't hear that case, either. They allowed the lower court decision to stand, effectively meaning that it only had a binding precedent in the federal circuit where the lower court case had been decided. The real effect was nationwide, however, as cities and states crafted their new laws to conform to this standard, which the supreme court had not ruled on one way or the other. The concept that "silence gives consent" is in full force in the mind of the people and politicians.
WARNING: there is a trojan on your
Well, a common carrier can't judge messages based on content and forward only certain ones, but they are free to choose their customers (in most circumstances) and to reject those who break the rules to send messages, whatever the content.
So ISPs just need to say that identical email sent to more than 'n' people is in violation of your terms of service, as is nearly identical (just enough to pass a dumb CRC check) bulk email, without an account specifically for running a mailing list, which would be a free upgrade, but would entitle them to monitor the account usage and determine that a subscription based mailing list was being run, not a spam list.
The phone company must let me call people, even if they don't like what I say, but if I hook up nonstandard equipment, or try to send control signals (blue boxing type stuff) or anything else that breaks their rules, they can shut me down. (Without needing to prove criminal actions or intent.)
Somebody else pointed out that Common Carrier rules, if applied to the email world, wouldn't let an ISP refuse to carry spam. They also wouldn't be able to make whatever policies they wanted about what kinds of traffic they carry, probably couldn't offer censored services for the parents that want it, probably couldn't do free-service deals with some partners and not others, probably couldn't have a special "clean-up-the-mess" fee for spammers, etc.
Common carrier status also might affect the ability to offer various privacy services - can you support anonymous users? Must you treat all your users anonymously? Do you need to collect ID information and communication logs on all users so the Fedz can track people they don't like? This is especially an issue for free internet access services, where collecting user information is a major marketing opportunity, but verifying it is a major cost, and for ISPs that want to provide access for kids, where there are special rules about handling information collected on them that may contradict other proposed rules mandating information. Do you allow anybody to claim to be under 13 (and hence non-loggable), or do you insist that they get a "parent"'s signature saying they're a kid?
Common carriers traditionally have to make all their pricing policies public, open to anybody, filed in advance and subject to regulatory approval. Do you want this in your business?
Much nicer to avoid the whole regulatory game, which exists largely to help monopolies and near-monopolies use political influence to restrict their competition anyway :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Are you kidding? The supreme court has jurisdiction over every conceivable piece of law in the country
They are the final arbiters of all law. They don't CREATE law, but they have the power to strike down and/or interpret any law or legal decision whatsoever.
--
"I think there is a world market for, maybe, five computers." __ IBM Chairman, 1943 __
The court (in this case the NY Court of Appeals, affirmed by the Supreme Court since they refused to hear the case) essentially recognized an ISP as a common carrier. This is nothing but good news for all of us.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Honestly, this is a great first step. The decision should have been made ten years ago, but at least it's happenning.
Now the courts need to learn that this ought to apply to Websites too. The E-mail decision will hopefully make that easier to accomplish. It's a shame that this is coming so late in the Net's history (and yes, I know the Net is still in its infancy; this should have been done just as the Net was coming into popularity). But, as I said, it's still getting done, and that's good anyway.
Seeing as how the Supreme court thinks:
"The public would not be well served by compelling an (internet service provider) to examine and screen millions of e-mail communications..."
Glad somebody is taking care of that. Thanks, NSA!
"It's tough to be bilingual when you get hit in the head."
The Supreme Court did not rule on this case, they rejected it without comment. There is a significant difference...they have not offered their opinion of the case at all. They get far too many cases each year to consider and rule on all of them.
They couldn't get reelected if they told media-controllers with lots of money that they had to start policing their users.
Except that Supreme Court Justices aren't elected
When are we going to start standing up and taking responsibility for the actions of others? I mean, really, think about how much dangerous and obscene information must be flowing through email every day.. What excuse do the ISP's have? Its not like they lack the technology to examine every message and track every net user.. Lets keep the net safe!
On a related topic, I really must insist that the US postal service start opening every letter and examining the contents for objectional material.
Come on people! we're racing head-long into a dangerous time where everyone might have to start taking personal responsibility for their own actions.. Isn't that what government is for?
-- 'Won't somebody please think of the lawyers.."
air and light and time and space
This point deserved a lot more atttention. The liability of a bulletin board operator for its content is much less clear cut. Assuming that this ruling was also being challenged, then the Supreme Court has upheld the privileges of bulletin board operators (like CmdrTaco) as carriers, not publishers.
Now that's news!
I can see the fnords!
My reading of the article is that basically the U.S. Supreme Court has held only that the ISP is not liable for the transmission of the offending information, which means that they have what is called "common carrier" status. I'm not sure whether the original lawsuit also contained a request for liability based on the network security issue(s). I'm reminded of the fiasco at Network Solutions not too long ago where hackers forged the email header information for a large number of websites and basically took control of those sites for a while. If I owned the registration on one of those sites, and libel or slandering material was published on those domains, I would very certainly have suffered damages to my reputation, etc. And I would hope that a court would find that if NSI didn't adequately secure my data (or offer higher security for my data to prevent the domain name piracy, which they do), that they are in part responsible for the damage.
Spam mail...I don't know if the courts need to necessarily get involved, because there are other technological ways of dealing with the problem, AKA the RBOC list. If the email services provided by yahoo, etc. don't shut off the flow of spam mail, they can get blocked in a hurry, right? Your question asked Shouldn't these ISP's and large companies be responsible for the information being sent through their network?No -- they can't be under the court opinion. But they can, have, and will continue to be made responsible by the 'Net community for the fact that spam is flowing through their networks. Which is why nearly all ISP's have a policy of cutting off the account(s) of anyone sending spam through their connections.
Final case: "It's just like having a gun... if your gun is taken and used in a homicide, you should be responsible for not taking the necessary precautions and preventing it from being used in a crime."
Depends. If I have the gun in my hand and I let you take it from me, shoot somebody, etc. I'm an accessory to the crime. Likewise, if I allow or assist someone who should not have access to firearms to gain that access, I can again be charged with violating the law. But if you burglarize my house, breaking into a gun cabinet, stealing the weapon, (and I report it to the police, etc.), if you murder someone, should I still be held liable because I didn't somehow prevent your original burglary crime, or store the guns in a 2000 lb. safe, etc.?
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
There is a big difference between suggestions and binding rules.
Rules of etiquette typically exclude criminal conduct, but that does not mean Miss Manners should be given the force of law. Nevertheless, there are cases where ISP authority has been invoked by energetically blurring the distinction between stating very unpopular opinions that ignite flame wars, violating rules of 'netiquette' and breaking the laws regulating the use of communication channels. This typically occurs when widely received neomorals against sins involving human genetics("racism", "sexism", "homophobia" etc.), are violated. That all countries in the industrialized western world now have vigorously enforced statutes on the books prohibiting "hate speech", the definition of which shifts and expands depending on how many and which "victim groups" have joined the coalition against free speech, does not bode well for the rule of law in the resolution of disputes within societies that are both increasingly diverse in their makeup and woefully inexperienced with such rapidly increasing diversity.
How is it, then, that an ISP can avoid legal liability for communications that take place over its wires when it preemptively demands, not only the avoidance of illegal conduct -- such as libel, spam and cracking -- but the adherence to "rules of netiquette" in the name of which unpopular opinions are routinely intimidated and occasionally penalized?
ISP's have, by this careless definition of their bounds of authority, abrogated their role as common carriers and become the de facto enforcers of majority opinion in public speech. All that remains is ever increasing exceptions to the principle of free speech and a free press, as the definition of what constitutes "hate speech" is widened and the force of law to legitimize this censorship in the name of "keeping the peace" is expanded to the last jurisdiction in the developed world still free from such legalistic tyranny: The United States.
I'll post, again, an exerpt of a white paper I wrote in 1982 warning of what is, apparently, coming to pass.
The question at hand is this: How do we mold the early videotex environment so that noise is suppressed without limiting the free flow of information between customers?
The first obstacle is, of course, legal. As the knights of U.S. feudalism, corporate lawyers have a penchant for finding ways of stomping out innovation and diversity in any way possible. In the case of videotex, the attempt is to keep feudal control of information by making videotex system ownership imply liability for information transmitted over it. For example, if a libelous communication takes place, corporate lawyers for the plaintiff will bring suit against the carrier rather than the individual responsible for the communication. The rationalizations for this clearly unreasonable and contrived position are quite numerous. Without a common carrier status, the carrier will be treading on virgin ground legally and thus be unprotected by precedent. Indeed, the stakes are high enough that the competitor could easily afford to fabricate an event ideal for the purposes of such a suit. This means the first legal precedent could be in favor of holding the carrier responsible for the communications transmitted over its network, thus forcing (or giving an excuse for) the carrier to inspect, edit and censor all communications except, perhaps, simple person-to-person or "electronic mail". This, in turn, would put editorial control right back in the hands of the feudalists. Potential carriers' own lawyers are already hard at work worrying everyone about such a suit. They would like to win the battle against diversity before it begins. This is unlikely because videotex is still driven by technology and therefore by pioneers.
The question then becomes: How do we best protect against such "legal" tactics? The answer seems to be an early emphasis on secure identification of the source of communications so that there can be no question as to the individual responsible. This would preempt an attempt to hold the carrier liable. Anonymous communications, like Delphi conferencing, could even be supported as long as some individual would be willing to attach his/her name to the communication before distributing it. This would be similar, legally, to a "letters to the editor" column where a writer remains anonymous. Another measure could be to require that only individuals of legal age be allowed to author publishable communications. Yet another measure could be to require anyone who wishes to write and publish information on the network to put in writing, in an agreement separate from the standard customer agreement, that they are liable for any and all communications originating under their name on the network. This would preempt the "stolen password" excuse for holding the carrier liable.
Beyond the secure identification of communication sources, there is the necessity of editorial services. Not everyone is going to want to filter through everything published by everyone on the network. An infrastructure of editorial staffs is that filter. In exchange for their service the editorial staff gets to promote their view of the world and, if they are in enough demand, charge money for access to their list of approved articles. On a videotex network, there is little capital involved in establishing an editorial staff. All that is required is a terminal and a file on the network which may have an intrinsic cost as low as $5/month if it represents a publication with "only" around 100 articles. The rest is up to the customers. If they like a publication, they will read it. If they don't they won't. A customer could ask to see all articles approved by staffs A or B inclusive, or only those articles approved by both A and B, etc. This sort of customer selection could involve as many editorial staffs as desired in any logical combination. An editorial staff could review other editorial staffs as well as individual articles, forming hierarchies to handle the mass of articles that would be submitted every day. This sort of editorial mechanism would not only provide a very efficient way of filtering out poor and questionable communications without inhibiting diversity, it would add a layer of liability for publications that would further insulate carriers from liability and therefore from a monopoly over communications.
In general, anything that acts to filter out bad information and that is not under control of the carrier, acts to prevent the carrier from monopolizing the evolution of ideas on the network.
Seastead this.
The court (in this case the NY Court of Appeals, affirmed by the Supreme Court since they refused to hear the case) essentially recognized an ISP as a common carrier.
IANAL, but IIRC common carriers by law must relay all messages, and "all messages" includes stupid, pointless, annoying mail commonly called spam..
Will I retire or break 10K?
The Electronic Privacy Communication Act of 1986 already says "private" electronic communications is exactly that -- private. It's nice to see the Supreme Court uphold this law.
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.
Quick!
Someone hack up a procmail version of Napster.
-- What you do today will cost you a day of your life.
Now, note the part that says:
Maybe I'm on drugs here, but this sounds like a pretty serious problem to me, when an ISP cannot figure out who is using their own service! Based on the facts as I know them, I think Prodigy should have been held liable for this, since they obviously didn't have some way to verify the identities of their users.Couldn't they have at least provided the credit card number that was used to open the account to investigators or something? Geez...
yes, it's great that you now are given first amendment rights in terms of your email and stuff going through a network. the network is not responsible for what you post. but shouldn't the network be responsible if through their own gross negligence illegal activities are able to happen?
example 1:
what if you're a Prodigy member with a name, circle of friends, credit card info, etc in your account. now lets say that someone somehow steals your account, has access to your credit card info, says damaging things to your circle of contacts, makes threatening emails to people, and all in your name. Shouldn't the ISP, in this case Prodigy, be held liable due to gross negligence in protecting the security of their network?
example 2:
all that damn spam mail... now I'm getting tons and tons of spam mail from legit servers such as excite.com and yahoo.com and hotmail.com... it's going to a mailbox that I don't often use, but same principle applies. Shouldn't these ISP's and large companies be responsible for the information being sent through their network?
yes, I agree that they shouldn't be able to read or censor all of the information, but being able to walk away and say that they're not responsible for all of the spam sent through their servers or their lax security it NOT a good thing. If your computer is on a network that is accessable from anywhere in the world, you should be held responsible for your computer. It's just like having a gun... if your gun is taken and used in a homicide, you should be responsible for not taking the necessary precautions and preventing it from being used in a crime.