At least in the United States, ISPs are NOT protected as Common Carriers, nor are they required to carry the traffic of the net's bad seeds. It would be a crucial step backward if they were.

The power of any group, be it government, cooperative, or industry-specific, will be drawn from its ability to evoke fear of consequences from its recommendation.

The solution to this problem, at least in the U.S., is a standard of criminal negligence for ISPs. That is, if you don't implement basic processes for the handling of complaints, you can be either civilly or criminally liable. There's precedent for such rules: the Communications Decency Act (the portion of it which still stands) and the Digital Millennium Copyright Act are good examples.

Further, any regulation of processes for the handling of complaints of abuse should make explicit that both criminal and civil complainants have the right to request the rogue ISP be shut down, provided probable cause (or a preponderance of evidence) for a finding of negligence. Complaints should be permitted without requirement of standing, to ensure a timely response to bad actors; that is, you shouldn't need to prove that you were personally damaged by a rogue ISP to request that it be taken offline. There's precedent for both of these as well, in the enforcement powers of the Federal Trade Commission and several smaller state agencies around the country. These actors regularly use the civil system to prosecute matters that could be legitimate criminal complaints.

With the civil system at its disposal, the community could act far faster than the FBI ever could, and it could drive a knife through the heart of cybercrime.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/487/35282#35282