Thursday, August 21, 2008

Do we need an "Internet driver's license"?

Recently I found a white paper by Robert B. Standler dating back to 2004, “Possible vicarious liability for computer users in the U.S.A.?”, link here.

The “obvious” question is whether home or small business users could or should be held liable if their computers are hacked and used as “zombies” in botnet “denial of service” (DoS) attacks. A more remote possibility is whether they could be held (in civil or criminal circumstances) responsible for crimes committed with their computers without their knowledge, or for illegal content on them. Sometimes the law regards certain matters as “strict liability offenses,” although most of the time, in actual practice, it seems the law takes into consideration whether the computer owner knew or could or should have known about the illegal activity.

Standler makes some interesting analogies. The first comparison is to state laws holding automobile owners responsible if they leave keys in the car, and the cars are stolen and someone is injured. Not all states do this, but some states regard an improperly secured vehicle as an “attractive nuisance.” Car rental companies are especially vigorous in warning customers about this possibility. Similar liability may exist with cars not in safe condition. He goes on to discuss the public health concept of “herd immunity” with respect to vaccinations (a real controversy now, possibly complicated by the autism debate) and even makes some comparison to agricultural and ranching issues known in the 19th Century (and inspiring the plots of some western movies).

In April 2008, Wired published an article “Zombie Computers Decried as Imminent National Threat” here.
And in June 2007 Wired also published “Desperate Botnet Battlers Call for an Internet Driver’s License” here.

Okay, I could carry the rhetoric further. I’ve heard a couple of people say that no one should be allowed on broadband, at least, until they can cleanse a hard drive and rebuild their machine themselves from installation discs. It can happen to anybody, they say. Usually this kind of talk comes from super-techies, the kind who got into the business of open systems in the early and mid 1990s.

Personally, I think that the comparison between cars (and motor vehicle licenses) and computers with broadband connections (and “Internet licenses?”) is a bit incomplete. Standards for the safe operation of automobiles have long been known and in legal practice, even if the media often reports new safety issues in that area. With open-system computers (mainly Microsoft and Apple, and perhaps Linux) the actual “rules” of best practice, to be expected of “average” home users, are still a bit murkier.

It is true, if you buy a modern computer from a reputable source, receive all the recommended operating system security updates, and purchase a subscription anti-virus program from a reputable vendor (most likely McAfee or Norton or one of a few others), and practice common sense in computing (don’t fall for phishing, don’t open unknown attachments, and don’t visit the porn sites) you’ll probably be all right. By and large, security updates and anti-virus software and firewalls do work pretty well (actually amazingly well) with little effort by computer users, and at only modest cost. One problem, however, is that if there is a problem, getting customer support for mail-order vendors or from anti-virus companies can be challenging, more so than in the automobile world.

Companies that hire people to work from home as customer service agents have to become concerned with home computer safety. Some of them require that the employees purchase Windows machines used for work only, and monitor the computers themselves from central servers, perhaps adding an element of safety.

Still, there are a lot of “controversies” about which there are legitimate differences in opinion. Is Macintosh really “safer” than the Microsoft PC? Is Mozilla safer than Internet Explorer? Is it safer to turn off your computer or Internet connection when you’re not home, or let the security updates load all the time (it’s probably easier on your hard drive to leave it on, and only slightly more expensive as to power use)? Or can you count on properly installed security software?

There’s another area, too. Our culture allows, even encourages, people to promote themselves in public on the Web, when people have little or no legal training as to the risks with copyright, libel, etc. This cultural change would have been unimaginable in the publication world before the Internet, where due diligence was part of publication. True, the actual incidence of litigation is extremely low compared to the volume of users and “self-publishers.” But insurance companies scratch their heads, as they have no idea how to assess this new kind of “risk.” And, true, the “reputation defense” business has more recently encouraged “ordinary people” to pull back a bit from self-promotion outside of an income-paying job.

It's well to remember that there are some downstream liability protections in the law, such as the 1996 Telecommunications Act "Section 230" (when "hosting" material "published" by others). From a federal and constitutional perspective, the Supreme Court (with MGM v. Grokster) seems to be heading toward a doctrine where downstream liability exists when a party's "business model" or purpose seems predicated on attracting legal infringement; but at a conceptual level, such a legal standard could become ambiguous.

We’ve come a long way from the mid or late 90s, when most security hazards were spread with floppy diskettes or by email attachments. Continuous broadband is almost a necessary utility now, just to receive the massively large security updates (often while you sleep). But broadband itself was rocky for the first couple of years it was in frequent use, and the security issues really didn’t start to get a lot of press until, say, 2003. So the issues simply haven’t been around long enough for society, through democratic political institutions, to develop reliable standards. Libertarians want a free marketplace, and let the tort law fall where it may. Okay, then you risk frivolous litigation over “downstream liability” issues and maybe even wrongful seizures or prosecutions. Furthermore, you may risk arbitrary behavior by "private" ISPs if you depend on them to pull the plug on individual users who allow their machines to become infected (and you might run into other issues brought up in the network neutrality debate, as with recent concerns over ISP monitoring for excessive P2P use). We do, as a culture, need to sit down and sort this out. We need to present it to kids in public schools, too. But only the big players in the industry (the big telecommunications companies, the software vendors like Microsoft and Apple, the open source people like Linux, and search engine and news companies like Google, Yahoo!, etc., as well as the standards people like ICANN and W3C) can provide the guidance that political institutions – and schools – need. We do need a culture of “communications citizenship.” Most of us just don’t know enough, yet, to define it. Even other social issues and presence (or absence) of family ties and environments come into play.
