On Wed, 3 Mar 2004, Nathaniel Borenstein wrote:

> The problem with this kind of proposal is that it punishes too many of
> the wrong people. I myself was the victim of a blacklist for most of
> last year; my ISP was blacklisted by another ISP, and they spent 6
> months arguing about it, during which time all my email to users of the
> other ISP was blocked (although they kept helpfully telling me that I
> could always switch to using *them* as my ISP).

And this should not happen, agreed. But Jeff's proposal doesn't suggest that we get into "ISP wars" between pairs of competing ISPs. It suggests that an offending ISP be cut off from EVERYBODY, and only AFTER a carefully prescribed due process involving collected complaints and a lack of action resolving those complaints. Not just any complaints, either -- complaints of actions that violate AUAs of networks upon which the SP-generated traffic is carried.

If your ISP >>is<< a hotspot for spammers and viruses and its managers tolerate the abuse, well, the rest of the people in the network don't want to be abused. This isn't really punishing the innocent -- it is punishing poorly run and marginal businesses (the SPs). They will have to very rapidly change their ways and become responsive and police their clients. In MOST cases their clients have choices in the marketplace, and if they choose to leave their SP for another that polices their networks well, that's business. If it drives marginal SPs out of business, that too is the way it goes. Don't run an ISP business unless you can afford to keep it reasonably clean and still make money.

> In essence, a blacklist cuts users off from some subset of the Internet
> based on the conclusions of some ISP or other "authority" with which
> the user has no relationship at all. At best, this says that users are

This is not true. The entire Internet is stitched together by acceptable use agreements NOW.
If you are a user of ANY network service provider, you a) have an AUA with them, even if you aren't aware of it; and b) you have an AUA with them whether or not they have one of their own because THEY have an AUA with THEIR PoP(s), all the way back to the backbone providers. IIRC, "all" of these AUAs have inheritance clauses that make you subject to them even if you don't know it, and most of them tightly regulate network abuse with disconnection as a clearly spelled out option.

The problem is that over time many networking authorities have become appallingly sloppy about enforcing AUAs. In part this is because AUAs, while universal, are not uniform, in part because, while commerce of a variety of sorts is permitted and even encouraged, the lines between permissible use and non-permissible use have gotten very sloppy. It isn't always easy to differentiate between "free speech" (something the Internet openly encourages and enables) and "violating privacy" (something the Internet de facto enables along with that freedom of expression). Finally, the network has grown to where the most religious of enforcers (the top-level backbone networks) simply don't have the resources to police SPs connected to networks connected to networks connected to networks connected to the backbones (with money and contracts involved at lots of the levels in between).

Consequently you have individual SPs making unilateral blacklist/whitelist decisions without an associated due process and possibly motivated by reasons drawn from the marketplace and not abuse at all. You also have networks like yahoo.com that live in more or less perpetual abuse of AUAs prohibiting spam and requiring a degree of self-regulation being left alone because they are so BIG, with so many clients, that disconnecting them is unthinkable. I disagree -- I think that it is both thinkable and the ONLY thing short of otherwise-punitive legislation that will make them change their ways.
Disconnection hurts an SP in the only place they really care about -- their pocketbook. It is a ticket to instant bankruptcy if they don't do WHATEVER IT TAKES to clean up their act, up to and including altering their fundamental business model.

I think Jeff's proposal is to make this process formal and consistent and to get back to ENFORCING AUAs at the SP juncture as a means of arm-twisting SPs to a) communicate AUA requirements to their own clients; and b) to police those clients individually, lest the rest of the network police the SP itself collectively (effectively driving it out of business).

> One man's blacklist is another's denial-of-service attack. Denial of
> service is not the answer in a world where it's so hard to assure that
> the correct people are being punished. -- Nathaniel

Sure, but take your own example seriously. Surely if a newspaper were being printed in the blood of children (or whatever it was) there would be simple objective tests that would validate this assertion. In fact, there might well be a chief of police, or an association of newspaper publishers, that collected reports of people whose newspapers' ink tested positive for human blood factors and investigated whether or not they are true. In a sane universe, if it were TRUE that this were occurring, or that the newspaper were being run by the mob, or that the newspaper constantly ran advertisements featuring ritual human sacrifices of naked persons (or engaging in ANY behavior deemed collectively to be antisocial and/or illegal) it would be perfectly reasonable to shut the paper down and arrest the owner, or arrange for a boycott of the newspaper, or remove the paper's "credentials" from the association of newspaper publishers (said credentials required for the newspaper to be delivered as the paper is delivered for free by PUBLIC servants who won't deliver trash).

Would this "punish" the subscribers? Not at all. There are other papers to subscribe to.
Perhaps they'd miss some featured columnist. Maybe they LIKE getting newspapers printed with the blood of children. However, it's reasonable to deny them access to public resources to deliver those papers if those public resources clearly state that they don't accept messages in which children or animals were harmed in the printing process.

   rgb

-- 
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx