[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?
Peter Fairbrother
zenadsl6186 at zen.co.uk
Fri Oct 10 19:00:22 EDT 2014
On 10/10/14 18:51, David Conrad wrote:
> Hi,
>
> On Oct 9, 2014, at 2:01 PM, Bear <bear at sonic.net> wrote:
[..]
>> But Sonic.net ... have no claim to common carrier status for DNSSEC.
>
> I don't believe ISPs in general have common carrier status (at least yet, see discussions about net neutrality).
Being a Brit I know very little about US law, but in UK and EU law
common carrier status isn't something that an ISP either does or does
not have.
If a person (eg an ISP) is acting, in a particular case, only as a
carrier of information for other people's data, then they may have
common carrier status in that particular case; which is a defence
against many civil actions and criminal charges, ranging from treason to
copyright violation to libel or slander.
It is like they are saying that they are not responsible for the content
of what they transmit, as they just carried it - just like the post
office is not responsible for threats against the president or fruits of
treason which are carried in the mail.
Roughly implicit in that is the idea that the person did not know what
the content was, or that it was unlawful - but only roughly, not
necessarily. Perhaps more implicit, but again not always necessarily so,
is the idea that they must not discriminate, ie they must carry comms
from anyone to anyone (as long as they get paid).
Persons may have to comply with other legislation in order to retain
their common carrier status, and thus their immunity from civil and
criminal liability - for instance, youtube must respond in timely
fashion to DCMA takedown requests.
In most cases, ISPs do have common carrier status, and they value it
highly.
In US statutory law common carrier status gives an ISP immunity to
liability for copyright violations in third party content (DMCA), and
against action for libel or slander in third party content
(Communications Decency Act). The other immunities I mentioned are a mix
of statutory and common law.
In the EU at least ISPs can also, for example, do spam filtering, and
that does not affect their common carrier status, if it is done in order
to facilitate the transmission of emails - they can reasonably say the
email system would get completely clogged up if they didn't.
However when they start inspecting or censoring traffic for reasons
other than facilitating the transmission of communications they may lose
their common carrier status. This would leave them open to some civil
suits and criminal prosecutions. In the UK/EU it would also be illegal
interception if they looked at content, but not in the US.
Their T+C's are not usually immediately relevant to whether a person who
passes on a communication has common carrier status.
(Net neutrality is kinda orthogonal to common carrier status - they
don't really have that much to do with each other. Even if an ISP does
deep packet inspection in order to decide whether to send a packet by
the fast or the slow routes, that needn't necessarily affect its common
carrier status. As long as the slow stuff gets there without inordinate
delay, if the fast stuff gets there quicker then so what?
Common carrier status goes back a very long way; eg a shipping agent in
India in the 1850's might offer a clipper service which would take ten
weeks, or a barque service which would take twenty - but as long as he
didn't discriminate based on factors other than price he would be a
common carrier.
The censoring of communications by ISPs based on eg IP address or other
communications metadata, rather than based on immediate inspection of
content, is a slightly different, and thorny, issue, For instance if
they bar access to hard-pron.com, for eg child-protection reasons, that
is not interception of content (which would be illegal in the EU) - but
it may cause them to lose common carrier status, not just for those
comms, but for all comms. The law on all this is a bit unclear.)
As for Sonic.net and DNSSEC, no they do not have common carrier status
in that respect. The DNSSEC communications are (presumably) between you
and Sonic who run the DNSSEC server, so common carrier status would be
impossible, and not relevant to the issue of whether you can sue them.
Sadly, as I know very little US law, I have no idea whether you can sue
them or not.
-- Peter Fairbrother
More information about the cryptography
mailing list