[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?

Peter Fairbrother zenadsl6186 at zen.co.uk
Fri Oct 10 19:00:22 EDT 2014

On 10/10/14 18:51, David Conrad wrote:
> Hi,
> On Oct 9, 2014, at 2:01 PM, Bear <bear at sonic.net> wrote:
>> But Sonic.net ... have no claim to common carrier status for DNSSEC.
> I don't believe ISPs in general have common carrier status (at least yet, see discussions about net neutrality).

Being a Brit I know very little about US law, but in UK and EU law 
common carrier status isn't something that an ISP either does or does 
not have.

If a person (eg an ISP) is acting, in a particular case, only as a 
carrier of information for other people's data, then they may have 
common carrier status in that particular case; which is a defence 
against many civil actions and criminal charges, ranging from treason to 
copyright violation to libel or slander.

It is like they are saying that they are not responsible for the content 
of what they transmit, as they just carried it - just like the post 
office is not responsible for threats against the president or fruits of 
treason which are carried in the mail.

Roughly implicit in that is the idea that the person did not know what 
the content was, or that it was unlawful - but only roughly, not 
necessarily. Perhaps more implicit, but again not always necessarily so, 
is the idea that they must not discriminate, ie they must carry comms 
from anyone to anyone (as long as they get paid).

Persons may have to comply with other legislation in order to retain 
their common carrier status, and thus their immunity from civil and 
criminal liability - for instance, youtube must respond in timely 
fashion to DCMA takedown requests.

In most cases, ISPs do have common carrier status, and they value it 

In US statutory law common carrier status gives an ISP immunity to 
liability for copyright violations in third party content (DMCA), and 
against action for libel or slander in third party content 
(Communications Decency Act). The other immunities I mentioned are a mix 
of statutory and common law.

In the EU at least ISPs can also, for example, do spam filtering, and 
that does not affect their common carrier status, if it is done in order 
to facilitate the transmission of emails - they can reasonably say the 
email system would get completely clogged up if they didn't.

However when they start inspecting or censoring traffic for reasons 
other than facilitating the transmission of communications they may lose 
their common carrier status. This would leave them open to some civil 
suits and criminal prosecutions. In the UK/EU it would also be illegal 
interception if they looked at content, but not in the US.

Their T+C's are not usually immediately relevant to whether a person who 
passes on a communication has common carrier status.

(Net neutrality is kinda orthogonal to common carrier status - they 
don't really have that much to do with each other. Even if an ISP does 
deep packet inspection in order to decide whether to send a packet by 
the fast or the slow routes, that needn't necessarily affect its common 
carrier status. As long as the slow stuff gets there without inordinate 
delay, if the fast stuff gets there quicker then so what?

Common carrier status goes back a very long way; eg a shipping agent in 
India in the 1850's might offer a clipper service which would take ten 
weeks, or a barque service which would take twenty - but as long as he 
didn't discriminate based on factors other than price he would be a 
common carrier.

The censoring of communications by ISPs based on eg IP address or other 
communications metadata, rather than based on immediate inspection of 
content, is a slightly different, and thorny, issue, For instance if 
they bar access to hard-pron.com, for eg child-protection reasons, that 
is not interception of content (which would be illegal in the EU) - but 
it may cause them to lose common carrier status, not just for those 
comms, but for all comms. The law on all this is a bit unclear.)

As for Sonic.net and DNSSEC, no they do not have common carrier status 
in that respect. The DNSSEC communications are (presumably) between you 
and Sonic who run the DNSSEC server, so common carrier status would be 
impossible, and not relevant to the issue of whether you can sue them.

Sadly, as I know very little US law, I have no idea whether you can sue 
them or not.

-- Peter Fairbrother

More information about the cryptography mailing list