BLOG

ISPs may face blocking challenges

Eric Goldman wrote an article about a Comcast subscriber suing a number of companies (including Comcast and Microsoft and TRUSTe) for blocking mail. As part of the judge’s decision he rules that the ISPs that blocked the plaintiff’s email are not protected under 47 USC 230(c)(2).

the court reaches a decidedly defendant-unfriendly conclusion by rejecting Comcast’s, Cisco’s and Microsoft’s 230(c)(2) defense, the statutory immunity for online filtering decisions–and the often overlooked cousin of 230(c)(1) which I have blogged about many times. Worse, the court reaches its conclusion in the face of several clearly applicable precedent cases. In my opinion, this is an example of how Smith’s pro se status causes the court to be overly cautious…to the point of reaching the wrong result.

Mr. Goldman goes on to discuss how this ruling conflicts with multiple instances of case law.
I don’t expect this will necessarily lead to a spate of suits against Internet providers for blocking, but there is a definite conflict in current case law surrounding spam filtering and if it’s protected under 47 USC 230(c)

13 comments

  1. John Levine says

    Holy petunias, Russ Smith. I have looked at his complaint, and his facts are utterly bogus. I’ll blog about it when I have a chance but the short version is that Comcast’s low-level support people read from the wrong script when he misconfigured his home mail setup, and he hosted his server at an infamous spam-friendly ISP in Florida to whom I wouldn’t give the benefit of the doubt, either.
    I presume Comcast, Cisco, and Microsoft will appeal. They have to.

  2. Bill Silverstein says

    I get the impression that the court leaned that way is because of the offer of a pink contract, interpreting Comcast’s position as, “you can spam all you want, you just have to pay extra for the privilege.”
    This could have been a pink contract offer, or an offer of a fixed IP address which would be allowed to send e-mails and not be blocked as much as a dynamic IP.

  3. laura says

    If you’ve got a copy of the complaint, John, I’d be interested in seeing it (404 pages? Really?) I didn’t realize this was the Russ Smith thing, which I’d avoided mentioning previously because it just struck me as such a bogus suit. Guess I’ll need to pay more attention to this one.
    Somehow, Bill, I don’t think that he was offered a ‘pink contract’, that it was a misinterpretation somewhere along the line. It may have been a poorly trained phone rep, or a problem on the other side of the phone, or just an unclear description of the conversation in the complaint. Having interacted with folks on the Comcast abuse and security desk, I’m pretty sure that’s not an accurate reflection of Comcast policy.

  4. Bill Silverstein says

    I agree it probably was not offered. It just was worded that way in the complaint, based on the read of Eric’s column.
    Dealing with Comcast support, I would not be surprised that they would tell someone that once they upgraded to a business account, they could send all the e-mail they want without problem. I have had a few horror stories with them.

  5. John Levine says

    See http://jl.ly/2010/05/15#consumer
    Smith put all the stuff at http://lawsuit.privacy.net/, linked at the bottom of the page. Most of the 404 pages is printouts of stuff he thinks is relevant.

  6. Russ Smith says

    The point of the case is this, Microsoft and Cisco operate blacklists/reputation scores for IP addresses. They collected information about my IP’s and eventually put it on their lists (apprarently in error). When I invoked their privacy policies to find out why I was on the lists they refused to give the information. Anyone can easily find similar stories about FrontBridge and Ironport. In fact there are several complaints from law firms who were put on FrontBridge becuas ethey operate their own mail servers. As for Ironport, they appear to use of combination of third party reports and network monitors where they collect data on their own (the blocking decisions do not depend entirely on content).
    As for Comcast, the issue involves port 25 blocking. It is unlear whether they actually collected information or fully depended on Ironport’s report. The MAWG best practices discuss port 25 blocking and indicate ports should be blocked except unless the user has a legitimate use for port 25. Many entities (such as Comcast, Ironport and Spamhaus) disregard this best practice and simply block all ports or claim all IP’s should be blocked based on “policy” (PBL). In the case of Comcast they have no such policy even though SpamHaus claims they do and places all their IP’s on the PBL. In any case, the MAWG best practices are correct it is just that most enities don’t follow it correctly.
    As for the Comcast “pink contract,” it is was not some mistake by a phone rep. The matter was discussed with the security department and confirmed by their legal department. They said if I signed up for Comcast business then there would not be any port 25 blocking. Comcast even offered me a free year of business service if I dropped the suit. As for Ironport and Frontbridge I expect you are also whitelisted (at least to the point of fixing the erroneous listings) if you pay them.
    The issue boils down to this, the privacy policies say I can review information they collect about me and I think that includes the information they collected to put me on a “blacklist.” I do not see what is bogus about this and the people who keep saying it is never can explain why they claim it is a bogus issue. (Mr. Levine is angry because I feel some of his opinions are based on an anti-spam religion rather than a balance between security and privacy).

    1. laura says

      I understand the point of the case, I just think you don’t understand what IP based reputation is about. It’s not about a person, it’s about the mail coming from a particular IP address. It has nothing to do with you or even the owner of the IP address. IP addresses, particularly those assigned to users of commercial ISPs, do not identify specific people. While the IPs can be stable over days or weeks, they will rotate and change. You don’t even know if the listing involved was for activity from when you had the IP, or if the listing is related to when someone else had the IP. And if the listing is about behaviour when someone else used the IP then by your own stance you have no right to the information about the listing.
      IPs from cable modems are not personally identifiable information. In fact, I have no doubt that the listing consisted solely of the IP address. They had no idea that was the IP used by Russ Smith, and have no way to identify that you are the person who was using the IP.
      On the reputation end, I’ve talked over and over and over again about what goes into a reputation score, and about why the information is not shared with the people using the IPs. http://blog.wordtothewise.com/tag/reputation/ and http://blog.wordtothewise.com/search/reputation explain how reputation is measured and used at ISPs and spam blocking companies.
      I fail to see how offering business class service, with open ports and the ability to run servers, is a pink contract. While that’s a term I haven’t heard used in the last few years, it was coined to describe ISPs that let spammers modify the AUP so that spam would not cause a disconnection. Offering a different service, with unblocked port 25 (and other server ports) is not a pink contract.
      It is not impossible to send mail if port 25 is blocked. You can use Comcast’s server. You can even use your own server to send mail. I can think of at least 3 separate ways to get mail from a cable modem to a smarthost: submit over 587, use a VPN to the server or use a SSH tunnel and port forwarding.
      the privacy policies say I can review information they collect about me and I think that includes the information they collected to put me on a “blacklist.” I do not see what is bogus about this and the people who keep saying it is never can explain why they claim it is a bogus issue.
      It’s a bogus issue because they didn’t collect information about you. They collected information about an IP address. You are not synonymous with that IP address.

  7. Al says

    I don’t understand the point of the case. It feels like the case has a plaintiff that doesn’t know much about IP reputation or blacklists.
    I pay for business class cable from RCN so I can have a static IP address with custom rDNS. Should I have just sued them instead?
    As somebody who has regularly had to deal with blacklist/reputation issues due to things like spamtrap hits, where the listing entity will NOT provide you listing info, it never dawned on me to just try to sue my way out of them.
    Russ, I call bogus. What exactly do you need me to explain as far as what makes it bogus? I’ll be happy to go into detail.

  8. Al says

    Actually, maybe I better hold off. Maybe Comcast will need an expert witness if/when this goes to trial. 🙂

  9. The Proverbial Barry says

    now you see what we have to deal with??

  10. Bill Silverstein says

    Al,
    I have seen somebody try to sue their way off of block lists. David Linhardt.

  11. Huey says

    Bill – and how is that working out for him?

  12. John says

    To suggest that somehow reputation based filtering as practised is somehow OK, is bogus. While i’ll submit that it could have fair use if one could attribute spam or some other bad acts to a particular entity rather than an pseudo-anonymous (dynamic) ip address. This is not the case. I have seen it reported that ISPs submit their own ip’s to spam databases based on the type of account ie.(dynamic=non business=never should host mail) This amounts to non-neutrality by proxy. A real world analogy would be saying we are not making you personally identifiable by name however as a class (ethnic) you should be discriminated against. That kind of baloney would never be tolerated in the real world. Unless ISPs are transparent about the information they collect and how it affects you anonymous or not, there will be no accountability. If ISP’s were to give all customers fixed ip addresses or provide info with re guards to the periods the customer possessed the ip in a transparent manor then customers such as Russ would be able to defend himself from attacks against his ip reputation or other non-neutral traffic filtering. Clearly ISP’s have the ability to to provide the information as they are more than happy to pro actively give up this information in the case of criminal activity. Reporters of ip reputation should be held libel for not keeping ip reputation accurate and current . Unlike credit agencies whose reporting is subject to US law some of these companies who provide the negative reporting databases are served from foreign soil which provides them a fair level of insulation from US lawsuits. I would also suggest that if a major ISP had ALL of its ip’s blocked (including its commercial accounts) as a result of a high number of low ip reputation gigs their lobbyists would be screaming to outlaw the practice. It’s too convenient that the blacklisting practice benefits the ISP by forcing those who wish to serve their own email to upgrade to a far more expensive commercial account.

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.