I was reading an article today called Does Your ISP Care About Protecting Your Privacy?. An interesting question. The ISPs in the article are even thinking of VPNing all the traffic to avoid the necessity for keeping the logs (or probably better, NATing the whole network). So it seems that the ISPs in this article are trying to do their best to protect your privacy.
Isn’t that great? Well, not really as there is a second aspect to this: I was recently talking to Michel van Eeten from the Delft University of Technology in the Netherlands. He did with some other academics a study for the OECD called The Role of Internet Service Providers in Botnet Mitigation (based on spam data), which came to the conclusion that there are ISPs which do a good job and others which do not. If you look at this graph you will see that if we could reduce the spam from the top 50 ISPs (the worst ones) we would get rid of almost 50% of the spam worldwide:
Additionally they found out that over the years (2006-2009) at least half of the ISPs (when it comes to the number of infected machines per subscriber) remained the same in the Top 50.
So, it seems that the ISPs stick to their practices – good or bad.
Which leads me back to my initial question: What do we want? If an ISP would encrypt the traffic to protect our privacy completely, it would not be possible to find the bots and help the consumer to clean. If we want them to completely address the problem, they would most probably have to do at least a certain level of traffic inspection. So, what to we want? How far are we willing to give up a certain level of privacy to allow law enforcement to go after the bad guys?
I think we should come to the point, where we get a more balanced view on such issues. The biggest challenge, however, will be that the answer to the question will be different from culture to culture but the problem is global. So, we kind of need a culture-agnostic answer/solution, which will be very hard to achieve.
Oh, I think I owe you one thing. Based on the study there were a few simple things, which the best ISPs do. I quote the findings of the study:
That ISPs (as opposed to other types of players, such as hosting providers or corporations operating a network with its ASN) play a central role in botnet activity was already discussed, as was the great variability among ISPs. In addition to these findings, our data indicate the following (see Asghari 2010 for a more detailed discussion):
- There is a widely held belief that larger ISPs show worse security performance, as they face much less peer pressure. For instance, Moore, Clayton, and Anderson (2009) state that “…very large ISPs are effectively exempt from peer pressure as others cannot afford to cut them off. Much of the world’s bad traffic comes from the networks of these ‘too big to block’ providers.” In contrast to this belief, our dataset indicates that, while larger ISPs emit more spam in absolute numbers, relative to size their performance is on average slightly better than that of smaller ISPs.
- Another claim is that lower average revenue per user (ARPU) is a sign of higher financial pressure that might result in less attention to security. Our data suggests that ARPU and relative security performance are unrelated.
- Given differences in networking technology and user base, one might hypothesise that cable service providers can enhance their security performance easier than DSL providers. Our data indicates an 8 % lower incidence of unique sources for cable companies. The volume of spam, however, is similar for both types of providers. This might reflect that cable subscriptions have higher average bandwidths than DSL subscriptions, that cable providers use more Network Address Translation technology, or that they more often block port 25.
- Bivariate analysis indicates that ISPs in countries that have joined the London Action Plan (LAP) have, on average, fewer bot infections. Likewise, operating in a country that has signed the Council of Europe’s Convention on Cybercrime is negatively correlated with botnet infections. Neither of these initiatives targets botnets directly. However, one could argue that membership of LAP is a proxy for the activity of a country’s regulatory entities in the area of cybersecurity, whereas membership of the Convention on Cybercrime is a proxy for the activity of law enforcement institutions in a country. These memberships, we assume, are associated with a broader set of measures undertaken by the governments in those countries. Earlier research by Wang and Kim (2009) provided some evidence in support of this effect, though they presume a somewhat tenuous direct causal link between the Convention and cybercrime incidents, rather than interpreting membership of the Convention as a proxy variable. However, factors correlated with a country’s willingness to sign these agreements could also be at work both for the Convention as well as the LAP.