-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 14 July 2004 09:55 am, Paul Howarth wrote:
Jonathan Gardner wrote:
I disagree. I believe example.com is responsible for their ISPs
failing.
Let's say I am the general contractor responsible for building a new
apartment building. I hire a carpenter and he and his team builds the
structure. I am still responsible for the structure being up to code
and if it fails in any way, I will be held responsible. I can't tell
the city inspector, "Well, it's not my fault. It's the carpenter. Why
don't you blame him and leave me alone?"
On the other hand it's possible that the carpenter has significantly
exceeded every requirement specified by the code but the structure could
still fail because the code does not consider every possible scenario
(e.g. a truck crashing into the building). Does that make the carpenter
incompetent? Is that really your fault?
Yes, it is the GC's responsibility.
In the real world, only responsibility is important.
Fault is a way to point fingers after the fact. But finding fault doesn't
get anything done, and it doesn't prevent anything from happening. Even if
you do find the culprit to blame, does that fix your problems? No, you
still have to collect damages or labor or whatever from the culprit. You
still have to mete a just punishment out to the culprit. And you may have
to make sure that the culprit's public reputation suffers. But it is still
your responsibility. Finding the culprit is your responsibility. Punishing
the culprit is your responsibility. I don't mean vigilante justice, I mean
cooperating with the police and prosecutors so that the can find and punish
the criminals. If you don't call the police, how can they open a case on
it?
The GC can take precautions to prevent a truck from damaging the structure.
The GC can make sure that only responsible people are allowed near the
construction site or only responsible companies that hire responsible
workers. The GC can buy an insurance policy and pay the premiums to help
him recover from this kind of thing. But if the GC is contracted to build a
structure, and he doesn't deliver, his only hope is to get out of the
contract some way and get rid of his responsibility.
The domain owner can take precautions to prevent spam from being sent in
their names. They can choose to use operating systems and software programs
that are secure. They can apply the best secutiry practices. They can hire
a security consultant or network administrator to handle these issues. They
can choose an ISP with a track record of security and responsible sending.
They can even use their own servers for sending.
If their economic situation, geographical location, skin color, preferred
religion, or even language used at home prevents them from securing their
servers, that is still no excuse. Their governments can prevent them from
securing their servers. Aliens can beam mindwaves that manipulate them to
leaves their servers insecure. But they still have responsibility for their
domain names.
I'll try to make this simple. Let's examine the fact, and let's draw two
sets of conclusions. You decide which one you will conclude. My conclusion
should be obvious.
FACT: example.com sends spam, or allows spam to be sent in their name.
Conclusion 1:
We feel sorry for example.com. They are naive / poor / hacked /have a bad
ISP / <insert any other possible excuse>. But since we feel so sorry for
them, we will still give them the same reputation as
responsible_sender.com, who has never sent any spam in its name. It's only
fair right? I mean look at how naive / poor / hacked / have a bad ISP /
<insert excuse> they are! Don't you feel sorry for them too?
You can't expect them to secure their systems the same way as
responsible_sender.com, because, well, they are so naive / poor /...! They
deserve the same reputation as responsible_sender.com!
I mean, responsible_sender.com spends a huge amount of resources so that
they can have a good reputation. They use every possible mechanism to
ensure they have a good reputation. They do this because their reputation
is their business. But example.com needs reputation too! Shouldn't we just
give it to them because they need it so much? Why do they have to go
through the same steps that responsible_sender.com went through? It's not
fair that they have to put in as much as responsible_sender.com put in to
get the same thing out.
Conclusion 2:
We feel sorry for example.com. They are either unable to secure their
servers, too poor to hire people to do that for them, or their ISP is
incompetent, or <insert excuse>.
However, the fact remains, example.com sends spam. Therefore, we cannot
give the same reputation to example.com as responsible_sender.com. In fact,
we may have to apply more scrutiny to example.com's emails, or even
blacklist them until they fix their problems. We'd do the same to
responsible_sender.com if they started to send spam. That's fair.
If example.com violates laws, then they will still be subject to the
punishments of those laws. Let the judge and jury decide.
We will make certain that example.com cleans up their act, because we
cannot have these kinds of irresponsible people running the internet. If
everyone behaved like example.com, the internet would be useless.
- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFA9seOBFeYcclU5Q0RAgbhAJ9wTkE4ZPDX9USiW+aBa2XwGG9jvwCgv2gy
q4buWr/oKRDorNFrdMtAasg=
=+osY
-----END PGP SIGNATURE-----