Best of the ISP-Lists

Must ISPs Pay for Viruses?

Members of the ISP-Marketing list discuss the role of an ISP in virus protection.

[July 28, 2000]

On the ISP-Marketing list in June, EA asked for feedback on the issue that had been raised on the ISP-CEO Moderated list:

"Who is responsible for virus protection? Comments?"

The post elicited a tsunami of responses.

A number of respondents proclaimed that end users bore responsibility for protecting themselves:

[MK wrote] "It is up to the individual to protect his or her self and to accept the consequences of irresponsible behavior (like opening attachments without knowing who they're from or what they contain)."

However, another respondent felt that a portion of the responsibility fell on the ISPs:

[DB opined] "My personal opinion is that service should be comprehensive and the ISP should take responsibility for viruses passing through to the subscribers. The end user has a responsibility to protect their systems, including being informed about viruses."

Another user questioned the assumption that ISPs were unable to protect themselves and their users from viruses:

[CC wrote] "With some very good products out there (yes we sell some), why would you not have protection? Regardless of what 'legal' terms you use, a customer will come after the ISP for damages. Wouldn't it be better to set up some minimum protection to for yourself and your customers?"

This rather benign suggestion sparked a flurry of responses:

[PF wrote] "No virus scanner is 100% effective."

[MK concurred] "The average customer will only hear that you do virus scanning. And when a virus gets through and wipes their system they'll blame you first! The more you 'massage their data' the more liability you expose yourself to."

MN picked up that thread and ran with it:

"Once courts get around the concept of holding ISPs responsible for viruses then it is only a short walk to holding them responsible for users who fall for hoaxes, get stung by scams or have confidential documents stolen from their PC after being duped into installing a trojan. ISPs need to be 'hands off' — they provide an infrastructure. Their job is to manage that infrastructure and bill clients according to the nature of their access. ISPs should, however, be pro-active in educating customers about the risks involved. Having done that, it should fall upon the individual user to make a decision about how to respond to those risks (e.g. install anti-virus software, firewall etc. etc.)."

EA weighed in again with these comments:

"One of the theories the courts have used is that of assuming that the ISP is like an insurer and that if the user is 'hurt' the 'insurer' must provide a remedy. This assumes that the ISP can bear the risk since it passes the cost of these claims to its users. One can rail about the obligation of the consumer to protect him/herself all that one wants and how unjust the courts are until you are blue in the face, but it just does not work that way. So the answer is to protect oneself by getting proper legal advice, consider installing an anti-virus system, check out your terms of service, provide warnings to customers and buy insurance."

One respondent took issue with EA's theory:

[RK wrote] "Under the law, ISPs are 'common carriers' and as such we cannot be held responsible if someone uses a device attached to the 'common carried' in order to maim, harm, or damage. If you start to modify the data sent through your system you are actually taking on the role of an editor, and opening yourself up to liability."

DD, in turn, argued that ISPs were not actually common carriers, but agreed with RK's other points:

"Some cases have held that ISPs are not responsible for the content they transport. If they massage content, they start exercising editorial judgement and can get in trouble. ISPs are pipes, not publishers."

—End