WEIS Recap: Review of "Might Governments Clean Up Malware?"

Posted by Oliver Day Fri, 25 Jun 2010 19:01:48 GMT

Richard Clayton wrote one of the more interesting papers presented at WEIS. In his paper “Might Governments Clean Up Malware?” [pdf] he suggests some possible government intervention to aid consumers in cleaning up their computers. His paper explains the reasons as follows.
1) ISPs do not have an incentive to act
2) The problem has public dimensions very similar to public health issues
3) The math behind this issue requires someone (the government) to seed the funding for experts to act
I agree with the contention that ISPs do not have incentives to act. Of the web hosts that I have communicated with, not a single one has found it financially rewarding to deal with the problems I highlight. This really isn’t how it is supposed to work, either. As Clayton points out, “in principle the market should deal with ISPs who skimp on abuse activity.” Put another way, those ISPs who do actively clean up infections in their consumer base should have a better image and thus more business. The market should reward those ISPs who go out of their way to make sure that their customers remain protected. But as pointed out in many of the papers that grace WEIS and other conferences like it, the margins are extremely slim.
Clayton’s paper even references another paper which makes the claim that a single interaction with a customer by an ISP will eat up all of the profit generated by that customer for the entire year. (In a footnote he mentions that this may be exaggerated but not greatly so.)
The one issue I have with this paper is that it doesn’t quite cover the issue I’m most concerned about. And obviously that isn’t a valid criticism of the paper so much as a want from my side. The paper deals with helping out web “surfers” instead of web masters. Often the problem that I’m studying involves both levels. Web sites are infected because the web master’s personal computer was infected and the attacker gathered the login details from there. So fixing one may in fact help fix the other. But there is a major difference worth noting. The paper made a good point in writing about the hesitation of an ISP in engaging with its customers this way. When margins are thin, profit is only acceptable through volume. So any actions which drive customers away in any number are dangerous. Accusing customers of infections isn’t always rewarded with gratitude. Customers can feel angry, ashamed, alienated or all three at once. It is difficult for many people to find new options for bandwidth provision. In Cambridge I have my choice between one cable company and two DSL providers (one of which just resells the other’s at a markup). And the change from cable to DSL (or vice versa) comes with considerable costs as well. But for web hosting providers there isn’t that much cost and there are a lot of choices. So the dangers of customer alienation for web hosting firms are very, very high.


Comments

  1. Claudia said about 1 hour later:
    You've got a valid point in your concern and without financial gain not many will care to make progress in the area. I do like your point about hosting. As a consumer I have several if not dozens of web hosts to choose from, not so with my internet connection or bandwidth needs. It'll be interesting to see how long it takes for this to catch on. I don't see the government being the first to act - or at least not successfully.
