If Technology Alone Doesn't Work, What's the Answer?
The answer is a law that allows people and organizations to easily sue entities for "operating computers connected to public networks negligently in a manner that harms the public." The model would be the Federal junk fax laws that allow suing locally in small claims courts, adapted to cover current technology and circumstances. Proposed penalties might be $20 or court costs for the first offense, and $100 per spam/malware for subsequent offenses.
This law must be implemented fairly, of course. Computers are difficult to secure and computer competence is still unusual. And it takes time to make people aware of a new law. You don't want your grandmother being hit with a massive fine for a first offense because she didn't know what an antivirus program is. Users must be informed that they have a problem and pointed at resources that provide a fix. If the problem persists, the ISP must be required to turn over the name and address of the public nuisance for legal action under this new law.
Let's consider how each player in this situation is affected.
Here's what might be expected from the ISP:
ISPs and network providers must make available and monitor abuse@ addresses so that users and sysadmins can complain about malware spreaders by IP address.
ISPs must relay complaints to problem users. For example, the ISP should send a standard form complaint to the user, including the following information:
The offending email, with full headers
A list of computer security information resources
A statement that the user will be sued if the problem isn't fixed
If a second complaint is made about a user, the ISP would be required to give that user's name and address to the complainant.
If an ISP doesn't respond or falsely claims that the IP is not on the ISP's network, the ISP must assume joint responsibility with the user for his or her negligent practices.
ISPs would have to keep track of complaints against individual users. They should be doing this anyway, but the tradeoff for this requirement is the reduction in the bandwidth and computational resources needed for random incoming spam/malware.
The courts would need a national database that lets any court discover previous convictions; the courts must report convictions as they happen.
Expertise must be made available to judges, to make it possible for them to answer these essential questions:
Did this item of spam/malware come from the defendant's machine?
Did the defendant take "best practice" measures to prevent this offense?
The plaintiff would take these steps to file a complaint under this law:
Find the actual source of the spam/malware by IP address.
Send a standard complaint form to abuse@ or postmaster@ at the domain responsible for the spam/malware source.
If the user gets more spam/malware from the same IP address, send a second complaint to the ISP.
File suit in small claims court against the name provided by the ISP, or, if the ISP fails to cooperate, sue the ISP and a "John Doe" defendant who sent the spam/malware.
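The first step above, finding the actual source by IP address, is the one a plaintiff most often gets wrong, because the lowest Received headers in a message are written by the sender and can be forged (the "joe job" defense mentioned later rests on exactly that). The following is an added example, not code from the article: it reads the Received headers newest-first and stops at the first hop that was not recorded by a server you trust, so the address it returns is the one that actually connected to trusted infrastructure. The hostnames, the trusted-server set and the sample message are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Address ranges that can never identify a remote sender on the public
# Internet. Listed explicitly instead of using ipaddress.is_global so that
# the documentation ranges (TEST-NET) used in the constructed sample below
# are treated like ordinary routable addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

FROM_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
BY_HOST_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def is_routable(ip):
    """True unless ip falls in a private, loopback or link-local range."""
    return not any(ip in net for net in NON_ROUTABLE)


def originating_ip(raw_message, trusted_hosts, trusted_ips=()):
    """Return the address that handed the message to the first trusted server.

    Received headers are read newest-first, the order they appear in the
    message. A hop is believed only if it was written *by* a host in
    trusted_hosts (lowercase names). The first believed hop whose *from*
    address is neither an internal relay nor non-routable is where the
    message entered trusted infrastructure. Everything below that hop was
    written by the sender's side and may be forged, so it is never used.
    """
    msg = message_from_string(raw_message)
    trusted_ip_set = {ipaddress.ip_address(ip) for ip in trusted_ips}
    for received in msg.get_all("Received", []):
        header = " ".join(received.split())  # unfold continuation lines
        by = BY_HOST_RE.search(header)
        if by is None or by.group(1).lower() not in trusted_hosts:
            break  # not written by a trusted server: the rest is hearsay
        from_part = header[: by.start()]  # only this describes the client
        for candidate in FROM_IP_RE.findall(from_part):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed text that was not an address
            if ip in trusted_ip_set or not is_routable(ip):
                continue  # internal relay, keep walking toward the sender
            return str(ip)
    return None


# Constructed sample (hypothetical hosts, documentation IP ranges). The
# bottom Received line claims the mail came from friend.example.org at a
# private address; it was written by the spammer's machine and is false.
SAMPLE_EMAIL = """Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.example.com with ESMTP id ABC123
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx2.example.net with SMTP id XYZ789
Received: from friend.example.org (friend.example.org [10.0.0.5])
\tby 203.0.113.45 with SMTP
From: "Spoofed Friend" <friend@example.org>
To: victim@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    # Our own server plus the provider's inbound MX are trusted.
    print(originating_ip(SAMPLE_EMAIL,
                         {"mail.example.com", "mx2.example.net"},
                         ["198.51.100.20"]))
```

The returned address is the one to look up (for example with WHOIS) to find the abuse@ contact for the complaint. Which servers count as trusted matters: if only mail.example.com were trusted, the function would stop at the provider's MX and report 198.51.100.20, so the trusted set must include every relay that legitimately handles your inbound mail.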
For a first offense, the defendant would be allowed to file responses via email or web form. (An innocent defendant shouldn't have to pay the costs required for an in-person court appearance.)
The defendant may be able to claim some affirmative defenses:
The complainant doesn't have an evidentiary email with full headers (case dismissed with prejudice).
The defendant can prove that the offending spam/malware didn't originate on the defendant's machine. Demonstrating a "joe job" or IP spoofing would qualify as proof.
The defendant can prove best practices in use on the date of the spam/malware occurrence.
The defendant can show that a "zero-day" exploit or other attack occurred against which there is no current technological defense.
There also may be some defense or penalty mitigation:
A first offense limits penalties to the plaintiff's court costs. The plaintiff can sue based on only one piece of mail in a first offense, though other email messages can be used as supporting evidence.
The defendant can file a response via electronic mail or web form in a first offense case only.
Proof of best practices can be given by taking and passing, once, a simple test on user "best practices" given by the court.
Full penalties would be assessed to any non-responding defendant.