Best of the ISP-Lists

The Anti-Virus Can Of Worms

Members of the ISP-Marketing list discuss the promise and possible peril of offering anti-virus services to residential Internet subscribers.

[December 13, 2001]

On the ISP-Marketing list in November, EA proclaimed,

"With all the new viruses that are circulating right now, isn't it time that ISPs protected their subscribers against these viruses? ISPs could even use the anti-virus system as an excuse to raise rates!"

A number of respondents were concerned about liability issues:

[MS asked] "What happens when a virus gets through and a user's machine is erased, and they sue you? I think it's a bad can of worms to open up. Also, you will have to spend extra money to manage it. If you are that worried about it, just outsource your e-mail to a provider who has virus checking, and let them worry about managing it."

[BS added] "False positives are another problem that can produce similar results."

[FM agreed] "Or you kill an e-mail that should have gone through. How would you word the TOS on such a service, and where would the buck stop? You just can't protect your users 100 percent."

[JB noted] "If someone pays me for this service and they load an infected Excel spreadsheet from a floppy, who are they going to look to? It's a pretty broad brush to have to manage."

Others offered some simple solutions to such fears:

[EA advised] "Just don't offer a 100 percent guarantee, and make sure your subscribers know that."

[JE agreed] "Say in your TOS that you disclaim any liability for the service, and that the customer uses it at their own risk."

Still others claimed that liability really is a non-issue:

[JS observed] "We're one of several companies offering full-service 'on demand' anti-virus to ISPs, and most folks seem to be embracing this as a service that can instantly add to the bottom line. Besides, the liability problem doesn't exist. If it did, I would be able to sue Microsoft every time it crashes when I'm in the middle of writing a document."

[AS agreed] "There are holes in Internet Explorer such that if a user browses to a website designed to exploit the hole, the user can infect their own machine. It would be absurd to assume that the ISP is responsible for such customer actions, or even other actions, such as not patching their browser/operating system, or opening virus attachments to e-mail from their own system, or the porn that junior downloaded last week, ad nauseum."

[PF added] "I just started a virus scanning service for a fee. Am I worried about liability? No! Why? Terms of service are a great tool. Also, if someone says that they got a virus from you, tell them they need to surrender their computer for an indefinite time so you can verify that the virus exists, came via e-mail, etc. Unless they can prove negligence or fraud, they can't do a thing."

MN suggested that there are a number of solid arguments for offering virus protection-with limitations:

"I'm a big believer in user responsibility: end users should certainly understand that, at the end of the day, they are responsible for their data integrity. But I do think there are sound arguments for virus scanning at the ISP end: the obvious ones are reduced tech support overhead, and reduced network load. An ISP that elects to offer virus scanning at the mail server level could certainly draft an appropriate clause in its TOS or member agreement that absolves it from liability should a virus get through. At the end of the day, though, users should not be allowed to bask in a false sense of security: viruses spread offline, too, so PC-level protection is still a must."

— End