Frankly Speaking: Policing Cyberspace

I was going to write about another bunch of cyberspace vigilantes - the Enterprise Virus Alert Community (EVAC), a British group that warns its members as quickly as possible about virus outbreaks. But not everyone likes it when I call groups such as EVAC and the spam-blocking Mail Abuse Prevention System LLC (MAPS) "vigilantes." After my column two weeks ago, my in-box was flooded by readers snarling about that word. Mostly, they objected to the implication that these groups are taking the law into their own hands.

Yes, that's exactly what they're doing. And that's why understanding MAPS, EVAC and groups like them is so critical for corporate IT shops.

These groups have to take the law into their own hands. The laws that cover spam, viruses, online pornography and privacy violations are toothless. Cops who deal with online crime have bigger concerns - fraud, break-ins, theft.

So people who want something done about these problems have to do it themselves. And they aren't just lobbying for better laws or enforcement.

They're taking direct action - to block spam and porn from their systems, to speed up warnings about viruses and to blow the whistle on privacy violators.

That kind of direct action isn't a new idea, and it's not confined to the Internet. A century ago, it was vigilance committees in the Old West; today, it's neighborhood watch groups. What the law can't or won't handle, these groups step in to do.

Yes, membership is voluntary, and the members are only protecting their rights.

But because they function outside established law and business practice, other laws - and rights - may collide with what they're doing.

So polling firm Harris Interactive Inc. is suing MAPS for blocking its mass e-mails. More lawsuits are inevitable. Eventually, the conflict between the right to send mass e-mail and the right to block it will be hashed out in courts and legislatures. But until then, it's all happening outside the law.

Which brings us back to EVAC, a loose coalition formed a few months ago by a handful of British e-mail administrators who wanted faster warnings of virus outbreaks and were willing to work outside their companies to get them, according to BBC News.

When a new virus hits, EVAC uses e-mail, cell phones or whatever it takes to get word to members at the 17 companies in the informal network - faster than the CERT Coordination Center, faster than news reports or warnings from antivirus vendors. With bad virus outbreaks, minutes and even seconds matter.

EVAC's members are trying to get that little extra jump that will make a difference.

Sounds pretty simple and innocuous, eh? In fact, it sounds like a great idea, and EVAC's members say it helped keep damage from the recent "Life Stages" virus to a minimum.

But operating outside their companies raises other potential problems. What if e-mail administrators at two competing businesses share virus information directly? Will that run afoul of antitrust laws? Or of upper management at each company? What if another competitor wants to join the group and is rebuffed, then sues?

Suddenly, it isn't so simple or innocuous. This is new legal ground - shifting ground on which corporate IT shops need to tread with care.

Which doesn't mean EVAC is a bad idea - just that it's a lot more complicated than it first appears. Like MAPS and other private groups protecting themselves on the Internet, EVAC is pushing the limits of law on the cyberfrontier.

That's their real challenge - whether you call them vigilantes or not.

Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. His e-mail address is frank_hayes@computerworld.com.
