Yui Kee Computing Limited is warning that CPCNet Hong Kong Limited's Terms and Conditions make their customers more vulnerable to malicious software, such as viruses. CPCNet has imposed a ban on its customers sending samples of malicious code, including if they are sent to an anti-virus developer or other information security expert. Current viruses can spread round the world at Internet speed, but CPCNet customers can only shout for help at snail mail speed. CPCNet has shown that it is willing to terminate customer accounts in support of this draconian ban.
Some customers may already be in violation of the ban because their anti-virus software is configured to automatically send a sample to the developer via the Internet. CPCNet has insisted that it will apply their Terms and Conditions equally to all customers, so these customers may have their Internet connection terminated.
The problem came to light when Yui Kee, a customer of the ISP since 1994, decided to change its existing Leased Line to a Broadband connection. The new Terms and Conditions included clause 18(c):
18. The Customer must not use the Services to store, transmit or distribute:
(c) any virus, worm or Trojan horse software or any software for damaging or compromising the security of other computers, networks or sites.
"We knew immediately that this clause was a problem for us, we use the Internet to communicate with anti-virus researchers and other information security professionals around the world. Occasionally, this includes sending a sample of malicious code, in a safe, secure manner", said Allan Dyer, Chief Consultant of Yui Kee. "However, a little further thought reveals that it is a problem for anyone who cares about their information security."
When users encounter a problem, they ask their support staff. If it is new to the support staff, they will contact the vendors' technical support department. If the problem involves a suspicious program or file, they will send it with the question. Naturally, they will all use the easiest and quickest communication method: usually, the Internet. Some anti-virus products even automate this process, as can be seen from the following excerpts from the Symantec web site:
http://enterprisesecurity.symantec.com/products/products.cfm?productid=155 "NAVEX^(TM) and Digital Immune System^(TM) technologies provide virus detection, analysis, and repairs via automated submission and response mechanisms."
http://securityresponse.symantec.com/avcenter/submit.html "If you would like to submit a virus sample manually, please use our secure Web Submission Tool."
http://service1.symantec.com/SUPPORT/ent-gate.nsf/df96e9c0a4b1dfa288256bc1005cd7d5/7b22e01d8ca57fdb88256c77005673af?OpenDocument&src=bar_sch_nam "You want to know what changes need to be made at the firewall to allow the Quarantine Server to communicate with Symantec for delivery of suspect files."
This shows that transmission of suspicious samples to anti-virus developers via the Internet is considered normal, and it may be configured to occur transparently to the user.
"We tried to explain the issues and our concerns to CPCNet, but they just reiterated their policy", Dyer reported, "We even re-wrote the clause for them":
18. (c) any software, including but not limited to any virus, worm or Trojan horse with the intention of infecting, damaging or compromising the security of other computers, networks or sites.
The modified clause allows transmission of samples to support or information security professionals because the intent of the customer is taken into account. Even Hong Kong Law does not seek to define a computer virus; it also uses the intent of the perpetrator when defining Criminal Damage.
"Then, on 15th October, they sent an ultimatum: sign an undertaking, or have our Leased Line terminated.", Dyer continued. The letter included a statement of CPCNet's understanding of the threat:
"Transmission or storage of virius worm or Trojan horse software or anything of similar nature is hazardous and may cause significant and irremediable damages to the network system and any persons connected with the network."
Allan Dyer commented, "They are including irremediable damage to people? I suppose that must mean permanent injury or death. CPCNet thinks that emailing a computer virus sample can kill people! Even ignoring that hyperbole, CPCNet does not appear to understand the ISO Seven Layer network model, which guarantees that the content of a message will not affect the lower layers of the network infrastructure."
Yui Kee took the issue to OFTA. OFTA choose to view the matter as a contractual issue, "We would like to reiterate that OFTA’s powers and functions do not extend to the arbitration on fairness of contractual terms or settlement of contractual disputes between individual customers and the operators."
Meanwhile, following the expiry of the deadline, CPCNet sent a Notice of Termination of Service on 1 November, saying that Yui Kee's leased line would be cut at 6:00 p.m. on 29 November. Dyer was confused, "Apparently, from their earlier ultimatum, they consider that our actions may kill someone, yet they wait six weeks before acting. These are not the actions of a responsible company."
Yui Kee's previous use of CPCNet's service, including the receipt of virus samples and the sending of encrypted virus samples, has caused no interruption or security problem. Dyer emphasised, "I can also state that we will always act to prevent such problems. CPCNet is claiming that we represent a grave threat to their network, but they have never explained the basis of these fears. The truth is we are not a threat, we have not been a threat, and we will not be a threat, CPCNet's fears are groundless."
Yui Kee is contending that they have not violated their existing Terms and Conditions, so CPCNet has no grounds for termination, and OFTA should act to prevent the disconnection of a customer that has done nothing wrong. OFTA has not yet responded to this.
However, Dyer points out that the more important issue is whether an ISP can be allowed to restrict their customer's access to effective anti-virus support, "CPCNet has failed to explain how users can quickly send samples to anti-virus researchers for analysis. It is not too late for CPCNet to take the sensible course, and change the problematic clause for all their customers."