Scanning isn’t the only legal quagmire. Even if ISPs could scan all incoming e-mail, it’s nearly impossible for them to distinguish between, for example, a computer being used in a DDoS attack and legitimate Internet traffic such as the Weatherbug, which automatically checks National Weather Service servers every five minutes for regional weather updates. And just as ISPs can get themselves into hot water for blocking legitimate e-mail from a network, Zittrain says, they also can cause trouble when they are overzealous in monitoring legitimate e-mail going out of a network.

"If a customer is sending out 25 messages a day and suddenly blasts 500, that’s a red light that maybe they have a spam zombie in place," says Don Blumenthal, Internet Lab Coordinator at the FTC. "Of course it also might be that the customer has just become [Parent-Teacher Association] president and is using his work computer to send out some personal e-mails. You just never know."

Down the road, perhaps the biggest security challenge could come from the increased use of encryption. For instance, Vista, the new Microsoft operating system that is expected to debut next year, streamlines point-to-point encryption across the Internet. As a result, ISPs and security vendors alike may have trouble determining which e-mail packets are legitimate and which are malicious, possibly giving hackers unmitigated opportunities to wreak havoc everywhere.

The ISPs say it’s not as if they don’t care about security. But because they operate in a free-market economy, the decision to provide security is one each provider makes individually. America Online, Comcast, EarthLink and SBC—the four largest ISPs by number of subscribers, according to a June 2005 market report from JupiterResearch—all provide users with some rudimentary security services in the form of standard e-mail filtering and antispyware protection. EarthLink, SBC and some other ISPs also attempt to prevent virus and worm outbreaks by blocking traffic through Port 25, the server port used for simple mail transfer protocol, or SMTP, transmissions. (For more on how this works, read "The First Line of Defense" on Page 70.) Many other ISPs provide additional security to specific corporate customers at extra cost. And then there are those ISPs that don’t bother with security at all.

ISP executives say a more standardized approach to security would be cost-prohibitive—and it might not be what their business customers want anyway. "When you’re dealing with security, there’s simply too much at stake for us to offer a one-size-fits-all solution that works for everybody," says Stan Barber, vice president of engineering operations for Verio, an ISP and a subsidiary of NTT Communications. "What’s important for one company might not be important for another, and we need features that can scale."