[floatingatoll]

Is the carrier willing to work with any website who is abused by their customer? Is their barrier to accountability the demand for a civil or criminal lawsuit? Can sites with mouth legal presence in the same country as the provider seek accountability? Must sites have vast monetary resources sufficient to survive the provider’s attempt to protect their customer from being held accountable under the banner of privacy? How can the provider defend themselves against abusive and falsified requests for identification? Is there an agreement that can be reached to protect identities while still stopping ongoing willful abuse by anonymous customers?

I appreciate the theory that you’re sketching, and I think it certainly has potential. But we already have the theoretical capability you describe today, and have had it for decades, and yet online abuse continues unchecked — so you’ll have to talk more about how and why your recommendation improves on what we have today.

[vitus]

Oh, I agree that the carrier isn't going to work with just any website.

But companies like Zoom (as would be relevant in this scenario) might hold more sway, especially if the looming threat is "deal with this on your end, or we will, with the blunt instrument that is IP banning". (Now, whether Zoom would engage in an IP ban just for abuse affecting a single school is a different story. But I imagine they must have some motivation to deal with zoombombing. Right??)

The school itself might not have the resources to engage in a legal battle, but they could certainly get law enforcement involved, especially if the abuse enters, say, hate crime territory, as it seems like it may have in this case.

(Granted, the privacy concerns that you raise are an entire issue in themselves, and I don't have any answers there.)

To be clear -- this isn't a novel proposal, per se, unless talking to other people is novel :) But, it's just a suggestion that while circumventing CG-NAT is technologically infeasible from the outside, technical solutions are not the only option.

And if it's not possible from the outside, well, there's one entity who's positioned to further trace the abusive users...

[floatingatoll]

Law enforcement has not demonstrated a willingness to spend its resources on these concerns, and frequently will disregard threats of bodily harm and murder. Expecting them to respond to requests from a web forum, my go-to litmus test for solution viability, is laughable in the United States and I suspect most of the rest of the world as well.

The entity delivering service to the abusive customer is profiting from that delivery. Terminating service to that customer hurts their bottom line. They have strong incentives to not only refuse all requests for help, but to resist even the most serious of requests, in order to protect their bottom line.

I’m sorry to rain on your parade - it’s nothing personal! I wish I could be more supportive! - but there is overwhelming evidence that every entity that is positioned to help will do whatever it takes to avoid helping.

If this remains unsolved, we’re going to end up losing anonymity on the Internet. Several online food delivery systems in the US already permanently block Cloudflare’s 1.1.1.1 VPN product by IP, using Cloudflare’s own CDN protection tools! Because it turns out that effective anonymity for all comers protects abusers from accountability.

That’s why this is a billion-dollar problem.

[vitus]

No offense taken!

I do wish that the market would work as intended such that failures in handling abuse (e.g. frivolous accusations as we're plausibly seeing here) would lead to organizations moving away from Zoom to competitors, whether it's Teams or Meet or BlueJeans or whatever else. But unfortunately the friction of changing platforms is high, between sunk cost of contracts, needing to vet / compare multiple new systems, training on the use of new software, etc.

Meanwhile, the existing solution mostly just works 99% of the time.

(All this said -- even if CG-NAT is to blame for multiple students showing up with the same IP address, that should be tangential to the actual identification of abuse. Either there's a process failure (students aren't required to sign in), or Zoom's not logging or looking at the right things (e.g. display name changes).)

[TomSwirly]

> I do wish that the market would work as intended

(Intended?! By whom?!)

In this case, the market is working exactly as markets are supposed to. Effectively dealing with abuse is expensive, and has no profit potential whatsoever.

The market will therefore penalize companies that spend money on dealing with abuse, and reward companies that do not. Economically, companies that manage to sweep abuse under the rug for the minimum possible cost will naturally dominate, and companies that spend the considerable investments needed to do a good job on it will eventually go to the wall.

If "market working as intended" has any meaning, maximizing profits is certainly it. It's very economically logical for a provider to not cater to the 1% or so abuse victims, who are expensive to handle, offer little revenue, and might stay with you anyway out of a lack of other places to go. It might be unfair, lack compassion, and be cruel to prioritize abusers over the abused, but none of these terms have any meaning by the metric of "markets"

[vitus]

By "markets working as intended", I mean "if one provider of a service has a critical flaw that's specific to that provider, and that flaw is a dealbreaker for some customers, then they ought to be able to vote with their wallets to switch to otherwise equivalent providers that don't have that flaw.

But I see your point that the markets are working logically from the perspective of there being insufficient incentive for companies (well, Zoom at least) to invest in dealing with this issue. Negative press only goes so far, and it doesn't matter much when it's the dominant player in the market by far (in part due to design choices that facilitated these flaws -- minimized friction in the interest of accessibility also minimizes friction for malicious action).

[celsoazevedo]

> Several online food delivery systems in the US already permanently block Cloudflare’s 1.1.1.1 VPN product by IP, using Cloudflare’s own CDN protection tools!

If they use Cloudflare, then that block is dumb. Sites behind Cloudflare are able to see the real IP of a 1.1.1.1 WARP user. Non-Cloudflare sites will see Cloudflare's IP.

WARP isn't a traditional VPN service[0]:

> "From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit."

[0] https://blog.cloudflare.com/announcing-warp-plus/

[floatingatoll]

Yes, I agree that the block is dumb. No, knowing that technically it’s useless made no difference whatsoever in getting them to lift it. There is no financial incentive for them to improve their block to be more capable or granular. They would rather not have customers who use a VPN, because to them a higher percentage of those customers are abusive. What case might you recommend to convince them otherwise?

[TomSwirly]

> But we already have the theoretical capability you describe today, and have had it for decades, and yet online abuse continues unchecked

There is absolutely no mystery as to why. The for-profit corporations that provide these services have absolutely no interest in preventing online abuse, because doing so is expensive and there's no way to make money out of it.

[the provider blah blah]

As a human being, I really don't give a tuppenny damn about "the providers" anymore. This has been a problem for decades, and for decades we've had nothing but whining excuses from "the providers" while they continue to do nothing.

"The providers" should have been investing in anti-abuse technologies and systems starting in the previous century. They haven't done anything.

Draconian measures are needed. If "the providers" have to scramble, maybe even take losses for a few quarters, it's too damn bad for them.