Download limits and Security

I saw a few articles recently (to which I would post a link, but I can't find them again...) about how download limits are bad for security. The basic point being made was that developers can't be trusted to deliver secure software, so a plethora of security updates is inevitable. People subject to download limits may (or probably would) choose to spend their precious download allowance on things they perceive as far more valuable to themselves than a patch for Windows or Acrobat.

The sudden interest seems to have come on the back of US ISPs such as Time Warner Cable looking at charging customers by the byte, which has led to a consumer advocacy group asking Congress to investigate whether charging by the byte is 'price gouging'.

While it may be new for the US, this type of download limitation and additional charges for exceeding set caps is nothing new here in Australia or many other parts of the world.

But how could this affect security?

I was told a story by a South African Microsoft employee about the way ISPs divided up download limits in the Republic. As far as I recall, there was basically a generous allowance for sites hosted within South Africa, and a much smaller allowance for sites based overseas. As Microsoft did not have a Windows Update server in South Africa, this led to people being unwilling to update Windows and burn up their precious overseas download limit. A partial solution was that another Microsoft employee set up a private WSUS server within South Africa and advised people to connect to his server to obtain the frequent updates.
While there are obvious potential security issues with that solution, it is perhaps the lesser of two evils compared to not patching at all.

But do 'regular' users really pay all that much attention to their download caps? All sorts of applications rely heavily on internet access to be able to download updates, from Windows and Adobe Acrobat to iTunes and anti-virus products. Would someone really disable their AV updates to save download allowance?

Speaking to a few non-IT friends, the prevailing opinion is that it is not something they even think about, and I imagine that is the common view. I suspect it would take being heavily slugged with extra charges for exceeding your allowance before most people even think about their download limits - although I have heard of people using 3G tethered internet connections on global roaming being unhappily surprised with huge bills for unknowingly downloading patches and updates automatically while travelling.

At this point it seems like much ado about nothing, and the introduction of download limits in the US will hardly lead to a new age of poorly secured unpatched systems. The bigger problem is the underlying operating systems and applications that are built with security as an afterthought (if it is thought of at all); the constant downloading of updates and patches is simply a symptom.
