oversubscribing is not my problem
Oversubscribing is common, and generally accepted. Not only in ISPs, but in airlines, doctors offices, heck even freeway design. The problem is not "should we allow oversubscribing" but when oversubscribing comes back to bite them "who's problem is it?"
I'll give you the answer: Just like with the airlines, it's THEIR problem. If you have a ticket for an overbooked flight, and you get bumped, they HAVE TO PAY YOU. The same should apply to ISPs. If they sell you unlimited access, up to some speed cap, and because of network congestion you get throttled to a lower speed, then they should have to compensate you for it, either in free time online, lowered bills, or outright in refunds.
It was their choice to subscribe you, their choice to set the limits for your access, and their mathematical prediction formula for over subscription. Your choice to use what you have been given is not your problem, and if they actively block or delay packets from your IP, then they're violating their agreement. We're all used to the idea that networks run slower at certain times in the day, and we all know we rarely if ever get the speeds we're sold. However, active processes that interfere with that must be prohibited, especially any that target specific applications, uses, or behaviors.
Here's what i propose: Oversubscription is fine, provided that 1) throttling is global to all accounts on a percentage basis, never on an individual IP, 2) bandwidth is not reduced by more than 30% at any point, 3) bandwidth is not throttled at all for more than 8 hours a day cumulative, and 4) packet loss is less than 1% for residential class connections (0.2% should be normal for business class). This is the difference between "oversubscribed" and "overbooked." If the network is "overbooked" for any neighborhood or group of users for more than 1% of the billing cycle, then all those users should get their monthly bill reduced by 25%, and an additional 25% for each additional 1% of time overbooked, and this bill reduction should be automatic and never user requested. The penalties for overbooking should be higher than expanding capacity, so hopefully few will ever see this kind of discounting, and we'll all have better running networks for it.
As far as download/upload caps? They admit that 5% of the users are problems for the network. Fine, lets set the the caps at a point such that 95% of users on a given subscription level do not pay overage charges. We'll further cap overage charges for any connection at the cost of the next highest connection tier. Beyond that, we'll throttle the connection to 50% of the lowest tier speed (about 1MB down, 128K up, which can't be further throttled for any reason) unless the user agrees to accepting further charges for access. The maximum allowable monthly charge, regardless of speed of connection or price tier, will be locked at $99.99 / month, and you can't be charged more than $20 above your current tier price without verbal or written confirmation. (no surprise bills). We'll require ISPs to increase the caps quarterly as necessary to ensure 90% of users in any 30 day cycle receive no additional billing. We'll allow the caps to be lowered only for new subscribers or for those on month to month billing (contractless customers).
As far as security management, I will allow ISPs to voluntarily block users from connecting to known sources of virus, phishing, and other malicious activity. For example, if we know that http://www.EBY.com is a phishing site mocking ebay, then we'll redirect that address to a warning site indicating the user either made a typo or followed a bad link. Additionally, I'd allow them to automatically quarantine incoming e-mails containing links to those same known bad addresses (provided they're recoverable if false positive), and provided those e-mails actually come through their servers (aka, not blocking 3rd party provided sources like gmail or MSN). The list of bad addresses should be 1) published and 2) provided by a 3rd party (so the ISP can't block sites they "feel" are bad). This should help limit identity theft and bot net activity.
Further, in their defense, if the ISP is CERTAIN that a machine at your address is infected (because say it's repeatedly trying to connect to a known IRC channel operated by virus writers, or that it keeps sending phishing spam through your personal account, etc), they should notify you, and if possible, block that SPECIFIC activity or SPECIFC system deemed infected, with as little impact to other systems as is possible. If they can't stop the particular infection activity (or don;t care to try) without impacting other activity, they should simply notify you. I do not approve of the ISP disconnecting you simply because you have an infection, though I do approve of them having a contract requirement for you to maintain "reasonable" security measures, including the use of a simple hardware firewall and any of the top 10 commonly accepted security software packages on your PC (at least one of which they should provide for free under your contract). If you're still infected after 30 days, have no security software installed and up to date, and can't provide a receipt from an engineer showing your PC was inspected and free of infection, then they should be permitted to quarantine your connection (though not completely disconnect it). On the other hand, false positives should be quickly discovered and compensated (check in hand within 5 business days, NOT a service discount), including the full cost of diagnostic charges, rental fees of temporary equipment if the diagnostics take longer than 24 hours, and compensation for any time needing to be taken off work, at your full hourly rate, plus any additional charges that might reasonably apply.