Slashdot Mirror
Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
Yes, it is the software manufacturer's fault if they make buggy software and don't ever put a hold on new features to fix bugs. The customer is responsible for installing bugfixes, when released.
Still, they aren't legally responsible for the bugs. If you read most licenses, they say "this software is provided as is." Everybody makes mistakes and even though software creators should make more effort to stamp out bugs, no code of a certain level's complexity is perfect.
The important thing here that needs to happen is that businesses and consumers say "features are nice, but fix the bugs first." At the moment though, they say "features first! bugs aren't displayed on the box." They speak with their wallets by buying buggy software. I don't mean to be one of those typical anti-MS people (even though I dislike their software), but the fact is, they produced extremely buggy software and most people still bought it. That says something.
Funny that Nimda was mentioned; I seem to remember that @Home.net and AT&T were pulling the plugs on their customers because they were saturating the bandwidth due to Nimda. This seems to be directed towards the users' negligence/lack of knowledge about what they're doing, and so one can argue "why blame them? They did exactly what MS said they could do: plug and play."
Now I also remember when the commercial version of SSH released v3.0, there was a HUGE security hole (passwords of length 2 or less would always work...), and SSH developers took the heat; rightfully so. They 'fessed up, and they fixed it. As far as I know, there were no incidents because of it, because the problem was fixed before it was used widespread. But if it did create an issue (like Nimda, Code Red 1/2, etc.) before a fix was made (proactive vs. reactive), they should be held liable, not the users. If a fix exists, and a user says "oh, I don't have *that* problem," well, I think we all know who should get the blame. Just my $0.02 worth though...
That's a little different. Software bugs cost money to fix. Car bugs kill people. The tobacco industry gets sued because they kill their own customers, but I don't think software companies do the same. Plus, if the software manufacturer is liable, and writes nearly perfect code, and then five years later somebody discovers a single bug and writes an exploit, who is liable? I say nobody is, the licenses always say that the software provider is not responsible.
Liability is an individual thing. Liability is based on making statements that are not true, or the deliberate cause of harm.
The supposed $2B in "damages" are a liability on those who wrote and launched the worms, directly.
By connecting to the net, just like stepping outside your door, you are assuming risk.
That said, Microsoft should be liable if they represent their product as "safe" and it isn't. I believe their representation of XP as the "Most Secure Windows Ever" does open the company to prosecution for misleading advertizing, but who has the resources to prosecute it?
There is a great deal of difficulty with trying to assign liability to those who are in the wrong place at the wrong time. Someone who gets wet because they weren't wearing a long coat when a truck splashed them doesn't expect to sue the truck driver, do they?
The systems owners who were "damaged" by the worms are indeed guilty of not securing their systems. Who will prosecute them? And for what?
Liability is based on two things: Intent and negligence. False advertizing and misrepresentation are the former, the success of virii is the latter.
Personally, I think a few false-advertizing claims against Microsoft would be great, and from a theoretical standpoint they certainly are misrepresenting their products when they call them "secure" or "safe". Who's got a million or two for the legal fees when we lose?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
I'm a professional software developer. I work for a very large computer company (not ms). We all try pretty hard to get rid of bugs in programs, hell as programmers we do care that our code is as bug free as possible, it's a pride thing - as well as being good for business. :) However it is possible to lower the amount of problems you are willing to invest a lot more money into testing which in turn ends up costing the users a lot more money (yes I'm sure there will be replies saying open source can solve this problem; more eyes find bugs quicker etc etc etc but a lot of people are still not going to consider open source solutions).
Unfortunately there's no way to produce software which is bug free, just not possible today. Well perhaps with the exception of hello world
I don't think software producers should be responsible unless it's shown they are grossly neglegent and even then they are not neccessarily responsible. Otherwise amer^H^H^H^H people are probably just going to start suing people stupid leading to massive rises in software prices. OTOH when I use windows it pisses me off when it crashes, it I upgraded from 95 to Xp a few months ago. MS says XP is rock stable, hardly ever crashes, bullshit. The lies in advertising piss me off more than the crashes themselves - false advertising that is something I'd like to see them punished for.
He who defends everything, defends nothing. -- Fredrick The Great
Most people seem to be missing two important distinctions here. You pay for commercial software, but not for free software.
:-), the latter is practicing medicine without a license.
This totally changes the nature of the beast. As a specific, non-tech example, I can give a friend a ride. I can even graciously accept gas money, or a free lunch for my troubles. I could even be a good Samaritan and offer a lift to total strangers.
But the instant I actively charge people for this, even if it's a token amount, I become a "for hire" limosine service and am required to obey a large number of laws. Some are "on point," others seem to exist solely to eliminate competition.
There are other, more subtle differences. I can refuse to give a friend a lift without explanation. Once I become "for hire" I can't (legally) refuse to accept a passenger without a good reason. E.g., someone showing a weapon can be refused, but someone who stinks because they haven't bathed in weeks can't be refused.
An even more extreme example is the difference between my friend asking me if I've ever experienced certain medical symptoms and a stranger paying me for advice. The former is a casual conversation between friends (or not so casual, if it involves a possible STD
In the software realm, I would expect to see a similiar difference in the treatment of amateur efforts (where people develop software for the love of the craft) and commercial efforts. If someone is grossly negligent, it won't matter whether they're compensated or not. But for routine oversights, I would expect to see far more severe penalties for commercial vendors than OSS providers.
The second difference is that when you get software from Microsoft, you can't change it. Any errors *have* to be due to Microsoft's (in)action. In contrast, free software is released in source form and patches are routinely assigned. It's not morally acceptable to hold people accountable for the (mis)actions of others, so it's much harder to justify penalties against parties that provide source code.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
If I build a tree house on my property that is unsafe and someone tresspasses and uses this tree house (which I haven't even said he could use) and gets hurt then I am potentially liable both crimally and civilly. It's called an attractive nuiscence.
I didn't charge anybody anything... I didn't even give permission for it to happen. So if this is a crime surely if I knowingly give somebody a car that is faulty (even if I don't charge him) shouldn't I also be guilty.
Just because I don't profit off of a transaction doesn't give me a right to put somebody at risk, financially or physically, unless perhaps I am completely forth right and even then often not; and simply saying "Well, at your own risk," is not completely forth right, not even close.
The problem with your argument is you offer two different arguments and claim that one applies to paid software and the other to free. Yet your arguments have no dependency on this variable so it is unclear why the arguments vary so. What it appears you are saying is if you are giving away software then you are a nice person. And nice people shouldn't be held to the same laws as mean people. Well a system bases on niceness is in a different ball park than a justice system.
The other way your argument makes sense is if the seller is only liable up to the price he charged and is not liable for damages. Otherwise you're buying the right not to be put in a dangerous situation with out your knowledge... which u can't buy.
Selling software is great. Compared to someone selling a real physical product like spark plugs, you legally retain much more extensive control over how your product can be used even after you've sold it. This is because of the enhanced rights you get as a holder of intellectual property as opposed to real property. But even though you can dictate to people the conditions under which they can use your software, if anything goes wrong, the product liability risk you expose yourself to as a seller of software is zero!
Why does anyone even try to sell anything else?
In addition, there should perhaps be restrictions on what can be sold: for the sale to be legal, consumer software should perhaps have to conform to some basic safety standards, analogous to UL standards for electrical devices. (Since this is a restriction on sales, it would obviously not apply to free software.)
Large commercial customers are presumed to be competent, and they should be responsible for this themselves; they don't need regulations or legislation to protect them. For example, if a company exposes 10000 people to identity theft through an unsecure computer system, the company should be legally liable for that. The company will then insure against that risk (possible directly through the software vendor). The insurer will assess the risk and compute the cost of the insurance. The company then can take the cost of the insurance into account when selecting software. I.e., it comes down to the question of: is Apache plus insurance more or less expensive than IIS plus insurance?
My car's design has a flaw and the manufacturer issues a public recall for a free repair, I have this mentioned when I next go for a service, but choose not to have the work done because it's too inconvenient. The part fails and I am involved in an incident that causes harm to a third party - I think I should have my ass sued clean off, don't you?
My software has a bug, the vendor issues a freely downloadable patch, and even emails me about it, which I choose to ignore and don't install it. My server is compromised and used to DoS a third party - I think I should have my ass sued clean off, don't you?
In the incidence of software this is clearly related to the debate about disclosure of vulnerabilities. You have to acknowledge that software is going to have flaws, that it takes a period of time from discovery of a flaw to produce, test and release the fix, and that during this time liability is the grey area this topic is discussing, but once the fix is out and announced, responsibilty *has* to be transferred onto the people using the software rather than those that produced it.
I don't think you can blame a vendor for having a bug in their code, because it's not a perfect world and it happens (albeit more with some vendors than with others) and doing so sets a precedent that would effect other industries as well. You can however apportion a great deal of blame after the flaw becomes public knowledge, and reapportion that blame once the fix is available or if the fix is sufficiently tardy in arrival to cause problems. Which explains a great deal about some people's attitudes towards the issue of full disclosure, doesn't it?
UNIX? They're not even circumcised! Savages!
I mean, if you buy bulletproof glass for your car, and somebody shoots you through it, you might have a case: one of its purposes is to stop bullets. But if you buy an ordinary car, and somebody shoots you through the window, you hardly have grounds to sue them for poor product quality.
Being able to stand up against novel forms of human attack is not basic product quality. Worms, trojans, and viruses are not mere environmental hazards, they are the results of intensive effort to find and exploit any system weaknesses.
Disappointed customers and annoyed partners are punishment enough. Market forces will correct the problem; people will eventually learn not to buy stuff that doesn't work. They will also learn to do their part, since security doesn't come in a shrink-wrapped box.
In a way, these petty vandals are doing us all a favor by forcing us to harden our systems. If nobody exploited the security holes, you couldn't convince people to spend extra money or effort on security. Then, when somebody made a truly serious attack, as an act of war, we would be utterly defenseless. I believe humans evolved an instinct for mischief for just this reason, and so we shouldn't be too hard on the script kiddies.
Considering the nature of software, bugs are a fact of life. No code is going to be 100% bug free unless it's a simple "Hello World" program. It's how the vendor treats the bugs that counts.
If the vendor is informed and fixes the bug in a reasonable amount of time then they shouldn't be liable. (Reasonable being a flexible span of time. If a bug is particularly vexing but they keep their users informed of the progress, then they should get extra time. But if they just say "yeah, yeah, we'll work on it" and then nothing happens for a month, they don't get extra time.) Of course, if the vendor is informed about the bug and does nothing about it, they should be made liable.
Finally, if they release a patch but the user doesn't install it and has their security compromised (e.g. what happened with CodeRed), the user is the one at fault. In this case, it would be like an automobile manufacturer issuing a recall, a consumer ignoring the recall, and then getting into an accident because of the very defect that prompted the recall. Software companies shouldn't be liable for the stupidity/ignorance of their users.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Comment removed based on user account deletion
It should not be possible for Microsoft (or any company, but Microsoft is the best example) to boast about how robust and secure their products are in their marketing, and then make the purchaser agree to a EULA that removes their liability, if their claims turn out to be untrue.
This is especially true of their enterprise products, like, say, Outlook/Exchange. It should not be a full-time job patching and reconfiguring the damn stuff to keep the misfit script kiddies with Outlook Worm Kits from bringing down an entire organization's e-mail system. Microsoft should damn well have been able to be held liable for something like ILOVEYOU, that knocked some very large companies' mailservers off the Net for days.
Imagine if, after all the car commercials boasting airbags, crumple zones, etc, those safety features turned out not work-- and then, while paging through it from your hospital bed, you found a EULA in the back of the Owner's Manual disclaiming Ford/GM/whoever from liability, if they didn't?
The biggest bullshit, though, is the notion that people will eventually get pissed off about software not living up to the hype and take their business elsewhere. If that theory held water, Microsoft would already be a memory amongst sysadmins these days. Companies are practically locked into using Microsoft products. And what people use at work, they will buy and use at home because by and large, they are sheep who fear change. Which is exactly the kind of environment in which companies like Microsoft can shovel sub-par shit out the door, not be liable for its flaws, and still thrive.
~Philly
You know, I have zero problem with saying people should be responsible for software they write, at least in the abstract. The idea that they should not is kind of silly, if you think about it honestly.
But at this point in time, it would be disasterous to start allowing liability. Why? Because liability is determined by the court system, and with no offense intended, the court system is incompetent at this time to make those sort of decisions.
I have no faith in the ability of the court system to distinguish between an obscure flaw that allows a man-in-the-middle attack on a so-called "secure" connection, and a glaringly obvious security problem like "By default, everyone in the world has full access to your desktop." (reference: Symantec's PCAnywhere for a *very* long time.) In fact, I don't trust me to make those decisions.
At this point in time, and at our current technology level, as we've all heard and said many times, one wrong character in the wrong location, out of billions, can cause a difficult-to-detect error that, when exploited, can give an attacker root access. It's difficult to come up with any sort of definition of proportional responsibility.
If a bridge collapses because all of the tons upon tons of concrete used was an inferior grade, that's one thing. But if the bridge collapses because one screw was made of aluminum instead of steel, is that worth suing over? My real point can be seen in how this metaphor is not applicable; A bridge would never collapse over something so trivial unless it had other fundamental problems! Software is fundamentally more fragile. (So far, all attempts to negate this have essentially failed, and I'm not willing to count on some miraculuous development in the future. Though I suppose if such a thing occurred, and it was legally mandated to use formal methods, that would make people like me who could understand them suddenly no longer competing with hacks who think they're leet 'cause they can sorta use Perl... >:-) )
Even a professional like me might be hard pressed, after the fact, to determine which sort of problem is before the court, to determine liability. Do you want to leave it in the hands of lawyers?