Slashdot Mirror
Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
That's a little different. Software bugs cost money to fix. Car bugs kill people. The tobacco industry gets sued because they kill their own customers, but I don't think software companies do the same. Plus, if the software manufacturer is liable, and writes nearly perfect code, and then five years later somebody discovers a single bug and writes an exploit, who is liable? I say nobody is, the licenses always say that the software provider is not responsible.
Liability is an individual thing. Liability is based on making statements that are not true, or the deliberate cause of harm.
The supposed $2B in "damages" are a liability on those who wrote and launched the worms, directly.
By connecting to the net, just like stepping outside your door, you are assuming risk.
That said, Microsoft should be liable if they represent their product as "safe" and it isn't. I believe their representation of XP as the "Most Secure Windows Ever" does open the company to prosecution for misleading advertizing, but who has the resources to prosecute it?
There is a great deal of difficulty with trying to assign liability to those who are in the wrong place at the wrong time. Someone who gets wet because they weren't wearing a long coat when a truck splashed them doesn't expect to sue the truck driver, do they?
The systems owners who were "damaged" by the worms are indeed guilty of not securing their systems. Who will prosecute them? And for what?
Liability is based on two things: Intent and negligence. False advertizing and misrepresentation are the former, the success of virii is the latter.
Personally, I think a few false-advertizing claims against Microsoft would be great, and from a theoretical standpoint they certainly are misrepresenting their products when they call them "secure" or "safe". Who's got a million or two for the legal fees when we lose?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
As a matter of law,in Australia, goods including software have to be "reasonably fit for the purpose" they have been purchased for, of "merchantable quality", and must fit the "description" they are sold under. If a good fails to comply with any or all of the above conditions, the disgruntled purchaser can sue for damages or a suitable replacement.In Queensland the relevant legislation is the 1896 Sales of Goods Act, which all Australian and New Zealand jurisdictions, has analogues of.
Many Commonwealth jurisdictions have similar regulatory regimes.
It is arguable that software which doesn't work very well fails all of the above requirements. A former law school acquaintenance of mine has even sued a car distributor, for a fleet of Lada Samaras, claiming that they didn't fit the description of a "motor vehicle" (ie a moving machine !) because they spent all their time in the shop !
What needs to be remembered is that all software producers can be liable under such a regime, Linux or Winduhs.
who is and should be legally responsible for insecure software?
A. The Author/Publisher
B. The User
C. CowboyNeil
'Same speed C but faster'
If party A licenses software from Microsoft, and agrees not to hold Microsoft liable for any bugs in their code, than MS may be safe from suit from party A. However, if party A's sevevers start attacking party B's servers, and party B never had a contract with Microsoft, there's nothing legally stopping them from trying to sue Microsoft. In that, I think, is why issues like this are important.
Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
Most people seem to be missing two important distinctions here. You pay for commercial software, but not for free software.
:-), the latter is practicing medicine without a license.
This totally changes the nature of the beast. As a specific, non-tech example, I can give a friend a ride. I can even graciously accept gas money, or a free lunch for my troubles. I could even be a good Samaritan and offer a lift to total strangers.
But the instant I actively charge people for this, even if it's a token amount, I become a "for hire" limosine service and am required to obey a large number of laws. Some are "on point," others seem to exist solely to eliminate competition.
There are other, more subtle differences. I can refuse to give a friend a lift without explanation. Once I become "for hire" I can't (legally) refuse to accept a passenger without a good reason. E.g., someone showing a weapon can be refused, but someone who stinks because they haven't bathed in weeks can't be refused.
An even more extreme example is the difference between my friend asking me if I've ever experienced certain medical symptoms and a stranger paying me for advice. The former is a casual conversation between friends (or not so casual, if it involves a possible STD
In the software realm, I would expect to see a similiar difference in the treatment of amateur efforts (where people develop software for the love of the craft) and commercial efforts. If someone is grossly negligent, it won't matter whether they're compensated or not. But for routine oversights, I would expect to see far more severe penalties for commercial vendors than OSS providers.
The second difference is that when you get software from Microsoft, you can't change it. Any errors *have* to be due to Microsoft's (in)action. In contrast, free software is released in source form and patches are routinely assigned. It's not morally acceptable to hold people accountable for the (mis)actions of others, so it's much harder to justify penalties against parties that provide source code.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Its shameful, the way we try to pin the crimes of computers on people. A man buys a computer, the computer hacks into the Federal Reserve and and he goes to jail. Another man writes an operating system, a computer using that operating system smurfs AT&T but he goes to jail. The computers remain free to strike again... when will society hold computers accountable for their actions? When will we stop persecuting man for the crimes of his possessions? Perhaps some day... in the Twilight Zone. (insert cheesy dramatic music followed by annoying roll-credits music)
Does it seem to anyone else that the whole software industry is starting to look like a house of cards?
All these products are being marketed as easy to use, easy to take care of, easy to everything. It's not. It's hard, very hard sometimes. I run into the strangest interdependencies, completely unexpected behavior, just plain wierd shit all the time.
It's dumb stuff mostly. How many of you knew that Photoshop 6.0 will randomly cut off network access on a Windows box? (6.0.1 fixes it) When presented with this problem, Photoshop was not my first thought, I'm looking at the swich, changing cables etc. Took me an hour to realize that this only happened when Photoshop was running. Would the user have been able to figure this out herself? Not very quickly.
People are starting to clue into this, I've had two people ask me if they should buy Windows XP. Both of them asked if it would mess up any of their programs first, before the asked if XP had any new features they would find useful. It seems to me that the marketing messages are failing, the upgrade treadmill is starting to look more and more like a sham. Seriously, what is the compelling value that will make me upgrade my company from Office 2k to XP? Somebody tell me cause I have no idea at all. I don't want to woosh around the desert on my desk, I want to not restore Outlook .pst files 3 times a week.
I think soon the software industry is going to have to really consider making a more stable product, the flashy wizz bang product doesn't have the draw it used to. Security is really only a part of this but given the Summer of the Worms (tm) we just went through it is the most visible part right now. People are terrified of thier email, those little home firewalls are flying off the shelves, we're almost to the point of widespread clue. I just hope we make it.
I mean, if you buy bulletproof glass for your car, and somebody shoots you through it, you might have a case: one of its purposes is to stop bullets. But if you buy an ordinary car, and somebody shoots you through the window, you hardly have grounds to sue them for poor product quality.
Being able to stand up against novel forms of human attack is not basic product quality. Worms, trojans, and viruses are not mere environmental hazards, they are the results of intensive effort to find and exploit any system weaknesses.
Disappointed customers and annoyed partners are punishment enough. Market forces will correct the problem; people will eventually learn not to buy stuff that doesn't work. They will also learn to do their part, since security doesn't come in a shrink-wrapped box.
In a way, these petty vandals are doing us all a favor by forcing us to harden our systems. If nobody exploited the security holes, you couldn't convince people to spend extra money or effort on security. Then, when somebody made a truly serious attack, as an act of war, we would be utterly defenseless. I believe humans evolved an instinct for mischief for just this reason, and so we shouldn't be too hard on the script kiddies.