Slashdot Mirror


Who is Responsible? The Developer? The User?

Anonymous Coward II asks: "I am working on a paper for a computer ethics course, and need to answer the following question: Who must be held responsible: The person that develops software that will (or can) be used to illegal ends (like to break into a computer system, to illegally monitor other users, a virus, etc), or the person that uses it afterward? I'd like to know what Slashdot users think, and what is the answer according to the law." Software is a tool, just like any other, so when things go wrong I think this then boils down to a question of personal responsibility or negligence. What are your opinions?

10 of 376 comments

  1. Definitely the user... by JatTDB · · Score: 3

    I don't blame gun manufacturers or knife manufacturers for murders. I don't blame car manufacturers for drunk drivers. And I don't blame developers for writing software that could be used in an illegal way.

    --
    "That's Tron. He fights for the Users."
  2. HNN's take by Ratface · · Score: 3

    The Hacker News Network has been asking much the same question. Anti Virus companies have been labelling some programs that allow remote undetected monitoring of a computer as viruses (e.g. BO2K) while other products released by "mainstream" software companies (such as Softeyes) are not scanned for at all.

    What makes an anti virus company label one program as a virus, while another program with similar uses is unlabelled?

    HNN ask the question at http://www.hackernews.com/orig/avindustry.html

    --

    A little planning goes a long way...
  3. Re:Yes! (was: No !) by Bruenor · · Score: 3

    Okay, I hate to reply to myself, but I just found another reason:

    I'm on BUGTRAQ. I have been for quite a few years. Often a security problem is found and a commercial vendor remains unresponsive until someone produces a working exploit. Then, once the world has access to the exploit, the vendor usually begins work on a patch. Sometimes it's the only way to get their attention.

    Now, the exploit itself has no legal purpose when you use it. It could be an educational tool to explain about buffer overruns/race conditions/whatever, perhaps. But often someone needs to write it and publish it or the vendor will never do anything about it.

    Having virii and exploits should make us all more conscious of security and more prone to check your provider of software, check digital signatures, and more apt to want to see the source code.

    The world is not a nice place and people would attempt to break into machines anyway. If having virii and exploits out there increases the level of security in software and systems then I am all for it.

  4. Crowbars and JackHammers by Father · · Score: 3

    I worked for a contract shop in Florida, and more than once used "hack" tools to get a job done. Occasionally the rules of engagement get you in a bind and you have to work outside those rules to get your job done. We had a source control machine that crashed, dead, inoperable with quite a bit of source code that we needed to retrieve. Without hack tools, etc, we wouldn't have been able to get the data back out by playing the role of script kiddies and using hack s/w to make the drive accessible. A tool is a tool. Without those tools in particular, my company would have had to face a serious financial setback. mike

  5. Question of ethics or law? by evilpenguin · · Score: 4

    I think the law has to treat the person who uses a product for illegal means as the "guilty" party. The person who makes it bears no automatic culpability.

    This is my general take. Gun manufacturers are not responsible for murders committed with guns. Now, I'm not a gun nut, but I think this is legally right.

    The same should hold true for the authors of nmap and queso (to name a couple tools that system crackers might use) and the authors of pgp and gpg (to name a couple tools that criminals or terrorists might use).

    Now, if it is a question of ethics, you've opened an entirely different can of worms. Ethically, I think several guns need a closer look. I think teflon tips are something that raise ethical questions. I think nmap has a few grey areas (what legitimate use requires the micro-fragmentation feature? That's there just to avoid string scanning intrusion detection.), but in each of these cases (except maybe those teflon tips) I think the law has to protect the author/maker and hold the user accountable.

    If we hold that the maker/author is responsible for all of the ways in which their product/idea is used, then we should have locked up Darwin because his ideas contributed to the Holocaust. We should lock up the inventor of the circular saw because it has maimed and killed. And so on...

    Ethics lies behind law, but the cliched figure of justice that adorns so many government buildings (at least so many American ones) wields a scale, a sword, and she is blindfolded. The sword is two edged as well. It may be a cliche, but it is an apt one. The law is not ethics. The law is the minimum interference to maintain the social order. While many conservatives in this country will argue with me about the law being minimal, it is certainly not the opposite. You can write and buy a book about how to crack safes. That's legal. Crack somebody else's safe, and you've broken the law. It seems absurd, but it isn't. To write a book on how to crack safes (so long as you believe in the idea of private property) is unethical, but I for one would not want to see it made illegal.

    1. Re:Question of ethics or law? by evilpenguin · · Score: 3
      Actually, you are wrong (up to a point). Here is the relevant section of Chapter 12, Title 17 (which was added to Title 17 by the Digital Millennium Copyright Act of 1998):

      (Warning: The following was cut-and-pasted from a PDF file and is correspondingly unreadable). The two relevant facts are that DeCSS comes in under the grandfathering 2-year period documented below, and that anyone seeking to do what DeCSS does should apply to the librarian of Congress and the Register of Copyrights that lack of client software for Linux constitutes an adverse effect on their ability to make non-infringing use. Seems like perfectly good law to me.

      The section below is quoted from the text of the relevant law, and IA (still) NAL.


      § 1201. Circumvention of copyright protection systems

      (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES.--(1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

      (B) The prohibition contained in subparagraph (A) shall not apply to persons who are users of a copyrighted work which is in a particular class of works, if such persons are, or are likely to be in the succeeding 3-year period, adversely affected by virtue of such prohibition in their ability to make noninfringing uses of that particular class of works under this title, as determined under subparagraph (C).

      (C) During the 2-year period described in subparagraph (A), and during each succeeding 3-year period, the Librarian of Congress, upon the recommendation of the Register of Copyrights, who shall consult with the Assistant Secretary for Communications and Information of the Department of Commerce and report and comment on his or her views in making such recommendation, shall make the determination in a rulemaking proceeding on the record for purposes of subparagraph (B) of whether persons who are users of a copyrighted work are, or are likely to be in the succeeding 3-year period, adversely affected by the prohibition under subparagraph (A) in their ability to make noninfringing uses under this title of a particular class of copyrighted works. In conducting such rulemaking, the Librarian shall examine--

      (i) the availability for use of copyrighted works;

      (ii) the availability for use of works for nonprofit archival, preservation, and educational purposes;

      (iii) the impact that the prohibition on the circumvention of technological measures applied to copyrighted works has on criticism, comment, news reporting, teaching, scholarship, or research;

      (iv) the effect of circumvention of technological measures on the market for or value of copyrighted works; and

      (v) such other factors as the Librarian considers appropriate.
  6. Re:Depends by h2so4 · · Score: 3

    As source code, I wouldn't say that the authors of these programs are necessarily the "bad guy"; the code can provide interesting insights into security flaws.

    In the case of a virus, if the developer keeps the code within a quarantined environment, which he has authorisation to be using, it seems legitimate. As long as he does not distribute the code to untrusted parties, or release a binary into the wild, then he has not really done any damage; it is when this boundary is crossed that he could be held responsible (to some extent) for damage.

  7. Software or guns, it's the same debate by Basje · · Score: 3

    In the US, a similar debate is over guns. Possession of certain weapons is illegal. For other guns, possession is legal, while damaging other people with them isn't (obviously).

    The same can be applied (in general terms) to software. Harmful viruses and the like have only limited use: causing damage, for whatever reason. Possession of these could be considered criminal.

    OTH, a lot of programs (eg. portscanners) can be used for good or for bad, directly or indirectly. In case of those, it's up to the user to use them ethically.

    The problems with legislation are rather similar to the guns debate too. Illegal possession will occur. How to handle that is off topic here.

    ----------------------------------------------

    --
    the pun is mightier than the sword
  8. Some further questions by hobbit · · Score: 3

    Off the top of my head, I'd say this is rather like the question of firearms, and I'd say that "guns don't kill people, people kill people" is even more applicable for software than for guns.

    Why? When was the last time you saw a gun with virus-like properties?

    As far as I can see liability for breaking the law lies with the person whose intent it was to break it. If that is the author of some software (eg, a program deliberately designed to spread a virus) then so be it, but if the author produces a tool with multiple functions (eg. BO2K) then he's no more guilty than a man who makes a knife.

    "a program deliberately designed to spread a virus" - AKA a virus.

    There are of course some tricky cases. For instance a friend of mine once wrote a virus as an exercise and gave it a slightly nasty payload. He never intended to release it, but unfortunately a copy got loose on his hard drive and infected several other machines before it was wiped out. If that had well and truly escaped, and done serious damage, where would the liability lie for that? Or is it a natural hazard? Possibly there is no criminal liability in that case, but merely civil negligence by failing to contain the virus?

    Why anyone would give a virus a 'slightly nasty payload' without malicious intent I have no idea. It isn't much more a 'natural hazard' than a bullet flying toward a crowd is a 'natural hazard'.

    Just my tuppence worth (IEIANAL).

    --
    "Wise men talk because they have something to say; fools, because they have to say something" - Plato
  9. Intent and diligence by Salamander · · Score: 3

    IANAL, but I've been involved in legal matters and talked to lawyers a bit. There's a very difficult distinction involved here that I'll try to clarify a little. The law doesn't recognize actual intent or state of mind, rightly holding these things to be unknowable in any specific instance. However, the law does recognize that the maker of a tool or provider of a service "should have known" how that tool/service might be used. It's very similar to the standard of diligence applied in many other areas. For example, libel/slander cases often hinge not on whether the accused did know that a statement was false, but on whether they should have known and failed to exercise due diligence in checking their facts. Ignorance is not necessarily a permissible excuse under the law, especially when the claim of ignorance is either facile or tantamount to professional malpractice.

    With respect to software, I think the application of this principle is pretty obvious. The person who uses a software tool illegally always bears some responsibility; the question is whether the software author is responsible as well as - not instead of - the user. This can pretty much only be true when the maker of software "should have known" that their software would be used in such a manner, that such use could have been prevented without undue burden or compromise of other functionality, and that the author nonetheless did nothing to prevent it. The phrase "should have known" is of course vague, but I think people who work in a field generally have a pretty strong consensus on what's common knowledge and what's not. What one person in the field should have known, is what the majority of practitioners do know or could figure out in a jiffy.

    This definition obviously does not indict word processors or other common types of software. It's not even clear that it indicts something like SATAN, which the author deliberately tried to present to system administrators and such as a way to improve security. I think the line gets crossed with something like Back Orifice, which was very obviously pushed primarily as a way to hack systems; any claims about it being a remote administration tool are obviously accompanied by a smirk and a wink, which would only piss off judges and juries. Even if the tool's primary purpose was legal and positive, it's pretty bleeding obvious that it can also be used illegally and negatively. Some announcement of its presence on a system would discourage the latter use while in no way interfering with the first, and the absence of such announcement could readily be construed as an indication of the author's lack of professional diligence (remember, we can't impute malice because that comes down to a matter of concrete intent).

    --
    Slashdot - News for Herds. Stuff that Splatters.