RE: Compromised machines liable for damage?

In the general sense, possibly, but where there are lawyers there is always discouragement.

Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will sue on a wide scale, so your argument is suspect, IMO…

RIAA is a very different context from what we are talking about here.

First, the number of people getting attacked from Open Source systems
is very small, so, you have a very small class of plaintiffs. Second,
said class of plaintiffs is probably not as well funded as RIAA.

OTOH, the number of people/organizations being attacked from Micr0$0ft
based systems is relatively high, so, a large class of plaintiffs,
and, some of them being enterprises are relatively well funded.

Second, in the case of RIAA, it is businesses suing to do what they
perceive as protecting their profit stream, and, they know they
are suing a collection of defendants that are relatively poorly
funded and have no organization. In the case of Open Source, I
think there is a pretty good track record of the community coming
to the aid of those that get sued for various reasons (DeCSS comes
to mind).

Sure, it's easy to sue someone who doesn't have any money, but,
there's no point in doing so. Frankly, it's not the people with
no money that are at risk here. It's the people with some money
and some assets. If you have nothing, you're pretty safe ignoring
a civil suit because you have nothing to lose. Frankly, if RIAA
were to sue me, it wouldn't cost me $250,000 to fight it. It
might cost me a few thousand if I chose to involve a lawyer in
some portion of the process, but, initially, I think I could
make their life difficult enough to get them to go away without
involving a lawyer.

I've already made MPAA/Disney go away twice without a lawyer. Admittedly,
they went away before even filing a suit, so, technically, I haven't been
sued, but, I've been threatened by them, and, I'm sure if I'd
buckled under or failed to confront them appropriately, I would
have either gotten sued or ended up handing over money.

The costs of defending a suit are $0 until you hire a lawyer.

Owen

I've spent a *lot* of time talking to lawyers about this. In fact, a few
years ago I (together with an attorney I know) tried to organize a "moot
court" liability trial of a major vendor for a security flaw. (It
ended up being a conference on the issue.)

The reason there have not been any lawsuits against vendors is because
of license agreements -- every software license I've ever read,
including the GPL, disclaims all warranties, liability, etc. It's not
clear to me that that would stand up with a consumer plaintiff, as opposed
to a business; that hasn't been litigated. I tried to get around that
problem for the moot court by looking at third parties who were injured
by a problem in a software package they hadn't licensed -- think
Slammer, for example, which took out the Internet for everyone.

The issue of liability based on operational practices is untested. As
I concluded in that book chapter from 1994, I (and the attorneys who
helped me (a lot) with it) felt that there may very well be cause for a
lawsuit. However, to the best of my knowledge there have been no court
rulings on this issue. Unless and until that happens, we're just
guessing. I'll give two short quotes that illustrate why I'm concerned.
This one is from a standard textbook on tort law:

        The standard of conduct imposed by the law is an external one,
        based upon what society demands generally of its members,
        rather than upon the actor's personal morality or individual
        sense of right and wrong. A failure to conform to the standard
        is negligence, therefore, even if it is due to clumsiness,
        stupidity, forgetfulness, an excitable temperament, or even
        sheer ignorance. An honest blunder, or a mistaken belief that
        no damage will result, may absolve the actor from moral blame,
        but the harm to others is still as great, and the actor's
        individual standards must give way in this area of the law to
        those of the public. In other words, society may require of a
        person not to be awkward or a fool.

The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was
for a case where some barges sank because the tugboat pulling them had
no radio receivers, and hence didn't know the weather forecast:

  Indeed in most cases reasonable prudence is in fact common
  prudence; but strictly it is never its measure; a whole
  calling may have unduly lagged in the adoption of new and available
  devices. It may never set its own tests, however persuasive be its
  usages. Courts must in the end say what is required; there are
  precautions so imperative that even their universal disregard will
  not excuse their omission. ... But here there was no custom at all
  as to receiving sets; some had them, some did not; the most that
  can be urged is that they had not yet become general.
  Certainly in such a case we need not pause; when some have thought
  a device necessary, at least we may say that they were
  right, and the others too slack.
  ...
  We hold [against] the tugs therefore because [if] they had been
  properly equipped, they would have got the Arlington [weather]
  reports. The injury was a direct consequence of this
  unseaworthiness.

Again, though, this has never been litigated for ISP-type issues.

The reason there have not been any lawsuits against vendors is because
of license agreements -- every software license I've ever read,
including the GPL, disclaims all warranties, liability, etc. It's not
clear to me that that would stand up with a consumer plaintiff, as opposed
to a business; that hasn't been litigated. I tried to get around that
problem for the moot court by looking at third parties who were injured
by a problem in a software package they hadn't licensed -- think
Slammer, for example, which took out the Internet for everyone.

Yes, I think this is the only way it will work. Plaintiffs that are not
subject to the EULA will have to sue the manufacturer of vulnerable
software installed on remote systems that attack their site. Otherwise,
the liability waivers they signed make it much harder. Of course, interestingly,
automobile manufacturers cannot get around having to build cars that
meet safety standards regardless of waivers customers may sign. Perhaps
what we need first is a consortium to agree on a set of standards for
software security followed by someone like Ralph Nader doing the
"Unsafe at any clockspeed" campaign.

The issue of liability based on operational practices is untested. As
I concluded in that book chapter from 1994, I (and the attorneys who
helped me (a lot) with it) felt that there may very well be cause for a
lawsuit. However, to the best of my knowledge there have been no court
rulings on this issue. Unless and until that happens, we're just
guessing. I'll give two short quotes that illustrate why I'm concerned.
This one is from a standard textbook on tort law:

Yep... I think that is true. However, unless and until someone steps up
and actually does it (and frankly, I think the effective strategy here
would be coordinating a large number of injured parties in small offices
and residences to sue in small claims court at roughly the same time),
all we'll be able to do is guess.

        The standard of conduct imposed by the law is an external one,
        based upon what society demands generally of its members,
        rather than upon the actor's personal morality or individual
        sense of right and wrong. A failure to conform to the standard
        is negligence, therefore, even if it is due to clumsiness,
        stupidity, forgetfulness, an excitable temperament, or even
        sheer ignorance. An honest blunder, or a mistaken belief that
        no damage will result, may absolve the actor from moral blame,
        but the harm to others is still as great, and the actor's
        individual standards must give way in this area of the law to
        those of the public. In other words, society may require of a
        person not to be awkward or a fool.

So, does that mean that if most of society is ignorant enough to tolerate
insecure buggy software, we must accept that as the standard for software
performance? That is an unfortunately low barrier indeed for a profession
like software development. In general, professional liability is different
from general civil liability. Once money changes hands, you have a much
greater "duty to care" about the potential harm caused by your "product"
than an individual citizen.

For example, a guy that pours gasoline into his gopher holes and lights
it is an idiot. However, as long as everything he blows up is his own
and he harms no one else, he's still just an idiot, but, not liable.

However, if he packages gas cans and matches together and sells them
with instructions as a "Gopher Eradication Kit", he gets to be liable
for the damage to all the houses of all the people dumb enough to
use his product, and, any neighbors unfortunate enough to live within
the blast radii.

Let's face it, some software vendors are selling the moral equivalent
of a minivan with no seatbelts and no airbags.

The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was
for a case where some barges sank because the tugboat pulling them had
no radio receivers, and hence didn't know the weather forecast:

  Indeed in most cases reasonable prudence is in fact common
  prudence; but strictly it is never its measure; a whole
  calling may have unduly lagged in the adoption of new and available
  devices. It may never set its own tests, however persuasive be its
  usages. Courts must in the end say what is required; there are
  precautions so imperative that even their universal disregard will
  not excuse their omission. ... But here there was no custom at all
  as to receiving sets; some had them, some did not; the most that
  can be urged is that they had not yet become general.
  Certainly in such a case we need not pause; when some have thought
  a device necessary, at least we may say that they were
  right, and the others too slack.
  ...
  We hold [against] the tugs therefore because [if] they had been
  properly equipped, they would have got the Arlington [weather]
  reports. The injury was a direct consequence of this
  unseaworthiness.

Again, though, this has never been litigated for ISP-type issues.

Those will be interesting cases as well if they are ever tested, but, I
think they will actually be more complex than injured third parties
suing software VENDORS over vulnerable software which later caused
harm. Again, I think that the David v. Goliath nature of the majority
of injured parties v. software vendors means that a large highly
visible class action or high-profile suit is unlikely to meet with
much success. However, given the relatively low risks associated
with filing in small claims court in most jurisdictions and
extremely low filing costs associated, I think it would be very
interesting to see a coordinated attack of this nature played out
in the small claims courts across the country. Even if the software
vendors were able to win each and every case, the costs of fighting
them would be impressive and would send a pretty clear message that
we, as a society, are fed up and won't take it any more.

Owen

There was a lot of discussion about this in the music / technology / legal community
at the time of the Sony root exploit CD's - which
I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony
root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put
it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a
partial liability, they can be liable for the whole.

I suspect that eventually EULA's will prove to be weak reeds, in much the same way that manufacturers may be
liable when bad things happen, even if the product is being grossly misused. My intuition says that
unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit.
With the explosion in VOIP use, this is probably only a matter of time.

Regards
Marshall Eubanks

There was a lot of discussion about this in the music / technology /
legal community
at the time of the Sony root exploit CD's - which
I and others thought fully opened Sony for liability for 2nd party
attacks. (I.e., if a hacker uses the Sony
root kit to exploit your machine, then Sony is probably liable,
regardless of the EULA. They put
it in there; they made the attack possible.) IANAL, but I believe
that if a vendor has even a
partial liability, they can be liable for the whole.

But, what constitutes an exploit severe enough to warrant liability of
this type? For instance, let's look at some scripts ... formmail is
a perfect example. First, there was no "real" EULA. I'm definitely
not a lawyer, but I would think that would open up the writer to all
sorts of liability... Anyways, the script was, obviously, flawed.
Spammers took notice and used that script to spam all over the place.
This hurt the hoster of the script, the people who were spammed, and
probably the ISPs that wasted the bandwidth carrying the spam.

So, should the writer of the script be sued for this? Is he liable
for damages? If that's the case, then I'm gonna hang up my
programming hat and go hide in a closet somewhere. I'm far from
perfect and, while I'm relatively sure there are none, exploitable
bugs *might* exist in my software. Or, perhaps, the exploit exists in
a library I used. I've written a lot of PHP code, perhaps PHP has the
flaw.. Am I still liable, or is PHP now liable?

This has scary consequences if it becomes a blanket argument.
Alternatively, if the programmer is made aware of the problem and does
nothing, then perhaps they should be held accountable. But, then,
what happens to "old" software that is no longer maintained?

I suspect that eventually EULA's will prove to be weak reeds, in much
the same way that manufacturers may be
liable when bad things happen, even if the product is being grossly
misused. My intuition says that
unfortunately somebody is going to have to die to establish this, as
part of a wrongful death suit.
With the explosion in VOIP use, this is probably only a matter of time.

Personally, I feel that if a person "grossly misuses" a product and is
hurt as a result, they deserve it. Within some acceptable reason, of
course. One expects that if you place a cup of coffee in your lap,
that you just purchased, I might add, that it may burn you if it
spills. Or, if you puncture a can of hair spray near an open fire,
you may experience a slight burning sensation a few seconds later.

People, use your brains. Next we'll have someone suing Craftsman when
they chop their leg off because there was no label on the saw that
said "don't place running saw in lap" ... Come on, how stupid can you
be? I apparently wouldn't make a good judge because I'd laugh most of
these cases right out of the courtroom! Reasonable precaution should
be expected of all people.

Jason Frisvold wrote:

There was a lot of discussion about this in the music / technology /
legal community
at the time of the Sony root exploit CD's - which
I and others thought fully opened Sony for liability for 2nd party
attacks. (I.e., if a hacker uses the Sony
root kit to exploit your machine, then Sony is probably liable,
regardless of the EULA. They put
it in there; they made the attack possible.) IANAL, but I believe
that if a vendor has even a
partial liability, they can be liable for the whole.

But, what constitutes an exploit severe enough to warrant liability of
this type? For instance, let's look at some scripts ... formmail is
a perfect example. First, there was no "real" EULA. I'm definitely
not a lawyer, but I would think that would open up the writer to all
sorts of liability... Anyways, the script was, obviously, flawed.
Spammers took notice and used that script to spam all over the place.
This hurt the hoster of the script, the people who were spammed, and
probably the ISPs that wasted the bandwidth carrying the spam.

So, should the writer of the script be sued for this? Is he liable
for damages?

I am not a lawyer, but I believe there is a significant difference in the liability that ensues from knowingly selling a defective product, and from giving something away for free. Matt gave away FormMail for free. When Matt wrote FormMail open relays were common on the internet. His Perl scripts were similar in security and utility to other software at the time. Once it became known how this type of software could be abused, *then* he had an obligation (moral obligation if not strictly legal obligation) to stop distributing the old insecure scripts, which is what he did.

(Researching FormMail history, I found a page that suggested fixing the FormMail problem by replacing the FormMail scripts with PHP scripts. :-) )

Personally, I feel that if a person "grossly misuses" a product and is
hurt as a result, they deserve it. Within some acceptable reason, of
course. One expects that if you place a cup of coffee in your lap,
that you just purchased, I might add, that it may burn you if it
spills.

If you tell someone "be careful, that coffee is hot and may burn you" most people will equate "burn" with "might cause some temporary pain or perhaps a minor blister" and not with "I will spend 2 weeks in the hospital with 3rd degree burns and require skin grafts and have over $20k in medical bills". Stella assumed the coffee she was served was at a normal hot coffee temperature, hot enough to perhaps hurt a bit if spilled but NOT so hot as to cause severe and disfiguring burns. See:

<http://www.lectlaw.com/files/cur78.htm>

<quote>

McDonalds also said during discovery that, based on a consultant's
advice, it held its coffee at between 180 and 190 degrees fahrenheit to
maintain optimum taste. He admitted that he had not evaluated the
safety ramifications at this temperature. Other establishments sell
coffee at substantially lower temperatures, and coffee served at home is
generally 135 to 140 degrees.

</quote>

McDonalds intentionally served the coffee hotter than was safe, hotter than was safe for *drinking* (the purpose of the product) and ignored the dangers this presented and the prior cases of damage it caused.

Back to the topic of computers and software that damages other computers over the network:

Most people expect that their operating system and browser will work securely, not that it will let intruders steal their data, compromise their privacy, and inflict damage on others. Just as McDonalds was held liable for repeatedly intentionally selling coffee they knew was being served too hot and capable of causing much greater harm than the buyer was aware of, IMHO so should a software company be held liable for repeatedly knowingly selling defective software, especially when that software causes damage to 3rd parties who have not agreed to the EULA.

jc

I am not a lawyer, but I believe there is a significant difference in
the liability that ensues from knowingly selling a defective product,
and from giving something away for free. Matt gave away FormMail for
free. When Matt wrote FormMail open relays were common on the internet.
His Perl scripts were similar in security and utility to other
software at the time. Once it became known how this type of software
could be abused, *then* he had an obligation (moral obligation if not
strictly legal obligation) to stop distributing the old insecure
scripts, which is what he did.

And I would agree with this reasoning. If the software is defective,
fix it or stop selling it. However, I don't think all software
developers have "control" over the selling of the software after it's
sent to the publisher. (I'm by no means intimate with how all this
works) So, for instance, if developer A creates product A+, publisher
P deals with packaging it up, distributing it, etc. A few months
later, developer A goes out of business for some insane reason.
Publisher P continues to sell the software in which a security hole is
discovered a month later. There's no way for developer A to fix the
hole, they don't exist. And publisher P isn't near smart enough to
fix it. So they just continue selling it. Life goes on, it
eventually falls into the bargain bin where publisher P continues to
package it, but in recycled fish wrap instead of the pristine new
boxes it used to.

So is developer A still liable? Is publisher P liable? Should they be?

If you tell someone "be careful, that coffee is hot and may burn you"
most people will equate "burn" with "might cause some temporary pain or
perhaps a minor blister" and not with "I will spend 2 weeks in the
hospital with 3rd degree burns and require skin grafts and have over
$20k in medical bills". Stella assumed the coffee she was served was
at a normal hot coffee temperature, hot enough to perhaps
hurt a bit if spilled but NOT so hot as to cause severe and disfiguring
burns. See:

Still, a little common sense... Hot coffee of any type, between the
legs, in a moving car? Umm.. even "normal" coffee still causes a
jump of pain. That jump of pain could easily cause a car accident.

So who do I sue? McDonalds for selling the coffee? Or the driver who
put it between his/her legs?

Most people expect that their operating system and browser will work
securely, not that it will let intruders steal their data, compromise
their privacy, and inflict damage on others. Just as McDonalds was held
liable for repeatedly intentionally selling coffee they knew was being
served too hot and capable of causing much greater harm than the buyer
was aware of, IMHO so should a software company be held liable for
repeatedly knowingly selling defective software, especially when that
software causes damage to 3rd parties who have not agreed to the EULA.

If it's a known issue and the developer continues to ignore it, then
yeah, they should probably be held accountable. But, there's still
the issue of what is bad and what isn't. Madden 2006 for the PSP
reboots when I end a franchise mode game. It destroys the data I just
spent 30 minutes generating while playing the game. Is that bad
enough that the company should be held liable for it? (Yes, I'm aware
they're replacing the discs now. Excellent move on EA's part)

There's another form mailer out there that I dealt with, and wrote a
large post on Bugtraq about, that continues to allow relaying even
after a complete bug report with a fix. Should that developer be held
liable for damages? It's just spam, it's not really hurting anyone,
is it?

Then there's something like Internet Explorer. Any one of the dozens
of exploits "allows a remote attacker to assume control of the
computer" ... That's bad.. That's definitely an issue. I could
agree that the developer should be held liable for that ...

Madden 2006 I had to pay for. IE came with Windows, so I didn't
*really* have to pay for it, depending on how you look at it. The
form mailer was free on the internet. Does having to pay for it
determine if the developer should be liable? What if Linux had a
security hole that was reported and never fixed? Should Linus get
sued? Wow.. who would you even sue in that instance?

Software confuses things a bit I think.. I can agree that an IE bug,
unchecked, should be liable. But a form mailer? It was free to begin
with, so just move on to something else...

I'm not sure I, personally, could get behind holding software
companies liable until some standard was set to determine what the
expectations were... And setting those standards is the hard part...

Here is the link again:

<http://www.lectlaw.com/files/cur78.htm>

Please spend some time reading that site to educate yourself about the facts and common misconceptions about this incident before you try any further analogies based on it.

In *this* case the injured woman had done most[1] of the reasonable things one should do to try to mitigate injury, but she was seriously injured and the seriousness of the injury was directly due to the product being defective. McDonalds was held liable because they knowingly and intentionally sold a defective product even after having over 700 prior incidents (serious burns) reported to them due to this defect (the coffee being too hot).

Jason Frisvold wrote:

Still, a little common sense... Hot coffee of any type, between the
legs, in a moving car? Umm.. even "normal" coffee still causes a
jump of pain. That jump of pain could easily cause a car accident.

<quote>
Critics of civil justice, who have pounced on this case, often charge that Liebeck was driving the car or that the vehicle was in motion when she spilled the coffee; neither is true.
</quote>

The coffee wasn't just "hot", it was much too hot to be safely consumed. Note that

<quote>
[if the] spill had involved coffee at 155 degrees, the liquid would have cooled and given her time to avoid a serious burn
</quote>

and

<quote>
The company admitted its customers were unaware that they could suffer third degree burns from the coffee and that a statement on the side of the cup was not a "warning" but a "reminder" since the location of the writing would not warn customers of the hazard.
</quote>

Now let us consider Microsoft's continued sales of defective Windows and IE software given their track record for failing to ensure that their product works safely and doesn't enable others to cause damage to the user's system and data or (of primary importance to the networking community) the systems and networks of others:

<http://bcheck.scanit.be/bcheck/page.php?name=STATS2004>

Even if the end user updates their Windows/IE software the minute a security update is available, their browser would still have been vulnerable for all but 7 days in 2004! I wonder how 2005 has been shaping up. Hmmm. I wonder if Stella's lawyers would like to take on Microsoft....

jc

[1] The jury awarded Liebeck $200,000 in compensatory damages. This amount
was reduced to $160,000 because the jury found Liebeck 20 percent at
fault in the spill. The jury also awarded Liebeck $2.7 million in
punitive damages, which equals about two days of McDonalds' coffee
sales.

Post-verdict investigation found that the temperature of coffee at the
local Albuquerque McDonalds had dropped to 158 degrees fahrenheit.

The trial court subsequently reduced the punitive award to $480,000 --
or three times compensatory damages -- even though the judge called
McDonalds' conduct reckless, callous and willful.

There was a lot of discussion about this in the music / technology /
legal community
at the time of the Sony root exploit CD's - which
I and others thought fully opened Sony for liability for 2nd party
attacks. (I.e., if a hacker uses the Sony
root kit to exploit your machine, then Sony is probably liable,
regardless of the EULA. They put
it in there; they made the attack possible.) IANAL, but I believe
that if a vendor has even a
partial liability, they can be liable for the whole.

But, what constitutes an exploit severe enough to warrant liability of
this type? For instance, let's look at some scripts ... formmail is
a perfect example. First, there was no "real" EULA. I'm definitely
not a lawyer, but I would think that would open up the writer to all
sorts of liability... Anyways, the script was, obviously, flawed.
Spammers took notice and used that script to spam all over the place.
This hurt the hoster of the script, the people who were spammed, and
probably the ISPs that wasted the bandwidth carrying the spam.

It's not just about the severity of the exploit. What did you pay
for formmail? Did the author have a "duty to care"? If money
did not change hands, then, liability becomes much more difficult
unless you can show gross negligence. Further, since formmail
is provided in source form, the server owner could have fully evaluated it
for vulnerability prior to deploying it. Thus, even if there is some
liability, it primarily falls to the person/organization who
placed the script in use on the server, not the author.

So, should the writer of the script be sued for this? Is he liable
for damages? If that's the case, then I'm gonna hang up my
programming hat and go hide in a closet somewhere. I'm far from
perfect and, while I'm relatively sure there are none, exploitable
bugs *might* exist in my software. Or, perhaps, the exploit exists in
a library I used. I've written a lot of PHP code, perhaps PHP has the
flaw.. Am I still liable, or is PHP now liable?

Again, it all boils down to whether money changed hands or not.
If you didn't get paid for your script, you probably aren't liable.
Since PHP is free (and there's not really a legal entity to sue
for it anyway), PHP probably isn't liable.

This has scary consequences if it becomes a blanket argument.
Alternatively, if the programmer is made aware of the problem and does
nothing, then perhaps they should be held accountable. But, then,
what happens to "old" software that is no longer maintained?

Look at it another way... If the software is open source, then, there
is no requirement for the author to maintain it as any end user has
all the tools necessary to develop and deploy a fix. In the case of
closed software, liability may be the only tool society has to
protect itself from the negligence of the author(s). What is the
liability situation for, say, a Model T car if it runs over someone?
Can Ford still be held liable if the accident turns out to be caused
by a known design flaw in the car? (I don't know the answer, but,
I suspect that it would be the same for "old" software).

I suspect that eventually EULA's will prove to be weak reeds, in much
the same way that manufacturers may be
liable when bad things happen, even if the product is being grossly
misused. My intuition says that
unfortunately somebody is going to have to die to establish this, as
part of a wrongful death suit.
With the explosion in VOIP use, this is probably only a matter of time.

Personally, I feel that if a person "grossly misuses" a product and is
hurt as a result, they deserve it. Within some acceptable reason, of
course. One expects that if you place a cup of coffee in your lap,
that you just purchased, I might add, that it may burn you if it
spills. Or, if you puncture a can of hair spray near an open fire,
you may experience a slight burning sensation a few seconds later.

The first one here is not your best choice of examples. It turns out
that in that suit, McDonalds was violating ANSI/ISO standards and
handing out liquids that were hotter than the industry considers
"safe". There is a major difference in the level of injury that
occurs above a certain temperature (I think it's 180F if memory
serves), and, their coffee was shown to be well above that. They
had been repeatedly informed of this problem prior to the incident
and had refused to do anything about it.

Yes, you expect to get burned, and, if you keep the coffee below
a serving temperature of 180F, then, there's no liability. However,
serving it above 180F is not "reasonable and prudent" and that is
why the jury found for the plaintiff.

In general, if the gross act of stupidity was reasonably foreseeable,
the manufacturer has a "duty to care" to make some attempt to mitigate
or prevent the customer from taking such action. That's why toasters
all come with warnings about unplugging them before you stick a
fork in them. That's why every piece of electronic equipment says
"No user serviceable parts inside" and "Warning risk of electric shock".

People, use your brains. Next we'll have someone suing Craftsman when
they chop their leg off because there was no label on the saw that
said "don't place running saw in lap" ... Come on, how stupid can you
be? I apparently wouldn't make a good judge because I'd laugh most of
these cases right out of the courtroom! Reasonable precaution should
be expected of all people.

Actually, there are several such warnings on saws for just that reason,
so, that is history, not prediction. The letter of the law does expect
the plaintiff to have been reasonable and prudent. Judges are not
really the problem here. Unfortunately, our cultural tendency to
feel for the underdog leads to a jury pool that often doesn't see
"An idiot who chopped off his leg by sticking the saw in his lap
vs. a company that builds nice saws." They see "The poor defenseless
carpenter vs. the evil giant corporation profiting from his misery."
They feel for the carpenter and the only option they have to help
him is to take money from the corporation.

Owen

[snip]

And I would agree with this reasoning. If the software is defective,
fix it or stop selling it. However, I don't think all software
developers have "control" over the selling of the software after it's
sent to the publisher. (I'm by no means intimate with how all this
works.) So, for instance, if developer A creates product A+, publisher
P deals with packaging it up, distributing it, etc. A few months
later, developer A goes out of business for some insane reason.
Publisher P continues to sell the software in which a security hole is
discovered a month later. There's no way for developer A to fix the
hole, they don't exist. And publisher P isn't near smart enough to
fix it. So they just continue selling it. Life goes on, it
eventually falls into the bargain bin where publisher P continues to
package it, but in recycled fish wrap instead of the pristine new
boxes it used to.

So is developer A still liable? Is publisher P liable? Should they be?

Liability generally ends at death. Since developer A is essentially dead
(no longer exists), no.

If publisher P is the current copyright owner, then probably yes.

If they have been informed of the defect and continue to sell the defective
product, yes.

So who do I sue? McDonalds for selling the coffee? Or the driver who
put it between his/her legs?

In the case of an accident and you are the driver she hit, you would
sue the driver. The driver may then sue McDonalds if the coffee was
"too hot", but, your cause of action is against the direct actor...
The driver, and, the owner of the vehicle that hit you.

If it's a known issue and the developer continues to ignore it, then
yeah, they should probably be held accountable. But, there's still
the issue of what is bad and what isn't. Madden 2006 for the PSP
reboots when I end a franchise mode game. It destroys the data I just
spent 30 minutes generating while playing the game. Is that bad
enough that the company should be held liable for it? (Yes, I'm aware
they're replacing the discs now. Excellent move on EA's part)

I guess that depends on how much you feel you are harmed by that loss
of data. However, in that case, you probably accepted an EULA that
says "We aren't liable for the software not functioning." This is
much more a gray area than what I think is the first issue that should
be addressed. What if, instead, your PSP was network enabled, and,
at the end of your game, it not only rebooted, but, it wiped out all
data from all PSPs it could find on the network. Then, the owners
of those PSPs should have a cause of action against EA (and possibly
you). They didn't agree to an EULA allowing EA's software to wipe
their data. That's the situation of the third parties being harmed
by exploited hosts.

There's another form mailer out there that I dealt with, and wrote a
large post on Bugtraq about, that continues to allow relaying even
after a complete bug report with a fix. Should that developer be held
liable for damages? It's just spam, it's not really hurting anyone,
is it?

SPAM does a lot of actual harm. There are relatively high costs associated
with SPAM. Machine time, network bandwidth, and, labor.

Then there's something like Internet Explorer. Any one of the dozens
of exploits "allows a remote attacker to assume control of the
computer" ... That's bad.. That's definitely an issue. I could
agree that the developer should be held liable for that ...

Yes. These are the sorts of things we are really talking about primarily.

Madden 2006 I had to pay for. IE came with Windows, so I didn't
*really* have to pay for it, depending on how you look at it. The
form mailer was free on the internet. Does having to pay for it
determine if the developer should be liable? What if Linux had a
security hole that was reported and never fixed? Should Linus get
sued? Wow.. who would you even sue in that instance?

You did pay for it. It was part of what you paid for when you bought
Windows. If Windows came bundled with your machine, you still paid
for it in the form of buying the machine and it was part of what was
included. In any case, you still paid for IE.

As to Linux, I don't believe Linus ever sold it. For the most part,
there's nobody to sue because nobody got paid. Further, since
it is open source, you have the ability and responsibility to fix it
if you are informed your machine is doing harm. You don't have the
ability to fix IE. In the case of packages like Red Hat Enterprise
Linux and such, yes, if they are exploited, it is not unlikely that
Red Hat could be sued by injured third parties, and, this is not
inappropriate.

Software confuses things a bit I think.. I can agree that an IE bug,
unchecked, should be liable. But a form mailer? It was free to begin
with, so just move on to something else...

Software doesn't confuse things. Things given away for free are not held
to the same "duty to care" as things sold as a product. Software fits
into this model nicely.

I'm not sure I, personally, could get behind holding software
companies liable until some standard was set to determine what the
expectations were... And setting those standards is the hard part...

I agree it would be nice to set some standards. I think what is needed
is a consortium of software security experts to set some minimum "safety
standards" that can be used as a legal basis.

Something like:

Prudently written software is expected to take the following precautions:

+ Check length on any storage operation to prevent undetected
  buffer overruns.

+ Check all external input for validity and consistency prior to
  placing it into an operation which could result in execution
  or harmful parsing of said input (such as passing it to a shell
  for evaluation).

etc. You get the idea. I don't think this would have to be particularly
lengthy or complicated, but, I bet if we hit the highlights that cover
most of the existing known vulnerabilities, it would do the trick.

Owen
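The two precautions in the list above (length-checked storage, and validation of external input before it reaches anything that executes or parses it) are the kind of thing a "minimum safety standard" would have to spell out in code. The following C is an added example written for this page, not code from the thread or from any poster; the limit `NAME_MAX_LEN`, the function names, the allowlist of permitted characters and the sample inputs are all assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* assumed application limit for a file name */

/* Precaution 1: check length on every storage operation.
   Copies src into dst only if it fits together with its terminating NUL;
   otherwise leaves dst as an empty string and reports failure, so an
   over-long input can neither overrun dst nor be silently truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Scan at most dst_size bytes so an unterminated src cannot run away. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size) {          /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Precaution 2: validate external input before it reaches anything that
   could execute or parse it. An allowlist is used rather than a denylist:
   the name must be 1..NAME_MAX_LEN characters of [A-Za-z0-9._-], must not
   start with '-' (so it cannot be read as a command-line option) and must
   not be "." or ".." (so it cannot name a directory other than the one
   intended). Shell metacharacters and path separators are simply not in
   the allowlist, so they never need to be enumerated. */
bool is_safe_name(const char *s)
{
    size_t i;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return false;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return false;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        bool ok;
        if (i >= NAME_MAX_LEN)    /* longer than the assumed limit */
            return false;
        ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
             (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return false;
    }
    return true;
}

/* Both checks combined: accept an untrusted name into a fixed buffer.
   Returns 0 when accepted, -2 when the name fails validation, -1 when it
   passes validation but does not fit the caller's buffer. Nothing is
   stored until validation has passed. When the accepted name is later
   used, hand it to execvp()/posix_spawn() as its own argv element rather
   than interpolating it into a string for system(). */
int accept_name(const char *untrusted, char *out, size_t out_size)
{
    if (!is_safe_name(untrusted)) {
        if (out != NULL && out_size > 0)
            out[0] = '\0';
        return -2;
    }
    return copy_bounded(out, out_size, untrusted);
}

int main(void)
{
    /* Constructed sample inputs, as a web form or network field might supply them. */
    const char *samples[] = {
        "report-2006_q1.txt",     /* accepted */
        "report.txt;ls",          /* shell metacharacter: rejected */
        "../../etc/passwd",       /* path separator: rejected */
        "-rf",                    /* would be parsed as an option: rejected */
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" /* 40 chars, over limit: rejected */
    };
    char buf[NAME_MAX_LEN + 1];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = accept_name(samples[i], buf, sizeof buf);
        printf("%-42s -> %s\n", samples[i],
               rc == 0 ? "accepted" : rc == -1 ? "does not fit" : "rejected");
    }
    return 0;
}
```

The validator runs before the copy so that nothing derived from the input exists in memory until it has been judged safe, and the copy reports failure rather than truncating, because a silently shortened name is itself a source of surprising behaviour later on.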

[snip]

I agree it would be nice to set some standards. I think what is needed
is a consortium of software security experts to set some minimum "safety
standards" that can be used as a legal basis.

You're barking up the wrong tree.

Mediocre product quality is just one of many symptoms of a lack of
competition. The real problem is that we've got monopolies backed by a
draconian patent regime. Imagine a situation where there are drop-in
replacements for most proprietary technologies with little or no barrier
to entry (financial or technical). A serious flaw in product X could
easily cause mass customer defection to competing products. Maybe some
of the profits of today would have to be invested in quality assurance
to prevent that.

How would a brand of household-appliances hold up to the competition if
their products were riddled with flaws that had no solution, just
workarounds using expensive add-ons? Should the market accept that MS
enter the market of "anti-products" instead of solving the problem
within their products? Keep in mind that such products are parasites
which represent no customer value.

Why have the monopolies we normally despise become the norm in the
software industry? Or rather, why did we let them dictate legislation
that gives them legroom for such behaviour?

//per

Look at it another way... If the software is open source, then, there
is no requirement for the author to maintain it as any end user has
all the tools necessary to develop and deploy a fix. In the case of
closed software, liability may be the only tool society has to
protect itself from the negligence of the author(s). What is the
liability situation for, say, a Model T car if it runs over someone?
Can Ford still be held liable if the accident turns out to be caused
by a known design flaw in the car? (I don't know the answer, but,
I suspect that it would be the same for "old" software).

But can't something similar be said for closed source? You know
there's a vulnerability, stop using it... (I'm aware that this is
much harder in practice)

<snip dead horse />

In general, if the gross act of stupidity was reasonably foreseeable,
the manufacturer has a "duty to care" to make some attempt to mitigate
or prevent the customer from taking such action. That's why toasters
all come with warnings about unplugging them before you stick a
fork in them. That's why every piece of electronic equipment says
"No user serviceable parts inside" and "Warning risk of electric shock".

So what if Microsoft put a warning label on all copies of Windows that
said something to the tune of "Not intended for use without firewall
and anti-virus software installed" ? :) Isn't the consumer at least
partially responsible for reasonable precautions?

They feel for the carpenter and the only option they have to help
him is to take money from the corporation.

I'm all for compassion, but sometimes it's a bit much.. :)

Owen

I guess, in a nutshell, I'm trying to understand the liability
issue... It seems, based on the arguments, that it generally applies
to "stuff" that was received due to some monetary transaction. And
that the developer/manufacturer/etc is given a chance to repair the
problem, provided that problem does not exist due to gross negligence
on the part of the developer/manufacturer/etc ... Does that about sum
it up?

[From your other mail]

SPAM does a lot of actual harm. There are relatively high costs associated
with SPAM. Machine time, network bandwidth, and, labor.

*nod* I agree.. My point here was that SPAM, when compared to
something like a virus, is *generally* less harmful. Granted, SPAM is
more of a constant problem rather than a single virus that may attack
for a few days before mitigation is possible. I spend a great deal of
time tweaking my mail servers to prevent spam.. :)

There have been successful cases for pedestrians that used a train trestle as a walk-way, where warnings were clearly displayed, and a fence had been put in place, but the railroad failed to ensure repair of the fence. The warning sign was not considered adequate. Would this relate to trespassers that use an invalid copy of an OS refused patches? Would this be similar to not repairing the fence? Clearly the pedestrians are trespassing, nevertheless the railroad remains responsible for the safety of their enterprise.

-Doug

...

So what if Microsoft put a warning label on all copies of Windows that
said something to the tune of "Not intended for use without firewall
and anti-virus software installed" ? :) Isn't the consumer at least
partially responsible for reasonable precautions?

...

Last time I looked at an MS Windows package, Microsoft actually put a
much stronger warning than that on all of its packages. And a truthful
one, as well!

Something like, "This software is not guaranteed to do anything in
particular."

;)

Look at it another way... If the software is open source, then, there
is no requirement for the author to maintain it as any end user has
all the tools necessary to develop and deploy a fix. In the case of
closed software, liability may be the only tool society has to
protect itself from the negligence of the author(s). What is the
liability situation for, say, a Model T car if it runs over someone?
Can Ford still be held liable if the accident turns out to be caused
by a known design flaw in the car? (I don't know the answer, but,
I suspect that it would be the same for "old" software).

But can't something similar be said for closed source? You know
there's a vulnerability, stop using it... (I'm aware that this is
much harder in practice)

Yes... You say that as if I have a problem with people using bad software
being held liable for the damage it does. I do not.

<snip dead horse />

In general, if the gross act of stupidity was reasonably foreseeable,
the manufacturer has a "duty to care" to make some attempt to mitigate
or prevent the customer from taking such action. That's why toasters
all come with warnings about unplugging them before you stick a
fork in them. That's why every piece of electronic equipment says
"No user serviceable parts inside" and "Warning risk of electric shock".

So what if Microsoft put a warning label on all copies of Windows that
said something to the tune of "Not intended for use without firewall
and anti-virus software installed" ? :) Isn't the consumer at least
partially responsible for reasonable precautions?

Yes. Again, I have no problem if every user of Windows starts paying
for failing to prevent it from damaging the network (or any other
software that does damage in this context). Perhaps that will finally
start showing corporate America the true cost of running Windows.

They feel for the carpenter and the only option they have to help
him is to take money from the corporation.

I'm all for compassion, but sometimes it's a bit much.. :)

No argument. My point was that it isn't so much the judge as some
aspects of our jury system that are at the root of many of these
decisions.

I guess, in a nutshell, I'm trying to understand the liability
issue... It seems, based on the arguments, that it generally applies
to "stuff" that was received due to some monetary transaction. And
that the developer/manufacturer/etc is given a chance to repair the
problem, provided that problem does not exist due to gross negligence
on the part of the developer/manufacturer/etc ... Does that about sum
it up?

Mostly. Certainly, liability is more certain in those circumstances
than if any of those things are not present.

[From your other mail]

SPAM does a lot of actual harm. There are relatively high costs
associated with SPAM. Machine time, network bandwidth, and, labor.

*nod* I agree.. My point here was that SPAM, when compared to
something like a virus, is *generally* less harmful. Granted, SPAM is
more of a constant problem rather than a single virus that may attack
for a few days before mitigation is possible. I spend a great deal of
time tweaking my mail servers to prevent spam.. :)

The primary output of viruses these days is SPAM. The primary harm done
by viruses is SPAM. Sure, there are occasional DOS issues, but, there
is actually more harm done by SPAM than DOS from a monetary perspective.

Owen

One other thing I forgot to say here... With closed software, you don't
have the option of fixing it yourself. With open source, that claim
cannot be made. As such, since there are some cases in which the
damage done by stopping use must be weighed against the damage
done by continued use, it's a harder question WRT closed software,
especially when it is an operating system.

Owen

While I think it is unfair in the case of the railroad, and, burglars that
injure themselves in people's stores/houses, it works for me in the case
of software.

Denying patches doesn't tend to injure the trespassing user so much as
it injures the others that get attacked by his compromised machine.
I think that is why many manufacturers release security patches to
anyone openly, while restricting other upgrades to registered users.

Owen

There have been successful cases for pedestrians that used a train
trestle as a walk-way, where warnings were clearly displayed, and a
fence had been put in place, but the railroad failed to ensure repair
of the fence. The warning sign was not considered adequate. Would
this relate to trespassers that use an invalid copy of an OS refused
patches? Would this be similar to not repairing the fence? Clearly
the pedestrians are trespassing, nevertheless the railroad remains
responsible for the safety of their enterprise.

  There is a huge difference that everyone seems to keep ignoring. Most of
the defective software issues we're talking about here cause no damage until
a knowledgeable person with malicious intent knows the 'defect',
specifically intends to cause harm with it, and uses the defect specifically
to cause that harm. This, unfortunately, makes it more analogous to the
'defect' in a gun that a criminal can use it to do harm just as an honest
person can use it to prevent harm.

  Of course, it also makes it analogous to a gun that, when you point it at a
criminal, the criminal can make it blow up in your hands.

  DS

To beat a dead horse just a little harder the problem I have is when a
certain company kept distributing software with security flaws
specifically because they're profiting from those flaws.

For example, graphics libraries which accept binary code chunks to be
executed in kernel mode without limits for support of quick screen
updates in games considered of marketing importance. Blaming it on the
games vendors seems inadequate, particularly over several years and
releases of each.

That's just pure economics and, hence, profiting on others' serious
pain.