RE: product liability (was 'we should all be uncomfortable with t he extent to which luck..')

From: William Allen Simpson [mailto:wsimpson@greendragon.com]
Sent: Tuesday, July 24, 2001 11:43 PM

Perhaps a different approach is in order -- product liability.

Network operators have been injured by the distribution of
buggy software from M$. We need to be compensated for our
time and expenses.

End users need to be compensated for their costs to upgrade.

A check in the mail would be a better incentive to
administrators than "automatic" updates.

Now *there's* a thought. However, all software companies carry product
liability insurance. It's sometimes called a shrink-wrap license. You might
actually try reading it the next time you purchase and install software.

It does seem odd as a consumer that my car didn't come with a shrink-wrap license. I can imagine what it'd say if Microsoft owned Volvo: "We make no guarantees that this car is suitable for driving on highways, dirt roads, or anything in between. Customer assumes all responsibility for the suitability of this product to any use."

And add to that: "Check our website every so often to see if we've found any design flaws in your car. If we find any, we'll make fixes available to you eventually, but you have to pay for and supply your own trained mechanic to install the fixes."

Roeland Meyer wrote:

> From: William Allen Simpson [mailto:wsimpson@greendragon.com]
> A check in the mail would be a better incentive to
> administrators than "automatic" updates.

Now *there's* a thought. However, all software companies carry product
liability insurance. It's sometimes called a shrink-wrap license. You might
actually try reading it the next time you purchase and install software.

I'm not a party to the EULA.

For the sake of argument, ISPs are the party that the SUV hit when it
rolled over after the tires exploded....

(actually, because of our proactive action and filtering, we had
exactly zero customers that were still infected by Jul 20th. But we
had to spend the manpower and technical support -- that's worth
something!)

Also, you may have noticed that shrink-wrap licenses are valid in only
two places: Washington (state) and Virginia. This would be a Federal
class action.

Joe Shaw wrote:

And with this latest threat of code red, Microsoft would have been covered
anyway, because a patch for this exploit existed well before CodeRed hit.
They released a patch for the indexing server on June 18, 2001, which as
you know is a full month before CodeRed. So, people had a MONTH to
prepare for something like this, and it's a sad statement that they did
not.

Actually, although the patch was released, M$ lied, saying it was only
needed by web servers. We have since learned that *ALL* W2K and XP
systems were vulnerable. Fraud and misrepresentation?

human somewhere wrote some bad code. It happens, and continues to happen
on a daily basis.

It's long past time that humans were held accountable.

Funny, the engine electronics in my car doesn't seem to be vulnerable
to these failures.... Maybe it's the extensive (years) of testing and
code review?

Why should I have to pay for the desire of M$ to be "first to market",
or more usually, "last to market but cheaper".

There is no other industry where such bad practices would be
acceptable. It shouldn't be in ours, either!

Security requires vigilence, and there seems to be too little of it out in
the world.

Agreed.

William Allen Simpson wrote:

Also, you may have noticed that shrink-wrap licenses are valid in
only two places: Washington (state) and Virginia. This would be a
Federal class action.

Didn't the Digital Millennium Copyright Act make shrink-wrap licenses
valid nation-wide?

-- David

David Charlap wrote:

William Allen Simpson wrote:
>
> Also, you may have noticed that shrink-wrap licenses are valid in
> only two places: Washington (state) and Virginia. This would be a
> Federal class action.

Didn't the Digital Millennium Copyright Act make shrink-wrap licenses
valid nation-wide?

No.

You are thinking of last year's electronic signatures act -- an act that
has no signatures, merely "sound, symbol, or process".

After much debate, including contact with staff of the Senator that
introduced the bill (now secretary of energy after we kicked him out of
the senate), I have written assurances that normal contract law will
always supercede, and nobody can be bound to anything that they have not
yet seen and affirmatively acknowledged.

And I expect the companies pushing the law will argue otherwise, and the
courts will decide....

We had a recent success on web site terms of use. The result is, you
have to hide the entire site behind an agreement page, and securely
prevent anyone from accessing the material without going through the agreement page.

I'll point to another "success", although not for an intangible good.
My 3 year old powerbook came with a power brick. The warranty has
long since expired. The "shrinkwrap" agreement says they are not
liable for consequential damages.

Yet, Apple is sending free (no cost in any way) replacements!

Seems that 6 out of several million got too hot and caused a fire.
(They do get hot!)

Now, is that responsible corporate citizenship? Or enlightened self
interest? Or fear of bigger (punative) penalties?

Whatever it is, we need more of it....

You're thinking of UCITA - the proposed revisions to the Universal
Commercial Code. These WOULD make shrink wrap licenses a lot more
powerful and painful.

The good news is that UCITA has to be enacted state-by-state, and an
increasing number of big players (e.g. large, corporate software buyers)
are lining up against UCITA.

Apparently, you replied to the wrong message.

The innermost refers to UCITA and its UETA sibling, only enacted in 2 states.

David was referring to the DMCA of 1998 (see
http://thomas.loc.gov/cgi-bin/bdquery/z?d105:HR02281:@@@L&summ2=m&|/bss/d105query.html|
for legislative history.)

Then, I was referring to the more recent e-signature act (see
http://thomas.loc.gov/cgi-bin/bdquery/D?d106:1:./temp/~bdh8zW:@@@L&summ2=m&|/bss/d106query.html|
for legislative history.)