[ISN] Should Microsoft be Liable for Bugs?

From: InfoSec News (isnat_private)
Date: Mon Sep 15 2003 - 00:35:42 PDT


    Forwarded from: "Kirstan Beeson" <kbeesonat_private>
    September 12, 2003

    A defect is found in one of the world's most popular products. Less
    than a month later, its consequences emerge -- idling workers around
    the globe, causing huge losses for businesses and generally
    inconveniencing hundreds of thousands of people.

    Under different circumstances, this scenario might be a class-action
    lawyer's dream. But the product in question is software, and the
    companies that make it claim special protections from liability
    through the licensing deals that come as a condition of using their

    Those protections help shield Microsoft Corp. and other software
    companies from paying what could conceivably amount to billions of
    dollars in damages. But they're coming under increased scrutiny amid a
    rising tide of computer viruses, many of which exploit known flaws in
    popular Microsoft programs.

    Consumer advocates and some computer users argue that the protections
    should be ended or diminished to let businesses and people try to hold
    software makers at least partially liable for the effects of product
    flaws. Doing so, they say, would make companies such as Microsoft more
    accountable, resulting in programs with fewer defects.

    "It's crazy that Firestone can produce this tire with a systemic flaw
    and they're liable, whereas Microsoft produces an operating system
    with two systemic flaws per week and they're not liable," said Bruce
    Schneier, chief technical officer at Counterpane Internet Security
    Inc. and a longtime advocate of changing the software-liability rules.

    Add to the debate the profits Microsoft earns from its lucrative
    Windows and Office programs, and some users question why the company
    doesn't spend more to make its products more secure. Microsoft last
    week reported $8.4 billion in fiscal 2003 operating profit for its
    desktop Windows division alone.

    "My sense is that they could do a lot more than they are doing to
    protect people," said Doug Schuler, a professor who teaches courses on
    computers and society at The Evergreen State College. "As a consumer,
    I would like them to be more on the hot seat for quality of product.
    ... They've got the best programmers on the planet, so why does it
    seem to be so buggy?"

    That issue was underscored this week, when Microsoft released another
    security alert -- its 39th this year -- about a "critical" Windows
    flaw that could allow a computer to be infiltrated, and urged users to
    download a patch to fix the problem.

    Who's to blame?

    But the software industry and some legal experts contend that to go
    after companies such as Microsoft over their product flaws would be to
    misplace the blame. After all, it's a criminal act -- the unleashing
    of a virus -- that turns the flaw into such a problem for computer

    For that reason, some want the government to make an example of the
    teenager arrested for allegedly unleashing one variant of the Blaster
    worm, which infiltrated computers around the world last month by
    exploiting a flaw in Microsoft's Windows operating system.

    "We're all hoping he just gets pounded. The consequences should be
    very, very high," said Jim Denison, owner and president of Seattle
    Micro, a computer support and sales company. "That's where I would lay
    the blame, more so than on Microsoft for writing an imperfect

    Some experts point out that opening software companies to liability
    would increase the prices charged to consumers and keep them from
    enjoying the benefits of software features that Microsoft, under
    threat of litigation, might deem too risky to release. They also say
    lawsuits wouldn't stop or stem the flow of viruses and worms.

    "No matter how careful a software code writer and a manufacturer might
    be, there is likely to be a more crafty criminal element out there,"
    said lawyer Christopher Wolf, partner in the Washington, D.C., office
    of law firm Proskauer Rose. "There is no such thing as an absolutely
    secure piece of software."

    Even if lawsuits were allowed, it isn't clear that there would be
    overwhelming public sentiment to sue software companies. Although many
    consumers question why the company isn't liable, some people whose
    computers were infected by the latest wave of viruses aren't eager to
    point the finger at Microsoft.

    "It was a pain in the rear, don't get me wrong, but I don't blame
    Microsoft as much as I blame the individual" behind the worm, said
    Eric Vennes, 36, of Snohomish, whose home computer was infected by
    Blaster. "Maybe Microsoft should have been more diligent, but I still
    go back to the guy that's sitting in the room 14 hours a day trying to
    create havoc."

    Others aren't so sure. True, the man accused of hacking may be getting
    what he deserves, but Microsoft's role shouldn't be forgotten, said
    Maggie Sullivan, 41, a Glenside, Pa., resident who experienced the
    latest wave of viruses at the law firm where she works as a Web
    content coordinator.

    "I don't hate Microsoft; I don't begrudge them their huge marketplace
    dominance," Sullivan said. "It just seems to me they have more of a
    responsibility to test before they send (their software) out into the

    In a report last year, the Computer Science and Telecommunications
    Board of the National Research Council recommended that legislators
    consider increasing the exposure of software makers and others to
    liability for security breaches.

    There has been an even greater push overseas to hold Microsoft
    accountable. Taiwan's Consumers Foundation is urging Microsoft to
    compensate consumers for losses resulting from viruses that attack
    software flaws. A South Korean civic group has reportedly sued
    Microsoft over the effects of the Slammer worm, which earlier this
    year targeted computers running Microsoft's SQL Server software.

    The fine print

    At the center of the liability debate are the so-called end-user
    license agreements, also known as shrink-wrap agreements, that come
    with every piece of computer software. Taken as written, they would
    prevent businesses and individuals from collecting damages from
    software makers for the ill effects of any product flaw, even if the
    flaw results from negligence.

    Critics point out that consumers don't have any choice but to consent
    to such an agreement if they want to use a particular software
    program. Often consumers don't even see the agreements until they've
    actually made the purchase. As a result, some lawyers say, the deals
    could be challenged and possibly negated as so-called contracts of
    adhesion, agreements in which one party doesn't truly have any
    bargaining power.

    "That's an issue that all software vendors face, and I think Microsoft
    has a potentially larger challenge there than other parties might have
    because of its market strength," said Jeff Harmes, managing partner in
    the Seattle office of law firm Gray Cary Ware & Freidenrich.

    But since the mid-1990s, a string of court decisions has upheld the
    validity of using license agreements to limit a software maker's
    liability. Such decisions are premised in part on the concept that a
    person or business that buys software doesn't buy a product, but
    rather acquires a right, or a license, to use the software.

    "A license is an intangible, and so all of the consumer protection
    laws that were written to cover every sale of goods become
    inapplicable," said Cem Kaner, a lawyer and professor of computer
    sciences at the Florida Institute of Technology and an expert on the
    subject of flawed software.

    That's why software makers aren't held to the same standards of
    liability as are manufacturers of other products, such as automobile

    Yet the comparison between tires and software isn't entirely fair,
    some experts point out. For one thing, software problems don't
    generally result in death or bodily harm. For another, while it's
    possible to create a safe tire, no one has figured out yet how to
    create completely secure software in an open, complex and
    ever-changing system like the Internet.

    "We're not living in a stagnant environment, where the tools of
    cyber-criminals remain constant," said Microsoft spokesman Sean
    Sundwall. "If that were the case, software companies would have this
    thing licked."

    In a January 2002 memo, Microsoft Chairman Bill Gates launched what
    the company calls its Trustworthy Computing initiative, declaring
    security and related issues Microsoft's top priority.

    Microsoft takes issue with the presumption behind the call for the
    ability to sue over product flaws -- that the company isn't doing
    enough about security, and that there needs to be some kind of
    economic or legal incentive for security to be improved.

    "The premise is just flat-out incorrect," Sundwall said. "We're taking
    drastic measures to make sure that our software is secure."

    A maturing industry

    Despite Microsoft's efforts to prevent flaws and to issue patches when
    flaws are found, legal experts said the company may find itself facing
    increased resistance to the blanket protection from liability it
    asserts in its licensing agreements.

    A mature industry "has to take its rightful place and follow the rules
    that everybody else does," said Frances Zollers, professor of law and
    public policy at Syracuse University's Whitman School of Management.

    The law will clamp down, she said, "if software companies keep writing
    what I believe are unconscionable clauses in their contracts such that
    their obligations are none and the other side's obligations are many."

    Kaner, the expert in flawed software, said he would like to see the
    software industry and computer users find a middle ground.

    "I think it's unreasonable that software customers have no rights," he
    said. "I think it would be unreasonable, as well, to put software
    companies at a risk of damages for every defect their product carries
    because we don't know how to make perfect products, and we could
    easily destroy the industry by holding it to too high a standard."

    But even if courts or legislators limited the protective effects of
    software licenses, it wouldn't mean certain victory for consumers
    seeking to hold software companies liable for flaws exploited by

    On the contrary, legal experts said, consumers would face the daunting
    task of proving that a company was negligent in allowing the flaw to

    "If you have somebody who's intent on a criminal activity, I can't
    imagine how you would blame the person who created the weakness unless
    it was negligent and it was completely foreseeable," said Hwan Kim,
    co-chair of technology and telecommunications practice in the
    Washington, D.C., office of law firm Chadbourne & Parke.

    That means, for the time being, the best way for consumers to protect
    themselves may be to watch for security alerts and download patches.
    But even that isn't a perfect solution.

    It has been difficult for Microsoft to persuade some individual
    consumers to take the time to download and install patches.

    At the same time, hackers have demonstrated the ability to unleash a
    virus within a few weeks of a flaw's discovery, which is too quick for
    some companies.

    "Most organizations will tell you, if they're honest, that it takes
    them six to eight weeks to deploy a given patch across a large
    organization without making it an emergency," said Steve Larsen, CEO
    of BigFix Inc., an Emeryville, Calif., patch management company.

    "If they drop everything else, they can probably do it a little

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 15 2003 - 03:00:51 PDT