Forwarded from: "Kirstan Beeson" <kbeesonat_private>

http://seattlepi.nwsource.com/business/139286_msftliability12.html

By TODD BISHOP
SEATTLE POST-INTELLIGENCER REPORTER
September 12, 2003

A defect is found in one of the world's most popular products. Less than a month later, its consequences emerge -- idling workers around the globe, causing huge losses for businesses and generally inconveniencing hundreds of thousands of people.

Under different circumstances, this scenario might be a class-action lawyer's dream. But the product in question is software, and the companies that make it claim special protections from liability through the licensing deals that come as a condition of using their programs.

Those protections help shield Microsoft Corp. and other software companies from paying what could conceivably amount to billions of dollars in damages. But they're coming under increased scrutiny amid a rising tide of computer viruses, many of which exploit known flaws in popular Microsoft programs.

Consumer advocates and some computer users argue that the protections should be ended or diminished to let businesses and people try to hold software makers at least partially liable for the effects of product flaws. Doing so, they say, would make companies such as Microsoft more accountable, resulting in programs with fewer defects.

"It's crazy that Firestone can produce this tire with a systemic flaw and they're liable, whereas Microsoft produces an operating system with two systemic flaws per week and they're not liable," said Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. and a longtime advocate of changing the software-liability rules.

Add to the debate the profits Microsoft earns from its lucrative Windows and Office programs, and some users question why the company doesn't spend more to make its products more secure. Microsoft last week reported $8.4 billion in fiscal 2003 operating profit for its desktop Windows division alone.

"My sense is that they could do a lot more than they are doing to protect people," said Doug Schuler, a professor who teaches courses on computers and society at The Evergreen State College. "As a consumer, I would like them to be more on the hot seat for quality of product. ... They've got the best programmers on the planet, so why does it seem to be so buggy?"

That issue was underscored this week, when Microsoft released another security alert -- its 39th this year -- about a "critical" Windows flaw that could allow a computer to be infiltrated, and urged users to download a patch to fix the problem.

Who's to blame?

But the software industry and some legal experts contend that to go after companies such as Microsoft over their product flaws would be to misplace the blame. After all, it's a criminal act -- the unleashing of a virus -- that turns the flaw into such a problem for computer users.

For that reason, some want the government to make an example of the teenager arrested for allegedly unleashing one variant of the Blaster worm, which infiltrated computers around the world last month by exploiting a flaw in Microsoft's Windows operating system.

"We're all hoping he just gets pounded. The consequences should be very, very high," said Jim Denison, owner and president of Seattle Micro, a computer support and sales company. "That's where I would lay the blame, more so than on Microsoft for writing an imperfect product."

Some experts point out that opening software companies to liability would increase the prices charged to consumers and keep them from enjoying the benefits of software features that Microsoft, under threat of litigation, might deem too risky to release. They also say lawsuits wouldn't stop or stem the flow of viruses and worms.

"No matter how careful a software code writer and a manufacturer might be, there is likely to be a more crafty criminal element out there," said lawyer Christopher Wolf, partner in the Washington, D.C., office of law firm Proskauer Rose. "There is no such thing as an absolutely secure piece of software."

Even if lawsuits were allowed, it isn't clear that there would be overwhelming public sentiment to sue software companies. Although many consumers question why the company isn't liable, some people whose computers were infected by the latest wave of viruses aren't eager to point the finger at Microsoft.

"It was a pain in the rear, don't get me wrong, but I don't blame Microsoft as much as I blame the individual" behind the worm, said Eric Vennes, 36, of Snohomish, whose home computer was infected by Blaster. "Maybe Microsoft should have been more diligent, but I still go back to the guy that's sitting in the room 14 hours a day trying to create havoc."

Others aren't so sure. True, the man accused of hacking may be getting what he deserves, but Microsoft's role shouldn't be forgotten, said Maggie Sullivan, 41, a Glenside, Pa., resident who experienced the latest wave of viruses at the law firm where she works as a Web content coordinator.

"I don't hate Microsoft; I don't begrudge them their huge marketplace dominance," Sullivan said. "It just seems to me they have more of a responsibility to test before they send (their software) out into the world."

In a report last year, the Computer Science and Telecommunications Board of the National Research Council recommended that legislators consider increasing the exposure of software makers and others to liability for security breaches.

There has been an even greater push overseas to hold Microsoft accountable. Taiwan's Consumers Foundation is urging Microsoft to compensate consumers for losses resulting from viruses that attack software flaws. A South Korean civic group has reportedly sued Microsoft over the effects of the Slammer worm, which earlier this year targeted computers running Microsoft's SQL Server software.

The fine print

At the center of the liability debate are the so-called end-user license agreements, also known as shrink-wrap agreements, that come with every piece of computer software. Taken as written, they would prevent businesses and individuals from collecting damages from software makers for the ill effects of any product flaw, even if the flaw results from negligence.

Critics point out that consumers don't have any choice but to consent to such an agreement if they want to use a particular software program. Often consumers don't even see the agreements until they've actually made the purchase. As a result, some lawyers say, the deals could be challenged and possibly negated as so-called contracts of adhesion, agreements in which one party doesn't truly have any bargaining power.

"That's an issue that all software vendors face, and I think Microsoft has a potentially larger challenge there than other parties might have because of its market strength," said Jeff Harmes, managing partner in the Seattle office of law firm Gray Cary Ware & Freidenrich.

But since the mid-1990s, a string of court decisions has upheld the validity of using license agreements to limit a software maker's liability. Such decisions are premised in part on the concept that a person or business that buys software doesn't buy a product, but rather acquires a right, or a license, to use the software.

"A license is an intangible, and so all of the consumer protection laws that were written to cover every sale of goods become inapplicable," said Cem Kaner, a lawyer and professor of computer sciences at the Florida Institute of Technology and an expert on the subject of flawed software.

That's why software makers aren't held to the same standards of liability as are manufacturers of other products, such as automobile tires.

Yet the comparison between tires and software isn't entirely fair, some experts point out. For one thing, software problems don't generally result in death or bodily harm. For another, while it's possible to create a safe tire, no one has figured out yet how to create completely secure software in an open, complex and ever-changing system like the Internet.

"We're not living in a stagnant environment, where the tools of cyber-criminals remain constant," said Microsoft spokesman Sean Sundwall. "If that were the case, software companies would have this thing licked."

In a January 2002 memo, Microsoft Chairman Bill Gates launched what the company calls its Trustworthy Computing initiative, declaring security and related issues Microsoft's top priority.

Microsoft takes issue with the presumption behind the call for the ability to sue over product flaws -- that the company isn't doing enough about security, and that there needs to be some kind of economic or legal incentive for security to be improved.

"The premise is just flat-out incorrect," Sundwall said. "We're taking drastic measures to make sure that our software is secure."

A maturing industry

Despite Microsoft's efforts to prevent flaws and to issue patches when flaws are found, legal experts said the company may find itself facing increased resistance to the blanket protection from liability it asserts in its licensing agreements.

A mature industry "has to take its rightful place and follow the rules that everybody else does," said Frances Zollers, professor of law and public policy at Syracuse University's Whitman School of Management. The law will clamp down, she said, "if software companies keep writing what I believe are unconscionable clauses in their contracts such that their obligations are none and the other side's obligations are many."

Kaner, the expert in flawed software, said he would like to see the software industry and computer users find a middle ground.

"I think it's unreasonable that software customers have no rights," he said. "I think it would be unreasonable, as well, to put software companies at a risk of damages for every defect their product carries because we don't know how to make perfect products, and we could easily destroy the industry by holding it to too high a standard."

But even if courts or legislators limited the protective effects of software licenses, it wouldn't mean certain victory for consumers seeking to hold software companies liable for flaws exploited by viruses. On the contrary, legal experts said, consumers would face the daunting task of proving that a company was negligent in allowing the flaw to exist.

"If you have somebody who's intent on a criminal activity, I can't imagine how you would blame the person who created the weakness unless it was negligent and it was completely foreseeable," said Hwan Kim, co-chair of technology and telecommunications practice in the Washington, D.C., office of law firm Chadbourne & Parke.

That means, for the time being, the best way for consumers to protect themselves may be to watch for security alerts and download patches. But even that isn't a perfect solution. It has been difficult for Microsoft to persuade some individual consumers to take the time to download and install patches. At the same time, hackers have demonstrated the ability to unleash a virus within a few weeks of a flaw's discovery, which is too quick for some companies.

"Most organizations will tell you, if they're honest, that it takes them six to eight weeks to deploy a given patch across a large organization without making it an emergency," said Steve Larsen, CEO of BigFix Inc., an Emeryville, Calif., patch management company. "If they drop everything else, they can probably do it a little faster."
This archive was generated by hypermail 2b30 : Mon Sep 15 2003 - 03:00:51 PDT