Interesting People mailing list archives

more on Deworming the Internet -- addressing market failure in computer security


From: David Farber <dave () farber net>
Date: Wed, 24 Nov 2004 09:43:26 -0500



Begin forwarded message:

From: Douglas Barnes <salguod () mail utexas edu>
Date: November 23, 2004 9:35:47 PM EST
To: jean_camp () harvard edu
Cc: dave () farber net
Subject: RE: [IP] more on Deworming the Internet -- addressing market failure in computer security

Prof. Camp,
 
You raise some good points, and I thank you for pointing me in the direction of some sources that I overlooked.  One lesson I've learned from this -- my first foray in publishing an academic article -- is that it would have been very valuable to circulate drafts more widely before publication.  I had some trepidation about that, but clearly it would have been better to get this sort of feedback when there was time to do something about it.  My bad.
 
Before addressing your specific points, I want to establish some context.  Law reviews are student-run publications, and the members of law review write "notes" in their second year of law school (in my case, that was last year) which are finished shortly after spring break, and are selected for publication in the summer.  These notes are written in addition to quite full academic loads and substantial time commitments to the editorial process of the law review. 
  
It's clear from a quick look at some of the sources you mention that, in the process of writing a paper spanning three disciplines, I overlooked some important work which covered some similar ground.  In particular, my command of the economics literature isn't very strong, but will hopefully improve over time (I feel it improving already ...).  My knowledge of the CS literature is slightly better, and I also rely on my personal experience in that area.  But while I seem to have reinvented the wheel in a few places, it still appears to be round.
 
You have a good time with my use of popular news sources, but bear in mind that for my audience -- a broad cross-section of legal practitioners and academics -- one of my primary hurdles was convincing them that this was an interesting and relevant topic.  In other places where I cite popular news sources, I am discussing the existence and nature of popular discussion and debate.  I notice that the Kannan et al. working paper on vulnerabilities, which you allude to and which I should have cited, also makes use of popular media sources for similar purposes.   
  
You also suggest that I came to this project with a conclusion firmly in mind.  Hardly.  I started with the idea of making a call for judicial expansion of tort liability, inspired by popular calls for "liability."  As I worked through the structure of the market in software of the sort afflicted by worms and viruses, I began to realize that any software publisher that tried to compete by building in good security would tend to get crushed, while a less conscientious publisher would be willing to absorb very large amounts of liability in exchange for winning the standards competition.  I also began to worry about the implications for open source software, which, absent a statutory approach, would simply hang over the heads of developers -- while the doctrine evolved, it would be far from clear that judges would come up with a safe harbor for open source software.   Yes, open-source businesses might, in some cases, provide a more attractive target for lawsuits than open-source contributors, but those contributors would still be on the hook.   Although I don't mention this -- and perhaps should have -- it's fairly obvious that a plaintiffs' lawyer might very well decide to go after both the businesses and the contributors. 
  
Another concern I came to see -- and which I express in the paper -- is that the ad-hoc expansion of tort liability would lead to unpredictable standards and damage awards.  Tort law is developed on a state-by-state basis, and the prospect of fifty different standards evolving on the fly would not be a very stable target for those thinking of continuing to develop software.  This is entirely different from the result of a national standards-setting process which -- as I clearly state -- the software industry could and should be involved with developing (as other industries are involved in their own regulation).  Yes, this might bottom out in a form of tailored liability, but more importantly it would allow the kind of ex-ante planning that would enable software publishers to avoid the race to the bottom without creating anything like the same degree of unpredictability.
 
Best regards,
 
Douglas Barnes
 
 
> -----Original Message-----
> From: owner-ip () v2 listbox com
> [mailto:owner-ip () v2 listbox com] On Behalf Of David Farber
> Sent: Tuesday, November 23, 2004 4:31 PM
> To: Ip
> Subject: [IP] more on Deworming the Internet -- addressing market failure in computer security
>
>
>
>
> Begin forwarded message:
>
> From: jean_camp <jean_camp () harvard edu>
> Date: November 23, 2004 2:47:59 PM EST
> To: dave () farber net
> Subject: Re: [IP] Deworming the Internet -- addressing market failure in computer security
>
> This is not, frankly, good scholarship. The issues addressed here in a cursory way have been addressed in depth in a considerable literature that has been ignored.
>
> The descriptions of possible foundations for torts under California law are informative. In particular the finding that software providers have no duty to provide reliable software is an interesting read. Of course the part that decries the problems with liability all assume that software manufacturers never have a simple duty but rather are immediately hit with strict liability. Burning straw men is fun in the open desert, but more is expected of policy arguments.
>
> For example, the call for bounties is listed as Larry's and not footnoted. That is because the first calls came from outside the legal literature. (Yes, there is a literature not written by lawyers.) Stuart Schechter wrote that up and yes there were Microsoft people who saw his paper well before the bounty was offered. There was even a Boston Globe article that mentions Stuart's work cited - but not Stuart's work.
>
> As for the market for vulnerabilities, and the related work, there are at least a dozen solid (ignored) works. I particularly recommend the work of Rahul at CMU Heinz or the group at UMD. Instead we get the Detroit News and the Washington Monthly. Despite the fact that Varian has published explicitly on information security economics, the author found only "Information Rules". All the economics work, all the theory that would inform this paper remains unaddressed. Three security papers. Pitiful. Why use research when we have USA Today!
>
> Finally, liability is one of the reasons for free software businesses. They give you someone to sue. They make guarantees about the reliability and interoperability of software. They offer branding and trust. Contributions to free software and open code could be covered by good samaritan clauses that hold those who contribute to open source and free software projects for no profit, and perhaps limited to software under some licenses. Of course, the paper has ONE PARAGRAPH on this radical finding, and then notes it only applies "absent safe harbor".
>
> This paper reads as if the author had a conclusion, did some cursory research (I would guess a lexis search on popular press and a legal search) and then used, unread, the references to support the unwarranted conclusion. Even his own words don't support his conclusion - after decrying liability on the basis that it _must_ _mean_ strict liability he effectively proposes it: standards for software providers are suggested. Perhaps failure to meet the standards would create - voilà - liability!
>
> This is not an academic paper. This is a quotable conclusion in verbose but fruitless search of an intellectual foundation.
>
> -Jean
>
>
>
> On Nov 21, 2004, at 11:25 AM, David Farber wrote:
>
> >
> >
> > Begin forwarded message:
> >
> > From: Douglas Barnes <salguod () mail utexas edu>
> > Date: November 20, 2004 10:48:55 AM EST
> > To: dave () farber net
> > Subject: Deworming the Internet -- addressing market failure in computer security
> >
> >
> > Dave--
> >
> > I thought IP folks might be interested in a paper I've written which is just now available on SSRN. In part it's a response to the periodic calls for "liability" (notably from Bruce Schneier) as a mechanism for solving computer problems. The upshot is that I think Bruce is right that there is a need for a regulatory response, but that extending, say, tort liability to software would be a disaster. In addition to my more complicated law & economics argument for why this is, I point out in passing that ordinary tort liability could crush open source software, which has the potential to act as a positive force in addressing the underlying market failure.
> >
> > Links and abstract below.  Comments welcome.
> >
> > Cheers,
> >
> > Douglas Barnes
> >
> > ===========
> >
> >
> > http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID622364_code402123.pdf?abstractid=622364&mirid=1 or http://papers.ssrn.com/abstract=622364
>
> > Abstract:
> > Both law enforcement and markets for software standards have failed to solve the problem of software that is vulnerable to infection by network-transmitted worms. Consequently, regulatory attention should turn to the publishers of worm-vulnerable software. Although ordinary tort liability for software publishers may seem attractive, it would interact in unpredictable ways with the winner-take-all nature of competition among publishers of mass-market, internet-connected software. More tailored solutions are called for, including mandatory "bug bounties" for those who find potential vulnerabilities in software, minimum quality standards for software, and, once the underlying market failure is remedied, liability for end users who persist in using worm-vulnerable software.
>
>
> -------------------------------------
> You are subscribed as Jean_Camp () harvard edu
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at: 
> http://www.interesting-people.org/archives/interesting-people/
>
