Information Security News mailing list archives

Should Microsoft be Liable for Bugs?


From: InfoSec News <isn () c4i org>
Date: Mon, 15 Sep 2003 02:35:42 -0500 (CDT)

Forwarded from: "Kirstan Beeson" <kbeeson () telebyte net>

http://seattlepi.nwsource.com/business/139286_msftliability12.html

By TODD BISHOP
SEATTLE POST-INTELLIGENCER REPORTER
September 12, 2003

A defect is found in one of the world's most popular products. Less
than a month later, its consequences emerge -- idling workers around
the globe, causing huge losses for businesses and generally
inconveniencing hundreds of thousands of people.

Under different circumstances, this scenario might be a class-action
lawyer's dream. But the product in question is software, and the
companies that make it claim special protections from liability
through the licensing deals that come as a condition of using their
programs.

Those protections help shield Microsoft Corp. and other software
companies from paying what could conceivably amount to billions of
dollars in damages. But they're coming under increased scrutiny amid a
rising tide of computer viruses, many of which exploit known flaws in
popular Microsoft programs.

Consumer advocates and some computer users argue that the protections
should be ended or diminished to let businesses and people try to hold
software makers at least partially liable for the effects of product
flaws. Doing so, they say, would make companies such as Microsoft more
accountable, resulting in programs with fewer defects.

"It's crazy that Firestone can produce this tire with a systemic flaw
and they're liable, whereas Microsoft produces an operating system
with two systemic flaws per week and they're not liable," said Bruce
Schneier, chief technical officer at Counterpane Internet Security
Inc. and a longtime advocate of changing the software-liability rules.

Add to the debate the profits Microsoft earns from its lucrative
Windows and Office programs, and some users question why the company
doesn't spend more to make its products more secure. Microsoft last
week reported $8.4 billion in fiscal 2003 operating profit for its
desktop Windows division alone.

"My sense is that they could do a lot more than they are doing to
protect people," said Doug Schuler, a professor who teaches courses on
computers and society at The Evergreen State College. "As a consumer,
I would like them to be more on the hot seat for quality of product.
... They've got the best programmers on the planet, so why does it
seem to be so buggy?"

That issue was underscored this week, when Microsoft released another
security alert -- its 39th this year -- about a "critical" Windows
flaw that could allow a computer to be infiltrated, and urged users to
download a patch to fix the problem.


Who's to blame?

But the software industry and some legal experts contend that to go
after companies such as Microsoft over their product flaws would be to
misplace the blame. After all, it's a criminal act -- the unleashing
of a virus -- that turns the flaw into such a problem for computer
users.

For that reason, some want the government to make an example of the
teenager arrested for allegedly unleashing one variant of the Blaster
worm, which infiltrated computers around the world last month by
exploiting a flaw in Microsoft's Windows operating system.

"We're all hoping he just gets pounded. The consequences should be
very, very high," said Jim Denison, owner and president of Seattle
Micro, a computer support and sales company. "That's where I would lay
the blame, more so than on Microsoft for writing an imperfect
product."

Some experts point out that opening software companies to liability
would increase the prices charged to consumers and keep them from
enjoying the benefits of software features that Microsoft, under
threat of litigation, might deem too risky to release. They also say
lawsuits wouldn't stop or stem the flow of viruses and worms.

"No matter how careful a software code writer and a manufacturer might
be, there is likely to be a more crafty criminal element out there,"
said lawyer Christopher Wolf, partner in the Washington, D.C., office
of law firm Proskauer Rose. "There is no such thing as an absolutely
secure piece of software."

Even if lawsuits were allowed, it isn't clear that there would be
overwhelming public sentiment to sue software companies. Although many
consumers question why the company isn't liable, some people whose
computers were infected by the latest wave of viruses aren't eager to
point the finger at Microsoft.

"It was a pain in the rear, don't get me wrong, but I don't blame
Microsoft as much as I blame the individual" behind the worm, said
Eric Vennes, 36, of Snohomish, whose home computer was infected by
Blaster. "Maybe Microsoft should have been more diligent, but I still
go back to the guy that's sitting in the room 14 hours a day trying to
create havoc."

Others aren't so sure. True, the man accused of hacking may be getting
what he deserves, but Microsoft's role shouldn't be forgotten, said
Maggie Sullivan, 41, a Glenside, Pa., resident who experienced the
latest wave of viruses at the law firm where she works as a Web
content coordinator.

"I don't hate Microsoft; I don't begrudge them their huge marketplace
dominance," Sullivan said. "It just seems to me they have more of a
responsibility to test before they send (their software) out into the
world."

In a report last year, the Computer Science and Telecommunications
Board of the National Research Council recommended that legislators
consider increasing the exposure of software makers and others to
liability for security breaches.

There has been an even greater push overseas to hold Microsoft
accountable. Taiwan's Consumers Foundation is urging Microsoft to
compensate consumers for losses resulting from viruses that attack
software flaws. A South Korean civic group has reportedly sued
Microsoft over the effects of the Slammer worm, which earlier this
year targeted computers running Microsoft's SQL Server software.


The fine print
At the center of the liability debate are the so-called end-user
license agreements, also known as shrink-wrap agreements, that come
with every piece of computer software. Taken as written, they would
prevent businesses and individuals from collecting damages from
software makers for the ill effects of any product flaw, even if the
flaw results from negligence.

Critics point out that consumers don't have any choice but to consent
to such an agreement if they want to use a particular software
program. Often consumers don't even see the agreements until they've
actually made the purchase. As a result, some lawyers say, the deals
could be challenged and possibly negated as so-called contracts of
adhesion, agreements in which one party doesn't truly have any
bargaining power.

"That's an issue that all software vendors face, and I think Microsoft
has a potentially larger challenge there than other parties might have
because of its market strength," said Jeff Harmes, managing partner in
the Seattle office of law firm Gray Cary Ware & Freidenrich.

But since the mid-1990s, a string of court decisions has upheld the
validity of using license agreements to limit a software maker's
liability. Such decisions are premised in part on the concept that a
person or business that buys software doesn't buy a product, but
rather acquires a right, or a license, to use the software.

"A license is an intangible, and so all of the consumer protection
laws that were written to cover every sale of goods become
inapplicable," said Cem Kaner, a lawyer and professor of computer
sciences at the Florida Institute of Technology and an expert on the
subject of flawed software.

That's why software makers aren't held to the same standards of
liability as are manufacturers of other products, such as automobile
tires.

Yet the comparison between tires and software isn't entirely fair,
some experts point out. For one thing, software problems don't
generally result in death or bodily harm. For another, while it's
possible to create a safe tire, no one has figured out yet how to
create completely secure software in an open, complex and
ever-changing system like the Internet.

"We're not living in a stagnant environment, where the tools of
cyber-criminals remain constant," said Microsoft spokesman Sean
Sundwall. "If that were the case, software companies would have this
thing licked."

In a January 2002 memo, Microsoft Chairman Bill Gates launched what
the company calls its Trustworthy Computing initiative, declaring
security and related issues Microsoft's top priority.

Microsoft takes issue with the presumption behind the call for the
ability to sue over product flaws -- that the company isn't doing
enough about security, and that there needs to be some kind of
economic or legal incentive for security to be improved.

"The premise is just flat-out incorrect," Sundwall said. "We're taking
drastic measures to make sure that our software is secure."


A maturing industry

Despite Microsoft's efforts to prevent flaws and to issue patches when
flaws are found, legal experts said the company may find itself facing
increased resistance to the blanket protection from liability it
asserts in its licensing agreements.

A mature industry "has to take its rightful place and follow the rules
that everybody else does," said Frances Zollers, professor of law and
public policy at Syracuse University's Whitman School of Management.
The law will clamp down, she said, "if software companies keep writing
what I believe are unconscionable clauses in their contracts such that
their obligations are none and the other side's obligations are many."

Kaner, the expert in flawed software, said he would like to see the
software industry and computer users find a middle ground.

"I think it's unreasonable that software customers have no rights," he
said. "I think it would be unreasonable, as well, to put software
companies at a risk of damages for every defect their product carries
because we don't know how to make perfect products, and we could
easily destroy the industry by holding it to too high a standard."

But even if courts or legislators limited the protective effects of
software licenses, it wouldn't mean certain victory for consumers
seeking to hold software companies liable for flaws exploited by
viruses.

On the contrary, legal experts said, consumers would face the daunting
task of proving that a company was negligent in allowing the flaw to
exist.

"If you have somebody who's intent on a criminal activity, I can't
imagine how you would blame the person who created the weakness unless
it was negligent and it was completely foreseeable," said Hwan Kim,
co-chair of technology and telecommunications practice in the
Washington, D.C., office of law firm Chadbourne & Parke.

That means, for the time being, the best way for consumers to protect
themselves may be to watch for security alerts and download patches.
But even that isn't a perfect solution.

It has been difficult for Microsoft to persuade some individual
consumers to take the time to download and install patches.

At the same time, hackers have demonstrated the ability to unleash a
virus within a few weeks of a flaw's discovery, which is too quick for
some companies.

"Most organizations will tell you, if they're honest, that it takes
them six to eight weeks to deploy a given patch across a large
organization without making it an emergency," said Steve Larsen, CEO
of BigFix Inc., an Emeryville, Calif., patch management company.

"If they drop everything else, they can probably do it a little
faster."
-
ISN is currently hosted by Attrition.org