Free Republic

Should Microsoft be liable for bugs? Consumer advocates argue software makers should pay....
seattlepi.com

Posted on 09/12/2003 7:11:57 AM PDT by Sub-Driver

SEATTLE POST-INTELLIGENCER http://seattlepi.nwsource.com/business/139286_msftliability12.html

Should Microsoft be liable for bugs? Consumer advocates argue software makers should pay for damage from viruses

Friday, September 12, 2003

By TODD BISHOP SEATTLE POST-INTELLIGENCER REPORTER

A defect is found in one of the world's most popular products. Less than a month later, its consequences emerge -- idling workers around the globe, causing huge losses for businesses and generally inconveniencing hundreds of thousands of people.

Under different circumstances, this scenario might be a class-action lawyer's dream. But the product in question is software, and the companies that make it claim special protections from liability through the licensing deals that come as a condition of using their programs.

Those protections help shield Microsoft Corp. and other software companies from paying what could conceivably amount to billions of dollars in damages. But they're coming under increased scrutiny amid a rising tide of computer viruses, many of which exploit known flaws in popular Microsoft programs.

Consumer advocates and some computer users argue that the protections should be ended or diminished to let businesses and people try to hold software makers at least partially liable for the effects of product flaws. Doing so, they say, would make companies such as Microsoft more accountable, resulting in programs with fewer defects.

"It's crazy that Firestone can produce this tire with a systemic flaw and they're liable, whereas Microsoft produces an operating system with two systemic flaws per week and they're not liable," said Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. and a longtime advocate of changing the software-liability rules.

Add to the debate the profits Microsoft earns from its lucrative Windows and Office programs, and some users question why the company doesn't spend more to make its products more secure. Microsoft last week reported $8.4 billion in fiscal 2003 operating profit for its desktop Windows division alone.

"My sense is that they could do a lot more than they are doing to protect people," said Doug Schuler, a professor who teaches courses on computers and society at The Evergreen State College. "As a consumer, I would like them to be more on the hot seat for quality of product. ... They've got the best programmers on the planet, so why does it seem to be so buggy?"

That issue was underscored this week, when Microsoft released another security alert -- its 39th this year -- about a "critical" Windows flaw that could allow a computer to be infiltrated, and urged users to download a patch to fix the problem.

Who's to blame?

But the software industry and some legal experts contend that to go after companies such as Microsoft over their product flaws would be to misplace the blame. After all, it's a criminal act -- the unleashing of a virus -- that turns the flaw into such a problem for computer users.

For that reason, some want the government to make an example of the teenager arrested for allegedly unleashing one variant of the Blaster worm, which infiltrated computers around the world last month by exploiting a flaw in Microsoft's Windows operating system.

"We're all hoping he just gets pounded. The consequences should be very, very high," said Jim Denison, owner and president of Seattle Micro, a computer support and sales company. "That's where I would lay the blame, more so than on Microsoft for writing an imperfect product."

Some experts point out that opening software companies to liability would increase the prices charged to consumers and keep them from enjoying the benefits of software features that Microsoft, under threat of litigation, might deem too risky to release. They also say lawsuits wouldn't stop or stem the flow of viruses and worms.

"No matter how careful a software code writer and a manufacturer might be, there is likely to be a more crafty criminal element out there," said lawyer Christopher Wolf, partner in the Washington, D.C., office of law firm Proskauer Rose. "There is no such thing as an absolutely secure piece of software."

Even if lawsuits were allowed, it isn't clear that there would be overwhelming public sentiment to sue software companies. Although many consumers question why the company isn't liable, some people whose computers were infected by the latest wave of viruses aren't eager to point the finger at Microsoft.

"It was a pain in the rear, don't get me wrong, but I don't blame Microsoft as much as I blame the individual" behind the worm, said Eric Vennes, 36, of Snohomish, whose home computer was infected by Blaster. "Maybe Microsoft should have been more diligent, but I still go back to the guy that's sitting in the room 14 hours a day trying to create havoc."

Others aren't so sure. True, the man accused of hacking may be getting what he deserves, but Microsoft's role shouldn't be forgotten, said Maggie Sullivan, 41, a Glenside, Pa., resident who experienced the latest wave of viruses at the law firm where she works as a Web content coordinator.

"I don't hate Microsoft; I don't begrudge them their huge marketplace dominance," Sullivan said. "It just seems to me they have more of a responsibility to test before they send (their software) out into the world."

In a report last year, the Computer Science and Telecommunications Board of the National Research Council recommended that legislators consider increasing the exposure of software makers and others to liability for security breaches.

There has been an even greater push overseas to hold Microsoft accountable. Taiwan's Consumers Foundation is urging Microsoft to compensate consumers for losses resulting from viruses that attack software flaws. A South Korean civic group has reportedly sued Microsoft over the effects of the Slammer worm, which earlier this year targeted computers running Microsoft's SQL Server software.

The fine print

At the center of the liability debate are the so-called end-user license agreements, also known as shrink-wrap agreements, that come with every piece of computer software. Taken as written, they would prevent businesses and individuals from collecting damages from software makers for the ill effects of any product flaw, even if the flaw results from negligence.

Critics point out that consumers don't have any choice but to consent to such an agreement if they want to use a particular software program. Often consumers don't even see the agreements until they've actually made the purchase. As a result, some lawyers say, the deals could be challenged and possibly negated as so-called contracts of adhesion, agreements in which one party doesn't truly have any bargaining power.

"That's an issue that all software vendors face, and I think Microsoft has a potentially larger challenge there than other parties might have because of its market strength," said Jeff Harmes, managing partner in the Seattle office of law firm Gray Cary Ware & Freidenrich.

But since the mid-1990s, a string of court decisions has upheld the validity of using license agreements to limit a software maker's liability. Such decisions are premised in part on the concept that a person or business that buys software doesn't buy a product, but rather acquires a right, or a license, to use the software.

"A license is an intangible, and so all of the consumer protection laws that were written to cover every sale of goods become inapplicable," said Cem Kaner, a lawyer and professor of computer sciences at the Florida Institute of Technology and an expert on the subject of flawed software.

That's why software makers aren't held to the same standards of liability as are manufacturers of other products, such as automobile tires.

Yet the comparison between tires and software isn't entirely fair, some experts point out. For one thing, software problems don't generally result in death or bodily harm. For another, while it's possible to create a safe tire, no one has figured out yet how to create completely secure software in an open, complex and ever-changing system like the Internet.

"We're not living in a stagnant environment, where the tools of cyber-criminals remain constant," said Microsoft spokesman Sean Sundwall. "If that were the case, software companies would have this thing licked."

In a January 2002 memo, Microsoft Chairman Bill Gates launched what the company calls its Trustworthy Computing initiative, declaring security and related issues Microsoft's top priority.

Microsoft takes issue with the presumption behind the call for the ability to sue over product flaws -- that the company isn't doing enough about security, and that there needs to be some kind of economic or legal incentive for security to be improved.

"The premise is just flat-out incorrect," Sundwall said. "We're taking drastic measures to make sure that our software is secure."

A maturing industry

Despite Microsoft's efforts to prevent flaws and to issue patches when flaws are found, legal experts said the company may find itself facing increased resistance to the blanket protection from liability it asserts in its licensing agreements.

A mature industry "has to take its rightful place and follow the rules that everybody else does," said Frances Zollers, professor of law and public policy at Syracuse University's Whitman School of Management. The law will clamp down, she said, "if software companies keep writing what I believe are unconscionable clauses in their contracts such that their obligations are none and the other side's obligations are many."

Kaner, the expert in flawed software, said he would like to see the software industry and computer users find a middle ground.

"I think it's unreasonable that software customers have no rights," he said. "I think it would be unreasonable, as well, to put software companies at a risk of damages for every defect their product carries because we don't know how to make perfect products, and we could easily destroy the industry by holding it to too high a standard."

But even if courts or legislators limited the protective effects of software licenses, it wouldn't mean certain victory for consumers seeking to hold software companies liable for flaws exploited by viruses.

On the contrary, legal experts said, consumers would face the daunting task of proving that a company was negligent in allowing the flaw to exist.

"If you have somebody who's intent on a criminal activity, I can't imagine how you would blame the person who created the weakness unless it was negligent and it was completely foreseeable," said Hwan Kim, co-chair of technology and telecommunications practice in the Washington, D.C., office of law firm Chadbourne & Parke.

That means, for the time being, the best way for consumers to protect themselves may be to watch for security alerts and download patches. But even that isn't a perfect solution.

It has been difficult for Microsoft to persuade some individual consumers to take the time to download and install patches.

At the same time, hackers have demonstrated the ability to unleash a virus within a few weeks of a flaw's discovery, which is too quick for some companies.

"Most organizations will tell you, if they're honest, that it takes them six to eight weeks to deploy a given patch across a large organization without making it an emergency," said Steve Larsen, CEO of BigFix Inc., an Emeryville, Calif., patch management company.

"If they drop everything else, they can probably do it a little faster."


TOPICS: Culture/Society; Front Page News; Government; News/Current Events; Technical
KEYWORDS: computersecurity; lowqualitycrap; microsoft; windows

1 posted on 09/12/2003 7:11:59 AM PDT by Sub-Driver

To: All
But the product in question is software, and the companies that make it claim special protections from liability through the licensing deals that come as a condition of using their programs.

Right. If you don't like it and/or believe the risk is too much to bear, you can (1) take your business elsewhere, (2) write your own software, or (3) avoid software altogether and do your thing the old-fashioned way.

Whining is not the only option.

2 posted on 09/12/2003 7:29:32 AM PDT by newgeezer (Admit it. Amendment XIX is very much to blame (and, yes, I'm happily married to one who agrees).)

To: Sub-Driver
Should Microsoft be liable for bugs? YES
3 posted on 09/12/2003 7:30:18 AM PDT by ARCADIA (Abuse of power comes as no surprise)

To: Sub-Driver
I remember years ago, when few of the CDROM games ever worked, until patches were downloaded. Defective products were released, causing consumers huge amounts of aggravation. Then there was a video card that shared a memory address with COM4, which was the default port for many modems...and on and on.

In no other field would an absent warranty of merchantability be tolerated.

Software companies have been getting away with this for a long time. Why are they "special", and exempted from any consequences for rushing defective products to market? Just because their products were written by thousands of Dilberts in thousands of different cubicles?

4 posted on 09/12/2003 7:33:00 AM PDT by Gorzaloon (Contents may have settled during shipping, but this tagline contains the stated product weight.)

To: newgeezer
If you don't like it and/or believe the risk is too much to bear, you can (1) take your business elsewhere, (2) write your own software, or (3) avoid software altogether and do your thing the old-fashioned way.

...and, if your medicine kills you because it was contaminated at the production facility, you should buy someone else's, make your own, or go without...

Perhaps Microsoft should focus more on writing and proofing code and less on marketing untested garbage.
5 posted on 09/12/2003 7:35:19 AM PDT by ARCADIA (Abuse of power comes as no surprise)

To: Sub-Driver
I think the reverse should be true: companies should be held liable for using Microsoft products. Spread a virus, pay me money.

That will clean up this mess pretty quickly.
6 posted on 09/12/2003 7:36:16 AM PDT by lelio

To: Sub-Driver

NO!

You fools who think that everything must be 100% perfect or you sue!

Why does a car cost $20-30,000 for a basic sedan? Because the 100% trouble free sue happy idiots out there forced the manufacturers to pre-charge you for the repairs.

Are you really so naive to think that you DON'T pay for that?

You want to DESTROY this country? SUE everyone you can so NO ONE will want to do anything - NO CREATIVITY - NO RISK - NO HONOR - NO FREEDOMS ----

Welcome to the STALAG, Comrade

If you do not like the software - easy - don't buy it. Do NOT destroy the company.

Are YOU 100% perfect? Or should we bow before you?
7 posted on 09/12/2003 7:41:20 AM PDT by steplock (www.FOCUS.GOHOTSPRINGS.com)

To: Sub-Driver
The market will deal with them in due time. No need for laws.
8 posted on 09/12/2003 7:44:30 AM PDT by sigSEGV

To: Gorzaloon
Then there was a video card that shared a memory address with COM4, which was the default port for many modems...and on and on .... Software companies have been getting away with this for a long time.

Uh, that's a hardware problem, not a software problem. Guess you should sic your lawyers on IBM, US Robotics, and S3 for making and using an open specification. While you're at it, sic the lawyers on Novell, too, since their NE2000 card overlapped the IO space of some video cards.

9 posted on 09/12/2003 7:52:14 AM PDT by mikegi

To: mikegi
Uh, that's a hardware problem, not a software problem. Guess you should sic your lawyers on IBM, US Robotics, and S3 for making and using an open specification. While you're at it, sic the lawyers on Novell, too, since their NE2000 card overlapped the IO space of some video cards.

Firmware, fixed by a romflash. The point is the manufacturers have a very good idea about what the installed base is and what addresses are used by common devices, and made no effort at all to think about it.

If we universally agree that popular cars run on 87 octane, then it is reasonable to assume Shell will not be selling kerosene, or something else that will not run with the installed base. What's the difference between the two instances? Those memory addresses for I/O are not just arbitrarily plucked off a dartboard.

10 posted on 09/12/2003 8:00:41 AM PDT by Gorzaloon (Contents may have settled during shipping, but this tagline contains the stated product weight.)

To: Sub-Driver
If I buy a car, drive it off the show-room floor and it dies at the first traffic signal, I'm protected by warranty and the manufacturer will make good any and all repairs which need to be done.

If I've had the car 5 years or completed a certain number of miles, I'm deemed to have used the car sufficiently for any defects in performance to be my responsibility. Now some cars go for 20 years, long after their warranty has expired, without so much as the need for anything more than an oil change, a new battery and a brake job. Others die the day after their warranty expires. This difference is no doubt due, at least in part, to a difference in product quality apart from the wear and tear which I have contributed. Should we sue those automakers whose cars do not meet our expectations?

Further, if someone deliberately breaks into my car, pours sugar in the gas tank and cuts the coolant hose, so that my vehicle is no longer usable, should I sue the maker for not making a more secure vehicle?

The "I hate Bill Gates club", strikes again. Whining, crying ninnies.

If Microsoft ever does make a product which is impervious to each and every malicious attempt to compromise its function, they will have achieved a first in the recorded history of consumer affairs.

And the MS haters will still whine.

11 posted on 09/12/2003 8:08:05 AM PDT by marshmallow

To: Gorzaloon
If we universally agree that popular cars run on 87 octane, then it is reasonable to assume Shell will not be selling kerosene, or something else that will not run with the installed base.

My local Shell station sells diesel fuel. It isn't compatible with my car. Can I join your lawsuit parade now?

What's the difference between the two instances? Those memory addresses for I/O are not just arbitrarily plucked off a dartboard.

There is/was no Soviet grand council that approved IO address usage. I made a board for my own use and chose its IO address, without getting approval from anyone. BTW, IO addresses are not "memory addresses". Different instructions with very different implementations.

12 posted on 09/12/2003 8:20:55 AM PDT by mikegi

To: Sub-Driver
Most people have their minds made up on this one. I'll post my 2 cents worth anyway.
First - Microsoft is the typical case of someone/something that becomes so successful that everyone hates it. Everyone wants to tear Microsoft down. Microsoft isn't perfect. But, compare Windows XP to Windows 3.0. Geez, they have done a lot. Let's not sap them of their ability to create by suing them anytime anything goes wrong. They DO try to fix it, (patches). There are alternatives, (Linux).
Second - You can't compare software to tires or cars. If the software has a problem, your pc doesn't blow up and kill you. If your tires blow up at 60mph, that's different. Also, this is a malicious attack. Do we hold Firestone responsible if someone knifes your tires? Do we hold GM responsible if someone keys the paint on your car? NO.

C'mon people, let's get out of the victim/litigate mindset. If there were a class action against Microsoft, the typical user would get 37 cents back and the lawyers would get rich!

Finally, this is a setup for the palladium hardware/software platform. Be careful what you wish for! Palladium will strictly control your pc. Nothing will get in that you don't have rights to. Nothing. It will solve music file sharing, software "borrowing". And be VERY restrictive. I, for one, hope to be completely on Linux by the time palladium takes hold of the market.
13 posted on 09/12/2003 8:26:34 AM PDT by brownsfan

To: mikegi
Can I join your lawsuit parade now?

You would when you bought an air conditioner that did not work till you ran out and got a freon "patch" for it to charge it with, or a car that would not run till you replaced the valves with a needed "patch", or a television that would not run until you upgraded it with some needed soldering.

What is the problem with having a product work out of the box? Why is it ONLY this field that people just shrug and endure it? What is so unreasonable about expecting a purchased product to work?

14 posted on 09/12/2003 8:32:22 AM PDT by Gorzaloon (Contents may have settled during shipping, but this tagline contains the stated product weight.)

To: Gorzaloon
Where can I sign on? Sue the cr.. out of them!
15 posted on 09/12/2003 8:34:13 AM PDT by observer5

To: ARCADIA
...and, if your medicine kills you because it was contaminated at the production facility, you should buy someone else's, make your own, or go without...

So many ways to respond...

  1. Absolutely. I've no problem with that. Life here is but a blink of an eye in the scope of eternity.
  2. Puh-leeze. Comparing MS security lapses to bad medicine is like comparing a misdirected golf ball to a misguided Polaris missile. (Point: They're not the same.)
  3. So, you want the FDA's regulatory powers expanded to testing and approving software, eh? How liberal of you.

16 posted on 09/12/2003 8:34:24 AM PDT by newgeezer (Just my opinion, of course. Your mileage may vary. You have the right to be wrong.)

To: steplock
If you do not like the software - easy - don't buy it. Do NOT destroy the company.

I DON'T buy Microsoft products, but I'm still affected by their crappy software.

I had to get someone's Internet connection terminated last week because his Slammer worm was killing my Mac's connection on our shared subnet. His Windows computer was spewing out hundreds of viruses per second - and I'm told that the owner of that computer was a Microsoft Certified "Engineer".

If I was a litigious person, I'd have an excellent case to sue Microsoft. I have the right to sue them because I didn't sign my rights away with their End User License Agreement. But Windows users do not have that right.

17 posted on 09/12/2003 8:36:11 AM PDT by HAL9000

To: Sub-Driver
Only if the attack came before the fix. The patch to avoid MSBlast had been out a month, anybody that had left their AutoUpdate set to default (which doesn't include me) had the fix before the virus came around, anybody that changed the settings on AutoUpdate did so at their own risk.
18 posted on 09/12/2003 8:39:50 AM PDT by discostu (just a tuna sandwich from another catering service)

To: ARCADIA
...and, if your medicine kills you because it was contaminated at the production facility, you should buy someone else's, make your own, or go without...

Sorry, but there are laws about making drugs in your home.

19 posted on 09/12/2003 8:48:12 AM PDT by doc30

To: Gorzaloon
You would when you bought an air conditioner that did not work till you ran out and got a freon "patch" for it to charge it with, or a car that would not run till you replaced the valves with a needed "patch", or a television that would not run until you upgraded it with some needed soldering.

So, are you saying that you have never been able to run Windows without patching it? That's strange because hundreds of millions of people around the world are successfully running it right now. I've even managed to install and run Windows myself a few times.

What is the problem with having a product work out of the box? Why is it ONLY this field that people just shrug and endure it? What is so unreasonable about expecting a purchased product to work?

Windows works "out of the box" with thousands of different 2d video cards, 3d video cards, motherboards, processors, sound cards, 1394 cards, USB ports, SCSI cards, IDE ports, inkjet printers, laserjet printers, mice, keyboards, etc., etc from hundreds of different companies. Then there are the tens of thousands of win32 applications.

Of course, this is a free country. No one is forcing you to run Windows or any other Microsoft product. Write your own operating system! You may learn to have respect for Windows' capabilities after you try to emulate 0.00001% of what it does.

20 posted on 09/12/2003 8:48:43 AM PDT by mikegi

