Computers, Privacy & the Constitution

AndreiVoinigescuFirstPaper 13 - 05 Jan 2010 - Main.IanSullivan
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="FirstPaper"
>
>
META TOPICPARENT name="OldPapers"
 

Making Microsoft Pay for Windows' Shoddy Security

-- By AndreiVoinigescu - 07 Apr 2009


AndreiVoinigescuFirstPaper 12 - 15 Apr 2009 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"

Making Microsoft Pay for Windows' Shoddy Security

Line: 58 to 58
 After Microsoft patched some of the NetBIOS vulnerabilities the Conficker worm was using to spread, the worm modified its behavior to spread via USB drives. Windows sets the autorun on by default for USB drives, though users can disable it manually. Changing the default to off seems like the kind of design decision that would increase security at minimal cost. Should Microsoft be able to ignore changes like that by merely warning users about the danger of autorun?

-- AndreiVoinigescu - 14 Apr 2009

Added:
>
>
  • As a lawyer for people who make software, I'm not sure why I want compulsory warranties. As you make clear yourself, the task of security-testing and patch distribution can be a third-party service generating value and therefore compelling payment, for FOSS. Third-party warranties are worth allowing for, in a market where no vendor warrants mass-market software with respect to security. Imposing warranties on a market that uniformly shuns them is likely to have some pretty substantial side-effects, which you don't make any attempt to estimate or allow for.

  • From Microsoft's point of view, requiring publication of Windows source code would be to take the predominant part of the product's value. That's obviously excessive even in relation to the harm done, unless you have somehow decided that software unlike everything else should be sold on terms that prohibit limitation of liability for consequential economic harms, which is an eye-popping act of legal discrimination against software industries. This is about Adobe, too, after all, and--in light, for example, of the OpenSSL fiasco over at Debian--about us.

  • At the end of the day, it seems to me, you are making an antitrust complaint: MS as monopolist has produced low-quality goods, and has deprived the consumer at every turn of the opportunity to use interoperable software of higher quality that MS could find any way, fair or foul, to drive out of the market. Now you are trying to impose liability for the resulting low security of the network on MS. I'm not sure why you aren't also trying to impose the lost worktime costs, global warming costs, the landfill costs, and many other costs arising from the poor performance, instability, bloat, unnecessary hardware obsolescence and other similarly expensive and disgraceful features of monopoly software. Maybe you too over-emphasize the whole cyberwar schtick?

  • From my point of view, the question of policy should be made on the assumption that the Free World, not MS, will be the dominant supplier of software at the end of the next decade. The solution is not tort liability for economic harms arising from security breaches, but a system of security laboratories funded as all educational activity is funded and as commercial activities are funded, all providing patches to the copyleft commons, thus ensuring rapid and effective immunological adaptation. Getting there is not about making and destroying tort rules to distort the market against MS, but rather about urging people to replace insecure software, like MS products, with securer software, made by freedom.
 
 

AndreiVoinigescuFirstPaper 11 - 14 Apr 2009 - Main.AndreiVoinigescu
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="FirstPaper%25"
>
>
META TOPICPARENT name="FirstPaper"
 

Making Microsoft Pay for Windows' Shoddy Security

-- By AndreiVoinigescu - 07 Apr 2009

Line: 7 to 7
 

Introduction

Changed:
<
<
Conficker was hypothesized by some as the progenitor of a cyber-9/11. The worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines.
>
>
Conficker is the latest in a series of malware exploiting security vulnerabilities in the Windows operating system and other commonly-used Microsoft software. The 'worm' has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines. Given its unprecedented spread, the Conficker botnet might even be able to orchestrate the internet equivalent of the 9/11 or Pearl Harbor attacks.
 Lost productivity caused by malware and the costs of anti-malware measures is in the billions, and rising. Cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement have seized upon the cost of malware as part of their rhetoric. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.
Line: 47 to 47
 It seems, to me at least, that smart computing has a large effect on whether a PC is able to avoid being turned into a zombie, either by running recommended security measures (as listed above), or by not running random .exe files sent by strangers, with the subject line "ILOVEYOU."

-- JonathanBonilla - 11 Apr 2009

Added:
>
>

Jonathan -- good point about the link. I had linked Wired blog as shorthand to aggregate a number of different articles about the Conficker worm, but I can see how it undercuts my argument. On further consideration, I've revised that paragraph.

You raise two interesting substantive points, both arguments which Microsoft would probably seize upon if sued. I will concede that 'smart computing' reduces the risk from malware substantially. As may warnings -- though I would argue that the over-reliance on warning dialogs in Vista is actually detrimental to security, since the annoyance factor convinces many users to just turn the warnings off or subconsciously ignore them.

Can Microsoft discharge its duty of care/design responsibilities with warnings and partial fixes? I would argue that it can't, though I think this is an unsettled area of tort law. But it seems to me that claiming 'my product is pretty safe, and in any case, I warn users of the danger' shouldn't be enough when you can take additional precautions that have a favorable cost:benefit ratio.

After Microsoft patched some of the NetBIOS vulnerabilities the Conficker worm was using to spread, the worm modified its behavior to spread via USB drives. Windows sets the autorun on by default for USB drives, though users can disable it manually. Changing the default to off seems like the kind of design decision that would increase security at minimal cost. Should Microsoft be able to ignore changes like that by merely warning users about the danger of autorun?

-- AndreiVoinigescu - 14 Apr 2009

 
 

AndreiVoinigescuFirstPaper 10 - 11 Apr 2009 - Main.JonathanBonilla
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"

Making Microsoft Pay for Windows' Shoddy Security

Line: 38 to 38
 The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combating malware, those costs will only be passed on to the consumer. A higher price for Windows might encourage free software adoption, but I suspect the effect will be marginal; most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince more software vendors to abandon attempts at security through obscurity, and to democratize the patching of vulnerabilities. Holding software vendors liable for negligent security practices should go a long way towards securing both the network and the devices attached to it. It may also ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology regulating greater and greater portions of our lives remain transparent.
Added:
>
>

Perhaps a minor first point, but I think linking to a blog that makes fun of the Conficker "threat" is hardly the way to establish that it is in fact a threat.

For substance, I'm curious as to how you would respond to the argument that when Windows is used "as directed," namely with Windows Defender active, Auto-updates, third-party virus scan, Windows Firewall, and User Account Control ... that the threat of virus / spyware infection is quite minimal. (Indeed, in Vista various warnings will now be provided if these systems are disabled, thus reducing the mystery behind keeping one's system safe, though earlier versions did not have such warning)

It seems, to me at least, that smart computing has a large effect on whether a PC is able to avoid being turned into a zombie, either by running recommended security measures (as listed above), or by not running random .exe files sent by strangers, with the subject line "ILOVEYOU."

-- JonathanBonilla - 11 Apr 2009

 
 

AndreiVoinigescuFirstPaper 9 - 10 Apr 2009 - Main.AndreiVoinigescu
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"

Making Microsoft Pay for Windows' Shoddy Security

Line: 18 to 18
 The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Given that this is a mass-market form contract and that Microsoft enjoys a somewhat dominant position in the operating system market, there's a plausible argument that these clauses are procedurally unconscionable; a contract of adhesion--see Comb v. PayPal Inc. for analogous circumstances. Of course, substantial unconscionability will be harder to establish.
Changed:
<
<
And there's another problem: unconscionability necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.
>
>
And substantial unconscionability is really the problem: it necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.
 

Tort Law to the Rescue?

Tort liability is a better avenue for forcing software companies to absorb the costs of the security vulnerabilities in their products. Malware, after all, exploits design flaws and shoddy programming and quality assurance practices during the software development cycle. The EULA's damages limitations would fall out of the picture, since tort liability can't be contractually disclaimed. However, for a tort claim to succeed, whether sounding in negligence or for design defect, one would have to show that Microsoft could be handling Windows' security vulnerabilities in a better way, and that tort law is the appropriate mechanism for distributing the costs of malware among the various parties involved.

Negligence/Defective Design

Changed:
<
<
Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and unofficial patches would decrease the response time for known issues, especially when dealing with low-priority fixes that affect only a fraction of users. Microsoft isn't in the business of providing security fixes, and copyright law would still protect its operating system from outright copying or derivation even if the source code is released. And while hackers might have an easier time exploiting vulnerabilities with access to the source code, years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides.
>
>
Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and peer review of design decisions involving security compromises often produces more elegant alternative solutions. Unofficial patches would decrease the response time for known issues, especially when dealing with low-priority fixes that affect only a fraction of users.
 
Changed:
<
<

Getting Past the Economic Loss Rule

Thus, we have a straightforward argument that Microsoft's anti-malware measures are negligent. But the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of disappointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves.
>
>
Years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides. Secrecy is not much of an obstacle for hackers who can repeatedly probe a networked machine for vulnerabilities, but it does slow down coordinated response to vulnerabilities once discovered. Ultimately, Microsoft isn't in the business of providing security fixes; copyright law would still protect its operating system from outright copying or derivation even if the source code is released.
 
Changed:
<
<
There may be merits to such an approach where privity exists between the software vendor and the person suffering the economic loss. But vulnerabilities in Windows machines are used to create botnets, and the spam and denial-of-service attacks these botnets generate burden all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex ante among all affected parties are too high.
>
>

Getting Past the Economic Loss Rule

Establishing negligent security practices is not enough; the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of disappointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves. All true--but only where privity exists between the software vendor and the person suffering the economic loss. Spam and denial-of-service attacks, however, are a burden on all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex ante among all affected parties are too high.
 Many states recognize an exception to the economic loss rule where a product causes damage to property other than itself. This exception can be stretched to cover malware by borrowing the definition of damages used in the context of electronic trespass to chattels, where cases like Ebay, Inc. v. Bidder's Edge, Inc. treat unauthorized deprivation of network bandwidth and processing time as an actionable harm to property.

Conclusion

Changed:
<
<
The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combatting malware, those costs will only be passed on to the consumer. While this result would be desirable if the higher cost of windows products led to greater adoption of free software, such market correction is improbable. Most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince proprietary software companies to abandon attempts at security through obscurity in favor of making their source code available (and, even better, licensing their users to patch security vulnerabilities themselves on a limited non-commercial basis). Adopting such a practice would make a big difference in the long run towards securing both the network and the devices attached to it. It would ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology responsible for controlling greater and greater portions of our lives stay transparent.
>
>
The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combating malware, those costs will only be passed on to the consumer. A higher price for Windows might encourage free software adoption, but I suspect the effect will be marginal; most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince more software vendors to abandon attempts at security through obscurity, and to democratize the patching of vulnerabilities. Holding software vendors liable for negligent security practices should go a long way towards securing both the network and the devices attached to it. It may also ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology regulating greater and greater portions of our lives remain transparent.
 
 

AndreiVoinigescuFirstPaper 8 - 10 Apr 2009 - Main.AndreiVoinigescu
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"

Making Microsoft Pay for Windows' Shoddy Security

Line: 7 to 7
 

Introduction

Changed:
<
<
Conficker was hypothesized by some as the progenitor of a cyber-9/11. Since its initial discovery in November, the worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including French, British and German military networks. These computers--a vast network of zombie machines, or botnet--await instructions from the worm's creator. Botnets are commonly used to generate spam messages, to overload and thus block access to certain websites or networked services in denial-of-service attacks, or to fetch sensitive data (such as passwords and credit card information) from the machines they infest. The lost productivity caused by malware and the costs of anti-malware measures is staggering, and rising: $13.3 billion in 2006, up from $3.3 billion in 1997. It plays an essential part in the rhetoric employed by those who want to chip away at anonymity on the internet: cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.
>
>
Conficker was hypothesized by some as the progenitor of a cyber-9/11. The worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines.
 
Changed:
<
<
But litigation--class action lawsuits on behalf of the owners of infected computers--could provide an alternative; a way to force Microsoft and other proprietary software companies to internalize more of the costs of malware prevention and cleanup. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and only Microsoft can patch. While such an outcome, in Microsoft's case, might be both the most economically efficient result and the most appealing to intrinsic fairness, those seeking to initiate such lawsuits should be cautious. As I outline below, there are several legal hurdles that a class action lawsuit must overcome. The legal theories we adopt in such litigation must be narrow enough so that we do not end up imposing blanket liability for security vulnerabilities on every programmer who publicly releases code.
>
>
Lost productivity caused by malware and the costs of anti-malware measures is in the billions, and rising. Cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement have seized upon the cost of malware as part of their rhetoric. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.

But class action litigation could provide an alternative; a way to force software vendors to internalize more of the costs of malware prevention and cleanup, to steal the walled network movement's thunder. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and only Microsoft can patch. Could an enterprising plaintiff's lawyer make Microsoft pay? We need a legal theory for liability strong enough to stimulate salutary changes in the software ecosystem but narrow enough not to impose blanket liability for security vulnerabilities on every programmer who publicly releases code.

 

Seeking a Remedy in Contract Law

Changed:
<
<
The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Since the EULA is a form contract and since Microsoft enjoys a somewhat dominant position in the operating system market, there might be a plausible argument that these clauses are procedurally unconscionable as a contract of adhesion (see Comb v. PayPal Inc. for a comparable situation), but substantial unconscionability will be harder to establish. But a theory of unconscionability necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of judicial discretion into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties contingent on a judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.
>
>
The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Given that this is a mass-market form contract and that Microsoft enjoys a somewhat dominant position in the operating system market, there's a plausible argument that these clauses are procedurally unconscionable; a contract of adhesion--see Comb v. PayPal Inc. for analogous circumstances. Of course, substantial unconscionability will be harder to establish.

And there's another problem: unconscionability necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.

 

Tort Law to the Rescue?


AndreiVoinigescuFirstPaper 7 - 10 Apr 2009 - Main.DanielHarris
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"

Making Microsoft Pay for Windows' Shoddy Security

Line: 32 to 32
 

Conclusion

The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combatting malware, those costs will only be passed on to the consumer. While this result would be desirable if the higher cost of windows products led to greater adoption of free software, such market correction is improbable. Most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince proprietary software companies to abandon attempts at security through obscurity in favor of making their source code available (and, even better, licensing their users to patch security vulnerabilities themselves on a limited non-commercial basis). Adopting such a practice would make a big difference in the long run towards securing both the network and the devices attached to it. It would ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology responsible for controlling greater and greater portions of our lives stay transparent.


AndreiVoinigescuFirstPaper 6 - 09 Apr 2009 - Main.AndreiVoinigescu
Changed:
<
<
Revision 5 is unreadable
>
>
META TOPICPARENT name="FirstPaper%25"

Making Microsoft Pay for Windows' Shoddy Security

-- By AndreiVoinigescu - 07 Apr 2009

Introduction

Conficker was hypothesized by some as the progenitor of a cyber-9/11. Since its initial discovery in November, the worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including French, British and German military networks. These computers--a vast network of zombie machines, or botnet--await instructions from the worm's creator. Botnets are commonly used to generate spam messages, to overload and thus block access to certain websites or networked services in denial-of-service attacks, or to fetch sensitive data (such as passwords and credit card information) from the machines they infest. The lost productivity caused by malware and the costs of anti-malware measures is staggering, and rising: $13.3 billion in 2006, up from $3.3 billion in 1997. It plays an essential part in the rhetoric employed by those who want to chip away at anonymity on the internet: cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.

But litigation--class action lawsuits on behalf of the owners of infected computers--could provide an alternative; a way to force Microsoft and other proprietary software companies to internalize more of the costs of malware prevention and cleanup. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and only Microsoft can patch. While such an outcome, in Microsoft's case, might be both the most economically efficient result and the most appealing to intrinsic fairness, those seeking to initiate such lawsuits should be cautious. As I outline below, there are several legal hurdles that a class action lawsuit must overcome. The legal theories we adopt in such litigation must be narrow enough so that we do not end up imposing blanket liability for security vulnerabilities on every programmer who publicly releases code.

Seeking a Remedy in Contract Law

The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Since the EULA is a form contract and since Microsoft enjoys a somewhat dominant position in the operating system market, there might be a plausible argument that these clauses are procedurally unconscionable as a contract of adhesion (see Comb v. PayPal Inc. for a comparable situation), but substantial unconscionability will be harder to establish. But a theory of unconscionability necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of judicial discretion into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties contingent on a judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.

Tort Law to the Rescue?

Tort liability is a better avenue for forcing software companies to absorb the costs of the security vulnerabilities in their products. Malware, after all, exploits design flaws and shoddy programming and quality assurance practices during the software development cycle. The EULA's damages limitations would fall out of the picture, since tort liability can't be contractually disclaimed. However, for a tort claim to succeed, whether sounding in negligence or for design defect, one would have to show that Microsoft could be handling Windows' security vulnerabilities in a better way, and that tort law is the appropriate mechanism for distributing the costs of malware among the various parties involved.

Negligence/Defective Design

Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and unofficial patches would decrease the response time for known issues, especially when dealing with low-priority fixes that affect only a fraction of users. Microsoft isn't in the business of providing security fixes, and copyright law would still protect its operating system from outright copying or derivation even if the source code is released. And while hackers might have an easier time exploiting vulnerabilities with access to the source code, years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides.

Getting Past the Economic Loss Rule

Thus, we have a straightforward argument that Microsoft's anti-malware measures are negligent. But the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economic, the result of disappointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves.

There may be merits to such an approach where privity exists between the software vendor and the person suffering the economic loss. But vulnerabilities in Windows machines are used to create botnets, and the spam and denial-of-service attacks these botnets generate burden all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex ante among all affected parties are too high.

Many states recognize an exception to the economic loss rule where a product causes damage to property other than itself. This exception can be stretched to cover malware by borrowing the definition of damages used in the context of electronic trespass to chattels, where cases like eBay, Inc. v. Bidder's Edge, Inc. treat unauthorized deprivation of network bandwidth and processing time as an actionable harm to property.

Conclusion

The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combatting malware, those costs will only be passed on to the consumer. While this result would be desirable if the higher cost of Windows products led to greater adoption of free software, such market correction is improbable. Most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince proprietary software companies to abandon attempts at security through obscurity in favor of making their source code available (and, even better, licensing their users to patch security vulnerabilities themselves on a limited non-commercial basis). Adopting such a practice would make a big difference in the long run towards securing both the network and the devices attached to it. It would ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology responsible for controlling greater and greater portions of our lives stay transparent.


Revision r13 - 05 Jan 2010 - 22:30:00 - IanSullivan
Revision r12 - 15 Apr 2009 - 15:53:18 - EbenMoglen
Revision r11 - 14 Apr 2009 - 19:45:58 - AndreiVoinigescu
Revision r10 - 11 Apr 2009 - 18:32:26 - JonathanBonilla
Revision r9 - 10 Apr 2009 - 20:39:52 - AndreiVoinigescu
Revision r8 - 10 Apr 2009 - 15:44:32 - AndreiVoinigescu
Revision r7 - 10 Apr 2009 - 13:43:21 - DanielHarris
Revision r6 - 09 Apr 2009 - 21:47:26 - AndreiVoinigescu
Revision r5 - 09 Apr 2009 - 18:51:34 - AndreiVoinigescu
Revision r4 - 09 Apr 2009 - 14:39:30 - AndreiVoinigescu
Revision r3 - 09 Apr 2009 - 01:56:57 - AndreiVoinigescu
Revision r2 - 09 Apr 2009 - 00:45:00 - AndreiVoinigescu
Revision r1 - 07 Apr 2009 - 17:49:37 - AndreiVoinigescu
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.